1046 files changed, 15486 insertions, 18435 deletions

diff --git a/src/lib/libc/include/thread_private.h b/src/lib/libc/include/thread_private.h
index 1ec1071161..3e1dbcdf6e 100644
--- a/src/lib/libc/include/thread_private.h
+++ b/src/lib/libc/include/thread_private.h
@@ -1,10 +1,13 @@
-/* $OpenBSD: thread_private.h,v 1.37 2024/08/18 02:25:51 guenther Exp $ */
+/* $OpenBSD: thread_private.h,v 1.40 2025/08/04 01:44:33 dlg Exp $ */
 
 /* PUBLIC DOMAIN: No Rights Reserved. Marco S Hyman <marc@snafu.org> */
 
 #ifndef _THREAD_PRIVATE_H_
 #define _THREAD_PRIVATE_H_
 
+#include <sys/types.h>
+#include <sys/gmon.h>
+
 extern int __isthreaded;
 
 #define _MALLOC_MUTEXES 32
@@ -292,6 +295,12 @@ TAILQ_HEAD(pthread_queue, pthread);
 
 #ifdef FUTEX
 
+/*
+ * CAS based implementations
+ */
+
+#define __CMTX_CAS
+
 struct pthread_mutex {
         volatile unsigned int lock;
         int type;
@@ -312,6 +321,10 @@ struct pthread_rwlock {
 
 #else
 
+/*
+ * spinlock based implementations
+ */
+
 struct pthread_mutex {
         _atomic_lock_t lock;
         struct pthread_queue lockers;
@@ -336,6 +349,46 @@ struct pthread_rwlock {
 };
 #endif /* FUTEX */
 
+/* libc mutex */
+
+#define __CMTX_UNLOCKED         0
+#define __CMTX_LOCKED           1
+#define __CMTX_CONTENDED        2
+
+#ifdef __CMTX_CAS
+struct __cmtx {
+        volatile unsigned int   lock;
+};
+
+#define __CMTX_INITIALIZER() {                                          \
+        .lock = __CMTX_UNLOCKED,                                        \
+}
+#else /* __CMTX_CAS */
+struct __cmtx {
+        _atomic_lock_t          spin;
+        volatile unsigned int   lock;
+};
+
+#define __CMTX_INITIALIZER() {                                          \
+        .spin = _SPINLOCK_UNLOCKED,                                     \
+        .lock = __CMTX_UNLOCKED,                                        \
+}
+#endif /* __CMTX_CAS */
+
+/* libc recursive mutex */
+
+struct __rcmtx {
+        volatile pthread_t      owner;
+        struct __cmtx           mtx;
+        unsigned int            depth;
+};
+
+#define __RCMTX_INITIALIZER() {                                         \
+        .owner = NULL,                                                  \
+        .mtx = __CMTX_INITIALIZER(),                                    \
+        .depth = 0,                                                     \
+}
+
 struct pthread_mutex_attr {
         int ma_type;
         int ma_protocol;
@@ -390,6 +443,7 @@ struct pthread {
 
         /* cancel received in a delayed cancel block? */
         int delayed_cancel;
+        struct gmonparam *gmonparam;
 };
 /* flags in pthread->flags */
 #define THREAD_DONE             0x001
@@ -410,6 +464,16 @@ void	_spinlock(volatile _atomic_lock_t *);
 int     _spinlocktry(volatile _atomic_lock_t *);
 void    _spinunlock(volatile _atomic_lock_t *);
 
+void    __cmtx_init(struct __cmtx *);
+int     __cmtx_enter_try(struct __cmtx *);
+void    __cmtx_enter(struct __cmtx *);
+void    __cmtx_leave(struct __cmtx *);
+
+void    __rcmtx_init(struct __rcmtx *);
+int     __rcmtx_enter_try(struct __rcmtx *);
+void    __rcmtx_enter(struct __rcmtx *);
+void    __rcmtx_leave(struct __rcmtx *);
+
 void    _rthread_debug(int, const char *, ...)
                 __attribute__((__format__ (printf, 2, 3)));
 pid_t   _thread_dofork(pid_t (*_sys_fork)(void));
diff --git a/src/lib/libc/net/ether_aton.3 b/src/lib/libc/net/ether_aton.3
index 98562dc44c..83fe98880c 100644
--- a/src/lib/libc/net/ether_aton.3
+++ b/src/lib/libc/net/ether_aton.3
@@ -1,8 +1,8 @@
-.\"     $OpenBSD: ether_aton.3,v 1.3 2022/09/11 06:38:10 jmc Exp $
+.\"     $OpenBSD: ether_aton.3,v 1.4 2025/06/29 00:33:46 dlg Exp $
 .\"
 .\" Written by roland@frob.com.  Public domain.
 .\"
-.Dd $Mdocdate: September 11 2022 $
+.Dd $Mdocdate: June 29 2025 $
 .Dt ETHER_ATON 3
 .Os
 .Sh NAME
@@ -19,7 +19,7 @@
 .In netinet/in.h
 .In netinet/if_ether.h
 .Ft char *
-.Fn ether_ntoa "struct ether_addr *e"
+.Fn ether_ntoa "const struct ether_addr *e"
 .Ft struct ether_addr *
 .Fn ether_aton "const char *s"
 .Ft int
diff --git a/src/lib/libc/net/ethers.c b/src/lib/libc/net/ethers.c
index d62be1ca71..6edad5c5e5 100644
--- a/src/lib/libc/net/ethers.c
+++ b/src/lib/libc/net/ethers.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ethers.c,v 1.27 2019/01/25 00:19:25 millert Exp $     */
+/*      $OpenBSD: ethers.c,v 1.28 2025/06/29 00:33:46 dlg Exp $ */
 
 /*
  * Copyright (c) 1998 Todd C. Miller <millert@openbsd.org>
@@ -42,7 +42,7 @@
 static char * _ether_aton(const char *, struct ether_addr *);
 
 char *
-ether_ntoa(struct ether_addr *e)
+ether_ntoa(const struct ether_addr *e)
 {
         static char a[] = "xx:xx:xx:xx:xx:xx";
 
diff --git a/src/lib/libc/net/gai_strerror.3 b/src/lib/libc/net/gai_strerror.3
index d271f492c5..93d11aad09 100644
--- a/src/lib/libc/net/gai_strerror.3
+++ b/src/lib/libc/net/gai_strerror.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: gai_strerror.3,v 1.10 2017/05/03 01:58:33 deraadt Exp $
+.\"     $OpenBSD: gai_strerror.3,v 1.11 2025/06/13 18:34:00 schwarze Exp $
 .\"     $KAME: gai_strerror.3,v 1.1 2005/01/05 03:04:47 itojun Exp $
 .\"
 .\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
@@ -16,7 +16,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 3 2017 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt GAI_STRERROR 3
 .Os
 .Sh NAME
@@ -26,7 +26,7 @@
 .In sys/types.h
 .In sys/socket.h
 .In netdb.h
-.Ft "const char *"
+.Ft const char *
 .Fn gai_strerror "int ecode"
 .Sh DESCRIPTION
 The
diff --git a/src/lib/libc/net/if_indextoname.3 b/src/lib/libc/net/if_indextoname.3
index 25d2a2722f..9d00d66bd5 100644
--- a/src/lib/libc/net/if_indextoname.3
+++ b/src/lib/libc/net/if_indextoname.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: if_indextoname.3,v 1.16 2015/11/21 07:48:10 jmc Exp $
+.\"     $OpenBSD: if_indextoname.3,v 1.17 2025/06/13 18:34:00 schwarze Exp $
 .\" Copyright (c) 1983, 1991, 1993
 .\"     The Regents of the University of California.  All rights reserved.
 .\"
@@ -28,7 +28,7 @@
 .\"
 .\"     From: @(#)rcmd.3        8.1 (Berkeley) 6/4/93
 .\"
-.Dd $Mdocdate: November 21 2015 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt IF_NAMETOINDEX 3
 .Os
 .Sh NAME
@@ -41,13 +41,13 @@
 .In sys/types.h
 .In sys/socket.h
 .In net/if.h
-.Ft "unsigned int"
+.Ft unsigned int
 .Fn if_nametoindex "const char *ifname"
-.Ft "char *"
+.Ft char *
 .Fn if_indextoname "unsigned int ifindex" "char *ifname"
-.Ft "struct if_nameindex *"
+.Ft struct if_nameindex *
 .Fn if_nameindex "void"
-.Ft "void"
+.Ft void
 .Fn if_freenameindex "struct if_nameindex *ptr"
 .Sh DESCRIPTION
 These functions map interface indexes to interface names (such as
diff --git a/src/lib/libc/net/inet6_opt_init.3 b/src/lib/libc/net/inet6_opt_init.3
index 41ba842166..87244507a9 100644
--- a/src/lib/libc/net/inet6_opt_init.3
+++ b/src/lib/libc/net/inet6_opt_init.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: inet6_opt_init.3,v 1.8 2022/03/31 17:27:16 naddy Exp $
+.\"     $OpenBSD: inet6_opt_init.3,v 1.9 2025/06/13 18:34:00 schwarze Exp $
 .\"     $KAME: inet6_opt_init.3,v 1.7 2004/12/27 05:08:23 itojun Exp $
 .\"
 .\" Copyright (C) 2004 WIDE Project.
@@ -28,7 +28,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt INET6_OPT_INIT 3
 .Os
 .\"
@@ -44,19 +44,19 @@
 .\"
 .Sh SYNOPSIS
 .In netinet/in.h
-.Ft "int"
+.Ft int
 .Fn inet6_opt_init "void *extbuf" "socklen_t extlen"
-.Ft "int"
+.Ft int
 .Fn inet6_opt_append "void *extbuf" "socklen_t extlen" "int offset" "u_int8_t type" "socklen_t len" "u_int8_t align" "void **databufp"
-.Ft "int"
+.Ft int
 .Fn inet6_opt_finish "void *extbuf" "socklen_t extlen" "int offset"
-.Ft "int"
+.Ft int
 .Fn inet6_opt_set_val "void *databuf" "int offset" "void *val" "socklen_t vallen"
-.Ft "int"
+.Ft int
 .Fn inet6_opt_next "void *extbuf" "socklen_t extlen" "int offset" "u_int8_t *typep" "socklen_t *lenp" "void **databufp"
-.Ft "int"
+.Ft int
 .Fn inet6_opt_find "void *extbuf" "socklen_t extlen" "int offset" "u_int8_t type" "socklen_t *lenp" "void **databufp"
-.Ft "int"
+.Ft int
 .Fn inet6_opt_get_val "void *databuf" "socklen_t offset" "void *val" "socklen_t vallen"
 .\"
 .Sh DESCRIPTION
diff --git a/src/lib/libc/net/inet6_rth_space.3 b/src/lib/libc/net/inet6_rth_space.3
index c40b45057e..7304266fe1 100644
--- a/src/lib/libc/net/inet6_rth_space.3
+++ b/src/lib/libc/net/inet6_rth_space.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: inet6_rth_space.3,v 1.8 2022/03/31 17:27:16 naddy Exp $
+.\"     $OpenBSD: inet6_rth_space.3,v 1.9 2025/06/13 18:34:00 schwarze Exp $
 .\"     $KAME: inet6_rth_space.3,v 1.7 2005/01/05 03:00:44 itojun Exp $
 .\"
 .\" Copyright (C) 2004 WIDE Project.
@@ -28,7 +28,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt INET6_RTH_SPACE 3
 .Os
 .\"
@@ -45,7 +45,7 @@
 .In netinet/in.h
 .Ft socklen_t
 .Fn inet6_rth_space "int" "int"
-.Ft "void *"
+.Ft void *
 .Fn inet6_rth_init "void *" "socklen_t" "int" "int"
 .Ft int
 .Fn inet6_rth_add "void *" "const struct in6_addr *"
@@ -53,7 +53,7 @@
 .Fn inet6_rth_reverse "const void *" "void *"
 .Ft int
 .Fn inet6_rth_segments "const void *"
-.Ft "struct in6_addr *"
+.Ft struct in6_addr *
 .Fn inet6_rth_getaddr "const void *" "int"
 .\"
 .Sh DESCRIPTION
diff --git a/src/lib/libc/stdlib/exit.3 b/src/lib/libc/stdlib/exit.3
index 22acade86c..ccb416ee82 100644
--- a/src/lib/libc/stdlib/exit.3
+++ b/src/lib/libc/stdlib/exit.3
@@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"     $OpenBSD: exit.3,v 1.18 2024/08/30 03:44:48 guenther Exp $
+.\"     $OpenBSD: exit.3,v 1.19 2025/06/03 14:15:53 yasuoka Exp $
 .\"
-.Dd $Mdocdate: August 30 2024 $
+.Dd $Mdocdate: June 3 2025 $
 .Dt EXIT 3
 .Os
 .Sh NAME
@@ -54,9 +54,7 @@ Call the functions registered with the
 .Xr atexit 3
 function, in the reverse order of their registration.
 .It
-Flush all open output streams.
-.It
-Close all open streams.
+Flush and close all open streams.
 .It
 Unlink all files created with the
 .Xr tmpfile 3
@@ -79,6 +77,7 @@ function never returns.
 .Sh SEE ALSO
 .Xr _exit 2 ,
 .Xr atexit 3 ,
+.Xr fflush 3 ,
 .Xr intro 3 ,
 .Xr sysexits 3 ,
 .Xr tmpfile 3
@@ -86,7 +85,7 @@ function never returns.
 The
 .Fn exit
 function conforms to
-.St -isoC-99 .
+.St -p1003.1-2024 .
 .Sh HISTORY
 An
 .Fn exit
diff --git a/src/lib/libc/stdlib/malloc.3 b/src/lib/libc/stdlib/malloc.3
index bea5575bf8..ee13b01bd4 100644
--- a/src/lib/libc/stdlib/malloc.3
+++ b/src/lib/libc/stdlib/malloc.3
@@ -30,9 +30,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"     $OpenBSD: malloc.3,v 1.142 2024/08/03 20:09:24 guenther Exp $
+.\"     $OpenBSD: malloc.3,v 1.147 2025/06/04 00:38:01 yasuoka Exp $
 .\"
-.Dd $Mdocdate: August 3 2024 $
+.Dd $Mdocdate: June 4 2025 $
 .Dt MALLOC 3
 .Os
 .Sh NAME
@@ -69,7 +69,8 @@
 .Fn malloc_conceal "size_t size"
 .Ft void *
 .Fn calloc_conceal "size_t nmemb" "size_t size"
-.Vt char *malloc_options ;
+.Vt const char * const
+.Va malloc_options ;
 .Sh DESCRIPTION
 The standard functions
 .Fn malloc ,
@@ -268,7 +269,15 @@ next checks the environment for a variable called
 and finally looks at the global variable
 .Va malloc_options
 in the program.
-Each is scanned for the flags documented below.
+Since
+.Fn malloc
+might already get called before the beginning of
+.Fn main ,
+either initialize
+.Va malloc_options
+to a string literal at file scope or do not declare it at all.
+.Pp
+Each of the three strings is scanned for the flags documented below.
 Unless otherwise noted uppercase means on, lowercase means off.
 During initialization, flags occurring later modify the behaviour
 that was requested by flags processed earlier.
@@ -363,18 +372,9 @@ Use with
 to get a verbose dump of malloc's internal state.
 .It Cm X
 .Dq xmalloc .
-Rather than return failure,
+Rather than return failure to handle out-of-memory conditions gracefully,
 .Xr abort 3
 the program with a diagnostic message on stderr.
-It is the intention that this option be set at compile time by
-including in the source:
-.Bd -literal -offset indent
-extern char *malloc_options;
-malloc_options = "X";
-.Ed
-.Pp
-Note that this will cause code that is supposed to handle
-out-of-memory conditions gracefully to abort instead.
 .It Cm <
 .Dq Halve the cache size .
 Decrease the size of the free page cache by a factor of two.
diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c
index cad8e5d6a1..c6261d87c5 100644
--- a/src/lib/libc/stdlib/malloc.c
+++ b/src/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: malloc.c,v 1.297 2024/09/20 02:00:46 jsg Exp $        */
+/*      $OpenBSD: malloc.c,v 1.299 2025/06/12 16:07:09 deraadt Exp $    */
 /*
  * Copyright (c) 2008, 2010, 2011, 2016, 2023 Otto Moerbeek <otto@drijf.net>
  * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@@ -31,7 +31,6 @@
 #include <sys/queue.h>
 #include <sys/mman.h>
 #include <sys/sysctl.h>
-#include <uvm/uvmexp.h>
 #include <errno.h>
 #include <stdarg.h>
 #include <stdint.h>
@@ -264,7 +263,8 @@ static union {
                 __attribute__((section(".openbsd.mutable")));
 #define mopts   malloc_readonly.mopts
 
-char            *malloc_options;        /* compile-time options */
+/* compile-time options */
+const char *const malloc_options __attribute__((weak));
 
 static __dead void wrterror(struct dir_info *d, char *msg, ...)
     __attribute__((__format__ (printf, 2, 3)));
@@ -501,7 +501,8 @@ omalloc_parseopt(char opt)
 static void
 omalloc_init(void)
 {
-        char *p, *q, b[16];
+        const char *p;
+        char *q, b[16];
         int i, j;
         const int mib[2] = { CTL_VM, VM_MALLOC_CONF };
         size_t sb;
diff --git a/src/lib/libc/stdlib/mkstemp.c b/src/lib/libc/stdlib/mkstemp.c
index 75a9d27d1a..760575005f 100644
--- a/src/lib/libc/stdlib/mkstemp.c
+++ b/src/lib/libc/stdlib/mkstemp.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mkstemp.c,v 1.1 2024/01/19 19:45:02 millert Exp $ */
+/*      $OpenBSD: mkstemp.c,v 1.2 2025/08/04 04:59:31 guenther Exp $ */
 /*
  * Copyright (c) 2024 Todd C. Miller
  *
@@ -20,7 +20,8 @@
 #include <fcntl.h>
 #include <stdlib.h>
 
-#define MKOSTEMP_FLAGS  (O_APPEND | O_CLOEXEC | O_DSYNC | O_RSYNC | O_SYNC)
+#define MKOSTEMP_FLAGS \
+        (O_APPEND | O_CLOEXEC | O_CLOFORK | O_DSYNC | O_RSYNC | O_SYNC)
 
 static int
 mkstemp_cb(const char *path, int flags)
diff --git a/src/lib/libc/stdlib/mktemp.3 b/src/lib/libc/stdlib/mktemp.3
index 83b7c9eb30..a967358164 100644
--- a/src/lib/libc/stdlib/mktemp.3
+++ b/src/lib/libc/stdlib/mktemp.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: mktemp.3,v 1.2 2024/03/01 21:30:40 millert Exp $
+.\"     $OpenBSD: mktemp.3,v 1.4 2025/08/04 14:11:37 schwarze Exp $
 .\"
 .\" Copyright (c) 1989, 1991, 1993
 .\"     The Regents of the University of California.  All rights reserved.
@@ -27,17 +27,17 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 1 2024 $
+.Dd $Mdocdate: August 4 2025 $
 .Dt MKTEMP 3
 .Os
 .Sh NAME
 .Nm mktemp ,
 .Nm mkstemp ,
-.Nm mkostemp ,
 .Nm mkstemps ,
-.Nm mkostemps ,
 .Nm mkdtemp ,
-.Nm mkdtemps
+.Nm mkdtemps ,
+.Nm mkostemp ,
+.Nm mkostemps
 .Nd make temporary file name (unique)
 .Sh SYNOPSIS
 .In stdlib.h
@@ -119,6 +119,8 @@ system call:
 Append on each write.
 .It Dv O_CLOEXEC
 Set the close-on-exec flag on the new file descriptor.
+.It Dv O_CLOFORK
+Set the close-on-fork flag on the new file descriptor.
 .It Dv O_SYNC
 Perform synchronous I/O operations.
 .El
@@ -163,8 +165,8 @@ functions return a pointer to the template on success and
 on failure.
 The
 .Fn mkstemp ,
-.Fn mkostemp ,
 .Fn mkstemps ,
+.Fn mkostemp ,
 and
 .Fn mkostemps
 functions return \-1 if no suitable file could be created.
@@ -253,9 +255,9 @@ of
 The
 .Fn mktemp ,
 .Fn mkstemp ,
-.Fn mkostemp ,
+.Fn mkdtemp ,
 and
-.Fn mkdtemp
+.Fn mkostemp
 functions may set
 .Va errno
 to one of the following values:
@@ -318,8 +320,8 @@ function.
 .Pp
 The
 .Fn mkstemp ,
-.Fn mkostemp ,
 .Fn mkstemps ,
+.Fn mkostemp ,
 and
 .Fn mkostemps
 functions may also set
@@ -345,18 +347,16 @@ function.
 .Xr tmpnam 3
 .Sh STANDARDS
 The
-.Fn mkdtemp
+.Fn mkstemp ,
+.Fn mkdtemp ,
 and
-.Fn mkstemp
+.Fn mkostemp
 functions conform to the
-.St -p1003.1-2008
+.St -p1003.1-2024
 specification.
 The ability to specify more than six
 .Em X Ns s
 is an extension to that standard.
-The
-.Fn mkostemp
-function is expected to conform to a future revision of that standard.
 .Pp
 The
 .Fn mktemp
@@ -368,9 +368,9 @@ it is no longer a part of the standard.
 .Pp
 The
 .Fn mkstemps ,
-.Fn mkostemps ,
+.Fn mkdtemps ,
 and
-.Fn mkdtemps
+.Fn mkostemps
 functions are non-standard and should not be used if portability is required.
 .Sh HISTORY
 A
@@ -378,14 +378,14 @@ A
 function appeared in
 .At v7 .
 The
-.Fn mkdtemp
-function appeared in
-.Ox 2.2 .
-The
 .Fn mkstemp
 function appeared in
 .Bx 4.3 .
 The
+.Fn mkdtemp
+function appeared in
+.Ox 2.2 .
+The
 .Fn mkstemps
 function appeared in
 .Ox 2.3 .
diff --git a/src/lib/libc/stdlib/ptsname.3 b/src/lib/libc/stdlib/ptsname.3
index 98705528f5..eea36a5a02 100644
--- a/src/lib/libc/stdlib/ptsname.3
+++ b/src/lib/libc/stdlib/ptsname.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ptsname.3,v 1.2 2012/12/04 18:42:16 millert Exp $
+.\"     $OpenBSD: ptsname.3,v 1.3 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2002 The FreeBSD Project, Inc.
 .\" All rights reserved.
@@ -32,7 +32,7 @@
 .\"
 .\" $FreeBSD: head/lib/libc/stdlib/ptsname.3 240412 2012-09-12 17:54:09Z emaste $
 .\"
-.Dd $Mdocdate: December 4 2012 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt PTSNAME 3
 .Os
 .Sh NAME
@@ -44,7 +44,7 @@
 .In stdlib.h
 .Ft int
 .Fn grantpt "int fildes"
-.Ft "char *"
+.Ft char *
 .Fn ptsname "int fildes"
 .Ft int
 .Fn unlockpt "int fildes"
diff --git a/src/lib/libc/stdlib/rand48.3 b/src/lib/libc/stdlib/rand48.3
index fa7a7179bc..02e1999db9 100644
--- a/src/lib/libc/stdlib/rand48.3
+++ b/src/lib/libc/stdlib/rand48.3
@@ -9,9 +9,9 @@
 .\" of any kind. I shall in no event be liable for anything that happens
 .\" to anyone/anything when using this software.
 .\"
-.\"     $OpenBSD: rand48.3,v 1.21 2019/12/20 19:16:40 tb Exp $
+.\"     $OpenBSD: rand48.3,v 1.22 2025/06/13 18:34:00 schwarze Exp $
 .\"
-.Dd $Mdocdate: December 20 2019 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt DRAND48 3
 .Os
 .Sh NAME
@@ -46,9 +46,9 @@
 .Fn srand48 "long seed"
 .Ft void
 .Fn srand48_deterministic "long seed"
-.Ft "unsigned short *"
+.Ft unsigned short *
 .Fn seed48 "unsigned short xseed[3]"
-.Ft "unsigned short *"
+.Ft unsigned short *
 .Fn seed48_deterministic "unsigned short xseed[3]"
 .Ft void
 .Fn lcong48 "unsigned short p[7]"
diff --git a/src/lib/libc/stdlib/realpath.3 b/src/lib/libc/stdlib/realpath.3
index 1dec10fef4..1f932e3bb5 100644
--- a/src/lib/libc/stdlib/realpath.3
+++ b/src/lib/libc/stdlib/realpath.3
@@ -28,9 +28,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"     $OpenBSD: realpath.3,v 1.26 2021/10/13 15:04:53 kn Exp $
+.\"     $OpenBSD: realpath.3,v 1.27 2025/06/13 18:34:00 schwarze Exp $
 .\"
-.Dd $Mdocdate: October 13 2021 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt REALPATH 3
 .Os
 .Sh NAME
@@ -39,7 +39,7 @@
 .Sh SYNOPSIS
 .In limits.h
 .In stdlib.h
-.Ft "char *"
+.Ft char *
 .Fn realpath "const char *pathname" "char *resolved"
 .Sh DESCRIPTION
 The
diff --git a/src/lib/libc/string/memmem.3 b/src/lib/libc/string/memmem.3
index de62d738de..eeb621f8f6 100644
--- a/src/lib/libc/string/memmem.3
+++ b/src/lib/libc/string/memmem.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: memmem.3,v 1.4 2024/08/03 20:13:23 guenther Exp $
+.\"     $OpenBSD: memmem.3,v 1.5 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2005 Pascal Gloor <pascal.gloor@spale.com>
 .\"
@@ -26,7 +26,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 3 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt MEMMEM 3
 .Os
 .Sh NAME
@@ -34,7 +34,7 @@
 .Nd locate a byte substring in a byte string
 .Sh SYNOPSIS
 .In string.h
-.Ft "void *"
+.Ft void *
 .Fo memmem
 .Fa "const void *big" "size_t big_len"
 .Fa "const void *little" "size_t little_len"
diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index db3bc767d9..459b0c9235 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.231 2024/12/19 23:56:32 tb Exp $
+# $OpenBSD: Makefile,v 1.242 2025/08/14 15:48:48 beck Exp $
 
 LIB=    crypto
 LIBREBUILD=y
@@ -25,6 +25,7 @@ CFLAGS+= -DLIBRESSL_NAMESPACE -DLIBRESSL_CRYPTO_NAMESPACE
 CFLAGS+= -DHAVE_FUNOPEN
 
 CFLAGS+= -I${LCRYPTO_SRC}
+CFLAGS+= -I${LCRYPTO_SRC}/aes
 CFLAGS+= -I${LCRYPTO_SRC}/arch/${MACHINE_CPU}
 CFLAGS+= -I${LCRYPTO_SRC}/asn1
 CFLAGS+= -I${LCRYPTO_SRC}/bio
@@ -67,7 +68,6 @@ SRCS+= crypto_memory.c
 # aes/
 SRCS+= aes.c
 SRCS+= aes_core.c
-SRCS+= aes_ige.c
 
 # asn1/
 SRCS+= a_bitstr.c
@@ -119,10 +119,8 @@ SRCS+= x_attrib.c
 SRCS+= x_bignum.c
 SRCS+= x_crl.c
 SRCS+= x_exten.c
-SRCS+= x_info.c
 SRCS+= x_long.c
 SRCS+= x_name.c
-SRCS+= x_pkey.c
 SRCS+= x_pubkey.c
 SRCS+= x_req.c
 SRCS+= x_sig.c
@@ -152,13 +150,13 @@ SRCS+= bss_conn.c
 SRCS+= bss_dgram.c
 SRCS+= bss_fd.c
 SRCS+= bss_file.c
-SRCS+= bss_log.c
 SRCS+= bss_mem.c
 SRCS+= bss_null.c
 SRCS+= bss_sock.c
 
 # bn/
 SRCS+= bn_add.c
+SRCS+= bn_add_sub.c
 SRCS+= bn_bpsw.c
 SRCS+= bn_const.c
 SRCS+= bn_convert.c
@@ -172,6 +170,7 @@ SRCS+= bn_kron.c
 SRCS+= bn_lib.c
 SRCS+= bn_mod.c
 SRCS+= bn_mod_sqrt.c
+SRCS+= bn_mod_words.c
 SRCS+= bn_mont.c
 SRCS+= bn_mul.c
 SRCS+= bn_prime.c
@@ -281,11 +280,13 @@ SRCS+= ec_asn1.c
 SRCS+= ec_convert.c
 SRCS+= ec_curve.c
 SRCS+= ec_err.c
+SRCS+= ec_field.c
 SRCS+= ec_key.c
 SRCS+= ec_lib.c
 SRCS+= ec_mult.c
 SRCS+= ec_pmeth.c
 SRCS+= eck_prn.c
+SRCS+= ecp_hp_methods.c
 SRCS+= ecp_methods.c
 SRCS+= ecx_methods.c
 
@@ -373,8 +374,10 @@ SRCS+= md4.c
 SRCS+= md5.c
 
 # mlkem/
+SRCS+= mlkem.c
 SRCS+= mlkem768.c
 SRCS+= mlkem1024.c
+SRCS+= mlkem_key.c
 
 # modes/
 SRCS+= cbc128.c
@@ -450,11 +453,7 @@ SRCS+= rand_lib.c
 SRCS+= randfile.c
 
 # rc2/
-SRCS+= rc2_cbc.c
-SRCS+= rc2_ecb.c
-SRCS+= rc2_skey.c
-SRCS+= rc2cfb64.c
-SRCS+= rc2ofb64.c
+SRCS+= rc2.c
 
 # rc4/
 SRCS+= rc4.c
@@ -671,6 +670,7 @@ HDRS=\
         ${LCRYPTO_SRC}/lhash/lhash.h \
         ${LCRYPTO_SRC}/md4/md4.h \
         ${LCRYPTO_SRC}/md5/md5.h \
+        ${LCRYPTO_SRC}/mlkem/mlkem.h \
         ${LCRYPTO_SRC}/modes/modes.h \
         ${LCRYPTO_SRC}/objects/objects.h \
         ${LCRYPTO_SRC}/ocsp/ocsp.h \
diff --git a/src/lib/libcrypto/Symbols.list b/src/lib/libcrypto/Symbols.list
index e259430bbf..2aae617f0a 100644
--- a/src/lib/libcrypto/Symbols.list
+++ b/src/lib/libcrypto/Symbols.list
@@ -308,7 +308,6 @@ BIO_s_connect
 BIO_s_datagram
 BIO_s_fd
 BIO_s_file
-BIO_s_log
 BIO_s_mem
 BIO_s_null
 BIO_s_socket
@@ -1664,9 +1663,7 @@ PEM_ASN1_write_bio
 PEM_SignFinal
 PEM_SignInit
 PEM_SignUpdate
-PEM_X509_INFO_read
 PEM_X509_INFO_read_bio
-PEM_X509_INFO_write_bio
 PEM_bytes_read_bio
 PEM_def_callback
 PEM_dek_info
@@ -2474,8 +2471,6 @@ X509_OBJECT_idx_by_subject
 X509_OBJECT_new
 X509_OBJECT_retrieve_by_subject
 X509_OBJECT_retrieve_match
-X509_PKEY_free
-X509_PKEY_new
 X509_PUBKEY_free
 X509_PUBKEY_get
 X509_PUBKEY_get0
diff --git a/src/lib/libcrypto/aes/aes.c b/src/lib/libcrypto/aes/aes.c
index 3dc2c9a458..693badcd66 100644
--- a/src/lib/libcrypto/aes/aes.c
+++ b/src/lib/libcrypto/aes/aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes.c,v 1.5 2025/04/20 09:17:53 jsing Exp $ */
+/* $OpenBSD: aes.c,v 1.14 2025/07/22 09:13:49 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 2002-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -52,9 +52,12 @@
 
 #include <openssl/aes.h>
 #include <openssl/bio.h>
+#include <openssl/crypto.h>
 #include <openssl/modes.h>
 
 #include "crypto_arch.h"
+#include "crypto_internal.h"
+#include "modes_local.h"
 
 static const unsigned char aes_wrap_default_iv[] = {
         0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
@@ -97,6 +100,18 @@ AES_decrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key)
 }
 LCRYPTO_ALIAS(AES_decrypt);
 
+void
+aes_encrypt_block128(const unsigned char *in, unsigned char *out, const void *key)
+{
+        aes_encrypt_internal(in, out, key);
+}
+
+void
+aes_decrypt_block128(const unsigned char *in, unsigned char *out, const void *key)
+{
+        aes_decrypt_internal(in, out, key);
+}
+
 #ifdef HAVE_AES_CBC_ENCRYPT_INTERNAL
 void aes_cbc_encrypt_internal(const unsigned char *in, unsigned char *out,
     size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
@@ -108,10 +123,10 @@ aes_cbc_encrypt_internal(const unsigned char *in, unsigned char *out,
 {
         if (enc)
                 CRYPTO_cbc128_encrypt(in, out, len, key, ivec,
-                    (block128_f)AES_encrypt);
+                    aes_encrypt_block128);
         else
                 CRYPTO_cbc128_decrypt(in, out, len, key, ivec,
-                    (block128_f)AES_decrypt);
+                    aes_decrypt_block128);
 }
 #endif
 
@@ -134,7 +149,7 @@ AES_cfb128_encrypt(const unsigned char *in, unsigned char *out, size_t length,
     const AES_KEY *key, unsigned char *ivec, int *num, const int enc)
 {
         CRYPTO_cfb128_encrypt(in, out, length, key, ivec, num, enc,
-            (block128_f)AES_encrypt);
+            aes_encrypt_block128);
 }
 LCRYPTO_ALIAS(AES_cfb128_encrypt);
 
@@ -144,7 +159,7 @@ AES_cfb1_encrypt(const unsigned char *in, unsigned char *out, size_t length,
     const AES_KEY *key, unsigned char *ivec, int *num, const int enc)
 {
         CRYPTO_cfb128_1_encrypt(in, out, length, key, ivec, num, enc,
-            (block128_f)AES_encrypt);
+            aes_encrypt_block128);
 }
 LCRYPTO_ALIAS(AES_cfb1_encrypt);
 
@@ -153,17 +168,134 @@ AES_cfb8_encrypt(const unsigned char *in, unsigned char *out, size_t length,
     const AES_KEY *key, unsigned char *ivec, int *num, const int enc)
 {
         CRYPTO_cfb128_8_encrypt(in, out, length, key, ivec, num, enc,
-            (block128_f)AES_encrypt);
+            aes_encrypt_block128);
 }
 LCRYPTO_ALIAS(AES_cfb8_encrypt);
 
 void
+aes_ccm64_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt)
+{
+        uint8_t iv[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+        uint8_t in_mask;
+        uint64_t ctr;
+        int i;
+
+        in_mask = 0 - (encrypt != 0);
+
+        memcpy(iv, ivec, sizeof(iv));
+
+        ctr = crypto_load_be64toh(&iv[8]);
+
+        while (blocks > 0) {
+                crypto_store_htobe64(&iv[8], ctr);
+                aes_encrypt_internal(iv, buf, key);
+                ctr++;
+
+                for (i = 0; i < 16; i++) {
+                        out[i] = in[i] ^ buf[i];
+                        cmac[i] ^= (in[i] & in_mask) | (out[i] & ~in_mask);
+                }
+
+                aes_encrypt_internal(cmac, cmac, key);
+
+                in += 16;
+                out += 16;
+                blocks--;
+        }
+
+        explicit_bzero(buf, sizeof(buf));
+        explicit_bzero(iv, sizeof(iv));
+}
+
+#ifdef HAVE_AES_CCM64_ENCRYPT_INTERNAL
+void aes_ccm64_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt);
+
+#else
+static inline void
+aes_ccm64_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt)
+{
+        aes_ccm64_encrypt_generic(in, out, blocks, key, ivec, cmac, encrypt);
+}
+#endif
+
+void
+aes_ccm64_encrypt_ccm128f(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16])
+{
+        aes_ccm64_encrypt_internal(in, out, blocks, key, ivec, cmac, 1);
+}
+
+void
+aes_ccm64_decrypt_ccm128f(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16])
+{
+        aes_ccm64_encrypt_internal(in, out, blocks, key, ivec, cmac, 0);
+}
+
+void
+aes_ctr32_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+        uint8_t iv[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+        uint32_t ctr;
+        int i;
+
+        memcpy(iv, ivec, sizeof(iv));
+
+        ctr = crypto_load_be32toh(&iv[12]);
+
+        while (blocks > 0) {
+                crypto_store_htobe32(&iv[12], ctr);
+                aes_encrypt_internal(iv, buf, key);
+                ctr++;
+
+                for (i = 0; i < AES_BLOCK_SIZE; i++)
+                        out[i] = in[i] ^ buf[i];
+
+                in += 16;
+                out += 16;
+                blocks--;
+        }
+
+        explicit_bzero(buf, sizeof(buf));
+        explicit_bzero(iv, sizeof(iv));
+}
+
+#ifdef HAVE_AES_CTR32_ENCRYPT_INTERNAL
+void aes_ctr32_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE]);
+
+#else
+static inline void
+aes_ctr32_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+        aes_ctr32_encrypt_generic(in, out, blocks, key, ivec);
+}
+#endif
+
+void
+aes_ctr32_encrypt_ctr128f(const unsigned char *in, unsigned char *out, size_t blocks,
+    const void *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+        aes_ctr32_encrypt_internal(in, out, blocks, key, ivec);
+}
+
+void
 AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
     size_t length, const AES_KEY *key, unsigned char ivec[AES_BLOCK_SIZE],
     unsigned char ecount_buf[AES_BLOCK_SIZE], unsigned int *num)
 {
-        CRYPTO_ctr128_encrypt(in, out, length, key, ivec, ecount_buf, num,
-            (block128_f)AES_encrypt);
+        CRYPTO_ctr128_encrypt_ctr32(in, out, length, key, ivec, ecount_buf,
+            num, aes_ctr32_encrypt_ctr128f);
 }
 LCRYPTO_ALIAS(AES_ctr128_encrypt);
 
@@ -178,15 +310,121 @@ AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
 }
 LCRYPTO_ALIAS(AES_ecb_encrypt);
 
+#ifndef HAVE_AES_ECB_ENCRYPT_INTERNAL
+void
+aes_ecb_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, int encrypt)
+{
+        while (len >= AES_BLOCK_SIZE) {
+                AES_ecb_encrypt(in, out, key, encrypt);
+                in += AES_BLOCK_SIZE;
+                out += AES_BLOCK_SIZE;
+                len -= AES_BLOCK_SIZE;
+        }
+}
+#endif
+
+#define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))
+typedef struct {
+        unsigned long data[N_WORDS];
+} aes_block_t;
+
+void
+AES_ige_encrypt(const unsigned char *in, unsigned char *out, size_t length,
+    const AES_KEY *key, unsigned char *ivec, const int enc)
+{
+        aes_block_t tmp, tmp2;
+        aes_block_t iv;
+        aes_block_t iv2;
+        size_t n;
+        size_t len;
+
+        /* N.B. The IV for this mode is _twice_ the block size */
+
+        OPENSSL_assert((length % AES_BLOCK_SIZE) == 0);
+
+        len = length / AES_BLOCK_SIZE;
+
+        memcpy(iv.data, ivec, AES_BLOCK_SIZE);
+        memcpy(iv2.data, ivec + AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+
+        if (AES_ENCRYPT == enc) {
+                while (len) {
+                        memcpy(tmp.data, in, AES_BLOCK_SIZE);
+                        for (n = 0; n < N_WORDS; ++n)
+                                tmp2.data[n] = tmp.data[n] ^ iv.data[n];
+                        AES_encrypt((unsigned char *)tmp2.data,
+                            (unsigned char *)tmp2.data, key);
+                        for (n = 0; n < N_WORDS; ++n)
+                                tmp2.data[n] ^= iv2.data[n];
+                        memcpy(out, tmp2.data, AES_BLOCK_SIZE);
+                        iv = tmp2;
+                        iv2 = tmp;
+                        --len;
+                        in += AES_BLOCK_SIZE;
+                        out += AES_BLOCK_SIZE;
+                }
+        } else {
+                while (len) {
+                        memcpy(tmp.data, in, AES_BLOCK_SIZE);
+                        tmp2 = tmp;
+                        for (n = 0; n < N_WORDS; ++n)
+                                tmp.data[n] ^= iv2.data[n];
+                        AES_decrypt((unsigned char *)tmp.data,
+                            (unsigned char *)tmp.data, key);
+                        for (n = 0; n < N_WORDS; ++n)
+                                tmp.data[n] ^= iv.data[n];
+                        memcpy(out, tmp.data, AES_BLOCK_SIZE);
+                        iv = tmp2;
+                        iv2 = tmp;
+                        --len;
+                        in += AES_BLOCK_SIZE;
+                        out += AES_BLOCK_SIZE;
+                }
+        }
+        memcpy(ivec, iv.data, AES_BLOCK_SIZE);
+        memcpy(ivec + AES_BLOCK_SIZE, iv2.data, AES_BLOCK_SIZE);
+}
+LCRYPTO_ALIAS(AES_ige_encrypt);
+
 void
 AES_ofb128_encrypt(const unsigned char *in, unsigned char *out, size_t length,
     const AES_KEY *key, unsigned char *ivec, int *num)
 {
         CRYPTO_ofb128_encrypt(in, out, length, key, ivec, num,
-            (block128_f)AES_encrypt);
+            aes_encrypt_block128);
 }
 LCRYPTO_ALIAS(AES_ofb128_encrypt);
 
+void
+aes_xts_encrypt_generic(const unsigned char *in, unsigned char *out, size_t len,
+    const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16],
+    int encrypt)
+{
+        XTS128_CONTEXT xctx;
+
+        if (encrypt)
+                xctx.block1 = aes_encrypt_block128;
+        else 
+                xctx.block1 = aes_decrypt_block128;
+
+        xctx.block2 = aes_encrypt_block128;
+        xctx.key1 = key1;
+        xctx.key2 = key2;
+
+        CRYPTO_xts128_encrypt(&xctx, iv, in, out, len, encrypt);
+}
+
+#ifndef HAVE_AES_XTS_ENCRYPT_INTERNAL
+void
+aes_xts_encrypt_internal(const unsigned char *in, unsigned char *out, size_t len,
+    const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16],
+    int encrypt)
+{
+        aes_xts_encrypt_generic(in, out, len, key1, key2, iv, encrypt);
+}
+#endif
+
 int
 AES_wrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out,
     const unsigned char *in, unsigned int inlen)
@@ -253,7 +491,7 @@ AES_unwrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out,
         }
         if (!iv)
                 iv = aes_wrap_default_iv;
-        if (memcmp(A, iv, 8)) {
+        if (timingsafe_memcmp(A, iv, 8) != 0) {
                 explicit_bzero(out, inlen);
                 return 0;
         }
diff --git a/src/lib/libcrypto/aes/aes_amd64.c b/src/lib/libcrypto/aes/aes_amd64.c
new file mode 100644
index 0000000000..183a5cce14
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_amd64.c
@@ -0,0 +1,201 @@
+/* $OpenBSD: aes_amd64.c,v 1.5 2025/07/22 09:13:49 jsing Exp $ */
+/*
+ * Copyright (c) 2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <openssl/aes.h>
+
+#include "crypto_arch.h"
+#include "modes_local.h"
+
+int aes_set_encrypt_key_generic(const unsigned char *userKey, const int bits,
+    AES_KEY *key);
+int aes_set_decrypt_key_generic(const unsigned char *userKey, const int bits,
+    AES_KEY *key);
+
+void aes_encrypt_generic(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+void aes_decrypt_generic(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+
+void aes_cbc_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
+
+void aes_ccm64_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt);
+
+void aes_ctr32_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE]);
+
+void aes_xts_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16], int encrypt);
+
+int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
+    AES_KEY *key);
+int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
+    AES_KEY *key);
+
+void aesni_encrypt(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+void aesni_decrypt(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+
+void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
+
+void aesni_ccm64_encrypt_blocks(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16]);
+
+void aesni_ccm64_decrypt_blocks(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16]);
+
+void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char *ivec);
+
+void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
+    size_t length, const AES_KEY *key, int enc);
+
+void aesni_xts_encrypt(const unsigned char *in, unsigned char *out,
+    size_t length, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16]);
+
+void aesni_xts_decrypt(const unsigned char *in, unsigned char *out,
+    size_t length, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16]);
+
+int
+aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
+    AES_KEY *key)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0)
+                return aesni_set_encrypt_key(userKey, bits, key);
+
+        return aes_set_encrypt_key_generic(userKey, bits, key);
+}
+
+int
+aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
+    AES_KEY *key)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0)
+                return aesni_set_decrypt_key(userKey, bits, key);
+
+        return aes_set_decrypt_key_generic(userKey, bits, key);
+}
+
+void
+aes_encrypt_internal(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+                aesni_encrypt(in, out, key);
+                return;
+        }
+
+        aes_encrypt_generic(in, out, key);
+}
+
+void
+aes_decrypt_internal(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+                aesni_decrypt(in, out, key);
+                return;
+        }
+
+        aes_decrypt_generic(in, out, key);
+}
+
+void
+aes_cbc_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, unsigned char *ivec, const int enc)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+                aesni_cbc_encrypt(in, out, len, key, ivec, enc);
+                return;
+        }
+
+        aes_cbc_encrypt_generic(in, out, len, key, ivec, enc);
+}
+
+void
+aes_ccm64_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+                if (encrypt)
+                        aesni_ccm64_encrypt_blocks(in, out, blocks, key, ivec, cmac);
+                else
+                        aesni_ccm64_decrypt_blocks(in, out, blocks, key, ivec, cmac);
+                return;
+        }
+
+        aes_ccm64_encrypt_generic(in, out, blocks, key, ivec, cmac, encrypt);
+}
+
+void
+aes_ctr32_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+                aesni_ctr32_encrypt_blocks(in, out, blocks, key, ivec);
+                return;
+        }
+
+        aes_ctr32_encrypt_generic(in, out, blocks, key, ivec);
+}
+
+void
+aes_ecb_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, int encrypt)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+                aesni_ecb_encrypt(in, out, len, key, encrypt);
+                return;
+        }
+
+        while (len >= AES_BLOCK_SIZE) {
+                if (encrypt)
+                        aes_encrypt_generic(in, out, key);
+                else
+                        aes_decrypt_generic(in, out, key);
+
+                in += AES_BLOCK_SIZE;
+                out += AES_BLOCK_SIZE;
+                len -= AES_BLOCK_SIZE;
+        }
+}
+
+void
+aes_xts_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16], int encrypt)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+                if (encrypt)
+                        aesni_xts_encrypt(in, out, len, key1, key2, iv);
+                else
+                        aesni_xts_decrypt(in, out, len, key1, key2, iv);
+                return;
+        }
+
+        aes_xts_encrypt_generic(in, out, len, key1, key2, iv, encrypt);
+}
diff --git a/src/lib/libcrypto/aes/aes_i386.c b/src/lib/libcrypto/aes/aes_i386.c
new file mode 100644
index 0000000000..85a14454da
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_i386.c
@@ -0,0 +1,201 @@
+/* $OpenBSD: aes_i386.c,v 1.5 2025/07/22 09:13:49 jsing Exp $ */
+/*
+ * Copyright (c) 2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <openssl/aes.h>
+
+#include "crypto_arch.h"
+#include "modes_local.h"
+
+int aes_set_encrypt_key_generic(const unsigned char *userKey, const int bits,
+    AES_KEY *key);
+int aes_set_decrypt_key_generic(const unsigned char *userKey, const int bits,
+    AES_KEY *key);
+
+void aes_encrypt_generic(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+void aes_decrypt_generic(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+
+void aes_cbc_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
+
+void aes_ccm64_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt);
+
+void aes_ctr32_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE]);
+
+void aes_xts_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16], int encrypt);
+
+int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
+    AES_KEY *key);
+int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
+    AES_KEY *key);
+
+void aesni_encrypt(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+void aesni_decrypt(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+
+void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
+
+void aesni_ccm64_encrypt_blocks(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16]);
+
+void aesni_ccm64_decrypt_blocks(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16]);
+
+void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char *ivec);
+
+void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
+    size_t length, const AES_KEY *key, int enc);
+
+void aesni_xts_encrypt(const unsigned char *in, unsigned char *out,
+    size_t length, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16]);
+
+void aesni_xts_decrypt(const unsigned char *in, unsigned char *out,
+    size_t length, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16]);
+
+int
+aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
+    AES_KEY *key)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0)
+                return aesni_set_encrypt_key(userKey, bits, key);
+
+        return aes_set_encrypt_key_generic(userKey, bits, key);
+}
+
+int
+aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
+    AES_KEY *key)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0)
+                return aesni_set_decrypt_key(userKey, bits, key);
+
+        return aes_set_decrypt_key_generic(userKey, bits, key);
+}
+
+void
+aes_encrypt_internal(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+                aesni_encrypt(in, out, key);
+                return;
+        }
+
+        aes_encrypt_generic(in, out, key);
+}
+
+void
+aes_decrypt_internal(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+                aesni_decrypt(in, out, key);
+                return;
+        }
+
+        aes_decrypt_generic(in, out, key);
+}
+
+void
+aes_cbc_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, unsigned char *ivec, const int enc)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+                aesni_cbc_encrypt(in, out, len, key, ivec, enc);
+                return;
+        }
+
+        aes_cbc_encrypt_generic(in, out, len, key, ivec, enc);
+}
+
+void
+aes_ccm64_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+                if (encrypt)
+                        aesni_ccm64_encrypt_blocks(in, out, blocks, key, ivec, cmac);
+                else
+                        aesni_ccm64_decrypt_blocks(in, out, blocks, key, ivec, cmac);
+                return;
+        }
+
+        aes_ccm64_encrypt_generic(in, out, blocks, key, ivec, cmac, encrypt);
+}
+
+void
+aes_ctr32_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+                aesni_ctr32_encrypt_blocks(in, out, blocks, key, ivec);
+                return;
+        }
+
+        aes_ctr32_encrypt_generic(in, out, blocks, key, ivec);
+}
+
+void
+aes_ecb_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, int encrypt)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+                aesni_ecb_encrypt(in, out, len, key, encrypt);
+                return;
+        }
+
+        while (len >= AES_BLOCK_SIZE) {
+                if (encrypt)
+                        aes_encrypt_generic(in, out, key);
+                else
+                        aes_decrypt_generic(in, out, key);
+
+                in += AES_BLOCK_SIZE;
+                out += AES_BLOCK_SIZE;
+                len -= AES_BLOCK_SIZE;
+        }
+}
+
+void
+aes_xts_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16], int encrypt)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+                if (encrypt)
+                        aesni_xts_encrypt(in, out, len, key1, key2, iv);
+                else
+                        aesni_xts_decrypt(in, out, len, key1, key2, iv);
+                return;
+        }
+
+        aes_xts_encrypt_generic(in, out, len, key1, key2, iv, encrypt);
+}
diff --git a/src/lib/libcrypto/aes/aes_ige.c b/src/lib/libcrypto/aes/aes_ige.c
deleted file mode 100644
index 1a6fcfcfbf..0000000000
--- a/src/lib/libcrypto/aes/aes_ige.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/* $OpenBSD: aes_ige.c,v 1.10 2024/03/30 05:14:12 joshua Exp $ */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- */
-
-#include <openssl/aes.h>
-#include <openssl/crypto.h>
-
-#include "aes_local.h"
-
-#define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))
-typedef struct {
-        unsigned long data[N_WORDS];
-} aes_block_t;
-
-/* XXX: probably some better way to do this */
-#if defined(__i386__) || defined(__x86_64__)
-#define UNALIGNED_MEMOPS_ARE_FAST 1
-#else
-#define UNALIGNED_MEMOPS_ARE_FAST 0
-#endif
-
-#if UNALIGNED_MEMOPS_ARE_FAST
-#define load_block(d, s)        (d) = *(const aes_block_t *)(s)
-#define store_block(d, s)       *(aes_block_t *)(d) = (s)
-#else
-#define load_block(d, s)        memcpy((d).data, (s), AES_BLOCK_SIZE)
-#define store_block(d, s)       memcpy((d), (s).data, AES_BLOCK_SIZE)
-#endif
-
-/* N.B. The IV for this mode is _twice_ the block size */
-
-void
-AES_ige_encrypt(const unsigned char *in, unsigned char *out, size_t length,
-    const AES_KEY *key, unsigned char *ivec, const int enc)
-{
-        size_t n;
-        size_t len;
-
-        OPENSSL_assert((length % AES_BLOCK_SIZE) == 0);
-
-        len = length / AES_BLOCK_SIZE;
-
-        if (AES_ENCRYPT == enc) {
-                if (in != out && (UNALIGNED_MEMOPS_ARE_FAST ||
-                    ((size_t)in|(size_t)out|(size_t)ivec) %
-                    sizeof(long) == 0)) {
-                        aes_block_t *ivp = (aes_block_t *)ivec;
-                        aes_block_t *iv2p = (aes_block_t *)(ivec + AES_BLOCK_SIZE);
-
-                        while (len) {
-                                aes_block_t *inp = (aes_block_t *)in;
-                                aes_block_t *outp = (aes_block_t *)out;
-
-                                for (n = 0; n < N_WORDS; ++n)
-                                        outp->data[n] = inp->data[n] ^ ivp->data[n];
-                                AES_encrypt((unsigned char *)outp->data, (unsigned char *)outp->data, key);
-                                for (n = 0; n < N_WORDS; ++n)
-                                        outp->data[n] ^= iv2p->data[n];
-                                ivp = outp;
-                                iv2p = inp;
-                                --len;
-                                in += AES_BLOCK_SIZE;
-                                out += AES_BLOCK_SIZE;
-                        }
-                        memmove(ivec, ivp->data, AES_BLOCK_SIZE);
-                        memmove(ivec + AES_BLOCK_SIZE, iv2p->data, AES_BLOCK_SIZE);
-                } else {
-                        aes_block_t tmp, tmp2;
-                        aes_block_t iv;
-                        aes_block_t iv2;
-
-                        load_block(iv, ivec);
-                        load_block(iv2, ivec + AES_BLOCK_SIZE);
-
-                        while (len) {
-                                load_block(tmp, in);
-                                for (n = 0; n < N_WORDS; ++n)
-                                        tmp2.data[n] = tmp.data[n] ^ iv.data[n];
-                                AES_encrypt((unsigned char *)tmp2.data,
-                                    (unsigned char *)tmp2.data, key);
-                                for (n = 0; n < N_WORDS; ++n)
-                                        tmp2.data[n] ^= iv2.data[n];
-                                store_block(out, tmp2);
-                                iv = tmp2;
-                                iv2 = tmp;
-                                --len;
-                                in += AES_BLOCK_SIZE;
-                                out += AES_BLOCK_SIZE;
-                        }
-                        memcpy(ivec, iv.data, AES_BLOCK_SIZE);
-                        memcpy(ivec + AES_BLOCK_SIZE, iv2.data, AES_BLOCK_SIZE);
-                }
-        } else {
-                if (in != out && (UNALIGNED_MEMOPS_ARE_FAST ||
-                    ((size_t)in|(size_t)out|(size_t)ivec) %
-                    sizeof(long) == 0)) {
-                        aes_block_t *ivp = (aes_block_t *)ivec;
-                        aes_block_t *iv2p = (aes_block_t *)(ivec + AES_BLOCK_SIZE);
-
-                        while (len) {
-                                aes_block_t tmp;
-                                aes_block_t *inp = (aes_block_t *)in;
-                                aes_block_t *outp = (aes_block_t *)out;
-
-                                for (n = 0; n < N_WORDS; ++n)
-                                        tmp.data[n] = inp->data[n] ^ iv2p->data[n];
-                                AES_decrypt((unsigned char *)tmp.data,
-                                    (unsigned char *)outp->data, key);
-                                for (n = 0; n < N_WORDS; ++n)
-                                        outp->data[n] ^= ivp->data[n];
-                                ivp = inp;
-                                iv2p = outp;
-                                --len;
-                                in += AES_BLOCK_SIZE;
-                                out += AES_BLOCK_SIZE;
-                        }
-                        memmove(ivec, ivp->data, AES_BLOCK_SIZE);
-                        memmove(ivec + AES_BLOCK_SIZE, iv2p->data, AES_BLOCK_SIZE);
-                } else {
-                        aes_block_t tmp, tmp2;
-                        aes_block_t iv;
-                        aes_block_t iv2;
-
-                        load_block(iv, ivec);
-                        load_block(iv2, ivec + AES_BLOCK_SIZE);
-
-                        while (len) {
-                                load_block(tmp, in);
-                                tmp2 = tmp;
-                                for (n = 0; n < N_WORDS; ++n)
-                                        tmp.data[n] ^= iv2.data[n];
-                                AES_decrypt((unsigned char *)tmp.data,
-                                    (unsigned char *)tmp.data, key);
-                                for (n = 0; n < N_WORDS; ++n)
-                                        tmp.data[n] ^= iv.data[n];
-                                store_block(out, tmp);
-                                iv = tmp2;
-                                iv2 = tmp;
-                                --len;
-                                in += AES_BLOCK_SIZE;
-                                out += AES_BLOCK_SIZE;
-                        }
-                        memcpy(ivec, iv.data, AES_BLOCK_SIZE);
-                        memcpy(ivec + AES_BLOCK_SIZE, iv2.data, AES_BLOCK_SIZE);
-                }
-        }
-}
-LCRYPTO_ALIAS(AES_ige_encrypt);
diff --git a/src/lib/libcrypto/aes/aes_local.h b/src/lib/libcrypto/aes/aes_local.h
index 823dbab574..a265eaac1d 100644
--- a/src/lib/libcrypto/aes/aes_local.h
+++ b/src/lib/libcrypto/aes/aes_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_local.h,v 1.5 2025/04/21 12:23:09 jsing Exp $ */
+/* $OpenBSD: aes_local.h,v 1.11 2025/07/22 09:29:31 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
@@ -60,13 +60,30 @@
 
 __BEGIN_HIDDEN_DECLS
 
-#define MAXKC   (256/32)
-#define MAXKB   (256/8)
-#define MAXNR   14
-
 /* This controls loop-unrolling in aes_core.c */
 #undef FULL_UNROLL
 
+void aes_encrypt_block128(const unsigned char *in, unsigned char *out,
+   const void *key);
+
+void aes_ctr32_encrypt_ctr128f(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[AES_BLOCK_SIZE]);
+
+void aes_ccm64_encrypt_ccm128f(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16]);
+
+void aes_ccm64_decrypt_ccm128f(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16]);
+
+void aes_ecb_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, int encrypt);
+
+void aes_xts_encrypt_internal(const char unsigned *in, char unsigned *out,
+    size_t len, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16], int encrypt);
+
 __END_HIDDEN_DECLS
 
 #endif /* !HEADER_AES_LOCAL_H */
diff --git a/src/lib/libcrypto/aes/asm/aes-586.pl b/src/lib/libcrypto/aes/asm/aes-586.pl
index 364099d4d3..402a1a3c46 100644
--- a/src/lib/libcrypto/aes/asm/aes-586.pl
+++ b/src/lib/libcrypto/aes/asm/aes-586.pl
@@ -1158,8 +1158,8 @@ sub enclast()
         &data_word(0x00000000, 0x00000000, 0x00000000, 0x00000000);
         &previous();
 
-# void aes_encrypt_internal(const void *inp, void *out, const AES_KEY *key);
-&function_begin("aes_encrypt_internal");
+# void aes_encrypt_generic(const void *inp, void *out, const AES_KEY *key);
+&function_begin("aes_encrypt_generic");
         &mov    ($acc,&wparam(0));              # load inp
         &mov    ($key,&wparam(2));              # load key
 
@@ -1213,7 +1213,7 @@ sub enclast()
         &mov    (&DWP(4,$acc),$s1);
         &mov    (&DWP(8,$acc),$s2);
         &mov    (&DWP(12,$acc),$s3);
-&function_end("aes_encrypt_internal");
+&function_end("aes_encrypt_generic");
 
 #--------------------------------------------------------------------#
 
@@ -1947,8 +1947,8 @@ sub declast()
         &data_byte(0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d);
         &previous();
 
-# void aes_decrypt_internal(const void *inp, void *out, const AES_KEY *key);
-&function_begin("aes_decrypt_internal");
+# void aes_decrypt_generic(const void *inp, void *out, const AES_KEY *key);
+&function_begin("aes_decrypt_generic");
         &mov    ($acc,&wparam(0));              # load inp
         &mov    ($key,&wparam(2));              # load key
 
@@ -2002,9 +2002,9 @@ sub declast()
         &mov    (&DWP(4,$acc),$s1);
         &mov    (&DWP(8,$acc),$s2);
         &mov    (&DWP(12,$acc),$s3);
-&function_end("aes_decrypt_internal");
+&function_end("aes_decrypt_generic");
 
-# void aes_cbc_encrypt_internal(const void char *inp, unsigned char *out,
+# void aes_cbc_encrypt_generic(const void char *inp, unsigned char *out,
 #     size_t length, const AES_KEY *key, unsigned char *ivp,const int enc);
 {
 # stack frame layout
@@ -2028,7 +2028,7 @@ my $ivec=&DWP(60,"esp");	# ivec[16]
 my $aes_key=&DWP(76,"esp");     # copy of aes_key
 my $mark=&DWP(76+240,"esp");    # copy of aes_key->rounds
 
-&function_begin("aes_cbc_encrypt_internal");
+&function_begin("aes_cbc_encrypt_generic");
         &mov    ($s2 eq "ecx"? $s2 : "",&wparam(2));    # load len
         &cmp    ($s2,0);
         &je     (&label("drop_out"));
@@ -2616,7 +2616,7 @@ my $mark=&DWP(76+240,"esp");	# copy of aes_key->rounds
 
         &mov    ("esp",$_esp);
         &popf   ();
-&function_end("aes_cbc_encrypt_internal");
+&function_end("aes_cbc_encrypt_generic");
 }
 
 #------------------------------------------------------------------#
@@ -2849,12 +2849,12 @@ sub enckey()
     &set_label("exit");
 &function_end("_x86_AES_set_encrypt_key");
 
-# int aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
+# int aes_set_encrypt_key_generic(const unsigned char *userKey, const int bits,
 #      AES_KEY *key)
-&function_begin_B("aes_set_encrypt_key_internal");
+&function_begin_B("aes_set_encrypt_key_generic");
         &call   ("_x86_AES_set_encrypt_key");
         &ret    ();
-&function_end_B("aes_set_encrypt_key_internal");
+&function_end_B("aes_set_encrypt_key_generic");
 
 sub deckey()
 { my ($i,$key,$tp1,$tp2,$tp4,$tp8) = @_;
@@ -2911,9 +2911,9 @@ sub deckey()
         &mov    (&DWP(4*$i,$key),$tp1);
 }
 
-# int aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
+# int aes_set_decrypt_key_generic(const unsigned char *userKey, const int bits,
 #     AES_KEY *key)
-&function_begin_B("aes_set_decrypt_key_internal");
+&function_begin_B("aes_set_decrypt_key_generic");
         &call   ("_x86_AES_set_encrypt_key");
         &cmp    ("eax",0);
         &je     (&label("proceed"));
@@ -2969,6 +2969,6 @@ sub deckey()
         &jb     (&label("permute"));
 
         &xor    ("eax","eax");                  # return success
-&function_end("aes_set_decrypt_key_internal");
+&function_end("aes_set_decrypt_key_generic");
 
 &asm_finish();
diff --git a/src/lib/libcrypto/aes/asm/aes-x86_64.pl b/src/lib/libcrypto/aes/asm/aes-x86_64.pl
index 324c4a2be2..2c73627546 100755
--- a/src/lib/libcrypto/aes/asm/aes-x86_64.pl
+++ b/src/lib/libcrypto/aes/asm/aes-x86_64.pl
@@ -586,15 +586,15 @@ $code.=<<___;
 .size   _x86_64_AES_encrypt_compact,.-_x86_64_AES_encrypt_compact
 ___
 
-# void aes_encrypt_internal(const void *inp, void *out, const AES_KEY *key);
+# void aes_encrypt_generic(const void *inp, void *out, const AES_KEY *key);
 $code.=<<___;
-.globl  aes_encrypt_internal
-.type   aes_encrypt_internal,\@function,3
+.globl  aes_encrypt_generic
+.type   aes_encrypt_generic,\@function,3
 .align  16
 .globl  asm_AES_encrypt
 .hidden asm_AES_encrypt
 asm_AES_encrypt:
-aes_encrypt_internal:
+aes_encrypt_generic:
         _CET_ENDBR
         push    %rbx
         push    %rbp
@@ -655,7 +655,7 @@ aes_encrypt_internal:
         lea     48(%rsi),%rsp
 .Lenc_epilogue:
         ret
-.size   aes_encrypt_internal,.-aes_encrypt_internal
+.size   aes_encrypt_generic,.-aes_encrypt_generic
 ___
 
 #------------------------------------------------------------------#
@@ -1188,15 +1188,15 @@ $code.=<<___;
 .size   _x86_64_AES_decrypt_compact,.-_x86_64_AES_decrypt_compact
 ___
 
-# void aes_decrypt_internal(const void *inp, void *out, const AES_KEY *key);
+# void aes_decrypt_generic(const void *inp, void *out, const AES_KEY *key);
 $code.=<<___;
-.globl  aes_decrypt_internal
-.type   aes_decrypt_internal,\@function,3
+.globl  aes_decrypt_generic
+.type   aes_decrypt_generic,\@function,3
 .align  16
 .globl  asm_AES_decrypt
 .hidden asm_AES_decrypt
 asm_AES_decrypt:
-aes_decrypt_internal:
+aes_decrypt_generic:
         _CET_ENDBR
         push    %rbx
         push    %rbp
@@ -1259,7 +1259,7 @@ aes_decrypt_internal:
         lea     48(%rsi),%rsp
 .Ldec_epilogue:
         ret
-.size   aes_decrypt_internal,.-aes_decrypt_internal
+.size   aes_decrypt_generic,.-aes_decrypt_generic
 ___
 #------------------------------------------------------------------#
 
@@ -1290,13 +1290,13 @@ $code.=<<___;
 ___
 }
 
-# int aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
+# int aes_set_encrypt_key_generic(const unsigned char *userKey, const int bits,
 #     AES_KEY *key)
 $code.=<<___;
-.globl  aes_set_encrypt_key_internal
-.type   aes_set_encrypt_key_internal,\@function,3
+.globl  aes_set_encrypt_key_generic
+.type   aes_set_encrypt_key_generic,\@function,3
 .align  16
-aes_set_encrypt_key_internal:
+aes_set_encrypt_key_generic:
         _CET_ENDBR
         push    %rbx
         push    %rbp
@@ -1318,7 +1318,7 @@ aes_set_encrypt_key_internal:
         add     \$56,%rsp
 .Lenc_key_epilogue:
         ret
-.size   aes_set_encrypt_key_internal,.-aes_set_encrypt_key_internal
+.size   aes_set_encrypt_key_generic,.-aes_set_encrypt_key_generic
 
 .type   _x86_64_AES_set_encrypt_key,\@abi-omnipotent
 .align  16
@@ -1562,13 +1562,13 @@ $code.=<<___;
 ___
 }
 
-# int aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
+# int aes_set_decrypt_key_generic(const unsigned char *userKey, const int bits,
 #     AES_KEY *key)
 $code.=<<___;
-.globl  aes_set_decrypt_key_internal
-.type   aes_set_decrypt_key_internal,\@function,3
+.globl  aes_set_decrypt_key_generic
+.type   aes_set_decrypt_key_generic,\@function,3
 .align  16
-aes_set_decrypt_key_internal:
+aes_set_decrypt_key_generic:
         _CET_ENDBR
         push    %rbx
         push    %rbp
@@ -1638,10 +1638,10 @@ $code.=<<___;
         add     \$56,%rsp
 .Ldec_key_epilogue:
         ret
-.size   aes_set_decrypt_key_internal,.-aes_set_decrypt_key_internal
+.size   aes_set_decrypt_key_generic,.-aes_set_decrypt_key_generic
 ___
 
-# void aes_cbc_encrypt_internal(const void char *inp, unsigned char *out,
+# void aes_cbc_encrypt_generic(const void char *inp, unsigned char *out,
 #     size_t length, const AES_KEY *key, unsigned char *ivp,const int enc);
 {
 # stack frame layout
@@ -1659,15 +1659,15 @@ my $aes_key="80(%rsp)";		# copy of aes_key
 my $mark="80+240(%rsp)";        # copy of aes_key->rounds
 
 $code.=<<___;
-.globl  aes_cbc_encrypt_internal
-.type   aes_cbc_encrypt_internal,\@function,6
+.globl  aes_cbc_encrypt_generic
+.type   aes_cbc_encrypt_generic,\@function,6
 .align  16
 .extern OPENSSL_ia32cap_P
 .hidden OPENSSL_ia32cap_P
 .globl  asm_AES_cbc_encrypt
 .hidden asm_AES_cbc_encrypt
 asm_AES_cbc_encrypt:
-aes_cbc_encrypt_internal:
+aes_cbc_encrypt_generic:
         _CET_ENDBR
         cmp     \$0,%rdx        # check length
         je      .Lcbc_epilogue
@@ -2117,7 +2117,7 @@ aes_cbc_encrypt_internal:
         popfq
 .Lcbc_epilogue:
         ret
-.size   aes_cbc_encrypt_internal,.-aes_cbc_encrypt_internal
+.size   aes_cbc_encrypt_generic,.-aes_cbc_encrypt_generic
 ___
 }
 
@@ -2782,45 +2782,45 @@ cbc_se_handler:
 
 .section        .pdata
 .align  4
-        .rva    .LSEH_begin_aes_encrypt_internal
-        .rva    .LSEH_end_aes_encrypt_internal
-        .rva    .LSEH_info_aes_encrypt_internal
+        .rva    .LSEH_begin_aes_encrypt_generic
+        .rva    .LSEH_end_aes_encrypt_generic
+        .rva    .LSEH_info_aes_encrypt_generic
 
-        .rva    .LSEH_begin_aes_decrypt_internal
-        .rva    .LSEH_end_aes_decrypt_internal
-        .rva    .LSEH_info_aes_decrypt_internal
+        .rva    .LSEH_begin_aes_decrypt_generic
+        .rva    .LSEH_end_aes_decrypt_generic
+        .rva    .LSEH_info_aes_decrypt_generic
 
-        .rva    .LSEH_begin_aes_set_encrypt_key_internal
-        .rva    .LSEH_end_aes_set_encrypt_key_internal
-        .rva    .LSEH_info_aes_set_encrypt_key_internal
+        .rva    .LSEH_begin_aes_set_encrypt_key_generic
+        .rva    .LSEH_end_aes_set_encrypt_key_generic
+        .rva    .LSEH_info_aes_set_encrypt_key_generic
 
-        .rva    .LSEH_begin_aes_set_decrypt_key_internal
-        .rva    .LSEH_end_aes_set_decrypt_key_internal
-        .rva    .LSEH_info_aes_set_decrypt_key_internal
+        .rva    .LSEH_begin_aes_set_decrypt_key_generic
+        .rva    .LSEH_end_aes_set_decrypt_key_generic
+        .rva    .LSEH_info_aes_set_decrypt_key_generic
 
-        .rva    .LSEH_begin_aes_cbc_encrypt_internal
-        .rva    .LSEH_end_aes_cbc_encrypt_internal
-        .rva    .LSEH_info_aes_cbc_encrypt_internal
+        .rva    .LSEH_begin_aes_cbc_encrypt_generic
+        .rva    .LSEH_end_aes_cbc_encrypt_generic
+        .rva    .LSEH_info_aes_cbc_encrypt_generic
 
 .section        .xdata
 .align  8
-.LSEH_info_aes_encrypt_internal:
+.LSEH_info_aes_encrypt_generic:
         .byte   9,0,0,0
         .rva    block_se_handler
         .rva    .Lenc_prologue,.Lenc_epilogue   # HandlerData[]
-.LSEH_info_aes_decrypt_internal:
+.LSEH_info_aes_decrypt_generic:
         .byte   9,0,0,0
         .rva    block_se_handler
         .rva    .Ldec_prologue,.Ldec_epilogue   # HandlerData[]
-.LSEH_info_aes_set_encrypt_key_internal:
+.LSEH_info_aes_set_encrypt_key_generic:
         .byte   9,0,0,0
         .rva    key_se_handler
         .rva    .Lenc_key_prologue,.Lenc_key_epilogue   # HandlerData[]
-.LSEH_info_aes_set_decrypt_key_internal:
+.LSEH_info_aes_set_decrypt_key_generic:
         .byte   9,0,0,0
         .rva    key_se_handler
         .rva    .Ldec_key_prologue,.Ldec_key_epilogue   # HandlerData[]
-.LSEH_info_aes_cbc_encrypt_internal:
+.LSEH_info_aes_cbc_encrypt_generic:
         .byte   9,0,0,0
         .rva    cbc_se_handler
 ___
diff --git a/src/lib/libcrypto/aes/asm/bsaes-x86_64.pl b/src/lib/libcrypto/aes/asm/bsaes-x86_64.pl
deleted file mode 100644
index c44a338114..0000000000
--- a/src/lib/libcrypto/aes/asm/bsaes-x86_64.pl
+++ /dev/null
@@ -1,3123 +0,0 @@
-#!/usr/bin/env perl
-
-###################################################################
-### AES-128 [originally in CTR mode]                            ###
-### bitsliced implementation for Intel Core 2 processors        ###
-### requires support of SSE extensions up to SSSE3              ###
-### Author: Emilia Käsper and Peter Schwabe                    ###
-### Date: 2009-03-19                                            ###
-### Public domain                                               ###
-###                                                             ###
-### See http://homes.esat.kuleuven.be/~ekasper/#software for    ###
-### further information.                                        ###
-###################################################################
-#
-# September 2011.
-#
-# Started as transliteration to "perlasm" the original code has
-# undergone following changes:
-#
-# - code was made position-independent;
-# - rounds were folded into a loop resulting in >5x size reduction
-#   from 12.5KB to 2.2KB;
-# - above was possible thanks to mixcolumns() modification that
-#   allowed to feed its output back to aesenc[last], this was
-#   achieved at cost of two additional inter-registers moves;
-# - some instruction reordering and interleaving;
-# - this module doesn't implement key setup subroutine, instead it
-#   relies on conversion of "conventional" key schedule as returned
-#   by AES_set_encrypt_key (see discussion below);
-# - first and last round keys are treated differently, which allowed
-#   to skip one shiftrows(), reduce bit-sliced key schedule and
-#   speed-up conversion by 22%;
-# - support for 192- and 256-bit keys was added;
-#
-# Resulting performance in CPU cycles spent to encrypt one byte out
-# of 4096-byte buffer with 128-bit key is:
-#
-#               Emilia's        this(*)         difference
-#
-# Core 2        9.30            8.69            +7%
-# Nehalem(**)   7.63            6.98            +9%
-# Atom          17.1            17.4            -2%(***)
-#
-# (*)   Comparison is not completely fair, because "this" is ECB,
-#       i.e. no extra processing such as counter values calculation
-#       and xor-ing input as in Emilia's CTR implementation is
-#       performed. However, the CTR calculations stand for not more
-#       than 1% of total time, so comparison is *rather* fair.
-#
-# (**)  Results were collected on Westmere, which is considered to
-#       be equivalent to Nehalem for this code.
-#
-# (***) Slowdown on Atom is rather strange per se, because original
-#       implementation has a number of 9+-bytes instructions, which
-#       are bad for Atom front-end, and which I eliminated completely.
-#       In attempt to address deterioration sbox() was tested in FP
-#       SIMD "domain" (movaps instead of movdqa, xorps instead of
-#       pxor, etc.). While it resulted in nominal 4% improvement on
-#       Atom, it hurted Westmere by more than 2x factor.
-#
-# As for key schedule conversion subroutine. Interface to OpenSSL
-# relies on per-invocation on-the-fly conversion. This naturally
-# has impact on performance, especially for short inputs. Conversion
-# time in CPU cycles and its ratio to CPU cycles spent in 8x block
-# function is:
-#
-#               conversion      conversion/8x block
-# Core 2        240             0.22
-# Nehalem       180             0.20
-# Atom          430             0.19
-#
-# The ratio values mean that 128-byte blocks will be processed
-# 16-18% slower, 256-byte blocks - 9-10%, 384-byte blocks - 6-7%,
-# etc. Then keep in mind that input sizes not divisible by 128 are
-# *effectively* slower, especially shortest ones, e.g. consecutive
-# 144-byte blocks are processed 44% slower than one would expect,
-# 272 - 29%, 400 - 22%, etc. Yet, despite all these "shortcomings"
-# it's still faster than ["hyper-threading-safe" code path in]
-# aes-x86_64.pl on all lengths above 64 bytes...
-#
-# October 2011.
-#
-# Add decryption procedure. Performance in CPU cycles spent to decrypt
-# one byte out of 4096-byte buffer with 128-bit key is:
-#
-# Core 2        9.83
-# Nehalem       7.74
-# Atom          19.0
-#
-# November 2011.
-#
-# Add bsaes_xts_[en|de]crypt. Less-than-80-bytes-block performance is
-# suboptimal, but XTS is meant to be used with larger blocks...
-#
-#                                               <appro@openssl.org>
-
-$flavour = shift;
-$output  = shift;
-if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
-
-$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
-die "can't locate x86_64-xlate.pl";
-
-open OUT,"| \"$^X\" $xlate $flavour $output";
-*STDOUT=*OUT;
-
-my ($inp,$out,$len,$key,$ivp)=("%rdi","%rsi","%rdx","%rcx");
-my @XMM=map("%xmm$_",(15,0..14));       # best on Atom, +10% over (0..15)
-my $ecb=0;      # suppress unreferenced ECB subroutines, spare some space...
-
-{
-my ($key,$rounds,$const)=("%rax","%r10d","%r11");
-
-sub Sbox {
-# input in  lsb > [b0, b1, b2, b3, b4, b5, b6, b7] < msb
-# output in lsb > [b0, b1, b4, b6, b3, b7, b2, b5] < msb
-my @b=@_[0..7];
-my @t=@_[8..11];
-my @s=@_[12..15];
-        &InBasisChange  (@b);
-        &Inv_GF256      (@b[6,5,0,3,7,1,4,2],@t,@s);
-        &OutBasisChange (@b[7,1,4,2,6,5,0,3]);
-}
-
-sub InBasisChange {
-# input in  lsb > [b0, b1, b2, b3, b4, b5, b6, b7] < msb
-# output in lsb > [b6, b5, b0, b3, b7, b1, b4, b2] < msb 
-my @b=@_[0..7];
-$code.=<<___;
-        pxor    @b[6], @b[5]
-        pxor    @b[1], @b[2]
-        pxor    @b[0], @b[3]
-        pxor    @b[2], @b[6]
-        pxor    @b[0], @b[5]
-
-        pxor    @b[3], @b[6]
-        pxor    @b[7], @b[3]
-        pxor    @b[5], @b[7]
-        pxor    @b[4], @b[3]
-        pxor    @b[5], @b[4]
-        pxor    @b[1], @b[3]
-
-        pxor    @b[7], @b[2]
-        pxor    @b[5], @b[1]
-___
-}
-
-sub OutBasisChange {
-# input in  lsb > [b0, b1, b2, b3, b4, b5, b6, b7] < msb
-# output in lsb > [b6, b1, b2, b4, b7, b0, b3, b5] < msb
-my @b=@_[0..7];
-$code.=<<___;
-        pxor    @b[6], @b[0]
-        pxor    @b[4], @b[1]
-        pxor    @b[0], @b[2]
-        pxor    @b[6], @b[4]
-        pxor    @b[1], @b[6]
-
-        pxor    @b[5], @b[1]
-        pxor    @b[3], @b[5]
-        pxor    @b[7], @b[3]
-        pxor    @b[5], @b[7]
-        pxor    @b[5], @b[2]
-
-        pxor    @b[7], @b[4]
-___
-}
-
-sub InvSbox {
-# input in lsb  > [b0, b1, b2, b3, b4, b5, b6, b7] < msb
-# output in lsb > [b0, b1, b6, b4, b2, b7, b3, b5] < msb
-my @b=@_[0..7];
-my @t=@_[8..11];
-my @s=@_[12..15];
-        &InvInBasisChange       (@b);
-        &Inv_GF256              (@b[5,1,2,6,3,7,0,4],@t,@s);
-        &InvOutBasisChange      (@b[3,7,0,4,5,1,2,6]);
-}
-
-sub InvInBasisChange {          # OutBasisChange in reverse
-my @b=@_[5,1,2,6,3,7,0,4];
-$code.=<<___
-        pxor    @b[7], @b[4]
-
-        pxor    @b[5], @b[7]
-        pxor    @b[5], @b[2]
-        pxor    @b[7], @b[3]
-        pxor    @b[3], @b[5]
-        pxor    @b[5], @b[1]
-
-        pxor    @b[1], @b[6]
-        pxor    @b[0], @b[2]
-        pxor    @b[6], @b[4]
-        pxor    @b[6], @b[0]
-        pxor    @b[4], @b[1]
-___
-}
-
-sub InvOutBasisChange {         # InBasisChange in reverse
-my @b=@_[2,5,7,3,6,1,0,4];
-$code.=<<___;
-        pxor    @b[5], @b[1]
-        pxor    @b[7], @b[2]
-
-        pxor    @b[1], @b[3]
-        pxor    @b[5], @b[4]
-        pxor    @b[5], @b[7]
-        pxor    @b[4], @b[3]
-         pxor   @b[0], @b[5]
-        pxor    @b[7], @b[3]
-         pxor   @b[2], @b[6]
-         pxor   @b[1], @b[2]
-        pxor    @b[3], @b[6]
-
-        pxor    @b[0], @b[3]
-        pxor    @b[6], @b[5]
-___
-}
-
-sub Mul_GF4 {
-#;*************************************************************
-#;* Mul_GF4: Input x0-x1,y0-y1 Output x0-x1 Temp t0 (8) *
-#;*************************************************************
-my ($x0,$x1,$y0,$y1,$t0)=@_;
-$code.=<<___;
-        movdqa  $y0, $t0
-        pxor    $y1, $t0
-        pand    $x0, $t0
-        pxor    $x1, $x0
-        pand    $y0, $x1
-        pand    $y1, $x0
-        pxor    $x1, $x0
-        pxor    $t0, $x1
-___
-}
-
-sub Mul_GF4_N {                         # not used, see next subroutine
-# multiply and scale by N
-my ($x0,$x1,$y0,$y1,$t0)=@_;
-$code.=<<___;
-        movdqa  $y0, $t0
-        pxor    $y1, $t0
-        pand    $x0, $t0
-        pxor    $x1, $x0
-        pand    $y0, $x1
-        pand    $y1, $x0
-        pxor    $x0, $x1
-        pxor    $t0, $x0
-___
-}
-
-sub Mul_GF4_N_GF4 {
-# interleaved Mul_GF4_N and Mul_GF4
-my ($x0,$x1,$y0,$y1,$t0,
-    $x2,$x3,$y2,$y3,$t1)=@_;
-$code.=<<___;
-        movdqa  $y0, $t0
-         movdqa $y2, $t1
-        pxor    $y1, $t0
-         pxor   $y3, $t1
-        pand    $x0, $t0
-         pand   $x2, $t1
-        pxor    $x1, $x0
-         pxor   $x3, $x2
-        pand    $y0, $x1
-         pand   $y2, $x3
-        pand    $y1, $x0
-         pand   $y3, $x2
-        pxor    $x0, $x1
-         pxor   $x3, $x2
-        pxor    $t0, $x0
-         pxor   $t1, $x3
-___
-}
-sub Mul_GF16_2 {
-my @x=@_[0..7];
-my @y=@_[8..11];
-my @t=@_[12..15];
-$code.=<<___;
-        movdqa  @x[0], @t[0]
-        movdqa  @x[1], @t[1]
-___
-        &Mul_GF4        (@x[0], @x[1], @y[0], @y[1], @t[2]);
-$code.=<<___;
-        pxor    @x[2], @t[0]
-        pxor    @x[3], @t[1]
-        pxor    @y[2], @y[0]
-        pxor    @y[3], @y[1]
-___
-        Mul_GF4_N_GF4   (@t[0], @t[1], @y[0], @y[1], @t[3],
-                         @x[2], @x[3], @y[2], @y[3], @t[2]);
-$code.=<<___;
-        pxor    @t[0], @x[0]
-        pxor    @t[0], @x[2]
-        pxor    @t[1], @x[1]
-        pxor    @t[1], @x[3]
-
-        movdqa  @x[4], @t[0]
-        movdqa  @x[5], @t[1]
-        pxor    @x[6], @t[0]
-        pxor    @x[7], @t[1]
-___
-        &Mul_GF4_N_GF4  (@t[0], @t[1], @y[0], @y[1], @t[3],
-                         @x[6], @x[7], @y[2], @y[3], @t[2]);
-$code.=<<___;
-        pxor    @y[2], @y[0]
-        pxor    @y[3], @y[1]
-___
-        &Mul_GF4        (@x[4], @x[5], @y[0], @y[1], @t[3]);
-$code.=<<___;
-        pxor    @t[0], @x[4]
-        pxor    @t[0], @x[6]
-        pxor    @t[1], @x[5]
-        pxor    @t[1], @x[7]
-___
-}
-sub Inv_GF256 {
-#;********************************************************************
-#;* Inv_GF256: Input x0-x7 Output x0-x7 Temp t0-t3,s0-s3 (144)       *
-#;********************************************************************
-my @x=@_[0..7];
-my @t=@_[8..11];
-my @s=@_[12..15];
-# direct optimizations from hardware
-$code.=<<___;
-        movdqa  @x[4], @t[3]
-        movdqa  @x[5], @t[2]
-        movdqa  @x[1], @t[1]
-        movdqa  @x[7], @s[1]
-        movdqa  @x[0], @s[0]
-
-        pxor    @x[6], @t[3]
-        pxor    @x[7], @t[2]
-        pxor    @x[3], @t[1]
-         movdqa @t[3], @s[2]
-        pxor    @x[6], @s[1]
-         movdqa @t[2], @t[0]
-        pxor    @x[2], @s[0]
-         movdqa @t[3], @s[3]
-
-        por     @t[1], @t[2]
-        por     @s[0], @t[3]
-        pxor    @t[0], @s[3]
-        pand    @s[0], @s[2]
-        pxor    @t[1], @s[0]
-        pand    @t[1], @t[0]
-        pand    @s[0], @s[3]
-        movdqa  @x[3], @s[0]
-        pxor    @x[2], @s[0]
-        pand    @s[0], @s[1]
-        pxor    @s[1], @t[3]
-        pxor    @s[1], @t[2]
-        movdqa  @x[4], @s[1]
-        movdqa  @x[1], @s[0]
-        pxor    @x[5], @s[1]
-        pxor    @x[0], @s[0]
-        movdqa  @s[1], @t[1]
-        pand    @s[0], @s[1]
-        por     @s[0], @t[1]
-        pxor    @s[1], @t[0]
-        pxor    @s[3], @t[3]
-        pxor    @s[2], @t[2]
-        pxor    @s[3], @t[1]
-        movdqa  @x[7], @s[0]
-        pxor    @s[2], @t[0]
-        movdqa  @x[6], @s[1]
-        pxor    @s[2], @t[1]
-        movdqa  @x[5], @s[2]
-        pand    @x[3], @s[0]
-        movdqa  @x[4], @s[3]
-        pand    @x[2], @s[1]
-        pand    @x[1], @s[2]
-        por     @x[0], @s[3]
-        pxor    @s[0], @t[3]
-        pxor    @s[1], @t[2]
-        pxor    @s[2], @t[1]
-        pxor    @s[3], @t[0] 
-
-        #Inv_GF16 \t0, \t1, \t2, \t3, \s0, \s1, \s2, \s3
-
-        # new smaller inversion
-
-        movdqa  @t[3], @s[0]
-        pand    @t[1], @t[3]
-        pxor    @t[2], @s[0]
-
-        movdqa  @t[0], @s[2]
-        movdqa  @s[0], @s[3]
-        pxor    @t[3], @s[2]
-        pand    @s[2], @s[3]
-
-        movdqa  @t[1], @s[1]
-        pxor    @t[2], @s[3]
-        pxor    @t[0], @s[1]
-
-        pxor    @t[2], @t[3]
-
-        pand    @t[3], @s[1]
-
-        movdqa  @s[2], @t[2]
-        pxor    @t[0], @s[1]
-
-        pxor    @s[1], @t[2]
-        pxor    @s[1], @t[1]
-
-        pand    @t[0], @t[2]
-
-        pxor    @t[2], @s[2]
-        pxor    @t[2], @t[1]
-
-        pand    @s[3], @s[2]
-
-        pxor    @s[0], @s[2]
-___
-# output in s3, s2, s1, t1
-
-# Mul_GF16_2 \x0, \x1, \x2, \x3, \x4, \x5, \x6, \x7, \t2, \t3, \t0, \t1, \s0, \s1, \s2, \s3
-
-# Mul_GF16_2 \x0, \x1, \x2, \x3, \x4, \x5, \x6, \x7, \s3, \s2, \s1, \t1, \s0, \t0, \t2, \t3
-        &Mul_GF16_2(@x,@s[3,2,1],@t[1],@s[0],@t[0,2,3]);
-
-### output msb > [x3,x2,x1,x0,x7,x6,x5,x4] < lsb
-}
-
-# AES linear components
-
-sub ShiftRows {
-my @x=@_[0..7];
-my $mask=pop;
-$code.=<<___;
-        pxor    0x00($key),@x[0]
-        pxor    0x10($key),@x[1]
-        pshufb  $mask,@x[0]
-        pxor    0x20($key),@x[2]
-        pshufb  $mask,@x[1]
-        pxor    0x30($key),@x[3]
-        pshufb  $mask,@x[2]
-        pxor    0x40($key),@x[4]
-        pshufb  $mask,@x[3]
-        pxor    0x50($key),@x[5]
-        pshufb  $mask,@x[4]
-        pxor    0x60($key),@x[6]
-        pshufb  $mask,@x[5]
-        pxor    0x70($key),@x[7]
-        pshufb  $mask,@x[6]
-        lea     0x80($key),$key
-        pshufb  $mask,@x[7]
-___
-}
-
-sub MixColumns {
-# modified to emit output in order suitable for feeding back to aesenc[last]
-my @x=@_[0..7];
-my @t=@_[8..15];
-my $inv=@_[16]; # optional
-$code.=<<___;
-        pshufd  \$0x93, @x[0], @t[0]    # x0 <<< 32
-        pshufd  \$0x93, @x[1], @t[1]
-         pxor   @t[0], @x[0]            # x0 ^ (x0 <<< 32)
-        pshufd  \$0x93, @x[2], @t[2]
-         pxor   @t[1], @x[1]
-        pshufd  \$0x93, @x[3], @t[3]
-         pxor   @t[2], @x[2]
-        pshufd  \$0x93, @x[4], @t[4]
-         pxor   @t[3], @x[3]
-        pshufd  \$0x93, @x[5], @t[5]
-         pxor   @t[4], @x[4]
-        pshufd  \$0x93, @x[6], @t[6]
-         pxor   @t[5], @x[5]
-        pshufd  \$0x93, @x[7], @t[7]
-         pxor   @t[6], @x[6]
-         pxor   @t[7], @x[7]
-
-        pxor    @x[0], @t[1]
-        pxor    @x[7], @t[0]
-        pxor    @x[7], @t[1]
-         pshufd \$0x4E, @x[0], @x[0]    # (x0 ^ (x0 <<< 32)) <<< 64)
-        pxor    @x[1], @t[2]
-         pshufd \$0x4E, @x[1], @x[1]
-        pxor    @x[4], @t[5]
-         pxor   @t[0], @x[0]
-        pxor    @x[5], @t[6]
-         pxor   @t[1], @x[1]
-        pxor    @x[3], @t[4]
-         pshufd \$0x4E, @x[4], @t[0]
-        pxor    @x[6], @t[7]
-         pshufd \$0x4E, @x[5], @t[1]
-        pxor    @x[2], @t[3]
-         pshufd \$0x4E, @x[3], @x[4]
-        pxor    @x[7], @t[3]
-         pshufd \$0x4E, @x[7], @x[5]
-        pxor    @x[7], @t[4]
-         pshufd \$0x4E, @x[6], @x[3]
-        pxor    @t[4], @t[0]
-         pshufd \$0x4E, @x[2], @x[6]
-        pxor    @t[5], @t[1]
-___
-$code.=<<___ if (!$inv);
-        pxor    @t[3], @x[4]
-        pxor    @t[7], @x[5]
-        pxor    @t[6], @x[3]
-         movdqa @t[0], @x[2]
-        pxor    @t[2], @x[6]
-         movdqa @t[1], @x[7]
-___
-$code.=<<___ if ($inv);
-        pxor    @x[4], @t[3]
-        pxor    @t[7], @x[5]
-        pxor    @x[3], @t[6]
-         movdqa @t[0], @x[3]
-        pxor    @t[2], @x[6]
-         movdqa @t[6], @x[2]
-         movdqa @t[1], @x[7]
-         movdqa @x[6], @x[4]
-         movdqa @t[3], @x[6]
-___
-}
-
-sub InvMixColumns_orig {
-my @x=@_[0..7];
-my @t=@_[8..15];
-
-$code.=<<___;
-        # multiplication by 0x0e
-        pshufd  \$0x93, @x[7], @t[7]
-        movdqa  @x[2], @t[2]
-        pxor    @x[5], @x[7]            # 7 5
-        pxor    @x[5], @x[2]            # 2 5
-        pshufd  \$0x93, @x[0], @t[0]
-        movdqa  @x[5], @t[5]
-        pxor    @x[0], @x[5]            # 5 0           [1]
-        pxor    @x[1], @x[0]            # 0 1
-        pshufd  \$0x93, @x[1], @t[1]
-        pxor    @x[2], @x[1]            # 1 25
-        pxor    @x[6], @x[0]            # 01 6          [2]
-        pxor    @x[3], @x[1]            # 125 3         [4]
-        pshufd  \$0x93, @x[3], @t[3]
-        pxor    @x[0], @x[2]            # 25 016        [3]
-        pxor    @x[7], @x[3]            # 3 75
-        pxor    @x[6], @x[7]            # 75 6          [0]
-        pshufd  \$0x93, @x[6], @t[6]
-        movdqa  @x[4], @t[4]
-        pxor    @x[4], @x[6]            # 6 4
-        pxor    @x[3], @x[4]            # 4 375         [6]
-        pxor    @x[7], @x[3]            # 375 756=36
-        pxor    @t[5], @x[6]            # 64 5          [7]
-        pxor    @t[2], @x[3]            # 36 2
-        pxor    @t[4], @x[3]            # 362 4         [5]
-        pshufd  \$0x93, @t[5], @t[5]
-___
-                                        my @y = @x[7,5,0,2,1,3,4,6];
-$code.=<<___;
-        # multiplication by 0x0b
-        pxor    @y[0], @y[1]
-        pxor    @t[0], @y[0]
-        pxor    @t[1], @y[1]
-        pshufd  \$0x93, @t[2], @t[2]
-        pxor    @t[5], @y[0]
-        pxor    @t[6], @y[1]
-        pxor    @t[7], @y[0]
-        pshufd  \$0x93, @t[4], @t[4]
-        pxor    @t[6], @t[7]            # clobber t[7]
-        pxor    @y[0], @y[1]
-
-        pxor    @t[0], @y[3]
-        pshufd  \$0x93, @t[0], @t[0]
-        pxor    @t[1], @y[2]
-        pxor    @t[1], @y[4]
-        pxor    @t[2], @y[2]
-        pshufd  \$0x93, @t[1], @t[1]
-        pxor    @t[2], @y[3]
-        pxor    @t[2], @y[5]
-        pxor    @t[7], @y[2]
-        pshufd  \$0x93, @t[2], @t[2]
-        pxor    @t[3], @y[3]
-        pxor    @t[3], @y[6]
-        pxor    @t[3], @y[4]
-        pshufd  \$0x93, @t[3], @t[3]
-        pxor    @t[4], @y[7]
-        pxor    @t[4], @y[5]
-        pxor    @t[7], @y[7]
-        pxor    @t[5], @y[3]
-        pxor    @t[4], @y[4]
-        pxor    @t[5], @t[7]            # clobber t[7] even more
-
-        pxor    @t[7], @y[5]
-        pshufd  \$0x93, @t[4], @t[4]
-        pxor    @t[7], @y[6]
-        pxor    @t[7], @y[4]
-
-        pxor    @t[5], @t[7]
-        pshufd  \$0x93, @t[5], @t[5]
-        pxor    @t[6], @t[7]            # restore t[7]
-
-        # multiplication by 0x0d
-        pxor    @y[7], @y[4]
-        pxor    @t[4], @y[7]
-        pshufd  \$0x93, @t[6], @t[6]
-        pxor    @t[0], @y[2]
-        pxor    @t[5], @y[7]
-        pxor    @t[2], @y[2]
-        pshufd  \$0x93, @t[7], @t[7]
-
-        pxor    @y[1], @y[3]
-        pxor    @t[1], @y[1]
-        pxor    @t[0], @y[0]
-        pxor    @t[0], @y[3]
-        pxor    @t[5], @y[1]
-        pxor    @t[5], @y[0]
-        pxor    @t[7], @y[1]
-        pshufd  \$0x93, @t[0], @t[0]
-        pxor    @t[6], @y[0]
-        pxor    @y[1], @y[3]
-        pxor    @t[1], @y[4]
-        pshufd  \$0x93, @t[1], @t[1]
-
-        pxor    @t[7], @y[7]
-        pxor    @t[2], @y[4]
-        pxor    @t[2], @y[5]
-        pshufd  \$0x93, @t[2], @t[2]
-        pxor    @t[6], @y[2]
-        pxor    @t[3], @t[6]            # clobber t[6]
-        pxor    @y[7], @y[4]
-        pxor    @t[6], @y[3]
-
-        pxor    @t[6], @y[6]
-        pxor    @t[5], @y[5]
-        pxor    @t[4], @y[6]
-        pshufd  \$0x93, @t[4], @t[4]
-        pxor    @t[6], @y[5]
-        pxor    @t[7], @y[6]
-        pxor    @t[3], @t[6]            # restore t[6]
-
-        pshufd  \$0x93, @t[5], @t[5]
-        pshufd  \$0x93, @t[6], @t[6]
-        pshufd  \$0x93, @t[7], @t[7]
-        pshufd  \$0x93, @t[3], @t[3]
-
-        # multiplication by 0x09
-        pxor    @y[1], @y[4]
-        pxor    @y[1], @t[1]            # t[1]=y[1]
-        pxor    @t[5], @t[0]            # clobber t[0]
-        pxor    @t[5], @t[1]
-        pxor    @t[0], @y[3]
-        pxor    @y[0], @t[0]            # t[0]=y[0]
-        pxor    @t[6], @t[1]
-        pxor    @t[7], @t[6]            # clobber t[6]
-        pxor    @t[1], @y[4]
-        pxor    @t[4], @y[7]
-        pxor    @y[4], @t[4]            # t[4]=y[4]
-        pxor    @t[3], @y[6]
-        pxor    @y[3], @t[3]            # t[3]=y[3]
-        pxor    @t[2], @y[5]
-        pxor    @y[2], @t[2]            # t[2]=y[2]
-        pxor    @t[7], @t[3]
-        pxor    @y[5], @t[5]            # t[5]=y[5]
-        pxor    @t[6], @t[2]
-        pxor    @t[6], @t[5]
-        pxor    @y[6], @t[6]            # t[6]=y[6]
-        pxor    @y[7], @t[7]            # t[7]=y[7]
-
-        movdqa  @t[0],@XMM[0]
-        movdqa  @t[1],@XMM[1]
-        movdqa  @t[2],@XMM[2]
-        movdqa  @t[3],@XMM[3]
-        movdqa  @t[4],@XMM[4]
-        movdqa  @t[5],@XMM[5]
-        movdqa  @t[6],@XMM[6]
-        movdqa  @t[7],@XMM[7]
-___
-}
-
-sub InvMixColumns {
-my @x=@_[0..7];
-my @t=@_[8..15];
-
-# Thanks to Jussi Kivilinna for providing pointer to
-#
-# | 0e 0b 0d 09 |   | 02 03 01 01 |   | 05 00 04 00 |
-# | 09 0e 0b 0d | = | 01 02 03 01 | x | 00 05 00 04 |
-# | 0d 09 0e 0b |   | 01 01 02 03 |   | 04 00 05 00 |
-# | 0b 0d 09 0e |   | 03 01 01 02 |   | 00 04 00 05 |
-
-$code.=<<___;
-        # multiplication by 0x05-0x00-0x04-0x00
-        pshufd  \$0x4E, @x[0], @t[0]
-        pshufd  \$0x4E, @x[6], @t[6]
-        pxor    @x[0], @t[0]
-        pshufd  \$0x4E, @x[7], @t[7]
-        pxor    @x[6], @t[6]
-        pshufd  \$0x4E, @x[1], @t[1]
-        pxor    @x[7], @t[7]
-        pshufd  \$0x4E, @x[2], @t[2]
-        pxor    @x[1], @t[1]
-        pshufd  \$0x4E, @x[3], @t[3]
-        pxor    @x[2], @t[2]
-         pxor   @t[6], @x[0]
-         pxor   @t[6], @x[1]
-        pshufd  \$0x4E, @x[4], @t[4]
-        pxor    @x[3], @t[3]
-         pxor   @t[0], @x[2]
-         pxor   @t[1], @x[3]
-        pshufd  \$0x4E, @x[5], @t[5]
-        pxor    @x[4], @t[4]
-         pxor   @t[7], @x[1]
-         pxor   @t[2], @x[4]
-        pxor    @x[5], @t[5]
-
-         pxor   @t[7], @x[2]
-         pxor   @t[6], @x[3]
-         pxor   @t[6], @x[4]
-         pxor   @t[3], @x[5]
-         pxor   @t[4], @x[6]
-         pxor   @t[7], @x[4]
-         pxor   @t[7], @x[5]
-         pxor   @t[5], @x[7]
-___
-        &MixColumns     (@x,@t,1);      # flipped 2<->3 and 4<->6
-}
-
-sub aesenc {                            # not used
-my @b=@_[0..7];
-my @t=@_[8..15];
-$code.=<<___;
-        movdqa  0x30($const),@t[0]      # .LSR
-___
-        &ShiftRows      (@b,@t[0]);
-        &Sbox           (@b,@t);
-        &MixColumns     (@b[0,1,4,6,3,7,2,5],@t);
-}
-
-sub aesenclast {                        # not used
-my @b=@_[0..7];
-my @t=@_[8..15];
-$code.=<<___;
-        movdqa  0x40($const),@t[0]      # .LSRM0
-___
-        &ShiftRows      (@b,@t[0]);
-        &Sbox           (@b,@t);
-$code.=<<___
-        pxor    0x00($key),@b[0]
-        pxor    0x10($key),@b[1]
-        pxor    0x20($key),@b[4]
-        pxor    0x30($key),@b[6]
-        pxor    0x40($key),@b[3]
-        pxor    0x50($key),@b[7]
-        pxor    0x60($key),@b[2]
-        pxor    0x70($key),@b[5]
-___
-}
-
-sub swapmove {
-my ($a,$b,$n,$mask,$t)=@_;
-$code.=<<___;
-        movdqa  $b,$t
-        psrlq   \$$n,$b
-        pxor    $a,$b
-        pand    $mask,$b
-        pxor    $b,$a
-        psllq   \$$n,$b
-        pxor    $t,$b
-___
-}
-sub swapmove2x {
-my ($a0,$b0,$a1,$b1,$n,$mask,$t0,$t1)=@_;
-$code.=<<___;
-        movdqa  $b0,$t0
-        psrlq   \$$n,$b0
-         movdqa $b1,$t1
-         psrlq  \$$n,$b1
-        pxor    $a0,$b0
-         pxor   $a1,$b1
-        pand    $mask,$b0
-         pand   $mask,$b1
-        pxor    $b0,$a0
-        psllq   \$$n,$b0
-         pxor   $b1,$a1
-         psllq  \$$n,$b1
-        pxor    $t0,$b0
-         pxor   $t1,$b1
-___
-}
-
-sub bitslice {
-my @x=reverse(@_[0..7]);
-my ($t0,$t1,$t2,$t3)=@_[8..11];
-$code.=<<___;
-        movdqa  0x00($const),$t0        # .LBS0
-        movdqa  0x10($const),$t1        # .LBS1
-___
-        &swapmove2x(@x[0,1,2,3],1,$t0,$t2,$t3);
-        &swapmove2x(@x[4,5,6,7],1,$t0,$t2,$t3);
-$code.=<<___;
-        movdqa  0x20($const),$t0        # .LBS2
-___
-        &swapmove2x(@x[0,2,1,3],2,$t1,$t2,$t3);
-        &swapmove2x(@x[4,6,5,7],2,$t1,$t2,$t3);
-
-        &swapmove2x(@x[0,4,1,5],4,$t0,$t2,$t3);
-        &swapmove2x(@x[2,6,3,7],4,$t0,$t2,$t3);
-}
-
-$code.=<<___;
-.text
-
-.extern asm_AES_encrypt
-.extern asm_AES_decrypt
-
-.type   _bsaes_encrypt8,\@abi-omnipotent
-.align  64
-_bsaes_encrypt8:
-        _CET_ENDBR
-        lea     .LBS0(%rip), $const     # constants table
-
-        movdqa  ($key), @XMM[9]         # round 0 key
-        lea     0x10($key), $key
-        movdqa  0x50($const), @XMM[8]   # .LM0SR
-        pxor    @XMM[9], @XMM[0]        # xor with round0 key
-        pxor    @XMM[9], @XMM[1]
-         pshufb @XMM[8], @XMM[0]
-        pxor    @XMM[9], @XMM[2]
-         pshufb @XMM[8], @XMM[1]
-        pxor    @XMM[9], @XMM[3]
-         pshufb @XMM[8], @XMM[2]
-        pxor    @XMM[9], @XMM[4]
-         pshufb @XMM[8], @XMM[3]
-        pxor    @XMM[9], @XMM[5]
-         pshufb @XMM[8], @XMM[4]
-        pxor    @XMM[9], @XMM[6]
-         pshufb @XMM[8], @XMM[5]
-        pxor    @XMM[9], @XMM[7]
-         pshufb @XMM[8], @XMM[6]
-         pshufb @XMM[8], @XMM[7]
-_bsaes_encrypt8_bitslice:
-___
-        &bitslice       (@XMM[0..7, 8..11]);
-$code.=<<___;
-        dec     $rounds
-        jmp     .Lenc_sbox
-.align  16
-.Lenc_loop:
-___
-        &ShiftRows      (@XMM[0..7, 8]);
-$code.=".Lenc_sbox:\n";
-        &Sbox           (@XMM[0..7, 8..15]);
-$code.=<<___;
-        dec     $rounds
-        jl      .Lenc_done
-___
-        &MixColumns     (@XMM[0,1,4,6,3,7,2,5, 8..15]);
-$code.=<<___;
-        movdqa  0x30($const), @XMM[8]   # .LSR
-        jnz     .Lenc_loop
-        movdqa  0x40($const), @XMM[8]   # .LSRM0
-        jmp     .Lenc_loop
-.align  16
-.Lenc_done:
-___
-        # output in lsb > [t0, t1, t4, t6, t3, t7, t2, t5] < msb
-        &bitslice       (@XMM[0,1,4,6,3,7,2,5, 8..11]);
-$code.=<<___;
-        movdqa  ($key), @XMM[8]         # last round key
-        pxor    @XMM[8], @XMM[4]
-        pxor    @XMM[8], @XMM[6]
-        pxor    @XMM[8], @XMM[3]
-        pxor    @XMM[8], @XMM[7]
-        pxor    @XMM[8], @XMM[2]
-        pxor    @XMM[8], @XMM[5]
-        pxor    @XMM[8], @XMM[0]
-        pxor    @XMM[8], @XMM[1]
-        ret
-.size   _bsaes_encrypt8,.-_bsaes_encrypt8
-
-.type   _bsaes_decrypt8,\@abi-omnipotent
-.align  64
-_bsaes_decrypt8:
-        _CET_ENDBR
-        lea     .LBS0(%rip), $const     # constants table
-
-        movdqa  ($key), @XMM[9]         # round 0 key
-        lea     0x10($key), $key
-        movdqa  -0x30($const), @XMM[8]  # .LM0ISR
-        pxor    @XMM[9], @XMM[0]        # xor with round0 key
-        pxor    @XMM[9], @XMM[1]
-         pshufb @XMM[8], @XMM[0]
-        pxor    @XMM[9], @XMM[2]
-         pshufb @XMM[8], @XMM[1]
-        pxor    @XMM[9], @XMM[3]
-         pshufb @XMM[8], @XMM[2]
-        pxor    @XMM[9], @XMM[4]
-         pshufb @XMM[8], @XMM[3]
-        pxor    @XMM[9], @XMM[5]
-         pshufb @XMM[8], @XMM[4]
-        pxor    @XMM[9], @XMM[6]
-         pshufb @XMM[8], @XMM[5]
-        pxor    @XMM[9], @XMM[7]
-         pshufb @XMM[8], @XMM[6]
-         pshufb @XMM[8], @XMM[7]
-___
-        &bitslice       (@XMM[0..7, 8..11]);
-$code.=<<___;
-        dec     $rounds
-        jmp     .Ldec_sbox
-.align  16
-.Ldec_loop:
-___
-        &ShiftRows      (@XMM[0..7, 8]);
-$code.=".Ldec_sbox:\n";
-        &InvSbox        (@XMM[0..7, 8..15]);
-$code.=<<___;
-        dec     $rounds
-        jl      .Ldec_done
-___
-        &InvMixColumns  (@XMM[0,1,6,4,2,7,3,5, 8..15]);
-$code.=<<___;
-        movdqa  -0x10($const), @XMM[8]  # .LISR
-        jnz     .Ldec_loop
-        movdqa  -0x20($const), @XMM[8]  # .LISRM0
-        jmp     .Ldec_loop
-.align  16
-.Ldec_done:
-___
-        &bitslice       (@XMM[0,1,6,4,2,7,3,5, 8..11]);
-$code.=<<___;
-        movdqa  ($key), @XMM[8]         # last round key
-        pxor    @XMM[8], @XMM[6]
-        pxor    @XMM[8], @XMM[4]
-        pxor    @XMM[8], @XMM[2]
-        pxor    @XMM[8], @XMM[7]
-        pxor    @XMM[8], @XMM[3]
-        pxor    @XMM[8], @XMM[5]
-        pxor    @XMM[8], @XMM[0]
-        pxor    @XMM[8], @XMM[1]
-        ret
-.size   _bsaes_decrypt8,.-_bsaes_decrypt8
-___
-}
-{
-my ($out,$inp,$rounds,$const)=("%rax","%rcx","%r10d","%r11");
-
-sub bitslice_key {
-my @x=reverse(@_[0..7]);
-my ($bs0,$bs1,$bs2,$t2,$t3)=@_[8..12];
-
-        &swapmove       (@x[0,1],1,$bs0,$t2,$t3);
-$code.=<<___;
-        #&swapmove(@x[2,3],1,$t0,$t2,$t3);
-        movdqa  @x[0], @x[2]
-        movdqa  @x[1], @x[3]
-___
-        #&swapmove2x(@x[4,5,6,7],1,$t0,$t2,$t3);
-
-        &swapmove2x     (@x[0,2,1,3],2,$bs1,$t2,$t3);
-$code.=<<___;
-        #&swapmove2x(@x[4,6,5,7],2,$t1,$t2,$t3);
-        movdqa  @x[0], @x[4]
-        movdqa  @x[2], @x[6]
-        movdqa  @x[1], @x[5]
-        movdqa  @x[3], @x[7]
-___
-        &swapmove2x     (@x[0,4,1,5],4,$bs2,$t2,$t3);
-        &swapmove2x     (@x[2,6,3,7],4,$bs2,$t2,$t3);
-}
-
-$code.=<<___;
-.type   _bsaes_key_convert,\@abi-omnipotent
-.align  16
-_bsaes_key_convert:
-        _CET_ENDBR
-        lea     .Lmasks(%rip), $const
-        movdqu  ($inp), %xmm7           # load round 0 key
-        lea     0x10($inp), $inp
-        movdqa  0x00($const), %xmm0     # 0x01...
-        movdqa  0x10($const), %xmm1     # 0x02...
-        movdqa  0x20($const), %xmm2     # 0x04...
-        movdqa  0x30($const), %xmm3     # 0x08...
-        movdqa  0x40($const), %xmm4     # .LM0
-        pcmpeqd %xmm5, %xmm5            # .LNOT
-
-        movdqu  ($inp), %xmm6           # load round 1 key
-        movdqa  %xmm7, ($out)           # save round 0 key
-        lea     0x10($out), $out
-        dec     $rounds
-        jmp     .Lkey_loop
-.align  16
-.Lkey_loop:
-        pshufb  %xmm4, %xmm6            # .LM0
-
-        movdqa  %xmm0,  %xmm8
-        movdqa  %xmm1,  %xmm9
-
-        pand    %xmm6,  %xmm8
-        pand    %xmm6,  %xmm9
-        movdqa  %xmm2,  %xmm10
-        pcmpeqb %xmm0,  %xmm8
-        psllq   \$4,    %xmm0           # 0x10...
-        movdqa  %xmm3,  %xmm11
-        pcmpeqb %xmm1,  %xmm9
-        psllq   \$4,    %xmm1           # 0x20...
-
-        pand    %xmm6,  %xmm10
-        pand    %xmm6,  %xmm11
-        movdqa  %xmm0,  %xmm12
-        pcmpeqb %xmm2,  %xmm10
-        psllq   \$4,    %xmm2           # 0x40...
-        movdqa  %xmm1,  %xmm13
-        pcmpeqb %xmm3,  %xmm11
-        psllq   \$4,    %xmm3           # 0x80...
-
-        movdqa  %xmm2,  %xmm14
-        movdqa  %xmm3,  %xmm15
-         pxor   %xmm5,  %xmm8           # "pnot"
-         pxor   %xmm5,  %xmm9
-
-        pand    %xmm6,  %xmm12
-        pand    %xmm6,  %xmm13
-         movdqa %xmm8, 0x00($out)       # write bit-sliced round key
-        pcmpeqb %xmm0,  %xmm12
-        psrlq   \$4,    %xmm0           # 0x01...
-         movdqa %xmm9, 0x10($out)
-        pcmpeqb %xmm1,  %xmm13
-        psrlq   \$4,    %xmm1           # 0x02...
-         lea    0x10($inp), $inp
-
-        pand    %xmm6,  %xmm14
-        pand    %xmm6,  %xmm15
-         movdqa %xmm10, 0x20($out)
-        pcmpeqb %xmm2,  %xmm14
-        psrlq   \$4,    %xmm2           # 0x04...
-         movdqa %xmm11, 0x30($out)
-        pcmpeqb %xmm3,  %xmm15
-        psrlq   \$4,    %xmm3           # 0x08...
-         movdqu ($inp), %xmm6           # load next round key
-
-        pxor    %xmm5, %xmm13           # "pnot"
-        pxor    %xmm5, %xmm14
-        movdqa  %xmm12, 0x40($out)
-        movdqa  %xmm13, 0x50($out)
-        movdqa  %xmm14, 0x60($out)
-        movdqa  %xmm15, 0x70($out)
-        lea     0x80($out),$out
-        dec     $rounds
-        jnz     .Lkey_loop
-
-        movdqa  0x50($const), %xmm7     # .L63
-        #movdqa %xmm6, ($out)           # don't save last round key
-        ret
-.size   _bsaes_key_convert,.-_bsaes_key_convert
-___
-}
-
-if (0 && !$win64) {     # following four functions are unsupported interface
-                        # used for benchmarking...
-$code.=<<___;
-.globl  bsaes_enc_key_convert
-.type   bsaes_enc_key_convert,\@function,2
-.align  16
-bsaes_enc_key_convert:
-        _CET_ENDBR
-        mov     240($inp),%r10d         # pass rounds
-        mov     $inp,%rcx               # pass key
-        mov     $out,%rax               # pass key schedule
-        call    _bsaes_key_convert
-        pxor    %xmm6,%xmm7             # fix up last round key
-        movdqa  %xmm7,(%rax)            # save last round key
-        ret
-.size   bsaes_enc_key_convert,.-bsaes_enc_key_convert
-
-.globl  bsaes_encrypt_128
-.type   bsaes_encrypt_128,\@function,4
-.align  16
-bsaes_encrypt_128:
-.Lenc128_loop:
-        _CET_ENDBR
-        movdqu  0x00($inp), @XMM[0]     # load input
-        movdqu  0x10($inp), @XMM[1]
-        movdqu  0x20($inp), @XMM[2]
-        movdqu  0x30($inp), @XMM[3]
-        movdqu  0x40($inp), @XMM[4]
-        movdqu  0x50($inp), @XMM[5]
-        movdqu  0x60($inp), @XMM[6]
-        movdqu  0x70($inp), @XMM[7]
-        mov     $key, %rax              # pass the $key
-        lea     0x80($inp), $inp
-        mov     \$10,%r10d
-
-        call    _bsaes_encrypt8
-
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        movdqu  @XMM[6], 0x30($out)
-        movdqu  @XMM[3], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[2], 0x60($out)
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-        sub     \$0x80,$len
-        ja      .Lenc128_loop
-        ret
-.size   bsaes_encrypt_128,.-bsaes_encrypt_128
-
-.globl  bsaes_dec_key_convert
-.type   bsaes_dec_key_convert,\@function,2
-.align  16
-bsaes_dec_key_convert:
-        _CET_ENDBR
-        mov     240($inp),%r10d         # pass rounds
-        mov     $inp,%rcx               # pass key
-        mov     $out,%rax               # pass key schedule
-        call    _bsaes_key_convert
-        pxor    ($out),%xmm7            # fix up round 0 key
-        movdqa  %xmm6,(%rax)            # save last round key
-        movdqa  %xmm7,($out)
-        ret
-.size   bsaes_dec_key_convert,.-bsaes_dec_key_convert
-
-.globl  bsaes_decrypt_128
-.type   bsaes_decrypt_128,\@function,4
-.align  16
-bsaes_decrypt_128:
-        _CET_ENDBR
-.Ldec128_loop:
-        movdqu  0x00($inp), @XMM[0]     # load input
-        movdqu  0x10($inp), @XMM[1]
-        movdqu  0x20($inp), @XMM[2]
-        movdqu  0x30($inp), @XMM[3]
-        movdqu  0x40($inp), @XMM[4]
-        movdqu  0x50($inp), @XMM[5]
-        movdqu  0x60($inp), @XMM[6]
-        movdqu  0x70($inp), @XMM[7]
-        mov     $key, %rax              # pass the $key
-        lea     0x80($inp), $inp
-        mov     \$10,%r10d
-
-        call    _bsaes_decrypt8
-
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[3], 0x60($out)
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-        sub     \$0x80,$len
-        ja      .Ldec128_loop
-        ret
-.size   bsaes_decrypt_128,.-bsaes_decrypt_128
-___
-}
-{
-######################################################################
-#
-# OpenSSL interface
-#
-my ($arg1,$arg2,$arg3,$arg4,$arg5,$arg6)=$win64 ? ("%rcx","%rdx","%r8","%r9","%r10","%r11d")
-                                                : ("%rdi","%rsi","%rdx","%rcx","%r8","%r9d");
-my ($inp,$out,$len,$key)=("%r12","%r13","%r14","%r15");
-
-if ($ecb) {
-$code.=<<___;
-.globl  bsaes_ecb_encrypt_blocks
-.type   bsaes_ecb_encrypt_blocks,\@abi-omnipotent
-.align  16
-bsaes_ecb_encrypt_blocks:
-        _CET_ENDBR
-        mov     %rsp, %rax
-.Lecb_enc_prologue:
-        push    %rbp
-        push    %rbx
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        lea     -0x48(%rsp),%rsp
-___
-$code.=<<___ if ($win64);
-        lea     -0xa0(%rsp), %rsp
-        movaps  %xmm6, 0x40(%rsp)
-        movaps  %xmm7, 0x50(%rsp)
-        movaps  %xmm8, 0x60(%rsp)
-        movaps  %xmm9, 0x70(%rsp)
-        movaps  %xmm10, 0x80(%rsp)
-        movaps  %xmm11, 0x90(%rsp)
-        movaps  %xmm12, 0xa0(%rsp)
-        movaps  %xmm13, 0xb0(%rsp)
-        movaps  %xmm14, 0xc0(%rsp)
-        movaps  %xmm15, 0xd0(%rsp)
-.Lecb_enc_body:
-___
-$code.=<<___;
-        mov     %rsp,%rbp               # backup %rsp
-        mov     240($arg4),%eax         # rounds
-        mov     $arg1,$inp              # backup arguments
-        mov     $arg2,$out
-        mov     $arg3,$len
-        mov     $arg4,$key
-        cmp     \$8,$arg3
-        jb      .Lecb_enc_short
-
-        mov     %eax,%ebx               # backup rounds
-        shl     \$7,%rax                # 128 bytes per inner round key
-        sub     \$`128-32`,%rax         # size of bit-sliced key schedule
-        sub     %rax,%rsp
-        mov     %rsp,%rax               # pass key schedule
-        mov     $key,%rcx               # pass key
-        mov     %ebx,%r10d              # pass rounds
-        call    _bsaes_key_convert
-        pxor    %xmm6,%xmm7             # fix up last round key
-        movdqa  %xmm7,(%rax)            # save last round key
-
-        sub     \$8,$len
-.Lecb_enc_loop:
-        movdqu  0x00($inp), @XMM[0]     # load input
-        movdqu  0x10($inp), @XMM[1]
-        movdqu  0x20($inp), @XMM[2]
-        movdqu  0x30($inp), @XMM[3]
-        movdqu  0x40($inp), @XMM[4]
-        movdqu  0x50($inp), @XMM[5]
-        mov     %rsp, %rax              # pass key schedule
-        movdqu  0x60($inp), @XMM[6]
-        mov     %ebx,%r10d              # pass rounds
-        movdqu  0x70($inp), @XMM[7]
-        lea     0x80($inp), $inp
-
-        call    _bsaes_encrypt8
-
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        movdqu  @XMM[6], 0x30($out)
-        movdqu  @XMM[3], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[2], 0x60($out)
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-        sub     \$8,$len
-        jnc     .Lecb_enc_loop
-
-        add     \$8,$len
-        jz      .Lecb_enc_done
-
-        movdqu  0x00($inp), @XMM[0]     # load input
-        mov     %rsp, %rax              # pass key schedule
-        mov     %ebx,%r10d              # pass rounds
-        cmp     \$2,$len
-        jb      .Lecb_enc_one
-        movdqu  0x10($inp), @XMM[1]
-        je      .Lecb_enc_two
-        movdqu  0x20($inp), @XMM[2]
-        cmp     \$4,$len
-        jb      .Lecb_enc_three
-        movdqu  0x30($inp), @XMM[3]
-        je      .Lecb_enc_four
-        movdqu  0x40($inp), @XMM[4]
-        cmp     \$6,$len
-        jb      .Lecb_enc_five
-        movdqu  0x50($inp), @XMM[5]
-        je      .Lecb_enc_six
-        movdqu  0x60($inp), @XMM[6]
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        movdqu  @XMM[6], 0x30($out)
-        movdqu  @XMM[3], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[2], 0x60($out)
-        jmp     .Lecb_enc_done
-.align  16
-.Lecb_enc_six:
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        movdqu  @XMM[6], 0x30($out)
-        movdqu  @XMM[3], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        jmp     .Lecb_enc_done
-.align  16
-.Lecb_enc_five:
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        movdqu  @XMM[6], 0x30($out)
-        movdqu  @XMM[3], 0x40($out)
-        jmp     .Lecb_enc_done
-.align  16
-.Lecb_enc_four:
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        movdqu  @XMM[6], 0x30($out)
-        jmp     .Lecb_enc_done
-.align  16
-.Lecb_enc_three:
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        jmp     .Lecb_enc_done
-.align  16
-.Lecb_enc_two:
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        jmp     .Lecb_enc_done
-.align  16
-.Lecb_enc_one:
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        jmp     .Lecb_enc_done
-.align  16
-.Lecb_enc_short:
-        lea     ($inp), $arg1
-        lea     ($out), $arg2
-        lea     ($key), $arg3
-        call    asm_AES_encrypt
-        lea     16($inp), $inp
-        lea     16($out), $out
-        dec     $len
-        jnz     .Lecb_enc_short
-
-.Lecb_enc_done:
-        lea     (%rsp),%rax
-        pxor    %xmm0, %xmm0
-.Lecb_enc_bzero:                        # wipe key schedule [if any]
-        movdqa  %xmm0, 0x00(%rax)
-        movdqa  %xmm0, 0x10(%rax)
-        lea     0x20(%rax), %rax
-        cmp     %rax, %rbp
-        jb      .Lecb_enc_bzero
-
-        lea     (%rbp),%rsp             # restore %rsp
-___
-$code.=<<___ if ($win64);
-        movaps  0x40(%rbp), %xmm6
-        movaps  0x50(%rbp), %xmm7
-        movaps  0x60(%rbp), %xmm8
-        movaps  0x70(%rbp), %xmm9
-        movaps  0x80(%rbp), %xmm10
-        movaps  0x90(%rbp), %xmm11
-        movaps  0xa0(%rbp), %xmm12
-        movaps  0xb0(%rbp), %xmm13
-        movaps  0xc0(%rbp), %xmm14
-        movaps  0xd0(%rbp), %xmm15
-        lea     0xa0(%rbp), %rsp
-___
-$code.=<<___;
-        mov     0x48(%rsp), %r15
-        mov     0x50(%rsp), %r14
-        mov     0x58(%rsp), %r13
-        mov     0x60(%rsp), %r12
-        mov     0x68(%rsp), %rbx
-        mov     0x70(%rsp), %rax
-        lea     0x78(%rsp), %rsp
-        mov     %rax, %rbp
-.Lecb_enc_epilogue:
-        ret
-.size   bsaes_ecb_encrypt_blocks,.-bsaes_ecb_encrypt_blocks
-
-.globl  bsaes_ecb_decrypt_blocks
-.type   bsaes_ecb_decrypt_blocks,\@abi-omnipotent
-.align  16
-bsaes_ecb_decrypt_blocks:
-        _CET_ENDBR
-        mov     %rsp, %rax
-.Lecb_dec_prologue:
-        push    %rbp
-        push    %rbx
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        lea     -0x48(%rsp),%rsp
-___
-$code.=<<___ if ($win64);
-        lea     -0xa0(%rsp), %rsp
-        movaps  %xmm6, 0x40(%rsp)
-        movaps  %xmm7, 0x50(%rsp)
-        movaps  %xmm8, 0x60(%rsp)
-        movaps  %xmm9, 0x70(%rsp)
-        movaps  %xmm10, 0x80(%rsp)
-        movaps  %xmm11, 0x90(%rsp)
-        movaps  %xmm12, 0xa0(%rsp)
-        movaps  %xmm13, 0xb0(%rsp)
-        movaps  %xmm14, 0xc0(%rsp)
-        movaps  %xmm15, 0xd0(%rsp)
-.Lecb_dec_body:
-___
-$code.=<<___;
-        mov     %rsp,%rbp               # backup %rsp
-        mov     240($arg4),%eax         # rounds
-        mov     $arg1,$inp              # backup arguments
-        mov     $arg2,$out
-        mov     $arg3,$len
-        mov     $arg4,$key
-        cmp     \$8,$arg3
-        jb      .Lecb_dec_short
-
-        mov     %eax,%ebx               # backup rounds
-        shl     \$7,%rax                # 128 bytes per inner round key
-        sub     \$`128-32`,%rax         # size of bit-sliced key schedule
-        sub     %rax,%rsp
-        mov     %rsp,%rax               # pass key schedule
-        mov     $key,%rcx               # pass key
-        mov     %ebx,%r10d              # pass rounds
-        call    _bsaes_key_convert
-        pxor    (%rsp),%xmm7            # fix up 0 round key
-        movdqa  %xmm6,(%rax)            # save last round key
-        movdqa  %xmm7,(%rsp)
-
-        sub     \$8,$len
-.Lecb_dec_loop:
-        movdqu  0x00($inp), @XMM[0]     # load input
-        movdqu  0x10($inp), @XMM[1]
-        movdqu  0x20($inp), @XMM[2]
-        movdqu  0x30($inp), @XMM[3]
-        movdqu  0x40($inp), @XMM[4]
-        movdqu  0x50($inp), @XMM[5]
-        mov     %rsp, %rax              # pass key schedule
-        movdqu  0x60($inp), @XMM[6]
-        mov     %ebx,%r10d              # pass rounds
-        movdqu  0x70($inp), @XMM[7]
-        lea     0x80($inp), $inp
-
-        call    _bsaes_decrypt8
-
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[3], 0x60($out)
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-        sub     \$8,$len
-        jnc     .Lecb_dec_loop
-
-        add     \$8,$len
-        jz      .Lecb_dec_done
-
-        movdqu  0x00($inp), @XMM[0]     # load input
-        mov     %rsp, %rax              # pass key schedule
-        mov     %ebx,%r10d              # pass rounds
-        cmp     \$2,$len
-        jb      .Lecb_dec_one
-        movdqu  0x10($inp), @XMM[1]
-        je      .Lecb_dec_two
-        movdqu  0x20($inp), @XMM[2]
-        cmp     \$4,$len
-        jb      .Lecb_dec_three
-        movdqu  0x30($inp), @XMM[3]
-        je      .Lecb_dec_four
-        movdqu  0x40($inp), @XMM[4]
-        cmp     \$6,$len
-        jb      .Lecb_dec_five
-        movdqu  0x50($inp), @XMM[5]
-        je      .Lecb_dec_six
-        movdqu  0x60($inp), @XMM[6]
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[3], 0x60($out)
-        jmp     .Lecb_dec_done
-.align  16
-.Lecb_dec_six:
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        jmp     .Lecb_dec_done
-.align  16
-.Lecb_dec_five:
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        jmp     .Lecb_dec_done
-.align  16
-.Lecb_dec_four:
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        jmp     .Lecb_dec_done
-.align  16
-.Lecb_dec_three:
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        jmp     .Lecb_dec_done
-.align  16
-.Lecb_dec_two:
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        jmp     .Lecb_dec_done
-.align  16
-.Lecb_dec_one:
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        jmp     .Lecb_dec_done
-.align  16
-.Lecb_dec_short:
-        lea     ($inp), $arg1
-        lea     ($out), $arg2
-        lea     ($key), $arg3
-        call    asm_AES_decrypt
-        lea     16($inp), $inp
-        lea     16($out), $out
-        dec     $len
-        jnz     .Lecb_dec_short
-
-.Lecb_dec_done:
-        lea     (%rsp),%rax
-        pxor    %xmm0, %xmm0
-.Lecb_dec_bzero:                        # wipe key schedule [if any]
-        movdqa  %xmm0, 0x00(%rax)
-        movdqa  %xmm0, 0x10(%rax)
-        lea     0x20(%rax), %rax
-        cmp     %rax, %rbp
-        jb      .Lecb_dec_bzero
-
-        lea     (%rbp),%rsp             # restore %rsp
-___
-$code.=<<___ if ($win64);
-        movaps  0x40(%rbp), %xmm6
-        movaps  0x50(%rbp), %xmm7
-        movaps  0x60(%rbp), %xmm8
-        movaps  0x70(%rbp), %xmm9
-        movaps  0x80(%rbp), %xmm10
-        movaps  0x90(%rbp), %xmm11
-        movaps  0xa0(%rbp), %xmm12
-        movaps  0xb0(%rbp), %xmm13
-        movaps  0xc0(%rbp), %xmm14
-        movaps  0xd0(%rbp), %xmm15
-        lea     0xa0(%rbp), %rsp
-___
-$code.=<<___;
-        mov     0x48(%rsp), %r15
-        mov     0x50(%rsp), %r14
-        mov     0x58(%rsp), %r13
-        mov     0x60(%rsp), %r12
-        mov     0x68(%rsp), %rbx
-        mov     0x70(%rsp), %rax
-        lea     0x78(%rsp), %rsp
-        mov     %rax, %rbp
-.Lecb_dec_epilogue:
-        ret
-.size   bsaes_ecb_decrypt_blocks,.-bsaes_ecb_decrypt_blocks
-___
-}
-$code.=<<___;
-.extern asm_AES_cbc_encrypt
-.globl  bsaes_cbc_encrypt
-.type   bsaes_cbc_encrypt,\@abi-omnipotent
-.align  16
-bsaes_cbc_encrypt:
-        _CET_ENDBR
-___
-$code.=<<___ if ($win64);
-        mov     48(%rsp),$arg6          # pull direction flag
-___
-$code.=<<___;
-        cmp     \$0,$arg6
-        jne     asm_AES_cbc_encrypt
-        cmp     \$128,$arg3
-        jb      asm_AES_cbc_encrypt
-
-        mov     %rsp, %rax
-.Lcbc_dec_prologue:
-        push    %rbp
-        push    %rbx
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        lea     -0x48(%rsp), %rsp
-___
-$code.=<<___ if ($win64);
-        mov     0xa0(%rsp),$arg5        # pull ivp
-        lea     -0xa0(%rsp), %rsp
-        movaps  %xmm6, 0x40(%rsp)
-        movaps  %xmm7, 0x50(%rsp)
-        movaps  %xmm8, 0x60(%rsp)
-        movaps  %xmm9, 0x70(%rsp)
-        movaps  %xmm10, 0x80(%rsp)
-        movaps  %xmm11, 0x90(%rsp)
-        movaps  %xmm12, 0xa0(%rsp)
-        movaps  %xmm13, 0xb0(%rsp)
-        movaps  %xmm14, 0xc0(%rsp)
-        movaps  %xmm15, 0xd0(%rsp)
-.Lcbc_dec_body:
-___
-$code.=<<___;
-        mov     %rsp, %rbp              # backup %rsp
-        mov     240($arg4), %eax        # rounds
-        mov     $arg1, $inp             # backup arguments
-        mov     $arg2, $out
-        mov     $arg3, $len
-        mov     $arg4, $key
-        mov     $arg5, %rbx
-        shr     \$4, $len               # bytes to blocks
-
-        mov     %eax, %edx              # rounds
-        shl     \$7, %rax               # 128 bytes per inner round key
-        sub     \$`128-32`, %rax        # size of bit-sliced key schedule
-        sub     %rax, %rsp
-
-        mov     %rsp, %rax              # pass key schedule
-        mov     $key, %rcx              # pass key
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_key_convert
-        pxor    (%rsp),%xmm7            # fix up 0 round key
-        movdqa  %xmm6,(%rax)            # save last round key
-        movdqa  %xmm7,(%rsp)
-
-        movdqu  (%rbx), @XMM[15]        # load IV
-        sub     \$8,$len
-.Lcbc_dec_loop:
-        movdqu  0x00($inp), @XMM[0]     # load input
-        movdqu  0x10($inp), @XMM[1]
-        movdqu  0x20($inp), @XMM[2]
-        movdqu  0x30($inp), @XMM[3]
-        movdqu  0x40($inp), @XMM[4]
-        movdqu  0x50($inp), @XMM[5]
-        mov     %rsp, %rax              # pass key schedule
-        movdqu  0x60($inp), @XMM[6]
-        mov     %edx,%r10d              # pass rounds
-        movdqu  0x70($inp), @XMM[7]
-        movdqa  @XMM[15], 0x20(%rbp)    # put aside IV
-
-        call    _bsaes_decrypt8
-
-        pxor    0x20(%rbp), @XMM[0]     # ^= IV
-        movdqu  0x00($inp), @XMM[8]     # re-load input
-        movdqu  0x10($inp), @XMM[9]
-        pxor    @XMM[8], @XMM[1]
-        movdqu  0x20($inp), @XMM[10]
-        pxor    @XMM[9], @XMM[6]
-        movdqu  0x30($inp), @XMM[11]
-        pxor    @XMM[10], @XMM[4]
-        movdqu  0x40($inp), @XMM[12]
-        pxor    @XMM[11], @XMM[2]
-        movdqu  0x50($inp), @XMM[13]
-        pxor    @XMM[12], @XMM[7]
-        movdqu  0x60($inp), @XMM[14]
-        pxor    @XMM[13], @XMM[3]
-        movdqu  0x70($inp), @XMM[15]    # IV
-        pxor    @XMM[14], @XMM[5]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        lea     0x80($inp), $inp
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[3], 0x60($out)
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-        sub     \$8,$len
-        jnc     .Lcbc_dec_loop
-
-        add     \$8,$len
-        jz      .Lcbc_dec_done
-
-        movdqu  0x00($inp), @XMM[0]     # load input
-        mov     %rsp, %rax              # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-        cmp     \$2,$len
-        jb      .Lcbc_dec_one
-        movdqu  0x10($inp), @XMM[1]
-        je      .Lcbc_dec_two
-        movdqu  0x20($inp), @XMM[2]
-        cmp     \$4,$len
-        jb      .Lcbc_dec_three
-        movdqu  0x30($inp), @XMM[3]
-        je      .Lcbc_dec_four
-        movdqu  0x40($inp), @XMM[4]
-        cmp     \$6,$len
-        jb      .Lcbc_dec_five
-        movdqu  0x50($inp), @XMM[5]
-        je      .Lcbc_dec_six
-        movdqu  0x60($inp), @XMM[6]
-        movdqa  @XMM[15], 0x20(%rbp)    # put aside IV
-        call    _bsaes_decrypt8
-        pxor    0x20(%rbp), @XMM[0]     # ^= IV
-        movdqu  0x00($inp), @XMM[8]     # re-load input
-        movdqu  0x10($inp), @XMM[9]
-        pxor    @XMM[8], @XMM[1]
-        movdqu  0x20($inp), @XMM[10]
-        pxor    @XMM[9], @XMM[6]
-        movdqu  0x30($inp), @XMM[11]
-        pxor    @XMM[10], @XMM[4]
-        movdqu  0x40($inp), @XMM[12]
-        pxor    @XMM[11], @XMM[2]
-        movdqu  0x50($inp), @XMM[13]
-        pxor    @XMM[12], @XMM[7]
-        movdqu  0x60($inp), @XMM[15]    # IV
-        pxor    @XMM[13], @XMM[3]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[3], 0x60($out)
-        jmp     .Lcbc_dec_done
-.align  16
-.Lcbc_dec_six:
-        movdqa  @XMM[15], 0x20(%rbp)    # put aside IV
-        call    _bsaes_decrypt8
-        pxor    0x20(%rbp), @XMM[0]     # ^= IV
-        movdqu  0x00($inp), @XMM[8]     # re-load input
-        movdqu  0x10($inp), @XMM[9]
-        pxor    @XMM[8], @XMM[1]
-        movdqu  0x20($inp), @XMM[10]
-        pxor    @XMM[9], @XMM[6]
-        movdqu  0x30($inp), @XMM[11]
-        pxor    @XMM[10], @XMM[4]
-        movdqu  0x40($inp), @XMM[12]
-        pxor    @XMM[11], @XMM[2]
-        movdqu  0x50($inp), @XMM[15]    # IV
-        pxor    @XMM[12], @XMM[7]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        jmp     .Lcbc_dec_done
-.align  16
-.Lcbc_dec_five:
-        movdqa  @XMM[15], 0x20(%rbp)    # put aside IV
-        call    _bsaes_decrypt8
-        pxor    0x20(%rbp), @XMM[0]     # ^= IV
-        movdqu  0x00($inp), @XMM[8]     # re-load input
-        movdqu  0x10($inp), @XMM[9]
-        pxor    @XMM[8], @XMM[1]
-        movdqu  0x20($inp), @XMM[10]
-        pxor    @XMM[9], @XMM[6]
-        movdqu  0x30($inp), @XMM[11]
-        pxor    @XMM[10], @XMM[4]
-        movdqu  0x40($inp), @XMM[15]    # IV
-        pxor    @XMM[11], @XMM[2]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        jmp     .Lcbc_dec_done
-.align  16
-.Lcbc_dec_four:
-        movdqa  @XMM[15], 0x20(%rbp)    # put aside IV
-        call    _bsaes_decrypt8
-        pxor    0x20(%rbp), @XMM[0]     # ^= IV
-        movdqu  0x00($inp), @XMM[8]     # re-load input
-        movdqu  0x10($inp), @XMM[9]
-        pxor    @XMM[8], @XMM[1]
-        movdqu  0x20($inp), @XMM[10]
-        pxor    @XMM[9], @XMM[6]
-        movdqu  0x30($inp), @XMM[15]    # IV
-        pxor    @XMM[10], @XMM[4]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        jmp     .Lcbc_dec_done
-.align  16
-.Lcbc_dec_three:
-        movdqa  @XMM[15], 0x20(%rbp)    # put aside IV
-        call    _bsaes_decrypt8
-        pxor    0x20(%rbp), @XMM[0]     # ^= IV
-        movdqu  0x00($inp), @XMM[8]     # re-load input
-        movdqu  0x10($inp), @XMM[9]
-        pxor    @XMM[8], @XMM[1]
-        movdqu  0x20($inp), @XMM[15]    # IV
-        pxor    @XMM[9], @XMM[6]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        jmp     .Lcbc_dec_done
-.align  16
-.Lcbc_dec_two:
-        movdqa  @XMM[15], 0x20(%rbp)    # put aside IV
-        call    _bsaes_decrypt8
-        pxor    0x20(%rbp), @XMM[0]     # ^= IV
-        movdqu  0x00($inp), @XMM[8]     # re-load input
-        movdqu  0x10($inp), @XMM[15]    # IV
-        pxor    @XMM[8], @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        jmp     .Lcbc_dec_done
-.align  16
-.Lcbc_dec_one:
-        lea     ($inp), $arg1
-        lea     0x20(%rbp), $arg2       # buffer output
-        lea     ($key), $arg3
-        call    asm_AES_decrypt         # doesn't touch %xmm
-        pxor    0x20(%rbp), @XMM[15]    # ^= IV
-        movdqu  @XMM[15], ($out)        # write output
-        movdqa  @XMM[0], @XMM[15]       # IV
-
-.Lcbc_dec_done:
-        movdqu  @XMM[15], (%rbx)        # return IV
-        lea     (%rsp), %rax
-        pxor    %xmm0, %xmm0
-.Lcbc_dec_bzero:                        # wipe key schedule [if any]
-        movdqa  %xmm0, 0x00(%rax)
-        movdqa  %xmm0, 0x10(%rax)
-        lea     0x20(%rax), %rax
-        cmp     %rax, %rbp
-        ja      .Lcbc_dec_bzero
-
-        lea     (%rbp),%rsp             # restore %rsp
-___
-$code.=<<___ if ($win64);
-        movaps  0x40(%rbp), %xmm6
-        movaps  0x50(%rbp), %xmm7
-        movaps  0x60(%rbp), %xmm8
-        movaps  0x70(%rbp), %xmm9
-        movaps  0x80(%rbp), %xmm10
-        movaps  0x90(%rbp), %xmm11
-        movaps  0xa0(%rbp), %xmm12
-        movaps  0xb0(%rbp), %xmm13
-        movaps  0xc0(%rbp), %xmm14
-        movaps  0xd0(%rbp), %xmm15
-        lea     0xa0(%rbp), %rsp
-___
-$code.=<<___;
-        mov     0x48(%rsp), %r15
-        mov     0x50(%rsp), %r14
-        mov     0x58(%rsp), %r13
-        mov     0x60(%rsp), %r12
-        mov     0x68(%rsp), %rbx
-        mov     0x70(%rsp), %rax
-        lea     0x78(%rsp), %rsp
-        mov     %rax, %rbp
-.Lcbc_dec_epilogue:
-        ret
-.size   bsaes_cbc_encrypt,.-bsaes_cbc_encrypt
-
-.globl  bsaes_ctr32_encrypt_blocks
-.type   bsaes_ctr32_encrypt_blocks,\@abi-omnipotent
-.align  16
-bsaes_ctr32_encrypt_blocks:
-        _CET_ENDBR
-        mov     %rsp, %rax
-.Lctr_enc_prologue:
-        push    %rbp
-        push    %rbx
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        lea     -0x48(%rsp), %rsp
-___
-$code.=<<___ if ($win64);
-        mov     0xa0(%rsp),$arg5        # pull ivp
-        lea     -0xa0(%rsp), %rsp
-        movaps  %xmm6, 0x40(%rsp)
-        movaps  %xmm7, 0x50(%rsp)
-        movaps  %xmm8, 0x60(%rsp)
-        movaps  %xmm9, 0x70(%rsp)
-        movaps  %xmm10, 0x80(%rsp)
-        movaps  %xmm11, 0x90(%rsp)
-        movaps  %xmm12, 0xa0(%rsp)
-        movaps  %xmm13, 0xb0(%rsp)
-        movaps  %xmm14, 0xc0(%rsp)
-        movaps  %xmm15, 0xd0(%rsp)
-.Lctr_enc_body:
-___
-$code.=<<___;
-        mov     %rsp, %rbp              # backup %rsp
-        movdqu  ($arg5), %xmm0          # load counter
-        mov     240($arg4), %eax        # rounds
-        mov     $arg1, $inp             # backup arguments
-        mov     $arg2, $out
-        mov     $arg3, $len
-        mov     $arg4, $key
-        movdqa  %xmm0, 0x20(%rbp)       # copy counter
-        cmp     \$8, $arg3
-        jb      .Lctr_enc_short
-
-        mov     %eax, %ebx              # rounds
-        shl     \$7, %rax               # 128 bytes per inner round key
-        sub     \$`128-32`, %rax        # size of bit-sliced key schedule
-        sub     %rax, %rsp
-
-        mov     %rsp, %rax              # pass key schedule
-        mov     $key, %rcx              # pass key
-        mov     %ebx, %r10d             # pass rounds
-        call    _bsaes_key_convert
-        pxor    %xmm6,%xmm7             # fix up last round key
-        movdqa  %xmm7,(%rax)            # save last round key
-
-        movdqa  (%rsp), @XMM[9]         # load round0 key
-        lea     .LADD1(%rip), %r11
-        movdqa  0x20(%rbp), @XMM[0]     # counter copy
-        movdqa  -0x20(%r11), @XMM[8]    # .LSWPUP
-        pshufb  @XMM[8], @XMM[9]        # byte swap upper part
-        pshufb  @XMM[8], @XMM[0]
-        movdqa  @XMM[9], (%rsp)         # save adjusted round0 key
-        jmp     .Lctr_enc_loop
-.align  16
-.Lctr_enc_loop:
-        movdqa  @XMM[0], 0x20(%rbp)     # save counter
-        movdqa  @XMM[0], @XMM[1]        # prepare 8 counter values
-        movdqa  @XMM[0], @XMM[2]
-        paddd   0x00(%r11), @XMM[1]     # .LADD1
-        movdqa  @XMM[0], @XMM[3]
-        paddd   0x10(%r11), @XMM[2]     # .LADD2
-        movdqa  @XMM[0], @XMM[4]
-        paddd   0x20(%r11), @XMM[3]     # .LADD3
-        movdqa  @XMM[0], @XMM[5]
-        paddd   0x30(%r11), @XMM[4]     # .LADD4
-        movdqa  @XMM[0], @XMM[6]
-        paddd   0x40(%r11), @XMM[5]     # .LADD5
-        movdqa  @XMM[0], @XMM[7]
-        paddd   0x50(%r11), @XMM[6]     # .LADD6
-        paddd   0x60(%r11), @XMM[7]     # .LADD7
-
-        # Borrow prologue from _bsaes_encrypt8 to use the opportunity
-        # to flip byte order in 32-bit counter
-        movdqa  (%rsp), @XMM[9]         # round 0 key
-        lea     0x10(%rsp), %rax        # pass key schedule
-        movdqa  -0x10(%r11), @XMM[8]    # .LSWPUPM0SR
-        pxor    @XMM[9], @XMM[0]        # xor with round0 key
-        pxor    @XMM[9], @XMM[1]
-         pshufb @XMM[8], @XMM[0]
-        pxor    @XMM[9], @XMM[2]
-         pshufb @XMM[8], @XMM[1]
-        pxor    @XMM[9], @XMM[3]
-         pshufb @XMM[8], @XMM[2]
-        pxor    @XMM[9], @XMM[4]
-         pshufb @XMM[8], @XMM[3]
-        pxor    @XMM[9], @XMM[5]
-         pshufb @XMM[8], @XMM[4]
-        pxor    @XMM[9], @XMM[6]
-         pshufb @XMM[8], @XMM[5]
-        pxor    @XMM[9], @XMM[7]
-         pshufb @XMM[8], @XMM[6]
-        lea     .LBS0(%rip), %r11       # constants table
-         pshufb @XMM[8], @XMM[7]
-        mov     %ebx,%r10d              # pass rounds
-
-        call    _bsaes_encrypt8_bitslice
-
-        sub     \$8,$len
-        jc      .Lctr_enc_loop_done
-
-        movdqu  0x00($inp), @XMM[8]     # load input
-        movdqu  0x10($inp), @XMM[9]
-        movdqu  0x20($inp), @XMM[10]
-        movdqu  0x30($inp), @XMM[11]
-        movdqu  0x40($inp), @XMM[12]
-        movdqu  0x50($inp), @XMM[13]
-        movdqu  0x60($inp), @XMM[14]
-        movdqu  0x70($inp), @XMM[15]
-        lea     0x80($inp),$inp
-        pxor    @XMM[0], @XMM[8]
-        movdqa  0x20(%rbp), @XMM[0]     # load counter
-        pxor    @XMM[9], @XMM[1]
-        movdqu  @XMM[8], 0x00($out)     # write output
-        pxor    @XMM[10], @XMM[4]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    @XMM[11], @XMM[6]
-        movdqu  @XMM[4], 0x20($out)
-        pxor    @XMM[12], @XMM[3]
-        movdqu  @XMM[6], 0x30($out)
-        pxor    @XMM[13], @XMM[7]
-        movdqu  @XMM[3], 0x40($out)
-        pxor    @XMM[14], @XMM[2]
-        movdqu  @XMM[7], 0x50($out)
-        pxor    @XMM[15], @XMM[5]
-        movdqu  @XMM[2], 0x60($out)
-        lea     .LADD1(%rip), %r11
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-        paddd   0x70(%r11), @XMM[0]     # .LADD8
-        jnz     .Lctr_enc_loop
-
-        jmp     .Lctr_enc_done
-.align  16
-.Lctr_enc_loop_done:
-        add     \$8, $len
-        movdqu  0x00($inp), @XMM[8]     # load input
-        pxor    @XMM[8], @XMM[0]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        cmp     \$2,$len
-        jb      .Lctr_enc_done
-        movdqu  0x10($inp), @XMM[9]
-        pxor    @XMM[9], @XMM[1]
-        movdqu  @XMM[1], 0x10($out)
-        je      .Lctr_enc_done
-        movdqu  0x20($inp), @XMM[10]
-        pxor    @XMM[10], @XMM[4]
-        movdqu  @XMM[4], 0x20($out)
-        cmp     \$4,$len
-        jb      .Lctr_enc_done
-        movdqu  0x30($inp), @XMM[11]
-        pxor    @XMM[11], @XMM[6]
-        movdqu  @XMM[6], 0x30($out)
-        je      .Lctr_enc_done
-        movdqu  0x40($inp), @XMM[12]
-        pxor    @XMM[12], @XMM[3]
-        movdqu  @XMM[3], 0x40($out)
-        cmp     \$6,$len
-        jb      .Lctr_enc_done
-        movdqu  0x50($inp), @XMM[13]
-        pxor    @XMM[13], @XMM[7]
-        movdqu  @XMM[7], 0x50($out)
-        je      .Lctr_enc_done
-        movdqu  0x60($inp), @XMM[14]
-        pxor    @XMM[14], @XMM[2]
-        movdqu  @XMM[2], 0x60($out)
-        jmp     .Lctr_enc_done
-
-.align  16
-.Lctr_enc_short:
-        lea     0x20(%rbp), $arg1
-        lea     0x30(%rbp), $arg2
-        lea     ($key), $arg3
-        call    asm_AES_encrypt
-        movdqu  ($inp), @XMM[1]
-        lea     16($inp), $inp
-        mov     0x2c(%rbp), %eax        # load 32-bit counter
-        bswap   %eax
-        pxor    0x30(%rbp), @XMM[1]
-        inc     %eax                    # increment
-        movdqu  @XMM[1], ($out)
-        bswap   %eax
-        lea     16($out), $out
-        mov     %eax, 0x2c(%rsp)        # save 32-bit counter
-        dec     $len
-        jnz     .Lctr_enc_short
-
-.Lctr_enc_done:
-        lea     (%rsp), %rax
-        pxor    %xmm0, %xmm0
-.Lctr_enc_bzero:                        # wipe key schedule [if any]
-        movdqa  %xmm0, 0x00(%rax)
-        movdqa  %xmm0, 0x10(%rax)
-        lea     0x20(%rax), %rax
-        cmp     %rax, %rbp
-        ja      .Lctr_enc_bzero
-
-        lea     (%rbp),%rsp             # restore %rsp
-___
-$code.=<<___ if ($win64);
-        movaps  0x40(%rbp), %xmm6
-        movaps  0x50(%rbp), %xmm7
-        movaps  0x60(%rbp), %xmm8
-        movaps  0x70(%rbp), %xmm9
-        movaps  0x80(%rbp), %xmm10
-        movaps  0x90(%rbp), %xmm11
-        movaps  0xa0(%rbp), %xmm12
-        movaps  0xb0(%rbp), %xmm13
-        movaps  0xc0(%rbp), %xmm14
-        movaps  0xd0(%rbp), %xmm15
-        lea     0xa0(%rbp), %rsp
-___
-$code.=<<___;
-        mov     0x48(%rsp), %r15
-        mov     0x50(%rsp), %r14
-        mov     0x58(%rsp), %r13
-        mov     0x60(%rsp), %r12
-        mov     0x68(%rsp), %rbx
-        mov     0x70(%rsp), %rax
-        lea     0x78(%rsp), %rsp
-        mov     %rax, %rbp
-.Lctr_enc_epilogue:
-        ret
-.size   bsaes_ctr32_encrypt_blocks,.-bsaes_ctr32_encrypt_blocks
-___
-######################################################################
-# void bsaes_xts_[en|de]crypt(const char *inp,char *out,size_t len,
-#       const AES_KEY *key1, const AES_KEY *key2,
-#       const unsigned char iv[16]);
-#
-my ($twmask,$twres,$twtmp)=@XMM[13..15];
-$arg6=~s/d$//;
-
-$code.=<<___;
-.globl  bsaes_xts_encrypt
-.type   bsaes_xts_encrypt,\@abi-omnipotent
-.align  16
-bsaes_xts_encrypt:
-        _CET_ENDBR
-        mov     %rsp, %rax
-.Lxts_enc_prologue:
-        push    %rbp
-        push    %rbx
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        lea     -0x48(%rsp), %rsp
-___
-$code.=<<___ if ($win64);
-        mov     0xa0(%rsp),$arg5        # pull key2
-        mov     0xa8(%rsp),$arg6        # pull ivp
-        lea     -0xa0(%rsp), %rsp
-        movaps  %xmm6, 0x40(%rsp)
-        movaps  %xmm7, 0x50(%rsp)
-        movaps  %xmm8, 0x60(%rsp)
-        movaps  %xmm9, 0x70(%rsp)
-        movaps  %xmm10, 0x80(%rsp)
-        movaps  %xmm11, 0x90(%rsp)
-        movaps  %xmm12, 0xa0(%rsp)
-        movaps  %xmm13, 0xb0(%rsp)
-        movaps  %xmm14, 0xc0(%rsp)
-        movaps  %xmm15, 0xd0(%rsp)
-.Lxts_enc_body:
-___
-$code.=<<___;
-        mov     %rsp, %rbp              # backup %rsp
-        mov     $arg1, $inp             # backup arguments
-        mov     $arg2, $out
-        mov     $arg3, $len
-        mov     $arg4, $key
-
-        lea     ($arg6), $arg1
-        lea     0x20(%rbp), $arg2
-        lea     ($arg5), $arg3
-        call    asm_AES_encrypt         # generate initial tweak
-
-        mov     240($key), %eax         # rounds
-        mov     $len, %rbx              # backup $len
-
-        mov     %eax, %edx              # rounds
-        shl     \$7, %rax               # 128 bytes per inner round key
-        sub     \$`128-32`, %rax        # size of bit-sliced key schedule
-        sub     %rax, %rsp
-
-        mov     %rsp, %rax              # pass key schedule
-        mov     $key, %rcx              # pass key
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_key_convert
-        pxor    %xmm6, %xmm7            # fix up last round key
-        movdqa  %xmm7, (%rax)           # save last round key
-
-        and     \$-16, $len
-        sub     \$0x80, %rsp            # place for tweak[8]
-        movdqa  0x20(%rbp), @XMM[7]     # initial tweak
-
-        pxor    $twtmp, $twtmp
-        movdqa  .Lxts_magic(%rip), $twmask
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-
-        sub     \$0x80, $len
-        jc      .Lxts_enc_short
-        jmp     .Lxts_enc_loop
-
-.align  16
-.Lxts_enc_loop:
-___
-    for ($i=0;$i<7;$i++) {
-    $code.=<<___;
-        pshufd  \$0x13, $twtmp, $twres
-        pxor    $twtmp, $twtmp
-        movdqa  @XMM[7], @XMM[$i]
-        movdqa  @XMM[7], `0x10*$i`(%rsp)# save tweak[$i]
-        paddq   @XMM[7], @XMM[7]        # psllq 1,$tweak
-        pand    $twmask, $twres         # isolate carry and residue
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-        pxor    $twres, @XMM[7]
-___
-    $code.=<<___ if ($i>=1);
-        movdqu  `0x10*($i-1)`($inp), @XMM[8+$i-1]
-___
-    $code.=<<___ if ($i>=2);
-        pxor    @XMM[8+$i-2], @XMM[$i-2]# input[] ^ tweak[]
-___
-    }
-$code.=<<___;
-        movdqu  0x60($inp), @XMM[8+6]
-        pxor    @XMM[8+5], @XMM[5]
-        movdqu  0x70($inp), @XMM[8+7]
-        lea     0x80($inp), $inp
-        movdqa  @XMM[7], 0x70(%rsp)
-        pxor    @XMM[8+6], @XMM[6]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        pxor    @XMM[8+7], @XMM[7]
-        mov     %edx, %r10d             # pass rounds
-
-        call    _bsaes_encrypt8
-
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[4]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[6]
-        movdqu  @XMM[4], 0x20($out)
-        pxor    0x40(%rsp), @XMM[3]
-        movdqu  @XMM[6], 0x30($out)
-        pxor    0x50(%rsp), @XMM[7]
-        movdqu  @XMM[3], 0x40($out)
-        pxor    0x60(%rsp), @XMM[2]
-        movdqu  @XMM[7], 0x50($out)
-        pxor    0x70(%rsp), @XMM[5]
-        movdqu  @XMM[2], 0x60($out)
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-
-        movdqa  0x70(%rsp), @XMM[7]     # prepare next iteration tweak
-        pxor    $twtmp, $twtmp
-        movdqa  .Lxts_magic(%rip), $twmask
-        pcmpgtd @XMM[7], $twtmp
-        pshufd  \$0x13, $twtmp, $twres
-        pxor    $twtmp, $twtmp
-        paddq   @XMM[7], @XMM[7]        # psllq 1,$tweak
-        pand    $twmask, $twres         # isolate carry and residue
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-        pxor    $twres, @XMM[7]
-
-        sub     \$0x80,$len
-        jnc     .Lxts_enc_loop
-
-.Lxts_enc_short:
-        add     \$0x80, $len
-        jz      .Lxts_enc_done
-___
-    for ($i=0;$i<7;$i++) {
-    $code.=<<___;
-        pshufd  \$0x13, $twtmp, $twres
-        pxor    $twtmp, $twtmp
-        movdqa  @XMM[7], @XMM[$i]
-        movdqa  @XMM[7], `0x10*$i`(%rsp)# save tweak[$i]
-        paddq   @XMM[7], @XMM[7]        # psllq 1,$tweak
-        pand    $twmask, $twres         # isolate carry and residue
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-        pxor    $twres, @XMM[7]
-___
-    $code.=<<___ if ($i>=1);
-        movdqu  `0x10*($i-1)`($inp), @XMM[8+$i-1]
-        cmp     \$`0x10*$i`,$len
-        je      .Lxts_enc_$i
-___
-    $code.=<<___ if ($i>=2);
-        pxor    @XMM[8+$i-2], @XMM[$i-2]# input[] ^ tweak[]
-___
-    }
-$code.=<<___;
-        movdqu  0x60($inp), @XMM[8+6]
-        pxor    @XMM[8+5], @XMM[5]
-        movdqa  @XMM[7], 0x70(%rsp)
-        lea     0x70($inp), $inp
-        pxor    @XMM[8+6], @XMM[6]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-
-        call    _bsaes_encrypt8
-
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[4]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[6]
-        movdqu  @XMM[4], 0x20($out)
-        pxor    0x40(%rsp), @XMM[3]
-        movdqu  @XMM[6], 0x30($out)
-        pxor    0x50(%rsp), @XMM[7]
-        movdqu  @XMM[3], 0x40($out)
-        pxor    0x60(%rsp), @XMM[2]
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[2], 0x60($out)
-        lea     0x70($out), $out
-
-        movdqa  0x70(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_enc_done
-.align  16
-.Lxts_enc_6:
-        pxor    @XMM[8+4], @XMM[4]
-        lea     0x60($inp), $inp
-        pxor    @XMM[8+5], @XMM[5]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-
-        call    _bsaes_encrypt8
-
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[4]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[6]
-        movdqu  @XMM[4], 0x20($out)
-        pxor    0x40(%rsp), @XMM[3]
-        movdqu  @XMM[6], 0x30($out)
-        pxor    0x50(%rsp), @XMM[7]
-        movdqu  @XMM[3], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        lea     0x60($out), $out
-
-        movdqa  0x60(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_enc_done
-.align  16
-.Lxts_enc_5:
-        pxor    @XMM[8+3], @XMM[3]
-        lea     0x50($inp), $inp
-        pxor    @XMM[8+4], @XMM[4]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-
-        call    _bsaes_encrypt8
-
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[4]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[6]
-        movdqu  @XMM[4], 0x20($out)
-        pxor    0x40(%rsp), @XMM[3]
-        movdqu  @XMM[6], 0x30($out)
-        movdqu  @XMM[3], 0x40($out)
-        lea     0x50($out), $out
-
-        movdqa  0x50(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_enc_done
-.align  16
-.Lxts_enc_4:
-        pxor    @XMM[8+2], @XMM[2]
-        lea     0x40($inp), $inp
-        pxor    @XMM[8+3], @XMM[3]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-
-        call    _bsaes_encrypt8
-
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[4]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[6]
-        movdqu  @XMM[4], 0x20($out)
-        movdqu  @XMM[6], 0x30($out)
-        lea     0x40($out), $out
-
-        movdqa  0x40(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_enc_done
-.align  16
-.Lxts_enc_3:
-        pxor    @XMM[8+1], @XMM[1]
-        lea     0x30($inp), $inp
-        pxor    @XMM[8+2], @XMM[2]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-
-        call    _bsaes_encrypt8
-
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[4]
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        lea     0x30($out), $out
-
-        movdqa  0x30(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_enc_done
-.align  16
-.Lxts_enc_2:
-        pxor    @XMM[8+0], @XMM[0]
-        lea     0x20($inp), $inp
-        pxor    @XMM[8+1], @XMM[1]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-
-        call    _bsaes_encrypt8
-
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        lea     0x20($out), $out
-
-        movdqa  0x20(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_enc_done
-.align  16
-.Lxts_enc_1:
-        pxor    @XMM[0], @XMM[8]
-        lea     0x10($inp), $inp
-        movdqa  @XMM[8], 0x20(%rbp)
-        lea     0x20(%rbp), $arg1
-        lea     0x20(%rbp), $arg2
-        lea     ($key), $arg3
-        call    asm_AES_encrypt         # doesn't touch %xmm
-        pxor    0x20(%rbp), @XMM[0]     # ^= tweak[]
-        #pxor   @XMM[8], @XMM[0]
-        #lea    0x80(%rsp), %rax        # pass key schedule
-        #mov    %edx, %r10d             # pass rounds
-        #call   _bsaes_encrypt8
-        #pxor   0x00(%rsp), @XMM[0]     # ^= tweak[]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        lea     0x10($out), $out
-
-        movdqa  0x10(%rsp), @XMM[7]     # next iteration tweak
-
-.Lxts_enc_done:
-        and     \$15, %ebx
-        jz      .Lxts_enc_ret
-        mov     $out, %rdx
-
-.Lxts_enc_steal:
-        movzb   ($inp), %eax
-        movzb   -16(%rdx), %ecx
-        lea     1($inp), $inp
-        mov     %al, -16(%rdx)
-        mov     %cl, 0(%rdx)
-        lea     1(%rdx), %rdx
-        sub     \$1,%ebx
-        jnz     .Lxts_enc_steal
-
-        movdqu  -16($out), @XMM[0]
-        lea     0x20(%rbp), $arg1
-        pxor    @XMM[7], @XMM[0]
-        lea     0x20(%rbp), $arg2
-        movdqa  @XMM[0], 0x20(%rbp)
-        lea     ($key), $arg3
-        call    asm_AES_encrypt         # doesn't touch %xmm
-        pxor    0x20(%rbp), @XMM[7]
-        movdqu  @XMM[7], -16($out)
-
-.Lxts_enc_ret:
-        lea     (%rsp), %rax
-        pxor    %xmm0, %xmm0
-.Lxts_enc_bzero:                        # wipe key schedule [if any]
-        movdqa  %xmm0, 0x00(%rax)
-        movdqa  %xmm0, 0x10(%rax)
-        lea     0x20(%rax), %rax
-        cmp     %rax, %rbp
-        ja      .Lxts_enc_bzero
-
-        lea     (%rbp),%rsp             # restore %rsp
-___
-$code.=<<___ if ($win64);
-        movaps  0x40(%rbp), %xmm6
-        movaps  0x50(%rbp), %xmm7
-        movaps  0x60(%rbp), %xmm8
-        movaps  0x70(%rbp), %xmm9
-        movaps  0x80(%rbp), %xmm10
-        movaps  0x90(%rbp), %xmm11
-        movaps  0xa0(%rbp), %xmm12
-        movaps  0xb0(%rbp), %xmm13
-        movaps  0xc0(%rbp), %xmm14
-        movaps  0xd0(%rbp), %xmm15
-        lea     0xa0(%rbp), %rsp
-___
-$code.=<<___;
-        mov     0x48(%rsp), %r15
-        mov     0x50(%rsp), %r14
-        mov     0x58(%rsp), %r13
-        mov     0x60(%rsp), %r12
-        mov     0x68(%rsp), %rbx
-        mov     0x70(%rsp), %rax
-        lea     0x78(%rsp), %rsp
-        mov     %rax, %rbp
-.Lxts_enc_epilogue:
-        ret
-.size   bsaes_xts_encrypt,.-bsaes_xts_encrypt
-
-.globl  bsaes_xts_decrypt
-.type   bsaes_xts_decrypt,\@abi-omnipotent
-.align  16
-bsaes_xts_decrypt:
-        _CET_ENDBR
-        mov     %rsp, %rax
-.Lxts_dec_prologue:
-        push    %rbp
-        push    %rbx
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        lea     -0x48(%rsp), %rsp
-___
-$code.=<<___ if ($win64);
-        mov     0xa0(%rsp),$arg5        # pull key2
-        mov     0xa8(%rsp),$arg6        # pull ivp
-        lea     -0xa0(%rsp), %rsp
-        movaps  %xmm6, 0x40(%rsp)
-        movaps  %xmm7, 0x50(%rsp)
-        movaps  %xmm8, 0x60(%rsp)
-        movaps  %xmm9, 0x70(%rsp)
-        movaps  %xmm10, 0x80(%rsp)
-        movaps  %xmm11, 0x90(%rsp)
-        movaps  %xmm12, 0xa0(%rsp)
-        movaps  %xmm13, 0xb0(%rsp)
-        movaps  %xmm14, 0xc0(%rsp)
-        movaps  %xmm15, 0xd0(%rsp)
-.Lxts_dec_body:
-___
-$code.=<<___;
-        mov     %rsp, %rbp              # backup %rsp
-        mov     $arg1, $inp             # backup arguments
-        mov     $arg2, $out
-        mov     $arg3, $len
-        mov     $arg4, $key
-
-        lea     ($arg6), $arg1
-        lea     0x20(%rbp), $arg2
-        lea     ($arg5), $arg3
-        call    asm_AES_encrypt         # generate initial tweak
-
-        mov     240($key), %eax         # rounds
-        mov     $len, %rbx              # backup $len
-
-        mov     %eax, %edx              # rounds
-        shl     \$7, %rax               # 128 bytes per inner round key
-        sub     \$`128-32`, %rax        # size of bit-sliced key schedule
-        sub     %rax, %rsp
-
-        mov     %rsp, %rax              # pass key schedule
-        mov     $key, %rcx              # pass key
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_key_convert
-        pxor    (%rsp), %xmm7           # fix up round 0 key
-        movdqa  %xmm6, (%rax)           # save last round key
-        movdqa  %xmm7, (%rsp)
-
-        xor     %eax, %eax              # if ($len%16) len-=16;
-        and     \$-16, $len
-        test    \$15, %ebx
-        setnz   %al
-        shl     \$4, %rax
-        sub     %rax, $len
-
-        sub     \$0x80, %rsp            # place for tweak[8]
-        movdqa  0x20(%rbp), @XMM[7]     # initial tweak
-
-        pxor    $twtmp, $twtmp
-        movdqa  .Lxts_magic(%rip), $twmask
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-
-        sub     \$0x80, $len
-        jc      .Lxts_dec_short
-        jmp     .Lxts_dec_loop
-
-.align  16
-.Lxts_dec_loop:
-___
-    for ($i=0;$i<7;$i++) {
-    $code.=<<___;
-        pshufd  \$0x13, $twtmp, $twres
-        pxor    $twtmp, $twtmp
-        movdqa  @XMM[7], @XMM[$i]
-        movdqa  @XMM[7], `0x10*$i`(%rsp)# save tweak[$i]
-        paddq   @XMM[7], @XMM[7]        # psllq 1,$tweak
-        pand    $twmask, $twres         # isolate carry and residue
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-        pxor    $twres, @XMM[7]
-___
-    $code.=<<___ if ($i>=1);
-        movdqu  `0x10*($i-1)`($inp), @XMM[8+$i-1]
-___
-    $code.=<<___ if ($i>=2);
-        pxor    @XMM[8+$i-2], @XMM[$i-2]# input[] ^ tweak[]
-___
-    }
-$code.=<<___;
-        movdqu  0x60($inp), @XMM[8+6]
-        pxor    @XMM[8+5], @XMM[5]
-        movdqu  0x70($inp), @XMM[8+7]
-        lea     0x80($inp), $inp
-        movdqa  @XMM[7], 0x70(%rsp)
-        pxor    @XMM[8+6], @XMM[6]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        pxor    @XMM[8+7], @XMM[7]
-        mov     %edx, %r10d             # pass rounds
-
-        call    _bsaes_decrypt8
-
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[6]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[4]
-        movdqu  @XMM[6], 0x20($out)
-        pxor    0x40(%rsp), @XMM[2]
-        movdqu  @XMM[4], 0x30($out)
-        pxor    0x50(%rsp), @XMM[7]
-        movdqu  @XMM[2], 0x40($out)
-        pxor    0x60(%rsp), @XMM[3]
-        movdqu  @XMM[7], 0x50($out)
-        pxor    0x70(%rsp), @XMM[5]
-        movdqu  @XMM[3], 0x60($out)
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-
-        movdqa  0x70(%rsp), @XMM[7]     # prepare next iteration tweak
-        pxor    $twtmp, $twtmp
-        movdqa  .Lxts_magic(%rip), $twmask
-        pcmpgtd @XMM[7], $twtmp
-        pshufd  \$0x13, $twtmp, $twres
-        pxor    $twtmp, $twtmp
-        paddq   @XMM[7], @XMM[7]        # psllq 1,$tweak
-        pand    $twmask, $twres         # isolate carry and residue
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-        pxor    $twres, @XMM[7]
-
-        sub     \$0x80,$len
-        jnc     .Lxts_dec_loop
-
-.Lxts_dec_short:
-        add     \$0x80, $len
-        jz      .Lxts_dec_done
-___
-    for ($i=0;$i<7;$i++) {
-    $code.=<<___;
-        pshufd  \$0x13, $twtmp, $twres
-        pxor    $twtmp, $twtmp
-        movdqa  @XMM[7], @XMM[$i]
-        movdqa  @XMM[7], `0x10*$i`(%rsp)# save tweak[$i]
-        paddq   @XMM[7], @XMM[7]        # psllq 1,$tweak
-        pand    $twmask, $twres         # isolate carry and residue
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-        pxor    $twres, @XMM[7]
-___
-    $code.=<<___ if ($i>=1);
-        movdqu  `0x10*($i-1)`($inp), @XMM[8+$i-1]
-        cmp     \$`0x10*$i`,$len
-        je      .Lxts_dec_$i
-___
-    $code.=<<___ if ($i>=2);
-        pxor    @XMM[8+$i-2], @XMM[$i-2]# input[] ^ tweak[]
-___
-    }
-$code.=<<___;
-        movdqu  0x60($inp), @XMM[8+6]
-        pxor    @XMM[8+5], @XMM[5]
-        movdqa  @XMM[7], 0x70(%rsp)
-        lea     0x70($inp), $inp
-        pxor    @XMM[8+6], @XMM[6]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-
-        call    _bsaes_decrypt8
-
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[6]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[4]
-        movdqu  @XMM[6], 0x20($out)
-        pxor    0x40(%rsp), @XMM[2]
-        movdqu  @XMM[4], 0x30($out)
-        pxor    0x50(%rsp), @XMM[7]
-        movdqu  @XMM[2], 0x40($out)
-        pxor    0x60(%rsp), @XMM[3]
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[3], 0x60($out)
-        lea     0x70($out), $out
-
-        movdqa  0x70(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_dec_done
-.align  16
-.Lxts_dec_6:
-        pxor    @XMM[8+4], @XMM[4]
-        lea     0x60($inp), $inp
-        pxor    @XMM[8+5], @XMM[5]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-
-        call    _bsaes_decrypt8
-
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[6]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[4]
-        movdqu  @XMM[6], 0x20($out)
-        pxor    0x40(%rsp), @XMM[2]
-        movdqu  @XMM[4], 0x30($out)
-        pxor    0x50(%rsp), @XMM[7]
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        lea     0x60($out), $out
-
-        movdqa  0x60(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_dec_done
-.align  16
-.Lxts_dec_5:
-        pxor    @XMM[8+3], @XMM[3]
-        lea     0x50($inp), $inp
-        pxor    @XMM[8+4], @XMM[4]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-
-        call    _bsaes_decrypt8
-
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[6]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[4]
-        movdqu  @XMM[6], 0x20($out)
-        pxor    0x40(%rsp), @XMM[2]
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        lea     0x50($out), $out
-
-        movdqa  0x50(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_dec_done
-.align  16
-.Lxts_dec_4:
-        pxor    @XMM[8+2], @XMM[2]
-        lea     0x40($inp), $inp
-        pxor    @XMM[8+3], @XMM[3]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-
-        call    _bsaes_decrypt8
-
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[6]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[4]
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        lea     0x40($out), $out
-
-        movdqa  0x40(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_dec_done
-.align  16
-.Lxts_dec_3:
-        pxor    @XMM[8+1], @XMM[1]
-        lea     0x30($inp), $inp
-        pxor    @XMM[8+2], @XMM[2]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-
-        call    _bsaes_decrypt8
-
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[6]
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        lea     0x30($out), $out
-
-        movdqa  0x30(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_dec_done
-.align  16
-.Lxts_dec_2:
-        pxor    @XMM[8+0], @XMM[0]
-        lea     0x20($inp), $inp
-        pxor    @XMM[8+1], @XMM[1]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-
-        call    _bsaes_decrypt8
-
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        lea     0x20($out), $out
-
-        movdqa  0x20(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_dec_done
-.align  16
-.Lxts_dec_1:
-        pxor    @XMM[0], @XMM[8]
-        lea     0x10($inp), $inp
-        movdqa  @XMM[8], 0x20(%rbp)
-        lea     0x20(%rbp), $arg1
-        lea     0x20(%rbp), $arg2
-        lea     ($key), $arg3
-        call    asm_AES_decrypt         # doesn't touch %xmm
-        pxor    0x20(%rbp), @XMM[0]     # ^= tweak[]
-        #pxor   @XMM[8], @XMM[0]
-        #lea    0x80(%rsp), %rax        # pass key schedule
-        #mov    %edx, %r10d             # pass rounds
-        #call   _bsaes_decrypt8
-        #pxor   0x00(%rsp), @XMM[0]     # ^= tweak[]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        lea     0x10($out), $out
-
-        movdqa  0x10(%rsp), @XMM[7]     # next iteration tweak
-
-.Lxts_dec_done:
-        and     \$15, %ebx
-        jz      .Lxts_dec_ret
-
-        pxor    $twtmp, $twtmp
-        movdqa  .Lxts_magic(%rip), $twmask
-        pcmpgtd @XMM[7], $twtmp
-        pshufd  \$0x13, $twtmp, $twres
-        movdqa  @XMM[7], @XMM[6]
-        paddq   @XMM[7], @XMM[7]        # psllq 1,$tweak
-        pand    $twmask, $twres         # isolate carry and residue
-        movdqu  ($inp), @XMM[0]
-        pxor    $twres, @XMM[7]
-
-        lea     0x20(%rbp), $arg1
-        pxor    @XMM[7], @XMM[0]
-        lea     0x20(%rbp), $arg2
-        movdqa  @XMM[0], 0x20(%rbp)
-        lea     ($key), $arg3
-        call    asm_AES_decrypt         # doesn't touch %xmm
-        pxor    0x20(%rbp), @XMM[7]
-        mov     $out, %rdx
-        movdqu  @XMM[7], ($out)
-
-.Lxts_dec_steal:
-        movzb   16($inp), %eax
-        movzb   (%rdx), %ecx
-        lea     1($inp), $inp
-        mov     %al, (%rdx)
-        mov     %cl, 16(%rdx)
-        lea     1(%rdx), %rdx
-        sub     \$1,%ebx
-        jnz     .Lxts_dec_steal
-
-        movdqu  ($out), @XMM[0]
-        lea     0x20(%rbp), $arg1
-        pxor    @XMM[6], @XMM[0]
-        lea     0x20(%rbp), $arg2
-        movdqa  @XMM[0], 0x20(%rbp)
-        lea     ($key), $arg3
-        call    asm_AES_decrypt         # doesn't touch %xmm
-        pxor    0x20(%rbp), @XMM[6]
-        movdqu  @XMM[6], ($out)
-
-.Lxts_dec_ret:
-        lea     (%rsp), %rax
-        pxor    %xmm0, %xmm0
-.Lxts_dec_bzero:                        # wipe key schedule [if any]
-        movdqa  %xmm0, 0x00(%rax)
-        movdqa  %xmm0, 0x10(%rax)
-        lea     0x20(%rax), %rax
-        cmp     %rax, %rbp
-        ja      .Lxts_dec_bzero
-
-        lea     (%rbp),%rsp             # restore %rsp
-___
-$code.=<<___ if ($win64);
-        movaps  0x40(%rbp), %xmm6
-        movaps  0x50(%rbp), %xmm7
-        movaps  0x60(%rbp), %xmm8
-        movaps  0x70(%rbp), %xmm9
-        movaps  0x80(%rbp), %xmm10
-        movaps  0x90(%rbp), %xmm11
-        movaps  0xa0(%rbp), %xmm12
-        movaps  0xb0(%rbp), %xmm13
-        movaps  0xc0(%rbp), %xmm14
-        movaps  0xd0(%rbp), %xmm15
-        lea     0xa0(%rbp), %rsp
-___
-$code.=<<___;
-        mov     0x48(%rsp), %r15
-        mov     0x50(%rsp), %r14
-        mov     0x58(%rsp), %r13
-        mov     0x60(%rsp), %r12
-        mov     0x68(%rsp), %rbx
-        mov     0x70(%rsp), %rax
-        lea     0x78(%rsp), %rsp
-        mov     %rax, %rbp
-.Lxts_dec_epilogue:
-        ret
-.size   bsaes_xts_decrypt,.-bsaes_xts_decrypt
-___
-}
-$code.=<<___;
-.section .rodata
-.type   _bsaes_const,\@object
-.align  64
-_bsaes_const:
-.LM0ISR:        # InvShiftRows constants
-        .quad   0x0a0e0206070b0f03, 0x0004080c0d010509
-.LISRM0:
-        .quad   0x01040b0e0205080f, 0x0306090c00070a0d
-.LISR:
-        .quad   0x0504070602010003, 0x0f0e0d0c080b0a09
-.LBS0:          # bit-slice constants
-        .quad   0x5555555555555555, 0x5555555555555555
-.LBS1:
-        .quad   0x3333333333333333, 0x3333333333333333
-.LBS2:
-        .quad   0x0f0f0f0f0f0f0f0f, 0x0f0f0f0f0f0f0f0f
-.LSR:           # shiftrows constants
-        .quad   0x0504070600030201, 0x0f0e0d0c0a09080b
-.LSRM0:
-        .quad   0x0304090e00050a0f, 0x01060b0c0207080d
-.LM0SR:
-        .quad   0x0a0e02060f03070b, 0x0004080c05090d01
-.LSWPUP:        # byte-swap upper dword
-        .quad   0x0706050403020100, 0x0c0d0e0f0b0a0908
-.LSWPUPM0SR:
-        .quad   0x0a0d02060c03070b, 0x0004080f05090e01
-.LADD1:         # counter increment constants
-        .quad   0x0000000000000000, 0x0000000100000000
-.LADD2:
-        .quad   0x0000000000000000, 0x0000000200000000
-.LADD3:
-        .quad   0x0000000000000000, 0x0000000300000000
-.LADD4:
-        .quad   0x0000000000000000, 0x0000000400000000
-.LADD5:
-        .quad   0x0000000000000000, 0x0000000500000000
-.LADD6:
-        .quad   0x0000000000000000, 0x0000000600000000
-.LADD7:
-        .quad   0x0000000000000000, 0x0000000700000000
-.LADD8:
-        .quad   0x0000000000000000, 0x0000000800000000
-.Lxts_magic:
-        .long   0x87,0,1,0
-.Lmasks:
-        .quad   0x0101010101010101, 0x0101010101010101
-        .quad   0x0202020202020202, 0x0202020202020202
-        .quad   0x0404040404040404, 0x0404040404040404
-        .quad   0x0808080808080808, 0x0808080808080808
-.LM0:
-        .quad   0x02060a0e03070b0f, 0x0004080c0105090d
-.L63:
-        .quad   0x6363636363636363, 0x6363636363636363
-.align  64
-.size   _bsaes_const,.-_bsaes_const
-.text
-___
-
-# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
-#               CONTEXT *context,DISPATCHER_CONTEXT *disp)
-if ($win64) {
-$rec="%rcx";
-$frame="%rdx";
-$context="%r8";
-$disp="%r9";
-
-$code.=<<___;
-.extern __imp_RtlVirtualUnwind
-.type   se_handler,\@abi-omnipotent
-.align  16
-se_handler:
-        _CET_ENDBR
-        push    %rsi
-        push    %rdi
-        push    %rbx
-        push    %rbp
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        pushfq
-        sub     \$64,%rsp
-
-        mov     120($context),%rax      # pull context->Rax
-        mov     248($context),%rbx      # pull context->Rip
-
-        mov     8($disp),%rsi           # disp->ImageBase
-        mov     56($disp),%r11          # disp->HandlerData
-
-        mov     0(%r11),%r10d           # HandlerData[0]
-        lea     (%rsi,%r10),%r10        # prologue label
-        cmp     %r10,%rbx               # context->Rip<prologue label
-        jb      .Lin_prologue
-
-        mov     152($context),%rax      # pull context->Rsp
-
-        mov     4(%r11),%r10d           # HandlerData[1]
-        lea     (%rsi,%r10),%r10        # epilogue label
-        cmp     %r10,%rbx               # context->Rip>=epilogue label
-        jae     .Lin_prologue
-
-        mov     160($context),%rax      # pull context->Rbp
-
-        lea     0x40(%rax),%rsi         # %xmm save area
-        lea     512($context),%rdi      # &context.Xmm6
-        mov     \$20,%ecx               # 10*sizeof(%xmm0)/sizeof(%rax)
-        .long   0xa548f3fc              # cld; rep movsq
-        lea     0xa0(%rax),%rax         # adjust stack pointer
-
-        mov     0x70(%rax),%rbp
-        mov     0x68(%rax),%rbx
-        mov     0x60(%rax),%r12
-        mov     0x58(%rax),%r13
-        mov     0x50(%rax),%r14
-        mov     0x48(%rax),%r15
-        lea     0x78(%rax),%rax         # adjust stack pointer
-        mov     %rbx,144($context)      # restore context->Rbx
-        mov     %rbp,160($context)      # restore context->Rbp
-        mov     %r12,216($context)      # restore context->R12
-        mov     %r13,224($context)      # restore context->R13
-        mov     %r14,232($context)      # restore context->R14
-        mov     %r15,240($context)      # restore context->R15
-
-.Lin_prologue:
-        mov     %rax,152($context)      # restore context->Rsp
-
-        mov     40($disp),%rdi          # disp->ContextRecord
-        mov     $context,%rsi           # context
-        mov     \$`1232/8`,%ecx         # sizeof(CONTEXT)
-        .long   0xa548f3fc              # cld; rep movsq
-
-        mov     $disp,%rsi
-        xor     %rcx,%rcx               # arg1, UNW_FLAG_NHANDLER
-        mov     8(%rsi),%rdx            # arg2, disp->ImageBase
-        mov     0(%rsi),%r8             # arg3, disp->ControlPc
-        mov     16(%rsi),%r9            # arg4, disp->FunctionEntry
-        mov     40(%rsi),%r10           # disp->ContextRecord
-        lea     56(%rsi),%r11           # &disp->HandlerData
-        lea     24(%rsi),%r12           # &disp->EstablisherFrame
-        mov     %r10,32(%rsp)           # arg5
-        mov     %r11,40(%rsp)           # arg6
-        mov     %r12,48(%rsp)           # arg7
-        mov     %rcx,56(%rsp)           # arg8, (NULL)
-        call    *__imp_RtlVirtualUnwind(%rip)
-
-        mov     \$1,%eax                # ExceptionContinueSearch
-        add     \$64,%rsp
-        popfq
-        pop     %r15
-        pop     %r14
-        pop     %r13
-        pop     %r12
-        pop     %rbp
-        pop     %rbx
-        pop     %rdi
-        pop     %rsi
-        ret
-.size   se_handler,.-se_handler
-
-.section        .pdata
-.align  4
-___
-$code.=<<___ if ($ecb);
-        .rva    .Lecb_enc_prologue
-        .rva    .Lecb_enc_epilogue
-        .rva    .Lecb_enc_info
-
-        .rva    .Lecb_dec_prologue
-        .rva    .Lecb_dec_epilogue
-        .rva    .Lecb_dec_info
-___
-$code.=<<___;
-        .rva    .Lcbc_dec_prologue
-        .rva    .Lcbc_dec_epilogue
-        .rva    .Lcbc_dec_info
-
-        .rva    .Lctr_enc_prologue
-        .rva    .Lctr_enc_epilogue
-        .rva    .Lctr_enc_info
-
-        .rva    .Lxts_enc_prologue
-        .rva    .Lxts_enc_epilogue
-        .rva    .Lxts_enc_info
-
-        .rva    .Lxts_dec_prologue
-        .rva    .Lxts_dec_epilogue
-        .rva    .Lxts_dec_info
-
-.section        .xdata
-.align  8
-___
-$code.=<<___ if ($ecb);
-.Lecb_enc_info:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lecb_enc_body,.Lecb_enc_epilogue       # HandlerData[]
-.Lecb_dec_info:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lecb_dec_body,.Lecb_dec_epilogue       # HandlerData[]
-___
-$code.=<<___;
-.Lcbc_dec_info:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lcbc_dec_body,.Lcbc_dec_epilogue       # HandlerData[]
-.Lctr_enc_info:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lctr_enc_body,.Lctr_enc_epilogue       # HandlerData[]
-.Lxts_enc_info:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lxts_enc_body,.Lxts_enc_epilogue       # HandlerData[]
-.Lxts_dec_info:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lxts_dec_body,.Lxts_dec_epilogue       # HandlerData[]
-___
-}
-
-$code =~ s/\`([^\`]*)\`/eval($1)/gem;
-
-print $code;
-
-close STDOUT;
diff --git a/src/lib/libcrypto/aes/asm/vpaes-x86.pl b/src/lib/libcrypto/aes/asm/vpaes-x86.pl
deleted file mode 100644
index 6e7bd36d05..0000000000
--- a/src/lib/libcrypto/aes/asm/vpaes-x86.pl
+++ /dev/null
@@ -1,911 +0,0 @@
-#!/usr/bin/env perl
-
-######################################################################
-## Constant-time SSSE3 AES core implementation.
-## version 0.1
-##
-## By Mike Hamburg (Stanford University), 2009
-## Public domain.
-##
-## For details see http://shiftleft.org/papers/vector_aes/ and
-## http://crypto.stanford.edu/vpaes/.
-
-######################################################################
-# September 2011.
-#
-# Port vpaes-x86_64.pl as 32-bit "almost" drop-in replacement for
-# aes-586.pl. "Almost" refers to the fact that AES_cbc_encrypt
-# doesn't handle partial vectors (doesn't have to if called from
-# EVP only). "Drop-in" implies that this module doesn't share key
-# schedule structure with the original nor does it make assumption
-# about its alignment...
-#
-# Performance summary. aes-586.pl column lists large-block CBC
-# encrypt/decrypt/with-hyper-threading-off(*) results in cycles per
-# byte processed with 128-bit key, and vpaes-x86.pl column - [also
-# large-block CBC] encrypt/decrypt.
-#
-#               aes-586.pl              vpaes-x86.pl
-#
-# Core 2(**)    29.1/42.3/18.3          22.0/25.6(***)
-# Nehalem       27.9/40.4/18.1          10.3/12.0
-# Atom          102./119./60.1          64.5/85.3(***)
-#
-# (*)   "Hyper-threading" in the context refers rather to cache shared
-#       among multiple cores, than to specifically Intel HTT. As vast
-#       majority of contemporary cores share cache, slower code path
-#       is common place. In other words "with-hyper-threading-off"
-#       results are presented mostly for reference purposes.
-#
-# (**)  "Core 2" refers to initial 65nm design, a.k.a. Conroe.
-#
-# (***) Less impressive improvement on Core 2 and Atom is due to slow
-#       pshufb, yet it's respectable +32%/65%  improvement on Core 2
-#       and +58%/40% on Atom (as implied, over "hyper-threading-safe"
-#       code path).
-#
-#                                               <appro@openssl.org>
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-push(@INC,"${dir}","${dir}../../perlasm");
-require "x86asm.pl";
-
-&asm_init($ARGV[0],"vpaes-x86.pl",$x86only = $ARGV[$#ARGV] eq "386");
-
-$PREFIX="vpaes";
-
-my  ($round, $base, $magic, $key, $const, $inp, $out)=
-    ("eax",  "ebx", "ecx",  "edx","ebp",  "esi","edi");
-
-        &rodataseg();
-&static_label("_vpaes_consts");
-&static_label("_vpaes_schedule_low_round");
-
-&set_label("_vpaes_consts",64);
-$k_inv=-0x30;           # inv, inva
-        &data_word(0x0D080180,0x0E05060F,0x0A0B0C02,0x04070309);
-        &data_word(0x0F0B0780,0x01040A06,0x02050809,0x030D0E0C);
-
-$k_s0F=-0x10;           # s0F
-        &data_word(0x0F0F0F0F,0x0F0F0F0F,0x0F0F0F0F,0x0F0F0F0F);
-
-$k_ipt=0x00;            # input transform (lo, hi)
-        &data_word(0x5A2A7000,0xC2B2E898,0x52227808,0xCABAE090);
-        &data_word(0x317C4D00,0x4C01307D,0xB0FDCC81,0xCD80B1FC);
-
-$k_sb1=0x20;            # sb1u, sb1t
-        &data_word(0xCB503E00,0xB19BE18F,0x142AF544,0xA5DF7A6E);
-        &data_word(0xFAE22300,0x3618D415,0x0D2ED9EF,0x3BF7CCC1);
-$k_sb2=0x40;            # sb2u, sb2t
-        &data_word(0x0B712400,0xE27A93C6,0xBC982FCD,0x5EB7E955);
-        &data_word(0x0AE12900,0x69EB8840,0xAB82234A,0xC2A163C8);
-$k_sbo=0x60;            # sbou, sbot
-        &data_word(0x6FBDC700,0xD0D26D17,0xC502A878,0x15AABF7A);
-        &data_word(0x5FBB6A00,0xCFE474A5,0x412B35FA,0x8E1E90D1);
-
-$k_mc_forward=0x80;     # mc_forward
-        &data_word(0x00030201,0x04070605,0x080B0A09,0x0C0F0E0D);
-        &data_word(0x04070605,0x080B0A09,0x0C0F0E0D,0x00030201);
-        &data_word(0x080B0A09,0x0C0F0E0D,0x00030201,0x04070605);
-        &data_word(0x0C0F0E0D,0x00030201,0x04070605,0x080B0A09);
-
-$k_mc_backward=0xc0;    # mc_backward
-        &data_word(0x02010003,0x06050407,0x0A09080B,0x0E0D0C0F);
-        &data_word(0x0E0D0C0F,0x02010003,0x06050407,0x0A09080B);
-        &data_word(0x0A09080B,0x0E0D0C0F,0x02010003,0x06050407);
-        &data_word(0x06050407,0x0A09080B,0x0E0D0C0F,0x02010003);
-
-$k_sr=0x100;            # sr
-        &data_word(0x03020100,0x07060504,0x0B0A0908,0x0F0E0D0C);
-        &data_word(0x0F0A0500,0x030E0904,0x07020D08,0x0B06010C);
-        &data_word(0x0B020900,0x0F060D04,0x030A0108,0x070E050C);
-        &data_word(0x070A0D00,0x0B0E0104,0x0F020508,0x0306090C);
-
-$k_rcon=0x140;          # rcon
-        &data_word(0xAF9DEEB6,0x1F8391B9,0x4D7C7D81,0x702A9808);
-
-$k_s63=0x150;           # s63: all equal to 0x63 transformed
-        &data_word(0x5B5B5B5B,0x5B5B5B5B,0x5B5B5B5B,0x5B5B5B5B);
-
-$k_opt=0x160;           # output transform
-        &data_word(0xD6B66000,0xFF9F4929,0xDEBE6808,0xF7974121);
-        &data_word(0x50BCEC00,0x01EDBD51,0xB05C0CE0,0xE10D5DB1);
-
-$k_deskew=0x180;        # deskew tables: inverts the sbox's "skew"
-        &data_word(0x47A4E300,0x07E4A340,0x5DBEF91A,0x1DFEB95A);
-        &data_word(0x83EA6900,0x5F36B5DC,0xF49D1E77,0x2841C2AB);
-##
-##  Decryption stuff
-##  Key schedule constants
-##
-$k_dksd=0x1a0;          # decryption key schedule: invskew x*D
-        &data_word(0xA3E44700,0xFEB91A5D,0x5A1DBEF9,0x0740E3A4);
-        &data_word(0xB5368300,0x41C277F4,0xAB289D1E,0x5FDC69EA);
-$k_dksb=0x1c0;          # decryption key schedule: invskew x*B
-        &data_word(0x8550D500,0x9A4FCA1F,0x1CC94C99,0x03D65386);
-        &data_word(0xB6FC4A00,0x115BEDA7,0x7E3482C8,0xD993256F);
-$k_dkse=0x1e0;          # decryption key schedule: invskew x*E + 0x63
-        &data_word(0x1FC9D600,0xD5031CCA,0x994F5086,0x53859A4C);
-        &data_word(0x4FDC7BE8,0xA2319605,0x20B31487,0xCD5EF96A);
-$k_dks9=0x200;          # decryption key schedule: invskew x*9
-        &data_word(0x7ED9A700,0xB6116FC8,0x82255BFC,0x4AED9334);
-        &data_word(0x27143300,0x45765162,0xE9DAFDCE,0x8BB89FAC);
-
-##
-##  Decryption stuff
-##  Round function constants
-##
-$k_dipt=0x220;          # decryption input transform
-        &data_word(0x0B545F00,0x0F505B04,0x114E451A,0x154A411E);
-        &data_word(0x60056500,0x86E383E6,0xF491F194,0x12771772);
-
-$k_dsb9=0x240;          # decryption sbox output *9*u, *9*t
-        &data_word(0x9A86D600,0x851C0353,0x4F994CC9,0xCAD51F50);
-        &data_word(0xECD74900,0xC03B1789,0xB2FBA565,0x725E2C9E);
-$k_dsbd=0x260;          # decryption sbox output *D*u, *D*t
-        &data_word(0xE6B1A200,0x7D57CCDF,0x882A4439,0xF56E9B13);
-        &data_word(0x24C6CB00,0x3CE2FAF7,0x15DEEFD3,0x2931180D);
-$k_dsbb=0x280;          # decryption sbox output *B*u, *B*t
-        &data_word(0x96B44200,0xD0226492,0xB0F2D404,0x602646F6);
-        &data_word(0xCD596700,0xC19498A6,0x3255AA6B,0xF3FF0C3E);
-$k_dsbe=0x2a0;          # decryption sbox output *E*u, *E*t
-        &data_word(0x26D4D000,0x46F29296,0x64B4F6B0,0x22426004);
-        &data_word(0xFFAAC100,0x0C55A6CD,0x98593E32,0x9467F36B);
-$k_dsbo=0x2c0;          # decryption sbox final output
-        &data_word(0x7EF94000,0x1387EA53,0xD4943E2D,0xC7AA6DB9);
-        &data_word(0x93441D00,0x12D7560F,0xD8C58E9C,0xCA4B8159);
-        &previous();
-
-&function_begin_B("_vpaes_preheat");
-        &movdqa ("xmm7",&QWP($k_inv,$const));
-        &movdqa ("xmm6",&QWP($k_s0F,$const));
-        &ret    ();
-&function_end_B("_vpaes_preheat");
-
-##
-##  _aes_encrypt_core
-##
-##  AES-encrypt %xmm0.
-##
-##  Inputs:
-##     %xmm0 = input
-##     %xmm6-%xmm7 as in _vpaes_preheat
-##    (%edx) = scheduled keys
-##
-##  Output in %xmm0
-##  Clobbers  %xmm1-%xmm5, %eax, %ebx, %ecx, %edx
-##
-##
-&function_begin_B("_vpaes_encrypt_core");
-        &mov    ($magic,16);
-        &mov    ($round,&DWP(240,$key));
-        &movdqa ("xmm1","xmm6")
-        &movdqa ("xmm2",&QWP($k_ipt,$const));
-        &pandn  ("xmm1","xmm0");
-        &movdqu ("xmm5",&QWP(0,$key));
-        &psrld  ("xmm1",4);
-        &pand   ("xmm0","xmm6");
-        &pshufb ("xmm2","xmm0");
-        &movdqa ("xmm0",&QWP($k_ipt+16,$const));
-        &pshufb ("xmm0","xmm1");
-        &pxor   ("xmm2","xmm5");
-        &pxor   ("xmm0","xmm2");
-        &add    ($key,16);
-        &lea    ($base,&DWP($k_mc_backward,$const));
-        &jmp    (&label("enc_entry"));
-
-
-&set_label("enc_loop",16);
-        # middle of middle round
-        &movdqa ("xmm4",&QWP($k_sb1,$const));   # 4 : sb1u
-        &pshufb ("xmm4","xmm2");                # 4 = sb1u
-        &pxor   ("xmm4","xmm5");                # 4 = sb1u + k
-        &movdqa ("xmm0",&QWP($k_sb1+16,$const));# 0 : sb1t
-        &pshufb ("xmm0","xmm3");                # 0 = sb1t
-        &pxor   ("xmm0","xmm4");                # 0 = A
-        &movdqa ("xmm5",&QWP($k_sb2,$const));   # 4 : sb2u
-        &pshufb ("xmm5","xmm2");                # 4 = sb2u
-        &movdqa ("xmm1",&QWP(-0x40,$base,$magic));# .Lk_mc_forward[]
-        &movdqa ("xmm2",&QWP($k_sb2+16,$const));# 2 : sb2t
-        &pshufb ("xmm2","xmm3");                # 2 = sb2t
-        &pxor   ("xmm2","xmm5");                # 2 = 2A
-        &movdqa ("xmm4",&QWP(0,$base,$magic));  # .Lk_mc_backward[]
-        &movdqa ("xmm3","xmm0");                # 3 = A
-        &pshufb ("xmm0","xmm1");                # 0 = B
-        &add    ($key,16);                      # next key
-        &pxor   ("xmm0","xmm2");                # 0 = 2A+B
-        &pshufb ("xmm3","xmm4");                # 3 = D
-        &add    ($magic,16);                    # next mc
-        &pxor   ("xmm3","xmm0");                # 3 = 2A+B+D
-        &pshufb ("xmm0","xmm1");                # 0 = 2B+C
-        &and    ($magic,0x30);                  # ... mod 4
-        &pxor   ("xmm0","xmm3");                # 0 = 2A+3B+C+D
-        &sub    ($round,1);                     # nr--
-
-&set_label("enc_entry");
-        # top of round
-        &movdqa ("xmm1","xmm6");                # 1 : i
-        &pandn  ("xmm1","xmm0");                # 1 = i<<4
-        &psrld  ("xmm1",4);                     # 1 = i
-        &pand   ("xmm0","xmm6");                # 0 = k
-        &movdqa ("xmm5",&QWP($k_inv+16,$const));# 2 : a/k
-        &pshufb ("xmm5","xmm0");                # 2 = a/k
-        &pxor   ("xmm0","xmm1");                # 0 = j
-        &movdqa ("xmm3","xmm7");                # 3 : 1/i
-        &pshufb ("xmm3","xmm1");                # 3 = 1/i
-        &pxor   ("xmm3","xmm5");                # 3 = iak = 1/i + a/k
-        &movdqa ("xmm4","xmm7");                # 4 : 1/j
-        &pshufb ("xmm4","xmm0");                # 4 = 1/j
-        &pxor   ("xmm4","xmm5");                # 4 = jak = 1/j + a/k
-        &movdqa ("xmm2","xmm7");                # 2 : 1/iak
-        &pshufb ("xmm2","xmm3");                # 2 = 1/iak
-        &pxor   ("xmm2","xmm0");                # 2 = io
-        &movdqa ("xmm3","xmm7");                # 3 : 1/jak
-        &movdqu ("xmm5",&QWP(0,$key));
-        &pshufb ("xmm3","xmm4");                # 3 = 1/jak
-        &pxor   ("xmm3","xmm1");                # 3 = jo
-        &jnz    (&label("enc_loop"));
-
-        # middle of last round
-        &movdqa ("xmm4",&QWP($k_sbo,$const));   # 3 : sbou      .Lk_sbo
-        &movdqa ("xmm0",&QWP($k_sbo+16,$const));# 3 : sbot      .Lk_sbo+16
-        &pshufb ("xmm4","xmm2");                # 4 = sbou
-        &pxor   ("xmm4","xmm5");                # 4 = sb1u + k
-        &pshufb ("xmm0","xmm3");                # 0 = sb1t
-        &movdqa ("xmm1",&QWP(0x40,$base,$magic));# .Lk_sr[]
-        &pxor   ("xmm0","xmm4");                # 0 = A
-        &pshufb ("xmm0","xmm1");
-        &ret    ();
-&function_end_B("_vpaes_encrypt_core");
-
-##
-##  Decryption core
-##
-##  Same API as encryption core.
-##
-&function_begin_B("_vpaes_decrypt_core");
-        &mov    ($round,&DWP(240,$key));
-        &lea    ($base,&DWP($k_dsbd,$const));
-        &movdqa ("xmm1","xmm6");
-        &movdqa ("xmm2",&QWP($k_dipt-$k_dsbd,$base));
-        &pandn  ("xmm1","xmm0");
-        &mov    ($magic,$round);
-        &psrld  ("xmm1",4)
-        &movdqu ("xmm5",&QWP(0,$key));
-        &shl    ($magic,4);
-        &pand   ("xmm0","xmm6");
-        &pshufb ("xmm2","xmm0");
-        &movdqa ("xmm0",&QWP($k_dipt-$k_dsbd+16,$base));
-        &xor    ($magic,0x30);
-        &pshufb ("xmm0","xmm1");
-        &and    ($magic,0x30);
-        &pxor   ("xmm2","xmm5");
-        &movdqa ("xmm5",&QWP($k_mc_forward+48,$const));
-        &pxor   ("xmm0","xmm2");
-        &add    ($key,16);
-        &lea    ($magic,&DWP($k_sr-$k_dsbd,$base,$magic));
-        &jmp    (&label("dec_entry"));
-
-&set_label("dec_loop",16);
-##
-##  Inverse mix columns
-##
-        &movdqa ("xmm4",&QWP(-0x20,$base));     # 4 : sb9u
-        &pshufb ("xmm4","xmm2");                # 4 = sb9u
-        &pxor   ("xmm4","xmm0");
-        &movdqa ("xmm0",&QWP(-0x10,$base));     # 0 : sb9t
-        &pshufb ("xmm0","xmm3");                # 0 = sb9t
-        &pxor   ("xmm0","xmm4");                # 0 = ch
-        &add    ($key,16);                      # next round key
-
-        &pshufb ("xmm0","xmm5");                # MC ch
-        &movdqa ("xmm4",&QWP(0,$base));         # 4 : sbdu
-        &pshufb ("xmm4","xmm2");                # 4 = sbdu
-        &pxor   ("xmm4","xmm0");                # 4 = ch
-        &movdqa ("xmm0",&QWP(0x10,$base));      # 0 : sbdt
-        &pshufb ("xmm0","xmm3");                # 0 = sbdt
-        &pxor   ("xmm0","xmm4");                # 0 = ch
-        &sub    ($round,1);                     # nr--
-
-        &pshufb ("xmm0","xmm5");                # MC ch
-        &movdqa ("xmm4",&QWP(0x20,$base));      # 4 : sbbu
-        &pshufb ("xmm4","xmm2");                # 4 = sbbu
-        &pxor   ("xmm4","xmm0");                # 4 = ch
-        &movdqa ("xmm0",&QWP(0x30,$base));      # 0 : sbbt
-        &pshufb ("xmm0","xmm3");                # 0 = sbbt
-        &pxor   ("xmm0","xmm4");                # 0 = ch
-
-        &pshufb ("xmm0","xmm5");                # MC ch
-        &movdqa ("xmm4",&QWP(0x40,$base));      # 4 : sbeu
-        &pshufb ("xmm4","xmm2");                # 4 = sbeu
-        &pxor   ("xmm4","xmm0");                # 4 = ch
-        &movdqa ("xmm0",&QWP(0x50,$base));      # 0 : sbet
-        &pshufb ("xmm0","xmm3");                # 0 = sbet
-        &pxor   ("xmm0","xmm4");                # 0 = ch
-
-        &palignr("xmm5","xmm5",12);
-
-&set_label("dec_entry");
-        # top of round
-        &movdqa ("xmm1","xmm6");                # 1 : i
-        &pandn  ("xmm1","xmm0");                # 1 = i<<4
-        &psrld  ("xmm1",4);                     # 1 = i
-        &pand   ("xmm0","xmm6");                # 0 = k
-        &movdqa ("xmm2",&QWP($k_inv+16,$const));# 2 : a/k
-        &pshufb ("xmm2","xmm0");                # 2 = a/k
-        &pxor   ("xmm0","xmm1");                # 0 = j
-        &movdqa ("xmm3","xmm7");                # 3 : 1/i
-        &pshufb ("xmm3","xmm1");                # 3 = 1/i
-        &pxor   ("xmm3","xmm2");                # 3 = iak = 1/i + a/k
-        &movdqa ("xmm4","xmm7");                # 4 : 1/j
-        &pshufb ("xmm4","xmm0");                # 4 = 1/j
-        &pxor   ("xmm4","xmm2");                # 4 = jak = 1/j + a/k
-        &movdqa ("xmm2","xmm7");                # 2 : 1/iak
-        &pshufb ("xmm2","xmm3");                # 2 = 1/iak
-        &pxor   ("xmm2","xmm0");                # 2 = io
-        &movdqa ("xmm3","xmm7");                # 3 : 1/jak
-        &pshufb ("xmm3","xmm4");                # 3 = 1/jak
-        &pxor   ("xmm3","xmm1");                # 3 = jo
-        &movdqu ("xmm0",&QWP(0,$key));
-        &jnz    (&label("dec_loop"));
-
-        # middle of last round
-        &movdqa ("xmm4",&QWP(0x60,$base));      # 3 : sbou
-        &pshufb ("xmm4","xmm2");                # 4 = sbou
-        &pxor   ("xmm4","xmm0");                # 4 = sb1u + k
-        &movdqa ("xmm0",&QWP(0x70,$base));      # 0 : sbot
-        &movdqa ("xmm2",&QWP(0,$magic));
-        &pshufb ("xmm0","xmm3");                # 0 = sb1t
-        &pxor   ("xmm0","xmm4");                # 0 = A
-        &pshufb ("xmm0","xmm2");
-        &ret    ();
-&function_end_B("_vpaes_decrypt_core");
-
-########################################################
-##                                                    ##
-##                  AES key schedule                  ##
-##                                                    ##
-########################################################
-&function_begin_B("_vpaes_schedule_core");
-        &movdqu ("xmm0",&QWP(0,$inp));          # load key (unaligned)
-        &movdqa ("xmm2",&QWP($k_rcon,$const));  # load rcon
-
-        # input transform
-        &movdqa ("xmm3","xmm0");
-        &lea    ($base,&DWP($k_ipt,$const));
-        &movdqa (&QWP(4,"esp"),"xmm2");         # xmm8
-        &call   ("_vpaes_schedule_transform");
-        &movdqa ("xmm7","xmm0");
-
-        &test   ($out,$out);
-        &jnz    (&label("schedule_am_decrypting"));
-
-        # encrypting, output zeroth round key after transform
-        &movdqu (&QWP(0,$key),"xmm0");
-        &jmp    (&label("schedule_go"));
-
-&set_label("schedule_am_decrypting");
-        # decrypting, output zeroth round key after shiftrows
-        &movdqa ("xmm1",&QWP($k_sr,$const,$magic));
-        &pshufb ("xmm3","xmm1");
-        &movdqu (&QWP(0,$key),"xmm3");
-        &xor    ($magic,0x30);
-
-&set_label("schedule_go");
-        &cmp    ($round,192);
-        &ja     (&label("schedule_256"));
-        &je     (&label("schedule_192"));
-        # 128: fall though
-
-##
-##  .schedule_128
-##
-##  128-bit specific part of key schedule.
-##
-##  This schedule is really simple, because all its parts
-##  are accomplished by the subroutines.
-##
-&set_label("schedule_128");
-        &mov    ($round,10);
-
-&set_label("loop_schedule_128");
-        &call   ("_vpaes_schedule_round");
-        &dec    ($round);
-        &jz     (&label("schedule_mangle_last"));
-        &call   ("_vpaes_schedule_mangle");     # write output
-        &jmp    (&label("loop_schedule_128"));
-
-##
-##  .aes_schedule_192
-##
-##  192-bit specific part of key schedule.
-##
-##  The main body of this schedule is the same as the 128-bit
-##  schedule, but with more smearing.  The long, high side is
-##  stored in %xmm7 as before, and the short, low side is in
-##  the high bits of %xmm6.
-##
-##  This schedule is somewhat nastier, however, because each
-##  round produces 192 bits of key material, or 1.5 round keys.
-##  Therefore, on each cycle we do 2 rounds and produce 3 round
-##  keys.
-##
-&set_label("schedule_192",16);
-        &movdqu ("xmm0",&QWP(8,$inp));          # load key part 2 (very unaligned)
-        &call   ("_vpaes_schedule_transform");  # input transform       
-        &movdqa ("xmm6","xmm0");                # save short part
-        &pxor   ("xmm4","xmm4");                # clear 4
-        &movhlps("xmm6","xmm4");                # clobber low side with zeros
-        &mov    ($round,4);
-
-&set_label("loop_schedule_192");
-        &call   ("_vpaes_schedule_round");
-        &palignr("xmm0","xmm6",8);
-        &call   ("_vpaes_schedule_mangle");     # save key n
-        &call   ("_vpaes_schedule_192_smear");
-        &call   ("_vpaes_schedule_mangle");     # save key n+1
-        &call   ("_vpaes_schedule_round");
-        &dec    ($round);
-        &jz     (&label("schedule_mangle_last"));
-        &call   ("_vpaes_schedule_mangle");     # save key n+2
-        &call   ("_vpaes_schedule_192_smear");
-        &jmp    (&label("loop_schedule_192"));
-
-##
-##  .aes_schedule_256
-##
-##  256-bit specific part of key schedule.
-##
-##  The structure here is very similar to the 128-bit
-##  schedule, but with an additional "low side" in
-##  %xmm6.  The low side's rounds are the same as the
-##  high side's, except no rcon and no rotation.
-##
-&set_label("schedule_256",16);
-        &movdqu ("xmm0",&QWP(16,$inp));         # load key part 2 (unaligned)
-        &call   ("_vpaes_schedule_transform");  # input transform       
-        &mov    ($round,7);
-
-&set_label("loop_schedule_256");
-        &call   ("_vpaes_schedule_mangle");     # output low result
-        &movdqa ("xmm6","xmm0");                # save cur_lo in xmm6
-
-        # high round
-        &call   ("_vpaes_schedule_round");
-        &dec    ($round);
-        &jz     (&label("schedule_mangle_last"));
-        &call   ("_vpaes_schedule_mangle");     
-
-        # low round. swap xmm7 and xmm6
-        &pshufd ("xmm0","xmm0",0xFF);
-        &movdqa (&QWP(20,"esp"),"xmm7");
-        &movdqa ("xmm7","xmm6");
-        &call   ("_vpaes_schedule_low_round");
-        &movdqa ("xmm7",&QWP(20,"esp"));
-
-        &jmp    (&label("loop_schedule_256"));
-
-##
-##  .aes_schedule_mangle_last
-##
-##  Mangler for last round of key schedule
-##  Mangles %xmm0
-##    when encrypting, outputs out(%xmm0) ^ 63
-##    when decrypting, outputs unskew(%xmm0)
-##
-##  Always called right before return... jumps to cleanup and exits
-##
-&set_label("schedule_mangle_last",16);
-        # schedule last round key from xmm0
-        &lea    ($base,&DWP($k_deskew,$const));
-        &test   ($out,$out);
-        &jnz    (&label("schedule_mangle_last_dec"));
-
-        # encrypting
-        &movdqa ("xmm1",&QWP($k_sr,$const,$magic));
-        &pshufb ("xmm0","xmm1");                # output permute
-        &lea    ($base,&DWP($k_opt,$const));    # prepare to output transform
-        &add    ($key,32);
-
-&set_label("schedule_mangle_last_dec");
-        &add    ($key,-16);
-        &pxor   ("xmm0",&QWP($k_s63,$const));
-        &call   ("_vpaes_schedule_transform");  # output transform
-        &movdqu (&QWP(0,$key),"xmm0");          # save last key
-
-        # cleanup
-        &pxor   ("xmm0","xmm0");
-        &pxor   ("xmm1","xmm1");
-        &pxor   ("xmm2","xmm2");
-        &pxor   ("xmm3","xmm3");
-        &pxor   ("xmm4","xmm4");
-        &pxor   ("xmm5","xmm5");
-        &pxor   ("xmm6","xmm6");
-        &pxor   ("xmm7","xmm7");
-        &ret    ();
-&function_end_B("_vpaes_schedule_core");
-
-##
-##  .aes_schedule_192_smear
-##
-##  Smear the short, low side in the 192-bit key schedule.
-##
-##  Inputs:
-##    %xmm7: high side, b  a  x  y
-##    %xmm6:  low side, d  c  0  0
-##    %xmm13: 0
-##
-##  Outputs:
-##    %xmm6: b+c+d  b+c  0  0
-##    %xmm0: b+c+d  b+c  b  a
-##
-&function_begin_B("_vpaes_schedule_192_smear");
-        &pshufd ("xmm0","xmm6",0x80);           # d c 0 0 -> c 0 0 0
-        &pxor   ("xmm6","xmm0");                # -> c+d c 0 0
-        &pshufd ("xmm0","xmm7",0xFE);           # b a _ _ -> b b b a
-        &pxor   ("xmm6","xmm0");                # -> b+c+d b+c b a
-        &movdqa ("xmm0","xmm6");
-        &pxor   ("xmm1","xmm1");
-        &movhlps("xmm6","xmm1");                # clobber low side with zeros
-        &ret    ();
-&function_end_B("_vpaes_schedule_192_smear");
-
-##
-##  .aes_schedule_round
-##
-##  Runs one main round of the key schedule on %xmm0, %xmm7
-##
-##  Specifically, runs subbytes on the high dword of %xmm0
-##  then rotates it by one byte and xors into the low dword of
-##  %xmm7.
-##
-##  Adds rcon from low byte of %xmm8, then rotates %xmm8 for
-##  next rcon.
-##
-##  Smears the dwords of %xmm7 by xoring the low into the
-##  second low, result into third, result into highest.
-##
-##  Returns results in %xmm7 = %xmm0.
-##  Clobbers %xmm1-%xmm5.
-##
-&function_begin_B("_vpaes_schedule_round");
-        # extract rcon from xmm8
-        &movdqa ("xmm2",&QWP(8,"esp"));         # xmm8
-        &pxor   ("xmm1","xmm1");
-        &palignr("xmm1","xmm2",15);
-        &palignr("xmm2","xmm2",15);
-        &pxor   ("xmm7","xmm1");
-
-        # rotate
-        &pshufd ("xmm0","xmm0",0xFF);
-        &palignr("xmm0","xmm0",1);
-
-        # fall through...
-        &movdqa (&QWP(8,"esp"),"xmm2");         # xmm8
-
-        # low round: same as high round, but no rotation and no rcon.
-&set_label("_vpaes_schedule_low_round");
-        # smear xmm7
-        &movdqa ("xmm1","xmm7");
-        &pslldq ("xmm7",4);
-        &pxor   ("xmm7","xmm1");
-        &movdqa ("xmm1","xmm7");
-        &pslldq ("xmm7",8);
-        &pxor   ("xmm7","xmm1");
-        &pxor   ("xmm7",&QWP($k_s63,$const));
-
-        # subbyte
-        &movdqa ("xmm4",&QWP($k_s0F,$const));
-        &movdqa ("xmm5",&QWP($k_inv,$const));   # 4 : 1/j
-        &movdqa ("xmm1","xmm4");        
-        &pandn  ("xmm1","xmm0");
-        &psrld  ("xmm1",4);                     # 1 = i
-        &pand   ("xmm0","xmm4");                # 0 = k
-        &movdqa ("xmm2",&QWP($k_inv+16,$const));# 2 : a/k
-        &pshufb ("xmm2","xmm0");                # 2 = a/k
-        &pxor   ("xmm0","xmm1");                # 0 = j
-        &movdqa ("xmm3","xmm5");                # 3 : 1/i
-        &pshufb ("xmm3","xmm1");                # 3 = 1/i
-        &pxor   ("xmm3","xmm2");                # 3 = iak = 1/i + a/k
-        &movdqa ("xmm4","xmm5");                # 4 : 1/j
-        &pshufb ("xmm4","xmm0");                # 4 = 1/j
-        &pxor   ("xmm4","xmm2");                # 4 = jak = 1/j + a/k
-        &movdqa ("xmm2","xmm5");                # 2 : 1/iak
-        &pshufb ("xmm2","xmm3");                # 2 = 1/iak
-        &pxor   ("xmm2","xmm0");                # 2 = io
-        &movdqa ("xmm3","xmm5");                # 3 : 1/jak
-        &pshufb ("xmm3","xmm4");                # 3 = 1/jak
-        &pxor   ("xmm3","xmm1");                # 3 = jo
-        &movdqa ("xmm4",&QWP($k_sb1,$const));   # 4 : sbou
-        &pshufb ("xmm4","xmm2");                # 4 = sbou
-        &movdqa ("xmm0",&QWP($k_sb1+16,$const));# 0 : sbot
-        &pshufb ("xmm0","xmm3");                # 0 = sb1t
-        &pxor   ("xmm0","xmm4");                # 0 = sbox output
-
-        # add in smeared stuff
-        &pxor   ("xmm0","xmm7");
-        &movdqa ("xmm7","xmm0");
-        &ret    ();
-&function_end_B("_vpaes_schedule_round");
-
-##
-##  .aes_schedule_transform
-##
-##  Linear-transform %xmm0 according to tables at (%ebx)
-##
-##  Output in %xmm0
-##  Clobbers %xmm1, %xmm2
-##
-&function_begin_B("_vpaes_schedule_transform");
-        &movdqa ("xmm2",&QWP($k_s0F,$const));
-        &movdqa ("xmm1","xmm2");
-        &pandn  ("xmm1","xmm0");
-        &psrld  ("xmm1",4);
-        &pand   ("xmm0","xmm2");
-        &movdqa ("xmm2",&QWP(0,$base));
-        &pshufb ("xmm2","xmm0");
-        &movdqa ("xmm0",&QWP(16,$base));
-        &pshufb ("xmm0","xmm1");
-        &pxor   ("xmm0","xmm2");
-        &ret    ();
-&function_end_B("_vpaes_schedule_transform");
-
-##
-##  .aes_schedule_mangle
-##
-##  Mangle xmm0 from (basis-transformed) standard version
-##  to our version.
-##
-##  On encrypt,
-##    xor with 0x63
-##    multiply by circulant 0,1,1,1
-##    apply shiftrows transform
-##
-##  On decrypt,
-##    xor with 0x63
-##    multiply by "inverse mixcolumns" circulant E,B,D,9
-##    deskew
-##    apply shiftrows transform
-##
-##
-##  Writes out to (%edx), and increments or decrements it
-##  Keeps track of round number mod 4 in %ecx
-##  Preserves xmm0
-##  Clobbers xmm1-xmm5
-##
-&function_begin_B("_vpaes_schedule_mangle");
-        &movdqa ("xmm4","xmm0");        # save xmm0 for later
-        &movdqa ("xmm5",&QWP($k_mc_forward,$const));
-        &test   ($out,$out);
-        &jnz    (&label("schedule_mangle_dec"));
-
-        # encrypting
-        &add    ($key,16);
-        &pxor   ("xmm4",&QWP($k_s63,$const));
-        &pshufb ("xmm4","xmm5");
-        &movdqa ("xmm3","xmm4");
-        &pshufb ("xmm4","xmm5");
-        &pxor   ("xmm3","xmm4");
-        &pshufb ("xmm4","xmm5");
-        &pxor   ("xmm3","xmm4");
-
-        &jmp    (&label("schedule_mangle_both"));
-
-&set_label("schedule_mangle_dec",16);
-        # inverse mix columns
-        &movdqa ("xmm2",&QWP($k_s0F,$const));
-        &lea    ($inp,&DWP($k_dksd,$const));
-        &movdqa ("xmm1","xmm2");
-        &pandn  ("xmm1","xmm4");
-        &psrld  ("xmm1",4);                     # 1 = hi
-        &pand   ("xmm4","xmm2");                # 4 = lo
-
-        &movdqa ("xmm2",&QWP(0,$inp));
-        &pshufb ("xmm2","xmm4");
-        &movdqa ("xmm3",&QWP(0x10,$inp));
-        &pshufb ("xmm3","xmm1");
-        &pxor   ("xmm3","xmm2");
-        &pshufb ("xmm3","xmm5");
-
-        &movdqa ("xmm2",&QWP(0x20,$inp));
-        &pshufb ("xmm2","xmm4");
-        &pxor   ("xmm2","xmm3");
-        &movdqa ("xmm3",&QWP(0x30,$inp));
-        &pshufb ("xmm3","xmm1");
-        &pxor   ("xmm3","xmm2");
-        &pshufb ("xmm3","xmm5");
-
-        &movdqa ("xmm2",&QWP(0x40,$inp));
-        &pshufb ("xmm2","xmm4");
-        &pxor   ("xmm2","xmm3");
-        &movdqa ("xmm3",&QWP(0x50,$inp));
-        &pshufb ("xmm3","xmm1");
-        &pxor   ("xmm3","xmm2");
-        &pshufb ("xmm3","xmm5");
-
-        &movdqa ("xmm2",&QWP(0x60,$inp));
-        &pshufb ("xmm2","xmm4");
-        &pxor   ("xmm2","xmm3");
-        &movdqa ("xmm3",&QWP(0x70,$inp));
-        &pshufb ("xmm3","xmm1");
-        &pxor   ("xmm3","xmm2");
-
-        &add    ($key,-16);
-
-&set_label("schedule_mangle_both");
-        &movdqa ("xmm1",&QWP($k_sr,$const,$magic));
-        &pshufb ("xmm3","xmm1");
-        &add    ($magic,-16);
-        &and    ($magic,0x30);
-        &movdqu (&QWP(0,$key),"xmm3");
-        &ret    ();
-&function_end_B("_vpaes_schedule_mangle");
-
-#
-# Interface to OpenSSL
-#
-&function_begin("${PREFIX}_set_encrypt_key");
-        &mov    ($inp,&wparam(0));              # inp
-        &lea    ($base,&DWP(-56,"esp"));
-        &mov    ($round,&wparam(1));            # bits
-        &and    ($base,-16);
-        &mov    ($key,&wparam(2));              # key
-        &xchg   ($base,"esp");                  # alloca
-        &mov    (&DWP(48,"esp"),$base);
-
-        &mov    ($base,$round);
-        &shr    ($base,5);
-        &add    ($base,5);
-        &mov    (&DWP(240,$key),$base);         # AES_KEY->rounds = nbits/32+5;
-        &mov    ($magic,0x30);
-        &mov    ($out,0);
-
-        &picsetup($const);
-        &picsymbol($const, &label("_vpaes_consts"), $const);
-        &lea    ($const,&DWP(0x30,$const))
-
-        &call   ("_vpaes_schedule_core");
-
-        &mov    ("esp",&DWP(48,"esp"));
-        &xor    ("eax","eax");
-&function_end("${PREFIX}_set_encrypt_key");
-
-&function_begin("${PREFIX}_set_decrypt_key");
-        &mov    ($inp,&wparam(0));              # inp
-        &lea    ($base,&DWP(-56,"esp"));
-        &mov    ($round,&wparam(1));            # bits
-        &and    ($base,-16);
-        &mov    ($key,&wparam(2));              # key
-        &xchg   ($base,"esp");                  # alloca
-        &mov    (&DWP(48,"esp"),$base);
-
-        &mov    ($base,$round);
-        &shr    ($base,5);
-        &add    ($base,5);
-        &mov    (&DWP(240,$key),$base); # AES_KEY->rounds = nbits/32+5;
-        &shl    ($base,4);
-        &lea    ($key,&DWP(16,$key,$base));
-
-        &mov    ($out,1);
-        &mov    ($magic,$round);
-        &shr    ($magic,1);
-        &and    ($magic,32);
-        &xor    ($magic,32);                    # nbist==192?0:32;
-
-        &picsetup($const);
-        &picsymbol($const, &label("_vpaes_consts"), $const);
-        &lea    ($const,&DWP(0x30,$const))
-
-        &call   ("_vpaes_schedule_core");
-
-        &mov    ("esp",&DWP(48,"esp"));
-        &xor    ("eax","eax");
-&function_end("${PREFIX}_set_decrypt_key");
-
-&function_begin("${PREFIX}_encrypt");
-        &picsetup($const);
-        &picsymbol($const, &label("_vpaes_consts"), $const);
-        &lea    ($const,&DWP(0x30,$const))
-
-        &call   ("_vpaes_preheat");
-        &mov    ($inp,&wparam(0));              # inp
-        &lea    ($base,&DWP(-56,"esp"));
-        &mov    ($out,&wparam(1));              # out
-        &and    ($base,-16);
-        &mov    ($key,&wparam(2));              # key
-        &xchg   ($base,"esp");                  # alloca
-        &mov    (&DWP(48,"esp"),$base);
-
-        &movdqu ("xmm0",&QWP(0,$inp));
-        &call   ("_vpaes_encrypt_core");
-        &movdqu (&QWP(0,$out),"xmm0");
-
-        &mov    ("esp",&DWP(48,"esp"));
-&function_end("${PREFIX}_encrypt");
-
-&function_begin("${PREFIX}_decrypt");
-        &picsetup($const);
-        &picsymbol($const, &label("_vpaes_consts"), $const);
-        &lea    ($const,&DWP(0x30,$const))
-
-        &call   ("_vpaes_preheat");
-        &mov    ($inp,&wparam(0));              # inp
-        &lea    ($base,&DWP(-56,"esp"));
-        &mov    ($out,&wparam(1));              # out
-        &and    ($base,-16);
-        &mov    ($key,&wparam(2));              # key
-        &xchg   ($base,"esp");                  # alloca
-        &mov    (&DWP(48,"esp"),$base);
-
-        &movdqu ("xmm0",&QWP(0,$inp));
-        &call   ("_vpaes_decrypt_core");
-        &movdqu (&QWP(0,$out),"xmm0");
-
-        &mov    ("esp",&DWP(48,"esp"));
-&function_end("${PREFIX}_decrypt");
-
-&function_begin("${PREFIX}_cbc_encrypt");
-        &mov    ($inp,&wparam(0));              # inp
-        &mov    ($out,&wparam(1));              # out
-        &mov    ($round,&wparam(2));            # len
-        &mov    ($key,&wparam(3));              # key
-        &sub    ($round,16);
-        &jc     (&label("cbc_abort"));
-        &lea    ($base,&DWP(-56,"esp"));
-        &mov    ($const,&wparam(4));            # ivp
-        &and    ($base,-16);
-        &mov    ($magic,&wparam(5));            # enc
-        &xchg   ($base,"esp");                  # alloca
-        &movdqu ("xmm1",&QWP(0,$const));        # load IV
-        &sub    ($out,$inp);
-        &mov    (&DWP(48,"esp"),$base);
-
-        &mov    (&DWP(0,"esp"),$out);           # save out
-        &mov    (&DWP(4,"esp"),$key)            # save key
-        &mov    (&DWP(8,"esp"),$const);         # save ivp
-        &mov    ($out,$round);                  # $out works as $len
-
-        &picsetup($const);
-        &picsymbol($const, &label("_vpaes_consts"), $const);
-        &lea    ($const,&DWP(0x30,$const))
-
-        &call   ("_vpaes_preheat");
-        &cmp    ($magic,0);
-        &je     (&label("cbc_dec_loop"));
-        &jmp    (&label("cbc_enc_loop"));
-
-&set_label("cbc_enc_loop",16);
-        &movdqu ("xmm0",&QWP(0,$inp));          # load input
-        &pxor   ("xmm0","xmm1");                # inp^=iv
-        &call   ("_vpaes_encrypt_core");
-        &mov    ($base,&DWP(0,"esp"));          # restore out
-        &mov    ($key,&DWP(4,"esp"));           # restore key
-        &movdqa ("xmm1","xmm0");
-        &movdqu (&QWP(0,$base,$inp),"xmm0");    # write output
-        &lea    ($inp,&DWP(16,$inp));
-        &sub    ($out,16);
-        &jnc    (&label("cbc_enc_loop"));
-        &jmp    (&label("cbc_done"));
-
-&set_label("cbc_dec_loop",16);
-        &movdqu ("xmm0",&QWP(0,$inp));          # load input
-        &movdqa (&QWP(16,"esp"),"xmm1");        # save IV
-        &movdqa (&QWP(32,"esp"),"xmm0");        # save future IV
-        &call   ("_vpaes_decrypt_core");
-        &mov    ($base,&DWP(0,"esp"));          # restore out
-        &mov    ($key,&DWP(4,"esp"));           # restore key
-        &pxor   ("xmm0",&QWP(16,"esp"));        # out^=iv
-        &movdqa ("xmm1",&QWP(32,"esp"));        # load next IV
-        &movdqu (&QWP(0,$base,$inp),"xmm0");    # write output
-        &lea    ($inp,&DWP(16,$inp));
-        &sub    ($out,16);
-        &jnc    (&label("cbc_dec_loop"));
-
-&set_label("cbc_done");
-        &mov    ($base,&DWP(8,"esp"));          # restore ivp
-        &mov    ("esp",&DWP(48,"esp"));
-        &movdqu (&QWP(0,$base),"xmm1");         # write IV
-&set_label("cbc_abort");
-&function_end("${PREFIX}_cbc_encrypt");
-
-&asm_finish();
diff --git a/src/lib/libcrypto/aes/asm/vpaes-x86_64.pl b/src/lib/libcrypto/aes/asm/vpaes-x86_64.pl
deleted file mode 100644
index 7d92e8d8ca..0000000000
--- a/src/lib/libcrypto/aes/asm/vpaes-x86_64.pl
+++ /dev/null
@@ -1,1222 +0,0 @@
-#!/usr/bin/env perl
-
-######################################################################
-## Constant-time SSSE3 AES core implementation.
-## version 0.1
-##
-## By Mike Hamburg (Stanford University), 2009
-## Public domain.
-##
-## For details see http://shiftleft.org/papers/vector_aes/ and
-## http://crypto.stanford.edu/vpaes/.
-
-######################################################################
-# September 2011.
-#
-# Interface to OpenSSL as "almost" drop-in replacement for
-# aes-x86_64.pl. "Almost" refers to the fact that AES_cbc_encrypt
-# doesn't handle partial vectors (doesn't have to if called from
-# EVP only). "Drop-in" implies that this module doesn't share key
-# schedule structure with the original nor does it make assumption
-# about its alignment...
-#
-# Performance summary. aes-x86_64.pl column lists large-block CBC
-# encrypt/decrypt/with-hyper-threading-off(*) results in cycles per
-# byte processed with 128-bit key, and vpaes-x86_64.pl column -
-# [also large-block CBC] encrypt/decrypt.
-#
-#               aes-x86_64.pl           vpaes-x86_64.pl
-#
-# Core 2(**)    30.5/43.7/14.3          21.8/25.7(***)
-# Nehalem       30.5/42.2/14.6           9.8/11.8
-# Atom          63.9/79.0/32.1          64.0/84.8(***)
-#
-# (*)   "Hyper-threading" in the context refers rather to cache shared
-#       among multiple cores, than to specifically Intel HTT. As vast
-#       majority of contemporary cores share cache, slower code path
-#       is common place. In other words "with-hyper-threading-off"
-#       results are presented mostly for reference purposes.
-#
-# (**)  "Core 2" refers to initial 65nm design, a.k.a. Conroe.
-#
-# (***) Less impressive improvement on Core 2 and Atom is due to slow
-#       pshufb, yet it's respectable +40%/78% improvement on Core 2
-#       (as implied, over "hyper-threading-safe" code path).
-#
-#                                               <appro@openssl.org>
-
-$flavour = shift;
-$output  = shift;
-if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
-
-$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
-die "can't locate x86_64-xlate.pl";
-
-open OUT,"| \"$^X\" $xlate $flavour $output";
-*STDOUT=*OUT;
-
-$PREFIX="vpaes";
-
-$code.=<<___;
-.text
-
-##
-##  _aes_encrypt_core
-##
-##  AES-encrypt %xmm0.
-##
-##  Inputs:
-##     %xmm0 = input
-##     %xmm9-%xmm15 as in _vpaes_preheat
-##    (%rdx) = scheduled keys
-##
-##  Output in %xmm0
-##  Clobbers  %xmm1-%xmm5, %r9, %r10, %r11, %rax
-##  Preserves %xmm6 - %xmm8 so you get some local vectors
-##
-##
-.type   _vpaes_encrypt_core,\@abi-omnipotent
-.align 16
-_vpaes_encrypt_core:
-        _CET_ENDBR
-        mov     %rdx,   %r9
-        mov     \$16,   %r11
-        mov     240(%rdx),%eax
-        movdqa  %xmm9,  %xmm1
-        movdqa  .Lk_ipt(%rip), %xmm2    # iptlo
-        pandn   %xmm0,  %xmm1
-        movdqu  (%r9),  %xmm5           # round0 key
-        psrld   \$4,    %xmm1
-        pand    %xmm9,  %xmm0
-        pshufb  %xmm0,  %xmm2
-        movdqa  .Lk_ipt+16(%rip), %xmm0 # ipthi
-        pshufb  %xmm1,  %xmm0
-        pxor    %xmm5,  %xmm2
-        pxor    %xmm2,  %xmm0
-        add     \$16,   %r9
-        lea     .Lk_mc_backward(%rip),%r10
-        jmp     .Lenc_entry
-
-.align 16
-.Lenc_loop:
-        # middle of middle round
-        movdqa  %xmm13, %xmm4   # 4 : sb1u
-        pshufb  %xmm2,  %xmm4   # 4 = sb1u
-        pxor    %xmm5,  %xmm4   # 4 = sb1u + k
-        movdqa  %xmm12, %xmm0   # 0 : sb1t
-        pshufb  %xmm3,  %xmm0   # 0 = sb1t
-        pxor    %xmm4,  %xmm0   # 0 = A
-        movdqa  %xmm15, %xmm5   # 4 : sb2u
-        pshufb  %xmm2,  %xmm5   # 4 = sb2u
-        movdqa  -0x40(%r11,%r10), %xmm1         # .Lk_mc_forward[]
-        movdqa  %xmm14, %xmm2   # 2 : sb2t
-        pshufb  %xmm3,  %xmm2   # 2 = sb2t
-        pxor    %xmm5,  %xmm2   # 2 = 2A
-        movdqa  (%r11,%r10), %xmm4              # .Lk_mc_backward[]
-        movdqa  %xmm0,  %xmm3   # 3 = A
-        pshufb  %xmm1,  %xmm0   # 0 = B
-        add     \$16,   %r9     # next key
-        pxor    %xmm2,  %xmm0   # 0 = 2A+B
-        pshufb  %xmm4,  %xmm3   # 3 = D
-        add     \$16,   %r11    # next mc
-        pxor    %xmm0,  %xmm3   # 3 = 2A+B+D
-        pshufb  %xmm1,  %xmm0   # 0 = 2B+C
-        and     \$0x30, %r11    # ... mod 4
-        pxor    %xmm3,  %xmm0   # 0 = 2A+3B+C+D
-        sub     \$1,%rax        # nr--
-
-.Lenc_entry:
-        # top of round
-        movdqa  %xmm9,  %xmm1   # 1 : i
-        pandn   %xmm0,  %xmm1   # 1 = i<<4
-        psrld   \$4,    %xmm1   # 1 = i
-        pand    %xmm9,  %xmm0   # 0 = k
-        movdqa  %xmm11, %xmm5   # 2 : a/k
-        pshufb  %xmm0,  %xmm5   # 2 = a/k
-        pxor    %xmm1,  %xmm0   # 0 = j
-        movdqa  %xmm10, %xmm3   # 3 : 1/i
-        pshufb  %xmm1,  %xmm3   # 3 = 1/i
-        pxor    %xmm5,  %xmm3   # 3 = iak = 1/i + a/k
-        movdqa  %xmm10, %xmm4   # 4 : 1/j
-        pshufb  %xmm0,  %xmm4   # 4 = 1/j
-        pxor    %xmm5,  %xmm4   # 4 = jak = 1/j + a/k
-        movdqa  %xmm10, %xmm2   # 2 : 1/iak
-        pshufb  %xmm3,  %xmm2   # 2 = 1/iak
-        pxor    %xmm0,  %xmm2   # 2 = io
-        movdqa  %xmm10, %xmm3   # 3 : 1/jak
-        movdqu  (%r9),  %xmm5
-        pshufb  %xmm4,  %xmm3   # 3 = 1/jak
-        pxor    %xmm1,  %xmm3   # 3 = jo
-        jnz     .Lenc_loop
-
-        # middle of last round
-        movdqa  -0x60(%r10), %xmm4      # 3 : sbou      .Lk_sbo
-        movdqa  -0x50(%r10), %xmm0      # 0 : sbot      .Lk_sbo+16
-        pshufb  %xmm2,  %xmm4   # 4 = sbou
-        pxor    %xmm5,  %xmm4   # 4 = sb1u + k
-        pshufb  %xmm3,  %xmm0   # 0 = sb1t
-        movdqa  0x40(%r11,%r10), %xmm1          # .Lk_sr[]
-        pxor    %xmm4,  %xmm0   # 0 = A
-        pshufb  %xmm1,  %xmm0
-        ret
-.size   _vpaes_encrypt_core,.-_vpaes_encrypt_core
-        
-##
-##  Decryption core
-##
-##  Same API as encryption core.
-##
-.type   _vpaes_decrypt_core,\@abi-omnipotent
-.align  16
-_vpaes_decrypt_core:
-        _CET_ENDBR
-        mov     %rdx,   %r9             # load key
-        mov     240(%rdx),%eax
-        movdqa  %xmm9,  %xmm1
-        movdqa  .Lk_dipt(%rip), %xmm2   # iptlo
-        pandn   %xmm0,  %xmm1
-        mov     %rax,   %r11
-        psrld   \$4,    %xmm1
-        movdqu  (%r9),  %xmm5           # round0 key
-        shl     \$4,    %r11
-        pand    %xmm9,  %xmm0
-        pshufb  %xmm0,  %xmm2
-        movdqa  .Lk_dipt+16(%rip), %xmm0 # ipthi
-        xor     \$0x30, %r11
-        lea     .Lk_dsbd(%rip),%r10
-        pshufb  %xmm1,  %xmm0
-        and     \$0x30, %r11
-        pxor    %xmm5,  %xmm2
-        movdqa  .Lk_mc_forward+48(%rip), %xmm5
-        pxor    %xmm2,  %xmm0
-        add     \$16,   %r9
-        add     %r10,   %r11
-        jmp     .Ldec_entry
-
-.align 16
-.Ldec_loop:
-##
-##  Inverse mix columns
-##
-        movdqa  -0x20(%r10),%xmm4       # 4 : sb9u
-        pshufb  %xmm2,  %xmm4           # 4 = sb9u
-        pxor    %xmm0,  %xmm4
-        movdqa  -0x10(%r10),%xmm0       # 0 : sb9t
-        pshufb  %xmm3,  %xmm0           # 0 = sb9t
-        pxor    %xmm4,  %xmm0           # 0 = ch
-        add     \$16, %r9               # next round key
-
-        pshufb  %xmm5,  %xmm0           # MC ch
-        movdqa  0x00(%r10),%xmm4        # 4 : sbdu
-        pshufb  %xmm2,  %xmm4           # 4 = sbdu
-        pxor    %xmm0,  %xmm4           # 4 = ch
-        movdqa  0x10(%r10),%xmm0        # 0 : sbdt
-        pshufb  %xmm3,  %xmm0           # 0 = sbdt
-        pxor    %xmm4,  %xmm0           # 0 = ch
-        sub     \$1,%rax                # nr--
-        
-        pshufb  %xmm5,  %xmm0           # MC ch
-        movdqa  0x20(%r10),%xmm4        # 4 : sbbu
-        pshufb  %xmm2,  %xmm4           # 4 = sbbu
-        pxor    %xmm0,  %xmm4           # 4 = ch
-        movdqa  0x30(%r10),%xmm0        # 0 : sbbt
-        pshufb  %xmm3,  %xmm0           # 0 = sbbt
-        pxor    %xmm4,  %xmm0           # 0 = ch
-        
-        pshufb  %xmm5,  %xmm0           # MC ch
-        movdqa  0x40(%r10),%xmm4        # 4 : sbeu
-        pshufb  %xmm2,  %xmm4           # 4 = sbeu
-        pxor    %xmm0,  %xmm4           # 4 = ch
-        movdqa  0x50(%r10),%xmm0        # 0 : sbet
-        pshufb  %xmm3,  %xmm0           # 0 = sbet
-        pxor    %xmm4,  %xmm0           # 0 = ch
-
-        palignr \$12,   %xmm5,  %xmm5
-        
-.Ldec_entry:
-        # top of round
-        movdqa  %xmm9,  %xmm1   # 1 : i
-        pandn   %xmm0,  %xmm1   # 1 = i<<4
-        psrld   \$4,    %xmm1   # 1 = i
-        pand    %xmm9,  %xmm0   # 0 = k
-        movdqa  %xmm11, %xmm2   # 2 : a/k
-        pshufb  %xmm0,  %xmm2   # 2 = a/k
-        pxor    %xmm1,  %xmm0   # 0 = j
-        movdqa  %xmm10, %xmm3   # 3 : 1/i
-        pshufb  %xmm1,  %xmm3   # 3 = 1/i
-        pxor    %xmm2,  %xmm3   # 3 = iak = 1/i + a/k
-        movdqa  %xmm10, %xmm4   # 4 : 1/j
-        pshufb  %xmm0,  %xmm4   # 4 = 1/j
-        pxor    %xmm2,  %xmm4   # 4 = jak = 1/j + a/k
-        movdqa  %xmm10, %xmm2   # 2 : 1/iak
-        pshufb  %xmm3,  %xmm2   # 2 = 1/iak
-        pxor    %xmm0,  %xmm2   # 2 = io
-        movdqa  %xmm10, %xmm3   # 3 : 1/jak
-        pshufb  %xmm4,  %xmm3   # 3 = 1/jak
-        pxor    %xmm1,  %xmm3   # 3 = jo
-        movdqu  (%r9),  %xmm0
-        jnz     .Ldec_loop
-
-        # middle of last round
-        movdqa  0x60(%r10), %xmm4       # 3 : sbou
-        pshufb  %xmm2,  %xmm4   # 4 = sbou
-        pxor    %xmm0,  %xmm4   # 4 = sb1u + k
-        movdqa  0x70(%r10), %xmm0       # 0 : sbot
-        movdqa  -0x160(%r11), %xmm2     # .Lk_sr-.Lk_dsbd=-0x160
-        pshufb  %xmm3,  %xmm0   # 0 = sb1t
-        pxor    %xmm4,  %xmm0   # 0 = A
-        pshufb  %xmm2,  %xmm0
-        ret
-.size   _vpaes_decrypt_core,.-_vpaes_decrypt_core
-
-########################################################
-##                                                    ##
-##                  AES key schedule                  ##
-##                                                    ##
-########################################################
-.type   _vpaes_schedule_core,\@abi-omnipotent
-.align  16
-_vpaes_schedule_core:
-        _CET_ENDBR
-        # rdi = key
-        # rsi = size in bits
-        # rdx = buffer
-        # rcx = direction.  0=encrypt, 1=decrypt
-
-        call    _vpaes_preheat          # load the tables
-        movdqa  .Lk_rcon(%rip), %xmm8   # load rcon
-        movdqu  (%rdi), %xmm0           # load key (unaligned)
-
-        # input transform
-        movdqa  %xmm0,  %xmm3
-        lea     .Lk_ipt(%rip), %r11
-        call    _vpaes_schedule_transform
-        movdqa  %xmm0,  %xmm7
-
-        lea     .Lk_sr(%rip),%r10
-        test    %rcx,   %rcx
-        jnz     .Lschedule_am_decrypting
-
-        # encrypting, output zeroth round key after transform
-        movdqu  %xmm0,  (%rdx)
-        jmp     .Lschedule_go
-
-.Lschedule_am_decrypting:
-        # decrypting, output zeroth round key after shiftrows
-        movdqa  (%r8,%r10),%xmm1
-        pshufb  %xmm1,  %xmm3
-        movdqu  %xmm3,  (%rdx)
-        xor     \$0x30, %r8
-
-.Lschedule_go:
-        cmp     \$192,  %esi
-        ja      .Lschedule_256
-        je      .Lschedule_192
-        # 128: fall though
-
-##
-##  .schedule_128
-##
-##  128-bit specific part of key schedule.
-##
-##  This schedule is really simple, because all its parts
-##  are accomplished by the subroutines.
-##
-.Lschedule_128:
-        mov     \$10, %esi
-        
-.Loop_schedule_128:
-        call    _vpaes_schedule_round
-        dec     %rsi
-        jz      .Lschedule_mangle_last
-        call    _vpaes_schedule_mangle  # write output
-        jmp     .Loop_schedule_128
-
-##
-##  .aes_schedule_192
-##
-##  192-bit specific part of key schedule.
-##
-##  The main body of this schedule is the same as the 128-bit
-##  schedule, but with more smearing.  The long, high side is
-##  stored in %xmm7 as before, and the short, low side is in
-##  the high bits of %xmm6.
-##
-##  This schedule is somewhat nastier, however, because each
-##  round produces 192 bits of key material, or 1.5 round keys.
-##  Therefore, on each cycle we do 2 rounds and produce 3 round
-##  keys.
-##
-.align  16
-.Lschedule_192:
-        movdqu  8(%rdi),%xmm0           # load key part 2 (very unaligned)
-        call    _vpaes_schedule_transform       # input transform
-        movdqa  %xmm0,  %xmm6           # save short part
-        pxor    %xmm4,  %xmm4           # clear 4
-        movhlps %xmm4,  %xmm6           # clobber low side with zeros
-        mov     \$4,    %esi
-
-.Loop_schedule_192:
-        call    _vpaes_schedule_round
-        palignr \$8,%xmm6,%xmm0 
-        call    _vpaes_schedule_mangle  # save key n
-        call    _vpaes_schedule_192_smear
-        call    _vpaes_schedule_mangle  # save key n+1
-        call    _vpaes_schedule_round
-        dec     %rsi
-        jz      .Lschedule_mangle_last
-        call    _vpaes_schedule_mangle  # save key n+2
-        call    _vpaes_schedule_192_smear
-        jmp     .Loop_schedule_192
-
-##
-##  .aes_schedule_256
-##
-##  256-bit specific part of key schedule.
-##
-##  The structure here is very similar to the 128-bit
-##  schedule, but with an additional "low side" in
-##  %xmm6.  The low side's rounds are the same as the
-##  high side's, except no rcon and no rotation.
-##
-.align  16
-.Lschedule_256:
-        movdqu  16(%rdi),%xmm0          # load key part 2 (unaligned)
-        call    _vpaes_schedule_transform       # input transform
-        mov     \$7, %esi
-        
-.Loop_schedule_256:
-        call    _vpaes_schedule_mangle  # output low result
-        movdqa  %xmm0,  %xmm6           # save cur_lo in xmm6
-
-        # high round
-        call    _vpaes_schedule_round
-        dec     %rsi
-        jz      .Lschedule_mangle_last
-        call    _vpaes_schedule_mangle  
-
-        # low round. swap xmm7 and xmm6
-        pshufd  \$0xFF, %xmm0,  %xmm0
-        movdqa  %xmm7,  %xmm5
-        movdqa  %xmm6,  %xmm7
-        call    _vpaes_schedule_low_round
-        movdqa  %xmm5,  %xmm7
-        
-        jmp     .Loop_schedule_256
-
-        
-##
-##  .aes_schedule_mangle_last
-##
-##  Mangler for last round of key schedule
-##  Mangles %xmm0
-##    when encrypting, outputs out(%xmm0) ^ 63
-##    when decrypting, outputs unskew(%xmm0)
-##
-##  Always called right before return... jumps to cleanup and exits
-##
-.align  16
-.Lschedule_mangle_last:
-        # schedule last round key from xmm0
-        lea     .Lk_deskew(%rip),%r11   # prepare to deskew
-        test    %rcx,   %rcx
-        jnz     .Lschedule_mangle_last_dec
-
-        # encrypting
-        movdqa  (%r8,%r10),%xmm1
-        pshufb  %xmm1,  %xmm0           # output permute
-        lea     .Lk_opt(%rip),  %r11    # prepare to output transform
-        add     \$32,   %rdx
-
-.Lschedule_mangle_last_dec:
-        add     \$-16,  %rdx
-        pxor    .Lk_s63(%rip),  %xmm0
-        call    _vpaes_schedule_transform # output transform
-        movdqu  %xmm0,  (%rdx)          # save last key
-
-        # cleanup
-        pxor    %xmm0,  %xmm0
-        pxor    %xmm1,  %xmm1
-        pxor    %xmm2,  %xmm2
-        pxor    %xmm3,  %xmm3
-        pxor    %xmm4,  %xmm4
-        pxor    %xmm5,  %xmm5
-        pxor    %xmm6,  %xmm6
-        pxor    %xmm7,  %xmm7
-        ret
-.size   _vpaes_schedule_core,.-_vpaes_schedule_core
-
-##
-##  .aes_schedule_192_smear
-##
-##  Smear the short, low side in the 192-bit key schedule.
-##
-##  Inputs:
-##    %xmm7: high side, b  a  x  y
-##    %xmm6:  low side, d  c  0  0
-##    %xmm13: 0
-##
-##  Outputs:
-##    %xmm6: b+c+d  b+c  0  0
-##    %xmm0: b+c+d  b+c  b  a
-##
-.type   _vpaes_schedule_192_smear,\@abi-omnipotent
-.align  16
-_vpaes_schedule_192_smear:
-        _CET_ENDBR
-        pshufd  \$0x80, %xmm6,  %xmm0   # d c 0 0 -> c 0 0 0
-        pxor    %xmm0,  %xmm6           # -> c+d c 0 0
-        pshufd  \$0xFE, %xmm7,  %xmm0   # b a _ _ -> b b b a
-        pxor    %xmm0,  %xmm6           # -> b+c+d b+c b a
-        movdqa  %xmm6,  %xmm0
-        pxor    %xmm1,  %xmm1
-        movhlps %xmm1,  %xmm6           # clobber low side with zeros
-        ret
-.size   _vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear
-
-##
-##  .aes_schedule_round
-##
-##  Runs one main round of the key schedule on %xmm0, %xmm7
-##
-##  Specifically, runs subbytes on the high dword of %xmm0
-##  then rotates it by one byte and xors into the low dword of
-##  %xmm7.
-##
-##  Adds rcon from low byte of %xmm8, then rotates %xmm8 for
-##  next rcon.
-##
-##  Smears the dwords of %xmm7 by xoring the low into the
-##  second low, result into third, result into highest.
-##
-##  Returns results in %xmm7 = %xmm0.
-##  Clobbers %xmm1-%xmm4, %r11.
-##
-.type   _vpaes_schedule_round,\@abi-omnipotent
-.align  16
-_vpaes_schedule_round:
-        _CET_ENDBR
-        # extract rcon from xmm8
-        pxor    %xmm1,  %xmm1
-        palignr \$15,   %xmm8,  %xmm1
-        palignr \$15,   %xmm8,  %xmm8
-        pxor    %xmm1,  %xmm7
-
-        # rotate
-        pshufd  \$0xFF, %xmm0,  %xmm0
-        palignr \$1,    %xmm0,  %xmm0
-        
-        # fall through...
-        
-        # low round: same as high round, but no rotation and no rcon.
-_vpaes_schedule_low_round:
-        # smear xmm7
-        movdqa  %xmm7,  %xmm1
-        pslldq  \$4,    %xmm7
-        pxor    %xmm1,  %xmm7
-        movdqa  %xmm7,  %xmm1
-        pslldq  \$8,    %xmm7
-        pxor    %xmm1,  %xmm7
-        pxor    .Lk_s63(%rip), %xmm7
-
-        # subbytes
-        movdqa  %xmm9,  %xmm1
-        pandn   %xmm0,  %xmm1
-        psrld   \$4,    %xmm1           # 1 = i
-        pand    %xmm9,  %xmm0           # 0 = k
-        movdqa  %xmm11, %xmm2           # 2 : a/k
-        pshufb  %xmm0,  %xmm2           # 2 = a/k
-        pxor    %xmm1,  %xmm0           # 0 = j
-        movdqa  %xmm10, %xmm3           # 3 : 1/i
-        pshufb  %xmm1,  %xmm3           # 3 = 1/i
-        pxor    %xmm2,  %xmm3           # 3 = iak = 1/i + a/k
-        movdqa  %xmm10, %xmm4           # 4 : 1/j
-        pshufb  %xmm0,  %xmm4           # 4 = 1/j
-        pxor    %xmm2,  %xmm4           # 4 = jak = 1/j + a/k
-        movdqa  %xmm10, %xmm2           # 2 : 1/iak
-        pshufb  %xmm3,  %xmm2           # 2 = 1/iak
-        pxor    %xmm0,  %xmm2           # 2 = io
-        movdqa  %xmm10, %xmm3           # 3 : 1/jak
-        pshufb  %xmm4,  %xmm3           # 3 = 1/jak
-        pxor    %xmm1,  %xmm3           # 3 = jo
-        movdqa  %xmm13, %xmm4           # 4 : sbou
-        pshufb  %xmm2,  %xmm4           # 4 = sbou
-        movdqa  %xmm12, %xmm0           # 0 : sbot
-        pshufb  %xmm3,  %xmm0           # 0 = sb1t
-        pxor    %xmm4,  %xmm0           # 0 = sbox output
-
-        # add in smeared stuff
-        pxor    %xmm7,  %xmm0   
-        movdqa  %xmm0,  %xmm7
-        ret
-.size   _vpaes_schedule_round,.-_vpaes_schedule_round
-
-##
-##  .aes_schedule_transform
-##
-##  Linear-transform %xmm0 according to tables at (%r11)
-##
-##  Requires that %xmm9 = 0x0F0F... as in preheat
-##  Output in %xmm0
-##  Clobbers %xmm1, %xmm2
-##
-.type   _vpaes_schedule_transform,\@abi-omnipotent
-.align  16
-_vpaes_schedule_transform:
-        _CET_ENDBR
-        movdqa  %xmm9,  %xmm1
-        pandn   %xmm0,  %xmm1
-        psrld   \$4,    %xmm1
-        pand    %xmm9,  %xmm0
-        movdqa  (%r11), %xmm2   # lo
-        pshufb  %xmm0,  %xmm2
-        movdqa  16(%r11), %xmm0 # hi
-        pshufb  %xmm1,  %xmm0
-        pxor    %xmm2,  %xmm0
-        ret
-.size   _vpaes_schedule_transform,.-_vpaes_schedule_transform
-
-##
-##  .aes_schedule_mangle
-##
-##  Mangle xmm0 from (basis-transformed) standard version
-##  to our version.
-##
-##  On encrypt,
-##    xor with 0x63
-##    multiply by circulant 0,1,1,1
-##    apply shiftrows transform
-##
-##  On decrypt,
-##    xor with 0x63
-##    multiply by "inverse mixcolumns" circulant E,B,D,9
-##    deskew
-##    apply shiftrows transform
-##
-##
-##  Writes out to (%rdx), and increments or decrements it
-##  Keeps track of round number mod 4 in %r8
-##  Preserves xmm0
-##  Clobbers xmm1-xmm5
-##
-.type   _vpaes_schedule_mangle,\@abi-omnipotent
-.align  16
-_vpaes_schedule_mangle:
-        _CET_ENDBR
-        movdqa  %xmm0,  %xmm4   # save xmm0 for later
-        movdqa  .Lk_mc_forward(%rip),%xmm5
-        test    %rcx,   %rcx
-        jnz     .Lschedule_mangle_dec
-
-        # encrypting
-        add     \$16,   %rdx
-        pxor    .Lk_s63(%rip),%xmm4
-        pshufb  %xmm5,  %xmm4
-        movdqa  %xmm4,  %xmm3
-        pshufb  %xmm5,  %xmm4
-        pxor    %xmm4,  %xmm3
-        pshufb  %xmm5,  %xmm4
-        pxor    %xmm4,  %xmm3
-
-        jmp     .Lschedule_mangle_both
-.align  16
-.Lschedule_mangle_dec:
-        # inverse mix columns
-        lea     .Lk_dksd(%rip),%r11
-        movdqa  %xmm9,  %xmm1
-        pandn   %xmm4,  %xmm1
-        psrld   \$4,    %xmm1   # 1 = hi
-        pand    %xmm9,  %xmm4   # 4 = lo
-
-        movdqa  0x00(%r11), %xmm2
-        pshufb  %xmm4,  %xmm2
-        movdqa  0x10(%r11), %xmm3
-        pshufb  %xmm1,  %xmm3
-        pxor    %xmm2,  %xmm3
-        pshufb  %xmm5,  %xmm3
-
-        movdqa  0x20(%r11), %xmm2
-        pshufb  %xmm4,  %xmm2
-        pxor    %xmm3,  %xmm2
-        movdqa  0x30(%r11), %xmm3
-        pshufb  %xmm1,  %xmm3
-        pxor    %xmm2,  %xmm3
-        pshufb  %xmm5,  %xmm3
-
-        movdqa  0x40(%r11), %xmm2
-        pshufb  %xmm4,  %xmm2
-        pxor    %xmm3,  %xmm2
-        movdqa  0x50(%r11), %xmm3
-        pshufb  %xmm1,  %xmm3
-        pxor    %xmm2,  %xmm3
-        pshufb  %xmm5,  %xmm3
-
-        movdqa  0x60(%r11), %xmm2
-        pshufb  %xmm4,  %xmm2
-        pxor    %xmm3,  %xmm2
-        movdqa  0x70(%r11), %xmm3
-        pshufb  %xmm1,  %xmm3
-        pxor    %xmm2,  %xmm3
-
-        add     \$-16,  %rdx
-
-.Lschedule_mangle_both:
-        movdqa  (%r8,%r10),%xmm1
-        pshufb  %xmm1,%xmm3
-        add     \$-16,  %r8
-        and     \$0x30, %r8
-        movdqu  %xmm3,  (%rdx)
-        ret
-.size   _vpaes_schedule_mangle,.-_vpaes_schedule_mangle
-
-#
-# Interface to OpenSSL
-#
-.globl  ${PREFIX}_set_encrypt_key
-.type   ${PREFIX}_set_encrypt_key,\@function,3
-.align  16
-${PREFIX}_set_encrypt_key:
-        _CET_ENDBR
-___
-$code.=<<___ if ($win64);
-        lea     -0xb8(%rsp),%rsp
-        movaps  %xmm6,0x10(%rsp)
-        movaps  %xmm7,0x20(%rsp)
-        movaps  %xmm8,0x30(%rsp)
-        movaps  %xmm9,0x40(%rsp)
-        movaps  %xmm10,0x50(%rsp)
-        movaps  %xmm11,0x60(%rsp)
-        movaps  %xmm12,0x70(%rsp)
-        movaps  %xmm13,0x80(%rsp)
-        movaps  %xmm14,0x90(%rsp)
-        movaps  %xmm15,0xa0(%rsp)
-.Lenc_key_body:
-___
-$code.=<<___;
-        mov     %esi,%eax
-        shr     \$5,%eax
-        add     \$5,%eax
-        mov     %eax,240(%rdx)  # AES_KEY->rounds = nbits/32+5;
-
-        mov     \$0,%ecx
-        mov     \$0x30,%r8d
-        call    _vpaes_schedule_core
-___
-$code.=<<___ if ($win64);
-        movaps  0x10(%rsp),%xmm6
-        movaps  0x20(%rsp),%xmm7
-        movaps  0x30(%rsp),%xmm8
-        movaps  0x40(%rsp),%xmm9
-        movaps  0x50(%rsp),%xmm10
-        movaps  0x60(%rsp),%xmm11
-        movaps  0x70(%rsp),%xmm12
-        movaps  0x80(%rsp),%xmm13
-        movaps  0x90(%rsp),%xmm14
-        movaps  0xa0(%rsp),%xmm15
-        lea     0xb8(%rsp),%rsp
-.Lenc_key_epilogue:
-___
-$code.=<<___;
-        xor     %eax,%eax
-        ret
-.size   ${PREFIX}_set_encrypt_key,.-${PREFIX}_set_encrypt_key
-
-.globl  ${PREFIX}_set_decrypt_key
-.type   ${PREFIX}_set_decrypt_key,\@function,3
-.align  16
-${PREFIX}_set_decrypt_key:
-        _CET_ENDBR
-___
-$code.=<<___ if ($win64);
-        lea     -0xb8(%rsp),%rsp
-        movaps  %xmm6,0x10(%rsp)
-        movaps  %xmm7,0x20(%rsp)
-        movaps  %xmm8,0x30(%rsp)
-        movaps  %xmm9,0x40(%rsp)
-        movaps  %xmm10,0x50(%rsp)
-        movaps  %xmm11,0x60(%rsp)
-        movaps  %xmm12,0x70(%rsp)
-        movaps  %xmm13,0x80(%rsp)
-        movaps  %xmm14,0x90(%rsp)
-        movaps  %xmm15,0xa0(%rsp)
-.Ldec_key_body:
-___
-$code.=<<___;
-        mov     %esi,%eax
-        shr     \$5,%eax
-        add     \$5,%eax
-        mov     %eax,240(%rdx)  # AES_KEY->rounds = nbits/32+5;
-        shl     \$4,%eax
-        lea     16(%rdx,%rax),%rdx
-
-        mov     \$1,%ecx
-        mov     %esi,%r8d
-        shr     \$1,%r8d
-        and     \$32,%r8d
-        xor     \$32,%r8d       # nbits==192?0:32
-        call    _vpaes_schedule_core
-___
-$code.=<<___ if ($win64);
-        movaps  0x10(%rsp),%xmm6
-        movaps  0x20(%rsp),%xmm7
-        movaps  0x30(%rsp),%xmm8
-        movaps  0x40(%rsp),%xmm9
-        movaps  0x50(%rsp),%xmm10
-        movaps  0x60(%rsp),%xmm11
-        movaps  0x70(%rsp),%xmm12
-        movaps  0x80(%rsp),%xmm13
-        movaps  0x90(%rsp),%xmm14
-        movaps  0xa0(%rsp),%xmm15
-        lea     0xb8(%rsp),%rsp
-.Ldec_key_epilogue:
-___
-$code.=<<___;
-        xor     %eax,%eax
-        ret
-.size   ${PREFIX}_set_decrypt_key,.-${PREFIX}_set_decrypt_key
-
-.globl  ${PREFIX}_encrypt
-.type   ${PREFIX}_encrypt,\@function,3
-.align  16
-${PREFIX}_encrypt:
-        _CET_ENDBR
-___
-$code.=<<___ if ($win64);
-        lea     -0xb8(%rsp),%rsp
-        movaps  %xmm6,0x10(%rsp)
-        movaps  %xmm7,0x20(%rsp)
-        movaps  %xmm8,0x30(%rsp)
-        movaps  %xmm9,0x40(%rsp)
-        movaps  %xmm10,0x50(%rsp)
-        movaps  %xmm11,0x60(%rsp)
-        movaps  %xmm12,0x70(%rsp)
-        movaps  %xmm13,0x80(%rsp)
-        movaps  %xmm14,0x90(%rsp)
-        movaps  %xmm15,0xa0(%rsp)
-.Lenc_body:
-___
-$code.=<<___;
-        movdqu  (%rdi),%xmm0
-        call    _vpaes_preheat
-        call    _vpaes_encrypt_core
-        movdqu  %xmm0,(%rsi)
-___
-$code.=<<___ if ($win64);
-        movaps  0x10(%rsp),%xmm6
-        movaps  0x20(%rsp),%xmm7
-        movaps  0x30(%rsp),%xmm8
-        movaps  0x40(%rsp),%xmm9
-        movaps  0x50(%rsp),%xmm10
-        movaps  0x60(%rsp),%xmm11
-        movaps  0x70(%rsp),%xmm12
-        movaps  0x80(%rsp),%xmm13
-        movaps  0x90(%rsp),%xmm14
-        movaps  0xa0(%rsp),%xmm15
-        lea     0xb8(%rsp),%rsp
-.Lenc_epilogue:
-___
-$code.=<<___;
-        ret
-.size   ${PREFIX}_encrypt,.-${PREFIX}_encrypt
-
-.globl  ${PREFIX}_decrypt
-.type   ${PREFIX}_decrypt,\@function,3
-.align  16
-${PREFIX}_decrypt:
-        _CET_ENDBR
-___
-$code.=<<___ if ($win64);
-        lea     -0xb8(%rsp),%rsp
-        movaps  %xmm6,0x10(%rsp)
-        movaps  %xmm7,0x20(%rsp)
-        movaps  %xmm8,0x30(%rsp)
-        movaps  %xmm9,0x40(%rsp)
-        movaps  %xmm10,0x50(%rsp)
-        movaps  %xmm11,0x60(%rsp)
-        movaps  %xmm12,0x70(%rsp)
-        movaps  %xmm13,0x80(%rsp)
-        movaps  %xmm14,0x90(%rsp)
-        movaps  %xmm15,0xa0(%rsp)
-.Ldec_body:
-___
-$code.=<<___;
-        movdqu  (%rdi),%xmm0
-        call    _vpaes_preheat
-        call    _vpaes_decrypt_core
-        movdqu  %xmm0,(%rsi)
-___
-$code.=<<___ if ($win64);
-        movaps  0x10(%rsp),%xmm6
-        movaps  0x20(%rsp),%xmm7
-        movaps  0x30(%rsp),%xmm8
-        movaps  0x40(%rsp),%xmm9
-        movaps  0x50(%rsp),%xmm10
-        movaps  0x60(%rsp),%xmm11
-        movaps  0x70(%rsp),%xmm12
-        movaps  0x80(%rsp),%xmm13
-        movaps  0x90(%rsp),%xmm14
-        movaps  0xa0(%rsp),%xmm15
-        lea     0xb8(%rsp),%rsp
-.Ldec_epilogue:
-___
-$code.=<<___;
-        ret
-.size   ${PREFIX}_decrypt,.-${PREFIX}_decrypt
-___
-{
-my ($inp,$out,$len,$key,$ivp,$enc)=("%rdi","%rsi","%rdx","%rcx","%r8","%r9");
-# void AES_cbc_encrypt (const void char *inp, unsigned char *out,
-#                       size_t length, const AES_KEY *key,
-#                       unsigned char *ivp,const int enc);
-$code.=<<___;
-.globl  ${PREFIX}_cbc_encrypt
-.type   ${PREFIX}_cbc_encrypt,\@function,6
-.align  16
-${PREFIX}_cbc_encrypt:
-        _CET_ENDBR
-        xchg    $key,$len
-___
-($len,$key)=($key,$len);
-$code.=<<___;
-        sub     \$16,$len
-        jc      .Lcbc_abort
-___
-$code.=<<___ if ($win64);
-        lea     -0xb8(%rsp),%rsp
-        movaps  %xmm6,0x10(%rsp)
-        movaps  %xmm7,0x20(%rsp)
-        movaps  %xmm8,0x30(%rsp)
-        movaps  %xmm9,0x40(%rsp)
-        movaps  %xmm10,0x50(%rsp)
-        movaps  %xmm11,0x60(%rsp)
-        movaps  %xmm12,0x70(%rsp)
-        movaps  %xmm13,0x80(%rsp)
-        movaps  %xmm14,0x90(%rsp)
-        movaps  %xmm15,0xa0(%rsp)
-.Lcbc_body:
-___
-$code.=<<___;
-        movdqu  ($ivp),%xmm6            # load IV
-        sub     $inp,$out
-        call    _vpaes_preheat
-        cmp     \$0,${enc}d
-        je      .Lcbc_dec_loop
-        jmp     .Lcbc_enc_loop
-.align  16
-.Lcbc_enc_loop:
-        movdqu  ($inp),%xmm0
-        pxor    %xmm6,%xmm0
-        call    _vpaes_encrypt_core
-        movdqa  %xmm0,%xmm6
-        movdqu  %xmm0,($out,$inp)
-        lea     16($inp),$inp
-        sub     \$16,$len
-        jnc     .Lcbc_enc_loop
-        jmp     .Lcbc_done
-.align  16
-.Lcbc_dec_loop:
-        movdqu  ($inp),%xmm0
-        movdqa  %xmm0,%xmm7
-        call    _vpaes_decrypt_core
-        pxor    %xmm6,%xmm0
-        movdqa  %xmm7,%xmm6
-        movdqu  %xmm0,($out,$inp)
-        lea     16($inp),$inp
-        sub     \$16,$len
-        jnc     .Lcbc_dec_loop
-.Lcbc_done:
-        movdqu  %xmm6,($ivp)            # save IV
-___
-$code.=<<___ if ($win64);
-        movaps  0x10(%rsp),%xmm6
-        movaps  0x20(%rsp),%xmm7
-        movaps  0x30(%rsp),%xmm8
-        movaps  0x40(%rsp),%xmm9
-        movaps  0x50(%rsp),%xmm10
-        movaps  0x60(%rsp),%xmm11
-        movaps  0x70(%rsp),%xmm12
-        movaps  0x80(%rsp),%xmm13
-        movaps  0x90(%rsp),%xmm14
-        movaps  0xa0(%rsp),%xmm15
-        lea     0xb8(%rsp),%rsp
-.Lcbc_epilogue:
-___
-$code.=<<___;
-.Lcbc_abort:
-        ret
-.size   ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
-___
-}
-$code.=<<___;
-##
-##  _aes_preheat
-##
-##  Fills register %r10 -> .aes_consts (so you can -fPIC)
-##  and %xmm9-%xmm15 as specified below.
-##
-.type   _vpaes_preheat,\@abi-omnipotent
-.align  16
-_vpaes_preheat:
-        _CET_ENDBR
-        lea     .Lk_s0F(%rip), %r10
-        movdqa  -0x20(%r10), %xmm10     # .Lk_inv
-        movdqa  -0x10(%r10), %xmm11     # .Lk_inv+16
-        movdqa  0x00(%r10), %xmm9       # .Lk_s0F
-        movdqa  0x30(%r10), %xmm13      # .Lk_sb1
-        movdqa  0x40(%r10), %xmm12      # .Lk_sb1+16
-        movdqa  0x50(%r10), %xmm15      # .Lk_sb2
-        movdqa  0x60(%r10), %xmm14      # .Lk_sb2+16
-        ret
-.size   _vpaes_preheat,.-_vpaes_preheat
-########################################################
-##                                                    ##
-##                     Constants                      ##
-##                                                    ##
-########################################################
-.section .rodata
-.type   _vpaes_consts,\@object
-.align  64
-_vpaes_consts:
-.Lk_inv:        # inv, inva
-        .quad   0x0E05060F0D080180, 0x040703090A0B0C02
-        .quad   0x01040A060F0B0780, 0x030D0E0C02050809
-
-.Lk_s0F:        # s0F
-        .quad   0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F
-
-.Lk_ipt:        # input transform (lo, hi)
-        .quad   0xC2B2E8985A2A7000, 0xCABAE09052227808
-        .quad   0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81
-
-.Lk_sb1:        # sb1u, sb1t
-        .quad   0xB19BE18FCB503E00, 0xA5DF7A6E142AF544
-        .quad   0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF
-.Lk_sb2:        # sb2u, sb2t
-        .quad   0xE27A93C60B712400, 0x5EB7E955BC982FCD
-        .quad   0x69EB88400AE12900, 0xC2A163C8AB82234A
-.Lk_sbo:        # sbou, sbot
-        .quad   0xD0D26D176FBDC700, 0x15AABF7AC502A878
-        .quad   0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA
-
-.Lk_mc_forward: # mc_forward
-        .quad   0x0407060500030201, 0x0C0F0E0D080B0A09
-        .quad   0x080B0A0904070605, 0x000302010C0F0E0D
-        .quad   0x0C0F0E0D080B0A09, 0x0407060500030201
-        .quad   0x000302010C0F0E0D, 0x080B0A0904070605
-
-.Lk_mc_backward:# mc_backward
-        .quad   0x0605040702010003, 0x0E0D0C0F0A09080B
-        .quad   0x020100030E0D0C0F, 0x0A09080B06050407
-        .quad   0x0E0D0C0F0A09080B, 0x0605040702010003
-        .quad   0x0A09080B06050407, 0x020100030E0D0C0F
-
-.Lk_sr:         # sr
-        .quad   0x0706050403020100, 0x0F0E0D0C0B0A0908
-        .quad   0x030E09040F0A0500, 0x0B06010C07020D08
-        .quad   0x0F060D040B020900, 0x070E050C030A0108
-        .quad   0x0B0E0104070A0D00, 0x0306090C0F020508
-
-.Lk_rcon:       # rcon
-        .quad   0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81
-
-.Lk_s63:        # s63: all equal to 0x63 transformed
-        .quad   0x5B5B5B5B5B5B5B5B, 0x5B5B5B5B5B5B5B5B
-
-.Lk_opt:        # output transform
-        .quad   0xFF9F4929D6B66000, 0xF7974121DEBE6808
-        .quad   0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0
-
-.Lk_deskew:     # deskew tables: inverts the sbox's "skew"
-        .quad   0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A
-        .quad   0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77
-
-##
-##  Decryption stuff
-##  Key schedule constants
-##
-.Lk_dksd:       # decryption key schedule: invskew x*D
-        .quad   0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9
-        .quad   0x41C277F4B5368300, 0x5FDC69EAAB289D1E
-.Lk_dksb:       # decryption key schedule: invskew x*B
-        .quad   0x9A4FCA1F8550D500, 0x03D653861CC94C99
-        .quad   0x115BEDA7B6FC4A00, 0xD993256F7E3482C8
-.Lk_dkse:       # decryption key schedule: invskew x*E + 0x63
-        .quad   0xD5031CCA1FC9D600, 0x53859A4C994F5086
-        .quad   0xA23196054FDC7BE8, 0xCD5EF96A20B31487
-.Lk_dks9:       # decryption key schedule: invskew x*9
-        .quad   0xB6116FC87ED9A700, 0x4AED933482255BFC
-        .quad   0x4576516227143300, 0x8BB89FACE9DAFDCE
-
-##
-##  Decryption stuff
-##  Round function constants
-##
-.Lk_dipt:       # decryption input transform
-        .quad   0x0F505B040B545F00, 0x154A411E114E451A
-        .quad   0x86E383E660056500, 0x12771772F491F194
-
-.Lk_dsb9:       # decryption sbox output *9*u, *9*t
-        .quad   0x851C03539A86D600, 0xCAD51F504F994CC9
-        .quad   0xC03B1789ECD74900, 0x725E2C9EB2FBA565
-.Lk_dsbd:       # decryption sbox output *D*u, *D*t
-        .quad   0x7D57CCDFE6B1A200, 0xF56E9B13882A4439
-        .quad   0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3
-.Lk_dsbb:       # decryption sbox output *B*u, *B*t
-        .quad   0xD022649296B44200, 0x602646F6B0F2D404
-        .quad   0xC19498A6CD596700, 0xF3FF0C3E3255AA6B
-.Lk_dsbe:       # decryption sbox output *E*u, *E*t
-        .quad   0x46F2929626D4D000, 0x2242600464B4F6B0
-        .quad   0x0C55A6CDFFAAC100, 0x9467F36B98593E32
-.Lk_dsbo:       # decryption sbox final output
-        .quad   0x1387EA537EF94000, 0xC7AA6DB9D4943E2D
-        .quad   0x12D7560F93441D00, 0xCA4B8159D8C58E9C
-.align  64
-.size   _vpaes_consts,.-_vpaes_consts
-.text
-___
-
-if ($win64) {
-# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
-#               CONTEXT *context,DISPATCHER_CONTEXT *disp)
-$rec="%rcx";
-$frame="%rdx";
-$context="%r8";
-$disp="%r9";
-
-$code.=<<___;
-.extern __imp_RtlVirtualUnwind
-.type   se_handler,\@abi-omnipotent
-.align  16
-se_handler:
-        _CET_ENDBR
-        push    %rsi
-        push    %rdi
-        push    %rbx
-        push    %rbp
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        pushfq
-        sub     \$64,%rsp
-
-        mov     120($context),%rax      # pull context->Rax
-        mov     248($context),%rbx      # pull context->Rip
-
-        mov     8($disp),%rsi           # disp->ImageBase
-        mov     56($disp),%r11          # disp->HandlerData
-
-        mov     0(%r11),%r10d           # HandlerData[0]
-        lea     (%rsi,%r10),%r10        # prologue label
-        cmp     %r10,%rbx               # context->Rip<prologue label
-        jb      .Lin_prologue
-
-        mov     152($context),%rax      # pull context->Rsp
-
-        mov     4(%r11),%r10d           # HandlerData[1]
-        lea     (%rsi,%r10),%r10        # epilogue label
-        cmp     %r10,%rbx               # context->Rip>=epilogue label
-        jae     .Lin_prologue
-
-        lea     16(%rax),%rsi           # %xmm save area
-        lea     512($context),%rdi      # &context.Xmm6
-        mov     \$20,%ecx               # 10*sizeof(%xmm0)/sizeof(%rax)
-        .long   0xa548f3fc              # cld; rep movsq
-        lea     0xb8(%rax),%rax         # adjust stack pointer
-
-.Lin_prologue:
-        mov     8(%rax),%rdi
-        mov     16(%rax),%rsi
-        mov     %rax,152($context)      # restore context->Rsp
-        mov     %rsi,168($context)      # restore context->Rsi
-        mov     %rdi,176($context)      # restore context->Rdi
-
-        mov     40($disp),%rdi          # disp->ContextRecord
-        mov     $context,%rsi           # context
-        mov     \$`1232/8`,%ecx         # sizeof(CONTEXT)
-        .long   0xa548f3fc              # cld; rep movsq
-
-        mov     $disp,%rsi
-        xor     %rcx,%rcx               # arg1, UNW_FLAG_NHANDLER
-        mov     8(%rsi),%rdx            # arg2, disp->ImageBase
-        mov     0(%rsi),%r8             # arg3, disp->ControlPc
-        mov     16(%rsi),%r9            # arg4, disp->FunctionEntry
-        mov     40(%rsi),%r10           # disp->ContextRecord
-        lea     56(%rsi),%r11           # &disp->HandlerData
-        lea     24(%rsi),%r12           # &disp->EstablisherFrame
-        mov     %r10,32(%rsp)           # arg5
-        mov     %r11,40(%rsp)           # arg6
-        mov     %r12,48(%rsp)           # arg7
-        mov     %rcx,56(%rsp)           # arg8, (NULL)
-        call    *__imp_RtlVirtualUnwind(%rip)
-
-        mov     \$1,%eax                # ExceptionContinueSearch
-        add     \$64,%rsp
-        popfq
-        pop     %r15
-        pop     %r14
-        pop     %r13
-        pop     %r12
-        pop     %rbp
-        pop     %rbx
-        pop     %rdi
-        pop     %rsi
-        ret
-.size   se_handler,.-se_handler
-
-.section        .pdata
-.align  4
-        .rva    .LSEH_begin_${PREFIX}_set_encrypt_key
-        .rva    .LSEH_end_${PREFIX}_set_encrypt_key
-        .rva    .LSEH_info_${PREFIX}_set_encrypt_key
-
-        .rva    .LSEH_begin_${PREFIX}_set_decrypt_key
-        .rva    .LSEH_end_${PREFIX}_set_decrypt_key
-        .rva    .LSEH_info_${PREFIX}_set_decrypt_key
-
-        .rva    .LSEH_begin_${PREFIX}_encrypt
-        .rva    .LSEH_end_${PREFIX}_encrypt
-        .rva    .LSEH_info_${PREFIX}_encrypt
-
-        .rva    .LSEH_begin_${PREFIX}_decrypt
-        .rva    .LSEH_end_${PREFIX}_decrypt
-        .rva    .LSEH_info_${PREFIX}_decrypt
-
-        .rva    .LSEH_begin_${PREFIX}_cbc_encrypt
-        .rva    .LSEH_end_${PREFIX}_cbc_encrypt
-        .rva    .LSEH_info_${PREFIX}_cbc_encrypt
-
-.section        .xdata
-.align  8
-.LSEH_info_${PREFIX}_set_encrypt_key:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lenc_key_body,.Lenc_key_epilogue       # HandlerData[]
-.LSEH_info_${PREFIX}_set_decrypt_key:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Ldec_key_body,.Ldec_key_epilogue       # HandlerData[]
-.LSEH_info_${PREFIX}_encrypt:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lenc_body,.Lenc_epilogue               # HandlerData[]
-.LSEH_info_${PREFIX}_decrypt:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Ldec_body,.Ldec_epilogue               # HandlerData[]
-.LSEH_info_${PREFIX}_cbc_encrypt:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lcbc_body,.Lcbc_epilogue               # HandlerData[]
-___
-}
-
-$code =~ s/\`([^\`]*)\`/eval($1)/gem;
-
-print $code;
-
-close STDOUT;
diff --git a/src/lib/libcrypto/arch/aarch64/Makefile.inc b/src/lib/libcrypto/arch/aarch64/Makefile.inc
index d93cb815ef..d1f22d87cd 100644
--- a/src/lib/libcrypto/arch/aarch64/Makefile.inc
+++ b/src/lib/libcrypto/arch/aarch64/Makefile.inc
@@ -1,9 +1,11 @@
-# $OpenBSD: Makefile.inc,v 1.16 2025/03/12 14:13:41 jsing Exp $
+# $OpenBSD: Makefile.inc,v 1.17 2025/06/28 12:51:08 jsing Exp $
 
 # aarch64-specific libcrypto build rules
 
 SRCS += crypto_cpu_caps.c
 
+SRCS += sha1_aarch64.c
+SRCS += sha1_aarch64_ce.S
 SRCS += sha256_aarch64.c
 SRCS += sha256_aarch64_ce.S
 SRCS += sha512_aarch64.c
diff --git a/src/lib/libcrypto/arch/aarch64/crypto_arch.h b/src/lib/libcrypto/arch/aarch64/crypto_arch.h
index 35ecba9394..51c8d79e2d 100644
--- a/src/lib/libcrypto/arch/aarch64/crypto_arch.h
+++ b/src/lib/libcrypto/arch/aarch64/crypto_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_arch.h,v 1.4 2025/03/12 14:13:41 jsing Exp $ */
+/*      $OpenBSD: crypto_arch.h,v 1.5 2025/06/28 12:51:08 jsing Exp $ */
 /*
  * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
  *
@@ -35,6 +35,7 @@ extern uint64_t crypto_cpu_caps_aarch64;
 
 #ifndef OPENSSL_NO_ASM
 
+#define HAVE_SHA1_BLOCK_DATA_ORDER
 #define HAVE_SHA256_BLOCK_DATA_ORDER
 #define HAVE_SHA512_BLOCK_DATA_ORDER
 
diff --git a/src/lib/libcrypto/arch/aarch64/opensslconf.h b/src/lib/libcrypto/arch/aarch64/opensslconf.h
index 731b06aecc..c31bcc01ad 100644
--- a/src/lib/libcrypto/arch/aarch64/opensslconf.h
+++ b/src/lib/libcrypto/arch/aarch64/opensslconf.h
@@ -1,9 +1,4 @@
 #include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
 
 #undef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
@@ -16,139 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
-
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#define SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#undef THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/alpha/opensslconf.h b/src/lib/libcrypto/arch/alpha/opensslconf.h
index 0ec9c25891..c31bcc01ad 100644
--- a/src/lib/libcrypto/arch/alpha/opensslconf.h
+++ b/src/lib/libcrypto/arch/alpha/opensslconf.h
@@ -1,9 +1,4 @@
 #include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
 
 #undef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
@@ -16,137 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
-
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#define SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#undef THIRTY_TWO_BIT
-#endif
-
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#define BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#define DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#define DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#undef DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/amd64/Makefile.inc b/src/lib/libcrypto/arch/amd64/Makefile.inc
index b03aad782f..de9666afdb 100644
--- a/src/lib/libcrypto/arch/amd64/Makefile.inc
+++ b/src/lib/libcrypto/arch/amd64/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.38 2025/04/18 13:19:39 jsing Exp $
+# $OpenBSD: Makefile.inc,v 1.42 2025/08/14 15:12:53 jsing Exp $
 
 # amd64-specific libcrypto build rules
 
@@ -11,8 +11,9 @@ SRCS += crypto_cpu_caps.c
 CFLAGS+= -DAES_ASM
 SSLASM+= aes aes-x86_64
 SSLASM+= aes aesni-x86_64
+SRCS += aes_amd64.c
+
 # bn
-CFLAGS+= -DOPENSSL_IA32_SSE2
 CFLAGS+= -DRSA_ASM
 SSLASM+= bn modexp512-x86_64
 CFLAGS+= -DOPENSSL_BN_ASM_MONT
@@ -25,11 +26,21 @@ SRCS += bn_arch.c
 SRCS += bignum_add.S
 SRCS += bignum_cmadd.S
 SRCS += bignum_cmul.S
+SRCS += bignum_modadd.S
+SRCS += bignum_modsub.S
 SRCS += bignum_mul.S
+SRCS += bignum_mul_4_8.S
 SRCS += bignum_mul_4_8_alt.S
+SRCS += bignum_mul_6_12.S
+SRCS += bignum_mul_6_12_alt.S
+SRCS += bignum_mul_8_16.S
 SRCS += bignum_mul_8_16_alt.S
 SRCS += bignum_sqr.S
+SRCS += bignum_sqr_4_8.S
 SRCS += bignum_sqr_4_8_alt.S
+SRCS += bignum_sqr_6_12.S
+SRCS += bignum_sqr_6_12_alt.S
+SRCS += bignum_sqr_8_16.S
 SRCS += bignum_sqr_8_16_alt.S
 SRCS += bignum_sub.S
 SRCS += word_clz.S
@@ -37,11 +48,15 @@ SRCS += word_clz.S
 # md5
 CFLAGS+= -DMD5_ASM
 SRCS+= md5_amd64_generic.S
+
 # modes
 CFLAGS+= -DGHASH_ASM
 SSLASM+= modes ghash-x86_64
+SRCS += gcm128_amd64.c
+
 # rc4
 SSLASM+= rc4 rc4-x86_64
+
 # ripemd
 # sha
 SRCS+= sha1_amd64.c
diff --git a/src/lib/libcrypto/arch/amd64/crypto_arch.h b/src/lib/libcrypto/arch/amd64/crypto_arch.h
index 951374250d..a8f64cf235 100644
--- a/src/lib/libcrypto/arch/amd64/crypto_arch.h
+++ b/src/lib/libcrypto/arch/amd64/crypto_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_arch.h,v 1.5 2025/02/14 12:01:58 jsing Exp $ */
+/*      $OpenBSD: crypto_arch.h,v 1.14 2025/08/14 15:11:01 jsing Exp $ */
 /*
  * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
  *
@@ -21,21 +21,29 @@
 #define HEADER_CRYPTO_ARCH_H
 
 #define HAVE_CRYPTO_CPU_CAPS_INIT
-#define HAVE_CRYPTO_CPU_CAPS_IA32
 
 #ifndef __ASSEMBLER__
 extern uint64_t crypto_cpu_caps_amd64;
 #endif
 
-#define CRYPTO_CPU_CAPS_AMD64_SHA       (1ULL << 0)
+#define CRYPTO_CPU_CAPS_AMD64_ADX       (1ULL << 0)
+#define CRYPTO_CPU_CAPS_AMD64_AES       (1ULL << 1)
+#define CRYPTO_CPU_CAPS_AMD64_CLMUL     (1ULL << 2)
+#define CRYPTO_CPU_CAPS_AMD64_SHA       (1ULL << 3)
 
 #ifndef OPENSSL_NO_ASM
 
-#define HAVE_AES_CBC_ENCRYPT_INTERNAL
 #define HAVE_AES_SET_ENCRYPT_KEY_INTERNAL
 #define HAVE_AES_SET_DECRYPT_KEY_INTERNAL
 #define HAVE_AES_ENCRYPT_INTERNAL
 #define HAVE_AES_DECRYPT_INTERNAL
+#define HAVE_AES_CBC_ENCRYPT_INTERNAL
+#define HAVE_AES_CCM64_ENCRYPT_INTERNAL
+#define HAVE_AES_CTR32_ENCRYPT_INTERNAL
+#define HAVE_AES_ECB_ENCRYPT_INTERNAL
+#define HAVE_AES_XTS_ENCRYPT_INTERNAL
+
+#define HAVE_GCM128_INIT
 
 #define HAVE_RC4_INTERNAL
 #define HAVE_RC4_SET_KEY_INTERNAL
diff --git a/src/lib/libcrypto/arch/amd64/crypto_cpu_caps.c b/src/lib/libcrypto/arch/amd64/crypto_cpu_caps.c
index 63b7b64cda..51a2da4616 100644
--- a/src/lib/libcrypto/arch/amd64/crypto_cpu_caps.c
+++ b/src/lib/libcrypto/arch/amd64/crypto_cpu_caps.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_cpu_caps.c,v 1.4 2024/11/16 13:05:35 jsing Exp $ */
+/*      $OpenBSD: crypto_cpu_caps.c,v 1.8 2025/08/14 15:11:01 jsing Exp $ */
 /*
  * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
  *
@@ -98,10 +98,14 @@ crypto_cpu_caps_init(void)
         if ((edx & IA32CAP_MASK0_SSE2) != 0)
                 caps |= CPUCAP_MASK_SSE2;
 
-        if ((ecx & IA32CAP_MASK1_AESNI) != 0)
+        if ((ecx & IA32CAP_MASK1_AESNI) != 0) {
                 caps |= CPUCAP_MASK_AESNI;
-        if ((ecx & IA32CAP_MASK1_PCLMUL) != 0)
+                crypto_cpu_caps_amd64 |= CRYPTO_CPU_CAPS_AMD64_AES;
+        }
+        if ((ecx & IA32CAP_MASK1_PCLMUL) != 0) {
                 caps |= CPUCAP_MASK_PCLMUL;
+                crypto_cpu_caps_amd64 |= CRYPTO_CPU_CAPS_AMD64_CLMUL;
+        }
         if ((ecx & IA32CAP_MASK1_SSSE3) != 0)
                 caps |= CPUCAP_MASK_SSSE3;
 
@@ -115,6 +119,10 @@ crypto_cpu_caps_init(void)
         if (max_cpuid >= 7) {
                 cpuid(7, NULL, &ebx, NULL, NULL);
 
+                /* Intel ADX feature bit - ebx[19]. */
+                if (((ebx >> 19) & 1) != 0)
+                        crypto_cpu_caps_amd64 |= CRYPTO_CPU_CAPS_AMD64_ADX;
+
                 /* Intel SHA extensions feature bit - ebx[29]. */
                 if (((ebx >> 29) & 1) != 0)
                         crypto_cpu_caps_amd64 |= CRYPTO_CPU_CAPS_AMD64_SHA;
@@ -126,9 +134,3 @@ crypto_cpu_caps_init(void)
 
         OPENSSL_ia32cap_P = caps;
 }
-
-uint64_t
-crypto_cpu_caps_ia32(void)
-{
-        return OPENSSL_ia32cap_P;
-}
diff --git a/src/lib/libcrypto/arch/amd64/opensslconf.h b/src/lib/libcrypto/arch/amd64/opensslconf.h
index cc193762f1..c31bcc01ad 100644
--- a/src/lib/libcrypto/arch/amd64/opensslconf.h
+++ b/src/lib/libcrypto/arch/amd64/opensslconf.h
@@ -1,9 +1,4 @@
 #include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
 
 #undef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
@@ -16,134 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
-
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-#define SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#undef THIRTY_TWO_BIT
-#endif
-
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/arm/Makefile.inc b/src/lib/libcrypto/arch/arm/Makefile.inc
index e078c51d98..271dff04f6 100644
--- a/src/lib/libcrypto/arch/arm/Makefile.inc
+++ b/src/lib/libcrypto/arch/arm/Makefile.inc
@@ -1,28 +1,3 @@
-# $oPenBSD: Makefile.inc,v 1.2 2014/05/02 18:21:39 miod Exp $
+# $OpenBSD: Makefile.inc,v 1.20 2025/05/24 07:07:18 jsing Exp $
 
 # arm-specific libcrypto build rules
-
-# aes
-CFLAGS+= -DAES_ASM
-SSLASM+= aes aes-armv4
-# bn
-CFLAGS+= -DOPENSSL_BN_ASM_MONT
-SSLASM+= bn armv4-mont
-# modes
-CFLAGS+= -DGHASH_ASM
-SSLASM+= modes ghash-armv4
-# sha
-SSLASM+= sha sha1-armv4-large
-SSLASM+= sha sha256-armv4
-SSLASM+= sha sha512-armv4
-
-.for dir f in ${SSLASM}
-SRCS+=  ${f}.S
-GENERATED+=${f}.S
-${f}.S: ${LCRYPTO_SRC}/${dir}/asm/${f}.pl
-        /usr/bin/perl \
-                ${LCRYPTO_SRC}/${dir}/asm/${f}.pl void ${.TARGET} > ${.TARGET}
-.endfor
-
-CFLAGS+= -DOPENSSL_CPUID_OBJ
-SRCS+=  armv4cpuid.S armcap.c
diff --git a/src/lib/libcrypto/arch/arm/arm_arch.h b/src/lib/libcrypto/arch/arm/arm_arch.h
deleted file mode 100644
index 5ac3b935f1..0000000000
--- a/src/lib/libcrypto/arch/arm/arm_arch.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/* $OpenBSD: arm_arch.h,v 1.1 2022/03/23 15:13:31 tb Exp $ */
-#ifndef __ARM_ARCH_H__
-#define __ARM_ARCH_H__
-
-#if !defined(__ARM_ARCH__)
-# if defined(__CC_ARM)
-#  define __ARM_ARCH__ __TARGET_ARCH_ARM
-#  if defined(__BIG_ENDIAN)
-#   define __ARMEB__
-#  else
-#   define __ARMEL__
-#  endif
-# elif defined(__GNUC__)
-  /*
-   * Why doesn't gcc define __ARM_ARCH__? Instead it defines
-   * bunch of below macros. See all_architectures[] table in
-   * gcc/config/arm/arm.c. On a side note it defines
-   * __ARMEL__/__ARMEB__ for little-/big-endian.
-   */
-#  if   defined(__ARM_ARCH)
-#   define __ARM_ARCH__ __ARM_ARCH
-#  elif defined(__ARM_ARCH_8A__)
-#   define __ARM_ARCH__ 8
-#  elif defined(__ARM_ARCH_7__) || defined(__ARM_ARCH_7A__)     || \
-        defined(__ARM_ARCH_7R__)|| defined(__ARM_ARCH_7M__)     || \
-        defined(__ARM_ARCH_7EM__)
-#   define __ARM_ARCH__ 7
-#  elif defined(__ARM_ARCH_6__) || defined(__ARM_ARCH_6J__)     || \
-        defined(__ARM_ARCH_6K__)|| defined(__ARM_ARCH_6M__)     || \
-        defined(__ARM_ARCH_6Z__)|| defined(__ARM_ARCH_6ZK__)    || \
-        defined(__ARM_ARCH_6T2__)
-#   define __ARM_ARCH__ 6
-#  elif defined(__ARM_ARCH_5__) || defined(__ARM_ARCH_5T__)     || \
-        defined(__ARM_ARCH_5E__)|| defined(__ARM_ARCH_5TE__)    || \
-        defined(__ARM_ARCH_5TEJ__)
-#   define __ARM_ARCH__ 5
-#  elif defined(__ARM_ARCH_4__) || defined(__ARM_ARCH_4T__)
-#   define __ARM_ARCH__ 4
-#  else
-#   error "unsupported ARM architecture"
-#  endif
-# endif
-#endif
-
-#if !defined(__ASSEMBLER__)
-extern unsigned int OPENSSL_armcap_P;
-
-#define ARMV7_NEON      (1<<0)
-#define ARMV8_AES       (1<<1)
-#define ARMV8_SHA1      (1<<2)
-#define ARMV8_SHA256    (1<<3)
-#define ARMV8_PMULL     (1<<4)
-#endif
-
-#if defined(__OpenBSD__)
-#define __STRICT_ALIGNMENT
-#endif
-
-#endif
diff --git a/src/lib/libcrypto/arch/arm/armcap.c b/src/lib/libcrypto/arch/arm/armcap.c
deleted file mode 100644
index 0238195397..0000000000
--- a/src/lib/libcrypto/arch/arm/armcap.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/* $OpenBSD: armcap.c,v 1.3 2024/08/29 03:30:05 deraadt Exp $ */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <setjmp.h>
-#include <signal.h>
-#include <openssl/crypto.h>
-
-#include "arm_arch.h"
-
-unsigned int OPENSSL_armcap_P;
-
-#if __ARM_ARCH__ >= 7
-static sigset_t all_masked;
-
-static sigjmp_buf ill_jmp;
-
-static void
-ill_handler(int sig)
-{
-        siglongjmp(ill_jmp, sig);
-}
-
-/*
- * Following subroutines could have been inlined, but it's not all
- * ARM compilers support inline assembler...
- */
-void _armv7_neon_probe(void);
-void _armv8_aes_probe(void);
-void _armv8_sha1_probe(void);
-void _armv8_sha256_probe(void);
-void _armv8_pmull_probe(void);
-#endif
-
-void
-OPENSSL_cpuid_setup(void)
-{
-#if __ARM_ARCH__ >= 7
-        struct sigaction        ill_oact, ill_act;
-        sigset_t                oset;
-#endif
-        static int trigger = 0;
-
-        if (trigger)
-                return;
-        trigger = 1;
-
-        OPENSSL_armcap_P = 0;
-
-#if __ARM_ARCH__ >= 7
-        sigfillset(&all_masked);
-        sigdelset(&all_masked, SIGILL);
-        sigdelset(&all_masked, SIGTRAP);
-        sigdelset(&all_masked, SIGFPE);
-        sigdelset(&all_masked, SIGBUS);
-        sigdelset(&all_masked, SIGSEGV);
-
-        memset(&ill_act, 0, sizeof(ill_act));
-        ill_act.sa_handler = ill_handler;
-        ill_act.sa_mask = all_masked;
-
-        sigprocmask(SIG_SETMASK, &ill_act.sa_mask, &oset);
-        sigaction(SIGILL, &ill_act, &ill_oact);
-
-        if (sigsetjmp(ill_jmp, 1) == 0) {
-                _armv7_neon_probe();
-                OPENSSL_armcap_P |= ARMV7_NEON;
-                if (sigsetjmp(ill_jmp, 1) == 0) {
-                        _armv8_pmull_probe();
-                        OPENSSL_armcap_P |= ARMV8_PMULL | ARMV8_AES;
-                } else if (sigsetjmp(ill_jmp, 1) == 0) {
-                        _armv8_aes_probe();
-                        OPENSSL_armcap_P |= ARMV8_AES;
-                }
-                if (sigsetjmp(ill_jmp, 1) == 0) {
-                        _armv8_sha1_probe();
-                        OPENSSL_armcap_P |= ARMV8_SHA1;
-                }
-                if (sigsetjmp(ill_jmp, 1) == 0) {
-                        _armv8_sha256_probe();
-                        OPENSSL_armcap_P |= ARMV8_SHA256;
-                }
-        }
-
-        sigaction (SIGILL, &ill_oact, NULL);
-        sigprocmask(SIG_SETMASK, &oset, NULL);
-#endif
-}
diff --git a/src/lib/libcrypto/arch/arm/armv4cpuid.S b/src/lib/libcrypto/arch/arm/armv4cpuid.S
deleted file mode 100644
index db0b54e496..0000000000
--- a/src/lib/libcrypto/arch/arm/armv4cpuid.S
+++ /dev/null
@@ -1,69 +0,0 @@
-#include "arm_arch.h"
-
-.text
-#if defined(__thumb2__) && !defined(__APPLE__)
-.syntax unified
-.thumb
-#else
-.code   32
-#undef  __thumb2__
-#endif
-
-#if __ARM_ARCH__>=7
-.arch   armv7-a
-.fpu    neon
-
-.align  5
-.globl  _armv7_neon_probe
-.type   _armv7_neon_probe,%function
-_armv7_neon_probe:
-        vorr    q0,q0,q0
-        bx      lr
-.size   _armv7_neon_probe,.-_armv7_neon_probe
-
-.globl  _armv8_aes_probe
-.type   _armv8_aes_probe,%function
-_armv8_aes_probe:
-#if defined(__thumb2__) && !defined(__APPLE__)
-.byte   0xb0,0xff,0x00,0x03     @ aese.8        q0,q0
-#else
-.byte   0x00,0x03,0xb0,0xf3     @ aese.8        q0,q0
-#endif
-        bx      lr
-.size   _armv8_aes_probe,.-_armv8_aes_probe
-
-.globl  _armv8_sha1_probe
-.type   _armv8_sha1_probe,%function
-_armv8_sha1_probe:
-#if defined(__thumb2__) && !defined(__APPLE__)
-.byte   0x00,0xef,0x40,0x0c     @ sha1c.32      q0,q0,q0
-#else
-.byte   0x40,0x0c,0x00,0xf2     @ sha1c.32      q0,q0,q0
-#endif
-        bx      lr
-.size   _armv8_sha1_probe,.-_armv8_sha1_probe
-
-.globl  _armv8_sha256_probe
-.type   _armv8_sha256_probe,%function
-_armv8_sha256_probe:
-#if defined(__thumb2__) && !defined(__APPLE__)
-.byte   0x00,0xff,0x40,0x0c     @ sha256h.32    q0,q0,q0
-#else
-.byte   0x40,0x0c,0x00,0xf3     @ sha256h.32    q0,q0,q0
-#endif
-        bx      lr
-.size   _armv8_sha256_probe,.-_armv8_sha256_probe
-.globl  _armv8_pmull_probe
-.type   _armv8_pmull_probe,%function
-_armv8_pmull_probe:
-#if defined(__thumb2__) && !defined(__APPLE__)
-.byte   0xa0,0xef,0x00,0x0e     @ vmull.p64     q0,d0,d0
-#else
-.byte   0x00,0x0e,0xa0,0xf2     @ vmull.p64     q0,d0,d0
-#endif
-        bx      lr
-.size   _armv8_pmull_probe,.-_armv8_pmull_probe
-#endif
-
-.comm   OPENSSL_armcap_P,4,4
-.hidden OPENSSL_armcap_P
diff --git a/src/lib/libcrypto/arch/arm/crypto_arch.h b/src/lib/libcrypto/arch/arm/crypto_arch.h
index 07d7829fe3..732a59cf72 100644
--- a/src/lib/libcrypto/arch/arm/crypto_arch.h
+++ b/src/lib/libcrypto/arch/arm/crypto_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_arch.h,v 1.2 2025/02/14 12:01:58 jsing Exp $ */
+/*      $OpenBSD: crypto_arch.h,v 1.3 2025/05/24 07:07:18 jsing Exp $ */
 /*
  * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
  *
@@ -20,20 +20,6 @@
 
 #ifndef OPENSSL_NO_ASM
 
-#define HAVE_AES_SET_ENCRYPT_KEY_INTERNAL
-#define HAVE_AES_SET_DECRYPT_KEY_INTERNAL
-#define HAVE_AES_ENCRYPT_INTERNAL
-#define HAVE_AES_DECRYPT_INTERNAL
-
-#define HAVE_SHA1_BLOCK_DATA_ORDER
-#define HAVE_SHA1_BLOCK_GENERIC
-
-#define HAVE_SHA256_BLOCK_DATA_ORDER
-#define HAVE_SHA256_BLOCK_GENERIC
-
-#define HAVE_SHA512_BLOCK_DATA_ORDER
-#define HAVE_SHA512_BLOCK_GENERIC
-
 #endif
 
 #endif
diff --git a/src/lib/libcrypto/arch/arm/opensslconf.h b/src/lib/libcrypto/arch/arm/opensslconf.h
index a5d26b6fdc..c31bcc01ad 100644
--- a/src/lib/libcrypto/arch/arm/opensslconf.h
+++ b/src/lib/libcrypto/arch/arm/opensslconf.h
@@ -1,9 +1,4 @@
 #include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
 
 #undef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
@@ -16,139 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#undef RC4_CHUNK
-#endif
-#endif
-
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#define BN_LLONG
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#undef SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/hppa/opensslconf.h b/src/lib/libcrypto/arch/hppa/opensslconf.h
index a5d26b6fdc..c31bcc01ad 100644
--- a/src/lib/libcrypto/arch/hppa/opensslconf.h
+++ b/src/lib/libcrypto/arch/hppa/opensslconf.h
@@ -1,9 +1,4 @@
 #include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
 
 #undef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
@@ -16,139 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#undef RC4_CHUNK
-#endif
-#endif
-
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#define BN_LLONG
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#undef SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/i386/Makefile.inc b/src/lib/libcrypto/arch/i386/Makefile.inc
index 4bcf8e2bbc..bfc701687e 100644
--- a/src/lib/libcrypto/arch/i386/Makefile.inc
+++ b/src/lib/libcrypto/arch/i386/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.28 2025/04/18 13:19:39 jsing Exp $
+# $OpenBSD: Makefile.inc,v 1.31 2025/06/28 12:39:10 jsing Exp $
 
 # i386-specific libcrypto build rules
 
@@ -11,20 +11,26 @@ SRCS += crypto_cpu_caps.c
 CFLAGS+= -DAES_ASM
 SSLASM+= aes aes-586
 SSLASM+= aes aesni-x86
+SRCS += aes_i386.c
+
 # bn
-CFLAGS+= -DOPENSSL_IA32_SSE2
 SSLASM+= bn bn-586
 SSLASM+= bn co-586
 CFLAGS+= -DOPENSSL_BN_ASM_MONT
 SSLASM+= bn x86-mont
+
 # md5
 CFLAGS+= -DMD5_ASM
 SSLASM+= md5 md5-586
+
 # modes
 CFLAGS+= -DGHASH_ASM
 SSLASM+= modes ghash-x86
+SRCS += gcm128_i386.c
+
 # rc4
 SSLASM+= rc4 rc4-586
+
 # sha
 SSLASM+= sha sha1-586
 SSLASM+= sha sha256-586
diff --git a/src/lib/libcrypto/arch/i386/crypto_arch.h b/src/lib/libcrypto/arch/i386/crypto_arch.h
index 3df3963d0b..d2faa36e2e 100644
--- a/src/lib/libcrypto/arch/i386/crypto_arch.h
+++ b/src/lib/libcrypto/arch/i386/crypto_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_arch.h,v 1.4 2025/02/14 12:01:58 jsing Exp $ */
+/*      $OpenBSD: crypto_arch.h,v 1.12 2025/07/22 09:18:02 jsing Exp $ */
 /*
  * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
  *
@@ -15,19 +15,34 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#include <stdint.h>
+
 #ifndef HEADER_CRYPTO_ARCH_H
 #define HEADER_CRYPTO_ARCH_H
 
 #define HAVE_CRYPTO_CPU_CAPS_INIT
-#define HAVE_CRYPTO_CPU_CAPS_IA32
+
+#ifndef __ASSEMBLER__
+extern uint64_t crypto_cpu_caps_i386;
+#endif
+
+#define CRYPTO_CPU_CAPS_I386_AES        (1ULL << 0)
+#define CRYPTO_CPU_CAPS_I386_CLMUL      (1ULL << 1)
+#define CRYPTO_CPU_CAPS_I386_MMX        (1ULL << 2)
 
 #ifndef OPENSSL_NO_ASM
 
-#define HAVE_AES_CBC_ENCRYPT_INTERNAL
 #define HAVE_AES_SET_ENCRYPT_KEY_INTERNAL
 #define HAVE_AES_SET_DECRYPT_KEY_INTERNAL
 #define HAVE_AES_ENCRYPT_INTERNAL
 #define HAVE_AES_DECRYPT_INTERNAL
+#define HAVE_AES_CBC_ENCRYPT_INTERNAL
+#define HAVE_AES_CCM64_ENCRYPT_INTERNAL
+#define HAVE_AES_CTR32_ENCRYPT_INTERNAL
+#define HAVE_AES_ECB_ENCRYPT_INTERNAL
+#define HAVE_AES_XTS_ENCRYPT_INTERNAL
+
+#define HAVE_GCM128_INIT
 
 #define HAVE_RC4_INTERNAL
 #define HAVE_RC4_SET_KEY_INTERNAL
diff --git a/src/lib/libcrypto/arch/i386/crypto_cpu_caps.c b/src/lib/libcrypto/arch/i386/crypto_cpu_caps.c
index 6bb77411af..07d60f9a3f 100644
--- a/src/lib/libcrypto/arch/i386/crypto_cpu_caps.c
+++ b/src/lib/libcrypto/arch/i386/crypto_cpu_caps.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_cpu_caps.c,v 1.3 2024/11/12 13:14:57 jsing Exp $ */
+/*      $OpenBSD: crypto_cpu_caps.c,v 1.6 2025/07/22 09:18:02 jsing Exp $ */
 /*
  * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
  *
@@ -19,11 +19,15 @@
 
 #include <openssl/crypto.h>
 
+#include "crypto_arch.h"
 #include "x86_arch.h"
 
 /* Legacy architecture specific capabilities, used by perlasm. */
 uint64_t OPENSSL_ia32cap_P;
 
+/* Machine dependent CPU capabilities. */
+uint64_t crypto_cpu_caps_i386;
+
 /* Machine independent CPU capabilities. */
 extern uint64_t crypto_cpu_caps;
 
@@ -85,17 +89,23 @@ crypto_cpu_caps_init(void)
                 caps |= CPUCAP_MASK_FXSR;
         if ((edx & IA32CAP_MASK0_HT) != 0)
                 caps |= CPUCAP_MASK_HT;
-        if ((edx & IA32CAP_MASK0_MMX) != 0)
+        if ((edx & IA32CAP_MASK0_MMX) != 0) {
                 caps |= CPUCAP_MASK_MMX;
+                crypto_cpu_caps_i386 |= CRYPTO_CPU_CAPS_I386_MMX;
+        }
         if ((edx & IA32CAP_MASK0_SSE) != 0)
                 caps |= CPUCAP_MASK_SSE;
         if ((edx & IA32CAP_MASK0_SSE2) != 0)
                 caps |= CPUCAP_MASK_SSE2;
 
-        if ((ecx & IA32CAP_MASK1_AESNI) != 0)
+        if ((ecx & IA32CAP_MASK1_AESNI) != 0) {
                 caps |= CPUCAP_MASK_AESNI;
-        if ((ecx & IA32CAP_MASK1_PCLMUL) != 0)
+                crypto_cpu_caps_i386 |= CRYPTO_CPU_CAPS_I386_AES;
+        }
+        if ((ecx & IA32CAP_MASK1_PCLMUL) != 0) {
                 caps |= CPUCAP_MASK_PCLMUL;
+                crypto_cpu_caps_i386 |= CRYPTO_CPU_CAPS_I386_CLMUL;
+        }
         if ((ecx & IA32CAP_MASK1_SSSE3) != 0)
                 caps |= CPUCAP_MASK_SSSE3;
 
@@ -112,9 +122,3 @@ crypto_cpu_caps_init(void)
 
         OPENSSL_ia32cap_P = caps;
 }
-
-uint64_t
-crypto_cpu_caps_ia32(void)
-{
-        return OPENSSL_ia32cap_P;
-}
diff --git a/src/lib/libcrypto/arch/i386/opensslconf.h b/src/lib/libcrypto/arch/i386/opensslconf.h
index 03cf31b940..c31bcc01ad 100644
--- a/src/lib/libcrypto/arch/i386/opensslconf.h
+++ b/src/lib/libcrypto/arch/i386/opensslconf.h
@@ -1,9 +1,4 @@
 #include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
 
 #undef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
@@ -16,139 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#undef RC4_CHUNK
-#endif
-#endif
-
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned long
-#endif
-#endif
-
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#define BN_LLONG
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#undef SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#define DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#define DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/m88k/opensslconf.h b/src/lib/libcrypto/arch/m88k/opensslconf.h
index a5d26b6fdc..c31bcc01ad 100644
--- a/src/lib/libcrypto/arch/m88k/opensslconf.h
+++ b/src/lib/libcrypto/arch/m88k/opensslconf.h
@@ -1,9 +1,4 @@
 #include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
 
 #undef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
@@ -16,139 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#undef RC4_CHUNK
-#endif
-#endif
-
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#define BN_LLONG
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#undef SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/mips64/opensslconf.h b/src/lib/libcrypto/arch/mips64/opensslconf.h
index 36cdd2840b..c31bcc01ad 100644
--- a/src/lib/libcrypto/arch/mips64/opensslconf.h
+++ b/src/lib/libcrypto/arch/mips64/opensslconf.h
@@ -1,9 +1,4 @@
 #include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
 
 #undef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
@@ -16,139 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
-
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#define SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#undef THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#define BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#define DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#define DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#undef DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/powerpc/opensslconf.h b/src/lib/libcrypto/arch/powerpc/opensslconf.h
index a5d26b6fdc..c31bcc01ad 100644
--- a/src/lib/libcrypto/arch/powerpc/opensslconf.h
+++ b/src/lib/libcrypto/arch/powerpc/opensslconf.h
@@ -1,9 +1,4 @@
 #include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
 
 #undef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
@@ -16,139 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#undef RC4_CHUNK
-#endif
-#endif
-
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#define BN_LLONG
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#undef SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/powerpc64/opensslconf.h b/src/lib/libcrypto/arch/powerpc64/opensslconf.h
index cc193762f1..c31bcc01ad 100644
--- a/src/lib/libcrypto/arch/powerpc64/opensslconf.h
+++ b/src/lib/libcrypto/arch/powerpc64/opensslconf.h
@@ -1,9 +1,4 @@
 #include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
 
 #undef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
@@ -16,134 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
-
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-#define SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#undef THIRTY_TWO_BIT
-#endif
-
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/riscv64/opensslconf.h b/src/lib/libcrypto/arch/riscv64/opensslconf.h
index 731b06aecc..c31bcc01ad 100644
--- a/src/lib/libcrypto/arch/riscv64/opensslconf.h
+++ b/src/lib/libcrypto/arch/riscv64/opensslconf.h
@@ -1,9 +1,4 @@
 #include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
 
 #undef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
@@ -16,139 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
-
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#define SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#undef THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/sh/opensslconf.h b/src/lib/libcrypto/arch/sh/opensslconf.h
index a5d26b6fdc..c31bcc01ad 100644
--- a/src/lib/libcrypto/arch/sh/opensslconf.h
+++ b/src/lib/libcrypto/arch/sh/opensslconf.h
@@ -1,9 +1,4 @@
 #include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
 
 #undef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
@@ -16,139 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#undef RC4_CHUNK
-#endif
-#endif
-
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#define BN_LLONG
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#undef SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/sparc64/opensslconf.h b/src/lib/libcrypto/arch/sparc64/opensslconf.h
index 36cdd2840b..c31bcc01ad 100644
--- a/src/lib/libcrypto/arch/sparc64/opensslconf.h
+++ b/src/lib/libcrypto/arch/sparc64/opensslconf.h
@@ -1,9 +1,4 @@
 #include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
 
 #undef OPENSSL_EXPORT_VAR_AS_FUNCTION
 
@@ -16,139 +11,3 @@
 #define OPENSSL_LINE __LINE__
 #endif
 #endif
-
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
-
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
-
-/* Should we define BN_DIV2W here? */
-
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#define SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#undef THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#define BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#define DES_PTR
-#endif
-
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-
-#ifndef DES_RISC2
-#define DES_RISC2
-#endif
-
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#undef DES_UNROLL
-#endif
-
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/asn1/a_bitstr.c b/src/lib/libcrypto/asn1/a_bitstr.c
index d5d00c4d44..3d1e49c49a 100644
--- a/src/lib/libcrypto/asn1/a_bitstr.c
+++ b/src/lib/libcrypto/asn1/a_bitstr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_bitstr.c,v 1.43 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_bitstr.c,v 1.44 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,10 +63,10 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
 #include "bytestring.h"
+#include "err_local.h"
 
 const ASN1_ITEM ASN1_BIT_STRING_it = {
         .itype = ASN1_ITYPE_PRIMITIVE,
diff --git a/src/lib/libcrypto/asn1/a_enum.c b/src/lib/libcrypto/asn1/a_enum.c
index 5d3a3dd0c7..ac5033ea8a 100644
--- a/src/lib/libcrypto/asn1/a_enum.c
+++ b/src/lib/libcrypto/asn1/a_enum.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_enum.c,v 1.30 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_enum.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,10 +63,10 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
 #include "bytestring.h"
+#include "err_local.h"
 
 /*
  * Code for ENUMERATED type: identical to INTEGER apart from a different tag.
diff --git a/src/lib/libcrypto/asn1/a_int.c b/src/lib/libcrypto/asn1/a_int.c
index 0d9b6577d7..f171e330f6 100644
--- a/src/lib/libcrypto/asn1/a_int.c
+++ b/src/lib/libcrypto/asn1/a_int.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_int.c,v 1.48 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_int.c,v 1.49 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -64,9 +64,9 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 
 #include "bytestring.h"
+#include "err_local.h"
 
 const ASN1_ITEM ASN1_INTEGER_it = {
         .itype = ASN1_ITYPE_PRIMITIVE,
diff --git a/src/lib/libcrypto/asn1/a_mbstr.c b/src/lib/libcrypto/asn1/a_mbstr.c
index f050f97539..38398ad1d1 100644
--- a/src/lib/libcrypto/asn1/a_mbstr.c
+++ b/src/lib/libcrypto/asn1/a_mbstr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_mbstr.c,v 1.27 2023/07/05 21:23:36 beck Exp $ */
+/* $OpenBSD: a_mbstr.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -61,9 +61,9 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 static int traverse_string(const unsigned char *p, int len, int inform,
     int (*rfunc)(unsigned long value, void *in), void *arg);
diff --git a/src/lib/libcrypto/asn1/a_object.c b/src/lib/libcrypto/asn1/a_object.c
index 2f3ca1398f..333ac60348 100644
--- a/src/lib/libcrypto/asn1/a_object.c
+++ b/src/lib/libcrypto/asn1/a_object.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_object.c,v 1.55 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_object.c,v 1.56 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,11 +62,11 @@
 
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 const ASN1_ITEM ASN1_OBJECT_it = {
         .itype = ASN1_ITYPE_PRIMITIVE,
diff --git a/src/lib/libcrypto/asn1/a_pkey.c b/src/lib/libcrypto/asn1/a_pkey.c
index a730728076..636b602377 100644
--- a/src/lib/libcrypto/asn1/a_pkey.c
+++ b/src/lib/libcrypto/asn1/a_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_pkey.c,v 1.8 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: a_pkey.c,v 1.9 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,12 +62,12 @@
 
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 EVP_PKEY *
diff --git a/src/lib/libcrypto/asn1/a_pubkey.c b/src/lib/libcrypto/asn1/a_pubkey.c
index 544f3d2cf0..f846b6cda5 100644
--- a/src/lib/libcrypto/asn1/a_pubkey.c
+++ b/src/lib/libcrypto/asn1/a_pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_pubkey.c,v 1.7 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: a_pubkey.c,v 1.8 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,7 +62,6 @@
 
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 
@@ -76,6 +75,7 @@
 #include <openssl/rsa.h>
 #endif
 
+#include "err_local.h"
 #include "evp_local.h"
 
 EVP_PKEY *
diff --git a/src/lib/libcrypto/asn1/a_string.c b/src/lib/libcrypto/asn1/a_string.c
index ec492e71f0..70e9c95f22 100644
--- a/src/lib/libcrypto/asn1/a_string.c
+++ b/src/lib/libcrypto/asn1/a_string.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_string.c,v 1.17 2023/08/15 18:05:15 tb Exp $ */
+/* $OpenBSD: a_string.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,9 +61,9 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 ASN1_STRING *
 ASN1_STRING_new(void)
diff --git a/src/lib/libcrypto/asn1/a_strnid.c b/src/lib/libcrypto/asn1/a_strnid.c
index 5fa60b9ce7..3519d6725d 100644
--- a/src/lib/libcrypto/asn1/a_strnid.c
+++ b/src/lib/libcrypto/asn1/a_strnid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_strnid.c,v 1.31 2024/03/02 08:54:02 tb Exp $ */
+/* $OpenBSD: a_strnid.c,v 1.32 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,7 +62,6 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 
 /*
diff --git a/src/lib/libcrypto/asn1/a_time.c b/src/lib/libcrypto/asn1/a_time.c
index 15ac1af5c4..3deff56eda 100644
--- a/src/lib/libcrypto/asn1/a_time.c
+++ b/src/lib/libcrypto/asn1/a_time.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time.c,v 1.38 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_time.c,v 1.39 2025/05/10 05:54:38 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
  *
@@ -65,7 +65,6 @@
 #include <time.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
 
diff --git a/src/lib/libcrypto/asn1/a_time_tm.c b/src/lib/libcrypto/asn1/a_time_tm.c
index a1f329be96..dd2893167f 100644
--- a/src/lib/libcrypto/asn1/a_time_tm.c
+++ b/src/lib/libcrypto/asn1/a_time_tm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time_tm.c,v 1.42 2024/05/03 18:33:27 tb Exp $ */
+/* $OpenBSD: a_time_tm.c,v 1.43 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
  *
@@ -22,10 +22,10 @@
 #include <time.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 
-#include "bytestring.h"
 #include "asn1_local.h"
+#include "bytestring.h"
+#include "err_local.h"
 
 #define RFC5280 0
 #define GENTIME_LENGTH 15
diff --git a/src/lib/libcrypto/asn1/a_type.c b/src/lib/libcrypto/asn1/a_type.c
index ef0a76e810..502db42a73 100644
--- a/src/lib/libcrypto/asn1/a_type.c
+++ b/src/lib/libcrypto/asn1/a_type.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_type.c,v 1.27 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: a_type.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,10 +59,10 @@
 #include <string.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 typedef struct {
         ASN1_INTEGER *num;
diff --git a/src/lib/libcrypto/asn1/asn1_gen.c b/src/lib/libcrypto/asn1/asn1_gen.c
index edd6743993..b409e83c7d 100644
--- a/src/lib/libcrypto/asn1/asn1_gen.c
+++ b/src/lib/libcrypto/asn1/asn1_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_gen.c,v 1.27 2025/03/06 07:25:01 tb Exp $ */
+/* $OpenBSD: asn1_gen.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2002.
  */
@@ -59,11 +59,11 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
 #include "asn1_local.h"
 #include "conf_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 #define ASN1_GEN_FLAG           0x10000
diff --git a/src/lib/libcrypto/asn1/asn1_item.c b/src/lib/libcrypto/asn1/asn1_item.c
index 86c800e3ad..621d65711b 100644
--- a/src/lib/libcrypto/asn1/asn1_item.c
+++ b/src/lib/libcrypto/asn1/asn1_item.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_item.c,v 1.21 2024/04/09 13:55:02 beck Exp $ */
+/* $OpenBSD: asn1_item.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -112,11 +112,11 @@
 #include <limits.h>
 
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/asn1/asn1_old.c b/src/lib/libcrypto/asn1/asn1_old.c
index 7992fccdef..c47ea8e74a 100644
--- a/src/lib/libcrypto/asn1/asn1_old.c
+++ b/src/lib/libcrypto/asn1/asn1_old.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_old.c,v 1.6 2024/04/10 14:55:12 beck Exp $ */
+/* $OpenBSD: asn1_old.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,9 +61,9 @@
 
 #include <openssl/asn1.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 #ifndef NO_OLD_ASN1
 
diff --git a/src/lib/libcrypto/asn1/asn1_old_lib.c b/src/lib/libcrypto/asn1/asn1_old_lib.c
index 80362ae689..541ac7b615 100644
--- a/src/lib/libcrypto/asn1/asn1_old_lib.c
+++ b/src/lib/libcrypto/asn1/asn1_old_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_old_lib.c,v 1.6 2023/07/05 21:23:36 beck Exp $ */
+/* $OpenBSD: asn1_old_lib.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,9 +61,9 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 static void asn1_put_length(unsigned char **pp, int length);
 
diff --git a/src/lib/libcrypto/asn1/asn_mime.c b/src/lib/libcrypto/asn1/asn_mime.c
index 3995fc547c..d42dd8663e 100644
--- a/src/lib/libcrypto/asn1/asn_mime.c
+++ b/src/lib/libcrypto/asn1/asn_mime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn_mime.c,v 1.35 2025/01/17 05:02:18 tb Exp $ */
+/* $OpenBSD: asn_mime.c,v 1.37 2025/06/02 12:18:21 jsg Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -59,10 +59,10 @@
 
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 /* Generalised MIME like utilities for streaming ASN1. Although many
@@ -507,8 +507,9 @@ SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it)
                         *bcont = sk_BIO_value(parts, 0);
                         BIO_free(asnin);
                         sk_BIO_free(parts);
-                } else sk_BIO_pop_free(parts, BIO_vfree);
-                        return val;
+                } else
+                        sk_BIO_pop_free(parts, BIO_vfree);
+                return val;
         }
 
         /* OK, if not multipart/signed try opaque signature */
diff --git a/src/lib/libcrypto/asn1/asn_moid.c b/src/lib/libcrypto/asn1/asn_moid.c
index e3c7d09446..a9a752cc38 100644
--- a/src/lib/libcrypto/asn1/asn_moid.c
+++ b/src/lib/libcrypto/asn1/asn_moid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn_moid.c,v 1.18 2024/08/31 09:26:18 tb Exp $ */
+/* $OpenBSD: asn_moid.c,v 1.20 2025/05/10 11:51:01 tb Exp $ */
 /* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -60,13 +60,13 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/conf.h>
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
 #include "conf_local.h"
+#include "err_local.h"
 
 /* Simple ASN1 OID module: add all objects in a given section */
 
diff --git a/src/lib/libcrypto/asn1/bio_ndef.c b/src/lib/libcrypto/asn1/bio_ndef.c
index 98bb1cd197..d001ffb0ae 100644
--- a/src/lib/libcrypto/asn1/bio_ndef.c
+++ b/src/lib/libcrypto/asn1/bio_ndef.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_ndef.c,v 1.24 2023/07/28 09:58:30 tb Exp $ */
+/* $OpenBSD: bio_ndef.c,v 1.25 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -57,9 +57,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 int BIO_asn1_set_prefix(BIO *b, asn1_ps_func *prefix, asn1_ps_func *prefix_free);
 int BIO_asn1_set_suffix(BIO *b, asn1_ps_func *suffix, asn1_ps_func *suffix_free);
diff --git a/src/lib/libcrypto/asn1/p5_pbe.c b/src/lib/libcrypto/asn1/p5_pbe.c
index 582d2d9a9b..668bf5d7c1 100644
--- a/src/lib/libcrypto/asn1/p5_pbe.c
+++ b/src/lib/libcrypto/asn1/p5_pbe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_pbe.c,v 1.28 2024/07/08 14:48:49 beck Exp $ */
+/* $OpenBSD: p5_pbe.c,v 1.30 2025/05/24 02:57:14 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -61,11 +61,14 @@
 #include <string.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
+/* RFC 8018, section 6.1 specifies an eight-octet salt for PBES1. */
+#define PKCS5_PBE1_SALT_LEN     8
+
 /* PKCS#5 password based encryption structure */
 
 static const ASN1_TEMPLATE PBEPARAM_seq_tt[] = {
@@ -139,7 +142,7 @@ PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
                 goto err;
         }
         if (!saltlen)
-                saltlen = PKCS5_SALT_LEN;
+                saltlen = PKCS5_PBE1_SALT_LEN;
         if (!ASN1_STRING_set(pbe->salt, NULL, saltlen)) {
                 ASN1error(ERR_R_MALLOC_FAILURE);
                 goto err;
diff --git a/src/lib/libcrypto/asn1/p5_pbev2.c b/src/lib/libcrypto/asn1/p5_pbev2.c
index 76872a8dec..64924d9b38 100644
--- a/src/lib/libcrypto/asn1/p5_pbev2.c
+++ b/src/lib/libcrypto/asn1/p5_pbev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_pbev2.c,v 1.35 2024/03/26 07:03:10 tb Exp $ */
+/* $OpenBSD: p5_pbev2.c,v 1.38 2025/05/24 02:57:14 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999-2004.
  */
@@ -61,12 +61,18 @@
 #include <string.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
+/*
+ * RFC 8018, sections 6.2 and 4 specify at least 64 bits for PBES2, apparently
+ * FIPS will require at least 128 bits in the future, OpenSSL does that.
+ */
+#define PKCS5_PBE2_SALT_LEN     16
+
 /* PKCS#5 v2.0 password based encryption structures */
 
 static const ASN1_TEMPLATE PBE2PARAM_seq_tt[] = {
@@ -187,7 +193,7 @@ PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, unsigned char *salt,
     int saltlen)
 {
         X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
-        int prf_nid = NID_hmacWithSHA1;
+        int prf_nid = NID_hmacWithSHA256;
         int alg_nid, keylen;
         EVP_CIPHER_CTX ctx;
         unsigned char iv[EVP_MAX_IV_LENGTH];
@@ -292,7 +298,7 @@ PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, int prf_nid,
         kdf->salt->type = V_ASN1_OCTET_STRING;
 
         if (!saltlen)
-                saltlen = PKCS5_SALT_LEN;
+                saltlen = PKCS5_PBE2_SALT_LEN;
         if (!(osalt->data = malloc (saltlen)))
                 goto merr;
 
diff --git a/src/lib/libcrypto/asn1/t_crl.c b/src/lib/libcrypto/asn1/t_crl.c
index 6449e7f199..295ab6c050 100644
--- a/src/lib/libcrypto/asn1/t_crl.c
+++ b/src/lib/libcrypto/asn1/t_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_crl.c,v 1.26 2024/05/03 02:52:00 tb Exp $ */
+/* $OpenBSD: t_crl.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -61,11 +61,11 @@
 
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 int
diff --git a/src/lib/libcrypto/asn1/t_req.c b/src/lib/libcrypto/asn1/t_req.c
index 1d4be9865d..51e4b4f651 100644
--- a/src/lib/libcrypto/asn1/t_req.c
+++ b/src/lib/libcrypto/asn1/t_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_req.c,v 1.28 2024/05/03 02:52:00 tb Exp $ */
+/* $OpenBSD: t_req.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,7 +62,6 @@
 
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -74,6 +73,7 @@
 #include <openssl/rsa.h>
 #endif
 
+#include "err_local.h"
 #include "x509_local.h"
 
 int
diff --git a/src/lib/libcrypto/asn1/t_x509.c b/src/lib/libcrypto/asn1/t_x509.c
index 7cf4557314..71f97a8214 100644
--- a/src/lib/libcrypto/asn1/t_x509.c
+++ b/src/lib/libcrypto/asn1/t_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_x509.c,v 1.51 2025/02/08 03:41:36 tb Exp $ */
+/* $OpenBSD: t_x509.c,v 1.54 2025/07/01 06:46:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -65,13 +65,13 @@
 
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/sha.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
@@ -106,6 +106,28 @@ X509_print(BIO *bp, X509 *x)
 }
 LCRYPTO_ALIAS(X509_print);
 
+static int
+x509_print_uids(BIO *bp, const X509 *x, int indent)
+{
+        const ASN1_BIT_STRING *issuerUID = NULL, *subjectUID = NULL;
+
+        X509_get0_uids(x, &issuerUID, &subjectUID);
+        if (issuerUID != NULL) {
+                if (BIO_printf(bp, "%*sIssuer Unique ID: ", indent, "") <= 0)
+                        return 0;
+                if (!X509_signature_dump(bp, issuerUID, indent + 4))
+                        return 0;
+        }
+        if (subjectUID != NULL) {
+                if (BIO_printf(bp, "%*sSubject Unique ID: ", indent, "") <= 0)
+                        return 0;
+                if (!X509_signature_dump(bp, subjectUID, indent + 4))
+                        return 0;
+        }
+
+        return 1;
+}
+
 int
 X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 {
@@ -127,9 +149,9 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 
         ci = x->cert_info;
         if (!(cflag & X509_FLAG_NO_HEADER)) {
-                if (BIO_write(bp, "Certificate:\n", 13) <= 0)
+                if (BIO_printf(bp, "Certificate:\n") <= 0)
                         goto err;
-                if (BIO_write(bp, "    Data:\n", 10) <= 0)
+                if (BIO_printf(bp, "    Data:\n") <= 0)
                         goto err;
         }
         if (!(cflag & X509_FLAG_NO_VERSION)) {
@@ -145,7 +167,7 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                 }
         }
         if (!(cflag & X509_FLAG_NO_SERIAL)) {
-                if (BIO_write(bp, "        Serial Number:", 22) <= 0)
+                if (BIO_printf(bp, "        Serial Number:") <= 0)
                         goto err;
 
                 bs = X509_get_serialNumber(x);
@@ -196,21 +218,21 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                 if (X509_NAME_print_ex(bp, X509_get_issuer_name(x),
                     nmindent, nmflags) < (nmflags == X509_FLAG_COMPAT ? 1 : 0))
                         goto err;
-                if (BIO_write(bp, "\n", 1) <= 0)
+                if (BIO_printf(bp, "\n") <= 0)
                         goto err;
         }
         if (!(cflag & X509_FLAG_NO_VALIDITY)) {
-                if (BIO_write(bp, "        Validity\n", 17) <= 0)
+                if (BIO_printf(bp, "        Validity\n") <= 0)
                         goto err;
-                if (BIO_write(bp, "            Not Before: ", 24) <= 0)
+                if (BIO_printf(bp, "            Not Before: ") <= 0)
                         goto err;
                 if (!ASN1_TIME_print(bp, X509_get_notBefore(x)))
                         goto err;
-                if (BIO_write(bp, "\n            Not After : ", 25) <= 0)
+                if (BIO_printf(bp, "\n            Not After : ") <= 0)
                         goto err;
                 if (!ASN1_TIME_print(bp, X509_get_notAfter(x)))
                         goto err;
-                if (BIO_write(bp, "\n", 1) <= 0)
+                if (BIO_printf(bp, "\n") <= 0)
                         goto err;
         }
         if (!(cflag & X509_FLAG_NO_SUBJECT)) {
@@ -219,12 +241,11 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                 if (X509_NAME_print_ex(bp, X509_get_subject_name(x),
                     nmindent, nmflags) < (nmflags == X509_FLAG_COMPAT ? 1 : 0))
                         goto err;
-                if (BIO_write(bp, "\n", 1) <= 0)
+                if (BIO_printf(bp, "\n") <= 0)
                         goto err;
         }
         if (!(cflag & X509_FLAG_NO_PUBKEY)) {
-                if (BIO_write(bp, "        Subject Public Key Info:\n",
-                    33) <= 0)
+                if (BIO_printf(bp, "        Subject Public Key Info:\n") <= 0)
                         goto err;
                 if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)
                         goto err;
@@ -243,6 +264,11 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                 }
         }
 
+        if (!(cflag & X509_FLAG_NO_IDS)) {
+                if (!x509_print_uids(bp, x, 8))
+                        goto err;
+        }
+
         if (!(cflag & X509_FLAG_NO_EXTENSIONS))
                 X509V3_extensions_print(bp, "X509v3 extensions",
                     ci->extensions, cflag, 8);
@@ -325,7 +351,7 @@ X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
         s = sig->data;
         for (i = 0; i < n; i++) {
                 if ((i % 18) == 0) {
-                        if (BIO_write(bp, "\n", 1) <= 0)
+                        if (BIO_printf(bp, "\n") <= 0)
                                 return 0;
                         if (BIO_indent(bp, indent, indent) <= 0)
                                 return 0;
@@ -334,7 +360,7 @@ X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
                     ((i + 1) == n) ? "" : ":") <= 0)
                         return 0;
         }
-        if (BIO_write(bp, "\n", 1) != 1)
+        if (BIO_printf(bp, "\n") != 1)
                 return 0;
 
         return 1;
@@ -375,7 +401,7 @@ ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
                 return ASN1_UTCTIME_print(bp, tm);
         if (tm->type == V_ASN1_GENERALIZEDTIME)
                 return ASN1_GENERALIZEDTIME_print(bp, tm);
-        BIO_write(bp, "Bad time value", 14);
+        BIO_printf(bp, "Bad time value");
         return (0);
 }
 LCRYPTO_ALIAS(ASN1_TIME_print);
@@ -435,7 +461,7 @@ ASN1_GENERALIZEDTIME_print(BIO *bp, const ASN1_GENERALIZEDTIME *tm)
                 return (1);
 
  err:
-        BIO_write(bp, "Bad time value", 14);
+        BIO_printf(bp, "Bad time value");
         return (0);
 }
 LCRYPTO_ALIAS(ASN1_GENERALIZEDTIME_print);
@@ -479,7 +505,7 @@ ASN1_UTCTIME_print(BIO *bp, const ASN1_UTCTIME *tm)
                 return (1);
 
  err:
-        BIO_write(bp, "Bad time value", 14);
+        BIO_printf(bp, "Bad time value");
         return (0);
 }
 LCRYPTO_ALIAS(ASN1_UTCTIME_print);
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
index 31b9efee54..1bffae8a94 100644
--- a/src/lib/libcrypto/asn1/tasn_dec.c
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_dec.c,v 1.88 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: tasn_dec.c,v 1.89 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -63,11 +63,11 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 
 #include "asn1_local.h"
 #include "bytestring.h"
+#include "err_local.h"
 
 /*
  * Constructed types with a recursive definition (such as can be found in PKCS7)
diff --git a/src/lib/libcrypto/asn1/tasn_enc.c b/src/lib/libcrypto/asn1/tasn_enc.c
index b71993a139..a65fb5b7e7 100644
--- a/src/lib/libcrypto/asn1/tasn_enc.c
+++ b/src/lib/libcrypto/asn1/tasn_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_enc.c,v 1.33 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: tasn_enc.c,v 1.34 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -61,10 +61,10 @@
 
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,
     const ASN1_ITEM *it, int tag, int aclass);
diff --git a/src/lib/libcrypto/asn1/tasn_fre.c b/src/lib/libcrypto/asn1/tasn_fre.c
index 0e259a13ab..c3de668483 100644
--- a/src/lib/libcrypto/asn1/tasn_fre.c
+++ b/src/lib/libcrypto/asn1/tasn_fre.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_fre.c,v 1.24 2024/12/11 11:22:06 tb Exp $ */
+/* $OpenBSD: tasn_fre.c,v 1.25 2025/08/14 19:02:17 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -147,8 +147,9 @@ asn1_item_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
                                 return;
                 }
                 asn1_enc_cleanup(pval, it);
-                /* If we free up as normal we will invalidate any
-                 * ANY DEFINED BY field and we wont be able to
+                /*
+                 * If we free up as normal, we will invalidate any
+                 * ANY DEFINED BY field and we won't be able to
                  * determine the type of the field it defines. So
                  * free up in reverse order.
                  */
diff --git a/src/lib/libcrypto/asn1/tasn_new.c b/src/lib/libcrypto/asn1/tasn_new.c
index 10c1137dbf..e17810b832 100644
--- a/src/lib/libcrypto/asn1/tasn_new.c
+++ b/src/lib/libcrypto/asn1/tasn_new.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_new.c,v 1.25 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: tasn_new.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -60,11 +60,11 @@
 #include <stddef.h>
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
-#include <openssl/err.h>
 #include <openssl/asn1t.h>
 #include <string.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 static int asn1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
 static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
diff --git a/src/lib/libcrypto/asn1/tasn_prn.c b/src/lib/libcrypto/asn1/tasn_prn.c
index 07764fc091..4db6d61111 100644
--- a/src/lib/libcrypto/asn1/tasn_prn.c
+++ b/src/lib/libcrypto/asn1/tasn_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_prn.c,v 1.27 2024/03/02 09:04:07 tb Exp $ */
+/* $OpenBSD: tasn_prn.c,v 1.29 2025/06/07 09:28:00 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -61,7 +61,6 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509v3.h>
 
@@ -411,7 +410,7 @@ asn1_primitive_print(BIO *out, ASN1_VALUE **fld, const ASN1_ITEM *it,
         if (!asn1_print_fsname(out, indent, fname, sname, pctx))
                 return 0;
 
-        if (it != NULL && it->funcs != NULL) {
+        if (it->funcs != NULL) {
                 const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
 
                 if (pf->prim_print == NULL)
diff --git a/src/lib/libcrypto/asn1/tasn_utl.c b/src/lib/libcrypto/asn1/tasn_utl.c
index ae546edd4b..178a364c89 100644
--- a/src/lib/libcrypto/asn1/tasn_utl.c
+++ b/src/lib/libcrypto/asn1/tasn_utl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_utl.c,v 1.18 2022/12/26 07:18:51 jmc Exp $ */
+/* $OpenBSD: tasn_utl.c,v 1.19 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -63,9 +63,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/objects.h>
-#include <openssl/err.h>
 
 #include "bytestring.h"
+#include "err_local.h"
 
 /* Utility functions for manipulating fields and offsets */
 
diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c
index 7ad8350f3d..19caf56cec 100644
--- a/src/lib/libcrypto/asn1/x_crl.c
+++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_crl.c,v 1.48 2025/02/27 20:13:41 tb Exp $ */
+/* $OpenBSD: x_crl.c,v 1.50 2025/07/10 18:48:31 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,11 +61,11 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp);
@@ -540,6 +540,12 @@ LCRYPTO_ALIAS(X509_CRL_add0_revoked);
 int
 X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey)
 {
+        /*
+         * The CertificateList's signature AlgorithmIdentifier must match
+         * the one inside the TBSCertList, see RFC 5280, 5.1.1.2, 5.1.2.2.
+         */
+        if (X509_ALGOR_cmp(crl->sig_alg, crl->crl->sig_alg) != 0)
+                return 0;
         return ASN1_item_verify(&X509_CRL_INFO_it, crl->sig_alg, crl->signature,
             crl->crl, pkey);
 }
diff --git a/src/lib/libcrypto/asn1/x_info.c b/src/lib/libcrypto/asn1/x_info.c
deleted file mode 100644
index d2c4bcfe7a..0000000000
--- a/src/lib/libcrypto/asn1/x_info.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/* $OpenBSD: x_info.c,v 1.22 2024/12/11 10:28:03 tb Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-
-#include <openssl/asn1.h>
-#include <openssl/err.h>
-#include <openssl/x509.h>
-
-X509_INFO *
-X509_INFO_new(void)
-{
-        X509_INFO *ret;
-
-        if ((ret = calloc(1, sizeof(X509_INFO))) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                return NULL;
-        }
-        ret->references = 1;
-
-        return ret;
-}
-LCRYPTO_ALIAS(X509_INFO_new);
-
-void
-X509_INFO_free(X509_INFO *x)
-{
-        if (x == NULL)
-                return;
-
-        if (CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO) > 0)
-                return;
-
-        X509_free(x->x509);
-        X509_CRL_free(x->crl);
-        X509_PKEY_free(x->x_pkey);
-        free(x->enc_data);
-
-        free(x);
-}
-LCRYPTO_ALIAS(X509_INFO_free);
diff --git a/src/lib/libcrypto/asn1/x_long.c b/src/lib/libcrypto/asn1/x_long.c
index 5e673f4521..a72411f30c 100644
--- a/src/lib/libcrypto/asn1/x_long.c
+++ b/src/lib/libcrypto/asn1/x_long.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_long.c,v 1.21 2024/07/08 16:24:22 beck Exp $ */
+/* $OpenBSD: x_long.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -61,9 +61,9 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 /*
  * Custom primitive type for long handling. This converts between an
diff --git a/src/lib/libcrypto/asn1/x_name.c b/src/lib/libcrypto/asn1/x_name.c
index c60714b74f..09536666fc 100644
--- a/src/lib/libcrypto/asn1/x_name.c
+++ b/src/lib/libcrypto/asn1/x_name.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_name.c,v 1.45 2025/03/20 09:41:47 tb Exp $ */
+/* $OpenBSD: x_name.c,v 1.46 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,10 +61,10 @@
 #include <string.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
diff --git a/src/lib/libcrypto/asn1/x_pkey.c b/src/lib/libcrypto/asn1/x_pkey.c
deleted file mode 100644
index 5c96c13ab9..0000000000
--- a/src/lib/libcrypto/asn1/x_pkey.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/* $OpenBSD: x_pkey.c,v 1.24 2024/04/09 13:55:02 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-
-X509_PKEY *
-X509_PKEY_new(void)
-{
-        X509_PKEY *ret = NULL;
-
-        if ((ret = malloc(sizeof(X509_PKEY))) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        ret->version = 0;
-        if ((ret->enc_algor = X509_ALGOR_new()) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if ((ret->enc_pkey = ASN1_OCTET_STRING_new()) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        ret->dec_pkey = NULL;
-        ret->key_length = 0;
-        ret->key_data = NULL;
-        ret->key_free = 0;
-        ret->cipher.cipher = NULL;
-        memset(ret->cipher.iv, 0, EVP_MAX_IV_LENGTH);
-        ret->references = 1;
-        return (ret);
-
- err:
-        if (ret) {
-                X509_ALGOR_free(ret->enc_algor);
-                free(ret);
-        }
-        return NULL;
-}
-LCRYPTO_ALIAS(X509_PKEY_new);
-
-void
-X509_PKEY_free(X509_PKEY *x)
-{
-        int i;
-
-        if (x == NULL)
-                return;
-
-        i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_PKEY);
-        if (i > 0)
-                return;
-
-        if (x->enc_algor != NULL)
-                X509_ALGOR_free(x->enc_algor);
-        ASN1_OCTET_STRING_free(x->enc_pkey);
-        EVP_PKEY_free(x->dec_pkey);
-        if ((x->key_data != NULL) && (x->key_free))
-                free(x->key_data);
-        free(x);
-}
-LCRYPTO_ALIAS(X509_PKEY_free);
diff --git a/src/lib/libcrypto/asn1/x_pubkey.c b/src/lib/libcrypto/asn1/x_pubkey.c
index 1e772a3458..ec847861ea 100644
--- a/src/lib/libcrypto/asn1/x_pubkey.c
+++ b/src/lib/libcrypto/asn1/x_pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_pubkey.c,v 1.37 2024/07/08 14:48:49 beck Exp $ */
+/* $OpenBSD: x_pubkey.c,v 1.38 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,7 +61,6 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
 #ifndef OPENSSL_NO_DSA
@@ -72,6 +71,7 @@
 #endif
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/bf/bf_local.h b/src/lib/libcrypto/bf/bf_local.h
index 8fc5a5dbd8..2fe65eb85c 100644
--- a/src/lib/libcrypto/bf/bf_local.h
+++ b/src/lib/libcrypto/bf/bf_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bf_local.h,v 1.3 2024/03/27 11:54:29 jsing Exp $ */
+/* $OpenBSD: bf_local.h,v 1.4 2025/06/11 04:08:16 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -56,11 +56,11 @@
  * [including the GNU Public Licence.]
  */
 
-#include <openssl/opensslconf.h> /* BF_PTR */
-
 #ifndef HEADER_BF_LOCL_H
 #define HEADER_BF_LOCL_H
 
+#include <openssl/opensslconf.h>
+
 /* NOTE - c is not incremented as per n2l */
 #define n2ln(c,l1,l2,n) { \
                         c+=n; \
@@ -104,46 +104,6 @@
                          *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
                          *((c)++)=(unsigned char)(((l)     )&0xff))
 
-/* This is actually a big endian algorithm, the most significant byte
- * is used to lookup array 0 */
-
-#if defined(BF_PTR)
-
-#ifndef BF_LONG_LOG2
-#define BF_LONG_LOG2  2       /* default to BF_LONG being 32 bits */
-#endif
-#define BF_M  (0xFF<<BF_LONG_LOG2)
-#define BF_0  (24-BF_LONG_LOG2)
-#define BF_1  (16-BF_LONG_LOG2)
-#define BF_2  ( 8-BF_LONG_LOG2)
-#define BF_3  BF_LONG_LOG2 /* left shift */
-
-/*
- * This is normally very good on RISC platforms where normally you
- * have to explicitly "multiply" array index by sizeof(BF_LONG)
- * in order to calculate the effective address. This implementation
- * excuses CPU from this extra work. Power[PC] uses should have most
- * fun as (R>>BF_i)&BF_M gets folded into a single instruction, namely
- * rlwinm. So let'em double-check if their compiler does it.
- */
-
-#define BF_ENC(LL,R,S,P) ( \
-        LL^=P, \
-        LL^= (((*(BF_LONG *)((unsigned char *)&(S[  0])+((R>>BF_0)&BF_M))+ \
-                *(BF_LONG *)((unsigned char *)&(S[256])+((R>>BF_1)&BF_M)))^ \
-                *(BF_LONG *)((unsigned char *)&(S[512])+((R>>BF_2)&BF_M)))+ \
-                *(BF_LONG *)((unsigned char *)&(S[768])+((R<<BF_3)&BF_M))) \
-        )
-#else
-
-/*
- * This is a *generic* version. Seem to perform best on platforms that
- * offer explicit support for extraction of 8-bit nibbles preferably
- * complemented with "multiplying" of array index by sizeof(BF_LONG).
- * For the moment of this writing the list comprises Alpha CPU featuring
- * extbl and s[48]addq instructions.
- */
-
 #define BF_ENC(LL,R,S,P) ( \
         LL^=P, \
         LL^=((( S[       ((int)(R>>24)&0xff)] + \
@@ -151,6 +111,5 @@
                 S[0x0200+((int)(R>> 8)&0xff)])+ \
                 S[0x0300+((int)(R    )&0xff)])&0xffffffffL \
         )
-#endif
 
 #endif
diff --git a/src/lib/libcrypto/bio/b_dump.c b/src/lib/libcrypto/bio/b_dump.c
index 4dcf710bbe..3f673205c1 100644
--- a/src/lib/libcrypto/bio/b_dump.c
+++ b/src/lib/libcrypto/bio/b_dump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: b_dump.c,v 1.30 2024/03/02 09:21:24 tb Exp $ */
+/* $OpenBSD: b_dump.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,7 +62,6 @@
 #include <string.h>
 
 #include <openssl/bio.h>
-#include <openssl/err.h>
 
 #include "bytestring.h"
 
diff --git a/src/lib/libcrypto/bio/b_sock.c b/src/lib/libcrypto/bio/b_sock.c
index 00bbe9c37e..9ef9953b95 100644
--- a/src/lib/libcrypto/bio/b_sock.c
+++ b/src/lib/libcrypto/bio/b_sock.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: b_sock.c,v 1.71 2023/07/05 21:23:37 beck Exp $ */
+/* $OpenBSD: b_sock.c,v 1.72 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2017 Bob Beck <beck@openbsd.org>
  *
@@ -32,7 +32,8 @@
 
 #include <openssl/bio.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
+
+#include "err_local.h"
 
 int
 BIO_get_host_ip(const char *str, unsigned char *ip)
diff --git a/src/lib/libcrypto/bio/bf_buff.c b/src/lib/libcrypto/bio/bf_buff.c
index 226c16835a..36b6fabde3 100644
--- a/src/lib/libcrypto/bio/bf_buff.c
+++ b/src/lib/libcrypto/bio/bf_buff.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bf_buff.c,v 1.28 2023/07/05 21:23:37 beck Exp $ */
+/* $OpenBSD: bf_buff.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,9 +61,9 @@
 #include <string.h>
 
 #include <openssl/bio.h>
-#include <openssl/err.h>
 
 #include "bio_local.h"
+#include "err_local.h"
 
 static int buffer_write(BIO *h, const char *buf, int num);
 static int buffer_read(BIO *h, char *buf, int size);
diff --git a/src/lib/libcrypto/bio/bio.h b/src/lib/libcrypto/bio/bio.h
index 8327ffc071..a8108054e7 100644
--- a/src/lib/libcrypto/bio/bio.h
+++ b/src/lib/libcrypto/bio/bio.h
@@ -1,25 +1,25 @@
-/* $OpenBSD: bio.h,v 1.64 2024/05/19 07:12:50 jsg Exp $ */
+/* $OpenBSD: bio.h,v 1.65 2025/07/16 18:12:54 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -34,10 +34,10 @@
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
@@ -96,8 +96,8 @@ extern "C" {
 #define BIO_TYPE_BIO            (19|0x0400)             /* (half a) BIO pair */
 #define BIO_TYPE_LINEBUFFER     (20|0x0200)             /* filter */
 #define BIO_TYPE_DGRAM          (21|0x0400|0x0100)
-#define BIO_TYPE_ASN1           (22|0x0200)             /* filter */
-#define BIO_TYPE_COMP           (23|0x0200)             /* filter */
+#define BIO_TYPE_ASN1           (22|0x0200)             /* filter */
+#define BIO_TYPE_COMP           (23|0x0200)             /* filter */
 
 #define BIO_TYPE_DESCRIPTOR     0x0100  /* socket, fd, connect or accept */
 #define BIO_TYPE_FILTER         0x0200
@@ -139,14 +139,14 @@ extern "C" {
 #define BIO_CTRL_DGRAM_CONNECT       31  /* BIO dgram special */
 #define BIO_CTRL_DGRAM_SET_CONNECTED 32  /* allow for an externally
                                           * connected socket to be
-                                          * passed in */ 
+                                          * passed in */
 #define BIO_CTRL_DGRAM_SET_RECV_TIMEOUT 33 /* setsockopt, essentially */
 #define BIO_CTRL_DGRAM_GET_RECV_TIMEOUT 34 /* getsockopt, essentially */
 #define BIO_CTRL_DGRAM_SET_SEND_TIMEOUT 35 /* setsockopt, essentially */
 #define BIO_CTRL_DGRAM_GET_SEND_TIMEOUT 36 /* getsockopt, essentially */
 
 #define BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP 37 /* flag whether the last */
-#define BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP 38 /* I/O operation tiemd out */
+#define BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP 38 /* I/O operation timed out */
 
 /* #ifdef IP_MTU_DISCOVER */
 #define BIO_CTRL_DGRAM_MTU_DISCOVER       39 /* set DF bit on egress packets */
@@ -232,7 +232,7 @@ void BIO_clear_flags(BIO *b, int flags);
 
 /* The next three are used in conjunction with the
  * BIO_should_io_special() condition.  After this returns true,
- * BIO *BIO_get_retry_BIO(BIO *bio, int *reason); will walk the BIO 
+ * BIO *BIO_get_retry_BIO(BIO *bio, int *reason); will walk the BIO
  * stack and return the 'reason' for the special and the offending BIO.
  * Given a BIO, BIO_get_retry_reason(bio) will return the code. */
 /* Returned from the SSL bio when the certificate retrieval code had an error */
@@ -380,7 +380,7 @@ int BIO_meth_set_callback_ctrl(BIO_METHOD *biom,
 #define BIO_set_conn_int_port(b,port) BIO_ctrl(b,BIO_C_SET_CONNECT,3,(char *)port)
 #define BIO_get_conn_hostname(b)  BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0)
 #define BIO_get_conn_port(b)      BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1)
-#define BIO_get_conn_ip(b)               BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2)
+#define BIO_get_conn_ip(b)               BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2)
 #define BIO_get_conn_int_port(b) BIO_int_ctrl(b,BIO_C_GET_CONNECT,3,0)
 
 
@@ -571,7 +571,6 @@ const BIO_METHOD *BIO_s_socket(void);
 const BIO_METHOD *BIO_s_connect(void);
 const BIO_METHOD *BIO_s_accept(void);
 const BIO_METHOD *BIO_s_fd(void);
-const BIO_METHOD *BIO_s_log(void);
 const BIO_METHOD *BIO_s_bio(void);
 const BIO_METHOD *BIO_s_null(void);
 const BIO_METHOD *BIO_f_null(void);
diff --git a/src/lib/libcrypto/bio/bio_cb.c b/src/lib/libcrypto/bio/bio_cb.c
index 18e9be8d68..990cb20708 100644
--- a/src/lib/libcrypto/bio/bio_cb.c
+++ b/src/lib/libcrypto/bio/bio_cb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_cb.c,v 1.19 2023/07/05 21:23:37 beck Exp $ */
+/* $OpenBSD: bio_cb.c,v 1.20 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,7 +60,6 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/bio.h>
 
 #include "bio_local.h"
diff --git a/src/lib/libcrypto/bio/bio_lib.c b/src/lib/libcrypto/bio/bio_lib.c
index 463d2ad23a..04e8f4c295 100644
--- a/src/lib/libcrypto/bio/bio_lib.c
+++ b/src/lib/libcrypto/bio/bio_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_lib.c,v 1.54 2024/07/09 06:14:59 beck Exp $ */
+/* $OpenBSD: bio_lib.c,v 1.55 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,10 +62,10 @@
 
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/stack.h>
 
 #include "bio_local.h"
+#include "err_local.h"
 
 /*
  * Helper function to work out whether to call the new style callback or the old
diff --git a/src/lib/libcrypto/bio/bss_acpt.c b/src/lib/libcrypto/bio/bss_acpt.c
index d74c710a7f..60e61100b1 100644
--- a/src/lib/libcrypto/bio/bss_acpt.c
+++ b/src/lib/libcrypto/bio/bss_acpt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bss_acpt.c,v 1.31 2023/07/05 21:23:37 beck Exp $ */
+/* $OpenBSD: bss_acpt.c,v 1.33 2025/06/02 12:18:21 jsg Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -65,9 +65,9 @@
 
 #include <openssl/bio.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 
 #include "bio_local.h"
+#include "err_local.h"
 
 #define SOCKET_PROTOCOL IPPROTO_TCP
 
@@ -261,11 +261,12 @@ again:
                 if (c->bio_chain != NULL) {
                         if ((dbio = BIO_dup_chain(c->bio_chain)) == NULL)
                                 goto err;
-                        if (!BIO_push(dbio, bio)) goto err;
-                                bio = dbio;
+                        if (!BIO_push(dbio, bio))
+                                goto err;
+                        bio = dbio;
                 }
-                if (BIO_push(b, bio)
-                        == NULL) goto err;
+                if (BIO_push(b, bio) == NULL)
+                        goto err;
 
                 c->state = ACPT_S_OK;
                 return (1);
diff --git a/src/lib/libcrypto/bio/bss_bio.c b/src/lib/libcrypto/bio/bss_bio.c
index 39d8d1e46c..f1d1bbeecd 100644
--- a/src/lib/libcrypto/bio/bss_bio.c
+++ b/src/lib/libcrypto/bio/bss_bio.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bss_bio.c,v 1.29 2024/07/09 06:14:59 beck Exp $ */
+/* $OpenBSD: bss_bio.c,v 1.30 2025/05/10 05:54:38 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
  *
@@ -81,10 +81,10 @@
 #include <sys/types.h>
 
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include <openssl/crypto.h>
 
 #include "bio_local.h"
+#include "err_local.h"
 
 static int bio_new(BIO *bio);
 static int bio_free(BIO *bio);
diff --git a/src/lib/libcrypto/bio/bss_conn.c b/src/lib/libcrypto/bio/bss_conn.c
index 3b0e3d3bdd..14f410f59d 100644
--- a/src/lib/libcrypto/bio/bss_conn.c
+++ b/src/lib/libcrypto/bio/bss_conn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bss_conn.c,v 1.41 2024/04/19 09:54:36 tb Exp $ */
+/* $OpenBSD: bss_conn.c,v 1.43 2025/06/02 12:18:21 jsg Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -68,9 +68,9 @@
 
 #include <openssl/bio.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 
 #include "bio_local.h"
+#include "err_local.h"
 
 #define SOCKET_PROTOCOL IPPROTO_TCP
 
@@ -141,7 +141,7 @@ conn_state(BIO *b, BIO_CONNECT *c)
                         }
                         for (; *p != '\0'; p++) {
                                 if ((*p == ':') || (*p == '/'))
-                                break;
+                                        break;
                         }
 
                         i= *p;
diff --git a/src/lib/libcrypto/bio/bss_file.c b/src/lib/libcrypto/bio/bss_file.c
index 9b6ca2bdd8..21f71718bb 100644
--- a/src/lib/libcrypto/bio/bss_file.c
+++ b/src/lib/libcrypto/bio/bss_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bss_file.c,v 1.35 2023/07/05 21:23:37 beck Exp $ */
+/* $OpenBSD: bss_file.c,v 1.36 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -88,9 +88,9 @@
 #include <string.h>
 
 #include <openssl/bio.h>
-#include <openssl/err.h>
 
 #include "bio_local.h"
+#include "err_local.h"
 
 static int file_write(BIO *h, const char *buf, int num);
 static int file_read(BIO *h, char *buf, int size);
diff --git a/src/lib/libcrypto/bio/bss_log.c b/src/lib/libcrypto/bio/bss_log.c
deleted file mode 100644
index 9e2e882646..0000000000
--- a/src/lib/libcrypto/bio/bss_log.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/* $OpenBSD: bss_log.c,v 1.24 2023/07/05 21:23:37 beck Exp $ */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/*
-        Why BIO_s_log?
-
-        BIO_s_log is useful for system daemons (or services under NT).
-        It is one-way BIO, it sends all stuff to syslogd (on system that
-        commonly use that), or event log (on NT), or OPCOM (on OpenVMS).
-
-*/
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-#include <syslog.h>
-
-#include <openssl/buffer.h>
-#include <openssl/err.h>
-
-#include "bio_local.h"
-
-#ifndef NO_SYSLOG
-
-static int slg_write(BIO *h, const char *buf, int num);
-static int slg_puts(BIO *h, const char *str);
-static long slg_ctrl(BIO *h, int cmd, long arg1, void *arg2);
-static int slg_new(BIO *h);
-static int slg_free(BIO *data);
-static void xopenlog(BIO* bp, char* name, int level);
-static void xsyslog(BIO* bp, int priority, const char* string);
-static void xcloselog(BIO* bp);
-
-static const BIO_METHOD methods_slg = {
-        .type = BIO_TYPE_MEM,
-        .name = "syslog",
-        .bwrite = slg_write,
-        .bputs = slg_puts,
-        .ctrl = slg_ctrl,
-        .create = slg_new,
-        .destroy = slg_free
-};
-
-const BIO_METHOD *
-BIO_s_log(void)
-{
-        return (&methods_slg);
-}
-LCRYPTO_ALIAS(BIO_s_log);
-
-static int
-slg_new(BIO *bi)
-{
-        bi->init = 1;
-        bi->num = 0;
-        bi->ptr = NULL;
-        xopenlog(bi, "application", LOG_DAEMON);
-        return (1);
-}
-
-static int
-slg_free(BIO *a)
-{
-        if (a == NULL)
-                return (0);
-        xcloselog(a);
-        return (1);
-}
-
-static int
-slg_write(BIO *b, const char *in, int inl)
-{
-        int ret = inl;
-        char* buf;
-        char* pp;
-        int priority, i;
-        static const struct {
-                int strl;
-                char str[10];
-                int log_level;
-        }
-        mapping[] = {
-                { 6, "PANIC ", LOG_EMERG },
-                { 6, "EMERG ", LOG_EMERG },
-                { 4, "EMR ", LOG_EMERG },
-                { 6, "ALERT ", LOG_ALERT },
-                { 4, "ALR ", LOG_ALERT },
-                { 5, "CRIT ", LOG_CRIT },
-                { 4, "CRI ", LOG_CRIT },
-                { 6, "ERROR ", LOG_ERR },
-                { 4, "ERR ", LOG_ERR },
-                { 8, "WARNING ", LOG_WARNING },
-                { 5, "WARN ", LOG_WARNING },
-                { 4, "WAR ", LOG_WARNING },
-                { 7, "NOTICE ", LOG_NOTICE },
-                { 5, "NOTE ", LOG_NOTICE },
-                { 4, "NOT ", LOG_NOTICE },
-                { 5, "INFO ", LOG_INFO },
-                { 4, "INF ", LOG_INFO },
-                { 6, "DEBUG ", LOG_DEBUG },
-                { 4, "DBG ", LOG_DEBUG },
-                { 0, "", LOG_ERR } /* The default */
-        };
-
-        if ((buf = malloc(inl + 1)) == NULL) {
-                return (0);
-        }
-        strlcpy(buf, in, inl + 1);
-        i = 0;
-        while (strncmp(buf, mapping[i].str, mapping[i].strl) != 0)
-                i++;
-        priority = mapping[i].log_level;
-        pp = buf + mapping[i].strl;
-
-        xsyslog(b, priority, pp);
-
-        free(buf);
-        return (ret);
-}
-
-static long
-slg_ctrl(BIO *b, int cmd, long num, void *ptr)
-{
-        switch (cmd) {
-        case BIO_CTRL_SET:
-                xcloselog(b);
-                xopenlog(b, ptr, num);
-                break;
-        default:
-                break;
-        }
-        return (0);
-}
-
-static int
-slg_puts(BIO *bp, const char *str)
-{
-        int n, ret;
-
-        n = strlen(str);
-        ret = slg_write(bp, str, n);
-        return (ret);
-}
-
-
-static void
-xopenlog(BIO* bp, char* name, int level)
-{
-        openlog(name, LOG_PID|LOG_CONS, level);
-}
-
-static void
-xsyslog(BIO *bp, int priority, const char *string)
-{
-        syslog(priority, "%s", string);
-}
-
-static void
-xcloselog(BIO* bp)
-{
-        closelog();
-}
-
-#endif /* NO_SYSLOG */
diff --git a/src/lib/libcrypto/bio/bss_mem.c b/src/lib/libcrypto/bio/bss_mem.c
index 6d0d54db84..0fa6317a2b 100644
--- a/src/lib/libcrypto/bio/bss_mem.c
+++ b/src/lib/libcrypto/bio/bss_mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bss_mem.c,v 1.22 2023/07/05 21:23:37 beck Exp $ */
+/* $OpenBSD: bss_mem.c,v 1.27 2025/05/31 11:31:16 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,10 +62,10 @@
 #include <string.h>
 
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include <openssl/buffer.h>
 
 #include "bio_local.h"
+#include "err_local.h"
 
 struct bio_mem {
         BUF_MEM *buf;
@@ -140,6 +140,7 @@ BIO_new_mem_buf(const void *buf, int buf_len)
                 return NULL;
 
         bm = bio->ptr;
+        free(bm->buf->data);
         bm->buf->data = (void *)buf; /* Trust in the BIO_FLAGS_MEM_RDONLY flag. */
         bm->buf->length = buf_len;
         bm->buf->max = buf_len;
@@ -162,6 +163,12 @@ mem_new(BIO *bio)
                 free(bm);
                 return 0;
         }
+        if (BUF_MEM_grow_clean(bm->buf, 64) != 64) {
+                BUF_MEM_free(bm->buf);
+                free(bm);
+                return 0;
+        }
+        bm->buf->length = 0;
 
         bio->shutdown = 1;
         bio->init = 1;
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_add.S b/src/lib/libcrypto/bn/arch/amd64/bignum_add.S
index 5fe4aae7a1..1d4e6d08ef 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_add.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_add.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_add.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,9 +18,8 @@
 // Add, z := x + y
 // Inputs x[m], y[n]; outputs function return (carry-out) and z[p]
 //
-//    extern uint64_t bignum_add
-//     (uint64_t p, uint64_t *z,
-//      uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+//    extern uint64_t bignum_add(uint64_t p, uint64_t *z, uint64_t m,
+//                               const uint64_t *x, uint64_t n, const uint64_t *y);
 //
 // Does the z := x + y operation, truncating modulo p words in general and
 // returning a top carry (0 or 1) in the p'th place, only adding the input
@@ -49,7 +50,7 @@
 
 
 S2N_BN_SYMBOL(bignum_add):
-        _CET_ENDBR
+        _CET_ENDBR
 
 #if WINDOWS_ABI
         push    rdi
@@ -75,7 +76,7 @@ S2N_BN_SYMBOL(bignum_add):
         cmp     p, n
         cmovc   n, p
         cmp     m, n
-        jc      ylonger
+        jc      bignum_add_ylonger
 
 // The case where x is longer or of the same size (p >= m >= n)
 
@@ -83,27 +84,27 @@ S2N_BN_SYMBOL(bignum_add):
         sub     m, n
         inc     m
         test    n, n
-        jz      xtest
-xmainloop:
+        jz      bignum_add_xtest
+bignum_add_xmainloop:
         mov     a, [x+8*i]
         adc     a, [y+8*i]
         mov     [z+8*i],a
         inc     i
         dec     n
-        jnz     xmainloop
-        jmp     xtest
-xtoploop:
+        jnz     bignum_add_xmainloop
+        jmp     bignum_add_xtest
+bignum_add_xtoploop:
         mov     a, [x+8*i]
         adc     a, 0
         mov     [z+8*i],a
         inc     i
-xtest:
+bignum_add_xtest:
         dec     m
-        jnz     xtoploop
+        jnz     bignum_add_xtoploop
         mov     ashort, 0
         adc     a, 0
         test    p, p
-        jnz     tails
+        jnz     bignum_add_tails
 #if WINDOWS_ABI
         pop    rsi
         pop    rdi
@@ -112,30 +113,30 @@ xtest:
 
 // The case where y is longer (p >= n > m)
 
-ylonger:
+bignum_add_ylonger:
 
         sub     p, n
         sub     n, m
         test    m, m
-        jz      ytoploop
-ymainloop:
+        jz      bignum_add_ytoploop
+bignum_add_ymainloop:
         mov     a, [x+8*i]
         adc     a, [y+8*i]
         mov     [z+8*i],a
         inc     i
         dec     m
-        jnz     ymainloop
-ytoploop:
+        jnz     bignum_add_ymainloop
+bignum_add_ytoploop:
         mov     a, [y+8*i]
         adc     a, 0
         mov     [z+8*i],a
         inc     i
         dec     n
-        jnz     ytoploop
+        jnz     bignum_add_ytoploop
         mov     ashort, 0
         adc     a, 0
         test    p, p
-        jnz     tails
+        jnz     bignum_add_tails
 #if WINDOWS_ABI
         pop    rsi
         pop    rdi
@@ -144,16 +145,16 @@ ytoploop:
 
 // Adding a non-trivial tail, when p > max(m,n)
 
-tails:
+bignum_add_tails:
         mov     [z+8*i],a
         xor     a, a
-        jmp     tail
-tailloop:
+        jmp     bignum_add_tail
+bignum_add_tailloop:
         mov     [z+8*i],a
-tail:
+bignum_add_tail:
         inc     i
         dec     p
-        jnz     tailloop
+        jnz     bignum_add_tailloop
 #if WINDOWS_ABI
         pop    rsi
         pop    rdi
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_cmadd.S b/src/lib/libcrypto/bn/arch/amd64/bignum_cmadd.S
index 25ba17bce2..a611919603 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_cmadd.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_cmadd.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_cmadd.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,8 +18,8 @@
 // Multiply-add with single-word multiplier, z := z + c * y
 // Inputs c, y[n]; outputs function return (carry-out) and z[k]
 //
-//    extern uint64_t bignum_cmadd
-//     (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y);
+//    extern uint64_t bignum_cmadd(uint64_t k, uint64_t *z, uint64_t c, uint64_t n,
+//                                 const uint64_t *y);
 //
 // Does the "z := z + c * y" operation where y is n digits, result z is p.
 // Truncates the result in general.
@@ -54,7 +56,7 @@
 
 
 S2N_BN_SYMBOL(bignum_cmadd):
-        _CET_ENDBR
+        _CET_ENDBR
 
 #if WINDOWS_ABI
         push    rdi
@@ -82,7 +84,7 @@ S2N_BN_SYMBOL(bignum_cmadd):
 
         xor     h, h
         test    n, n
-        jz      end
+        jz      bignum_cmadd_end
 
 // Move c into a safer register as multiplies overwrite rdx
 
@@ -96,11 +98,11 @@ S2N_BN_SYMBOL(bignum_cmadd):
         mov     h, rdx
         mov     ishort, 1
         dec     n
-        jz      hightail
+        jz      bignum_cmadd_hightail
 
 // Main loop, where we always have CF + previous high part h to add in
 
-loop:
+bignum_cmadd_loop:
         adc     h, [z+8*i]
         sbb     r, r
         mov     rax, [x+8*i]
@@ -111,36 +113,36 @@ loop:
         mov     h, rdx
         inc     i
         dec     n
-        jnz     loop
+        jnz     bignum_cmadd_loop
 
-hightail:
+bignum_cmadd_hightail:
         adc     h, 0
 
 // Propagate the carry all the way to the end with h as extra carry word
 
-tail:
+bignum_cmadd_tail:
         test    p, p
-        jz      end
+        jz      bignum_cmadd_end
 
         add     [z+8*i], h
         mov     hshort, 0
         inc     i
         dec     p
-        jz      highend
+        jz      bignum_cmadd_highend
 
-tloop:
+bignum_cmadd_tloop:
         adc     [z+8*i], h
         inc     i
         dec     p
-        jnz     tloop
+        jnz     bignum_cmadd_tloop
 
-highend:
+bignum_cmadd_highend:
 
         adc     h, 0
 
 // Return the high/carry word
 
-end:
+bignum_cmadd_end:
         mov     rax, h
 
         pop     rbx
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_cmul.S b/src/lib/libcrypto/bn/arch/amd64/bignum_cmul.S
index 12f785d63a..eb71d9da44 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_cmul.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_cmul.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_cmul.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,8 +18,8 @@
 // Multiply by a single word, z := c * y
 // Inputs c, y[n]; outputs function return (carry-out) and z[k]
 //
-//    extern uint64_t bignum_cmul
-//     (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y);
+//    extern uint64_t bignum_cmul(uint64_t k, uint64_t *z, uint64_t c, uint64_t n,
+//                                const uint64_t *y);
 //
 // Does the "z := c * y" operation where y is n digits, result z is p.
 // Truncates the result in general unless p >= n + 1.
@@ -51,7 +53,7 @@
 
 
 S2N_BN_SYMBOL(bignum_cmul):
-        _CET_ENDBR
+        _CET_ENDBR
 
 #if WINDOWS_ABI
         push    rdi
@@ -76,7 +78,7 @@ S2N_BN_SYMBOL(bignum_cmul):
         xor     h, h
         xor     i, i
         test    n, n
-        jz      tail
+        jz      bignum_cmul_tail
 
 // Move c into a safer register as multiplies overwrite rdx
 
@@ -90,11 +92,11 @@ S2N_BN_SYMBOL(bignum_cmul):
         mov     h, rdx
         inc     i
         cmp     i, n
-        jz      tail
+        jz      bignum_cmul_tail
 
 // Main loop doing the multiplications
 
-loop:
+bignum_cmul_loop:
         mov     rax, [x+8*i]
         mul     c
         add     rax, h
@@ -103,28 +105,28 @@ loop:
         mov     h, rdx
         inc     i
         cmp     i, n
-        jc      loop
+        jc      bignum_cmul_loop
 
 // Add a tail when the destination is longer
 
-tail:
+bignum_cmul_tail:
         cmp     i, p
-        jnc     end
+        jnc     bignum_cmul_end
         mov     [z+8*i], h
         xor     h, h
         inc     i
         cmp     i, p
-        jnc     end
+        jnc     bignum_cmul_end
 
-tloop:
+bignum_cmul_tloop:
         mov     [z+8*i], h
         inc     i
         cmp     i, p
-        jc      tloop
+        jc      bignum_cmul_tloop
 
 // Return the high/carry word
 
-end:
+bignum_cmul_end:
         mov     rax, h
 
 #if WINDOWS_ABI
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_modadd.S b/src/lib/libcrypto/bn/arch/amd64/bignum_modadd.S
new file mode 100644
index 0000000000..baf27fdc7f
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_modadd.S
@@ -0,0 +1,112 @@
+// $OpenBSD: bignum_modadd.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// ----------------------------------------------------------------------------
+// Add modulo m, z := (x + y) mod m, assuming x and y reduced
+// Inputs x[k], y[k], m[k]; output z[k]
+//
+//    extern void bignum_modadd(uint64_t k, uint64_t *z, const uint64_t *x,
+//                              const uint64_t *y, const uint64_t *m);
+//
+// Standard x86-64 ABI: RDI = k, RSI = z, RDX = x, RCX = y, R8 = m
+// Microsoft x64 ABI:   RCX = k, RDX = z, R8 = x, R9 = y, [RSP+40] = m
+// ----------------------------------------------------------------------------
+
+#include "s2n_bignum_internal.h"
+
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_modadd)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_modadd)
+        .text
+
+#define k rdi
+#define z rsi
+#define x rdx
+#define y rcx
+#define m r8
+#define i r9
+#define j r10
+#define a rax
+#define c r11
+
+S2N_BN_SYMBOL(bignum_modadd):
+        _CET_ENDBR
+
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+        mov     rdx, r8
+        mov     rcx, r9
+        mov     r8, [rsp+56]
+#endif
+
+// If k = 0 do nothing
+
+        test    k, k
+        jz      bignum_modadd_end
+
+// First just add (c::z) := x + y
+
+        xor     c, c
+        mov     j, k
+        xor     i, i
+bignum_modadd_addloop:
+        mov     a, [x+8*i]
+        adc     a, [y+8*i]
+        mov     [z+8*i], a
+        inc     i
+        dec     j
+        jnz     bignum_modadd_addloop
+        adc     c, 0
+
+// Now do a comparison subtraction (c::z) - m, recording mask for (c::z) >= m
+
+        mov     j, k
+        xor     i, i
+bignum_modadd_cmploop:
+        mov     a, [z+8*i]
+        sbb     a, [m+8*i]
+        inc     i
+        dec     j
+        jnz     bignum_modadd_cmploop
+        sbb     c, 0
+        not     c
+
+// Now do a masked subtraction z := z - [c] * m
+
+        xor     i, i
+bignum_modadd_subloop:
+        mov     a, [m+8*i]
+        and     a, c
+        neg     j
+        sbb     [z+8*i], a
+        sbb     j, j
+        inc     i
+        cmp     i, k
+        jc      bignum_modadd_subloop
+
+bignum_modadd_end:
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_modsub.S b/src/lib/libcrypto/bn/arch/amd64/bignum_modsub.S
new file mode 100644
index 0000000000..63b3230e35
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_modsub.S
@@ -0,0 +1,99 @@
+// $OpenBSD: bignum_modsub.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// ----------------------------------------------------------------------------
+// Subtract modulo m, z := (x - y) mod m, assuming x and y reduced
+// Inputs x[k], y[k], m[k]; output z[k]
+//
+//    extern void bignum_modsub(uint64_t k, uint64_t *z, const uint64_t *x,
+//                              const uint64_t *y, const uint64_t *m);
+//
+// Standard x86-64 ABI: RDI = k, RSI = z, RDX = x, RCX = y, R8 = m
+// Microsoft x64 ABI:   RCX = k, RDX = z, R8 = x, R9 = y, [RSP+40] = m
+// ----------------------------------------------------------------------------
+
+#include "s2n_bignum_internal.h"
+
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_modsub)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_modsub)
+        .text
+
+#define k rdi
+#define z rsi
+#define x rdx
+#define y rcx
+#define m r8
+#define i r9
+#define j r10
+#define a rax
+#define c r11
+
+S2N_BN_SYMBOL(bignum_modsub):
+        _CET_ENDBR
+
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+        mov     rdx, r8
+        mov     rcx, r9
+        mov     r8, [rsp+56]
+#endif
+
+// If k = 0 do nothing
+
+        test    k, k
+        jz      bignum_modsub_end
+
+// Subtract z := x - y and record a mask for the carry x - y < 0
+
+        xor     c, c
+        mov     j, k
+        xor     i, i
+bignum_modsub_subloop:
+        mov     a, [x+8*i]
+        sbb     a, [y+8*i]
+        mov     [z+8*i], a
+        inc     i
+        dec     j
+        jnz     bignum_modsub_subloop
+        sbb     c, c
+
+// Now do a masked addition z := z + [c] * m
+
+        xor     i, i
+bignum_modsub_addloop:
+        mov     a, [m+8*i]
+        and     a, c
+        neg     j
+        adc     [z+8*i], a
+        sbb     j, j
+        inc     i
+        cmp     i, k
+        jc      bignum_modsub_addloop
+
+bignum_modsub_end:
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul.S
index a3552679a2..538cce9af7 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_mul.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_mul.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_mul.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,9 +18,8 @@
 // Multiply z := x * y
 // Inputs x[m], y[n]; output z[k]
 //
-//    extern void bignum_mul
-//     (uint64_t k, uint64_t *z,
-//      uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+//    extern void bignum_mul(uint64_t k, uint64_t *z, uint64_t m, const uint64_t *x,
+//                           uint64_t n, const uint64_t *y);
 //
 // Does the "z := x * y" operation where x is m digits, y is n, result z is k.
 // Truncates the result in general unless k >= m + n
@@ -59,7 +60,7 @@
 
 
 S2N_BN_SYMBOL(bignum_mul):
-        _CET_ENDBR
+        _CET_ENDBR
 
 #if WINDOWS_ABI
         push    rdi
@@ -88,7 +89,7 @@ S2N_BN_SYMBOL(bignum_mul):
 // If we did a multiply-add variant, however, then we could
 
         test    p, p
-        jz      end
+        jz      bignum_mul_end
 
 // Set initial 2-part sum to zero (we zero c inside the body)
 
@@ -99,7 +100,7 @@ S2N_BN_SYMBOL(bignum_mul):
 
         xor     k, k
 
-outerloop:
+bignum_mul_outerloop:
 
 // Zero our carry term first; we eventually want it and a zero is useful now
 // Set a =  max 0 (k + 1 - n), i = min (k + 1) m
@@ -125,11 +126,11 @@ outerloop:
         mov     d, k
         sub     d, i
         sub     i, a
-        jbe     innerend
+        jbe     bignum_mul_innerend
         lea     x,[rcx+8*a]
         lea     y,[r9+8*d-8]
 
-innerloop:
+bignum_mul_innerloop:
         mov     rax, [y+8*i]
         mul     QWORD PTR  [x]
         add     x, 8
@@ -137,9 +138,9 @@ innerloop:
         adc     h, rdx
         adc     c, 0
         dec     i
-        jnz     innerloop
+        jnz     bignum_mul_innerloop
 
-innerend:
+bignum_mul_innerend:
 
         mov     [z], l
         mov     l, h
@@ -147,9 +148,9 @@ innerend:
         add     z, 8
 
         cmp     k, p
-        jc      outerloop
+        jc      bignum_mul_outerloop
 
-end:
+bignum_mul_end:
         pop     r15
         pop     r14
         pop     r13
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8.S
new file mode 100644
index 0000000000..d6ad514020
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8.S
@@ -0,0 +1,187 @@
+// $OpenBSD: bignum_mul_4_8.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// ----------------------------------------------------------------------------
+// Multiply z := x * y
+// Inputs x[4], y[4]; output z[8]
+//
+//    extern void bignum_mul_4_8(uint64_t z[static 8], const uint64_t x[static 4],
+//                               const uint64_t y[static 4]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x, RDX = y
+// Microsoft x64 ABI:   RCX = z, RDX = x, R8 = y
+// ----------------------------------------------------------------------------
+
+#include "s2n_bignum_internal.h"
+
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_mul_4_8)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_mul_4_8)
+        .text
+
+// These are actually right
+
+#define z rdi
+#define x rsi
+
+// Copied in or set up
+
+#define y rcx
+
+// A zero register
+
+#define zero rbp
+#define zeroe ebp
+
+// Add in x[i] * rdx to the (i,i+1) position with the register window
+// Would be nice to have conditional expressions reg[i], reg[i+1] ...
+
+.macro mulpadd arg1,arg2
+        mulx    rbx, rax, [x+8*\arg2]
+.if ((\arg1 + \arg2) % 4 == 0)
+        adcx    r8, rax
+        adox    r9, rbx
+.elseif ((\arg1 + \arg2) % 4 == 1)
+        adcx    r9, rax
+        adox    r10, rbx
+.elseif ((\arg1 + \arg2) % 4 == 2)
+        adcx    r10, rax
+        adox    r11, rbx
+.elseif ((\arg1 + \arg2) % 4 == 3)
+        adcx    r11, rax
+        adox    r8, rbx
+.endif
+
+.endm
+
+
+// Add in the whole j'th row
+
+.macro addrow arg1
+        mov     rdx, [y+8*\arg1]
+        xor     zeroe, zeroe
+
+        mulpadd \arg1, 0
+
+.if (\arg1 % 4 == 0)
+        mov     [z+8*\arg1],r8
+.elseif (\arg1 % 4 == 1)
+        mov     [z+8*\arg1],r9
+.elseif (\arg1 % 4 == 2)
+        mov     [z+8*\arg1],r10
+.elseif (\arg1 % 4 == 3)
+        mov     [z+8*\arg1],r11
+.endif
+
+        mulpadd \arg1, 1
+        mulpadd \arg1, 2
+
+.if (\arg1 % 4 == 0)
+        mulx    r8, rax, [x+24]
+        adcx    r11, rax
+        adox    r8, zero
+        adcx    r8, zero
+.elseif (\arg1 % 4 == 1)
+        mulx    r9, rax, [x+24]
+        adcx    r8, rax
+        adox    r9, zero
+        adcx    r9, zero
+.elseif (\arg1 % 4 == 2)
+        mulx    r10, rax, [x+24]
+        adcx    r9, rax
+        adox    r10, zero
+        adcx    r10, zero
+.elseif (\arg1 % 4 == 3)
+        mulx    r11, rax, [x+24]
+        adcx    r10, rax
+        adox    r11, zero
+        adcx    r11, zero
+.endif
+
+.endm
+
+
+
+S2N_BN_SYMBOL(bignum_mul_4_8):
+        _CET_ENDBR
+
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+        mov     rdx, r8
+#endif
+
+// Save more registers to play with
+
+        push    rbp
+        push    rbx
+
+// Copy y into a safe register to start with
+
+        mov     y, rdx
+
+// Zero a register, which also makes sure we don't get a fake carry-in
+
+        xor     zeroe, zeroe
+
+// Do the zeroth row, which is a bit different
+// Write back the zero-zero product and then accumulate
+// r8,r11,r10,r9 as y[0] * x from 1..4
+
+        mov     rdx, [y]
+
+        mulx    r9, r8, [x]
+        mov     [z], r8
+
+        mulx    r10, rbx, [x+8]
+        adcx    r9, rbx
+
+        mulx    r11, rbx, [x+16]
+        adcx    r10, rbx
+
+        mulx    r8, rbx, [x+24]
+        adcx    r11, rbx
+        adcx    r8, zero
+
+// Now all the other rows in a uniform pattern
+
+        addrow  1
+        addrow  2
+        addrow  3
+
+// Now write back the additional columns
+
+        mov     [z+32], r8
+        mov     [z+40], r9
+        mov     [z+48], r10
+        mov     [z+56], r11
+
+// Restore registers and return
+
+        pop     rbx
+        pop     rbp
+
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8_alt.S
index 70ff69e372..2592d1d658 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8_alt.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8_alt.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_mul_4_8_alt.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,8 +18,8 @@
 // Multiply z := x * y
 // Inputs x[4], y[4]; output z[8]
 //
-//    extern void bignum_mul_4_8_alt
-//      (uint64_t z[static 8], uint64_t x[static 4], uint64_t y[static 4]);
+//    extern void bignum_mul_4_8_alt(uint64_t z[static 8], const uint64_t x[static 4],
+//                                   const uint64_t y[static 4]);
 //
 // Standard x86-64 ABI: RDI = z, RSI = x, RDX = y
 // Microsoft x64 ABI:   RCX = z, RDX = x, R8 = y
@@ -72,7 +74,7 @@
         adc     h, rdx
 
 S2N_BN_SYMBOL(bignum_mul_4_8_alt):
-        _CET_ENDBR
+        _CET_ENDBR
 
 #if WINDOWS_ABI
         push    rdi
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_6_12.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_6_12.S
new file mode 100644
index 0000000000..56cbdf06e0
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_6_12.S
@@ -0,0 +1,223 @@
+// $OpenBSD: bignum_mul_6_12.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// ----------------------------------------------------------------------------
+// Multiply z := x * y
+// Inputs x[6], y[6]; output z[12]
+//
+//    extern void bignum_mul_6_12(uint64_t z[static 12], const uint64_t x[static 6],
+//                                const uint64_t y[static 6]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x, RDX = y
+// Microsoft x64 ABI:   RCX = z, RDX = x, R8 = y
+// ----------------------------------------------------------------------------
+
+#include "s2n_bignum_internal.h"
+
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_mul_6_12)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_mul_6_12)
+        .text
+
+// These are actually right
+
+#define z rdi
+#define x rsi
+
+// Copied in or set up
+
+#define y rcx
+
+// A zero register
+
+#define zero rbp
+#define zeroe ebp
+
+// Add in x[i] * rdx to the (i,i+1) position with the register window
+// Would be nice to have conditional expressions reg[i], reg[i+1] ...
+
+.macro mulpadd arg1,arg2
+        mulx    rbx, rax, [x+8*\arg2]
+.if ((\arg1 + \arg2) % 6 == 0)
+        adcx    r8, rax
+        adox    r9, rbx
+.elseif ((\arg1 + \arg2) % 6 == 1)
+        adcx    r9, rax
+        adox    r10, rbx
+.elseif ((\arg1 + \arg2) % 6 == 2)
+        adcx    r10, rax
+        adox    r11, rbx
+.elseif ((\arg1 + \arg2) % 6 == 3)
+        adcx    r11, rax
+        adox    r12, rbx
+.elseif ((\arg1 + \arg2) % 6 == 4)
+        adcx    r12, rax
+        adox    r13, rbx
+.elseif ((\arg1 + \arg2) % 6 == 5)
+        adcx    r13, rax
+        adox    r8, rbx
+.endif
+
+.endm
+
+
+// Add in the whole j'th row
+
+.macro addrow arg1
+        mov     rdx, [y+8*\arg1]
+        xor     zeroe, zeroe
+
+        mulpadd \arg1, 0
+
+.if (\arg1 % 6 == 0)
+        mov     [z+8*\arg1],r8
+.elseif (\arg1 % 6 == 1)
+        mov     [z+8*\arg1],r9
+.elseif (\arg1 % 6 == 2)
+        mov     [z+8*\arg1],r10
+.elseif (\arg1 % 6 == 3)
+        mov     [z+8*\arg1],r11
+.elseif (\arg1 % 6 == 4)
+        mov     [z+8*\arg1],r12
+.elseif (\arg1 % 6 == 5)
+        mov     [z+8*\arg1],r13
+.endif
+
+        mulpadd \arg1, 1
+        mulpadd \arg1, 2
+        mulpadd \arg1, 3
+        mulpadd \arg1, 4
+
+.if (\arg1 % 6 == 0)
+        mulx    r8, rax, [x+40]
+        adcx    r13, rax
+        adox    r8, zero
+        adcx    r8, zero
+.elseif (\arg1 % 6 == 1)
+        mulx    r9, rax, [x+40]
+        adcx    r8, rax
+        adox    r9, zero
+        adcx    r9, zero
+.elseif (\arg1 % 6 == 2)
+        mulx    r10, rax, [x+40]
+        adcx    r9, rax
+        adox    r10, zero
+        adcx    r10, zero
+.elseif (\arg1 % 6 == 3)
+        mulx    r11, rax, [x+40]
+        adcx    r10, rax
+        adox    r11, zero
+        adcx    r11, zero
+.elseif (\arg1 % 6 == 4)
+        mulx    r12, rax, [x+40]
+        adcx    r11, rax
+        adox    r12, zero
+        adcx    r12, zero
+.elseif (\arg1 % 6 == 5)
+        mulx    r13, rax, [x+40]
+        adcx    r12, rax
+        adox    r13, zero
+        adcx    r13, zero
+.endif
+
+.endm
+
+
+
+S2N_BN_SYMBOL(bignum_mul_6_12):
+        _CET_ENDBR
+
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+        mov     rdx, r8
+#endif
+
+// Save more registers to play with
+
+        push    rbp
+        push    rbx
+        push    r12
+        push    r13
+
+// Copy y into a safe register to start with
+
+        mov     y, rdx
+
+// Zero a register, which also makes sure we don't get a fake carry-in
+
+        xor     zeroe, zeroe
+
+// Do the zeroth row, which is a bit different
+// Write back the zero-zero product and then accumulate
+// r8,r13,r12,r11,r10,r9 as y[0] * x from 1..6
+
+        mov     rdx, [y]
+
+        mulx    r9, r8, [x]
+        mov     [z], r8
+
+        mulx    r10, rbx, [x+8]
+        adcx    r9, rbx
+
+        mulx    r11, rbx, [x+16]
+        adcx    r10, rbx
+
+        mulx    r12, rbx, [x+24]
+        adcx    r11, rbx
+
+        mulx    r13, rbx, [x+32]
+        adcx    r12, rbx
+
+        mulx    r8, rbx, [x+40]
+        adcx    r13, rbx
+        adcx    r8, zero
+
+// Now all the other rows in a uniform pattern
+
+        addrow  1
+        addrow  2
+        addrow  3
+        addrow  4
+        addrow  5
+
+// Now write back the additional columns
+
+        mov     [z+48], r8
+        mov     [z+56], r9
+        mov     [z+64], r10
+        mov     [z+72], r11
+        mov     [z+80], r12
+        mov     [z+88], r13
+
+// Restore registers and return
+
+        pop     r13
+        pop     r12
+        pop     rbx
+        pop     rbp
+
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_6_12_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_6_12_alt.S
new file mode 100644
index 0000000000..077c52b38e
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_6_12_alt.S
@@ -0,0 +1,199 @@
+// $OpenBSD: bignum_mul_6_12_alt.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// ----------------------------------------------------------------------------
+// Multiply z := x * y
+// Inputs x[6], y[6]; output z[12]
+//
+//    extern void bignum_mul_6_12_alt(uint64_t z[static 12],
+//                                    const uint64_t x[static 6],
+//                                    const uint64_t y[static 6]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x, RDX = y
+// Microsoft x64 ABI:   RCX = z, RDX = x, R8 = y
+// ----------------------------------------------------------------------------
+
+#include "s2n_bignum_internal.h"
+
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_mul_6_12_alt)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_mul_6_12_alt)
+        .text
+
+// These are actually right
+
+#define z rdi
+#define x rsi
+
+// This is moved from rdx to free it for muls
+
+#define y rcx
+
+// Other variables used as a rotating 3-word window to add terms to
+
+#define t0 r8
+#define t1 r9
+#define t2 r10
+
+// Macro for the key "multiply and add to (c,h,l)" step
+
+#define combadd(c,h,l,numa,numb)                \
+        mov     rax, numa;                      \
+        mul     QWORD PTR numb;                 \
+        add     l, rax;                         \
+        adc     h, rdx;                         \
+        adc     c, 0
+
+// A minutely shorter form for when c = 0 initially
+
+#define combadz(c,h,l,numa,numb)                \
+        mov     rax, numa;                      \
+        mul     QWORD PTR numb;                 \
+        add     l, rax;                         \
+        adc     h, rdx;                         \
+        adc     c, c
+
+// A short form where we don't expect a top carry
+
+#define combads(h,l,numa,numb)                  \
+        mov     rax, numa;                      \
+        mul     QWORD PTR numb;                 \
+        add     l, rax;                         \
+        adc     h, rdx
+
+S2N_BN_SYMBOL(bignum_mul_6_12_alt):
+        _CET_ENDBR
+
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+        mov     rdx, r8
+#endif
+
+// Copy y into a safe register to start with
+
+        mov     y, rdx
+
+// Result term 0
+
+        mov     rax, [x]
+        mul     QWORD PTR [y]
+
+        mov     [z], rax
+        mov     t0, rdx
+        xor     t1, t1
+
+// Result term 1
+
+        xor     t2, t2
+        combads(t1,t0,[x],[y+8])
+        combadz(t2,t1,t0,[x+8],[y])
+        mov     [z+8], t0
+
+// Result term 2
+
+        xor     t0, t0
+        combadz(t0,t2,t1,[x],[y+16])
+        combadd(t0,t2,t1,[x+8],[y+8])
+        combadd(t0,t2,t1,[x+16],[y])
+        mov     [z+16], t1
+
+// Result term 3
+
+        xor     t1, t1
+        combadz(t1,t0,t2,[x],[y+24])
+        combadd(t1,t0,t2,[x+8],[y+16])
+        combadd(t1,t0,t2,[x+16],[y+8])
+        combadd(t1,t0,t2,[x+24],[y])
+        mov     [z+24], t2
+
+// Result term 4
+
+        xor     t2, t2
+        combadz(t2,t1,t0,[x],[y+32])
+        combadd(t2,t1,t0,[x+8],[y+24])
+        combadd(t2,t1,t0,[x+16],[y+16])
+        combadd(t2,t1,t0,[x+24],[y+8])
+        combadd(t2,t1,t0,[x+32],[y])
+        mov     [z+32], t0
+
+// Result term 5
+
+        xor     t0, t0
+        combadz(t0,t2,t1,[x],[y+40])
+        combadd(t0,t2,t1,[x+8],[y+32])
+        combadd(t0,t2,t1,[x+16],[y+24])
+        combadd(t0,t2,t1,[x+24],[y+16])
+        combadd(t0,t2,t1,[x+32],[y+8])
+        combadd(t0,t2,t1,[x+40],[y])
+        mov     [z+40], t1
+
+// Result term 6
+
+        xor     t1, t1
+        combadz(t1,t0,t2,[x+8],[y+40])
+        combadd(t1,t0,t2,[x+16],[y+32])
+        combadd(t1,t0,t2,[x+24],[y+24])
+        combadd(t1,t0,t2,[x+32],[y+16])
+        combadd(t1,t0,t2,[x+40],[y+8])
+        mov     [z+48], t2
+
+// Result term 7
+
+        xor     t2, t2
+        combadz(t2,t1,t0,[x+16],[y+40])
+        combadd(t2,t1,t0,[x+24],[y+32])
+        combadd(t2,t1,t0,[x+32],[y+24])
+        combadd(t2,t1,t0,[x+40],[y+16])
+        mov     [z+56], t0
+
+// Result term 8
+
+        xor     t0, t0
+        combadz(t0,t2,t1,[x+24],[y+40])
+        combadd(t0,t2,t1,[x+32],[y+32])
+        combadd(t0,t2,t1,[x+40],[y+24])
+        mov     [z+64], t1
+
+// Result term 9
+
+        xor     t1, t1
+        combadz(t1,t0,t2,[x+32],[y+40])
+        combadd(t1,t0,t2,[x+40],[y+32])
+        mov     [z+72], t2
+
+// Result term 10
+
+        combads(t1,t0,[x+40],[y+40])
+        mov     [z+80], t0
+
+// Result term 11
+
+        mov     [z+88], t1
+
+// Return
+
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16.S
new file mode 100644
index 0000000000..faa0196d8e
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16.S
@@ -0,0 +1,273 @@
+// $OpenBSD: bignum_mul_8_16.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// ----------------------------------------------------------------------------
+// Multiply z := x * y
+// Inputs x[8], y[8]; output z[16]
+//
+//    extern void bignum_mul_8_16(uint64_t z[static 16], const uint64_t x[static 8],
+//                                const uint64_t y[static 8]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x, RDX = y
+// Microsoft x64 ABI:   RCX = z, RDX = x, R8 = y
+// ----------------------------------------------------------------------------
+
+#include "s2n_bignum_internal.h"
+
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_mul_8_16)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_mul_8_16)
+        .text
+
+// These are actually right
+
+#define z rdi
+#define x rsi
+
+// Copied in or set up
+
+#define y rcx
+
+// A zero register
+
+#define zero rbp
+#define zeroe ebp
+
+// mulpadd i, j adds x[i] * rdx (now assumed = y[j]) into the window at i+j
+
+.macro mulpadd arg1,arg2
+        mulx    rbx, rax, [x+8*\arg1]
+.if ((\arg1 + \arg2) % 8 == 0)
+        adcx    r8, rax
+        adox    r9, rbx
+.elseif ((\arg1 + \arg2) % 8 == 1)
+        adcx    r9, rax
+        adox    r10, rbx
+.elseif ((\arg1 + \arg2) % 8 == 2)
+        adcx    r10, rax
+        adox    r11, rbx
+.elseif ((\arg1 + \arg2) % 8 == 3)
+        adcx    r11, rax
+        adox    r12, rbx
+.elseif ((\arg1 + \arg2) % 8 == 4)
+        adcx    r12, rax
+        adox    r13, rbx
+.elseif ((\arg1 + \arg2) % 8 == 5)
+        adcx    r13, rax
+        adox    r14, rbx
+.elseif ((\arg1 + \arg2) % 8 == 6)
+        adcx    r14, rax
+        adox    r15, rbx
+.elseif ((\arg1 + \arg2) % 8 == 7)
+        adcx    r15, rax
+        adox    r8, rbx
+.endif
+
+.endm
+
+// mulpade i, j adds x[i] * rdx (now assumed = y[j]) into the window at i+j
+// but re-creates the top word assuming nothing to add there
+
+.macro mulpade arg1,arg2
+.if ((\arg1 + \arg2) % 8 == 0)
+        mulx    r9, rax, [x+8*\arg1]
+        adcx    r8, rax
+        adox    r9, zero
+.elseif ((\arg1 + \arg2) % 8 == 1)
+        mulx    r10, rax, [x+8*\arg1]
+        adcx    r9, rax
+        adox    r10, zero
+.elseif ((\arg1 + \arg2) % 8 == 2)
+        mulx    r11, rax, [x+8*\arg1]
+        adcx    r10, rax
+        adox    r11, zero
+.elseif ((\arg1 + \arg2) % 8 == 3)
+        mulx    r12, rax, [x+8*\arg1]
+        adcx    r11, rax
+        adox    r12, zero
+.elseif ((\arg1 + \arg2) % 8 == 4)
+        mulx    r13, rax, [x+8*\arg1]
+        adcx    r12, rax
+        adox    r13, zero
+.elseif ((\arg1 + \arg2) % 8 == 5)
+        mulx    r14, rax, [x+8*\arg1]
+        adcx    r13, rax
+        adox    r14, zero
+.elseif ((\arg1 + \arg2) % 8 == 6)
+        mulx    r15, rax, [x+8*\arg1]
+        adcx    r14, rax
+        adox    r15, zero
+.elseif ((\arg1 + \arg2) % 8 == 7)
+        mulx    r8, rax, [x+8*\arg1]
+        adcx    r15, rax
+        adox    r8, zero
+.endif
+
+.endm
+
+// Add in the whole j'th row
+
+.macro addrow arg1
+        mov     rdx, [y+8*\arg1]
+        xor     zeroe, zeroe
+
+        mulpadd 0, \arg1
+
+.if (\arg1 % 8 == 0)
+        mov     [z+8*\arg1],r8
+.elseif (\arg1 % 8 == 1)
+        mov     [z+8*\arg1],r9
+.elseif (\arg1 % 8 == 2)
+        mov     [z+8*\arg1],r10
+.elseif (\arg1 % 8 == 3)
+        mov     [z+8*\arg1],r11
+.elseif (\arg1 % 8 == 4)
+        mov     [z+8*\arg1],r12
+.elseif (\arg1 % 8 == 5)
+        mov     [z+8*\arg1],r13
+.elseif (\arg1 % 8 == 6)
+        mov     [z+8*\arg1],r14
+.elseif (\arg1 % 8 == 7)
+        mov     [z+8*\arg1],r15
+.endif
+
+        mulpadd 1, \arg1
+        mulpadd 2, \arg1
+        mulpadd 3, \arg1
+        mulpadd 4, \arg1
+        mulpadd 5, \arg1
+        mulpadd 6, \arg1
+        mulpade 7, \arg1
+
+.if (\arg1 % 8 == 0)
+        adc     r8, zero
+.elseif (\arg1 % 8 == 1)
+        adc     r9, zero
+.elseif (\arg1 % 8 == 2)
+        adc     r10, zero
+.elseif (\arg1 % 8 == 3)
+        adc     r11, zero
+.elseif (\arg1 % 8 == 4)
+        adc     r12, zero
+.elseif (\arg1 % 8 == 5)
+        adc     r13, zero
+.elseif (\arg1 % 8 == 6)
+        adc     r14, zero
+.elseif (\arg1 % 8 == 7)
+        adc     r15, zero
+.endif
+
+.endm
+
+
+S2N_BN_SYMBOL(bignum_mul_8_16):
+        _CET_ENDBR
+
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+        mov     rdx, r8
+#endif
+
+// Save more registers to play with
+
+        push    rbp
+        push    rbx
+        push    r12
+        push    r13
+        push    r14
+        push    r15
+
+// Copy y into a safe register to start with
+
+        mov     y, rdx
+
+// Zero a register, which also makes sure we don't get a fake carry-in
+
+        xor     zeroe, zeroe
+
+// Do the zeroth row, which is a bit different
+// Write back the zero-zero product and then accumulate
+// r8,r15,r14,r13,r12,r11,r10,r9 as y[0] * x from 1..8
+
+        mov     rdx, [y]
+
+        mulx    r9, r8, [x]
+        mov     [z], r8
+
+        mulx    r10, rbx, [x+8]
+        adc     r9, rbx
+
+        mulx    r11, rbx, [x+16]
+        adc     r10, rbx
+
+        mulx    r12, rbx, [x+24]
+        adc     r11, rbx
+
+        mulx    r13, rbx, [x+32]
+        adc     r12, rbx
+
+        mulx    r14, rbx, [x+40]
+        adc     r13, rbx
+
+        mulx    r15, rbx, [x+48]
+        adc     r14, rbx
+
+        mulx    r8, rbx, [x+56]
+        adc     r15, rbx
+        adc     r8, zero
+
+// Now all the other rows in a uniform pattern
+
+        addrow  1
+        addrow  2
+        addrow  3
+        addrow  4
+        addrow  5
+        addrow  6
+        addrow  7
+
+// Now write back the additional columns
+
+        mov     [z+64], r8
+        mov     [z+72], r9
+        mov     [z+80], r10
+        mov     [z+88], r11
+        mov     [z+96], r12
+        mov     [z+104], r13
+        mov     [z+112], r14
+        mov     [z+120], r15
+
+// Real epilog
+
+        pop     r15
+        pop     r14
+        pop     r13
+        pop     r12
+        pop     rbx
+        pop     rbp
+
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16_alt.S
index 066403b074..0e30b9170f 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16_alt.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16_alt.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_mul_8_16_alt.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,8 +18,9 @@
 // Multiply z := x * y
 // Inputs x[8], y[8]; output z[16]
 //
-//    extern void bignum_mul_8_16_alt
-//     (uint64_t z[static 16], uint64_t x[static 8], uint64_t y[static 8]);
+//    extern void bignum_mul_8_16_alt(uint64_t z[static 16],
+//                                    const uint64_t x[static 8],
+//                                    const uint64_t y[static 8]);
 //
 // Standard x86-64 ABI: RDI = z, RSI = x, RDX = y
 // Microsoft x64 ABI:   RCX = z, RDX = x, R8 = y
@@ -72,7 +75,7 @@
         adc     h, rdx
 
 S2N_BN_SYMBOL(bignum_mul_8_16_alt):
-        _CET_ENDBR
+        _CET_ENDBR
 
 #if WINDOWS_ABI
         push    rdi
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr.S
index 54e3f59442..86f1af2ac4 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_sqr.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,8 +18,7 @@
 // Square z := x^2
 // Input x[n]; output z[k]
 //
-//    extern void bignum_sqr
-//     (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x);
+//    extern void bignum_sqr(uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x);
 //
 // Does the "z := x^2" operation where x is n digits and result z is k.
 // Truncates the result in general unless k >= 2 * n
@@ -62,7 +63,7 @@
 #define llshort ebp
 
 S2N_BN_SYMBOL(bignum_sqr):
-        _CET_ENDBR
+        _CET_ENDBR
 
 #if WINDOWS_ABI
         push    rdi
@@ -86,7 +87,7 @@ S2N_BN_SYMBOL(bignum_sqr):
 // If p = 0 the result is trivial and nothing needs doing
 
         test    p, p
-        jz      end
+        jz      bignum_sqr_end
 
 // initialize (hh,ll) = 0
 
@@ -97,7 +98,7 @@ S2N_BN_SYMBOL(bignum_sqr):
 
         xor     k, k
 
-outerloop:
+bignum_sqr_outerloop:
 
 // First let bot = MAX 0 (k + 1 - n) and top = MIN (k + 1) n
 // We want to accumulate all x[i] * x[k - i] for bot <= i < top
@@ -122,7 +123,7 @@ outerloop:
 // If htop <= bot then main doubled part of the sum is empty
 
         cmp     i, htop
-        jnc     nosumming
+        jnc     bignum_sqr_nosumming
 
 // Use a moving pointer for [y] = x[k-i] for the cofactor
 
@@ -132,7 +133,7 @@ outerloop:
 
 // Do the main part of the sum x[i] * x[k - i] for 2 * i < k
 
-innerloop:
+bignum_sqr_innerloop:
         mov     a, [x+8*i]
         mul     QWORD PTR [y]
         add     l, a
@@ -141,7 +142,7 @@ innerloop:
         sub     y, 8
         inc     i
         cmp     i, htop
-        jc      innerloop
+        jc      bignum_sqr_innerloop
 
 // Now double it
 
@@ -151,11 +152,11 @@ innerloop:
 
 // If k is even (which means 2 * i = k) and i < n add the extra x[i]^2 term
 
-nosumming:
+bignum_sqr_nosumming:
         test    k, 1
-        jnz     innerend
+        jnz     bignum_sqr_innerend
         cmp     i, n
-        jnc     innerend
+        jnc     bignum_sqr_innerend
 
         mov     a, [x+8*i]
         mul     a
@@ -165,7 +166,7 @@ nosumming:
 
 // Now add the local sum into the global sum, store and shift
 
-innerend:
+bignum_sqr_innerend:
         add     l, ll
         mov     [z+8*k], l
         adc     h, hh
@@ -175,11 +176,11 @@ innerend:
 
         inc     k
         cmp     k, p
-        jc      outerloop
+        jc      bignum_sqr_outerloop
 
 // Restore registers and return
 
-end:
+bignum_sqr_end:
         pop     r15
         pop     r14
         pop     r13
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8.S
new file mode 100644
index 0000000000..25664782f7
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8.S
@@ -0,0 +1,158 @@
+// $OpenBSD: bignum_sqr_4_8.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// ----------------------------------------------------------------------------
+// Square, z := x^2
+// Input x[4]; output z[8]
+//
+//    extern void bignum_sqr_4_8(uint64_t z[static 8], const uint64_t x[static 4]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x
+// Microsoft x64 ABI:   RCX = z, RDX = x
+// ----------------------------------------------------------------------------
+
+#include "s2n_bignum_internal.h"
+
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sqr_4_8)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sqr_4_8)
+        .text
+
+// These are actually right
+
+#define z rdi
+#define x rsi
+
+// A zero register
+
+#define zero rbp
+#define zeroe ebp
+
+// Other registers
+
+#define d1 r8
+#define d2 r9
+#define d3 r10
+#define d4 r11
+#define d5 r12
+#define d6 r13
+
+
+
+S2N_BN_SYMBOL(bignum_sqr_4_8):
+        _CET_ENDBR
+
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+#endif
+
+// Save more registers to play with
+
+        push    rbp
+        push    r12
+        push    r13
+
+// Set up an initial window [d6;...d1] = [23;03;01]
+
+        mov     rdx, [x]
+        mulx    d2, d1, [x+8]
+        mulx    d4, d3, [x+24]
+        mov     rdx, [x+16]
+        mulx    d6, d5, [x+24]
+
+// Clear our zero register, and also initialize the flags for the carry chain
+
+        xor     zeroe, zeroe
+
+// Chain in the addition of 02 + 12 + 13 to that window (no carry-out possible)
+// This gives all the "heterogeneous" terms of the squaring ready to double
+
+        mulx    rcx, rax, [x]
+        adcx    d2, rax
+        adox    d3, rcx
+        mulx    rcx, rax, [x+8]
+        adcx    d3, rax
+        adox    d4, rcx
+        mov     rdx, [x+24]
+        mulx    rcx, rax, [x+8]
+        adcx    d4, rax
+        adox    d5, rcx
+        adcx    d5, zero
+        adox    d6, zero
+        adcx    d6, zero
+
+// In principle this is otiose as CF and OF carries are absorbed at this point
+// However it seems helpful for the OOO engine to be told it's a fresh start
+
+        xor     zeroe, zeroe
+
+// Double and add to the 00 + 11 + 22 + 33 terms
+//
+// We could use shift-double but this seems tidier and in larger squarings
+// it was actually more efficient. I haven't experimented with this small
+// case to see how much that matters. Note: the writeback here is sprinkled
+// into the sequence in such a way that things still work if z = x, i.e. if
+// the output overwrites the input buffer and beyond.
+
+        mov     rdx, [x]
+        mulx    rdx, rax, rdx
+        mov     [z], rax
+        adcx    d1, d1
+        adox    d1, rdx
+        mov     rdx, [x+8]
+        mov     [z+8], d1
+        mulx    rdx, rax, rdx
+        adcx    d2, d2
+        adox    d2, rax
+        adcx    d3, d3
+        adox    d3, rdx
+        mov     rdx, [x+16]
+        mov     [z+16], d2
+        mulx    rdx, rax, rdx
+        adcx    d4, d4
+        adox    d4, rax
+        adcx    d5, d5
+        adox    d5, rdx
+        mov     rdx, [x+24]
+        mov     [z+24], d3
+        mulx    rdx, rax, rdx
+        mov     [z+32], d4
+        adcx    d6, d6
+        mov     [z+40], d5
+        adox    d6, rax
+        mov     [z+48], d6
+        adcx    rdx, zero
+        adox    rdx, zero
+        mov     [z+56], rdx
+
+// Restore saved registers and return
+
+        pop     r13
+        pop     r12
+        pop     rbp
+
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8_alt.S
index 7c534ae907..7eafac3284 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8_alt.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8_alt.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_sqr_4_8_alt.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,8 +18,8 @@
 // Square, z := x^2
 // Input x[4]; output z[8]
 //
-//    extern void bignum_sqr_4_8_alt
-//      (uint64_t z[static 8], uint64_t x[static 4]);
+//    extern void bignum_sqr_4_8_alt(uint64_t z[static 8],
+//                                   const uint64_t x[static 4]);
 //
 // Standard x86-64 ABI: RDI = z, RSI = x
 // Microsoft x64 ABI:   RCX = z, RDX = x
@@ -71,7 +73,7 @@
         adc     c, 0
 
 S2N_BN_SYMBOL(bignum_sqr_4_8_alt):
-        _CET_ENDBR
+        _CET_ENDBR
 
 #if WINDOWS_ABI
         push    rdi
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_6_12.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_6_12.S
new file mode 100644
index 0000000000..3f055e8b75
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_6_12.S
@@ -0,0 +1,227 @@
+// $OpenBSD: bignum_sqr_6_12.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// ----------------------------------------------------------------------------
+// Square, z := x^2
+// Input x[6]; output z[12]
+//
+//    extern void bignum_sqr_6_12(uint64_t z[static 12], const uint64_t x[static 6]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x
+// Microsoft x64 ABI:   RCX = z, RDX = x
+// ----------------------------------------------------------------------------
+
+#include "s2n_bignum_internal.h"
+
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sqr_6_12)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sqr_6_12)
+        .text
+
+// These are actually right
+
+#define z rdi
+#define x rsi
+
+// A zero register
+
+#define zero rbp
+#define zeroe ebp
+
+// Other registers
+
+#define d1 r8
+#define d2 r9
+#define d3 r10
+#define d4 r11
+#define d5 r12
+#define d6 r13
+#define d7 r14
+#define d8 r15
+#define d9 rbx
+
+// Care is needed: re-using the zero register
+
+#define d10 rbp
+
+
+S2N_BN_SYMBOL(bignum_sqr_6_12):
+        _CET_ENDBR
+
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+#endif
+
+// Save more registers to play with
+
+        push    rbp
+        push    rbx
+        push    r12
+        push    r13
+        push    r14
+        push    r15
+
+// Set up an initial window [d8;...d1] = [34;05;03;01]
+
+        mov     rdx, [x]
+        mulx    d2, d1, [x+8]
+        mulx    d4, d3, [x+24]
+        mulx    d6, d5, [x+40]
+        mov     rdx, [x+24]
+        mulx    d8, d7, [x+32]
+
+// Clear our zero register, and also initialize the flags for the carry chain
+
+        xor     zeroe, zeroe
+
+// Chain in the addition of 02 + 12 + 13 + 14 + 15 to that window
+// (no carry-out possible since we add it to the top of a product)
+
+        mov     rdx, [x+16]
+        mulx    rcx, rax, [x]
+        adcx    d2, rax
+        adox    d3, rcx
+        mulx    rcx, rax, [x+8]
+        adcx    d3, rax
+        adox    d4, rcx
+        mov     rdx, [x+8]
+        mulx    rcx, rax, [x+24]
+        adcx    d4, rax
+        adox    d5, rcx
+        mulx    rcx, rax, [x+32]
+        adcx    d5, rax
+        adox    d6, rcx
+        mulx    rcx, rax, [x+40]
+        adcx    d6, rax
+        adox    d7, rcx
+        adcx    d7, zero
+        adox    d8, zero
+        adcx    d8, zero
+
+// Again zero out the flags. Actually they are already cleared but it may
+// help decouple these in the OOO engine not to wait for the chain above
+
+        xor     zeroe, zeroe
+
+// Now chain in the 04 + 23 + 24 + 25 + 35 + 45 terms
+// We are running out of registers and here our zero register is not zero!
+
+        mov     rdx, [x+32]
+        mulx    rcx, rax, [x]
+        adcx    d4, rax
+        adox    d5, rcx
+        mov     rdx, [x+16]
+        mulx    rcx, rax, [x+24]
+        adcx    d5, rax
+        adox    d6, rcx
+        mulx    rcx, rax, [x+32]
+        adcx    d6, rax
+        adox    d7, rcx
+        mulx    rcx, rax, [x+40]
+        adcx    d7, rax
+        adox    d8, rcx
+        mov     rdx, [x+24]
+        mulx    d9, rax, [x+40]
+        adcx    d8, rax
+        adox    d9, zero
+        mov     rdx, [x+32]
+        mulx    d10, rax, [x+40]
+        adcx    d9, rax
+        mov     eax, 0
+        adox    d10, rax
+        adcx    d10, rax
+
+// Again, just for a clear fresh start for the flags
+
+        xor     eax, eax
+
+// Double and add to the 00 + 11 + 22 + 33 + 44 + 55 terms
+//
+// We could use shift-double but this seems tidier and in larger squarings
+// it was actually more efficient. I haven't experimented with this small
+// case to see how much that matters. Note: the writeback here is sprinkled
+// into the sequence in such a way that things still work if z = x, i.e. if
+// the output overwrites the input buffer and beyond.
+
+        mov     rdx, [x]
+        mulx    rdx, rax, rdx
+        mov     [z], rax
+        adcx    d1, d1
+        adox    d1, rdx
+        mov     rdx, [x+8]
+        mov     [z+8], d1
+        mulx    rdx, rax, rdx
+        adcx    d2, d2
+        adox    d2, rax
+        adcx    d3, d3
+        adox    d3, rdx
+        mov     rdx, [x+16]
+        mov     [z+16], d2
+        mulx    rdx, rax, rdx
+        adcx    d4, d4
+        adox    d4, rax
+        adcx    d5, d5
+        adox    d5, rdx
+        mov     rdx, [x+24]
+        mov     [z+24], d3
+        mulx    rdx, rax, rdx
+        adcx    d6, d6
+        adox    d6, rax
+        adcx    d7, d7
+        adox    d7, rdx
+        mov     rdx, [x+32]
+        mov     [z+32], d4
+        mulx    rdx, rax, rdx
+        adcx    d8, d8
+        adox    d8, rax
+        adcx    d9, d9
+        adox    d9, rdx
+        mov     rdx, [x+40]
+        mov     [z+40], d5
+        mulx    rdx, rax, rdx
+        mov     [z+48], d6
+        adcx    d10, d10
+        mov     [z+56], d7
+        adox    d10, rax
+        mov     [z+64], d8
+        mov     eax, 0
+        mov     [z+72], d9
+        adcx    rdx, rax
+        mov     [z+80], d10
+        adox    rdx, rax
+        mov     [z+88], rdx
+
+// Restore saved registers and return
+
+        pop     r15
+        pop     r14
+        pop     r13
+        pop     r12
+        pop     rbx
+        pop     rbp
+
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_6_12_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_6_12_alt.S
new file mode 100644
index 0000000000..eb43b0a15b
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_6_12_alt.S
@@ -0,0 +1,210 @@
+// $OpenBSD: bignum_sqr_6_12_alt.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// ----------------------------------------------------------------------------
+// Square, z := x^2
+// Input x[6]; output z[12]
+//
+//    extern void bignum_sqr_6_12_alt(uint64_t z[static 12],
+//                                    const uint64_t x[static 6]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x
+// Microsoft x64 ABI:   RCX = z, RDX = x
+// ----------------------------------------------------------------------------
+
+#include "s2n_bignum_internal.h"
+
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sqr_6_12_alt)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sqr_6_12_alt)
+        .text
+
+// Input arguments
+
+#define z rdi
+#define x rsi
+
+// Other variables used as a rotating 3-word window to add terms to
+
+#define t0 r8
+#define t1 r9
+#define t2 r10
+
+// Additional temporaries for local windows to share doublings
+
+#define u0 rcx
+#define u1 r11
+
+// Macro for the key "multiply and add to (c,h,l)" step
+
+#define combadd(c,h,l,numa,numb)                \
+        mov     rax, numa;                      \
+        mul     QWORD PTR numb;                 \
+        add     l, rax;                         \
+        adc     h, rdx;                         \
+        adc     c, 0
+
+// Set up initial window (c,h,l) = numa * numb
+
+#define combaddz(c,h,l,numa,numb)               \
+        mov     rax, numa;                      \
+        mul     QWORD PTR numb;                 \
+        xor     c, c;                           \
+        mov     l, rax;                         \
+        mov     h, rdx
+
+// Doubling step (c,h,l) = 2 * (c,hh,ll) + (0,h,l)
+
+#define doubladd(c,h,l,hh,ll)                   \
+        add     ll, ll;                         \
+        adc     hh, hh;                         \
+        adc     c, c;                           \
+        add     l, ll;                          \
+        adc     h, hh;                          \
+        adc     c, 0
+
+// Square term incorporation (c,h,l) += numba^2
+
+#define combadd1(c,h,l,numa)                    \
+        mov     rax, numa;                      \
+        mul     rax;                            \
+        add     l, rax;                         \
+        adc     h, rdx;                         \
+        adc     c, 0
+
+// A short form where we don't expect a top carry
+
+#define combads(h,l,numa)                       \
+        mov     rax, numa;                      \
+        mul     rax;                            \
+        add     l, rax;                         \
+        adc     h, rdx
+
+// A version doubling directly before adding, for single non-square terms
+
+#define combadd2(c,h,l,numa,numb)               \
+        mov     rax, numa;                      \
+        mul     QWORD PTR numb;                 \
+        add     rax, rax;                       \
+        adc     rdx, rdx;                       \
+        adc     c, 0;                           \
+        add     l, rax;                         \
+        adc     h, rdx;                         \
+        adc     c, 0
+
+S2N_BN_SYMBOL(bignum_sqr_6_12_alt):
+        _CET_ENDBR
+
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+#endif
+
+// Result term 0
+
+        mov     rax, [x]
+        mul     rax
+
+        mov     [z], rax
+        mov     t0, rdx
+        xor     t1, t1
+
+// Result term 1
+
+        xor     t2, t2
+        combadd2(t2,t1,t0,[x],[x+8])
+        mov     [z+8], t0
+
+// Result term 2
+
+        xor     t0, t0
+        combadd1(t0,t2,t1,[x+8])
+        combadd2(t0,t2,t1,[x],[x+16])
+        mov     [z+16], t1
+
+// Result term 3
+
+        combaddz(t1,u1,u0,[x],[x+24])
+        combadd(t1,u1,u0,[x+8],[x+16])
+        doubladd(t1,t0,t2,u1,u0)
+        mov     [z+24], t2
+
+// Result term 4
+
+        combaddz(t2,u1,u0,[x],[x+32])
+        combadd(t2,u1,u0,[x+8],[x+24])
+        doubladd(t2,t1,t0,u1,u0)
+        combadd1(t2,t1,t0,[x+16])
+        mov     [z+32], t0
+
+// Result term 5
+
+        combaddz(t0,u1,u0,[x],[x+40])
+        combadd(t0,u1,u0,[x+8],[x+32])
+        combadd(t0,u1,u0,[x+16],[x+24])
+        doubladd(t0,t2,t1,u1,u0)
+        mov     [z+40], t1
+
+// Result term 6
+
+        combaddz(t1,u1,u0,[x+8],[x+40])
+        combadd(t1,u1,u0,[x+16],[x+32])
+        doubladd(t1,t0,t2,u1,u0)
+        combadd1(t1,t0,t2,[x+24])
+        mov     [z+48], t2
+
+// Result term 7
+
+        combaddz(t2,u1,u0,[x+16],[x+40])
+        combadd(t2,u1,u0,[x+24],[x+32])
+        doubladd(t2,t1,t0,u1,u0)
+        mov     [z+56], t0
+
+// Result term 8
+
+        xor     t0, t0
+        combadd2(t0,t2,t1,[x+24],[x+40])
+        combadd1(t0,t2,t1,[x+32])
+        mov     [z+64], t1
+
+// Result term 9
+
+        xor     t1, t1
+        combadd2(t1,t0,t2,[x+32],[x+40])
+        mov     [z+72], t2
+
+// Result term 10
+
+        combads(t1,t0,[x+40])
+        mov     [z+80], t0
+
+// Result term 11
+
+        mov     [z+88], t1
+
+// Return
+
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16.S
new file mode 100644
index 0000000000..41277b5b6a
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16.S
@@ -0,0 +1,311 @@
+// $OpenBSD: bignum_sqr_8_16.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// ----------------------------------------------------------------------------
+// Square, z := x^2
+// Input x[8]; output z[16]
+//
+//    extern void bignum_sqr_8_16(uint64_t z[static 16], const uint64_t x[static 8]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x
+// Microsoft x64 ABI:   RCX = z, RDX = x
+// ----------------------------------------------------------------------------
+
+#include "s2n_bignum_internal.h"
+
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sqr_8_16)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sqr_8_16)
+        .text
+
+// These are actually right
+
+#define z rdi
+#define x rsi
+
+// A zero register
+
+#define zero rbp
+#define zeroe ebp
+
+// mulpadd i, j adds rdx * x[i] into the window  at the i+j point
+
+.macro mulpadd arg1,arg2
+        mulx    rcx, rax, [x+8*\arg1]
+.if ((\arg1 + \arg2) % 8 == 0)
+        adcx    r8, rax
+        adox    r9, rcx
+.elseif ((\arg1 + \arg2) % 8 == 1)
+        adcx    r9, rax
+        adox    r10, rcx
+.elseif ((\arg1 + \arg2) % 8 == 2)
+        adcx    r10, rax
+        adox    r11, rcx
+.elseif ((\arg1 + \arg2) % 8 == 3)
+        adcx    r11, rax
+        adox    r12, rcx
+.elseif ((\arg1 + \arg2) % 8 == 4)
+        adcx    r12, rax
+        adox    r13, rcx
+.elseif ((\arg1 + \arg2) % 8 == 5)
+        adcx    r13, rax
+        adox    r14, rcx
+.elseif ((\arg1 + \arg2) % 8 == 6)
+        adcx    r14, rax
+        adox    r15, rcx
+.elseif ((\arg1 + \arg2) % 8 == 7)
+        adcx    r15, rax
+        adox    r8, rcx
+.endif
+
+.endm
+
+// mulpade i, j adds rdx * x[i] into the window at i+j
+// but re-creates the top word assuming nothing to add there
+
+.macro mulpade arg1,arg2
+.if ((\arg1 + \arg2) % 8 == 0)
+        mulx    r9, rax, [x+8*\arg1]
+        adcx    r8, rax
+        adox    r9, zero
+.elseif ((\arg1 + \arg2) % 8 == 1)
+        mulx    r10, rax, [x+8*\arg1]
+        adcx    r9, rax
+        adox    r10, zero
+.elseif ((\arg1 + \arg2) % 8 == 2)
+        mulx    r11, rax, [x+8*\arg1]
+        adcx    r10, rax
+        adox    r11, zero
+.elseif ((\arg1 + \arg2) % 8 == 3)
+        mulx    r12, rax, [x+8*\arg1]
+        adcx    r11, rax
+        adox    r12, zero
+.elseif ((\arg1 + \arg2) % 8 == 4)
+        mulx    r13, rax, [x+8*\arg1]
+        adcx    r12, rax
+        adox    r13, zero
+.elseif ((\arg1 + \arg2) % 8 == 5)
+        mulx    r14, rax, [x+8*\arg1]
+        adcx    r13, rax
+        adox    r14, zero
+.elseif ((\arg1 + \arg2) % 8 == 6)
+        mulx    r15, rax, [x+8*\arg1]
+        adcx    r14, rax
+        adox    r15, zero
+.elseif ((\arg1 + \arg2) % 8 == 7)
+        mulx    r8, rax, [x+8*\arg1]
+        adcx    r15, rax
+        adox    r8, zero
+.endif
+
+.endm
+
+.macro diagonals
+
+        xor     zeroe, zeroe
+
+// Set initial window [r8..r10] + 2 wb = 10 + 20 + 30 + 40 + 50 + 60 + 70
+
+        mov     rdx, [x]
+        mulx    rax, r9, [x+8]
+        mov     [z+8], r9
+        mulx    rcx, r10, [x+16]
+        adcx    r10, rax
+        mov     [z+16], r10
+        mulx    rax, r11, [x+24]
+        adcx    r11, rcx
+        mulx    rcx, r12, [x+32]
+        adcx    r12, rax
+        mulx    rax, r13, [x+40]
+        adcx    r13, rcx
+        mulx    rcx, r14, [x+48]
+        adcx    r14, rax
+        mulx    r8, r15, [x+56]
+        adcx    r15, rcx
+        adcx    r8, zero
+
+// Add in the next diagonal = 21 + 31 + 41 + 51 + 61 + 71 + 54
+
+        xor     zeroe, zeroe
+        mov     rdx, [x+8]
+        mulpadd 2, 1
+        mov     [z+24], r11
+        mulpadd 3, 1
+        mov     [z+32], r12
+        mulpadd 4, 1
+        mulpadd 5, 1
+        mulpadd 6, 1
+        mulpade 7, 1
+        mov     rdx, [x+32]
+        mulpade 5, 4
+        adcx    r10, zero
+
+// And the next one = 32 + 42 + 52 + 62 + 72 + 64 + 65
+
+        xor     zeroe, zeroe
+        mov     rdx, [x+16]
+        mulpadd 3, 2
+        mov     [z+40], r13
+        mulpadd 4, 2
+        mov     [z+48], r14
+        mulpadd 5, 2
+        mulpadd 6, 2
+        mulpadd 7, 2
+        mov     rdx, [x+48]
+        mulpade 4, 6
+        mulpade 5, 6
+        adcx    r12, zero
+
+// And the final one = 43 + 53 + 63 + 73 + 74 + 75 + 76
+
+        xor     zeroe, zeroe
+        mov     rdx, [x+24]
+        mulpadd 4, 3
+        mov     [z+56], r15
+        mulpadd 5, 3
+        mov     [z+64], r8
+        mulpadd 6, 3
+        mulpadd 7, 3
+        mov     rdx, [x+56]
+        mulpadd 4, 7
+        mulpade 5, 7
+        mulpade 6, 7
+        adcx    r14, zero
+
+// Double and add things; use z[1]..z[8] and thereafter the registers
+// r9..r15 which haven't been written back yet
+
+        xor     zeroe, zeroe
+        mov     rdx, [x]
+        mulx    rcx, rax, rdx
+        mov     [z], rax
+        mov     rax, [z+8]
+        adcx    rax, rax
+        adox    rax, rcx
+        mov     [z+8], rax
+
+        mov     rax, [z+16]
+        mov     rdx, [x+8]
+        mulx    rcx, rdx, rdx
+        adcx    rax, rax
+        adox    rax, rdx
+        mov     [z+16], rax
+        mov     rax, [z+24]
+        adcx    rax, rax
+        adox    rax, rcx
+        mov     [z+24], rax
+
+        mov     rax, [z+32]
+        mov     rdx, [x+16]
+        mulx    rcx, rdx, rdx
+        adcx    rax, rax
+        adox    rax, rdx
+        mov     [z+32], rax
+        mov     rax, [z+40]
+        adcx    rax, rax
+        adox    rax, rcx
+        mov     [z+40], rax
+
+        mov     rax, [z+48]
+        mov     rdx, [x+24]
+        mulx    rcx, rdx, rdx
+        adcx    rax, rax
+        adox    rax, rdx
+        mov     [z+48], rax
+        mov     rax, [z+56]
+        adcx    rax, rax
+        adox    rax, rcx
+        mov     [z+56], rax
+
+        mov     rax, [z+64]
+        mov     rdx, [x+32]
+        mulx    rcx, rdx, rdx
+        adcx    rax, rax
+        adox    rax, rdx
+        mov     [z+64], rax
+        adcx    r9, r9
+        adox    r9, rcx
+        mov     [z+72], r9
+
+        mov     rdx, [x+40]
+        mulx    rcx, rdx, rdx
+        adcx    r10, r10
+        adox    r10, rdx
+        mov     [z+80], r10
+        adcx    r11, r11
+        adox    r11, rcx
+        mov     [z+88], r11
+
+        mov     rdx, [x+48]
+        mulx    rcx, rdx, rdx
+        adcx    r12, r12
+        adox    r12, rdx
+        mov     [z+96], r12
+        adcx    r13, r13
+        adox    r13, rcx
+        mov     [z+104], r13
+
+        mov     rdx, [x+56]
+        mulx    r15, rdx, rdx
+        adcx    r14, r14
+        adox    r14, rdx
+        mov     [z+112], r14
+        adcx    r15, zero
+        adox    r15, zero
+        mov     [z+120], r15
+
+.endm
+
+
+S2N_BN_SYMBOL(bignum_sqr_8_16):
+        _CET_ENDBR
+
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+#endif
+
+// Save more registers to play with
+
+        push    rbp
+        push    r12
+        push    r13
+        push    r14
+        push    r15
+
+// Do the multiplication
+
+        diagonals
+
+// Real epilog
+
+        pop     r15
+        pop     r14
+        pop     r13
+        pop     r12
+        pop     rbp
+
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16_alt.S
index ac0b6f96c2..cb10ba2a12 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16_alt.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16_alt.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_sqr_8_16_alt.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +18,8 @@
 // Square, z := x^2
 // Input x[8]; output z[16]
 //
-//    extern void bignum_sqr_8_16_alt (uint64_t z[static 16], uint64_t x[static 8]);
+//    extern void bignum_sqr_8_16_alt(uint64_t z[static 16],
+//                                    const uint64_t x[static 8]);
 //
 // Standard x86-64 ABI: RDI = z, RSI = x
 // Microsoft x64 ABI:   RCX = z, RDX = x
@@ -103,7 +106,7 @@
         adc     c, 0
 
 S2N_BN_SYMBOL(bignum_sqr_8_16_alt):
-        _CET_ENDBR
+        _CET_ENDBR
 
 #if WINDOWS_ABI
         push    rdi
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sub.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sub.S
index 3ff8a30510..7324d3a71e 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_sub.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sub.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_sub.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,9 +18,8 @@
 // Subtract, z := x - y
 // Inputs x[m], y[n]; outputs function return (carry-out) and z[p]
 //
-//    extern uint64_t bignum_sub
-//     (uint64_t p, uint64_t *z,
-//      uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+//    extern uint64_t bignum_sub(uint64_t p, uint64_t *z, uint64_t m,
+//                               const uint64_t *x, uint64_t n, const uint64_t *y);
 //
 // Does the z := x - y operation, truncating modulo p words in general and
 // returning a top borrow (0 or 1) in the p'th place, only subtracting input
@@ -49,7 +50,7 @@
 
 
 S2N_BN_SYMBOL(bignum_sub):
-        _CET_ENDBR
+        _CET_ENDBR
 
 #if WINDOWS_ABI
         push    rdi
@@ -75,7 +76,7 @@ S2N_BN_SYMBOL(bignum_sub):
         cmp     p, n
         cmovc   n, p
         cmp     m, n
-        jc      ylonger
+        jc      bignum_sub_ylonger
 
 // The case where x is longer or of the same size (p >= m >= n)
 
@@ -83,32 +84,32 @@ S2N_BN_SYMBOL(bignum_sub):
         sub     m, n
         inc     m
         test    n, n
-        jz      xtest
-xmainloop:
+        jz      bignum_sub_xtest
+bignum_sub_xmainloop:
         mov     a, [x+8*i]
         sbb     a, [y+8*i]
         mov     [z+8*i],a
         inc     i
         dec     n
-        jnz     xmainloop
-        jmp     xtest
-xtoploop:
+        jnz     bignum_sub_xmainloop
+        jmp     bignum_sub_xtest
+bignum_sub_xtoploop:
         mov     a, [x+8*i]
         sbb     a, 0
         mov     [z+8*i],a
         inc     i
-xtest:
+bignum_sub_xtest:
         dec     m
-        jnz     xtoploop
+        jnz     bignum_sub_xtoploop
         sbb     a, a
         test    p, p
-        jz      tailskip
-tailloop:
+        jz      bignum_sub_tailskip
+bignum_sub_tailloop:
         mov     [z+8*i],a
         inc     i
         dec     p
-        jnz     tailloop
-tailskip:
+        jnz     bignum_sub_tailloop
+bignum_sub_tailskip:
         neg     a
 #if WINDOWS_ABI
         pop    rsi
@@ -118,29 +119,29 @@ tailskip:
 
 // The case where y is longer (p >= n > m)
 
-ylonger:
+bignum_sub_ylonger:
 
         sub     p, n
         sub     n, m
         test    m, m
-        jz      ytoploop
-ymainloop:
+        jz      bignum_sub_ytoploop
+bignum_sub_ymainloop:
         mov     a, [x+8*i]
         sbb     a, [y+8*i]
         mov     [z+8*i],a
         inc     i
         dec     m
-        jnz     ymainloop
-ytoploop:
+        jnz     bignum_sub_ymainloop
+bignum_sub_ytoploop:
         mov     ashort, 0
         sbb     a, [y+8*i]
         mov     [z+8*i],a
         inc     i
         dec     n
-        jnz     ytoploop
+        jnz     bignum_sub_ytoploop
         sbb     a, a
         test    p, p
-        jnz     tailloop
+        jnz     bignum_sub_tailloop
         neg     a
 #if WINDOWS_ABI
         pop    rsi
diff --git a/src/lib/libcrypto/bn/arch/amd64/bn_arch.c b/src/lib/libcrypto/bn/arch/amd64/bn_arch.c
index a377a05681..9ff8920ca2 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bn_arch.c
+++ b/src/lib/libcrypto/bn/arch/amd64/bn_arch.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_arch.c,v 1.7 2023/06/24 16:01:44 jsing Exp $ */
+/*      $OpenBSD: bn_arch.c,v 1.12 2025/08/14 15:29:17 jsing Exp $ */
 /*
  * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
  *
@@ -19,6 +19,7 @@
 
 #include "bn_arch.h"
 #include "bn_local.h"
+#include "crypto_arch.h"
 #include "s2n_bignum.h"
 
 #ifdef HAVE_BN_ADD
@@ -26,8 +27,8 @@ BN_ULONG
 bn_add(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
     int b_len)
 {
-        return bignum_add(r_len, (uint64_t *)r, a_len, (uint64_t *)a,
-            b_len, (uint64_t *)b);
+        return bignum_add(r_len, (uint64_t *)r, a_len, (const uint64_t *)a,
+            b_len, (const uint64_t *)b);
 }
 #endif
 
@@ -36,8 +37,8 @@ bn_add(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
 BN_ULONG
 bn_add_words(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd, int n)
 {
-        return bignum_add(n, (uint64_t *)rd, n, (uint64_t *)ad, n,
-            (uint64_t *)bd);
+        return bignum_add(n, (uint64_t *)rd, n, (const uint64_t *)ad, n,
+            (const uint64_t *)bd);
 }
 #endif
 
@@ -46,8 +47,8 @@ BN_ULONG
 bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
     int b_len)
 {
-        return bignum_sub(r_len, (uint64_t *)r, a_len, (uint64_t *)a,
-            b_len, (uint64_t *)b);
+        return bignum_sub(r_len, (uint64_t *)r, a_len, (const uint64_t *)a,
+            b_len, (const uint64_t *)b);
 }
 #endif
 
@@ -55,8 +56,28 @@ bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
 BN_ULONG
 bn_sub_words(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd, int n)
 {
-        return bignum_sub(n, (uint64_t *)rd, n, (uint64_t *)ad, n,
-            (uint64_t *)bd);
+        return bignum_sub(n, (uint64_t *)rd, n, (const uint64_t *)ad, n,
+            (const uint64_t *)bd);
+}
+#endif
+
+#ifdef HAVE_BN_MOD_ADD_WORDS
+void
+bn_mod_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n)
+{
+        bignum_modadd(n, (uint64_t *)r, (const uint64_t *)a,
+            (const uint64_t *)b, (const uint64_t *)m);
+}
+#endif
+
+#ifdef HAVE_BN_MOD_SUB_WORDS
+void
+bn_mod_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n)
+{
+        bignum_modsub(n, (uint64_t *)r, (const uint64_t *)a,
+            (const uint64_t *)b, (const uint64_t *)m);
 }
 #endif
 
@@ -64,7 +85,7 @@ bn_sub_words(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd, int n)
 BN_ULONG
 bn_mul_add_words(BN_ULONG *rd, const BN_ULONG *ad, int num, BN_ULONG w)
 {
-        return bignum_cmadd(num, (uint64_t *)rd, w, num, (uint64_t *)ad);
+        return bignum_cmadd(num, (uint64_t *)rd, w, num, (const uint64_t *)ad);
 }
 #endif
 
@@ -72,25 +93,52 @@ bn_mul_add_words(BN_ULONG *rd, const BN_ULONG *ad, int num, BN_ULONG w)
 BN_ULONG
 bn_mul_words(BN_ULONG *rd, const BN_ULONG *ad, int num, BN_ULONG w)
 {
-        return bignum_cmul(num, (uint64_t *)rd, w, num, (uint64_t *)ad);
+        return bignum_cmul(num, (uint64_t *)rd, w, num, (const uint64_t *)ad);
 }
 #endif
 
 #ifdef HAVE_BN_MUL_COMBA4
 void
-bn_mul_comba4(BN_ULONG *rd, BN_ULONG *ad, BN_ULONG *bd)
+bn_mul_comba4(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd)
 {
-        /* XXX - consider using non-alt on CPUs that have the ADX extension. */
-        bignum_mul_4_8_alt((uint64_t *)rd, (uint64_t *)ad, (uint64_t *)bd);
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_ADX) != 0) {
+                bignum_mul_4_8((uint64_t *)rd, (const uint64_t *)ad,
+                    (const uint64_t *)bd);
+                return;
+        }
+
+        bignum_mul_4_8_alt((uint64_t *)rd, (const uint64_t *)ad,
+            (const uint64_t *)bd);
+}
+#endif
+
+#ifdef HAVE_BN_MUL_COMBA6
+void
+bn_mul_comba6(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_ADX) != 0) {
+                bignum_mul_6_12((uint64_t *)rd, (const uint64_t *)ad,
+                    (const uint64_t *)bd);
+                return;
+        }
+
+        bignum_mul_6_12_alt((uint64_t *)rd, (const uint64_t *)ad,
+            (const uint64_t *)bd);
 }
 #endif
 
 #ifdef HAVE_BN_MUL_COMBA8
 void
-bn_mul_comba8(BN_ULONG *rd, BN_ULONG *ad, BN_ULONG *bd)
+bn_mul_comba8(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd)
 {
-        /* XXX - consider using non-alt on CPUs that have the ADX extension. */
-        bignum_mul_8_16_alt((uint64_t *)rd, (uint64_t *)ad, (uint64_t *)bd);
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_ADX) != 0) {
+                bignum_mul_8_16((uint64_t *)rd, (const uint64_t *)ad,
+                    (const uint64_t *)bd);
+                return;
+        }
+
+        bignum_mul_8_16_alt((uint64_t *)rd, (const uint64_t *)ad,
+            (const uint64_t *)bd);
 }
 #endif
 
@@ -98,7 +146,7 @@ bn_mul_comba8(BN_ULONG *rd, BN_ULONG *ad, BN_ULONG *bd)
 int
 bn_sqr(BIGNUM *r, const BIGNUM *a, int r_len, BN_CTX *ctx)
 {
-        bignum_sqr(r_len, (uint64_t *)r->d, a->top, (uint64_t *)a->d);
+        bignum_sqr(r_len, (uint64_t *)r->d, a->top, (const uint64_t *)a->d);
 
         return 1;
 }
@@ -108,8 +156,25 @@ bn_sqr(BIGNUM *r, const BIGNUM *a, int r_len, BN_CTX *ctx)
 void
 bn_sqr_comba4(BN_ULONG *rd, const BN_ULONG *ad)
 {
-        /* XXX - consider using non-alt on CPUs that have the ADX extension. */
-        bignum_sqr_4_8_alt((uint64_t *)rd, (uint64_t *)ad);
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_ADX) != 0) {
+                bignum_sqr_4_8((uint64_t *)rd, (const uint64_t *)ad);
+                return;
+        }
+
+        bignum_sqr_4_8_alt((uint64_t *)rd, (const uint64_t *)ad);
+}
+#endif
+
+#ifdef HAVE_BN_SQR_COMBA6
+void
+bn_sqr_comba6(BN_ULONG *rd, const BN_ULONG *ad)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_ADX) != 0) {
+                bignum_sqr_6_12((uint64_t *)rd, (const uint64_t *)ad);
+                return;
+        }
+
+        bignum_sqr_6_12_alt((uint64_t *)rd, (const uint64_t *)ad);
 }
 #endif
 
@@ -117,8 +182,12 @@ bn_sqr_comba4(BN_ULONG *rd, const BN_ULONG *ad)
 void
 bn_sqr_comba8(BN_ULONG *rd, const BN_ULONG *ad)
 {
-        /* XXX - consider using non-alt on CPUs that have the ADX extension. */
-        bignum_sqr_8_16_alt((uint64_t *)rd, (uint64_t *)ad);
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_ADX) != 0) {
+                bignum_sqr_8_16((uint64_t *)rd, (const uint64_t *)ad);
+                return;
+        }
+
+        bignum_sqr_8_16_alt((uint64_t *)rd, (const uint64_t *)ad);
 }
 #endif
 
diff --git a/src/lib/libcrypto/bn/arch/amd64/bn_arch.h b/src/lib/libcrypto/bn/arch/amd64/bn_arch.h
index 927cd75208..7359f993a7 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bn_arch.h
+++ b/src/lib/libcrypto/bn/arch/amd64/bn_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_arch.h,v 1.14 2024/03/26 06:09:25 jsing Exp $ */
+/*      $OpenBSD: bn_arch.h,v 1.16 2025/08/14 15:22:54 jsing Exp $ */
 /*
  * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
  *
@@ -27,13 +27,18 @@
 
 #define HAVE_BN_DIV_WORDS
 
+#define HAVE_BN_MOD_ADD_WORDS
+#define HAVE_BN_MOD_SUB_WORDS
+
 #define HAVE_BN_MUL_ADD_WORDS
 #define HAVE_BN_MUL_COMBA4
+#define HAVE_BN_MUL_COMBA6
 #define HAVE_BN_MUL_COMBA8
 #define HAVE_BN_MUL_WORDS
 
 #define HAVE_BN_SQR
 #define HAVE_BN_SQR_COMBA4
+#define HAVE_BN_SQR_COMBA6
 #define HAVE_BN_SQR_COMBA8
 
 #define HAVE_BN_SUB
diff --git a/src/lib/libcrypto/bn/arch/amd64/word_clz.S b/src/lib/libcrypto/bn/arch/amd64/word_clz.S
index 3926fcd4b0..705fbdbbda 100644
--- a/src/lib/libcrypto/bn/arch/amd64/word_clz.S
+++ b/src/lib/libcrypto/bn/arch/amd64/word_clz.S
@@ -1,3 +1,5 @@
+// $OpenBSD: word_clz.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +18,7 @@
 // Count leading zero bits in a single word
 // Input a; output function return
 //
-//    extern uint64_t word_clz (uint64_t a);
+//    extern uint64_t word_clz(uint64_t a);
 //
 // Standard x86-64 ABI: RDI = a, returns RAX
 // Microsoft x64 ABI:   RCX = a, returns RAX
@@ -30,7 +32,7 @@
         .text
 
 S2N_BN_SYMBOL(word_clz):
-        _CET_ENDBR
+        _CET_ENDBR
 
 #if WINDOWS_ABI
         push    rdi
diff --git a/src/lib/libcrypto/bn/asm/bn-586.pl b/src/lib/libcrypto/bn/asm/bn-586.pl
index 71b775af8d..19a1afdbbe 100644
--- a/src/lib/libcrypto/bn/asm/bn-586.pl
+++ b/src/lib/libcrypto/bn/asm/bn-586.pl
@@ -6,8 +6,7 @@ require "x86asm.pl";
 
 &asm_init($ARGV[0],$0);
 
-$sse2=0;
-for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+$sse2=1;
 
 &external_label("OPENSSL_ia32cap_P") if ($sse2);
 
diff --git a/src/lib/libcrypto/bn/asm/x86-mont.pl b/src/lib/libcrypto/bn/asm/x86-mont.pl
index 6524651748..3be440f11f 100755
--- a/src/lib/libcrypto/bn/asm/x86-mont.pl
+++ b/src/lib/libcrypto/bn/asm/x86-mont.pl
@@ -32,8 +32,7 @@ require "x86asm.pl";
 
 &asm_init($ARGV[0],$0);
 
-$sse2=0;
-for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+$sse2=1;
 
 &external_label("OPENSSL_ia32cap_P") if ($sse2);
 
diff --git a/src/lib/libcrypto/bn/bn_add.c b/src/lib/libcrypto/bn/bn_add.c
index 86768a312a..81fa60e429 100644
--- a/src/lib/libcrypto/bn/bn_add.c
+++ b/src/lib/libcrypto/bn/bn_add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_add.c,v 1.26 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_add.c,v 1.29 2025/05/25 04:53:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,44 +60,10 @@
 #include <limits.h>
 #include <stdio.h>
 
-#include <openssl/err.h>
-
 #include "bn_arch.h"
 #include "bn_local.h"
 #include "bn_internal.h"
-
-/*
- * bn_add_words() computes (carry:r[i]) = a[i] + b[i] + carry, where a and b
- * are both arrays of words. Any carry resulting from the addition is returned.
- */
-#ifndef HAVE_BN_ADD_WORDS
-BN_ULONG
-bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
-{
-        BN_ULONG carry = 0;
-
-        assert(n >= 0);
-        if (n <= 0)
-                return 0;
-
-        while (n & ~3) {
-                bn_qwaddqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
-                    carry, &carry, &r[3], &r[2], &r[1], &r[0]);
-                a += 4;
-                b += 4;
-                r += 4;
-                n -= 4;
-        }
-        while (n) {
-                bn_addw_addw(a[0], b[0], carry, &carry, &r[0]);
-                a++;
-                b++;
-                r++;
-                n--;
-        }
-        return carry;
-}
-#endif
+#include "err_local.h"
 
 /*
  * bn_add() computes (carry:r[i]) = a[i] + b[i] + carry, where a and b are both
@@ -147,40 +113,6 @@ bn_add(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
 #endif
 
 /*
- * bn_sub_words() computes (borrow:r[i]) = a[i] - b[i] - borrow, where a and b
- * are both arrays of words. Any borrow resulting from the subtraction is
- * returned.
- */
-#ifndef HAVE_BN_SUB_WORDS
-BN_ULONG
-bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
-{
-        BN_ULONG borrow = 0;
-
-        assert(n >= 0);
-        if (n <= 0)
-                return 0;
-
-        while (n & ~3) {
-                bn_qwsubqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
-                    borrow, &borrow, &r[3], &r[2], &r[1], &r[0]);
-                a += 4;
-                b += 4;
-                r += 4;
-                n -= 4;
-        }
-        while (n) {
-                bn_subw_subw(a[0], b[0], borrow, &borrow, &r[0]);
-                a++;
-                b++;
-                r++;
-                n--;
-        }
-        return borrow;
-}
-#endif
-
-/*
  * bn_sub() computes (borrow:r[i]) = a[i] - b[i] - borrow, where a and b are both
  * arrays of words (r may be the same as a or b). The length of a and b may
  * differ, while r must be at least max(a_len, b_len) in length. Any borrow
@@ -208,7 +140,7 @@ bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
         /* XXX - consider doing four at a time to match bn_sub_words. */
         while (diff_len < 0) {
                 /* Compute r[0] = 0 - b[0] - borrow. */
-                bn_subw(0 - b[0], borrow, &borrow, &r[0]);
+                bn_subw_subw(0, b[0], borrow, &borrow, &r[0]);
                 diff_len++;
                 b++;
                 r++;
@@ -217,7 +149,7 @@ bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
         /* XXX - consider doing four at a time to match bn_sub_words. */
         while (diff_len > 0) {
                 /* Compute r[0] = a[0] - 0 - borrow. */
-                bn_subw(a[0], borrow, &borrow, &r[0]);
+                bn_subw_subw(a[0], 0, borrow, &borrow, &r[0]);
                 diff_len--;
                 a++;
                 r++;
diff --git a/src/lib/libcrypto/bn/bn_add_sub.c b/src/lib/libcrypto/bn/bn_add_sub.c
new file mode 100644
index 0000000000..5c9d5a2b1a
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_add_sub.c
@@ -0,0 +1,178 @@
+/* $OpenBSD: bn_add_sub.c,v 1.1 2025/05/25 04:30:55 jsing Exp $ */
+/*
+ * Copyright (c) 2023,2024,2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <openssl/bn.h>
+
+#include "bn_internal.h"
+
+/*
+ * bn_add_words() computes (carry:r[i]) = a[i] + b[i] + carry, where a and b
+ * are both arrays of words. Any carry resulting from the addition is returned.
+ */
+#ifndef HAVE_BN_ADD_WORDS
+BN_ULONG
+bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
+{
+        BN_ULONG carry = 0;
+
+        while (n >= 4) {
+                bn_qwaddqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
+                    carry, &carry, &r[3], &r[2], &r[1], &r[0]);
+                a += 4;
+                b += 4;
+                r += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_addw_addw(a[0], b[0], carry, &carry, &r[0]);
+                a++;
+                b++;
+                r++;
+                n--;
+        }
+
+        return carry;
+}
+#endif
+
+/*
+ * bn_sub_words() computes (borrow:r[i]) = a[i] - b[i] - borrow, where a and b
+ * are both arrays of words. Any borrow resulting from the subtraction is
+ * returned.
+ */
+#ifndef HAVE_BN_SUB_WORDS
+BN_ULONG
+bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
+{
+        BN_ULONG borrow = 0;
+
+        while (n >= 4) {
+                bn_qwsubqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
+                    borrow, &borrow, &r[3], &r[2], &r[1], &r[0]);
+                a += 4;
+                b += 4;
+                r += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_subw_subw(a[0], b[0], borrow, &borrow, &r[0]);
+                a++;
+                b++;
+                r++;
+                n--;
+        }
+
+        return borrow;
+}
+#endif
+
+/*
+ * bn_sub_borrow() computes a[i] - b[i], returning the resulting borrow only.
+ */
+#ifndef HAVE_BN_SUB_WORDS_BORROW
+BN_ULONG
+bn_sub_words_borrow(const BN_ULONG *a, const BN_ULONG *b, size_t n)
+{
+        BN_ULONG borrow = 0;
+        BN_ULONG r;
+
+        while (n >= 4) {
+                bn_qwsubqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
+                    borrow, &borrow, &r, &r, &r, &r);
+                a += 4;
+                b += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_subw_subw(a[0], b[0], borrow, &borrow, &r);
+                a++;
+                b++;
+                n--;
+        }
+
+        return borrow;
+}
+#endif
+
+/*
+ * bn_add_words_masked() computes r[] = a[] + (b[] & mask), where a, b and r are
+ * arrays of words with length n (r may be the same as a or b).
+ */
+#ifndef HAVE_BN_ADD_WORDS_MASKED
+BN_ULONG
+bn_add_words_masked(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    BN_ULONG mask, size_t n)
+{
+        BN_ULONG carry = 0;
+
+        /* XXX - consider conditional/masked versions of bn_addw_addw/bn_qwaddqw. */
+
+        while (n >= 4) {
+                bn_qwaddqw(a[3], a[2], a[1], a[0], b[3] & mask, b[2] & mask,
+                    b[1] & mask, b[0] & mask, carry, &carry, &r[3], &r[2],
+                    &r[1], &r[0]);
+                a += 4;
+                b += 4;
+                r += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_addw_addw(a[0], b[0] & mask, carry, &carry, &r[0]);
+                a++;
+                b++;
+                r++;
+                n--;
+        }
+
+        return carry;
+}
+#endif
+
+/*
+ * bn_sub_words_masked() computes r[] = a[] - (b[] & mask), where a, b and r are
+ * arrays of words with length n (r may be the same as a or b).
+ */
+#ifndef HAVE_BN_SUB_WORDS_MASKED
+BN_ULONG
+bn_sub_words_masked(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    BN_ULONG mask, size_t n)
+{
+        BN_ULONG borrow = 0;
+
+        /* XXX - consider conditional/masked versions of bn_subw_subw/bn_qwsubqw. */
+
+        /* Compute conditional r[i] = a[i] - b[i]. */
+        while (n >= 4) {
+                bn_qwsubqw(a[3], a[2], a[1], a[0], b[3] & mask, b[2] & mask,
+                    b[1] & mask, b[0] & mask, borrow, &borrow, &r[3], &r[2],
+                    &r[1], &r[0]);
+                a += 4;
+                b += 4;
+                r += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_subw_subw(a[0], b[0] & mask, borrow, &borrow, &r[0]);
+                a++;
+                b++;
+                r++;
+                n--;
+        }
+
+        return borrow;
+}
+#endif
diff --git a/src/lib/libcrypto/bn/bn_convert.c b/src/lib/libcrypto/bn/bn_convert.c
index 6a6354f44e..ca5c7d7865 100644
--- a/src/lib/libcrypto/bn/bn_convert.c
+++ b/src/lib/libcrypto/bn/bn_convert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_convert.c,v 1.23 2024/11/08 14:18:44 jsing Exp $ */
+/* $OpenBSD: bn_convert.c,v 1.24 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -65,11 +65,11 @@
 
 #include <openssl/bio.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 
 #include "bn_local.h"
 #include "bytestring.h"
 #include "crypto_internal.h"
+#include "err_local.h"
 
 static int bn_dec2bn_cbs(BIGNUM **bnp, CBS *cbs);
 static int bn_hex2bn_cbs(BIGNUM **bnp, CBS *cbs);
diff --git a/src/lib/libcrypto/bn/bn_ctx.c b/src/lib/libcrypto/bn/bn_ctx.c
index 129b9c9781..eda93dcaa4 100644
--- a/src/lib/libcrypto/bn/bn_ctx.c
+++ b/src/lib/libcrypto/bn/bn_ctx.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_ctx.c,v 1.22 2023/07/08 12:21:58 beck Exp $ */
+/*      $OpenBSD: bn_ctx.c,v 1.23 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
  *
@@ -19,9 +19,9 @@
 #include <string.h>
 
 #include <openssl/opensslconf.h>
-#include <openssl/err.h>
 
 #include "bn_local.h"
+#include "err_local.h"
 
 #define BN_CTX_INITIAL_LEN      8
 
diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c
index 09a8a364df..1026b43add 100644
--- a/src/lib/libcrypto/bn/bn_div.c
+++ b/src/lib/libcrypto/bn/bn_div.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_div.c,v 1.41 2024/04/10 14:58:06 beck Exp $ */
+/* $OpenBSD: bn_div.c,v 1.42 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,11 +62,11 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 
 #include "bn_arch.h"
 #include "bn_local.h"
 #include "bn_internal.h"
+#include "err_local.h"
 
 BN_ULONG bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0);
 
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index e925d325d2..6a5c1c857a 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.58 2025/02/13 11:15:09 tb Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.59 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -112,10 +112,9 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <openssl/err.h>
-
 #include "bn_local.h"
 #include "constant_time.h"
+#include "err_local.h"
 
 /* maximum precomputation table size for *variable* sliding windows */
 #define TABLE_SIZE      32
diff --git a/src/lib/libcrypto/bn/bn_gcd.c b/src/lib/libcrypto/bn/bn_gcd.c
index fa5d71a7f3..319d9ca390 100644
--- a/src/lib/libcrypto/bn/bn_gcd.c
+++ b/src/lib/libcrypto/bn/bn_gcd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_gcd.c,v 1.29 2024/04/10 14:58:06 beck Exp $ */
+/* $OpenBSD: bn_gcd.c,v 1.31 2025/06/02 12:40:10 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -109,9 +109,8 @@
  *
  */
 
-#include <openssl/err.h>
-
 #include "bn_local.h"
+#include "err_local.h"
 
 static BIGNUM *
 euclid(BIGNUM *a, BIGNUM *b)
@@ -681,8 +680,10 @@ BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ct
                                         /* A >= 2*B, so D=2 or D=3 */
                                         if (!BN_sub(M, A, T))
                                                 goto err;
-                                        if (!BN_add(D,T,B)) goto err; /* use D (:= 3*B) as temp */
-                                                if (BN_ucmp(A, D) < 0) {
+                                        /* use D (:= 3*B) as temp */
+                                        if (!BN_add(D, T, B))
+                                                goto err;
+                                        if (BN_ucmp(A, D) < 0) {
                                                 /* A < 3*B, so D=2 */
                                                 if (!BN_set_word(D, 2))
                                                         goto err;
diff --git a/src/lib/libcrypto/bn/bn_internal.h b/src/lib/libcrypto/bn/bn_internal.h
index fd04bc9f8a..8b5145e225 100644
--- a/src/lib/libcrypto/bn/bn_internal.h
+++ b/src/lib/libcrypto/bn/bn_internal.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_internal.h,v 1.15 2023/06/25 11:42:26 jsing Exp $ */
+/*      $OpenBSD: bn_internal.h,v 1.20 2025/08/02 16:20:00 jsing Exp $ */
 /*
  * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
  *
@@ -26,6 +26,30 @@ int bn_word_clz(BN_ULONG w);
 
 int bn_bitsize(const BIGNUM *bn);
 
+BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    int num);
+BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    int num);
+BN_ULONG bn_sub_words_borrow(const BN_ULONG *a, const BN_ULONG *b, size_t n);
+BN_ULONG bn_add_words_masked(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    BN_ULONG mask, size_t n);
+BN_ULONG bn_sub_words_masked(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    BN_ULONG mask, size_t n);
+void bn_mod_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n);
+void bn_mod_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n);
+void bn_mod_mul_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, BN_ULONG *t, BN_ULONG m0, size_t n);
+void bn_mod_sqr_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *m,
+    BN_ULONG *t, BN_ULONG m0, size_t n);
+
+void bn_montgomery_multiply_words(BN_ULONG *rp, const BN_ULONG *ap,
+    const BN_ULONG *bp, const BN_ULONG *np, BN_ULONG *tp, BN_ULONG n0,
+    int n_len);
+void bn_montgomery_reduce_words(BN_ULONG *r, BN_ULONG *a, const BN_ULONG *n,
+    BN_ULONG n0, int n_len);
+
 #ifndef HAVE_BN_CT_NE_ZERO
 static inline int
 bn_ct_ne_zero(BN_ULONG w)
diff --git a/src/lib/libcrypto/bn/bn_isqrt.c b/src/lib/libcrypto/bn/bn_isqrt.c
index 018d5f34bd..b725519e1a 100644
--- a/src/lib/libcrypto/bn/bn_isqrt.c
+++ b/src/lib/libcrypto/bn/bn_isqrt.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_isqrt.c,v 1.10 2023/06/04 17:28:35 tb Exp $ */
+/*      $OpenBSD: bn_isqrt.c,v 1.11 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  *
@@ -19,10 +19,10 @@
 #include <stdint.h>
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 
 #include "bn_local.h"
 #include "crypto_internal.h"
+#include "err_local.h"
 
 /*
  * Calculate integer square root of |n| using a variant of Newton's method.
diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c
index 72b988650c..3e451a6191 100644
--- a/src/lib/libcrypto/bn/bn_lib.c
+++ b/src/lib/libcrypto/bn/bn_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lib.c,v 1.93 2024/04/16 13:07:14 jsing Exp $ */
+/* $OpenBSD: bn_lib.c,v 1.94 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,10 +63,9 @@
 
 #include <openssl/opensslconf.h>
 
-#include <openssl/err.h>
-
 #include "bn_local.h"
 #include "bn_internal.h"
+#include "err_local.h"
 
 BIGNUM *
 BN_new(void)
diff --git a/src/lib/libcrypto/bn/bn_local.h b/src/lib/libcrypto/bn/bn_local.h
index 067ffab3d9..1bd4c16baf 100644
--- a/src/lib/libcrypto/bn/bn_local.h
+++ b/src/lib/libcrypto/bn/bn_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_local.h,v 1.50 2025/02/13 11:04:20 tb Exp $ */
+/* $OpenBSD: bn_local.h,v 1.54 2025/08/05 15:08:13 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -240,10 +240,12 @@ BN_ULONG bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len,
     const BN_ULONG *b, int b_len);
 
 void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb);
-void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
-void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
+void bn_mul_comba4(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b);
+void bn_mul_comba6(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b);
+void bn_mul_comba8(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b);
 
 void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a);
+void bn_sqr_comba6(BN_ULONG *r, const BN_ULONG *a);
 void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a);
 
 int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
@@ -254,10 +256,6 @@ int bn_expand_bits(BIGNUM *a, size_t bits);
 int bn_expand_bytes(BIGNUM *a, size_t bytes);
 int bn_wexpand(BIGNUM *a, int words);
 
-BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-    int num);
-BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-    int num);
 BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
 BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
 void     bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
diff --git a/src/lib/libcrypto/bn/bn_mod.c b/src/lib/libcrypto/bn/bn_mod.c
index 365f6fcf03..7198c02e3b 100644
--- a/src/lib/libcrypto/bn/bn_mod.c
+++ b/src/lib/libcrypto/bn/bn_mod.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mod.c,v 1.22 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_mod.c,v 1.23 2025/05/10 05:54:38 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * for the OpenSSL project. */
 /* ====================================================================
@@ -111,9 +111,8 @@
  * [including the GNU Public Licence.]
  */
 
-#include <openssl/err.h>
-
 #include "bn_local.h"
+#include "err_local.h"
 
 int
 BN_mod_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx)
diff --git a/src/lib/libcrypto/bn/bn_mod_sqrt.c b/src/lib/libcrypto/bn/bn_mod_sqrt.c
index 280002cc48..fc55f84317 100644
--- a/src/lib/libcrypto/bn/bn_mod_sqrt.c
+++ b/src/lib/libcrypto/bn/bn_mod_sqrt.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_mod_sqrt.c,v 1.3 2023/08/03 18:53:55 tb Exp $ */
+/*      $OpenBSD: bn_mod_sqrt.c,v 1.4 2025/05/10 05:54:38 tb Exp $ */
 
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@@ -16,9 +16,8 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#include <openssl/err.h>
-
 #include "bn_local.h"
+#include "err_local.h"
 
 /*
  * Tonelli-Shanks according to H. Cohen "A Course in Computational Algebraic
diff --git a/src/lib/libcrypto/bn/bn_mod_words.c b/src/lib/libcrypto/bn/bn_mod_words.c
new file mode 100644
index 0000000000..d9aee8701a
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_mod_words.c
@@ -0,0 +1,114 @@
+/*      $OpenBSD: bn_mod_words.c,v 1.3 2025/08/05 15:15:54 jsing Exp $  */
+/*
+ * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "bn_local.h"
+#include "bn_internal.h"
+
+/*
+ * bn_mod_add_words() computes r[] = (a[] + b[]) mod m[], where a, b, r and
+ * m are arrays of words with length n (r may be the same as a or b).
+ */
+#ifndef HAVE_BN_MOD_ADD_WORDS
+void
+bn_mod_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n)
+{
+        BN_ULONG carry, mask;
+
+        /*
+         * Compute a + b, then compute r - m to determine if r >= m, considering
+         * any carry that resulted from the addition. Finally complete a
+         * conditional subtraction of r - m.
+         */
+        /* XXX - change bn_add_words to use size_t. */
+        carry = bn_add_words(r, a, b, n);
+        mask = ~(carry - bn_sub_words_borrow(r, m, n));
+        bn_sub_words_masked(r, r, m, mask, n);
+}
+#endif
+
+/*
+ * bn_mod_sub_words() computes r[] = (a[] - b[]) mod m[], where a, b, r and
+ * m are arrays of words with length n (r may be the same as a or b).
+ */
+#ifndef HAVE_BN_MOD_SUB_WORDS
+void
+bn_mod_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n)
+{
+        BN_ULONG borrow, mask;
+
+        /*
+         * Compute a - b, then complete a conditional addition of r + m
+         * based on the resulting borrow.
+         */
+        /* XXX - change bn_sub_words to use size_t. */
+        borrow = bn_sub_words(r, a, b, n);
+        mask = (0 - borrow);
+        bn_add_words_masked(r, r, m, mask, n);
+}
+#endif
+
+/*
+ * bn_mod_mul_words() computes r[] = (a[] * b[]) mod m[], where a, b, r and
+ * m are arrays of words with length n (r may be the same as a or b) in the
+ * Montgomery domain. The result remains in the Montgomery domain.
+ */
+#ifndef HAVE_BN_MOD_MUL_WORDS
+void
+bn_mod_mul_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, BN_ULONG *t, BN_ULONG m0, size_t n)
+{
+        if (n == 4) {
+                bn_mul_comba4(t, a, b);
+                bn_montgomery_reduce_words(r, t, m, m0, n);
+        } else if (n == 6) {
+                bn_mul_comba6(t, a, b);
+                bn_montgomery_reduce_words(r, t, m, m0, n);
+        } else if (n == 8) {
+                bn_mul_comba8(t, a, b);
+                bn_montgomery_reduce_words(r, t, m, m0, n);
+        } else {
+                bn_montgomery_multiply_words(r, a, b, m, t, m0, n);
+        }
+}
+#endif
+
+/*
+ * bn_mod_sqr_words() computes r[] = (a[] * a[]) mod m[], where a, r and
+ * m are arrays of words with length n (r may be the same as a) in the
+ * Montgomery domain. The result remains in the Montgomery domain.
+ */
+#ifndef HAVE_BN_MOD_SQR_WORDS
+void
+bn_mod_sqr_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *m,
+    BN_ULONG *t, BN_ULONG m0, size_t n)
+{
+        if (n == 4) {
+                bn_sqr_comba4(t, a);
+                bn_montgomery_reduce_words(r, t, m, m0, n);
+        } else if (n == 6) {
+                bn_sqr_comba6(t, a);
+                bn_montgomery_reduce_words(r, t, m, m0, n);
+        } else if (n == 8) {
+                bn_sqr_comba8(t, a);
+                bn_montgomery_reduce_words(r, t, m, m0, n);
+        } else {
+                bn_montgomery_multiply_words(r, a, a, m, t, m0, n);
+        }
+}
+#endif
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index edd7bcd0c8..8280a8db27 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mont.c,v 1.66 2025/03/09 15:22:40 tb Exp $ */
+/* $OpenBSD: bn_mont.c,v 1.69 2025/08/03 10:33:46 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -116,6 +116,7 @@
  * sections 3.8 and 4.2 in http://security.ece.orst.edu/koc/papers/r01rsasw.pdf
  */
 
+#include <limits.h>
 #include <stdio.h>
 #include <stdint.h>
 #include <string.h>
@@ -214,7 +215,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                  goto err;
         mont->N.neg = 0;
         mont->ri = ((BN_num_bits(mod) + BN_BITS2 - 1) / BN_BITS2) * BN_BITS2;
-        if (mont->ri * 2 < mont->ri)
+        if (mont->ri > INT_MAX / 2)
                 goto err;
 
         /*
@@ -316,6 +317,44 @@ BN_MONT_CTX_set_locked(BN_MONT_CTX **pmctx, int lock, const BIGNUM *mod,
 LCRYPTO_ALIAS(BN_MONT_CTX_set_locked);
 
 /*
+ * bn_montgomery_reduce_words() performs Montgomery reduction, reducing the input
+ * from its Montgomery form aR to a, returning the result in r. a must be twice
+ * the length of the modulus. Note that the input is mutated in the process of
+ * performing the reduction.
+ */
+void
+bn_montgomery_reduce_words(BN_ULONG *r, BN_ULONG *a, const BN_ULONG *n,
+    BN_ULONG n0, int n_len)
+{
+        BN_ULONG v, mask;
+        BN_ULONG carry = 0;
+        int i;
+
+        /* Add multiples of the modulus, so that it becomes divisible by R. */
+        for (i = 0; i < n_len; i++) {
+                v = bn_mul_add_words(&a[i], n, n_len, a[i] * n0);
+                bn_addw_addw(v, a[i + n_len], carry, &carry, &a[i + n_len]);
+        }
+
+        /* Divide by R (this is the equivalent of right shifting by n_len). */
+        a = &a[n_len];
+
+        /*
+         * The output is now in the range of [0, 2N). Attempt to reduce once by
+         * subtracting the modulus. If the reduction was necessary then the
+         * result is already in r, otherwise copy the value prior to reduction
+         * from the top half of a.
+         */
+        mask = carry - bn_sub_words(r, a, n, n_len);
+
+        for (i = 0; i < n_len; i++) {
+                *r = (*r & ~mask) | (*a & mask);
+                r++;
+                a++;
+        }
+}
+
+/*
  * bn_montgomery_reduce() performs Montgomery reduction, reducing the input
  * from its Montgomery form aR to a, returning the result in r. Note that the
  * input is mutated in the process of performing the reduction, destroying its
@@ -325,7 +364,6 @@ static int
 bn_montgomery_reduce(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mctx)
 {
         BIGNUM *n;
-        BN_ULONG *ap, *rp, n0, v, carry, mask;
         int i, max, n_len;
 
         n = &mctx->N;
@@ -341,7 +379,8 @@ bn_montgomery_reduce(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mctx)
 
         /*
          * Expand a to twice the length of the modulus, zero if necessary.
-         * XXX - make this a requirement of the caller.
+         * XXX - make this a requirement of the caller or use a temporary
+         * allocation.
          */
         if ((max = 2 * n_len) < n_len)
                 return 0;
@@ -350,33 +389,8 @@ bn_montgomery_reduce(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mctx)
         for (i = a->top; i < max; i++)
                 a->d[i] = 0;
 
-        carry = 0;
-        n0 = mctx->n0[0];
+        bn_montgomery_reduce_words(r->d, a->d, n->d, mctx->n0[0], n_len);
 
-        /* Add multiples of the modulus, so that it becomes divisible by R. */
-        for (i = 0; i < n_len; i++) {
-                v = bn_mul_add_words(&a->d[i], n->d, n_len, a->d[i] * n0);
-                bn_addw_addw(v, a->d[i + n_len], carry, &carry,
-                    &a->d[i + n_len]);
-        }
-
-        /* Divide by R (this is the equivalent of right shifting by n_len). */
-        ap = &a->d[n_len];
-
-        /*
-         * The output is now in the range of [0, 2N). Attempt to reduce once by
-         * subtracting the modulus. If the reduction was necessary then the
-         * result is already in r, otherwise copy the value prior to reduction
-         * from the top half of a.
-         */
-        mask = carry - bn_sub_words(r->d, ap, n->d, n_len);
-
-        rp = r->d;
-        for (i = 0; i < n_len; i++) {
-                *rp = (*rp & ~mask) | (*ap & mask);
-                rp++;
-                ap++;
-        }
         r->top = n_len;
 
         bn_correct_top(r);
@@ -417,7 +431,7 @@ bn_mod_mul_montgomery_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
         return ret;
 }
 
-static void
+static inline void
 bn_montgomery_multiply_word(const BN_ULONG *ap, BN_ULONG b, const BN_ULONG *np,
     BN_ULONG *tp, BN_ULONG w, BN_ULONG *carry_a, BN_ULONG *carry_n, int n_len)
 {
@@ -452,7 +466,7 @@ bn_montgomery_multiply_word(const BN_ULONG *ap, BN_ULONG b, const BN_ULONG *np,
  * given word arrays. The caller must ensure that rp, ap, bp and np are all
  * n_len words in length, while tp must be n_len * 2 + 2 words in length.
  */
-static void
+void
 bn_montgomery_multiply_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
     const BN_ULONG *np, BN_ULONG *tp, BN_ULONG n0, int n_len)
 {
diff --git a/src/lib/libcrypto/bn/bn_mul.c b/src/lib/libcrypto/bn/bn_mul.c
index bdeb9b0fe8..a30d05fb02 100644
--- a/src/lib/libcrypto/bn/bn_mul.c
+++ b/src/lib/libcrypto/bn/bn_mul.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mul.c,v 1.39 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_mul.c,v 1.43 2025/08/14 15:15:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,6 +57,7 @@
  */
 
 #include <assert.h>
+#include <limits.h>
 #include <stdio.h>
 #include <string.h>
 
@@ -73,7 +74,7 @@
  */
 #ifndef HAVE_BN_MUL_COMBA4
 void
-bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+bn_mul_comba4(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b)
 {
         BN_ULONG c0, c1, c2;
 
@@ -103,13 +104,73 @@ bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
 #endif
 
 /*
+ * bn_mul_comba6() computes r[] = a[] * b[] using Comba multiplication
+ * (https://everything2.com/title/Comba+multiplication), where a and b are both
+ * six word arrays, producing a 12 word array result.
+ */
+#ifndef HAVE_BN_MUL_COMBA6
+void
+bn_mul_comba6(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b)
+{
+        BN_ULONG c0, c1, c2;
+
+        bn_mulw_addtw(a[0], b[0],  0,  0,  0, &c2, &c1, &r[0]);
+
+        bn_mulw_addtw(a[0], b[1],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[0], c2, c1, c0, &c2, &c1, &r[1]);
+
+        bn_mulw_addtw(a[2], b[0],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[0], b[2], c2, c1, c0, &c2, &c1, &r[2]);
+
+        bn_mulw_addtw(a[0], b[3],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[2], b[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[0], c2, c1, c0, &c2, &c1, &r[3]);
+
+        bn_mulw_addtw(a[4], b[0],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[2], b[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[3], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[0], b[4], c2, c1, c0, &c2, &c1, &r[4]);
+
+        bn_mulw_addtw(a[0], b[5],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[4], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[2], b[3], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[4], b[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[5], b[0], c2, c1, c0, &c2, &c1, &r[5]);
+
+        bn_mulw_addtw(a[5], b[1],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[4], b[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[3], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[2], b[4], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[5], c2, c1, c0, &c2, &c1, &r[6]);
+
+        bn_mulw_addtw(a[2], b[5],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[4], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[4], b[3], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[5], b[2], c2, c1, c0, &c2, &c1, &r[7]);
+
+        bn_mulw_addtw(a[5], b[3],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[4], b[4], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[5], c2, c1, c0, &c2, &c1, &r[8]);
+
+        bn_mulw_addtw(a[4], b[5],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[5], b[4], c2, c1, c0, &c2, &c1, &r[9]);
+
+        bn_mulw_addtw(a[5], b[5],  0, c2, c1, &c2, &r[11], &r[10]);
+}
+#endif
+
+/*
  * bn_mul_comba8() computes r[] = a[] * b[] using Comba multiplication
  * (https://everything2.com/title/Comba+multiplication), where a and b are both
  * eight word arrays, producing a 16 word array result.
  */
 #ifndef HAVE_BN_MUL_COMBA8
 void
-bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+bn_mul_comba8(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b)
 {
         BN_ULONG c0, c1, c2;
 
@@ -338,14 +399,16 @@ BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
         if (rr == NULL)
                 goto err;
 
-        rn = a->top + b->top;
-        if (rn < a->top)
+        if (a->top > INT_MAX - b->top)
                 goto err;
+        rn = a->top + b->top;
         if (!bn_wexpand(rr, rn))
                 goto err;
 
         if (a->top == 4 && b->top == 4) {
                 bn_mul_comba4(rr->d, a->d, b->d);
+        } else if (a->top == 6 && b->top == 6) {
+                bn_mul_comba6(rr->d, a->d, b->d);
         } else if (a->top == 8 && b->top == 8) {
                 bn_mul_comba8(rr->d, a->d, b->d);
         } else {
diff --git a/src/lib/libcrypto/bn/bn_prime.c b/src/lib/libcrypto/bn/bn_prime.c
index 5a4aa50bf1..d85595e0dd 100644
--- a/src/lib/libcrypto/bn/bn_prime.c
+++ b/src/lib/libcrypto/bn/bn_prime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_prime.c,v 1.34 2023/07/20 06:26:27 tb Exp $ */
+/* $OpenBSD: bn_prime.c,v 1.35 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -112,9 +112,8 @@
 #include <stdio.h>
 #include <time.h>
 
-#include <openssl/err.h>
-
 #include "bn_local.h"
+#include "err_local.h"
 
 /* The quick sieve algorithm approach to weeding out primes is
  * Philip Zimmermann's, as implemented in PGP.  I have had a read of
diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c
index 9cfcd8e2c0..d3b16f70a0 100644
--- a/src/lib/libcrypto/bn/bn_rand.c
+++ b/src/lib/libcrypto/bn/bn_rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_rand.c,v 1.30 2024/03/16 20:42:33 tb Exp $ */
+/* $OpenBSD: bn_rand.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -115,9 +115,8 @@
 #include <string.h>
 #include <time.h>
 
-#include <openssl/err.h>
-
 #include "bn_local.h"
+#include "err_local.h"
 
 static int
 bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
diff --git a/src/lib/libcrypto/bn/bn_recp.c b/src/lib/libcrypto/bn/bn_recp.c
index e3f22c52a9..ed5049b772 100644
--- a/src/lib/libcrypto/bn/bn_recp.c
+++ b/src/lib/libcrypto/bn/bn_recp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_recp.c,v 1.33 2025/02/04 20:22:20 tb Exp $ */
+/* $OpenBSD: bn_recp.c,v 1.34 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -58,9 +58,8 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
-
 #include "bn_local.h"
+#include "err_local.h"
 
 struct bn_recp_ctx_st {
         BIGNUM *N;      /* the divisor */
diff --git a/src/lib/libcrypto/bn/bn_shift.c b/src/lib/libcrypto/bn/bn_shift.c
index 12edc7c0a0..b9f73cc322 100644
--- a/src/lib/libcrypto/bn/bn_shift.c
+++ b/src/lib/libcrypto/bn/bn_shift.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_shift.c,v 1.22 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_shift.c,v 1.23 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2022, 2023 Joel Sing <jsing@openbsd.org>
  *
@@ -16,9 +16,9 @@
  */
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 
 #include "bn_local.h"
+#include "err_local.h"
 
 static inline int
 bn_lshift(BIGNUM *r, const BIGNUM *a, int n)
diff --git a/src/lib/libcrypto/bn/bn_sqr.c b/src/lib/libcrypto/bn/bn_sqr.c
index 0dbccbf85d..2f7f71f819 100644
--- a/src/lib/libcrypto/bn/bn_sqr.c
+++ b/src/lib/libcrypto/bn/bn_sqr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_sqr.c,v 1.36 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_sqr.c,v 1.38 2025/08/14 15:15:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -97,6 +97,51 @@ bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a)
 #endif
 
 /*
+ * bn_sqr_comba6() computes r[] = a[] * a[] using Comba multiplication
+ * (https://everything2.com/title/Comba+multiplication), where a is an
+ * six word array, producing an 12 word array result.
+ */
+#ifndef HAVE_BN_SQR_COMBA6
+void
+bn_sqr_comba6(BN_ULONG *r, const BN_ULONG *a)
+{
+        BN_ULONG c2, c1, c0;
+
+        bn_mulw_addtw(a[0], a[0], 0, 0, 0, &c2, &c1, &r[0]);
+
+        bn_mul2_mulw_addtw(a[1], a[0], 0, c2, c1, &c2, &c1, &r[1]);
+
+        bn_mulw_addtw(a[1], a[1], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[2], a[0], c2, c1, c0, &c2, &c1, &r[2]);
+
+        bn_mul2_mulw_addtw(a[3], a[0], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[2], a[1], c2, c1, c0, &c2, &c1, &r[3]);
+
+        bn_mulw_addtw(a[2], a[2], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[3], a[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[4], a[0], c2, c1, c0, &c2, &c1, &r[4]);
+
+        bn_mul2_mulw_addtw(a[5], a[0], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[4], a[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[3], a[2], c2, c1, c0, &c2, &c1, &r[5]);
+
+        bn_mulw_addtw(a[3], a[3], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[4], a[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[5], a[1], c2, c1, c0, &c2, &c1, &r[6]);
+
+        bn_mul2_mulw_addtw(a[5], a[2], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[4], a[3], c2, c1, c0, &c2, &c1, &r[7]);
+
+        bn_mulw_addtw(a[4], a[4], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[5], a[3], c2, c1, c0, &c2, &c1, &r[8]);
+
+        bn_mul2_mulw_addtw(a[5], a[4], 0, c2, c1, &c2, &c1, &r[9]);
+
+        bn_mulw_addtw(a[5], a[5], 0, c2, c1, &c2, &r[11], &r[10]);
+}
+#endif
+
+/*
  * bn_sqr_comba8() computes r[] = a[] * a[] using Comba multiplication
  * (https://everything2.com/title/Comba+multiplication), where a is an
  * eight word array, producing an 16 word array result.
@@ -281,6 +326,8 @@ BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
 
         if (a->top == 4) {
                 bn_sqr_comba4(rr->d, a->d);
+        } else if (a->top == 6) {
+                bn_sqr_comba6(rr->d, a->d);
         } else if (a->top == 8) {
                 bn_sqr_comba8(rr->d, a->d);
         } else {
diff --git a/src/lib/libcrypto/bn/s2n_bignum.h b/src/lib/libcrypto/bn/s2n_bignum.h
index ce6e8cdc94..7d77894cdc 100644
--- a/src/lib/libcrypto/bn/s2n_bignum.h
+++ b/src/lib/libcrypto/bn/s2n_bignum.h
@@ -1,3 +1,5 @@
+// $OpenBSD: s2n_bignum.h,v 1.4 2025/08/12 10:01:37 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -34,182 +36,240 @@
 //        throughput, generally offering higher performance there.
 // ----------------------------------------------------------------------------
 
+
+#if defined(_MSC_VER) || !defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L || defined(__STDC_NO_VLA__)
+#define S2N_BIGNUM_STATIC
+#else
+#define S2N_BIGNUM_STATIC static
+#endif
+
 // Add, z := x + y
 // Inputs x[m], y[n]; outputs function return (carry-out) and z[p]
-extern uint64_t bignum_add (uint64_t p, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_add (uint64_t p, uint64_t *z, uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 
 // Add modulo p_25519, z := (x + y) mod p_25519, assuming x and y reduced
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_add_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_add_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // Add modulo p_256, z := (x + y) mod p_256, assuming x and y reduced
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_add_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_add_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // Add modulo p_256k1, z := (x + y) mod p_256k1, assuming x and y reduced
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_add_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_add_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // Add modulo p_384, z := (x + y) mod p_384, assuming x and y reduced
 // Inputs x[6], y[6]; output z[6]
-extern void bignum_add_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
+extern void bignum_add_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6], const uint64_t y[S2N_BIGNUM_STATIC 6]);
 
 // Add modulo p_521, z := (x + y) mod p_521, assuming x and y reduced
 // Inputs x[9], y[9]; output z[9]
-extern void bignum_add_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+extern void bignum_add_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9], const uint64_t y[S2N_BIGNUM_STATIC 9]);
+
+// Add modulo p_sm2, z := (x + y) mod p_sm2, assuming x and y reduced
+// Inputs x[4], y[4]; output z[4]
+extern void bignum_add_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // Compute "amontification" constant z :== 2^{128k} (congruent mod m)
 // Input m[k]; output z[k]; temporary buffer t[>=k]
-extern void bignum_amontifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t);
+extern void bignum_amontifier (uint64_t k, uint64_t *z, const uint64_t *m, uint64_t *t);
 
 // Almost-Montgomery multiply, z :== (x * y / 2^{64k}) (congruent mod m)
 // Inputs x[k], y[k], m[k]; output z[k]
-extern void bignum_amontmul (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
+extern void bignum_amontmul (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *y, const uint64_t *m);
 
 // Almost-Montgomery reduce, z :== (x' / 2^{64p}) (congruent mod m)
 // Inputs x[n], m[k], p; output z[k]
-extern void bignum_amontredc (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t *m, uint64_t p);
+extern void bignum_amontredc (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x, const uint64_t *m, uint64_t p);
 
 // Almost-Montgomery square, z :== (x^2 / 2^{64k}) (congruent mod m)
 // Inputs x[k], m[k]; output z[k]
-extern void bignum_amontsqr (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
+extern void bignum_amontsqr (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *m);
 
 // Convert 4-digit (256-bit) bignum to/from big-endian form
 // Input x[4]; output z[4]
-extern void bignum_bigendian_4 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_bigendian_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Convert 6-digit (384-bit) bignum to/from big-endian form
 // Input x[6]; output z[6]
-extern void bignum_bigendian_6 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_bigendian_6 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Select bitfield starting at bit n with length l <= 64
 // Inputs x[k], n, l; output function return
-extern uint64_t bignum_bitfield (uint64_t k, uint64_t *x, uint64_t n, uint64_t l);
+extern uint64_t bignum_bitfield (uint64_t k, const uint64_t *x, uint64_t n, uint64_t l);
 
 // Return size of bignum in bits
 // Input x[k]; output function return
-extern uint64_t bignum_bitsize (uint64_t k, uint64_t *x);
+extern uint64_t bignum_bitsize (uint64_t k, const uint64_t *x);
 
 // Divide by a single (nonzero) word, z := x / m and return x mod m
 // Inputs x[n], m; outputs function return (remainder) and z[k]
-extern uint64_t bignum_cdiv (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t m);
+extern uint64_t bignum_cdiv (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x, uint64_t m);
 
 // Divide by a single word, z := x / m when known to be exact
 // Inputs x[n], m; output z[k]
-extern void bignum_cdiv_exact (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t m);
+extern void bignum_cdiv_exact (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x, uint64_t m);
 
 // Count leading zero digits (64-bit words)
 // Input x[k]; output function return
-extern uint64_t bignum_cld (uint64_t k, uint64_t *x);
+extern uint64_t bignum_cld (uint64_t k, const uint64_t *x);
 
 // Count leading zero bits
 // Input x[k]; output function return
-extern uint64_t bignum_clz (uint64_t k, uint64_t *x);
+extern uint64_t bignum_clz (uint64_t k, const uint64_t *x);
 
 // Multiply-add with single-word multiplier, z := z + c * y
 // Inputs c, y[n]; outputs function return (carry-out) and z[k]
-extern uint64_t bignum_cmadd (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y);
+extern uint64_t bignum_cmadd (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, const uint64_t *y);
 
 // Negated multiply-add with single-word multiplier, z := z - c * y
 // Inputs c, y[n]; outputs function return (negative carry-out) and z[k]
-extern uint64_t bignum_cmnegadd (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y);
+extern uint64_t bignum_cmnegadd (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, const uint64_t *y);
 
 // Find modulus of bignum w.r.t. single nonzero word m, returning x mod m
 // Input x[k], m; output function return
-extern uint64_t bignum_cmod (uint64_t k, uint64_t *x, uint64_t m);
+extern uint64_t bignum_cmod (uint64_t k, const uint64_t *x, uint64_t m);
 
 // Multiply by a single word, z := c * y
 // Inputs c, y[n]; outputs function return (carry-out) and z[k]
-extern uint64_t bignum_cmul (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y);
+extern uint64_t bignum_cmul (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, const uint64_t *y);
 
 // Multiply by a single word modulo p_25519, z := (c * x) mod p_25519, assuming x reduced
 // Inputs c, x[4]; output z[4]
-extern void bignum_cmul_p25519 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
-extern void bignum_cmul_p25519_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+extern void bignum_cmul_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_cmul_p25519_alt (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Multiply by a single word modulo p_256, z := (c * x) mod p_256, assuming x reduced
 // Inputs c, x[4]; output z[4]
-extern void bignum_cmul_p256 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
-extern void bignum_cmul_p256_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+extern void bignum_cmul_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_cmul_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Multiply by a single word modulo p_256k1, z := (c * x) mod p_256k1, assuming x reduced
 // Inputs c, x[4]; output z[4]
-extern void bignum_cmul_p256k1 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
-extern void bignum_cmul_p256k1_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+extern void bignum_cmul_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_cmul_p256k1_alt (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Multiply by a single word modulo p_384, z := (c * x) mod p_384, assuming x reduced
 // Inputs c, x[6]; output z[6]
-extern void bignum_cmul_p384 (uint64_t z[static 6], uint64_t c, uint64_t x[static 6]);
-extern void bignum_cmul_p384_alt (uint64_t z[static 6], uint64_t c, uint64_t x[static 6]);
+extern void bignum_cmul_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 6]);
+extern void bignum_cmul_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Multiply by a single word modulo p_521, z := (c * x) mod p_521, assuming x reduced
 // Inputs c, x[9]; output z[9]
-extern void bignum_cmul_p521 (uint64_t z[static 9], uint64_t c, uint64_t x[static 9]);
-extern void bignum_cmul_p521_alt (uint64_t z[static 9], uint64_t c, uint64_t x[static 9]);
+extern void bignum_cmul_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 9]);
+extern void bignum_cmul_p521_alt (uint64_t z[S2N_BIGNUM_STATIC 9], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 9]);
+
+// Multiply by a single word modulo p_sm2, z := (c * x) mod p_sm2, assuming x reduced
+// Inputs c, x[4]; output z[4]
+extern void bignum_cmul_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_cmul_sm2_alt (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Test bignums for coprimality, gcd(x,y) = 1
 // Inputs x[m], y[n]; output function return; temporary buffer t[>=2*max(m,n)]
-extern uint64_t bignum_coprime (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y, uint64_t *t);
+extern uint64_t bignum_coprime (uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y, uint64_t *t);
 
 // Copy bignum with zero-extension or truncation, z := x
 // Input x[n]; output z[k]
-extern void bignum_copy (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x);
+extern void bignum_copy (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x);
+
+// Given table: uint64_t[height*width], copy table[idx*width...(idx+1)*width-1]
+// into z[0..width-1].
+// This function is constant-time with respect to the value of `idx`. This is
+// achieved by reading the whole table and using the bit-masking to get the
+// `idx`-th row.
+// Input table[height*width]; output z[width]
+extern void bignum_copy_row_from_table (uint64_t *z, const uint64_t *table, uint64_t height,
+        uint64_t width, uint64_t idx);
+
+// Given table: uint64_t[height*width], copy table[idx*width...(idx+1)*width-1]
+// into z[0..width-1]. width must be a multiple of 8.
+// This function is constant-time with respect to the value of `idx`. This is
+// achieved by reading the whole table and using the bit-masking to get the
+// `idx`-th row.
+// Input table[height*width]; output z[width]
+extern void bignum_copy_row_from_table_8n (uint64_t *z, const uint64_t *table,
+        uint64_t height, uint64_t width, uint64_t idx);
+
+// Given table: uint64_t[height*16], copy table[idx*16...(idx+1)*16-1] into z[0..row-1].
+// This function is constant-time with respect to the value of `idx`. This is
+// achieved by reading the whole table and using the bit-masking to get the
+// `idx`-th row.
+// Input table[height*16]; output z[16]
+extern void bignum_copy_row_from_table_16 (uint64_t *z, const uint64_t *table,
+        uint64_t height, uint64_t idx);
+
+// Given table: uint64_t[height*32], copy table[idx*32...(idx+1)*32-1] into z[0..row-1].
+// This function is constant-time with respect to the value of `idx`. This is
+// achieved by reading the whole table and using the bit-masking to get the
+// `idx`-th row.
+// Input table[height*32]; output z[32]
+extern void bignum_copy_row_from_table_32 (uint64_t *z, const uint64_t *table,
+        uint64_t height, uint64_t idx);
 
 // Count trailing zero digits (64-bit words)
 // Input x[k]; output function return
-extern uint64_t bignum_ctd (uint64_t k, uint64_t *x);
+extern uint64_t bignum_ctd (uint64_t k, const uint64_t *x);
 
 // Count trailing zero bits
 // Input x[k]; output function return
-extern uint64_t bignum_ctz (uint64_t k, uint64_t *x);
+extern uint64_t bignum_ctz (uint64_t k, const uint64_t *x);
 
 // Convert from almost-Montgomery form, z := (x / 2^256) mod p_256
 // Input x[4]; output z[4]
-extern void bignum_deamont_p256 (uint64_t z[static 4], uint64_t x[static 4]);
-extern void bignum_deamont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_deamont_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_deamont_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Convert from almost-Montgomery form, z := (x / 2^256) mod p_256k1
 // Input x[4]; output z[4]
-extern void bignum_deamont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_deamont_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Convert from almost-Montgomery form, z := (x / 2^384) mod p_384
 // Input x[6]; output z[6]
-extern void bignum_deamont_p384 (uint64_t z[static 6], uint64_t x[static 6]);
-extern void bignum_deamont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_deamont_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
+extern void bignum_deamont_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Convert from almost-Montgomery form z := (x / 2^576) mod p_521
 // Input x[9]; output z[9]
-extern void bignum_deamont_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_deamont_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+
+// Convert from almost-Montgomery form z := (x / 2^256) mod p_sm2
+// Input x[4]; output z[4]
+extern void bignum_deamont_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Convert from (almost-)Montgomery form z := (x / 2^{64k}) mod m
 // Inputs x[k], m[k]; output z[k]
-extern void bignum_demont (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
+extern void bignum_demont (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *m);
 
 // Convert from Montgomery form z := (x / 2^256) mod p_256, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_demont_p256 (uint64_t z[static 4], uint64_t x[static 4]);
-extern void bignum_demont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_demont_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_demont_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Convert from Montgomery form z := (x / 2^256) mod p_256k1, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_demont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_demont_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Convert from Montgomery form z := (x / 2^384) mod p_384, assuming x reduced
 // Input x[6]; output z[6]
-extern void bignum_demont_p384 (uint64_t z[static 6], uint64_t x[static 6]);
-extern void bignum_demont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_demont_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
+extern void bignum_demont_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Convert from Montgomery form z := (x / 2^576) mod p_521, assuming x reduced
 // Input x[9]; output z[9]
-extern void bignum_demont_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_demont_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+
+// Convert from Montgomery form z := (x / 2^256) mod p_sm2, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_demont_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Select digit x[n]
 // Inputs x[k], n; output function return
-extern uint64_t bignum_digit (uint64_t k, uint64_t *x, uint64_t n);
+extern uint64_t bignum_digit (uint64_t k, const uint64_t *x, uint64_t n);
 
 // Return size of bignum in digits (64-bit word)
 // Input x[k]; output function return
-extern uint64_t bignum_digitsize (uint64_t k, uint64_t *x);
+extern uint64_t bignum_digitsize (uint64_t k, const uint64_t *x);
 
 // Divide bignum by 10: z' := z div 10, returning remainder z mod 10
 // Inputs z[k]; outputs function return (remainder) and z[k]
@@ -217,294 +277,391 @@ extern uint64_t bignum_divmod10 (uint64_t k, uint64_t *z);
 
 // Double modulo p_25519, z := (2 * x) mod p_25519, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_double_p25519 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_double_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Double modulo p_256, z := (2 * x) mod p_256, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_double_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_double_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Double modulo p_256k1, z := (2 * x) mod p_256k1, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_double_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_double_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Double modulo p_384, z := (2 * x) mod p_384, assuming x reduced
 // Input x[6]; output z[6]
-extern void bignum_double_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_double_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Double modulo p_521, z := (2 * x) mod p_521, assuming x reduced
 // Input x[9]; output z[9]
-extern void bignum_double_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_double_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+
+// Double modulo p_sm2, z := (2 * x) mod p_sm2, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_double_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Extended Montgomery reduce, returning results in input-output buffer
 // Inputs z[2*k], m[k], w; outputs function return (extra result bit) and z[2*k]
-extern uint64_t bignum_emontredc (uint64_t k, uint64_t *z, uint64_t *m, uint64_t w);
+extern uint64_t bignum_emontredc (uint64_t k, uint64_t *z, const uint64_t *m, uint64_t w);
 
 // Extended Montgomery reduce in 8-digit blocks, results in input-output buffer
 // Inputs z[2*k], m[k], w; outputs function return (extra result bit) and z[2*k]
-extern uint64_t bignum_emontredc_8n (uint64_t k, uint64_t *z, uint64_t *m, uint64_t w);
+extern uint64_t bignum_emontredc_8n (uint64_t k, uint64_t *z, const uint64_t *m, uint64_t w);
+// Inputs z[2*k], m[k], w; outputs function return (extra result bit) and z[2*k]
+// Temporary buffer m_precalc[12*(k/4-1)]
+extern uint64_t bignum_emontredc_8n_cdiff (uint64_t k, uint64_t *z, const uint64_t *m,
+                                          uint64_t w, uint64_t *m_precalc);
 
 // Test bignums for equality, x = y
 // Inputs x[m], y[n]; output function return
-extern uint64_t bignum_eq (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_eq (uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 
 // Test bignum for even-ness
 // Input x[k]; output function return
-extern uint64_t bignum_even (uint64_t k, uint64_t *x);
+extern uint64_t bignum_even (uint64_t k, const uint64_t *x);
 
 // Convert 4-digit (256-bit) bignum from big-endian bytes
 // Input x[32] (bytes); output z[4]
-extern void bignum_frombebytes_4 (uint64_t z[static 4], uint8_t x[static 32]);
+extern void bignum_frombebytes_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint8_t x[S2N_BIGNUM_STATIC 32]);
 
 // Convert 6-digit (384-bit) bignum from big-endian bytes
 // Input x[48] (bytes); output z[6]
-extern void bignum_frombebytes_6 (uint64_t z[static 6], uint8_t x[static 48]);
+extern void bignum_frombebytes_6 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint8_t x[S2N_BIGNUM_STATIC 48]);
 
 // Convert 4-digit (256-bit) bignum from little-endian bytes
 // Input x[32] (bytes); output z[4]
-extern void bignum_fromlebytes_4 (uint64_t z[static 4], uint8_t x[static 32]);
+extern void bignum_fromlebytes_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint8_t x[S2N_BIGNUM_STATIC 32]);
 
 // Convert 6-digit (384-bit) bignum from little-endian bytes
 // Input x[48] (bytes); output z[6]
-extern void bignum_fromlebytes_6 (uint64_t z[static 6], uint8_t x[static 48]);
+extern void bignum_fromlebytes_6 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint8_t x[S2N_BIGNUM_STATIC 48]);
 
 // Convert little-endian bytes to 9-digit 528-bit bignum
 // Input x[66] (bytes); output z[9]
-extern void bignum_fromlebytes_p521 (uint64_t z[static 9],uint8_t x[static 66]);
+extern void bignum_fromlebytes_p521 (uint64_t z[S2N_BIGNUM_STATIC 9],const uint8_t x[S2N_BIGNUM_STATIC 66]);
 
 // Compare bignums, x >= y
 // Inputs x[m], y[n]; output function return
-extern uint64_t bignum_ge (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_ge (uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 
 // Compare bignums, x > y
 // Inputs x[m], y[n]; output function return
-extern uint64_t bignum_gt (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_gt (uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 
 // Halve modulo p_256, z := (x / 2) mod p_256, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_half_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_half_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Halve modulo p_256k1, z := (x / 2) mod p_256k1, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_half_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_half_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Halve modulo p_384, z := (x / 2) mod p_384, assuming x reduced
 // Input x[6]; output z[6]
-extern void bignum_half_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_half_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Halve modulo p_521, z := (x / 2) mod p_521, assuming x reduced
 // Input x[9]; output z[9]
-extern void bignum_half_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_half_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+
+// Halve modulo p_sm2, z := (x / 2) mod p_sm2, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_half_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+
+// Modular inverse modulo p_25519 = 2^255 - 19
+// Input x[4]; output z[4]
+extern void bignum_inv_p25519(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
+
+// Modular inverse modulo p_256 = 2^256 - 2^224 + 2^192 + 2^96 - 1
+// Input x[4]; output z[4]
+extern void bignum_inv_p256(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
+
+// Modular inverse modulo p_384 = 2^384 - 2^128 - 2^96 + 2^32 - 1
+// Input x[6]; output z[6]
+extern void bignum_inv_p384(uint64_t z[S2N_BIGNUM_STATIC 6],const uint64_t x[S2N_BIGNUM_STATIC 6]);
+
+// Modular inverse modulo p_521 = 2^521 - 1
+// Input x[9]; output z[9]
+extern void bignum_inv_p521(uint64_t z[S2N_BIGNUM_STATIC 9],const uint64_t x[S2N_BIGNUM_STATIC 9]);
+
+// Modular inverse modulo p_sm2 = 2^256 - 2^224 - 2^96 + 2^64 - 1
+// Input x[4]; output z[4]
+extern void bignum_inv_sm2(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
+
+// Inverse square root modulo p_25519
+// Input x[4]; output function return (Legendre symbol) and z[4]
+extern int64_t bignum_invsqrt_p25519(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern int64_t bignum_invsqrt_p25519_alt(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Test bignum for zero-ness, x = 0
 // Input x[k]; output function return
-extern uint64_t bignum_iszero (uint64_t k, uint64_t *x);
+extern uint64_t bignum_iszero (uint64_t k, const uint64_t *x);
 
 // Multiply z := x * y
 // Inputs x[16], y[16]; output z[32]; temporary buffer t[>=32]
-extern void bignum_kmul_16_32 (uint64_t z[static 32], uint64_t x[static 16], uint64_t y[static 16], uint64_t t[static 32]);
+extern void bignum_kmul_16_32 (uint64_t z[S2N_BIGNUM_STATIC 32], const uint64_t x[S2N_BIGNUM_STATIC 16], const uint64_t y[S2N_BIGNUM_STATIC 16], uint64_t t[S2N_BIGNUM_STATIC 32]);
 
 // Multiply z := x * y
 // Inputs x[32], y[32]; output z[64]; temporary buffer t[>=96]
-extern void bignum_kmul_32_64 (uint64_t z[static 64], uint64_t x[static 32], uint64_t y[static 32], uint64_t t[static 96]);
+extern void bignum_kmul_32_64 (uint64_t z[S2N_BIGNUM_STATIC 64], const uint64_t x[S2N_BIGNUM_STATIC 32], const uint64_t y[S2N_BIGNUM_STATIC 32], uint64_t t[S2N_BIGNUM_STATIC 96]);
 
 // Square, z := x^2
 // Input x[16]; output z[32]; temporary buffer t[>=24]
-extern void bignum_ksqr_16_32 (uint64_t z[static 32], uint64_t x[static 16], uint64_t t[static 24]);
+extern void bignum_ksqr_16_32 (uint64_t z[S2N_BIGNUM_STATIC 32], const uint64_t x[S2N_BIGNUM_STATIC 16], uint64_t t[S2N_BIGNUM_STATIC 24]);
 
 // Square, z := x^2
 // Input x[32]; output z[64]; temporary buffer t[>=72]
-extern void bignum_ksqr_32_64 (uint64_t z[static 64], uint64_t x[static 32], uint64_t t[static 72]);
+extern void bignum_ksqr_32_64 (uint64_t z[S2N_BIGNUM_STATIC 64], const uint64_t x[S2N_BIGNUM_STATIC 32], uint64_t t[S2N_BIGNUM_STATIC 72]);
 
 // Compare bignums, x <= y
 // Inputs x[m], y[n]; output function return
-extern uint64_t bignum_le (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_le (uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 
 // Convert 4-digit (256-bit) bignum to/from little-endian form
 // Input x[4]; output z[4]
-extern void bignum_littleendian_4 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_littleendian_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Convert 6-digit (384-bit) bignum to/from little-endian form
 // Input x[6]; output z[6]
-extern void bignum_littleendian_6 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_littleendian_6 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Compare bignums, x < y
 // Inputs x[m], y[n]; output function return
-extern uint64_t bignum_lt (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_lt (uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 
 // Multiply-add, z := z + x * y
 // Inputs x[m], y[n]; outputs function return (carry-out) and z[k]
-extern uint64_t bignum_madd (uint64_t k, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_madd (uint64_t k, uint64_t *z, uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
+
+// Multiply-add modulo the order of the curve25519/edwards25519 basepoint
+// Inputs x[4], y[4], c[4]; output z[4]
+extern void bignum_madd_n25519 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4], const uint64_t c[S2N_BIGNUM_STATIC 4]);
+extern void bignum_madd_n25519_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4], const uint64_t c[S2N_BIGNUM_STATIC 4]);
+
+// Reduce modulo group order, z := x mod m_25519
+// Input x[4]; output z[4]
+extern void bignum_mod_m25519_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+
+// Reduce modulo basepoint order, z := x mod n_25519
+// Input x[k]; output z[4]
+extern void bignum_mod_n25519 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
+
+// Reduce modulo basepoint order, z := x mod n_25519
+// Input x[4]; output z[4]
+extern void bignum_mod_n25519_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Reduce modulo group order, z := x mod n_256
 // Input x[k]; output z[4]
-extern void bignum_mod_n256 (uint64_t z[static 4], uint64_t k, uint64_t *x);
-extern void bignum_mod_n256_alt (uint64_t z[static 4], uint64_t k, uint64_t *x);
+extern void bignum_mod_n256 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
+extern void bignum_mod_n256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
 
 // Reduce modulo group order, z := x mod n_256
 // Input x[4]; output z[4]
-extern void bignum_mod_n256_4 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_mod_n256_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Reduce modulo group order, z := x mod n_256k1
 // Input x[4]; output z[4]
-extern void bignum_mod_n256k1_4 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_mod_n256k1_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Reduce modulo group order, z := x mod n_384
 // Input x[k]; output z[6]
-extern void bignum_mod_n384 (uint64_t z[static 6], uint64_t k, uint64_t *x);
-extern void bignum_mod_n384_alt (uint64_t z[static 6], uint64_t k, uint64_t *x);
+extern void bignum_mod_n384 (uint64_t z[S2N_BIGNUM_STATIC 6], uint64_t k, const uint64_t *x);
+extern void bignum_mod_n384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], uint64_t k, const uint64_t *x);
 
 // Reduce modulo group order, z := x mod n_384
 // Input x[6]; output z[6]
-extern void bignum_mod_n384_6 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_mod_n384_6 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Reduce modulo group order, z := x mod n_521
 // Input x[9]; output z[9]
-extern void bignum_mod_n521_9 (uint64_t z[static 9], uint64_t x[static 9]);
-extern void bignum_mod_n521_9_alt (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_mod_n521_9 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+extern void bignum_mod_n521_9_alt (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+
+// Reduce modulo group order, z := x mod n_sm2
+// Input x[k]; output z[4]
+extern void bignum_mod_nsm2 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
+extern void bignum_mod_nsm2_alt (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
+
+// Reduce modulo group order, z := x mod n_sm2
+// Input x[4]; output z[4]
+extern void bignum_mod_nsm2_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Reduce modulo field characteristic, z := x mod p_25519
 // Input x[4]; output z[4]
-extern void bignum_mod_p25519_4 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_mod_p25519_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Reduce modulo field characteristic, z := x mod p_256
 // Input x[k]; output z[4]
-extern void bignum_mod_p256 (uint64_t z[static 4], uint64_t k, uint64_t *x);
-extern void bignum_mod_p256_alt (uint64_t z[static 4], uint64_t k, uint64_t *x);
+extern void bignum_mod_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
+extern void bignum_mod_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
 
 // Reduce modulo field characteristic, z := x mod p_256
 // Input x[4]; output z[4]
-extern void bignum_mod_p256_4 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_mod_p256_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Reduce modulo field characteristic, z := x mod p_256k1
 // Input x[4]; output z[4]
-extern void bignum_mod_p256k1_4 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_mod_p256k1_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Reduce modulo field characteristic, z := x mod p_384
 // Input x[k]; output z[6]
-extern void bignum_mod_p384 (uint64_t z[static 6], uint64_t k, uint64_t *x);
-extern void bignum_mod_p384_alt (uint64_t z[static 6], uint64_t k, uint64_t *x);
+extern void bignum_mod_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], uint64_t k, const uint64_t *x);
+extern void bignum_mod_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], uint64_t k, const uint64_t *x);
 
 // Reduce modulo field characteristic, z := x mod p_384
 // Input x[6]; output z[6]
-extern void bignum_mod_p384_6 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_mod_p384_6 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Reduce modulo field characteristic, z := x mod p_521
 // Input x[9]; output z[9]
-extern void bignum_mod_p521_9 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_mod_p521_9 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+
+// Reduce modulo field characteristic, z := x mod p_sm2
+// Input x[k]; output z[4]
+extern void bignum_mod_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
+
+// Reduce modulo field characteristic, z := x mod p_sm2
+// Input x[4]; output z[4]
+extern void bignum_mod_sm2_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Add modulo m, z := (x + y) mod m, assuming x and y reduced
 // Inputs x[k], y[k], m[k]; output z[k]
-extern void bignum_modadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
+extern void bignum_modadd (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *y, const uint64_t *m);
 
 // Double modulo m, z := (2 * x) mod m, assuming x reduced
 // Inputs x[k], m[k]; output z[k]
-extern void bignum_moddouble (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
+extern void bignum_moddouble (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *m);
+
+// Modular exponentiation for arbitrary odd modulus, z := (a^p) mod m
+// Inputs a[k], p[k], m[k]; output z[k], temporary buffer t[>=3*k]
+extern void bignum_modexp(uint64_t k,uint64_t *z, const uint64_t *a,const uint64_t *p,const uint64_t *m,uint64_t *t);
 
 // Compute "modification" constant z := 2^{64k} mod m
 // Input m[k]; output z[k]; temporary buffer t[>=k]
-extern void bignum_modifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t);
+extern void bignum_modifier (uint64_t k, uint64_t *z, const uint64_t *m, uint64_t *t);
 
 // Invert modulo m, z = (1/a) mod b, assuming b is an odd number > 1, a coprime to b
 // Inputs a[k], b[k]; output z[k]; temporary buffer t[>=3*k]
-extern void bignum_modinv (uint64_t k, uint64_t *z, uint64_t *a, uint64_t *b, uint64_t *t);
+extern void bignum_modinv (uint64_t k, uint64_t *z, const uint64_t *a, const uint64_t *b, uint64_t *t);
 
 // Optionally negate modulo m, z := (-x) mod m (if p nonzero) or z := x (if p zero), assuming x reduced
 // Inputs p, x[k], m[k]; output z[k]
-extern void bignum_modoptneg (uint64_t k, uint64_t *z, uint64_t p, uint64_t *x, uint64_t *m);
+extern void bignum_modoptneg (uint64_t k, uint64_t *z, uint64_t p, const uint64_t *x, const uint64_t *m);
 
 // Subtract modulo m, z := (x - y) mod m, assuming x and y reduced
 // Inputs x[k], y[k], m[k]; output z[k]
-extern void bignum_modsub (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
+extern void bignum_modsub (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *y, const uint64_t *m);
 
 // Compute "montification" constant z := 2^{128k} mod m
 // Input m[k]; output z[k]; temporary buffer t[>=k]
-extern void bignum_montifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t);
+extern void bignum_montifier (uint64_t k, uint64_t *z, const uint64_t *m, uint64_t *t);
+
+// Montgomery inverse modulo p_256 = 2^256 - 2^224 + 2^192 + 2^96 - 1
+// Input x[4]; output z[4]
+extern void bignum_montinv_p256(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
+
+// Montgomery inverse modulo p_384 = 2^384 - 2^128 - 2^96 + 2^32 - 1
+// Input x[6]; output z[6]
+extern void bignum_montinv_p384(uint64_t z[S2N_BIGNUM_STATIC 6],const uint64_t x[S2N_BIGNUM_STATIC 6]);
+
+// Montgomery inverse modulo p_sm2 = 2^256 - 2^224 - 2^96 + 2^64 - 1
+// Input x[4]; output z[4]
+extern void bignum_montinv_sm2(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Montgomery multiply, z := (x * y / 2^{64k}) mod m
 // Inputs x[k], y[k], m[k]; output z[k]
-extern void bignum_montmul (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
+extern void bignum_montmul (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *y, const uint64_t *m);
 
 // Montgomery multiply, z := (x * y / 2^256) mod p_256
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_montmul_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
-extern void bignum_montmul_p256_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_montmul_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
+extern void bignum_montmul_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // Montgomery multiply, z := (x * y / 2^256) mod p_256k1
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_montmul_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
-extern void bignum_montmul_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_montmul_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
+extern void bignum_montmul_p256k1_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // Montgomery multiply, z := (x * y / 2^384) mod p_384
 // Inputs x[6], y[6]; output z[6]
-extern void bignum_montmul_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
-extern void bignum_montmul_p384_alt (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
+extern void bignum_montmul_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6], const uint64_t y[S2N_BIGNUM_STATIC 6]);
+extern void bignum_montmul_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6], const uint64_t y[S2N_BIGNUM_STATIC 6]);
 
 // Montgomery multiply, z := (x * y / 2^576) mod p_521
 // Inputs x[9], y[9]; output z[9]
-extern void bignum_montmul_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
-extern void bignum_montmul_p521_alt (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+extern void bignum_montmul_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9], const uint64_t y[S2N_BIGNUM_STATIC 9]);
+extern void bignum_montmul_p521_alt (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9], const uint64_t y[S2N_BIGNUM_STATIC 9]);
+
+// Montgomery multiply, z := (x * y / 2^256) mod p_sm2
+// Inputs x[4], y[4]; output z[4]
+extern void bignum_montmul_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
+extern void bignum_montmul_sm2_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // Montgomery reduce, z := (x' / 2^{64p}) MOD m
 // Inputs x[n], m[k], p; output z[k]
-extern void bignum_montredc (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t *m, uint64_t p);
+extern void bignum_montredc (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x, const uint64_t *m, uint64_t p);
 
 // Montgomery square, z := (x^2 / 2^{64k}) mod m
 // Inputs x[k], m[k]; output z[k]
-extern void bignum_montsqr (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
+extern void bignum_montsqr (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *m);
 
 // Montgomery square, z := (x^2 / 2^256) mod p_256
 // Input x[4]; output z[4]
-extern void bignum_montsqr_p256 (uint64_t z[static 4], uint64_t x[static 4]);
-extern void bignum_montsqr_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_montsqr_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_montsqr_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Montgomery square, z := (x^2 / 2^256) mod p_256k1
 // Input x[4]; output z[4]
-extern void bignum_montsqr_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
-extern void bignum_montsqr_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_montsqr_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_montsqr_p256k1_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Montgomery square, z := (x^2 / 2^384) mod p_384
 // Input x[6]; output z[6]
-extern void bignum_montsqr_p384 (uint64_t z[static 6], uint64_t x[static 6]);
-extern void bignum_montsqr_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_montsqr_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
+extern void bignum_montsqr_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Montgomery square, z := (x^2 / 2^576) mod p_521
 // Input x[9]; output z[9]
-extern void bignum_montsqr_p521 (uint64_t z[static 9], uint64_t x[static 9]);
-extern void bignum_montsqr_p521_alt (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_montsqr_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+extern void bignum_montsqr_p521_alt (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+
+// Montgomery square, z := (x^2 / 2^256) mod p_sm2
+// Input x[4]; output z[4]
+extern void bignum_montsqr_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_montsqr_sm2_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Multiply z := x * y
 // Inputs x[m], y[n]; output z[k]
-extern void bignum_mul (uint64_t k, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern void bignum_mul (uint64_t k, uint64_t *z, uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 
 // Multiply z := x * y
 // Inputs x[4], y[4]; output z[8]
-extern void bignum_mul_4_8 (uint64_t z[static 8], uint64_t x[static 4], uint64_t y[static 4]);
-extern void bignum_mul_4_8_alt (uint64_t z[static 8], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_mul_4_8 (uint64_t z[S2N_BIGNUM_STATIC 8], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
+extern void bignum_mul_4_8_alt (uint64_t z[S2N_BIGNUM_STATIC 8], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // Multiply z := x * y
 // Inputs x[6], y[6]; output z[12]
-extern void bignum_mul_6_12 (uint64_t z[static 12], uint64_t x[static 6], uint64_t y[static 6]);
-extern void bignum_mul_6_12_alt (uint64_t z[static 12], uint64_t x[static 6], uint64_t y[static 6]);
+extern void bignum_mul_6_12 (uint64_t z[S2N_BIGNUM_STATIC 12], const uint64_t x[S2N_BIGNUM_STATIC 6], const uint64_t y[S2N_BIGNUM_STATIC 6]);
+extern void bignum_mul_6_12_alt (uint64_t z[S2N_BIGNUM_STATIC 12], const uint64_t x[S2N_BIGNUM_STATIC 6], const uint64_t y[S2N_BIGNUM_STATIC 6]);
 
 // Multiply z := x * y
 // Inputs x[8], y[8]; output z[16]
-extern void bignum_mul_8_16 (uint64_t z[static 16], uint64_t x[static 8], uint64_t y[static 8]);
-extern void bignum_mul_8_16_alt (uint64_t z[static 16], uint64_t x[static 8], uint64_t y[static 8]);
+extern void bignum_mul_8_16 (uint64_t z[S2N_BIGNUM_STATIC 16], const uint64_t x[S2N_BIGNUM_STATIC 8], const uint64_t y[S2N_BIGNUM_STATIC 8]);
+extern void bignum_mul_8_16_alt (uint64_t z[S2N_BIGNUM_STATIC 16], const uint64_t x[S2N_BIGNUM_STATIC 8], const uint64_t y[S2N_BIGNUM_STATIC 8]);
 
 // Multiply modulo p_25519, z := (x * y) mod p_25519
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_mul_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
-extern void bignum_mul_p25519_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_mul_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
+extern void bignum_mul_p25519_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // Multiply modulo p_256k1, z := (x * y) mod p_256k1
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_mul_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
-extern void bignum_mul_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_mul_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
+extern void bignum_mul_p256k1_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // Multiply modulo p_521, z := (x * y) mod p_521, assuming x and y reduced
 // Inputs x[9], y[9]; output z[9]
-extern void bignum_mul_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
-extern void bignum_mul_p521_alt (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+extern void bignum_mul_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9], const uint64_t y[S2N_BIGNUM_STATIC 9]);
+extern void bignum_mul_p521_alt (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9], const uint64_t y[S2N_BIGNUM_STATIC 9]);
 
 // Multiply bignum by 10 and add word: z := 10 * z + d
 // Inputs z[k], d; outputs function return (carry) and z[k]
@@ -512,55 +669,59 @@ extern uint64_t bignum_muladd10 (uint64_t k, uint64_t *z, uint64_t d);
 
 // Multiplex/select z := x (if p nonzero) or z := y (if p zero)
 // Inputs p, x[k], y[k]; output z[k]
-extern void bignum_mux (uint64_t p, uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y);
+extern void bignum_mux (uint64_t p, uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *y);
 
 // 256-bit multiplex/select z := x (if p nonzero) or z := y (if p zero)
 // Inputs p, x[4], y[4]; output z[4]
-extern void bignum_mux_4 (uint64_t p, uint64_t z[static 4],uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_mux_4 (uint64_t p, uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // 384-bit multiplex/select z := x (if p nonzero) or z := y (if p zero)
 // Inputs p, x[6], y[6]; output z[6]
-extern void bignum_mux_6 (uint64_t p, uint64_t z[static 6],uint64_t x[static 6], uint64_t y[static 6]);
+extern void bignum_mux_6 (uint64_t p, uint64_t z[S2N_BIGNUM_STATIC 6],const uint64_t x[S2N_BIGNUM_STATIC 6], const uint64_t y[S2N_BIGNUM_STATIC 6]);
 
 // Select element from 16-element table, z := xs[k*i]
 // Inputs xs[16*k], i; output z[k]
-extern void bignum_mux16 (uint64_t k, uint64_t *z, uint64_t *xs, uint64_t i);
+extern void bignum_mux16 (uint64_t k, uint64_t *z, const uint64_t *xs, uint64_t i);
 
 // Negate modulo p_25519, z := (-x) mod p_25519, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_neg_p25519 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_neg_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Negate modulo p_256, z := (-x) mod p_256, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_neg_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_neg_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Negate modulo p_256k1, z := (-x) mod p_256k1, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_neg_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_neg_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Negate modulo p_384, z := (-x) mod p_384, assuming x reduced
 // Input x[6]; output z[6]
-extern void bignum_neg_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_neg_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Negate modulo p_521, z := (-x) mod p_521, assuming x reduced
 // Input x[9]; output z[9]
-extern void bignum_neg_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_neg_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+
+// Negate modulo p_sm2, z := (-x) mod p_sm2, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_neg_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Negated modular inverse, z := (-1/x) mod 2^{64k}
 // Input x[k]; output z[k]
-extern void bignum_negmodinv (uint64_t k, uint64_t *z, uint64_t *x);
+extern void bignum_negmodinv (uint64_t k, uint64_t *z, const uint64_t *x);
 
 // Test bignum for nonzero-ness x =/= 0
 // Input x[k]; output function return
-extern uint64_t bignum_nonzero (uint64_t k, uint64_t *x);
+extern uint64_t bignum_nonzero (uint64_t k, const uint64_t *x);
 
 // Test 256-bit bignum for nonzero-ness x =/= 0
 // Input x[4]; output function return
-extern uint64_t bignum_nonzero_4(uint64_t x[static 4]);
+extern uint64_t bignum_nonzero_4(const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Test 384-bit bignum for nonzero-ness x =/= 0
 // Input x[6]; output function return
-extern uint64_t bignum_nonzero_6(uint64_t x[static 6]);
+extern uint64_t bignum_nonzero_6(const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Normalize bignum in-place by shifting left till top bit is 1
 // Input z[k]; outputs function return (bits shifted left) and z[k]
@@ -568,7 +729,7 @@ extern uint64_t bignum_normalize (uint64_t k, uint64_t *z);
 
 // Test bignum for odd-ness
 // Input x[k]; output function return
-extern uint64_t bignum_odd (uint64_t k, uint64_t *x);
+extern uint64_t bignum_odd (uint64_t k, const uint64_t *x);
 
 // Convert single digit to bignum, z := n
 // Input n; output z[k]
@@ -576,39 +737,43 @@ extern void bignum_of_word (uint64_t k, uint64_t *z, uint64_t n);
 
 // Optionally add, z := x + y (if p nonzero) or z := x (if p zero)
 // Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k]
-extern uint64_t bignum_optadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y);
+extern uint64_t bignum_optadd (uint64_t k, uint64_t *z, const uint64_t *x, uint64_t p, const uint64_t *y);
 
 // Optionally negate, z := -x (if p nonzero) or z := x (if p zero)
 // Inputs p, x[k]; outputs function return (nonzero input) and z[k]
-extern uint64_t bignum_optneg (uint64_t k, uint64_t *z, uint64_t p, uint64_t *x);
+extern uint64_t bignum_optneg (uint64_t k, uint64_t *z, uint64_t p, const uint64_t *x);
 
 // Optionally negate modulo p_25519, z := (-x) mod p_25519 (if p nonzero) or z := x (if p zero), assuming x reduced
 // Inputs p, x[4]; output z[4]
-extern void bignum_optneg_p25519 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]);
+extern void bignum_optneg_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t p, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Optionally negate modulo p_256, z := (-x) mod p_256 (if p nonzero) or z := x (if p zero), assuming x reduced
 // Inputs p, x[4]; output z[4]
-extern void bignum_optneg_p256 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]);
+extern void bignum_optneg_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t p, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Optionally negate modulo p_256k1, z := (-x) mod p_256k1 (if p nonzero) or z := x (if p zero), assuming x reduced
 // Inputs p, x[4]; output z[4]
-extern void bignum_optneg_p256k1 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]);
+extern void bignum_optneg_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t p, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Optionally negate modulo p_384, z := (-x) mod p_384 (if p nonzero) or z := x (if p zero), assuming x reduced
 // Inputs p, x[6]; output z[6]
-extern void bignum_optneg_p384 (uint64_t z[static 6], uint64_t p, uint64_t x[static 6]);
+extern void bignum_optneg_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], uint64_t p, const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Optionally negate modulo p_521, z := (-x) mod p_521 (if p nonzero) or z := x (if p zero), assuming x reduced
 // Inputs p, x[9]; output z[9]
-extern void bignum_optneg_p521 (uint64_t z[static 9], uint64_t p, uint64_t x[static 9]);
+extern void bignum_optneg_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], uint64_t p, const uint64_t x[S2N_BIGNUM_STATIC 9]);
+
+// Optionally negate modulo p_sm2, z := (-x) mod p_sm2 (if p nonzero) or z := x (if p zero), assuming x reduced
+// Inputs p, x[4]; output z[4]
+extern void bignum_optneg_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t p, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Optionally subtract, z := x - y (if p nonzero) or z := x (if p zero)
 // Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k]
-extern uint64_t bignum_optsub (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y);
+extern uint64_t bignum_optsub (uint64_t k, uint64_t *z, const uint64_t *x, uint64_t p, const uint64_t *y);
 
 // Optionally subtract or add, z := x + sgn(p) * y interpreting p as signed
 // Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k]
-extern uint64_t bignum_optsubadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y);
+extern uint64_t bignum_optsubadd (uint64_t k, uint64_t *z, const uint64_t *x, uint64_t p, const uint64_t *y);
 
 // Return bignum of power of 2, z := 2^n
 // Input n; output z[k]
@@ -616,216 +781,376 @@ extern void bignum_pow2 (uint64_t k, uint64_t *z, uint64_t n);
 
 // Shift bignum left by c < 64 bits z := x * 2^c
 // Inputs x[n], c; outputs function return (carry-out) and z[k]
-extern uint64_t bignum_shl_small (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t c);
+extern uint64_t bignum_shl_small (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x, uint64_t c);
 
 // Shift bignum right by c < 64 bits z := floor(x / 2^c)
 // Inputs x[n], c; outputs function return (bits shifted out) and z[k]
-extern uint64_t bignum_shr_small (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t c);
+extern uint64_t bignum_shr_small (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x, uint64_t c);
 
 // Square, z := x^2
 // Input x[n]; output z[k]
-extern void bignum_sqr (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x);
+extern void bignum_sqr (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x);
 
 // Square, z := x^2
 // Input x[4]; output z[8]
-extern void bignum_sqr_4_8 (uint64_t z[static 8], uint64_t x[static 4]);
-extern void bignum_sqr_4_8_alt (uint64_t z[static 8], uint64_t x[static 4]);
+extern void bignum_sqr_4_8 (uint64_t z[S2N_BIGNUM_STATIC 8], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_sqr_4_8_alt (uint64_t z[S2N_BIGNUM_STATIC 8], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Square, z := x^2
 // Input x[6]; output z[12]
-extern void bignum_sqr_6_12 (uint64_t z[static 12], uint64_t x[static 6]);
-extern void bignum_sqr_6_12_alt (uint64_t z[static 12], uint64_t x[static 6]);
+extern void bignum_sqr_6_12 (uint64_t z[S2N_BIGNUM_STATIC 12], const uint64_t x[S2N_BIGNUM_STATIC 6]);
+extern void bignum_sqr_6_12_alt (uint64_t z[S2N_BIGNUM_STATIC 12], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Square, z := x^2
 // Input x[8]; output z[16]
-extern void bignum_sqr_8_16 (uint64_t z[static 16], uint64_t x[static 8]);
-extern void bignum_sqr_8_16_alt (uint64_t z[static 16], uint64_t x[static 8]);
+extern void bignum_sqr_8_16 (uint64_t z[S2N_BIGNUM_STATIC 16], const uint64_t x[S2N_BIGNUM_STATIC 8]);
+extern void bignum_sqr_8_16_alt (uint64_t z[S2N_BIGNUM_STATIC 16], const uint64_t x[S2N_BIGNUM_STATIC 8]);
 
 // Square modulo p_25519, z := (x^2) mod p_25519
 // Input x[4]; output z[4]
-extern void bignum_sqr_p25519 (uint64_t z[static 4], uint64_t x[static 4]);
-extern void bignum_sqr_p25519_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_sqr_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_sqr_p25519_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Square modulo p_256k1, z := (x^2) mod p_256k1
 // Input x[4]; output z[4]
-extern void bignum_sqr_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
-extern void bignum_sqr_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_sqr_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_sqr_p256k1_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Square modulo p_521, z := (x^2) mod p_521, assuming x reduced
 // Input x[9]; output z[9]
-extern void bignum_sqr_p521 (uint64_t z[static 9], uint64_t x[static 9]);
-extern void bignum_sqr_p521_alt (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_sqr_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+extern void bignum_sqr_p521_alt (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+
+// Square root modulo p_25519
+// Input x[4]; output function return (Legendre symbol) and z[4]
+extern int64_t bignum_sqrt_p25519(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern int64_t bignum_sqrt_p25519_alt(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Subtract, z := x - y
 // Inputs x[m], y[n]; outputs function return (carry-out) and z[p]
-extern uint64_t bignum_sub (uint64_t p, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_sub (uint64_t p, uint64_t *z, uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 
 // Subtract modulo p_25519, z := (x - y) mod p_25519, assuming x and y reduced
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_sub_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_sub_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // Subtract modulo p_256, z := (x - y) mod p_256, assuming x and y reduced
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_sub_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_sub_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // Subtract modulo p_256k1, z := (x - y) mod p_256k1, assuming x and y reduced
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_sub_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_sub_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // Subtract modulo p_384, z := (x - y) mod p_384, assuming x and y reduced
 // Inputs x[6], y[6]; output z[6]
-extern void bignum_sub_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
+extern void bignum_sub_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6], const uint64_t y[S2N_BIGNUM_STATIC 6]);
 
 // Subtract modulo p_521, z := (x - y) mod p_521, assuming x and y reduced
 // Inputs x[9], y[9]; output z[9]
-extern void bignum_sub_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+extern void bignum_sub_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9], const uint64_t y[S2N_BIGNUM_STATIC 9]);
+
+// Subtract modulo p_sm2, z := (x - y) mod p_sm2, assuming x and y reduced
+// Inputs x[4], y[4]; output z[4]
+extern void bignum_sub_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 
 // Convert 4-digit (256-bit) bignum to big-endian bytes
 // Input x[4]; output z[32] (bytes)
-extern void bignum_tobebytes_4 (uint8_t z[static 32], uint64_t x[static 4]);
+extern void bignum_tobebytes_4 (uint8_t z[S2N_BIGNUM_STATIC 32], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Convert 6-digit (384-bit) bignum to big-endian bytes
 // Input x[6]; output z[48] (bytes)
-extern void bignum_tobebytes_6 (uint8_t z[static 48], uint64_t x[static 6]);
+extern void bignum_tobebytes_6 (uint8_t z[S2N_BIGNUM_STATIC 48], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Convert 4-digit (256-bit) bignum to little-endian bytes
 // Input x[4]; output z[32] (bytes)
-extern void bignum_tolebytes_4 (uint8_t z[static 32], uint64_t x[static 4]);
+extern void bignum_tolebytes_4 (uint8_t z[S2N_BIGNUM_STATIC 32], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Convert 6-digit (384-bit) bignum to little-endian bytes
 // Input x[6]; output z[48] (bytes)
-extern void bignum_tolebytes_6 (uint8_t z[static 48], uint64_t x[static 6]);
+extern void bignum_tolebytes_6 (uint8_t z[S2N_BIGNUM_STATIC 48], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Convert 9-digit 528-bit bignum to little-endian bytes
 // Input x[6]; output z[66] (bytes)
-extern void bignum_tolebytes_p521 (uint8_t z[static 66], uint64_t x[static 9]);
+extern void bignum_tolebytes_p521 (uint8_t z[S2N_BIGNUM_STATIC 66], const uint64_t x[S2N_BIGNUM_STATIC 9]);
 
 // Convert to Montgomery form z := (2^256 * x) mod p_256
 // Input x[4]; output z[4]
-extern void bignum_tomont_p256 (uint64_t z[static 4], uint64_t x[static 4]);
-extern void bignum_tomont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_tomont_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_tomont_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Convert to Montgomery form z := (2^256 * x) mod p_256k1
 // Input x[4]; output z[4]
-extern void bignum_tomont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
-extern void bignum_tomont_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_tomont_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_tomont_p256k1_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Convert to Montgomery form z := (2^384 * x) mod p_384
 // Input x[6]; output z[6]
-extern void bignum_tomont_p384 (uint64_t z[static 6], uint64_t x[static 6]);
-extern void bignum_tomont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_tomont_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
+extern void bignum_tomont_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Convert to Montgomery form z := (2^576 * x) mod p_521
 // Input x[9]; output z[9]
-extern void bignum_tomont_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_tomont_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+
+// Convert to Montgomery form z := (2^256 * x) mod p_sm2
+// Input x[4]; output z[4]
+extern void bignum_tomont_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Triple modulo p_256, z := (3 * x) mod p_256
 // Input x[4]; output z[4]
-extern void bignum_triple_p256 (uint64_t z[static 4], uint64_t x[static 4]);
-extern void bignum_triple_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_triple_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_triple_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Triple modulo p_256k1, z := (3 * x) mod p_256k1
 // Input x[4]; output z[4]
-extern void bignum_triple_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
-extern void bignum_triple_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_triple_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_triple_p256k1_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Triple modulo p_384, z := (3 * x) mod p_384
 // Input x[6]; output z[6]
-extern void bignum_triple_p384 (uint64_t z[static 6], uint64_t x[static 6]);
-extern void bignum_triple_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_triple_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
+extern void bignum_triple_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 
 // Triple modulo p_521, z := (3 * x) mod p_521, assuming x reduced
 // Input x[9]; output z[9]
-extern void bignum_triple_p521 (uint64_t z[static 9], uint64_t x[static 9]);
-extern void bignum_triple_p521_alt (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_triple_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+extern void bignum_triple_p521_alt (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+
+// Triple modulo p_sm2, z := (3 * x) mod p_sm2
+// Input x[4]; output z[4]
+extern void bignum_triple_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_triple_sm2_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 
 // Montgomery ladder step for curve25519
 // Inputs point[8], pp[16], b; output rr[16]
-extern void curve25519_ladderstep(uint64_t rr[16],uint64_t point[8],uint64_t pp[16],uint64_t b);
-extern void curve25519_ladderstep_alt(uint64_t rr[16],uint64_t point[8],uint64_t pp[16],uint64_t b);
+extern void curve25519_ladderstep(uint64_t rr[16],const uint64_t point[8],const uint64_t pp[16],uint64_t b);
+extern void curve25519_ladderstep_alt(uint64_t rr[16],const uint64_t point[8],const uint64_t pp[16],uint64_t b);
 
 // Projective scalar multiplication, x coordinate only, for curve25519
 // Inputs scalar[4], point[4]; output res[8]
-extern void curve25519_pxscalarmul(uint64_t res[static 8],uint64_t scalar[static 4],uint64_t point[static 4]);
-extern void curve25519_pxscalarmul_alt(uint64_t res[static 8],uint64_t scalar[static 4],uint64_t point[static 4]);
+extern void curve25519_pxscalarmul(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 4]);
+extern void curve25519_pxscalarmul_alt(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 4]);
 
 // x25519 function for curve25519
 // Inputs scalar[4], point[4]; output res[4]
-extern void curve25519_x25519(uint64_t res[static 4],uint64_t scalar[static 4],uint64_t point[static 4]);
-extern void curve25519_x25519_alt(uint64_t res[static 4],uint64_t scalar[static 4],uint64_t point[static 4]);
+extern void curve25519_x25519(uint64_t res[S2N_BIGNUM_STATIC 4],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 4]);
+extern void curve25519_x25519_alt(uint64_t res[S2N_BIGNUM_STATIC 4],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 4]);
+
+// x25519 function for curve25519 (byte array arguments)
+// Inputs scalar[32] (bytes), point[32] (bytes); output res[32] (bytes)
+extern void curve25519_x25519_byte(uint8_t res[S2N_BIGNUM_STATIC 32],const uint8_t scalar[S2N_BIGNUM_STATIC 32],const uint8_t point[S2N_BIGNUM_STATIC 32]);
+extern void curve25519_x25519_byte_alt(uint8_t res[S2N_BIGNUM_STATIC 32],const uint8_t scalar[S2N_BIGNUM_STATIC 32],const uint8_t point[S2N_BIGNUM_STATIC 32]);
 
 // x25519 function for curve25519 on base element 9
 // Input scalar[4]; output res[4]
-extern void curve25519_x25519base(uint64_t res[static 4],uint64_t scalar[static 4]);
-extern void curve25519_x25519base_alt(uint64_t res[static 4],uint64_t scalar[static 4]);
+extern void curve25519_x25519base(uint64_t res[S2N_BIGNUM_STATIC 4],const uint64_t scalar[S2N_BIGNUM_STATIC 4]);
+extern void curve25519_x25519base_alt(uint64_t res[S2N_BIGNUM_STATIC 4],const uint64_t scalar[S2N_BIGNUM_STATIC 4]);
+
+// x25519 function for curve25519 on base element 9 (byte array arguments)
+// Input scalar[32] (bytes); output res[32] (bytes)
+extern void curve25519_x25519base_byte(uint8_t res[S2N_BIGNUM_STATIC 32],const uint8_t scalar[S2N_BIGNUM_STATIC 32]);
+extern void curve25519_x25519base_byte_alt(uint8_t res[S2N_BIGNUM_STATIC 32],const uint8_t scalar[S2N_BIGNUM_STATIC 32]);
+
+// Decode compressed 256-bit form of edwards25519 point
+// Input c[32] (bytes); output function return and z[8]
+extern uint64_t edwards25519_decode(uint64_t z[S2N_BIGNUM_STATIC 8], const uint8_t c[S2N_BIGNUM_STATIC 32]);
+extern uint64_t edwards25519_decode_alt(uint64_t z[S2N_BIGNUM_STATIC 8], const uint8_t c[S2N_BIGNUM_STATIC 32]);
+
+// Encode edwards25519 point into compressed form as 256-bit number
+// Input p[8]; output z[32] (bytes)
+extern void edwards25519_encode(uint8_t z[S2N_BIGNUM_STATIC 32], const uint64_t p[S2N_BIGNUM_STATIC 8]);
 
 // Extended projective addition for edwards25519
 // Inputs p1[16], p2[16]; output p3[16]
-extern void edwards25519_epadd(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 16]);
-extern void edwards25519_epadd_alt(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 16]);
+extern void edwards25519_epadd(uint64_t p3[S2N_BIGNUM_STATIC 16],const uint64_t p1[S2N_BIGNUM_STATIC 16],const uint64_t p2[S2N_BIGNUM_STATIC 16]);
+extern void edwards25519_epadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 16],const uint64_t p1[S2N_BIGNUM_STATIC 16],const uint64_t p2[S2N_BIGNUM_STATIC 16]);
 
 // Extended projective doubling for edwards25519
 // Inputs p1[12]; output p3[16]
-extern void edwards25519_epdouble(uint64_t p3[static 16],uint64_t p1[static 12]);
-extern void edwards25519_epdouble_alt(uint64_t p3[static 16],uint64_t p1[static 12]);
+extern void edwards25519_epdouble(uint64_t p3[S2N_BIGNUM_STATIC 16],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
+extern void edwards25519_epdouble_alt(uint64_t p3[S2N_BIGNUM_STATIC 16],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
 
 // Projective doubling for edwards25519
 // Inputs p1[12]; output p3[12]
-extern void edwards25519_pdouble(uint64_t p3[static 12],uint64_t p1[static 12]);
-extern void edwards25519_pdouble_alt(uint64_t p3[static 12],uint64_t p1[static 12]);
+extern void edwards25519_pdouble(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
+extern void edwards25519_pdouble_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
 
 // Extended projective + precomputed mixed addition for edwards25519
 // Inputs p1[16], p2[12]; output p3[16]
-extern void edwards25519_pepadd(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 12]);
-extern void edwards25519_pepadd_alt(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 12]);
+extern void edwards25519_pepadd(uint64_t p3[S2N_BIGNUM_STATIC 16],const uint64_t p1[S2N_BIGNUM_STATIC 16],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+extern void edwards25519_pepadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 16],const uint64_t p1[S2N_BIGNUM_STATIC 16],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+
+// Scalar multiplication by standard basepoint for edwards25519 (Ed25519)
+// Input scalar[4]; output res[8]
+extern void edwards25519_scalarmulbase(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4]);
+extern void edwards25519_scalarmulbase_alt(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4]);
+
+// Double scalar multiplication for edwards25519, fresh and base point
+// Input scalar[4], point[8], bscalar[4]; output res[8]
+extern void edwards25519_scalarmuldouble(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4], const uint64_t point[S2N_BIGNUM_STATIC 8],const uint64_t bscalar[S2N_BIGNUM_STATIC 4]);
+extern void edwards25519_scalarmuldouble_alt(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4], const uint64_t point[S2N_BIGNUM_STATIC 8],const uint64_t bscalar[S2N_BIGNUM_STATIC 4]);
+
+// Scalar product of 2-element polynomial vectors in NTT domain, with mulcache
+// Inputs a[512], b[512], bt[256] (signed 16-bit words); output r[256] (signed 16-bit words)
+extern void mlkem_basemul_k2(int16_t r[S2N_BIGNUM_STATIC 256],const int16_t a[S2N_BIGNUM_STATIC 512],const int16_t b[S2N_BIGNUM_STATIC 512],const int16_t bt[S2N_BIGNUM_STATIC 256]);
+
+// Scalar product of 3-element polynomial vectors in NTT domain, with mulcache
+// Inputs a[768], b[768], bt[384] (signed 16-bit words); output r[256] (signed 16-bit words)
+extern void mlkem_basemul_k3(int16_t r[S2N_BIGNUM_STATIC 256],const int16_t a[S2N_BIGNUM_STATIC 768],const int16_t b[S2N_BIGNUM_STATIC 768],const int16_t bt[S2N_BIGNUM_STATIC 384]);
+
+// Scalar product of 4-element polynomial vectors in NTT domain, with mulcache
+// Inputs a[1024], b[1024], bt[512] (signed 16-bit words); output r[256] (signed 16-bit words)
+extern void mlkem_basemul_k4(int16_t r[S2N_BIGNUM_STATIC 256],const int16_t a[S2N_BIGNUM_STATIC 1024],const int16_t b[S2N_BIGNUM_STATIC 1024],const int16_t bt[S2N_BIGNUM_STATIC 512]);
+
+// Inverse number-theoretic transform from ML-KEM
+// Input a[256] (signed 16-bit words), z_01234[80] (signed 16-bit words), z_56[384] (signed 16-bit words); output a[256] (signed 16-bit words)
+extern void mlkem_intt(int16_t a[S2N_BIGNUM_STATIC 256],const int16_t z_01234[S2N_BIGNUM_STATIC 80],const int16_t z_56[S2N_BIGNUM_STATIC 384]);
+
+// Precompute the mulcache data for a polynomial in the NTT domain
+// Inputs a[256], z[128] and t[128] (signed 16-bit words); output x[128] (signed 16-bit words)
+extern void mlkem_mulcache_compute(int16_t x[S2N_BIGNUM_STATIC 128],const int16_t a[S2N_BIGNUM_STATIC 256],const int16_t z[S2N_BIGNUM_STATIC 128],const int16_t t[S2N_BIGNUM_STATIC 128]);
+
+// Forward number-theoretic transform from ML-KEM
+// Input a[256] (signed 16-bit words), z_01234[80] (signed 16-bit words), z_56[384] (signed 16-bit words); output a[256] (signed 16-bit words)
+extern void mlkem_ntt(int16_t a[S2N_BIGNUM_STATIC 256],const int16_t z_01234[S2N_BIGNUM_STATIC 80],const int16_t z_56[S2N_BIGNUM_STATIC 384]);
+
+// Canonical modular reduction of polynomial coefficients for ML-KEM
+// Input a[256] (signed 16-bit words); output a[256] (signed 16-bit words)
+extern void mlkem_reduce(int16_t a[S2N_BIGNUM_STATIC 256]);
+
+// Pack ML-KEM polynomial coefficients as 12-bit numbers
+// Input a[256] (signed 16-bit words); output r[384] (bytes)
+extern void mlkem_tobytes(uint8_t r[S2N_BIGNUM_STATIC 384],const int16_t a[S2N_BIGNUM_STATIC 256]);
+
+// Conversion of ML-KEM polynomial coefficients to Montgomery form
+// Input a[256] (signed 16-bit words); output a[256] (signed 16-bit words)
+extern void mlkem_tomont(int16_t a[S2N_BIGNUM_STATIC 256]);
+
+// Uniform rejection sampling for ML-KEM
+// Inputs *buf (unsigned bytes), buflen, table (unsigned bytes); output r[256] (signed 16-bit words), return
+extern uint64_t mlkem_rej_uniform_VARIABLE_TIME(int16_t r[S2N_BIGNUM_STATIC 256],const uint8_t *buf,uint64_t buflen,const uint8_t *table);
 
 // Point addition on NIST curve P-256 in Montgomery-Jacobian coordinates
 // Inputs p1[12], p2[12]; output p3[12]
-extern void p256_montjadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 12]);
+extern void p256_montjadd(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+extern void p256_montjadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
 
 // Point doubling on NIST curve P-256 in Montgomery-Jacobian coordinates
 // Inputs p1[12]; output p3[12]
-extern void p256_montjdouble(uint64_t p3[static 12],uint64_t p1[static 12]);
+extern void p256_montjdouble(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
+extern void p256_montjdouble_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
 
 // Point mixed addition on NIST curve P-256 in Montgomery-Jacobian coordinates
 // Inputs p1[12], p2[8]; output p3[12]
-extern void p256_montjmixadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 8]);
+extern void p256_montjmixadd(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 8]);
+extern void p256_montjmixadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 8]);
+
+// Montgomery-Jacobian form scalar multiplication for P-256
+// Input scalar[4], point[12]; output res[12]
+extern void p256_montjscalarmul(uint64_t res[S2N_BIGNUM_STATIC 12],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 12]);
+extern void p256_montjscalarmul_alt(uint64_t res[S2N_BIGNUM_STATIC 12],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 12]);
+
+// Scalar multiplication for NIST curve P-256
+// Input scalar[4], point[8]; output res[8]
+extern void p256_scalarmul(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 8]);
+extern void p256_scalarmul_alt(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 8]);
+
+// Scalar multiplication for precomputed point on NIST curve P-256
+// Input scalar[4], blocksize, table[]; output res[8]
+extern void p256_scalarmulbase(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4],uint64_t blocksize,const uint64_t *table);
+extern void p256_scalarmulbase_alt(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4],uint64_t blocksize,const uint64_t *table);
 
 // Point addition on NIST curve P-384 in Montgomery-Jacobian coordinates
 // Inputs p1[18], p2[18]; output p3[18]
-extern void p384_montjadd(uint64_t p3[static 18],uint64_t p1[static 18],uint64_t p2[static 18]);
+extern void p384_montjadd(uint64_t p3[S2N_BIGNUM_STATIC 18],const uint64_t p1[S2N_BIGNUM_STATIC 18],const uint64_t p2[S2N_BIGNUM_STATIC 18]);
+extern void p384_montjadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 18],const uint64_t p1[S2N_BIGNUM_STATIC 18],const uint64_t p2[S2N_BIGNUM_STATIC 18]);
 
 // Point doubling on NIST curve P-384 in Montgomery-Jacobian coordinates
 // Inputs p1[18]; output p3[18]
-extern void p384_montjdouble(uint64_t p3[static 18],uint64_t p1[static 18]);
+extern void p384_montjdouble(uint64_t p3[S2N_BIGNUM_STATIC 18],const uint64_t p1[S2N_BIGNUM_STATIC 18]);
+extern void p384_montjdouble_alt(uint64_t p3[S2N_BIGNUM_STATIC 18],const uint64_t p1[S2N_BIGNUM_STATIC 18]);
 
 // Point mixed addition on NIST curve P-384 in Montgomery-Jacobian coordinates
 // Inputs p1[18], p2[12]; output p3[18]
-extern void p384_montjmixadd(uint64_t p3[static 18],uint64_t p1[static 18],uint64_t p2[static 12]);
+extern void p384_montjmixadd(uint64_t p3[S2N_BIGNUM_STATIC 18],const uint64_t p1[S2N_BIGNUM_STATIC 18],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+extern void p384_montjmixadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 18],const uint64_t p1[S2N_BIGNUM_STATIC 18],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+
+// Montgomery-Jacobian form scalar multiplication for P-384
+// Input scalar[6], point[18]; output res[18]
+extern void p384_montjscalarmul(uint64_t res[S2N_BIGNUM_STATIC 18],const uint64_t scalar[S2N_BIGNUM_STATIC 6],const uint64_t point[S2N_BIGNUM_STATIC 18]);
+extern void p384_montjscalarmul_alt(uint64_t res[S2N_BIGNUM_STATIC 18],const uint64_t scalar[S2N_BIGNUM_STATIC 6],const uint64_t point[S2N_BIGNUM_STATIC 18]);
 
 // Point addition on NIST curve P-521 in Jacobian coordinates
 // Inputs p1[27], p2[27]; output p3[27]
-extern void p521_jadd(uint64_t p3[static 27],uint64_t p1[static 27],uint64_t p2[static 27]);
+extern void p521_jadd(uint64_t p3[S2N_BIGNUM_STATIC 27],const uint64_t p1[S2N_BIGNUM_STATIC 27],const uint64_t p2[S2N_BIGNUM_STATIC 27]);
+extern void p521_jadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 27],const uint64_t p1[S2N_BIGNUM_STATIC 27],const uint64_t p2[S2N_BIGNUM_STATIC 27]);
 
 // Point doubling on NIST curve P-521 in Jacobian coordinates
 // Input p1[27]; output p3[27]
-extern void p521_jdouble(uint64_t p3[static 27],uint64_t p1[static 27]);
+extern void p521_jdouble(uint64_t p3[S2N_BIGNUM_STATIC 27],const uint64_t p1[S2N_BIGNUM_STATIC 27]);
+extern void p521_jdouble_alt(uint64_t p3[S2N_BIGNUM_STATIC 27],const uint64_t p1[S2N_BIGNUM_STATIC 27]);
 
 // Point mixed addition on NIST curve P-521 in Jacobian coordinates
 // Inputs p1[27], p2[18]; output p3[27]
-extern void p521_jmixadd(uint64_t p3[static 27],uint64_t p1[static 27],uint64_t p2[static 18]);
+extern void p521_jmixadd(uint64_t p3[S2N_BIGNUM_STATIC 27],const uint64_t p1[S2N_BIGNUM_STATIC 27],const uint64_t p2[S2N_BIGNUM_STATIC 18]);
+extern void p521_jmixadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 27],const uint64_t p1[S2N_BIGNUM_STATIC 27],const uint64_t p2[S2N_BIGNUM_STATIC 18]);
+
+// Jacobian form scalar multiplication for P-521
+// Input scalar[9], point[27]; output res[27]
+extern void p521_jscalarmul(uint64_t res[S2N_BIGNUM_STATIC 27],const uint64_t scalar[S2N_BIGNUM_STATIC 9],const uint64_t point[S2N_BIGNUM_STATIC 27]);
+extern void p521_jscalarmul_alt(uint64_t res[S2N_BIGNUM_STATIC 27],const uint64_t scalar[S2N_BIGNUM_STATIC 9],const uint64_t point[S2N_BIGNUM_STATIC 27]);
 
 // Point addition on SECG curve secp256k1 in Jacobian coordinates
 // Inputs p1[12], p2[12]; output p3[12]
-extern void secp256k1_jadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 12]);
+extern void secp256k1_jadd(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+extern void secp256k1_jadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
 
 // Point doubling on SECG curve secp256k1 in Jacobian coordinates
 // Input p1[12]; output p3[12]
-extern void secp256k1_jdouble(uint64_t p3[static 12],uint64_t p1[static 12]);
+extern void secp256k1_jdouble(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
+extern void secp256k1_jdouble_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
 
 // Point mixed addition on SECG curve secp256k1 in Jacobian coordinates
 // Inputs p1[12], p2[8]; output p3[12]
-extern void secp256k1_jmixadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 8]);
+extern void secp256k1_jmixadd(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 8]);
+extern void secp256k1_jmixadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 8]);
+
+// Keccak-f1600 permutation for SHA3
+// Inputs a[25], rc[24]; output a[25]
+extern void sha3_keccak_f1600(uint64_t a[S2N_BIGNUM_STATIC 25],const uint64_t rc[S2N_BIGNUM_STATIC 24]);
+extern void sha3_keccak_f1600_alt(uint64_t a[S2N_BIGNUM_STATIC 25],const uint64_t rc[S2N_BIGNUM_STATIC 24]);
+
+// Batched 2-way Keccak-f1600 permutation for SHA3
+// Inputs a[50], rc[24]; output a[50]
+extern void sha3_keccak2_f1600(uint64_t a[S2N_BIGNUM_STATIC 50],const uint64_t rc[S2N_BIGNUM_STATIC 24]);
+extern void sha3_keccak2_f1600_alt(uint64_t a[S2N_BIGNUM_STATIC 50],const uint64_t rc[S2N_BIGNUM_STATIC 24]);
+
+// Batched 4-way Keccak-f1600 permutation for SHA3
+// Inputs a[100], rc[24]; output a[100]
+extern void sha3_keccak4_f1600(uint64_t a[S2N_BIGNUM_STATIC 100],const uint64_t rc[S2N_BIGNUM_STATIC 24]);
+extern void sha3_keccak4_f1600_alt(uint64_t a[S2N_BIGNUM_STATIC 100],const uint64_t rc[S2N_BIGNUM_STATIC 24]);
+extern void sha3_keccak4_f1600_alt2(uint64_t a[S2N_BIGNUM_STATIC 100],const uint64_t rc[S2N_BIGNUM_STATIC 24]);
+
+// Point addition on CC curve SM2 in Montgomery-Jacobian coordinates
+// Inputs p1[12], p2[12]; output p3[12]
+extern void sm2_montjadd(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+extern void sm2_montjadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+
+// Point doubling on CC curve SM2 in Montgomery-Jacobian coordinates
+// Inputs p1[12]; output p3[12]
+extern void sm2_montjdouble(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
+extern void sm2_montjdouble_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
+
+// Point mixed addition on CC curve SM2 in Montgomery-Jacobian coordinates
+// Inputs p1[12], p2[8]; output p3[12]
+extern void sm2_montjmixadd(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 8]);
+extern void sm2_montjmixadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 8]);
+
+// Montgomery-Jacobian form scalar multiplication for CC curve SM2
+// Input scalar[4], point[12]; output res[12]
+extern void sm2_montjscalarmul(uint64_t res[S2N_BIGNUM_STATIC 12],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 12]);
+extern void sm2_montjscalarmul_alt(uint64_t res[S2N_BIGNUM_STATIC 12],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 12]);
 
 // Reverse the bytes in a single word
 // Input a; output function return
@@ -839,6 +1164,10 @@ extern uint64_t word_clz (uint64_t a);
 // Input a; output function return
 extern uint64_t word_ctz (uint64_t a);
 
+// Perform 59 "divstep" iterations and return signed matrix of updates
+// Inputs d, f, g; output m[2][2] and function return
+extern int64_t word_divstep59(int64_t m[2][2],int64_t d,uint64_t f,uint64_t g);
+
 // Return maximum of two unsigned 64-bit words
 // Inputs a, b; output function return
 extern uint64_t word_max (uint64_t a, uint64_t b);
@@ -851,6 +1180,10 @@ extern uint64_t word_min (uint64_t a, uint64_t b);
 // Input a; output function return
 extern uint64_t word_negmodinv (uint64_t a);
 
+// Count number of set bits in a single 64-bit word (population count)
+// Input a; output function return
+extern uint64_t word_popcount (uint64_t a);
+
 // Single-word reciprocal, 2^64 + ret = ceil(2^128/a) - 1 if MSB of "a" is set
 // Input a; output function return
 extern uint64_t word_recip (uint64_t a);
diff --git a/src/lib/libcrypto/bn/s2n_bignum_internal.h b/src/lib/libcrypto/bn/s2n_bignum_internal.h
index b82db7d019..37eebb4fd6 100644
--- a/src/lib/libcrypto/bn/s2n_bignum_internal.h
+++ b/src/lib/libcrypto/bn/s2n_bignum_internal.h
@@ -1,3 +1,5 @@
+// $OpenBSD: s2n_bignum_internal.h,v 1.5 2025/08/12 10:01:37 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -14,14 +16,14 @@
 
 #ifdef __APPLE__
 #   define S2N_BN_SYMBOL(NAME) _##NAME
+#   if defined(__AARCH64EL__) || defined(__ARMEL__)
+#     define __LF %%
+#   else
+#     define __LF ;
+#   endif
 #else
 #   define S2N_BN_SYMBOL(name) name
-#endif
-
-#ifdef __CET__
-#   include <cet.h>
-#else
-#   define _CET_ENDBR
+#   define __LF ;
 #endif
 
 #define S2N_BN_SYM_VISIBILITY_DIRECTIVE(name) .globl S2N_BN_SYMBOL(name)
@@ -34,3 +36,24 @@
 #else
 #   define S2N_BN_SYM_PRIVACY_DIRECTIVE(name)  /* NO-OP: S2N_BN_SYM_PRIVACY_DIRECTIVE */
 #endif
+
+// Enable indirect branch tracking support unless explicitly disabled
+// with -DNO_IBT. If the platform supports CET, simply inherit this from
+// the usual header. Otherwise manually define _CET_ENDBR, used at each
+// x86 entry point, to be the ENDBR64 instruction, with an explicit byte
+// sequence for compilers/assemblers that don't know about it. Note that
+// it is safe to use ENDBR64 on all platforms, since the encoding is by
+// design interpreted as a NOP on all pre-CET x86_64 processors. The only
+// downside is a small increase in code size and potentially a modest
+// slowdown from executing one more instruction.
+
+#if NO_IBT
+#   if defined(_CET_ENDBR)
+#     error "The s2n-bignum build option NO_IBT was configured, but _CET_ENDBR is defined in this compilation unit. That is weird, so failing the build."
+#   endif
+#   define _CET_ENDBR
+#elif defined(__CET__)
+#   include <cet.h>
+#elif !defined(_CET_ENDBR)
+#   define _CET_ENDBR .byte 0xf3,0x0f,0x1e,0xfa
+#endif
diff --git a/src/lib/libcrypto/buffer/buffer.c b/src/lib/libcrypto/buffer/buffer.c
index 51ce90ff80..4a0c17c598 100644
--- a/src/lib/libcrypto/buffer/buffer.c
+++ b/src/lib/libcrypto/buffer/buffer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: buffer.c,v 1.28 2023/07/08 08:26:26 beck Exp $ */
+/* $OpenBSD: buffer.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,7 +61,8 @@
 #include <string.h>
 
 #include <openssl/buffer.h>
-#include <openssl/err.h>
+
+#include "err_local.h"
 
 /*
  * LIMIT_BEFORE_EXPANSION is the maximum n such that (n + 3) / 3 * 4 < 2**31.
diff --git a/src/lib/libcrypto/cert.pem b/src/lib/libcrypto/cert.pem
index a7fd3519fb..aadf2deb9b 100644
--- a/src/lib/libcrypto/cert.pem
+++ b/src/lib/libcrypto/cert.pem
@@ -1,4 +1,4 @@
-# $OpenBSD: cert.pem,v 1.31 2025/03/16 07:44:35 tb Exp $
+# $OpenBSD: cert.pem,v 1.32 2025/08/06 09:45:53 sthen Exp $
 ### /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
 
 === /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
@@ -960,49 +960,6 @@ AgEGMAoGCCqGSM49BAMDA2gAMGUCMBq8W9f+qdJUDkpd0m2xQNz0Q9XSSpkZElaA
 43j4ptZLvZuHjw/l1lOWqzzIQNph91Oj9w==
 -----END CERTIFICATE-----
 
-### Baltimore
-
-=== /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 33554617 (0x20000b9)
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: May 12 18:46:00 2000 GMT
-            Not After : May 12 23:59:00 2025 GMT
-        Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
-        X509v3 extensions:
-            X509v3 Subject Key Identifier:
-                E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:3
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-SHA1 Fingerprint=D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
-SHA256 Fingerprint=16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB
------BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
-RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
-VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
-DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
-ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
-VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
-mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
-IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
-mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
-XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
-dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
-jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
-BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
-DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
-9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
-jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
-Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
-ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
-R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
------END CERTIFICATE-----
-
 ### Buypass AS-983163327
 
 === /C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 Root CA
@@ -1728,61 +1685,6 @@ v64fG9PiO/yzcnMcmyiQiRM9HcEARwmWmjgb3bHPDcK0RPOWlc4yOo80nOAXx17O
 rg3bhzjlP1v9mxnhMUF6cKojawHhRUzNlM47ni3niAIi9G7oyOzWPPO5std3eqx7
 -----END CERTIFICATE-----
 
-### Comodo CA Limited
-
-=== /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Jan  1 00:00:00 2004 GMT
-            Not After : Dec 31 23:59:59 2028 GMT
-        Subject: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
-        X509v3 extensions:
-            X509v3 Subject Key Identifier:
-                A0:11:0A:23:3E:96:F1:07:EC:E2:AF:29:EF:82:A5:7F:D0:30:A4:B4
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 CRL Distribution Points:
-
-                Full Name:
-                  URI:http://crl.comodoca.com/AAACertificateServices.crl
-
-                Full Name:
-                  URI:http://crl.comodo.net/AAACertificateServices.crl
-
-SHA1 Fingerprint=D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
-SHA256 Fingerprint=D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4
------BEGIN CERTIFICATE-----
-MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
-MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
-GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
-YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
-MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
-BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
-GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
-BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
-3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
-YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
-rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
-ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
-oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
-MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
-QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
-b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
-AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
-GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
-Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
-G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
-l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
-smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
------END CERTIFICATE-----
-
 ### Cybertrust Japan Co., Ltd.
 
 === /C=JP/O=Cybertrust Japan Co., Ltd./CN=SecureSign Root CA12
@@ -3070,53 +2972,6 @@ eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0tHuu2guQOHXvgR1m
 0vdXcDazv/wor3ElhVsT/h5/WrQ8
 -----END CERTIFICATE-----
 
-### Entrust.net
-
-=== /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 946069240 (0x3863def8)
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Dec 24 17:50:51 1999 GMT
-            Not After : Jul 24 14:15:12 2029 GMT
-        Subject: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier:
-                55:E4:81:D1:11:80:BE:D8:89:B9:08:A3:31:F9:A1:24:09:16:B9:70
-SHA1 Fingerprint=50:30:06:09:1D:97:D4:F5:AE:39:F7:CB:E7:92:7D:7D:65:2D:34:31
-SHA256 Fingerprint=6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77
------BEGIN CERTIFICATE-----
-MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
-RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
-bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
-IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp
-ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQxNzUwNTFaFw0yOTA3
-MjQxNDE1MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3
-LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxp
-YWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEG
-A1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq
-K0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOLGp18EzoOH1u3Hs/lJBQe
-sYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSrhRSGlVuX
-MlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVT
-XTzWnLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/
-HoZdenoVve8AjhUiVBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH
-4QIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
-HQ4EFgQUVeSB0RGAvtiJuQijMfmhJAkWuXAwDQYJKoZIhvcNAQEFBQADggEBADub
-j1abMOdTmXx6eadNl9cZlZD7Bh/KM3xGY4+WZiT6QBshJ8rmcnPyT/4xmf3IDExo
-U8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf
-zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5b
-u/8j72gZyxKTJ1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+
-bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
-fF6adulZkMV8gzURZVE=
------END CERTIFICATE-----
-
 ### FNMT-RCM
 
 === /C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
@@ -3559,47 +3414,6 @@ u+YfjyW6hY0XHgL+XVAEV8/+LbzvXMAaq7afJMbfc2hIkCwU9D9SGuTSyxTDYWnP
 N3ec592kD3ZDZopD8p/7DEJ4Y9HiD2971KE9dJeFt0g5QdYg/NA6s/rob8SKunE3
 vouXsXgxT7PntgMTzlSdriVZzH81Xwj3QEUxeCp6
 -----END CERTIFICATE-----
-=== /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            04:00:00:00:00:01:15:4b:5a:c3:94
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Sep  1 12:00:00 1998 GMT
-            Not After : Jan 28 12:00:00 2028 GMT
-        Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier:
-                60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
-SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
-SHA256 Fingerprint=EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99
------BEGIN CERTIFICATE-----
-MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
-A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
-b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
-MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
-YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
-aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
-jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
-xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
-1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
-snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
-U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
-9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
-BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
-AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
-yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
-38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
-AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
-DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
-HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
------END CERTIFICATE-----
 
 ### GoDaddy.com, Inc.
 
@@ -5481,52 +5295,6 @@ CPyI6a6Lf+Ew9Dd+/cYy2i2eRDAwbO4H3tI0/NL/QPZL9GZGBlSm8jIKYyYwa5vR
 
 ### Starfield Technologies, Inc.
 
-=== /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Jun 29 17:39:16 2004 GMT
-            Not After : Jun 29 17:39:16 2034 GMT
-        Subject: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
-        X509v3 extensions:
-            X509v3 Subject Key Identifier:
-                BF:5F:B7:D1:CE:DD:1F:86:F4:5B:55:AC:DC:D7:10:C2:0E:A9:88:E7
-            X509v3 Authority Key Identifier:
-                keyid:BF:5F:B7:D1:CE:DD:1F:86:F4:5B:55:AC:DC:D7:10:C2:0E:A9:88:E7
-                DirName:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
-                serial:00
-
-            X509v3 Basic Constraints:
-                CA:TRUE
-SHA1 Fingerprint=AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A
-SHA256 Fingerprint=14:65:FA:20:53:97:B8:76:FA:A6:F0:A9:95:8E:55:90:E4:0F:CC:7F:AA:4F:B7:C2:C8:67:75:21:FB:5F:B6:58
------BEGIN CERTIFICATE-----
-MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
-MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
-U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw
-NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE
-ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp
-ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3
-DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf
-8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN
-+lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0
-X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa
-K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA
-1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G
-A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR
-zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0
-YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD
-bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w
-DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3
-L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D
-eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl
-xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp
-VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY
-WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=
------END CERTIFICATE-----
 === /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
 Certificate:
     Data:
@@ -6020,55 +5788,6 @@ HL/EVlP6Y2XQ8xwOFvVrhlhNGNTkDY6lnVuR3HYkUD/GKvvZt5y11ubQ2egZixVx
 SK236thZiNSQvxaz2emsWWFUyBy6ysHK4bkgTI86k4mloMy/0/Z1pHWWbVY=
 -----END CERTIFICATE-----
 
-### The Go Daddy Group, Inc.
-
-=== /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Jun 29 17:06:20 2004 GMT
-            Not After : Jun 29 17:06:20 2034 GMT
-        Subject: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
-        X509v3 extensions:
-            X509v3 Subject Key Identifier:
-                D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
-            X509v3 Authority Key Identifier:
-                keyid:D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
-                DirName:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-                serial:00
-
-            X509v3 Basic Constraints:
-                CA:TRUE
-SHA1 Fingerprint=27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4
-SHA256 Fingerprint=C3:84:6B:F2:4B:9E:93:CA:64:27:4C:0E:C6:7C:1E:CC:5E:02:4F:FC:AC:D2:D7:40:19:35:0E:81:FE:54:6A:E4
------BEGIN CERTIFICATE-----
-MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
-MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
-YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
-MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
-ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
-MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
-ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
-PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
-wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
-EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
-avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
-YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
-sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
-/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
-IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
-ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
-OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
-TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
-HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
-dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
-ReYNnyicsbkqWletNw+vHX/bvZ8=
------END CERTIFICATE-----
-
 ### The USERTRUST Network
 
 === /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority
@@ -6669,63 +6388,6 @@ rYy0UGYwEAYJKwYBBAGCNxUBBAMCAQAwCgYIKoZIzj0EAwMDaAAwZQIwJsdpW9zV
 Mgj/mkkCtojeFK9dbJlxjRo/i9fgojaGHAeCOnZT/cKi7e97sIBPWA9LUzm9
 -----END CERTIFICATE-----
 
-### XRamp Security Services Inc
-
-=== /C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp Global Certification Authority
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Nov  1 17:14:04 2004 GMT
-            Not After : Jan  1 05:37:19 2035 GMT
-        Subject: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
-        X509v3 extensions:
-            1.3.6.1.4.1.311.20.2:
-                ...C.A
-            X509v3 Key Usage:
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier:
-                C6:4F:A2:3D:06:63:84:09:9C:CE:62:E4:04:AC:8D:5C:B5:E9:B6:1B
-            X509v3 CRL Distribution Points:
-
-                Full Name:
-                  URI:http://crl.xrampsecurity.com/XGCA.crl
-
-            1.3.6.1.4.1.311.21.1:
-                ...
-SHA1 Fingerprint=B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6
-SHA256 Fingerprint=CE:CD:DC:90:50:99:D8:DA:DF:C5:B1:D2:09:B7:37:CB:E2:C1:8C:FB:2C:10:C0:FF:0B:CF:0D:32:86:FC:1A:A2
------BEGIN CERTIFICATE-----
-MIIEMDCCAxigAwIBAgIQUJRs7Bjq1ZxN1ZfvdY+grTANBgkqhkiG9w0BAQUFADCB
-gjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEk
-MCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRY
-UmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQxMTAxMTcx
-NDA0WhcNMzUwMTAxMDUzNzE5WjCBgjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3
-dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2Vy
-dmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBB
-dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYJB69FbS6
-38eMpSe2OAtp87ZOqCwuIR1cRN8hXX4jdP5efrRKt6atH67gBhbim1vZZ3RrXYCP
-KZ2GG9mcDZhtdhAoWORlsH9KmHmf4MMxfoArtYzAQDsRhtDLooY2YKTVMIJt2W7Q
-DxIEM5dfT2Fa8OT5kavnHTu86M/0ay00fOJIYRyO82FEzG+gSqmUsE3a56k0enI4
-qEHMPJQRfevIpoy3hsvKMzvZPTeL+3o+hiznc9cKV6xkmxnr9A8ECIqsAxcZZPRa
-JSKNNCyy9mgdEm3Tih4U2sSPpuIjhdV6Db1q4Ons7Be7QhtnqiXtRYMh/MHJfNVi
-PvryxS3T/dRlAgMBAAGjgZ8wgZwwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0P
-BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMZPoj0GY4QJnM5i5ASs
-jVy16bYbMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwueHJhbXBzZWN1cml0
-eS5jb20vWEdDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQEwDQYJKoZIhvcNAQEFBQAD
-ggEBAJEVOQMBG2f7Shz5CmBbodpNl2L5JFMn14JkTpAuw0kbK5rc/Kh4ZzXxHfAR
-vbdI4xD2Dd8/0sm2qlWkSLoC295ZLhVbO50WfUfXN+pfTXYSNrsf16GBBEYgoyxt
-qZ4Bfj8pzgCT3/3JknOJiWSe5yvkHJEs0rnOfc5vMZnT5r7SHpDwCRR5XCOrTdLa
-IR9NmXmd4c8nnxCbHIgNsIpkQTG4DmyQJKSbXHGPurt+HBvbaoAPIbzp26a3QPSy
-i6mx5O+aGtA9aZnuqCij4Tyz8LIRnM98QObd50N9otg6tamN8jSZxNQQ4Qb9CYQQ
-O+7ETPTsJ3xCwnR8gooJybQDJbw=
------END CERTIFICATE-----
-
 ### certSIGN
 
 === /C=RO/O=certSIGN/OU=certSIGN ROOT CA
diff --git a/src/lib/libcrypto/cms/cms_dd.c b/src/lib/libcrypto/cms/cms_dd.c
index 0a357094c5..daccbcd988 100644
--- a/src/lib/libcrypto/cms/cms_dd.c
+++ b/src/lib/libcrypto/cms/cms_dd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_dd.c,v 1.17 2023/10/26 09:08:57 tb Exp $ */
+/* $OpenBSD: cms_dd.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -56,11 +56,11 @@
 
 #include <openssl/asn1.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 
 #include "cms_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 /* CMS DigestedData Utilities */
diff --git a/src/lib/libcrypto/cms/cms_enc.c b/src/lib/libcrypto/cms/cms_enc.c
index ef6925dbd6..928b396815 100644
--- a/src/lib/libcrypto/cms/cms_enc.c
+++ b/src/lib/libcrypto/cms/cms_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_enc.c,v 1.25 2024/11/01 18:34:06 tb Exp $ */
+/* $OpenBSD: cms_enc.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -58,12 +58,12 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
 #include "cms_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 /* CMS EncryptedData Utilities */
diff --git a/src/lib/libcrypto/cms/cms_env.c b/src/lib/libcrypto/cms/cms_env.c
index 629d23215e..7fa578466d 100644
--- a/src/lib/libcrypto/cms/cms_env.c
+++ b/src/lib/libcrypto/cms/cms_env.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_env.c,v 1.28 2024/11/01 18:42:10 tb Exp $ */
+/* $OpenBSD: cms_env.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -59,12 +59,12 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
 #include "cms_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 /* CMS EnvelopedData Utilities */
diff --git a/src/lib/libcrypto/cms/cms_ess.c b/src/lib/libcrypto/cms/cms_ess.c
index f01dcf73ed..5435fa404c 100644
--- a/src/lib/libcrypto/cms/cms_ess.c
+++ b/src/lib/libcrypto/cms/cms_ess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_ess.c,v 1.26 2024/11/01 18:53:35 tb Exp $ */
+/* $OpenBSD: cms_ess.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -57,13 +57,13 @@
 
 #include <openssl/asn1.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include "cms_local.h"
+#include "err_local.h"
 
 CMS_ReceiptRequest *
 d2i_CMS_ReceiptRequest(CMS_ReceiptRequest **a, const unsigned char **in, long len)
diff --git a/src/lib/libcrypto/cms/cms_io.c b/src/lib/libcrypto/cms/cms_io.c
index 84ada47c49..a9be5461a3 100644
--- a/src/lib/libcrypto/cms/cms_io.c
+++ b/src/lib/libcrypto/cms/cms_io.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_io.c,v 1.21 2024/03/30 01:53:05 joshua Exp $ */
+/* $OpenBSD: cms_io.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -54,12 +54,12 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
 #include "cms_local.h"
+#include "err_local.h"
 
 int
 CMS_stream(unsigned char ***boundary, CMS_ContentInfo *cms)
diff --git a/src/lib/libcrypto/cms/cms_kari.c b/src/lib/libcrypto/cms/cms_kari.c
index 86b1ad9e83..c23da18058 100644
--- a/src/lib/libcrypto/cms/cms_kari.c
+++ b/src/lib/libcrypto/cms/cms_kari.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_kari.c,v 1.17 2024/11/01 18:34:06 tb Exp $ */
+/* $OpenBSD: cms_kari.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -57,10 +57,10 @@
 
 #include <openssl/asn1.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 
 #include "cms_local.h"
+#include "err_local.h"
 
 /* Key Agreement Recipient Info (KARI) routines */
 
diff --git a/src/lib/libcrypto/cms/cms_lib.c b/src/lib/libcrypto/cms/cms_lib.c
index 2d7a8d9f21..b9fc5c21c7 100644
--- a/src/lib/libcrypto/cms/cms_lib.c
+++ b/src/lib/libcrypto/cms/cms_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_lib.c,v 1.26 2024/11/01 18:53:35 tb Exp $ */
+/* $OpenBSD: cms_lib.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -57,13 +57,13 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include "cms_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 CMS_ContentInfo *
diff --git a/src/lib/libcrypto/cms/cms_pwri.c b/src/lib/libcrypto/cms/cms_pwri.c
index b6fe5df961..1f64fc71f7 100644
--- a/src/lib/libcrypto/cms/cms_pwri.c
+++ b/src/lib/libcrypto/cms/cms_pwri.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_pwri.c,v 1.31 2024/01/14 18:40:24 tb Exp $ */
+/* $OpenBSD: cms_pwri.c,v 1.32 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -58,13 +58,13 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/cms.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
 #include "cms_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/cms/cms_sd.c b/src/lib/libcrypto/cms/cms_sd.c
index 9cdd4ce143..abcac83e47 100644
--- a/src/lib/libcrypto/cms/cms_sd.c
+++ b/src/lib/libcrypto/cms/cms_sd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_sd.c,v 1.33 2024/04/20 10:11:55 tb Exp $ */
+/* $OpenBSD: cms_sd.c,v 1.36 2025/07/31 02:24:21 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -57,7 +57,6 @@
 
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/cms.h>
 #include <openssl/objects.h>
@@ -66,6 +65,7 @@
 
 #include "asn1_local.h"
 #include "cms_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
@@ -484,35 +484,6 @@ CMS_add1_signer(CMS_ContentInfo *cms, X509 *signer, EVP_PKEY *pk,
 }
 LCRYPTO_ALIAS(CMS_add1_signer);
 
-static int
-cms_add1_signingTime(CMS_SignerInfo *si, ASN1_TIME *t)
-{
-        ASN1_TIME *tt;
-        int r = 0;
-
-        if (t)
-                tt = t;
-        else
-                tt = X509_gmtime_adj(NULL, 0);
-
-        if (!tt)
-                goto merr;
-
-        if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime,
-                                                tt->type, tt, -1) <= 0)
-                goto merr;
-
-        r = 1;
-
- merr:
-        if (!t)
-                ASN1_TIME_free(tt);
-        if (!r)
-                CMSerror(ERR_R_MALLOC_FAILURE);
-
-        return r;
-}
-
 EVP_PKEY_CTX *
 CMS_SignerInfo_get0_pkey_ctx(CMS_SignerInfo *si)
 {
@@ -778,6 +749,7 @@ cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain)
 int
 CMS_SignerInfo_sign(CMS_SignerInfo *si)
 {
+        ASN1_TIME *at = NULL;
         const EVP_MD *md;
         unsigned char *buf = NULL, *sig = NULL;
         int buf_len = 0;
@@ -788,7 +760,12 @@ CMS_SignerInfo_sign(CMS_SignerInfo *si)
                 goto err;
 
         if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) {
-                if (!cms_add1_signingTime(si, NULL))
+                if ((at = X509_gmtime_adj(NULL, 0)) == NULL) {
+                        CMSerror(ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                if (!CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime,
+                    at->type, at, -1))
                         goto err;
         }
 
@@ -828,6 +805,7 @@ CMS_SignerInfo_sign(CMS_SignerInfo *si)
         ret = 1;
 
  err:
+        ASN1_TIME_free(at);
         (void)EVP_MD_CTX_reset(si->mctx);
         freezero(buf, buf_len);
         freezero(sig, sig_len);
@@ -1012,6 +990,8 @@ LCRYPTO_ALIAS(CMS_add_smimecap);
  * Add AlgorithmIdentifier OID of type |nid| to the SMIMECapability attribute
  * set |*out_algs| (see RFC 3851, section 2.5.2). If keysize > 0, the OID has
  * an integer parameter of value |keysize|, otherwise parameters are omitted.
+ *
+ * See also PKCS7_simple_smimecap().
  */
 int
 CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **out_algs, int nid, int keysize)
diff --git a/src/lib/libcrypto/cms/cms_smime.c b/src/lib/libcrypto/cms/cms_smime.c
index 5a194748d9..85a0e6f6e5 100644
--- a/src/lib/libcrypto/cms/cms_smime.c
+++ b/src/lib/libcrypto/cms/cms_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_smime.c,v 1.28 2023/12/22 10:23:11 tb Exp $ */
+/* $OpenBSD: cms_smime.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -59,7 +59,6 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
@@ -67,6 +66,7 @@
 #include <openssl/x509_vfy.h>
 
 #include "cms_local.h"
+#include "err_local.h"
 
 static BIO *
 cms_get_text_bio(BIO *out, unsigned int flags)
diff --git a/src/lib/libcrypto/conf/README b/src/lib/libcrypto/conf/README
deleted file mode 100644
index 96e53b34ed..0000000000
--- a/src/lib/libcrypto/conf/README
+++ /dev/null
@@ -1,73 +0,0 @@
-Configuration modules. These are a set of modules which can perform
-various configuration functions.
-
-Currently the routines should be called at most once when an application
-starts up: that is before it starts any threads.
-
-The routines read a configuration file set up like this:
-
------
-#default section
-openssl_conf=init_section
-
-[init_section]
-
-module1=value1
-#Second instance of module1
-module1.1=valueX
-module2=value2
-module3=dso_literal
-module4=dso_section
-
-[dso_section]
-
-path=/some/path/to/some/dso.so
-other_stuff=other_value
-----
-
-When this file is loaded a configuration module with the specified string
-(module* in the above example) is looked up and its init function called as:
-
-int conf_init_func(CONF_IMODULE *md, CONF *cnf);
-
-The function can then take whatever action is appropriate, for example further
-lookups based on the value. Multiple instances of the same config module can be
-loaded.
-
-When the application closes down the modules are cleaned up by calling an
-optional finish function:
-
-void conf_finish_func(CONF_IMODULE *md);
-
-The finish functions are called in reverse order: that is the last module
-loaded is the first one cleaned up.
-
-If no module exists with a given name then an attempt is made to load a DSO
-with the supplied name. This might mean that "module3" attempts to load a DSO
-called libmodule3.so or module3.dll for example. An explicit DSO name can be
-given by including a separate section as in the module4 example above.
-
-The DSO is expected to at least contain an initialization function:
-
-int OPENSSL_init(CONF_IMODULE *md, CONF *cnf);
-
-and may also include a finish function:
-
-void OPENSSL_finish(CONF_IMODULE *md);
-
-Static modules can also be added using,
-
-int CONF_module_add(char *name, dso_mod_init_func *ifunc, dso_mod_finish_func
-*ffunc);
-
-where "name" is the name in the configuration file this function corresponds
-to.
-
-A set of builtin modules (currently only an ASN1 non functional test module)
-can be added by calling OPENSSL_load_builtin_modules(). 
-
-The function OPENSSL_config() is intended as a simple configuration function
-that any application can call to perform various default configuration tasks.
-It uses the file openssl.cnf in the usual locations.
-
-
diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c
index 0173a7117c..fe9391685d 100644
--- a/src/lib/libcrypto/conf/conf_def.c
+++ b/src/lib/libcrypto/conf/conf_def.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf_def.c,v 1.44 2024/08/31 09:46:17 tb Exp $ */
+/* $OpenBSD: conf_def.c,v 1.45 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,12 +63,12 @@
 
 #include <openssl/buffer.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/stack.h>
 
 #include "conf_def.h"
 #include "conf_local.h"
+#include "err_local.h"
 
 #define MAX_CONF_VALUE_LENGTH 65536
 
diff --git a/src/lib/libcrypto/conf/conf_lib.c b/src/lib/libcrypto/conf/conf_lib.c
index 863e1c9475..84b4f8b0a7 100644
--- a/src/lib/libcrypto/conf/conf_lib.c
+++ b/src/lib/libcrypto/conf/conf_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf_lib.c,v 1.25 2025/03/08 09:35:53 tb Exp $ */
+/* $OpenBSD: conf_lib.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
  * project 2000.
  */
@@ -58,11 +58,11 @@
 
 #include <stdio.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/conf.h>
 #include <openssl/lhash.h>
 
 #include "conf_local.h"
+#include "err_local.h"
 
 static const CONF_METHOD *default_CONF_method = NULL;
 
diff --git a/src/lib/libcrypto/conf/conf_mod.c b/src/lib/libcrypto/conf/conf_mod.c
index 0e07bb3ea5..6e697cc478 100644
--- a/src/lib/libcrypto/conf/conf_mod.c
+++ b/src/lib/libcrypto/conf/conf_mod.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf_mod.c,v 1.40 2024/10/10 06:51:22 tb Exp $ */
+/* $OpenBSD: conf_mod.c,v 1.41 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -63,9 +63,10 @@
 
 #include <openssl/conf.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
+
 /* This structure contains data about supported modules. */
 struct conf_module_st {
         /* Name of the module */
diff --git a/src/lib/libcrypto/crypto_ex_data.c b/src/lib/libcrypto/crypto_ex_data.c
index ceb3a92e51..233905f888 100644
--- a/src/lib/libcrypto/crypto_ex_data.c
+++ b/src/lib/libcrypto/crypto_ex_data.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto_ex_data.c,v 1.4 2024/08/03 07:45:26 tb Exp $ */
+/* $OpenBSD: crypto_ex_data.c,v 1.6 2025/06/15 15:58:56 tb Exp $ */
 /*
  * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
  *
@@ -52,7 +52,7 @@ crypto_ex_data_classes_init(void)
                 return 1;
 
         if ((classes_new = calloc(CRYPTO_EX_INDEX__COUNT,
-            sizeof(struct crypto_ex_data_index))) == NULL)
+            sizeof(*classes_new))) == NULL)
                 return 0;
 
         CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
@@ -100,11 +100,10 @@ CRYPTO_get_ex_new_index(int class_index, long argl, void *argp,
                 goto err;
 
         if ((class = classes[class_index]) == NULL) {
-                if ((new_class = calloc(1,
-                    sizeof(struct crypto_ex_data_class))) == NULL)
+                if ((new_class = calloc(1, sizeof(*new_class))) == NULL)
                         goto err;
                 if ((new_class->indexes = calloc(CRYPTO_EX_DATA_MAX_INDEX,
-                    sizeof(struct crypto_ex_data_index *))) == NULL)
+                    sizeof(*new_class->indexes))) == NULL)
                         goto err;
                 new_class->indexes_len = CRYPTO_EX_DATA_MAX_INDEX;
                 new_class->next_index = 1;
@@ -119,7 +118,7 @@ CRYPTO_get_ex_new_index(int class_index, long argl, void *argp,
                 class = classes[class_index];
         }
 
-        if ((index = calloc(1, sizeof(struct crypto_ex_data_index))) == NULL)
+        if ((index = calloc(1, sizeof(*index))) == NULL)
                 goto err;
 
         index->new_func = new_func;
@@ -200,12 +199,12 @@ crypto_ex_data_init(CRYPTO_EX_DATA *exdata)
         if (exdata->sk != NULL)
                 goto err;
 
-        if ((ced = calloc(1, sizeof(struct crypto_ex_data))) == NULL)
+        if ((ced = calloc(1, sizeof(*ced))) == NULL)
                 goto err;
 
         ced->class_index = -1;
 
-        if ((ced->slots = calloc(CRYPTO_EX_DATA_MAX_INDEX, sizeof(void *))) == NULL)
+        if ((ced->slots = calloc(CRYPTO_EX_DATA_MAX_INDEX, sizeof(*ced->slots))) == NULL)
                 goto err;
         ced->slots_len = CRYPTO_EX_DATA_MAX_INDEX;
 
diff --git a/src/lib/libcrypto/crypto_init.c b/src/lib/libcrypto/crypto_init.c
index 6016d1ae40..ae4914e358 100644
--- a/src/lib/libcrypto/crypto_init.c
+++ b/src/lib/libcrypto/crypto_init.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_init.c,v 1.22 2024/10/17 14:27:57 jsing Exp $ */
+/*      $OpenBSD: crypto_init.c,v 1.26 2025/06/11 07:41:12 tb Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
  *
@@ -22,12 +22,12 @@
 
 #include <openssl/asn1.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509v3.h>
 
 #include "crypto_internal.h"
+#include "err_local.h"
 #include "x509_issuer_cache.h"
 
 int OpenSSL_config(const char *);
@@ -37,6 +37,30 @@ static pthread_once_t crypto_init_once = PTHREAD_ONCE_INIT;
 static pthread_t crypto_init_thread;
 static int crypto_init_cleaned_up;
 
+void openssl_init_crypto_constructor(void)  __attribute__((constructor));
+
+#ifndef HAVE_CRYPTO_CPU_CAPS_INIT
+void
+crypto_cpu_caps_init(void)
+{
+}
+#endif
+
+/*
+ * This function is invoked as a constructor when the library is loaded. The
+ * code run from here must not allocate memory or trigger signals. The only
+ * safe code is to read data and update global variables.
+ */
+void
+openssl_init_crypto_constructor(void)
+{
+        crypto_cpu_caps_init();
+}
+
+/*
+ * This is used by various configure scripts to check availability of libcrypto,
+ * so we need to keep it.
+ */
 void
 OPENSSL_init(void)
 {
@@ -48,8 +72,6 @@ OPENSSL_init_crypto_internal(void)
 {
         crypto_init_thread = pthread_self();
 
-        crypto_cpu_caps_init();
-
         ERR_load_crypto_strings();
 }
 
diff --git a/src/lib/libcrypto/crypto_internal.h b/src/lib/libcrypto/crypto_internal.h
index 09ae7fa466..058245e95e 100644
--- a/src/lib/libcrypto/crypto_internal.h
+++ b/src/lib/libcrypto/crypto_internal.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_internal.h,v 1.15 2025/01/19 07:51:41 jsing Exp $ */
+/*      $OpenBSD: crypto_internal.h,v 1.16 2025/07/22 09:18:02 jsing Exp $ */
 /*
  * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
  *
@@ -300,6 +300,4 @@ crypto_ror_u64(uint64_t v, size_t shift)
 
 void crypto_cpu_caps_init(void);
 
-uint64_t crypto_cpu_caps_ia32(void);
-
 #endif
diff --git a/src/lib/libcrypto/crypto_legacy.c b/src/lib/libcrypto/crypto_legacy.c
index d864fc4c3f..dcaa63236c 100644
--- a/src/lib/libcrypto/crypto_legacy.c
+++ b/src/lib/libcrypto/crypto_legacy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto_legacy.c,v 1.6 2024/11/06 04:18:42 tb Exp $ */
+/* $OpenBSD: crypto_legacy.c,v 1.9 2025/07/22 09:18:02 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -123,10 +123,10 @@
 
 #include <openssl/opensslconf.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 
 #include "crypto_internal.h"
 #include "crypto_local.h"
+#include "err_local.h"
 #include "x86_arch.h"
 
 /* Machine independent capabilities. */
@@ -306,29 +306,6 @@ void
 }
 LCRYPTO_ALIAS(CRYPTO_get_dynlock_destroy_callback);
 
-#if !defined(OPENSSL_CPUID_SETUP) && !defined(OPENSSL_CPUID_OBJ)
-void
-OPENSSL_cpuid_setup(void)
-{
-}
-#endif
-
-#ifndef HAVE_CRYPTO_CPU_CAPS_INIT
-void
-crypto_cpu_caps_init(void)
-{
-        OPENSSL_cpuid_setup();
-}
-#endif
-
-#ifndef HAVE_CRYPTO_CPU_CAPS_IA32
-uint64_t
-crypto_cpu_caps_ia32(void)
-{
-        return 0;
-}
-#endif
-
 uint64_t
 OPENSSL_cpu_caps(void)
 {
diff --git a/src/lib/libcrypto/crypto_local.h b/src/lib/libcrypto/crypto_local.h
index 2b4c74552f..606f17cefb 100644
--- a/src/lib/libcrypto/crypto_local.h
+++ b/src/lib/libcrypto/crypto_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto_local.h,v 1.4 2024/11/05 10:11:58 tb Exp $ */
+/* $OpenBSD: crypto_local.h,v 1.6 2025/06/09 14:37:48 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -65,6 +65,10 @@
 extern "C" {
 #endif
 
+#ifndef OPENSSLDIR
+#define OPENSSLDIR "/etc/ssl"
+#endif
+
 #define X509_CERT_AREA          OPENSSLDIR
 #define X509_CERT_DIR           OPENSSLDIR "/certs"
 #define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
@@ -75,8 +79,6 @@ extern "C" {
 #define CTLOG_FILE              OPENSSLDIR "/ct_log_list.cnf"
 #define CTLOG_FILE_EVP          "CTLOG_FILE"
 
-void OPENSSL_cpuid_setup(void);
-
 #ifdef  __cplusplus
 }
 #endif
diff --git a/src/lib/libcrypto/ct/ct_b64.c b/src/lib/libcrypto/ct/ct_b64.c
index 101cd1e2b1..e6e0532add 100644
--- a/src/lib/libcrypto/ct/ct_b64.c
+++ b/src/lib/libcrypto/ct/ct_b64.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_b64.c,v 1.7 2023/07/08 07:22:58 beck Exp $ */
+/*      $OpenBSD: ct_b64.c,v 1.8 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
  * (steve@openssl.org) for the OpenSSL project 2014.
@@ -61,11 +61,11 @@
 #include <string.h>
 
 #include <openssl/ct.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 
 #include "bytestring.h"
 #include "ct_local.h"
+#include "err_local.h"
 
 /*
  * Decodes the base64 string |in| into |out|.
diff --git a/src/lib/libcrypto/ct/ct_log.c b/src/lib/libcrypto/ct/ct_log.c
index 72045477ac..48611df979 100644
--- a/src/lib/libcrypto/ct/ct_log.c
+++ b/src/lib/libcrypto/ct/ct_log.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_log.c,v 1.9 2024/11/05 09:35:40 tb Exp $ */
+/*      $OpenBSD: ct_log.c,v 1.10 2025/05/10 05:54:38 tb Exp $ */
 /* Author: Adam Eijdenberg <adam.eijdenberg@gmail.com>. */
 /* ====================================================================
  * Copyright (c) 1998-2016 The OpenSSL Project.  All rights reserved.
@@ -65,13 +65,13 @@
 #include <openssl/asn1.h>
 #include <openssl/conf.h>
 #include <openssl/ct.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/sha.h>
 #include <openssl/x509.h>
 
 #include "conf_local.h"
 #include "crypto_local.h"
+#include "err_local.h"
 
 
 /*
diff --git a/src/lib/libcrypto/ct/ct_oct.c b/src/lib/libcrypto/ct/ct_oct.c
index 1f5e5c75d0..686d845f11 100644
--- a/src/lib/libcrypto/ct/ct_oct.c
+++ b/src/lib/libcrypto/ct/ct_oct.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_oct.c,v 1.9 2023/07/08 07:22:58 beck Exp $ */
+/*      $OpenBSD: ct_oct.c,v 1.10 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
  * (steve@openssl.org) for the OpenSSL project 2014.
@@ -67,10 +67,10 @@
 #include <openssl/asn1.h>
 #include <openssl/buffer.h>
 #include <openssl/ct.h>
-#include <openssl/err.h>
 
 #include "bytestring.h"
 #include "ct_local.h"
+#include "err_local.h"
 
 int
 o2i_SCT_signature(SCT *sct, CBS *cbs)
diff --git a/src/lib/libcrypto/ct/ct_policy.c b/src/lib/libcrypto/ct/ct_policy.c
index eb2b312019..a242b0d8f8 100644
--- a/src/lib/libcrypto/ct/ct_policy.c
+++ b/src/lib/libcrypto/ct/ct_policy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_policy.c,v 1.6 2023/07/08 07:22:58 beck Exp $ */
+/*      $OpenBSD: ct_policy.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Implementations of Certificate Transparency SCT policies.
  * Written by Rob Percival (robpercival@google.com) for the OpenSSL project.
@@ -56,11 +56,12 @@
 # error "CT is disabled"
 #endif
 
-#include <openssl/ct.h>
-#include <openssl/err.h>
 #include <time.h>
 
+#include <openssl/ct.h>
+
 #include "ct_local.h"
+#include "err_local.h"
 
 /*
  * Number of seconds in the future that an SCT timestamp can be, by default,
diff --git a/src/lib/libcrypto/ct/ct_sct.c b/src/lib/libcrypto/ct/ct_sct.c
index 4b2716e734..d647e34d92 100644
--- a/src/lib/libcrypto/ct/ct_sct.c
+++ b/src/lib/libcrypto/ct/ct_sct.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_sct.c,v 1.10 2023/07/22 17:02:49 tb Exp $ */
+/*      $OpenBSD: ct_sct.c,v 1.11 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Rob Stradling (rob@comodo.com), Stephen Henson (steve@openssl.org)
  * and Adam Eijdenberg (adam.eijdenberg@gmail.com) for the OpenSSL project 2016.
@@ -67,11 +67,11 @@
 
 #include <openssl/asn1.h>
 #include <openssl/ct.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
 #include "ct_local.h"
+#include "err_local.h"
 
 SCT *
 SCT_new(void)
diff --git a/src/lib/libcrypto/ct/ct_sct_ctx.c b/src/lib/libcrypto/ct/ct_sct_ctx.c
index b2b6d4e269..930c7df59b 100644
--- a/src/lib/libcrypto/ct/ct_sct_ctx.c
+++ b/src/lib/libcrypto/ct/ct_sct_ctx.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_sct_ctx.c,v 1.6 2022/06/30 11:14:47 tb Exp $ */
+/*      $OpenBSD: ct_sct_ctx.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
  * (steve@openssl.org) for the OpenSSL project 2014.
@@ -64,11 +64,11 @@
 #include <stddef.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
 #include "ct_local.h"
+#include "err_local.h"
 
 SCT_CTX *
 SCT_CTX_new(void)
diff --git a/src/lib/libcrypto/ct/ct_vfy.c b/src/lib/libcrypto/ct/ct_vfy.c
index 424117263a..5dbb2096e1 100644
--- a/src/lib/libcrypto/ct/ct_vfy.c
+++ b/src/lib/libcrypto/ct/ct_vfy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_vfy.c,v 1.6 2022/01/06 14:34:40 jsing Exp $ */
+/*      $OpenBSD: ct_vfy.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
  * (steve@openssl.org) for the OpenSSL project 2014.
@@ -60,11 +60,11 @@
 #include <string.h>
 
 #include <openssl/ct.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 
 #include "ct_local.h"
+#include "err_local.h"
 
 typedef enum sct_signature_type_t {
         SIGNATURE_TYPE_NOT_SET = -1,
diff --git a/src/lib/libcrypto/curve25519/curve25519.c b/src/lib/libcrypto/curve25519/curve25519.c
index 4e644c4280..0aa3d2855b 100644
--- a/src/lib/libcrypto/curve25519/curve25519.c
+++ b/src/lib/libcrypto/curve25519/curve25519.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: curve25519.c,v 1.16 2023/07/08 15:12:49 beck Exp $ */
+/*      $OpenBSD: curve25519.c,v 1.18 2025/07/29 10:52:20 tb Exp $ */
 /*
  * Copyright (c) 2015, Google Inc.
  *
@@ -3781,6 +3781,17 @@ ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,
   }
 }
 
+/*
+ * int64_lshift21 returns |a << 21| but is defined when shifting bits into the
+ * sign bit. This works around a language flaw in C.
+ *
+ * XXX: This is a hack to avoid undefined behavior when shifting into the sign bit.
+ * We match BoringSSL's implementation here.
+ */
+static inline int64_t int64_lshift21(int64_t a) {
+  return (int64_t)((uint64_t)a << 21);
+}
+
 /* The set of scalars is \Z/l
  * where l = 2^252 + 27742317777372353535851937790883648493. */
 
@@ -3885,38 +3896,38 @@ x25519_sc_reduce(uint8_t *s) {
 
   carry6 = (s6 + (1 << 20)) >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry8 = (s8 + (1 << 20)) >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry10 = (s10 + (1 << 20)) >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
   carry12 = (s12 + (1 << 20)) >> 21;
   s13 += carry12;
-  s12 -= carry12 << 21;
+  s12 -= int64_lshift21(carry12);
   carry14 = (s14 + (1 << 20)) >> 21;
   s15 += carry14;
-  s14 -= carry14 << 21;
+  s14 -= int64_lshift21(carry14);
   carry16 = (s16 + (1 << 20)) >> 21;
   s17 += carry16;
-  s16 -= carry16 << 21;
+  s16 -= int64_lshift21(carry16);
 
   carry7 = (s7 + (1 << 20)) >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry9 = (s9 + (1 << 20)) >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry11 = (s11 + (1 << 20)) >> 21;
   s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
   carry13 = (s13 + (1 << 20)) >> 21;
   s14 += carry13;
-  s13 -= carry13 << 21;
+  s13 -= int64_lshift21(carry13);
   carry15 = (s15 + (1 << 20)) >> 21;
   s16 += carry15;
-  s15 -= carry15 << 21;
+  s15 -= int64_lshift21(carry15);
 
   s5 += s17 * 666643;
   s6 += s17 * 470296;
@@ -3968,41 +3979,41 @@ x25519_sc_reduce(uint8_t *s) {
 
   carry0 = (s0 + (1 << 20)) >> 21;
   s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
   carry2 = (s2 + (1 << 20)) >> 21;
   s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
   carry4 = (s4 + (1 << 20)) >> 21;
   s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
   carry6 = (s6 + (1 << 20)) >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry8 = (s8 + (1 << 20)) >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry10 = (s10 + (1 << 20)) >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
 
   carry1 = (s1 + (1 << 20)) >> 21;
   s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
   carry3 = (s3 + (1 << 20)) >> 21;
   s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
   carry5 = (s5 + (1 << 20)) >> 21;
   s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
   carry7 = (s7 + (1 << 20)) >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry9 = (s9 + (1 << 20)) >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry11 = (s11 + (1 << 20)) >> 21;
   s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
 
   s0 += s12 * 666643;
   s1 += s12 * 470296;
@@ -4014,40 +4025,40 @@ x25519_sc_reduce(uint8_t *s) {
 
   carry0 = s0 >> 21;
   s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
   carry1 = s1 >> 21;
   s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
   carry2 = s2 >> 21;
   s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
   carry3 = s3 >> 21;
   s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
   carry4 = s4 >> 21;
   s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
   carry5 = s5 >> 21;
   s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
   carry6 = s6 >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry7 = s7 >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry8 = s8 >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry9 = s9 >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry10 = s10 >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
   carry11 = s11 >> 21;
   s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
 
   s0 += s12 * 666643;
   s1 += s12 * 470296;
@@ -4059,37 +4070,37 @@ x25519_sc_reduce(uint8_t *s) {
 
   carry0 = s0 >> 21;
   s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
   carry1 = s1 >> 21;
   s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
   carry2 = s2 >> 21;
   s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
   carry3 = s3 >> 21;
   s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
   carry4 = s4 >> 21;
   s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
   carry5 = s5 >> 21;
   s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
   carry6 = s6 >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry7 = s7 >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry8 = s8 >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry9 = s9 >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry10 = s10 >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
 
   s[0] = s0 >> 0;
   s[1] = s0 >> 8;
@@ -4257,74 +4268,74 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
 
   carry0 = (s0 + (1 << 20)) >> 21;
   s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
   carry2 = (s2 + (1 << 20)) >> 21;
   s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
   carry4 = (s4 + (1 << 20)) >> 21;
   s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
   carry6 = (s6 + (1 << 20)) >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry8 = (s8 + (1 << 20)) >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry10 = (s10 + (1 << 20)) >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
   carry12 = (s12 + (1 << 20)) >> 21;
   s13 += carry12;
-  s12 -= carry12 << 21;
+  s12 -= int64_lshift21(carry12);
   carry14 = (s14 + (1 << 20)) >> 21;
   s15 += carry14;
-  s14 -= carry14 << 21;
+  s14 -= int64_lshift21(carry14);
   carry16 = (s16 + (1 << 20)) >> 21;
   s17 += carry16;
-  s16 -= carry16 << 21;
+  s16 -= int64_lshift21(carry16);
   carry18 = (s18 + (1 << 20)) >> 21;
   s19 += carry18;
-  s18 -= carry18 << 21;
+  s18 -= int64_lshift21(carry18);
   carry20 = (s20 + (1 << 20)) >> 21;
   s21 += carry20;
-  s20 -= carry20 << 21;
+  s20 -= int64_lshift21(carry20);
   carry22 = (s22 + (1 << 20)) >> 21;
   s23 += carry22;
-  s22 -= carry22 << 21;
+  s22 -= int64_lshift21(carry22);
 
   carry1 = (s1 + (1 << 20)) >> 21;
   s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
   carry3 = (s3 + (1 << 20)) >> 21;
   s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
   carry5 = (s5 + (1 << 20)) >> 21;
   s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
   carry7 = (s7 + (1 << 20)) >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry9 = (s9 + (1 << 20)) >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry11 = (s11 + (1 << 20)) >> 21;
   s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
   carry13 = (s13 + (1 << 20)) >> 21;
   s14 += carry13;
-  s13 -= carry13 << 21;
+  s13 -= int64_lshift21(carry13);
   carry15 = (s15 + (1 << 20)) >> 21;
   s16 += carry15;
-  s15 -= carry15 << 21;
+  s15 -= int64_lshift21(carry15);
   carry17 = (s17 + (1 << 20)) >> 21;
   s18 += carry17;
-  s17 -= carry17 << 21;
+  s17 -= int64_lshift21(carry17);
   carry19 = (s19 + (1 << 20)) >> 21;
   s20 += carry19;
-  s19 -= carry19 << 21;
+  s19 -= int64_lshift21(carry19);
   carry21 = (s21 + (1 << 20)) >> 21;
   s22 += carry21;
-  s21 -= carry21 << 21;
+  s21 -= int64_lshift21(carry21);
 
   s11 += s23 * 666643;
   s12 += s23 * 470296;
@@ -4376,38 +4387,38 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
 
   carry6 = (s6 + (1 << 20)) >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry8 = (s8 + (1 << 20)) >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry10 = (s10 + (1 << 20)) >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
   carry12 = (s12 + (1 << 20)) >> 21;
   s13 += carry12;
-  s12 -= carry12 << 21;
+  s12 -= int64_lshift21(carry12);
   carry14 = (s14 + (1 << 20)) >> 21;
   s15 += carry14;
-  s14 -= carry14 << 21;
+  s14 -= int64_lshift21(carry14);
   carry16 = (s16 + (1 << 20)) >> 21;
   s17 += carry16;
-  s16 -= carry16 << 21;
+  s16 -= int64_lshift21(carry16);
 
   carry7 = (s7 + (1 << 20)) >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry9 = (s9 + (1 << 20)) >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry11 = (s11 + (1 << 20)) >> 21;
   s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
   carry13 = (s13 + (1 << 20)) >> 21;
   s14 += carry13;
-  s13 -= carry13 << 21;
+  s13 -= int64_lshift21(carry13);
   carry15 = (s15 + (1 << 20)) >> 21;
   s16 += carry15;
-  s15 -= carry15 << 21;
+  s15 -= int64_lshift21(carry15);
 
   s5 += s17 * 666643;
   s6 += s17 * 470296;
@@ -4459,41 +4470,41 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
 
   carry0 = (s0 + (1 << 20)) >> 21;
   s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
   carry2 = (s2 + (1 << 20)) >> 21;
   s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
   carry4 = (s4 + (1 << 20)) >> 21;
   s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
   carry6 = (s6 + (1 << 20)) >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry8 = (s8 + (1 << 20)) >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry10 = (s10 + (1 << 20)) >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
 
   carry1 = (s1 + (1 << 20)) >> 21;
   s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
   carry3 = (s3 + (1 << 20)) >> 21;
   s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
   carry5 = (s5 + (1 << 20)) >> 21;
   s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
   carry7 = (s7 + (1 << 20)) >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry9 = (s9 + (1 << 20)) >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry11 = (s11 + (1 << 20)) >> 21;
   s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
 
   s0 += s12 * 666643;
   s1 += s12 * 470296;
@@ -4505,40 +4516,40 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
 
   carry0 = s0 >> 21;
   s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
   carry1 = s1 >> 21;
   s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
   carry2 = s2 >> 21;
   s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
   carry3 = s3 >> 21;
   s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
   carry4 = s4 >> 21;
   s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
   carry5 = s5 >> 21;
   s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
   carry6 = s6 >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry7 = s7 >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry8 = s8 >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry9 = s9 >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry10 = s10 >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
   carry11 = s11 >> 21;
   s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
 
   s0 += s12 * 666643;
   s1 += s12 * 470296;
@@ -4550,37 +4561,37 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
 
   carry0 = s0 >> 21;
   s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
   carry1 = s1 >> 21;
   s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
   carry2 = s2 >> 21;
   s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
   carry3 = s3 >> 21;
   s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
   carry4 = s4 >> 21;
   s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
   carry5 = s5 >> 21;
   s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
   carry6 = s6 >> 21;
   s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
   carry7 = s7 >> 21;
   s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
   carry8 = s8 >> 21;
   s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
   carry9 = s9 >> 21;
   s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
   carry10 = s10 >> 21;
   s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
 
   s[0] = s0 >> 0;
   s[1] = s0 >> 8;
diff --git a/src/lib/libcrypto/des/des.h b/src/lib/libcrypto/des/des.h
index 2d957a192c..ad7a418c01 100644
--- a/src/lib/libcrypto/des/des.h
+++ b/src/lib/libcrypto/des/des.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: des.h,v 1.23 2025/01/25 17:59:44 tb Exp $ */
+/* $OpenBSD: des.h,v 1.26 2025/06/09 17:49:45 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -56,11 +56,20 @@
  * [including the GNU Public Licence.]
  */
 
-#ifndef HEADER_NEW_DES_H
-#define HEADER_NEW_DES_H
+#ifndef HEADER_DES_H
+#define HEADER_DES_H
 
 #include <openssl/opensslconf.h>
 
+#ifndef DES_LONG
+/* XXX - typedef to unsigned int everywhere. */
+#ifdef __i386__
+#define DES_LONG unsigned long
+#else
+#define DES_LONG unsigned int
+#endif
+#endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
diff --git a/src/lib/libcrypto/des/des_enc.c b/src/lib/libcrypto/des/des_enc.c
index deec50bffb..cb89784fb0 100644
--- a/src/lib/libcrypto/des/des_enc.c
+++ b/src/lib/libcrypto/des/des_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: des_enc.c,v 1.20 2024/08/31 16:17:13 jsing Exp $ */
+/* $OpenBSD: des_enc.c,v 1.21 2025/07/27 13:26:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -210,10 +210,8 @@ void
 DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
 {
         DES_LONG l, r, t, u;
-#ifndef DES_UNROLL
-        int i;
-#endif
         DES_LONG *s;
+        int i;
 
         r = data[0];
         l = data[1];
@@ -231,56 +229,21 @@ DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
         l = ROTATE(l, 29) & 0xffffffffL;
 
         s = ks->ks->deslong;
-        /* I don't know if it is worth the effort of loop unrolling the
-         * inner loop */
+
         if (enc) {
-#ifdef DES_UNROLL
-                D_ENCRYPT(l, r, 0); /*  1 */
-                D_ENCRYPT(r, l, 2); /*  2 */
-                D_ENCRYPT(l, r, 4); /*  3 */
-                D_ENCRYPT(r, l, 6); /*  4 */
-                D_ENCRYPT(l, r, 8); /*  5 */
-                D_ENCRYPT(r, l, 10); /*  6 */
-                D_ENCRYPT(l, r, 12); /*  7 */
-                D_ENCRYPT(r, l, 14); /*  8 */
-                D_ENCRYPT(l, r, 16); /*  9 */
-                D_ENCRYPT(r, l, 18); /*  10 */
-                D_ENCRYPT(l, r, 20); /*  11 */
-                D_ENCRYPT(r, l, 22); /*  12 */
-                D_ENCRYPT(l, r, 24); /*  13 */
-                D_ENCRYPT(r, l, 26); /*  14 */
-                D_ENCRYPT(l, r, 28); /*  15 */
-                D_ENCRYPT(r, l, 30); /*  16 */
-#else
-                for (i = 0; i < 32; i += 4) {
-                        D_ENCRYPT(l, r, i + 0); /*  1 */
-                        D_ENCRYPT(r, l, i + 2); /*  2 */
+                for (i = 0; i < 32; i += 8) {
+                        D_ENCRYPT(l, r, i + 0);
+                        D_ENCRYPT(r, l, i + 2);
+                        D_ENCRYPT(l, r, i + 4);
+                        D_ENCRYPT(r, l, i + 6);
                 }
-#endif
         } else {
-#ifdef DES_UNROLL
-                D_ENCRYPT(l, r, 30); /* 16 */
-                D_ENCRYPT(r, l, 28); /* 15 */
-                D_ENCRYPT(l, r, 26); /* 14 */
-                D_ENCRYPT(r, l, 24); /* 13 */
-                D_ENCRYPT(l, r, 22); /* 12 */
-                D_ENCRYPT(r, l, 20); /* 11 */
-                D_ENCRYPT(l, r, 18); /* 10 */
-                D_ENCRYPT(r, l, 16); /*  9 */
-                D_ENCRYPT(l, r, 14); /*  8 */
-                D_ENCRYPT(r, l, 12); /*  7 */
-                D_ENCRYPT(l, r, 10); /*  6 */
-                D_ENCRYPT(r, l, 8); /*  5 */
-                D_ENCRYPT(l, r, 6); /*  4 */
-                D_ENCRYPT(r, l, 4); /*  3 */
-                D_ENCRYPT(l, r, 2); /*  2 */
-                D_ENCRYPT(r, l, 0); /*  1 */
-#else
-                for (i = 30; i > 0; i -= 4) {
-                        D_ENCRYPT(l, r, i - 0); /* 16 */
-                        D_ENCRYPT(r, l, i - 2); /* 15 */
+                for (i = 32; i > 0; i -= 8) {
+                        D_ENCRYPT(l, r, i - 2);
+                        D_ENCRYPT(r, l, i - 4);
+                        D_ENCRYPT(l, r, i - 6);
+                        D_ENCRYPT(r, l, i - 8);
                 }
-#endif
         }
 
         /* rotate and clear the top bits on machines with 8byte longs */
@@ -298,10 +261,8 @@ void
 DES_encrypt2(DES_LONG *data, DES_key_schedule *ks, int enc)
 {
         DES_LONG l, r, t, u;
-#ifndef DES_UNROLL
-        int i;
-#endif
         DES_LONG *s;
+        int i;
 
         r = data[0];
         l = data[1];
@@ -320,53 +281,19 @@ DES_encrypt2(DES_LONG *data, DES_key_schedule *ks, int enc)
         /* I don't know if it is worth the effort of loop unrolling the
          * inner loop */
         if (enc) {
-#ifdef DES_UNROLL
-                D_ENCRYPT(l, r, 0); /*  1 */
-                D_ENCRYPT(r, l, 2); /*  2 */
-                D_ENCRYPT(l, r, 4); /*  3 */
-                D_ENCRYPT(r, l, 6); /*  4 */
-                D_ENCRYPT(l, r, 8); /*  5 */
-                D_ENCRYPT(r, l, 10); /*  6 */
-                D_ENCRYPT(l, r, 12); /*  7 */
-                D_ENCRYPT(r, l, 14); /*  8 */
-                D_ENCRYPT(l, r, 16); /*  9 */
-                D_ENCRYPT(r, l, 18); /*  10 */
-                D_ENCRYPT(l, r, 20); /*  11 */
-                D_ENCRYPT(r, l, 22); /*  12 */
-                D_ENCRYPT(l, r, 24); /*  13 */
-                D_ENCRYPT(r, l, 26); /*  14 */
-                D_ENCRYPT(l, r, 28); /*  15 */
-                D_ENCRYPT(r, l, 30); /*  16 */
-#else
-                for (i = 0; i < 32; i += 4) {
-                        D_ENCRYPT(l, r, i + 0); /*  1 */
-                        D_ENCRYPT(r, l, i + 2); /*  2 */
+                for (i = 0; i < 32; i += 8) {
+                        D_ENCRYPT(l, r, i + 0);
+                        D_ENCRYPT(r, l, i + 2);
+                        D_ENCRYPT(l, r, i + 4);
+                        D_ENCRYPT(r, l, i + 6);
                 }
-#endif
         } else {
-#ifdef DES_UNROLL
-                D_ENCRYPT(l, r, 30); /* 16 */
-                D_ENCRYPT(r, l, 28); /* 15 */
-                D_ENCRYPT(l, r, 26); /* 14 */
-                D_ENCRYPT(r, l, 24); /* 13 */
-                D_ENCRYPT(l, r, 22); /* 12 */
-                D_ENCRYPT(r, l, 20); /* 11 */
-                D_ENCRYPT(l, r, 18); /* 10 */
-                D_ENCRYPT(r, l, 16); /*  9 */
-                D_ENCRYPT(l, r, 14); /*  8 */
-                D_ENCRYPT(r, l, 12); /*  7 */
-                D_ENCRYPT(l, r, 10); /*  6 */
-                D_ENCRYPT(r, l, 8); /*  5 */
-                D_ENCRYPT(l, r, 6); /*  4 */
-                D_ENCRYPT(r, l, 4); /*  3 */
-                D_ENCRYPT(l, r, 2); /*  2 */
-                D_ENCRYPT(r, l, 0); /*  1 */
-#else
-                for (i = 30; i > 0; i -= 4) {
-                        D_ENCRYPT(l, r, i - 0); /* 16 */
-                        D_ENCRYPT(r, l, i - 2); /* 15 */
+                for (i = 32; i > 0; i -= 8) {
+                        D_ENCRYPT(l, r, i - 2);
+                        D_ENCRYPT(r, l, i - 4);
+                        D_ENCRYPT(l, r, i - 6);
+                        D_ENCRYPT(r, l, i - 8);
                 }
-#endif
         }
         /* rotate and clear the top bits on machines with 8byte longs */
         data[0] = ROTATE(l, 3) & 0xffffffffL;
diff --git a/src/lib/libcrypto/des/des_fcrypt.c b/src/lib/libcrypto/des/des_fcrypt.c
index b33b1240c2..2dd071f5d0 100644
--- a/src/lib/libcrypto/des/des_fcrypt.c
+++ b/src/lib/libcrypto/des/des_fcrypt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: des_fcrypt.c,v 1.4 2024/08/31 16:22:18 jsing Exp $ */
+/* $OpenBSD: des_fcrypt.c,v 1.5 2025/07/27 13:26:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -90,8 +90,8 @@ fcrypt_body(DES_LONG *out, DES_key_schedule *ks, DES_LONG Eswap0,
 {
         DES_LONG l, r, t, u;
         DES_LONG *s;
-        int j;
         DES_LONG E0, E1;
+        int i, j;
 
         l = 0;
         r = 0;
@@ -101,32 +101,12 @@ fcrypt_body(DES_LONG *out, DES_key_schedule *ks, DES_LONG Eswap0,
         E1 = Eswap1;
 
         for (j = 0; j < 25; j++) {
-#ifndef DES_UNROLL
-                int i;
-
-                for (i = 0; i < 32; i += 4) {
-                        D_ENCRYPT(l, r, i + 0); /*  1 */
-                        D_ENCRYPT(r, l, i + 2); /*  2 */
+                for (i = 0; i < 32; i += 8) {
+                        D_ENCRYPT(l, r, i + 0);
+                        D_ENCRYPT(r, l, i + 2);
+                        D_ENCRYPT(l, r, i + 4);
+                        D_ENCRYPT(r, l, i + 6);
                 }
-#else
-                D_ENCRYPT(l, r, 0); /*  1 */
-                D_ENCRYPT(r, l, 2); /*  2 */
-                D_ENCRYPT(l, r, 4); /*  3 */
-                D_ENCRYPT(r, l, 6); /*  4 */
-                D_ENCRYPT(l, r, 8); /*  5 */
-                D_ENCRYPT(r, l, 10); /*  6 */
-                D_ENCRYPT(l, r, 12); /*  7 */
-                D_ENCRYPT(r, l, 14); /*  8 */
-                D_ENCRYPT(l, r, 16); /*  9 */
-                D_ENCRYPT(r, l, 18); /*  10 */
-                D_ENCRYPT(l, r, 20); /*  11 */
-                D_ENCRYPT(r, l, 22); /*  12 */
-                D_ENCRYPT(l, r, 24); /*  13 */
-                D_ENCRYPT(r, l, 26); /*  14 */
-                D_ENCRYPT(l, r, 28); /*  15 */
-                D_ENCRYPT(r, l, 30); /*  16 */
-#endif
-
                 t = l;
                 l = r;
                 r = t;
diff --git a/src/lib/libcrypto/dh/dh_ameth.c b/src/lib/libcrypto/dh/dh_ameth.c
index 289307bfd6..ec59245b9c 100644
--- a/src/lib/libcrypto/dh/dh_ameth.c
+++ b/src/lib/libcrypto/dh/dh_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_ameth.c,v 1.42 2025/01/17 05:04:25 tb Exp $ */
+/* $OpenBSD: dh_ameth.c,v 1.43 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -61,12 +61,12 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
 #include "bn_local.h"
 #include "dh_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 static void
diff --git a/src/lib/libcrypto/dh/dh_check.c b/src/lib/libcrypto/dh/dh_check.c
index a880f9fca1..1ba85bc824 100644
--- a/src/lib/libcrypto/dh/dh_check.c
+++ b/src/lib/libcrypto/dh/dh_check.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_check.c,v 1.30 2024/11/29 15:59:57 tb Exp $ */
+/* $OpenBSD: dh_check.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,7 +60,6 @@
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/err.h>
 
 #include "bn_local.h"
 #include "dh_local.h"
diff --git a/src/lib/libcrypto/dh/dh_gen.c b/src/lib/libcrypto/dh/dh_gen.c
index 3ffa5d80f1..f28f75909c 100644
--- a/src/lib/libcrypto/dh/dh_gen.c
+++ b/src/lib/libcrypto/dh/dh_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_gen.c,v 1.21 2023/07/08 15:29:03 beck Exp $ */
+/* $OpenBSD: dh_gen.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,10 +60,10 @@
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/err.h>
 
 #include "bn_local.h"
 #include "dh_local.h"
+#include "err_local.h"
 
 static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
             BN_GENCB *cb);
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index 93b04f398f..89a02c8309 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_key.c,v 1.42 2024/05/09 20:43:36 tb Exp $ */
+/* $OpenBSD: dh_key.c,v 1.43 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,10 +60,10 @@
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/err.h>
 
 #include "bn_local.h"
 #include "dh_local.h"
+#include "err_local.h"
 
 static int
 generate_key(DH *dh)
diff --git a/src/lib/libcrypto/dh/dh_lib.c b/src/lib/libcrypto/dh/dh_lib.c
index 803aca6421..db76244550 100644
--- a/src/lib/libcrypto/dh/dh_lib.c
+++ b/src/lib/libcrypto/dh/dh_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_lib.c,v 1.46 2024/11/29 15:59:57 tb Exp $ */
+/* $OpenBSD: dh_lib.c,v 1.47 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,9 +63,9 @@
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/err.h>
 
 #include "dh_local.h"
+#include "err_local.h"
 
 static const DH_METHOD *default_DH_method = NULL;
 
diff --git a/src/lib/libcrypto/dh/dh_pmeth.c b/src/lib/libcrypto/dh/dh_pmeth.c
index 1e5327b11f..18517b0cde 100644
--- a/src/lib/libcrypto/dh/dh_pmeth.c
+++ b/src/lib/libcrypto/dh/dh_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_pmeth.c,v 1.17 2024/08/26 22:00:47 op Exp $ */
+/* $OpenBSD: dh_pmeth.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -64,12 +64,12 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 
 #include "bn_local.h"
 #include "dh_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 /* DH pkey context structure */
diff --git a/src/lib/libcrypto/dsa/dsa_ameth.c b/src/lib/libcrypto/dsa/dsa_ameth.c
index 866e5ec476..8e65cf68f7 100644
--- a/src/lib/libcrypto/dsa/dsa_ameth.c
+++ b/src/lib/libcrypto/dsa/dsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ameth.c,v 1.59 2024/04/13 14:02:51 tb Exp $ */
+/* $OpenBSD: dsa_ameth.c,v 1.60 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -64,12 +64,12 @@
 #include <openssl/bn.h>
 #include <openssl/cms.h>
 #include <openssl/dsa.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
 #include "bn_local.h"
 #include "dsa_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/dsa/dsa_asn1.c b/src/lib/libcrypto/dsa/dsa_asn1.c
index de6ec46195..e8957a99ff 100644
--- a/src/lib/libcrypto/dsa/dsa_asn1.c
+++ b/src/lib/libcrypto/dsa/dsa_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_asn1.c,v 1.33 2024/07/08 17:11:05 beck Exp $ */
+/* $OpenBSD: dsa_asn1.c,v 1.34 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -63,9 +63,9 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
-#include <openssl/err.h>
 
 #include "dsa_local.h"
+#include "err_local.h"
 
 /* Override the default new methods */
 static int
diff --git a/src/lib/libcrypto/dsa/dsa_lib.c b/src/lib/libcrypto/dsa/dsa_lib.c
index daf2fa135b..ecd517cf8a 100644
--- a/src/lib/libcrypto/dsa/dsa_lib.c
+++ b/src/lib/libcrypto/dsa/dsa_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_lib.c,v 1.48 2024/03/27 01:49:31 tb Exp $ */
+/* $OpenBSD: dsa_lib.c,v 1.49 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -65,7 +65,6 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
-#include <openssl/err.h>
 
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
@@ -73,6 +72,7 @@
 
 #include "dh_local.h"
 #include "dsa_local.h"
+#include "err_local.h"
 
 static const DSA_METHOD *default_DSA_method = NULL;
 
diff --git a/src/lib/libcrypto/dsa/dsa_meth.c b/src/lib/libcrypto/dsa/dsa_meth.c
index c84b5287e1..c961bb13b4 100644
--- a/src/lib/libcrypto/dsa/dsa_meth.c
+++ b/src/lib/libcrypto/dsa/dsa_meth.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: dsa_meth.c,v 1.7 2023/07/08 14:28:15 beck Exp $       */
+/*      $OpenBSD: dsa_meth.c,v 1.8 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
  *
@@ -19,9 +19,9 @@
 #include <string.h>
 
 #include <openssl/dsa.h>
-#include <openssl/err.h>
 
 #include "dsa_local.h"
+#include "err_local.h"
 
 DSA_METHOD *
 DSA_meth_new(const char *name, int flags)
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index c53c8b9001..6d1546f4fc 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.56 2024/05/11 06:43:50 tb Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.57 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,11 +63,11 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
-#include <openssl/err.h>
 #include <openssl/sha.h>
 
 #include "bn_local.h"
 #include "dsa_local.h"
+#include "err_local.h"
 
 /*
  * Since DSA parameters are entirely arbitrary and checking them to be
diff --git a/src/lib/libcrypto/dsa/dsa_pmeth.c b/src/lib/libcrypto/dsa/dsa_pmeth.c
index adc7319731..73889a8307 100644
--- a/src/lib/libcrypto/dsa/dsa_pmeth.c
+++ b/src/lib/libcrypto/dsa/dsa_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_pmeth.c,v 1.21 2024/10/19 14:39:44 tb Exp $ */
+/* $OpenBSD: dsa_pmeth.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -63,12 +63,12 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 
 #include "bn_local.h"
 #include "dsa_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 /* DSA pkey context structure */
diff --git a/src/lib/libcrypto/dsa/dsa_prn.c b/src/lib/libcrypto/dsa/dsa_prn.c
index f276d82482..058b7d9ffd 100644
--- a/src/lib/libcrypto/dsa/dsa_prn.c
+++ b/src/lib/libcrypto/dsa/dsa_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_prn.c,v 1.10 2023/07/08 14:28:15 beck Exp $ */
+/* $OpenBSD: dsa_prn.c,v 1.11 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -59,9 +59,10 @@
 #include <stdio.h>
 
 #include <openssl/dsa.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 
+#include "err_local.h"
+
 int
 DSA_print_fp(FILE *fp, const DSA *x, int off)
 {
diff --git a/src/lib/libcrypto/ec/ec_ameth.c b/src/lib/libcrypto/ec/ec_ameth.c
index 903b18a8db..ddc8adea1e 100644
--- a/src/lib/libcrypto/ec/ec_ameth.c
+++ b/src/lib/libcrypto/ec/ec_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_ameth.c,v 1.73 2024/11/25 06:51:39 tb Exp $ */
+/* $OpenBSD: ec_ameth.c,v 1.74 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -66,7 +66,6 @@
 #include <openssl/bn.h>
 #include <openssl/cms.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/pkcs7.h>
 #include <openssl/objects.h>
@@ -74,6 +73,7 @@
 
 #include "asn1_local.h"
 #include "bn_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/ec/ec_asn1.c b/src/lib/libcrypto/ec/ec_asn1.c
index ef318f8d43..35f4f5b0ba 100644
--- a/src/lib/libcrypto/ec/ec_asn1.c
+++ b/src/lib/libcrypto/ec/ec_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_asn1.c,v 1.111 2025/03/13 10:31:12 tb Exp $ */
+/* $OpenBSD: ec_asn1.c,v 1.112 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -66,12 +66,12 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/asn1t.h>
 #include <openssl/objects.h>
 
 #include "asn1_local.h"
 #include "ec_local.h"
+#include "err_local.h"
 
 int
 EC_GROUP_get_basis_type(const EC_GROUP *group)
diff --git a/src/lib/libcrypto/ec/ec_convert.c b/src/lib/libcrypto/ec/ec_convert.c
index a18bc49132..84641a4e72 100644
--- a/src/lib/libcrypto/ec/ec_convert.c
+++ b/src/lib/libcrypto/ec/ec_convert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_convert.c,v 1.14 2025/01/05 16:07:08 tb Exp $ */
+/* $OpenBSD: ec_convert.c,v 1.15 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -64,10 +64,10 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
 #include "ec_local.h"
+#include "err_local.h"
 
 /*
  * Internal handling of the point conversion octet
diff --git a/src/lib/libcrypto/ec/ec_curve.c b/src/lib/libcrypto/ec/ec_curve.c
index a3ec2de7fb..2cfb219b50 100644
--- a/src/lib/libcrypto/ec/ec_curve.c
+++ b/src/lib/libcrypto/ec/ec_curve.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_curve.c,v 1.54 2025/03/09 17:53:11 tb Exp $ */
+/* $OpenBSD: ec_curve.c,v 1.58 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -78,10 +78,10 @@
 
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 
 #include "ec_local.h"
+#include "err_local.h"
 
 static const struct {
         uint8_t seed[20];
@@ -130,6 +130,57 @@ static const struct {
 
 static const struct {
         uint8_t seed[20];
+        uint8_t p[32];
+        uint8_t a[32];
+        uint8_t b[32];
+        uint8_t x[32];
+        uint8_t y[32];
+        uint8_t order[32];
+} _EC_NIST_PRIME_256 = {
+        .seed = {
+                0xc4, 0x9d, 0x36, 0x08, 0x86, 0xe7, 0x04, 0x93, 0x6a, 0x66,
+                0x78, 0xe1, 0x13, 0x9d, 0x26, 0xb7, 0x81, 0x9f, 0x7e, 0x90,
+        },
+        .p = {
+                0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
+                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+                0xff, 0xff,
+        },
+        .a = {
+                0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
+                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+                0xff, 0xfc,
+        },
+        .b = {
+                0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, 0xb3, 0xeb,
+                0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc, 0x65, 0x1d, 0x06, 0xb0,
+                0xcc, 0x53, 0xb0, 0xf6, 0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2,
+                0x60, 0x4b,
+        },
+        .x = {
+                0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc,
+                0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81,
+                0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98,
+                0xc2, 0x96,
+        },
+        .y = {
+                0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7,
+                0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57,
+                0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf,
+                0x51, 0xf5,
+        },
+        .order = {
+                0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
+                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xbc, 0xe6, 0xfa, 0xad,
+                0xa7, 0x17, 0x9e, 0x84, 0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63,
+                0x25, 0x51,
+        },
+};
+
+static const struct {
+        uint8_t seed[20];
         uint8_t p[48];
         uint8_t a[48];
         uint8_t b[48];
@@ -255,192 +306,6 @@ static const struct {
 };
 
 static const struct {
-        uint8_t seed[20];
-        uint8_t p[30];
-        uint8_t a[30];
-        uint8_t b[30];
-        uint8_t x[30];
-        uint8_t y[30];
-        uint8_t order[30];
-} _EC_X9_62_PRIME_239V1 = {
-        .seed = {
-                0xe4, 0x3b, 0xb4, 0x60, 0xf0, 0xb8, 0x0c, 0xc0, 0xc0, 0xb0,
-                0x75, 0x79, 0x8e, 0x94, 0x80, 0x60, 0xf8, 0x32, 0x1b, 0x7d,
-        },
-        .p = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff,
-        },
-        .a = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xfc,
-        },
-        .b = {
-                0x6b, 0x01, 0x6c, 0x3b, 0xdc, 0xf1, 0x89, 0x41, 0xd0, 0xd6,
-                0x54, 0x92, 0x14, 0x75, 0xca, 0x71, 0xa9, 0xdb, 0x2f, 0xb2,
-                0x7d, 0x1d, 0x37, 0x79, 0x61, 0x85, 0xc2, 0x94, 0x2c, 0x0a,
-        },
-        .x = {
-                0x0f, 0xfa, 0x96, 0x3c, 0xdc, 0xa8, 0x81, 0x6c, 0xcc, 0x33,
-                0xb8, 0x64, 0x2b, 0xed, 0xf9, 0x05, 0xc3, 0xd3, 0x58, 0x57,
-                0x3d, 0x3f, 0x27, 0xfb, 0xbd, 0x3b, 0x3c, 0xb9, 0xaa, 0xaf,
-        },
-        .y = {
-                0x7d, 0xeb, 0xe8, 0xe4, 0xe9, 0x0a, 0x5d, 0xae, 0x6e, 0x40,
-                0x54, 0xca, 0x53, 0x0b, 0xa0, 0x46, 0x54, 0xb3, 0x68, 0x18,
-                0xce, 0x22, 0x6b, 0x39, 0xfc, 0xcb, 0x7b, 0x02, 0xf1, 0xae,
-        },
-        .order = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0x9e, 0x5e, 0x9a, 0x9f, 0x5d,
-                0x90, 0x71, 0xfb, 0xd1, 0x52, 0x26, 0x88, 0x90, 0x9d, 0x0b,
-        },
-};
-
-static const struct {
-        uint8_t seed[20];
-        uint8_t p[30];
-        uint8_t a[30];
-        uint8_t b[30];
-        uint8_t x[30];
-        uint8_t y[30];
-        uint8_t order[30];
-} _EC_X9_62_PRIME_239V2 = {
-        .seed = {
-                0xe8, 0xb4, 0x01, 0x16, 0x04, 0x09, 0x53, 0x03, 0xca, 0x3b,
-                0x80, 0x99, 0x98, 0x2b, 0xe0, 0x9f, 0xcb, 0x9a, 0xe6, 0x16,
-        },
-        .p = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff,
-        },
-        .a = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xfc,
-        },
-        .b = {
-                0x61, 0x7f, 0xab, 0x68, 0x32, 0x57, 0x6c, 0xbb, 0xfe, 0xd5,
-                0x0d, 0x99, 0xf0, 0x24, 0x9c, 0x3f, 0xee, 0x58, 0xb9, 0x4b,
-                0xa0, 0x03, 0x8c, 0x7a, 0xe8, 0x4c, 0x8c, 0x83, 0x2f, 0x2c,
-        },
-        .x = {
-                0x38, 0xaf, 0x09, 0xd9, 0x87, 0x27, 0x70, 0x51, 0x20, 0xc9,
-                0x21, 0xbb, 0x5e, 0x9e, 0x26, 0x29, 0x6a, 0x3c, 0xdc, 0xf2,
-                0xf3, 0x57, 0x57, 0xa0, 0xea, 0xfd, 0x87, 0xb8, 0x30, 0xe7,
-        },
-        .y = {
-                0x5b, 0x01, 0x25, 0xe4, 0xdb, 0xea, 0x0e, 0xc7, 0x20, 0x6d,
-                0xa0, 0xfc, 0x01, 0xd9, 0xb0, 0x81, 0x32, 0x9f, 0xb5, 0x55,
-                0xde, 0x6e, 0xf4, 0x60, 0x23, 0x7d, 0xff, 0x8b, 0xe4, 0xba,
-        },
-        .order = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x80, 0x00, 0x00, 0xcf, 0xa7, 0xe8, 0x59, 0x43,
-                0x77, 0xd4, 0x14, 0xc0, 0x38, 0x21, 0xbc, 0x58, 0x20, 0x63,
-        },
-};
-
-static const struct {
-        uint8_t seed[20];
-        uint8_t p[30];
-        uint8_t a[30];
-        uint8_t b[30];
-        uint8_t x[30];
-        uint8_t y[30];
-        uint8_t order[30];
-} _EC_X9_62_PRIME_239V3 = {
-        .seed = {
-                0x7d, 0x73, 0x74, 0x16, 0x8f, 0xfe, 0x34, 0x71, 0xb6, 0x0a,
-                0x85, 0x76, 0x86, 0xa1, 0x94, 0x75, 0xd3, 0xbf, 0xa2, 0xff,
-        },
-        .p = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff,
-        },
-        .a = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xfc,
-        },
-        .b = {
-                0x25, 0x57, 0x05, 0xfa, 0x2a, 0x30, 0x66, 0x54, 0xb1, 0xf4,
-                0xcb, 0x03, 0xd6, 0xa7, 0x50, 0xa3, 0x0c, 0x25, 0x01, 0x02,
-                0xd4, 0x98, 0x87, 0x17, 0xd9, 0xba, 0x15, 0xab, 0x6d, 0x3e,
-        },
-        .x = {
-                0x67, 0x68, 0xae, 0x8e, 0x18, 0xbb, 0x92, 0xcf, 0xcf, 0x00,
-                0x5c, 0x94, 0x9a, 0xa2, 0xc6, 0xd9, 0x48, 0x53, 0xd0, 0xe6,
-                0x60, 0xbb, 0xf8, 0x54, 0xb1, 0xc9, 0x50, 0x5f, 0xe9, 0x5a,
-        },
-        .y = {
-                0x16, 0x07, 0xe6, 0x89, 0x8f, 0x39, 0x0c, 0x06, 0xbc, 0x1d,
-                0x55, 0x2b, 0xad, 0x22, 0x6f, 0x3b, 0x6f, 0xcf, 0xe4, 0x8b,
-                0x6e, 0x81, 0x84, 0x99, 0xaf, 0x18, 0xe3, 0xed, 0x6c, 0xf3,
-        },
-        .order = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0x97, 0x5d, 0xeb, 0x41, 0xb3,
-                0xa6, 0x05, 0x7c, 0x3c, 0x43, 0x21, 0x46, 0x52, 0x65, 0x51,
-        },
-};
-
-static const struct {
-        uint8_t seed[20];
-        uint8_t p[32];
-        uint8_t a[32];
-        uint8_t b[32];
-        uint8_t x[32];
-        uint8_t y[32];
-        uint8_t order[32];
-} _EC_X9_62_PRIME_256V1 = {
-        .seed = {
-                0xc4, 0x9d, 0x36, 0x08, 0x86, 0xe7, 0x04, 0x93, 0x6a, 0x66,
-                0x78, 0xe1, 0x13, 0x9d, 0x26, 0xb7, 0x81, 0x9f, 0x7e, 0x90,
-        },
-        .p = {
-                0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff,
-        },
-        .a = {
-                0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xfc,
-        },
-        .b = {
-                0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, 0xb3, 0xeb,
-                0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc, 0x65, 0x1d, 0x06, 0xb0,
-                0xcc, 0x53, 0xb0, 0xf6, 0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2,
-                0x60, 0x4b,
-        },
-        .x = {
-                0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc,
-                0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81,
-                0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98,
-                0xc2, 0x96,
-        },
-        .y = {
-                0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7,
-                0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57,
-                0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf,
-                0x51, 0xf5,
-        },
-        .order = {
-                0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
-                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xbc, 0xe6, 0xfa, 0xad,
-                0xa7, 0x17, 0x9e, 0x84, 0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63,
-                0x25, 0x51,
-        },
-};
-
-static const struct {
         uint8_t p[29];
         uint8_t a[29];
         uint8_t b[29];
@@ -1121,7 +986,21 @@ static const struct ec_curve {
                 .order = _EC_SECG_PRIME_256K1.order,
                 .cofactor = 1,
         },
-        /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+        {
+                /* Everyone except OpenSSL calls this secp256r1 or P-256. */
+                .comment = "X9.62/SECG curve prime256v1",
+                .nid = NID_X9_62_prime256v1,
+                .seed_len = sizeof(_EC_NIST_PRIME_256.seed),
+                .param_len = sizeof(_EC_NIST_PRIME_256.p),
+                .seed = _EC_NIST_PRIME_256.seed,
+                .p = _EC_NIST_PRIME_256.p,
+                .a = _EC_NIST_PRIME_256.a,
+                .b = _EC_NIST_PRIME_256.b,
+                .x = _EC_NIST_PRIME_256.x,
+                .y = _EC_NIST_PRIME_256.y,
+                .order = _EC_NIST_PRIME_256.order,
+                .cofactor = 1,
+        },
         {
                 .comment = "NIST/SECG curve secp384r1",
                 .nid = NID_secp384r1,
@@ -1150,63 +1029,6 @@ static const struct ec_curve {
                 .order = _EC_NIST_PRIME_521.order,
                 .cofactor = 1,
         },
-        /* X9.62 curves */
-        {
-                .comment = "X9.62 curve prime239v1",
-                .nid = NID_X9_62_prime239v1,
-                .seed_len = sizeof(_EC_X9_62_PRIME_239V1.seed),
-                .param_len = sizeof(_EC_X9_62_PRIME_239V1.p),
-                .seed = _EC_X9_62_PRIME_239V1.seed,
-                .p = _EC_X9_62_PRIME_239V1.p,
-                .a = _EC_X9_62_PRIME_239V1.a,
-                .b = _EC_X9_62_PRIME_239V1.b,
-                .x = _EC_X9_62_PRIME_239V1.x,
-                .y = _EC_X9_62_PRIME_239V1.y,
-                .order = _EC_X9_62_PRIME_239V1.order,
-                .cofactor = 1,
-        },
-        {
-                .comment = "X9.62 curve prime239v2",
-                .nid = NID_X9_62_prime239v2,
-                .seed_len = sizeof(_EC_X9_62_PRIME_239V2.seed),
-                .param_len = sizeof(_EC_X9_62_PRIME_239V2.p),
-                .seed = _EC_X9_62_PRIME_239V2.seed,
-                .p = _EC_X9_62_PRIME_239V2.p,
-                .a = _EC_X9_62_PRIME_239V2.a,
-                .b = _EC_X9_62_PRIME_239V2.b,
-                .x = _EC_X9_62_PRIME_239V2.x,
-                .y = _EC_X9_62_PRIME_239V2.y,
-                .order = _EC_X9_62_PRIME_239V2.order,
-                .cofactor = 1,
-        },
-        {
-                .comment = "X9.62 curve prime239v3",
-                .nid = NID_X9_62_prime239v3,
-                .seed_len = sizeof(_EC_X9_62_PRIME_239V3.seed),
-                .param_len = sizeof(_EC_X9_62_PRIME_239V3.p),
-                .seed = _EC_X9_62_PRIME_239V3.seed,
-                .p = _EC_X9_62_PRIME_239V3.p,
-                .a = _EC_X9_62_PRIME_239V3.a,
-                .b = _EC_X9_62_PRIME_239V3.b,
-                .x = _EC_X9_62_PRIME_239V3.x,
-                .y = _EC_X9_62_PRIME_239V3.y,
-                .order = _EC_X9_62_PRIME_239V3.order,
-                .cofactor = 1,
-        },
-        {
-                .comment = "X9.62/SECG curve prime256v1",
-                .nid = NID_X9_62_prime256v1,
-                .seed_len = sizeof(_EC_X9_62_PRIME_256V1.seed),
-                .param_len = sizeof(_EC_X9_62_PRIME_256V1.p),
-                .seed = _EC_X9_62_PRIME_256V1.seed,
-                .p = _EC_X9_62_PRIME_256V1.p,
-                .a = _EC_X9_62_PRIME_256V1.a,
-                .b = _EC_X9_62_PRIME_256V1.b,
-                .x = _EC_X9_62_PRIME_256V1.x,
-                .y = _EC_X9_62_PRIME_256V1.y,
-                .order = _EC_X9_62_PRIME_256V1.order,
-                .cofactor = 1,
-        },
         /* RFC 5639 curves */
         {
                 .comment = "RFC 5639 curve brainpoolP224r1",
@@ -1221,7 +1043,7 @@ static const struct ec_curve {
                 .cofactor = 1,
         },
         {
-                .comment = "RFC 5639 curve brainpoolP224r2",
+                .comment = "RFC 5639 curve brainpoolP224t1",
                 .nid = NID_brainpoolP224t1,
                 .param_len = sizeof(_EC_brainpoolP224t1.p),
                 .p = _EC_brainpoolP224t1.p,
diff --git a/src/lib/libcrypto/ec/ec_field.c b/src/lib/libcrypto/ec/ec_field.c
new file mode 100644
index 0000000000..6576526e77
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_field.c
@@ -0,0 +1,202 @@
+/*      $OpenBSD: ec_field.c,v 1.3 2025/08/02 16:20:00 jsing Exp $      */
+/*
+ * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <string.h>
+
+#include <openssl/ec.h>
+
+#include "bn_local.h"
+#include "bn_internal.h"
+#include "ec_local.h"
+#include "ec_internal.h"
+
+int
+ec_field_modulus_from_bn(EC_FIELD_MODULUS *fm, const BIGNUM *bn, BN_CTX *ctx)
+{
+        BN_MONT_CTX *mctx = NULL;
+        size_t i;
+        int ret = 0;
+
+        if (BN_is_negative(bn))
+                goto err;
+        if (BN_num_bits(bn) > EC_FIELD_ELEMENT_MAX_BITS)
+                goto err;
+
+        memset(fm, 0, sizeof(*fm));
+
+        fm->n = (BN_num_bits(bn) + BN_BITS2 - 1) / BN_BITS2;
+
+        for (i = 0; i < bn->top; i++)
+                fm->m.w[i] = bn->d[i];
+
+        /* XXX - implement this without BN_MONT_CTX. */
+        if ((mctx = BN_MONT_CTX_new()) == NULL)
+                goto err;
+        if (!BN_MONT_CTX_set(mctx, bn, ctx))
+                goto err;
+
+        for (i = 0; i < mctx->RR.top; i++)
+                fm->rr.w[i] = mctx->RR.d[i];
+
+        fm->minv0 = mctx->n0[0];
+
+        ret = 1;
+
+ err:
+        BN_MONT_CTX_free(mctx);
+
+        return ret;
+}
+
+int
+ec_field_element_from_bn(const EC_FIELD_MODULUS *fm, const EC_GROUP *group,
+    EC_FIELD_ELEMENT *fe, const BIGNUM *bn, BN_CTX *ctx)
+{
+        BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
+        BIGNUM *tmp;
+        size_t i;
+        int ret = 0;
+
+        BN_CTX_start(ctx);
+
+        if ((tmp = BN_CTX_get(ctx)) == NULL)
+                goto err;
+
+        /* XXX - enforce 0 <= n < p. */
+
+        if (BN_num_bits(bn) > EC_FIELD_ELEMENT_MAX_BITS)
+                goto err;
+
+        /* XXX - do this without BN. */
+        if (!BN_nnmod(tmp, bn, group->p, ctx))
+                goto err;
+
+        if (BN_num_bits(tmp) > EC_FIELD_ELEMENT_MAX_BITS)
+                abort();
+
+        memset(fe->w, 0, sizeof(fe->w));
+
+        for (i = 0; i < tmp->top; i++)
+                fe->w[i] = tmp->d[i];
+
+        bn_mod_mul_words(fe->w, fe->w, fm->rr.w, fm->m.w, t, fm->minv0, fm->n);
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+
+        return ret;
+}
+
+int
+ec_field_element_to_bn(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *fe,
+    BIGNUM *bn, BN_CTX *ctx)
+{
+        BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
+        size_t i;
+
+        if (!bn_wexpand(bn, fm->n))
+                return 0;
+
+        memset(t, 0, sizeof(t));
+        for (i = 0; i < fm->n; i++)
+                t[i] = fe->w[i];
+
+        bn_montgomery_reduce_words(bn->d, t, fm->m.w, fm->minv0, fm->n);
+
+        bn->top = fm->n;
+        bn_correct_top(bn);
+
+        return 1;
+}
+
+void
+ec_field_element_copy(EC_FIELD_ELEMENT *dst, const EC_FIELD_ELEMENT *src)
+{
+        memcpy(dst, src, sizeof(EC_FIELD_ELEMENT));
+}
+
+void
+ec_field_element_select(const EC_FIELD_MODULUS *fm, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b, int conditional)
+{
+        BN_ULONG mask;
+        int i;
+
+        mask = bn_ct_eq_zero_mask(conditional);
+
+        for (i = 0; i < fm->n; i++)
+                r->w[i] = (a->w[i] & mask) | (b->w[i] & ~mask);
+}
+
+int
+ec_field_element_equal(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *a,
+    const EC_FIELD_ELEMENT *b)
+{
+        BN_ULONG v = 0;
+        int i;
+
+        for (i = 0; i < fm->n; i++)
+                v |= a->w[i] ^ b->w[i];
+
+        return bn_ct_eq_zero(v);
+}
+
+int
+ec_field_element_is_zero(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *fe)
+{
+        BN_ULONG v = 0;
+        int i;
+
+        for (i = 0; i < fm->n; i++)
+                v |= fe->w[i];
+
+        return bn_ct_eq_zero(v);
+}
+
+void
+ec_field_element_add(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b)
+{
+        bn_mod_add_words(r->w, a->w, b->w, m->m.w, m->n);
+}
+
+void
+ec_field_element_sub(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b)
+{
+        bn_mod_sub_words(r->w, a->w, b->w, m->m.w, m->n);
+}
+
+void
+ec_field_element_mul(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b)
+{
+        BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
+
+        bn_mod_mul_words(r->w, a->w, b->w, m->m.w, t, m->minv0, m->n);
+}
+
+void
+ec_field_element_sqr(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a)
+{
+        BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
+
+        bn_mod_sqr_words(r->w, a->w, m->m.w, t, m->minv0, m->n);
+}
diff --git a/src/lib/libcrypto/ec/ec_internal.h b/src/lib/libcrypto/ec/ec_internal.h
new file mode 100644
index 0000000000..327d9ea94d
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_internal.h
@@ -0,0 +1,65 @@
+/*      $OpenBSD: ec_internal.h,v 1.2 2025/08/02 15:44:09 jsing Exp $   */
+/*
+ * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <openssl/bn.h>
+
+#ifndef HEADER_EC_INTERNAL_H
+#define HEADER_EC_INTERNAL_H
+
+#define EC_FIELD_ELEMENT_MAX_BITS 521
+#define EC_FIELD_ELEMENT_MAX_BYTES \
+    (EC_FIELD_ELEMENT_MAX_BITS + 7) / 8
+#define EC_FIELD_ELEMENT_MAX_WORDS \
+    ((EC_FIELD_ELEMENT_MAX_BYTES + BN_BYTES - 1) / BN_BYTES)
+
+typedef struct {
+        BN_ULONG w[EC_FIELD_ELEMENT_MAX_WORDS];
+} EC_FIELD_ELEMENT;
+
+typedef struct {
+        size_t n;
+        EC_FIELD_ELEMENT m;
+        EC_FIELD_ELEMENT rr;
+        BN_ULONG minv0;
+} EC_FIELD_MODULUS;
+
+int ec_field_modulus_from_bn(EC_FIELD_MODULUS *fm, const BIGNUM *bn,
+    BN_CTX *ctx);
+
+int ec_field_element_from_bn(const EC_FIELD_MODULUS *fm, const EC_GROUP *group,
+    EC_FIELD_ELEMENT *fe, const BIGNUM *bn, BN_CTX *ctx);
+int ec_field_element_to_bn(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *fe,
+    BIGNUM *bn, BN_CTX *ctx);
+
+void ec_field_element_copy(EC_FIELD_ELEMENT *dst, const EC_FIELD_ELEMENT *src);
+void ec_field_element_select(const EC_FIELD_MODULUS *fm, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b, int conditional);
+
+int ec_field_element_equal(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *a,
+    const EC_FIELD_ELEMENT *b);
+int ec_field_element_is_zero(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *fe);
+
+void ec_field_element_add(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b);
+void ec_field_element_sub(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b);
+void ec_field_element_mul(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b);
+void ec_field_element_sqr(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a);
+
+#endif
diff --git a/src/lib/libcrypto/ec/ec_key.c b/src/lib/libcrypto/ec/ec_key.c
index 6257d67cd1..e9777019c8 100644
--- a/src/lib/libcrypto/ec/ec_key.c
+++ b/src/lib/libcrypto/ec/ec_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_key.c,v 1.51 2025/01/25 10:34:36 tb Exp $ */
+/* $OpenBSD: ec_key.c,v 1.52 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -66,11 +66,11 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/ec.h>
-#include <openssl/err.h>
 
 #include "bn_local.h"
 #include "ec_local.h"
 #include "ecdsa_local.h"
+#include "err_local.h"
 
 EC_KEY *
 EC_KEY_new(void)
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 7982d23f06..36f42ecc05 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.123 2025/03/24 13:07:04 jsing Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.126 2025/08/02 15:47:27 jsing Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -68,12 +68,12 @@
 
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/opensslv.h>
 
 #include "bn_local.h"
 #include "ec_local.h"
+#include "err_local.h"
 
 EC_GROUP *
 EC_GROUP_new(const EC_METHOD *meth)
@@ -165,6 +165,10 @@ EC_GROUP_copy(EC_GROUP *dst, const EC_GROUP *src)
 
         dst->a_is_minus3 = src->a_is_minus3;
 
+        memcpy(&dst->fm, &src->fm, sizeof(src->fm));
+        memcpy(&dst->fe_a, &src->fe_a, sizeof(src->fe_a));
+        memcpy(&dst->fe_b, &src->fe_b, sizeof(src->fe_b));
+
         BN_MONT_CTX_free(dst->mont_ctx);
         dst->mont_ctx = NULL;
         if (src->mont_ctx != NULL) {
@@ -860,6 +864,10 @@ EC_POINT_copy(EC_POINT *dst, const EC_POINT *src)
                 return 0;
         dst->Z_is_one = src->Z_is_one;
 
+        memcpy(&dst->fe_x, &src->fe_x, sizeof(dst->fe_x));
+        memcpy(&dst->fe_y, &src->fe_y, sizeof(dst->fe_y));
+        memcpy(&dst->fe_z, &src->fe_z, sizeof(dst->fe_z));
+
         return 1;
 }
 LCRYPTO_ALIAS(EC_POINT_copy);
@@ -894,11 +902,7 @@ EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
                 ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                 return 0;
         }
-
-        BN_zero(point->Z);
-        point->Z_is_one = 0;
-
-        return 1;
+        return point->meth->point_set_to_infinity(group, point);
 }
 LCRYPTO_ALIAS(EC_POINT_set_to_infinity);
 
@@ -1200,8 +1204,7 @@ EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
                 ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                 return 0;
         }
-
-        return BN_is_zero(point->Z);
+        return point->meth->point_is_at_infinity(group, point);
 }
 LCRYPTO_ALIAS(EC_POINT_is_at_infinity);
 
diff --git a/src/lib/libcrypto/ec/ec_local.h b/src/lib/libcrypto/ec/ec_local.h
index c7a54d3a2b..eac9e6d26c 100644
--- a/src/lib/libcrypto/ec/ec_local.h
+++ b/src/lib/libcrypto/ec/ec_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_local.h,v 1.67 2025/03/24 13:07:04 jsing Exp $ */
+/* $OpenBSD: ec_local.h,v 1.70 2025/08/03 15:07:57 jsing Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -76,6 +76,7 @@
 #include <openssl/objects.h>
 
 #include "bn_local.h"
+#include "ec_internal.h"
 
 __BEGIN_HIDDEN_DECLS
 
@@ -85,6 +86,9 @@ typedef struct ec_method_st {
         int (*group_get_curve)(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
             BIGNUM *b, BN_CTX *);
 
+        int (*point_set_to_infinity)(const EC_GROUP *, EC_POINT *);
+        int (*point_is_at_infinity)(const EC_GROUP *, const EC_POINT *);
+
         int (*point_is_on_curve)(const EC_GROUP *, const EC_POINT *, BN_CTX *);
         int (*point_cmp)(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
             BN_CTX *);
@@ -155,6 +159,10 @@ struct ec_group_st {
 
         /* Montgomery context used by EC_GFp_mont_method. */
         BN_MONT_CTX *mont_ctx;
+
+        EC_FIELD_MODULUS fm;
+        EC_FIELD_ELEMENT fe_a;
+        EC_FIELD_ELEMENT fe_b;
 } /* EC_GROUP */;
 
 struct ec_point_st {
@@ -168,10 +176,15 @@ struct ec_point_st {
         BIGNUM *Y;
         BIGNUM *Z;
         int Z_is_one; /* enable optimized point arithmetics for special case */
+
+        EC_FIELD_ELEMENT fe_x;
+        EC_FIELD_ELEMENT fe_y;
+        EC_FIELD_ELEMENT fe_z;
 } /* EC_POINT */;
 
 const EC_METHOD *EC_GFp_simple_method(void);
 const EC_METHOD *EC_GFp_mont_method(void);
+const EC_METHOD *EC_GFp_homogeneous_projective_method(void);
 
 /* Compute r = scalar1 * point1 + scalar2 * point2 in non-constant time. */
 int ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 673696a9fd..d74c89cfe2 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_mult.c,v 1.58 2025/03/24 13:07:04 jsing Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.59 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
  */
@@ -67,9 +67,9 @@
 
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 
 #include "ec_local.h"
+#include "err_local.h"
 
 /* Holds the wNAF digits of bn and the corresponding odd multiples of point. */
 struct ec_wnaf {
diff --git a/src/lib/libcrypto/ec/ec_pmeth.c b/src/lib/libcrypto/ec/ec_pmeth.c
index 85ac4822d1..69bf7e741a 100644
--- a/src/lib/libcrypto/ec/ec_pmeth.c
+++ b/src/lib/libcrypto/ec/ec_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_pmeth.c,v 1.26 2025/03/13 10:39:51 tb Exp $ */
+/* $OpenBSD: ec_pmeth.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -62,12 +62,12 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 
 #include "bn_local.h"
 #include "ec_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 /* EC pkey context structure */
diff --git a/src/lib/libcrypto/ec/eck_prn.c b/src/lib/libcrypto/ec/eck_prn.c
index c40a64966a..ed5fdce9c1 100644
--- a/src/lib/libcrypto/ec/eck_prn.c
+++ b/src/lib/libcrypto/ec/eck_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: eck_prn.c,v 1.41 2025/01/25 10:30:17 tb Exp $ */
+/* $OpenBSD: eck_prn.c,v 1.42 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -66,12 +66,12 @@
 #include <openssl/bio.h>
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 
 #include "bn_local.h"
 #include "ec_local.h"
+#include "err_local.h"
 
 int
 EC_KEY_print(BIO *bio, const EC_KEY *ec_key, int off)
diff --git a/src/lib/libcrypto/ec/ecp_hp_methods.c b/src/lib/libcrypto/ec/ecp_hp_methods.c
new file mode 100644
index 0000000000..0b34a55b9d
--- /dev/null
+++ b/src/lib/libcrypto/ec/ecp_hp_methods.c
@@ -0,0 +1,943 @@
+/*      $OpenBSD: ecp_hp_methods.c,v 1.5 2025/08/03 15:44:00 jsing Exp $        */
+/*
+ * Copyright (c) 2024-2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+
+#include "bn_internal.h"
+#include "crypto_internal.h"
+#include "ec_local.h"
+#include "ec_internal.h"
+#include "err_local.h"
+
+static int
+ec_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
+    const BIGNUM *b, BN_CTX *ctx)
+{
+        BIGNUM *t;
+        int ret = 0;
+
+        BN_CTX_start(ctx);
+
+        /* XXX - p must be a prime > 3. */
+
+        if (!bn_copy(group->p, p))
+                goto err;
+        if (!bn_copy(group->a, a))
+                goto err;
+        if (!bn_copy(group->b, b))
+                goto err;
+
+        /* XXX */
+        BN_set_negative(group->p, 0);
+
+        /* XXX */
+        if (!BN_nnmod(group->a, group->a, group->p, ctx))
+                goto err;
+        if (!BN_nnmod(group->b, group->b, group->p, ctx))
+                goto err;
+
+        if ((t = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if (!BN_set_word(t, 3))
+                goto err;
+        if (!BN_mod_add(t, t, a, group->p, ctx))
+                goto err;
+
+        group->a_is_minus3 = BN_is_zero(t);
+
+        if (!ec_field_modulus_from_bn(&group->fm, group->p, ctx))
+                goto err;
+        if (!ec_field_element_from_bn(&group->fm, group, &group->fe_a, group->a, ctx))
+                goto err;
+        if (!ec_field_element_from_bn(&group->fm, group, &group->fe_b, group->b, ctx))
+                goto err;
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+
+        return ret;
+}
+
+static int
+ec_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
+    BIGNUM *b, BN_CTX *ctx)
+{
+        if (p != NULL) {
+                if (!bn_copy(p, group->p))
+                        return 0;
+        }
+        if (a != NULL) {
+                if (!bn_copy(a, group->a))
+                        return 0;
+        }
+        if (b != NULL) {
+                if (!bn_copy(b, group->b))
+                        return 0;
+        }
+        return 1;
+}
+
+static int
+ec_point_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
+{
+        /* Check if Z is equal to zero. */
+        return ec_field_element_is_zero(&group->fm, &point->fe_z);
+}
+
+static int
+ec_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
+{
+        /* Infinity is (x = 0, y = 1, z = 0). */
+
+        memset(&point->fe_x, 0, sizeof(point->fe_x));
+        memset(&point->fe_y, 0, sizeof(point->fe_y));
+        memset(&point->fe_z, 0, sizeof(point->fe_z));
+
+        point->fe_y.w[0] = 1;
+
+        return 1;
+}
+
+static int
+ec_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
+    const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
+{
+        if (x == NULL || y == NULL) {
+                ECerror(ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+        }
+
+        if (!bn_copy(point->X, x))
+                return 0;
+        if (!bn_copy(point->Y, y))
+                return 0;
+        if (!BN_one(point->Z))
+                return 0;
+
+        /* XXX */
+        if (!BN_nnmod(point->X, point->X, group->p, ctx))
+                return 0;
+        if (!BN_nnmod(point->Y, point->Y, group->p, ctx))
+                return 0;
+
+        if (!ec_field_element_from_bn(&group->fm, group, &point->fe_x, point->X, ctx))
+                return 0;
+        if (!ec_field_element_from_bn(&group->fm, group, &point->fe_y, point->Y, ctx))
+                return 0;
+        if (!ec_field_element_from_bn(&group->fm, group, &point->fe_z, point->Z, ctx))
+                return 0;
+
+        return 1;
+}
+
+static int
+ec_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
+    BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
+{
+        BIGNUM *zinv;
+        int ret = 0;
+
+        /*
+         * Convert homogeneous projective coordinates (XZ, YZ, Z) to affine
+         * coordinates (x = X/Z, y = Y/Z).
+         */
+        if (!ec_field_element_to_bn(&group->fm, &point->fe_x, point->X, ctx))
+                return 0;
+        if (!ec_field_element_to_bn(&group->fm, &point->fe_y, point->Y, ctx))
+                return 0;
+        if (!ec_field_element_to_bn(&group->fm, &point->fe_z, point->Z, ctx))
+                return 0;
+
+        BN_CTX_start(ctx);
+
+        if ((zinv = BN_CTX_get(ctx)) == NULL)
+                goto err;
+
+        if (BN_mod_inverse_ct(zinv, point->Z, group->p, ctx) == NULL)
+                goto err;
+
+        if (x != NULL) {
+                if (!BN_mod_mul(x, point->X, zinv, group->p, ctx))
+                        goto err;
+        }
+        if (y != NULL) {
+                if (!BN_mod_mul(y, point->Y, zinv, group->p, ctx))
+                        goto err;
+        }
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+
+        return ret;
+}
+
+static int
+ec_point_add_a1(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
+    const EC_POINT *b, BN_CTX *ctx)
+{
+        EC_FIELD_ELEMENT X1, Y1, Z1, X2, Y2, Z2, X3, Y3, Z3;
+        EC_FIELD_ELEMENT b3, t0, t1, t2, t3, t4, t5;
+        EC_FIELD_ELEMENT ga, gb;
+
+        /*
+         * Complete, projective point addition for arbitrary prime order short
+         * Weierstrass curves with arbitrary a - see
+         * https://eprint.iacr.org/2015/1060, algorithm 1 and appendix A.1.
+         */
+
+        ec_field_element_copy(&ga, &group->fe_a);
+        ec_field_element_copy(&gb, &group->fe_b);
+
+        ec_field_element_copy(&X1, &a->fe_x);
+        ec_field_element_copy(&Y1, &a->fe_y);
+        ec_field_element_copy(&Z1, &a->fe_z);
+
+        ec_field_element_copy(&X2, &b->fe_x);
+        ec_field_element_copy(&Y2, &b->fe_y);
+        ec_field_element_copy(&Z2, &b->fe_z);
+
+        /* b3 := 3 * b ; */
+        ec_field_element_add(&group->fm, &b3, &gb, &gb);
+        ec_field_element_add(&group->fm, &b3, &b3, &gb);
+
+        /* t0 := X1 * X2 ; t1 := Y1 * Y2 ; t2 := Z1 * Z2 ; */
+        ec_field_element_mul(&group->fm, &t0, &X1, &X2);
+        ec_field_element_mul(&group->fm, &t1, &Y1, &Y2);
+        ec_field_element_mul(&group->fm, &t2, &Z1, &Z2);
+
+        /* t3 := X1 + Y1 ; t4 := X2 + Y2 ; t3 := t3 * t4 ; */
+        ec_field_element_add(&group->fm, &t3, &X1, &Y1);
+        ec_field_element_add(&group->fm, &t4, &X2, &Y2);
+        ec_field_element_mul(&group->fm, &t3, &t3, &t4);
+
+        /* t4 := t0 + t1 ; t3 := t3 - t4 ; t4 := X1 + Z1 ; */
+        ec_field_element_add(&group->fm, &t4, &t0, &t1);
+        ec_field_element_sub(&group->fm, &t3, &t3, &t4);
+        ec_field_element_add(&group->fm, &t4, &X1, &Z1);
+
+        /* t5 := X2 + Z2 ; t4 := t4 * t5 ; t5 := t0 + t2 ; */
+        ec_field_element_add(&group->fm, &t5, &X2, &Z2);
+        ec_field_element_mul(&group->fm, &t4, &t4, &t5);
+        ec_field_element_add(&group->fm, &t5, &t0, &t2);
+
+        /* t4 := t4 - t5 ; t5 := Y1 + Z1 ; X3 := Y2 + Z2 ; */
+        ec_field_element_sub(&group->fm, &t4, &t4, &t5);
+        ec_field_element_add(&group->fm, &t5, &Y1, &Z1);
+        ec_field_element_add(&group->fm, &X3, &Y2, &Z2);
+
+        /* t5 := t5 * X3 ; X3 := t1 + t2 ; t5 := t5 - X3 ; */
+        ec_field_element_mul(&group->fm, &t5, &t5, &X3);
+        ec_field_element_add(&group->fm, &X3, &t1, &t2);
+        ec_field_element_sub(&group->fm, &t5, &t5, &X3);
+
+        /* Z3 := a * t4 ; X3 := b3 * t2 ; Z3 := X3 + Z3 ; */
+        ec_field_element_mul(&group->fm, &Z3, &ga, &t4);
+        ec_field_element_mul(&group->fm, &X3, &b3, &t2);
+        ec_field_element_add(&group->fm, &Z3, &X3, &Z3);
+
+        /* X3 := t1 - Z3 ; Z3 := t1 + Z3 ; Y3 := X3 * Z3 ; */
+        ec_field_element_sub(&group->fm, &X3, &t1, &Z3);
+        ec_field_element_add(&group->fm, &Z3, &t1, &Z3);
+        ec_field_element_mul(&group->fm, &Y3, &X3, &Z3);
+
+        /* t1 := t0 + t0 ; t1 := t1 + t0 ; t2 := a * t2 ; */
+        ec_field_element_add(&group->fm, &t1, &t0, &t0);
+        ec_field_element_add(&group->fm, &t1, &t1, &t0);
+        ec_field_element_mul(&group->fm, &t2, &ga, &t2);
+
+        /* t4 := b3 * t4 ; t1 := t1 + t2 ; t2 := t0 - t2 ; */
+        ec_field_element_mul(&group->fm, &t4, &b3, &t4);
+        ec_field_element_add(&group->fm, &t1, &t1, &t2);
+        ec_field_element_sub(&group->fm, &t2, &t0, &t2);
+
+        /* t2 := a * t2 ; t4 := t4 + t2 ; t0 := t1 * t4 ; */
+        ec_field_element_mul(&group->fm, &t2, &ga, &t2);
+        ec_field_element_add(&group->fm, &t4, &t4, &t2);
+        ec_field_element_mul(&group->fm, &t0, &t1, &t4);
+
+        /* Y3 := Y3 + t0 ; t0 := t5 * t4 ; X3 := t3 * X3 ; */
+        ec_field_element_add(&group->fm, &Y3, &Y3, &t0);
+        ec_field_element_mul(&group->fm, &t0, &t5, &t4);
+        ec_field_element_mul(&group->fm, &X3, &t3, &X3);
+
+        /* X3 := X3 - t0 ; t0 := t3 * t1 ; Z3 := t5 * Z3 ; */
+        ec_field_element_sub(&group->fm, &X3, &X3, &t0);
+        ec_field_element_mul(&group->fm, &t0, &t3, &t1);
+        ec_field_element_mul(&group->fm, &Z3, &t5, &Z3);
+
+        /* Z3 := Z3 + t0 ; */
+        ec_field_element_add(&group->fm, &Z3, &Z3, &t0);
+
+        ec_field_element_copy(&r->fe_x, &X3);
+        ec_field_element_copy(&r->fe_y, &Y3);
+        ec_field_element_copy(&r->fe_z, &Z3);
+
+        return 1;
+}
+
+static int
+ec_point_add_a2(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
+    const EC_POINT *b, BN_CTX *ctx)
+{
+        EC_FIELD_ELEMENT X1, Y1, Z1, X2, Y2, Z2, X3, Y3, Z3;
+        EC_FIELD_ELEMENT t0, t1, t2, t3, t4;
+        EC_FIELD_ELEMENT gb;
+
+        /*
+         * Complete, projective point addition for arbitrary prime order short
+         * Weierstrass curves with a = -3 - see https://eprint.iacr.org/2015/1060,
+         * algorithm 4 and appendix A.2.
+         */
+
+        ec_field_element_copy(&gb, &group->fe_b);
+
+        ec_field_element_copy(&X1, &a->fe_x);
+        ec_field_element_copy(&Y1, &a->fe_y);
+        ec_field_element_copy(&Z1, &a->fe_z);
+
+        ec_field_element_copy(&X2, &b->fe_x);
+        ec_field_element_copy(&Y2, &b->fe_y);
+        ec_field_element_copy(&Z2, &b->fe_z);
+
+        /* t0 := X1 * X2 ; t1 := Y1 * Y2 ; t2 := Z1 * Z2 ; */
+        ec_field_element_mul(&group->fm, &t0, &X1, &X2);
+        ec_field_element_mul(&group->fm, &t1, &Y1, &Y2);
+        ec_field_element_mul(&group->fm, &t2, &Z1, &Z2);
+
+        /* t3 := X1 + Y1 ; t4 := X2 + Y2 ; t3 := t3 * t4 ; */
+        ec_field_element_add(&group->fm, &t3, &X1, &Y1);
+        ec_field_element_add(&group->fm, &t4, &X2, &Y2);
+        ec_field_element_mul(&group->fm, &t3, &t3, &t4);
+
+        /* t4 := t0 + t1 ; t3 := t3 - t4 ; t4 := Y1 + Z1 ; */
+        ec_field_element_add(&group->fm, &t4, &t0, &t1);
+        ec_field_element_sub(&group->fm, &t3, &t3, &t4);
+        ec_field_element_add(&group->fm, &t4, &Y1, &Z1);
+
+        /* X3 := Y2 + Z2 ; t4 := t4 * X3 ; X3 := t1 + t2 ; */
+        ec_field_element_add(&group->fm, &X3, &Y2, &Z2);
+        ec_field_element_mul(&group->fm, &t4, &t4, &X3);
+        ec_field_element_add(&group->fm, &X3, &t1, &t2);
+
+        /* t4 := t4 - X3 ; X3 := X1 + Z1 ; Y3 := X2 + Z2 ; */
+        ec_field_element_sub(&group->fm, &t4, &t4, &X3);
+        ec_field_element_add(&group->fm, &X3, &X1, &Z1);
+        ec_field_element_add(&group->fm, &Y3, &X2, &Z2);
+
+        /* X3 := X3 * Y3 ; Y3 := t0 + t2 ; Y3 := X3 - Y3 ; */
+        ec_field_element_mul(&group->fm, &X3, &X3, &Y3);
+        ec_field_element_add(&group->fm, &Y3, &t0, &t2);
+        ec_field_element_sub(&group->fm, &Y3, &X3, &Y3);
+
+        /* Z3 := b * t2 ; X3 := Y3 - Z3 ; Z3 := X3 + X3 ; */
+        ec_field_element_mul(&group->fm, &Z3, &gb, &t2);
+        ec_field_element_sub(&group->fm, &X3, &Y3, &Z3);
+        ec_field_element_add(&group->fm, &Z3, &X3, &X3);
+
+        /* X3 := X3 + Z3 ; Z3 := t1 - X3 ; X3 := t1 + X3 ; */
+        ec_field_element_add(&group->fm, &X3, &X3, &Z3);
+        ec_field_element_sub(&group->fm, &Z3, &t1, &X3);
+        ec_field_element_add(&group->fm, &X3, &t1, &X3);
+
+        /* Y3 := b * Y3 ; t1 := t2 + t2 ; t2 := t1 + t2 ; */
+        ec_field_element_mul(&group->fm, &Y3, &gb, &Y3);
+        ec_field_element_add(&group->fm, &t1, &t2, &t2);
+        ec_field_element_add(&group->fm, &t2, &t1, &t2);
+
+        /* Y3 := Y3 - t2 ; Y3 := Y3 - t0 ; t1 := Y3 + Y3 ; */
+        ec_field_element_sub(&group->fm, &Y3, &Y3, &t2);
+        ec_field_element_sub(&group->fm, &Y3, &Y3, &t0);
+        ec_field_element_add(&group->fm, &t1, &Y3, &Y3);
+
+        /* Y3 := t1 + Y3 ; t1 := t0 + t0 ; t0 := t1 + t0 ; */
+        ec_field_element_add(&group->fm, &Y3, &t1, &Y3);
+        ec_field_element_add(&group->fm, &t1, &t0, &t0);
+        ec_field_element_add(&group->fm, &t0, &t1, &t0);
+
+        /* t0 := t0 - t2 ; t1 := t4 * Y3 ; t2 := t0 * Y3 ; */
+        ec_field_element_sub(&group->fm, &t0, &t0, &t2);
+        ec_field_element_mul(&group->fm, &t1, &t4, &Y3);
+        ec_field_element_mul(&group->fm, &t2, &t0, &Y3);
+
+        /* Y3 := X3 * Z3 ; Y3 := Y3 + t2 ; X3 := t3 * X3 ; */
+        ec_field_element_mul(&group->fm, &Y3, &X3, &Z3);
+        ec_field_element_add(&group->fm, &Y3, &Y3, &t2);
+        ec_field_element_mul(&group->fm, &X3, &t3, &X3);
+
+        /* X3 := X3 - t1 ; Z3 := t4 * Z3 ; t1 := t3 * t0 ; */
+        ec_field_element_sub(&group->fm, &X3, &X3, &t1);
+        ec_field_element_mul(&group->fm, &Z3, &t4, &Z3);
+        ec_field_element_mul(&group->fm, &t1, &t3, &t0);
+
+        /* Z3 := Z3 + t1 ; */
+        ec_field_element_add(&group->fm, &Z3, &Z3, &t1);
+
+        ec_field_element_copy(&r->fe_x, &X3);
+        ec_field_element_copy(&r->fe_y, &Y3);
+        ec_field_element_copy(&r->fe_z, &Z3);
+
+        return 1;
+}
+
+static int
+ec_point_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
+    const EC_POINT *b, BN_CTX *ctx)
+{
+        if (group->a_is_minus3)
+                return ec_point_add_a2(group, r, a, b, ctx);
+
+        return ec_point_add_a1(group, r, a, b, ctx);
+}
+
+static int
+ec_point_dbl_a1(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
+{
+        EC_FIELD_ELEMENT X1, Y1, Z1, X3, Y3, Z3;
+        EC_FIELD_ELEMENT b3, t0, t1, t2, t3;
+        EC_FIELD_ELEMENT ga, gb;
+
+        /*
+         * Exception-free point doubling for arbitrary prime order short
+         * Weierstrass curves with arbitrary a - see
+         * https://eprint.iacr.org/2015/1060, algorithm 3 and appendix A.1.
+         */
+
+        ec_field_element_copy(&ga, &group->fe_a);
+        ec_field_element_copy(&gb, &group->fe_b);
+
+        ec_field_element_copy(&X1, &a->fe_x);
+        ec_field_element_copy(&Y1, &a->fe_y);
+        ec_field_element_copy(&Z1, &a->fe_z);
+
+        /* b3 := 3 * b ; */
+        ec_field_element_add(&group->fm, &b3, &gb, &gb);
+        ec_field_element_add(&group->fm, &b3, &b3, &gb);
+
+        /* t0 := X^2; t1 := Y^2; t2 := Z^2 ; */
+        ec_field_element_sqr(&group->fm, &t0, &X1);
+        ec_field_element_sqr(&group->fm, &t1, &Y1);
+        ec_field_element_sqr(&group->fm, &t2, &Z1);
+
+        /* t3 := X * Y ; t3 := t3 + t3 ; Z3 := X * Z ; */
+        ec_field_element_mul(&group->fm, &t3, &X1, &Y1);
+        ec_field_element_add(&group->fm, &t3, &t3, &t3);
+        ec_field_element_mul(&group->fm, &Z3, &X1, &Z1);
+
+        /* Z3 := Z3 + Z3 ; X3 := a * Z3 ; Y3 := b3 * t2 ; */
+        ec_field_element_add(&group->fm, &Z3, &Z3, &Z3);
+        ec_field_element_mul(&group->fm, &X3, &ga, &Z3);
+        ec_field_element_mul(&group->fm, &Y3, &b3, &t2);
+
+        /* Y3 := X3 + Y3 ; X3 := t1 - Y3 ; Y3 := t1 + Y3 ; */
+        ec_field_element_add(&group->fm, &Y3, &X3, &Y3);
+        ec_field_element_sub(&group->fm, &X3, &t1, &Y3);
+        ec_field_element_add(&group->fm, &Y3, &t1, &Y3);
+
+        /* Y3 := X3 * Y3 ; X3 := t3 * X3 ; Z3 := b3 * Z3 ; */
+        ec_field_element_mul(&group->fm, &Y3, &X3, &Y3);
+        ec_field_element_mul(&group->fm, &X3, &t3, &X3);
+        ec_field_element_mul(&group->fm, &Z3, &b3, &Z3);
+
+        /* t2 := a * t2 ; t3 := t0 - t2 ; t3 := a * t3 ; */
+        ec_field_element_mul(&group->fm, &t2, &ga, &t2);
+        ec_field_element_sub(&group->fm, &t3, &t0, &t2);
+        ec_field_element_mul(&group->fm, &t3, &ga, &t3);
+
+        /* t3 := t3 + Z3 ; Z3 := t0 + t0 ; t0 := Z3 + t0 ; */
+        ec_field_element_add(&group->fm, &t3, &t3, &Z3);
+        ec_field_element_add(&group->fm, &Z3, &t0, &t0);
+        ec_field_element_add(&group->fm, &t0, &Z3, &t0);
+
+        /* t0 := t0 + t2 ; t0 := t0 * t3 ; Y3 := Y3 + t0 ; */
+        ec_field_element_add(&group->fm, &t0, &t0, &t2);
+        ec_field_element_mul(&group->fm, &t0, &t0, &t3);
+        ec_field_element_add(&group->fm, &Y3, &Y3, &t0);
+
+        /* t2 := Y * Z ; t2 := t2 + t2 ; t0 := t2 * t3 ; */
+        ec_field_element_mul(&group->fm, &t2, &Y1, &Z1);
+        ec_field_element_add(&group->fm, &t2, &t2, &t2);
+        ec_field_element_mul(&group->fm, &t0, &t2, &t3);
+
+        /* X3 := X3 - t0 ; Z3 := t2 * t1 ; Z3 := Z3 + Z3 ; */
+        ec_field_element_sub(&group->fm, &X3, &X3, &t0);
+        ec_field_element_mul(&group->fm, &Z3, &t2, &t1);
+        ec_field_element_add(&group->fm, &Z3, &Z3, &Z3);
+
+        /* Z3 := Z3 + Z3 ; */
+        ec_field_element_add(&group->fm, &Z3, &Z3, &Z3);
+
+        ec_field_element_copy(&r->fe_x, &X3);
+        ec_field_element_copy(&r->fe_y, &Y3);
+        ec_field_element_copy(&r->fe_z, &Z3);
+
+        return 1;
+}
+
+static int
+ec_point_dbl_a2(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
+{
+        EC_FIELD_ELEMENT X1, Y1, Z1, X3, Y3, Z3;
+        EC_FIELD_ELEMENT t0, t1, t2, t3;
+        EC_FIELD_ELEMENT ga, gb;
+
+        /*
+         * Exception-free point doubling for arbitrary prime order short
+         * Weierstrass curves with a = -3 - see https://eprint.iacr.org/2015/1060,
+         * algorithm 6 and appendix A.2.
+         */
+
+        ec_field_element_copy(&ga, &group->fe_a);
+        ec_field_element_copy(&gb, &group->fe_b);
+
+        ec_field_element_copy(&X1, &a->fe_x);
+        ec_field_element_copy(&Y1, &a->fe_y);
+        ec_field_element_copy(&Z1, &a->fe_z);
+
+        /* t0 := X^2; t1 := Y^2; t2 := Z^2 ; */
+        ec_field_element_sqr(&group->fm, &t0, &X1);
+        ec_field_element_sqr(&group->fm, &t1, &Y1);
+        ec_field_element_sqr(&group->fm, &t2, &Z1);
+
+        /* t3 := X * Y ; t3 := t3 + t3 ; Z3 := X * Z ; */
+        ec_field_element_mul(&group->fm, &t3, &X1, &Y1);
+        ec_field_element_add(&group->fm, &t3, &t3, &t3);
+        ec_field_element_mul(&group->fm, &Z3, &X1, &Z1);
+
+        /* Z3 := Z3 + Z3 ; Y3 := b * t2 ; Y3 := Y3 - Z3 ; */
+        ec_field_element_add(&group->fm, &Z3, &Z3, &Z3);
+        ec_field_element_mul(&group->fm, &Y3, &gb, &t2);
+        ec_field_element_sub(&group->fm, &Y3, &Y3, &Z3);
+
+        /* X3 := Y3 + Y3 ; Y3 := X3 + Y3 ; X3 := t1 - Y3 ; */
+        ec_field_element_add(&group->fm, &X3, &Y3, &Y3);
+        ec_field_element_add(&group->fm, &Y3, &X3, &Y3);
+        ec_field_element_sub(&group->fm, &X3, &t1, &Y3);
+
+        /* Y3 := t1 + Y3 ; Y3 := X3 * Y3 ; X3 := X3 * t3 ; */
+        ec_field_element_add(&group->fm, &Y3, &t1, &Y3);
+        ec_field_element_mul(&group->fm, &Y3, &X3, &Y3);
+        ec_field_element_mul(&group->fm, &X3, &X3, &t3);
+
+        /* t3 := t2 + t2 ; t2 := t2 + t3 ; Z3 := b * Z3 ; */
+        ec_field_element_add(&group->fm, &t3, &t2, &t2);
+        ec_field_element_add(&group->fm, &t2, &t2, &t3);
+        ec_field_element_mul(&group->fm, &Z3, &gb, &Z3);
+
+        /* Z3 := Z3 - t2 ; Z3 := Z3 - t0 ; t3 := Z3 + Z3 ; */
+        ec_field_element_sub(&group->fm, &Z3, &Z3, &t2);
+        ec_field_element_sub(&group->fm, &Z3, &Z3, &t0);
+        ec_field_element_add(&group->fm, &t3, &Z3, &Z3);
+
+        /* Z3 := Z3 + t3 ; t3 := t0 + t0 ; t0 := t3 + t0 ; */
+        ec_field_element_add(&group->fm, &Z3, &Z3, &t3);
+        ec_field_element_add(&group->fm, &t3, &t0, &t0);
+        ec_field_element_add(&group->fm, &t0, &t3, &t0);
+
+        /* t0 := t0 - t2 ; t0 := t0 * Z3 ; Y3 := Y3 + t0 ; */
+        ec_field_element_sub(&group->fm, &t0, &t0, &t2);
+        ec_field_element_mul(&group->fm, &t0, &t0, &Z3);
+        ec_field_element_add(&group->fm, &Y3, &Y3, &t0);
+
+        /* t0 := Y * Z ; t0 := t0 + t0 ; Z3 := t0 * Z3 ; */
+        ec_field_element_mul(&group->fm, &t0, &Y1, &Z1);
+        ec_field_element_add(&group->fm, &t0, &t0, &t0);
+        ec_field_element_mul(&group->fm, &Z3, &t0, &Z3);
+
+        /* X3 := X3 - Z3 ; Z3 := t0 * t1 ; Z3 := Z3 + Z3 ; */
+        ec_field_element_sub(&group->fm, &X3, &X3, &Z3);
+        ec_field_element_mul(&group->fm, &Z3, &t0, &t1);
+        ec_field_element_add(&group->fm, &Z3, &Z3, &Z3);
+
+        /* Z3 := Z3 + Z3 ; */
+        ec_field_element_add(&group->fm, &Z3, &Z3, &Z3);
+
+        ec_field_element_copy(&r->fe_x, &X3);
+        ec_field_element_copy(&r->fe_y, &Y3);
+        ec_field_element_copy(&r->fe_z, &Z3);
+
+        return 1;
+}
+
+static int
+ec_point_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
+{
+        if (group->a_is_minus3)
+                return ec_point_dbl_a2(group, r, a, ctx);
+
+        return ec_point_dbl_a1(group, r, a, ctx);
+}
+
+static int
+ec_point_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
+{
+        EC_FIELD_ELEMENT y;
+        BN_ULONG mask;
+        int i;
+
+        /*
+         * Invert the point by setting Y = p - Y, if Y is non-zero and the point
+         * is not at infinity.
+         */
+
+        mask = ~(0 - (ec_point_is_at_infinity(group, point) |
+            ec_field_element_is_zero(&group->fm, &point->fe_y)));
+
+        /* XXX - masked/conditional subtraction? */
+        ec_field_element_sub(&group->fm, &y, &group->fm.m, &point->fe_y);
+
+        for (i = 0; i < group->fm.n; i++)
+                point->fe_y.w[i] = (point->fe_y.w[i] & ~mask) | (y.w[i] & mask);
+
+        return 1;
+}
+
+static int
+ec_point_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
+{
+        EC_FIELD_ELEMENT sum, axz2, bz3, x3, y2z, z2;
+
+        /*
+         * Curve is defined by a Weierstrass equation y^2 = x^3 + a*x + b.
+         * The given point is in homogeneous projective coordinates
+         * (x = X/Z, y = Y/Z). Substitute and multiply by Z^3 in order to
+         * evaluate as zy^2 = x^3 + axz^2 + bz^3.
+         */
+
+        ec_field_element_sqr(&group->fm, &z2, &point->fe_z);
+
+        ec_field_element_sqr(&group->fm, &y2z, &point->fe_y);
+        ec_field_element_mul(&group->fm, &y2z, &y2z, &point->fe_z);
+
+        ec_field_element_sqr(&group->fm, &x3, &point->fe_x);
+        ec_field_element_mul(&group->fm, &x3, &x3, &point->fe_x);
+
+        ec_field_element_mul(&group->fm, &axz2, &group->fe_a, &point->fe_x);
+        ec_field_element_mul(&group->fm, &axz2, &axz2, &z2);
+
+        ec_field_element_mul(&group->fm, &bz3, &group->fe_b, &point->fe_z);
+        ec_field_element_mul(&group->fm, &bz3, &bz3, &z2);
+
+        ec_field_element_add(&group->fm, &sum, &x3, &axz2);
+        ec_field_element_add(&group->fm, &sum, &sum, &bz3);
+
+        return ec_field_element_equal(&group->fm, &y2z, &sum) |
+            ec_point_is_at_infinity(group, point);
+}
+
+static int
+ec_point_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+{
+        EC_FIELD_ELEMENT ax, ay, bx, by;
+
+        /*
+         * Compare two points that have homogeneous projection coordinates, that
+         * is (X_a/Z_a, Y_a/Z_a) == (X_b/Z_b, Y_b/Z_b). Return -1 on error, 0 on
+         * equality and 1 on inequality.
+         *
+         * If a and b are both at infinity, Z_a and Z_b will both be zero,
+         * resulting in all values becoming zero, resulting in equality. If a is
+         * at infinity and b is not, then Y_a will be one and Z_b will be
+         * non-zero, hence Y_a * Z_b will be non-zero. Z_a will be zero, hence
+         * Y_b * Z_a will be zero, resulting in inequality. The same applies if
+         * b is at infinity and a is not.
+         */
+
+        ec_field_element_mul(&group->fm, &ax, &a->fe_x, &b->fe_z);
+        ec_field_element_mul(&group->fm, &ay, &a->fe_y, &b->fe_z);
+        ec_field_element_mul(&group->fm, &bx, &b->fe_x, &a->fe_z);
+        ec_field_element_mul(&group->fm, &by, &b->fe_y, &a->fe_z);
+
+        return 1 - (ec_field_element_equal(&group->fm, &ax, &bx) &
+            ec_field_element_equal(&group->fm, &ay, &by));
+}
+
+#if 0
+static int
+ec_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
+    BN_CTX *ctx)
+{
+        size_t i;
+
+        /* XXX */
+        for (i = 0; i < num; i++) {
+                if (!EC_POINT_make_affine(group, points[0], ctx))
+                        return 0;
+        }
+
+        return 1;
+}
+#else
+
+static int
+ec_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
+    BN_CTX *ctx)
+{
+        BIGNUM **prod_Z = NULL;
+        BIGNUM *tmp, *tmp_Z;
+        size_t i;
+        int ret = 0;
+
+        if (num == 0)
+                return 1;
+
+        BN_CTX_start(ctx);
+
+        if ((tmp = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if ((tmp_Z = BN_CTX_get(ctx)) == NULL)
+                goto err;
+
+        if ((prod_Z = calloc(num, sizeof *prod_Z)) == NULL)
+                goto err;
+        for (i = 0; i < num; i++) {
+                if ((prod_Z[i] = BN_CTX_get(ctx)) == NULL)
+                        goto err;
+        }
+
+        if (!BN_is_zero(points[0]->Z)) {
+                if (!bn_copy(prod_Z[0], points[0]->Z))
+                        goto err;
+        } else {
+                if (!BN_one(prod_Z[0]))
+                        goto err;
+        }
+
+        for (i = 1; i < num; i++) {
+                if (!BN_is_zero(points[i]->Z)) {
+                        if (!BN_mod_mul(prod_Z[i], prod_Z[i - 1], points[i]->Z,
+                            group->p, ctx))
+                                goto err;
+                } else {
+                        if (!bn_copy(prod_Z[i], prod_Z[i - 1]))
+                                goto err;
+                }
+        }
+
+        if (!BN_mod_inverse_nonct(tmp, prod_Z[num - 1], group->p, ctx)) {
+                ECerror(ERR_R_BN_LIB);
+                goto err;
+        }
+
+        for (i = num - 1; i > 0; i--) {
+                if (BN_is_zero(points[i]->Z))
+                        continue;
+
+                if (!BN_mod_mul(tmp_Z, prod_Z[i - 1], tmp, group->p, ctx))
+                        goto err;
+                if (!BN_mod_mul(tmp, tmp, points[i]->Z, group->p, ctx))
+                        goto err;
+                if (!bn_copy(points[i]->Z, tmp_Z))
+                        goto err;
+        }
+
+        for (i = 0; i < num; i++) {
+                EC_POINT *p = points[i];
+
+                if (BN_is_zero(p->Z))
+                        continue;
+
+                if (!BN_mod_mul(p->X, p->X, p->Z, group->p, ctx))
+                        goto err;
+                if (!BN_mod_mul(p->Y, p->Y, p->Z, group->p, ctx))
+                        goto err;
+
+                if (!BN_one(p->Z))
+                        goto err;
+        }
+
+        ret = 1;
+
+ err:
+        BN_CTX_end(ctx);
+        free(prod_Z);
+
+        return ret;
+}
+#endif
+
+static void
+ec_point_select(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
+    const EC_POINT *b, int conditional)
+{
+        ec_field_element_select(&group->fm, &r->fe_x, &a->fe_x, &b->fe_x, conditional);
+        ec_field_element_select(&group->fm, &r->fe_y, &a->fe_y, &b->fe_y, conditional);
+        ec_field_element_select(&group->fm, &r->fe_z, &a->fe_z, &b->fe_z, conditional);
+}
+
+static int
+ec_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, const EC_POINT *point,
+    BN_CTX *ctx)
+{
+        BIGNUM *cardinality;
+        EC_POINT *multiples[15];
+        EC_POINT *rr = NULL, *t = NULL;
+        uint8_t *scalar_bytes = NULL;
+        int scalar_len = 0;
+        uint8_t j, wv;
+        int conditional, i;
+        int ret = 0;
+
+        memset(multiples, 0, sizeof(multiples));
+
+        BN_CTX_start(ctx);
+
+        /* XXX - consider blinding. */
+
+        if ((cardinality = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if (!BN_mul(cardinality, group->order, group->cofactor, ctx))
+                goto err;
+
+        /* XXX - handle scalar > cardinality and/or negative. */
+
+        /* Convert scalar into big endian bytes. */
+        scalar_len = BN_num_bytes(cardinality);
+        if ((scalar_bytes = calloc(1, scalar_len)) == NULL)
+                goto err;
+        if (!BN_bn2binpad(scalar, scalar_bytes, scalar_len))
+                goto err;
+
+        /* Compute multiples of point. */
+        if ((multiples[0] = EC_POINT_dup(point, group)) == NULL)
+                goto err;
+        for (i = 1; i < 15; i += 2) {
+                if ((multiples[i] = EC_POINT_new(group)) == NULL)
+                        goto err;
+                if (!EC_POINT_dbl(group, multiples[i], multiples[i / 2], ctx))
+                        goto err;
+                if ((multiples[i + 1] = EC_POINT_new(group)) == NULL)
+                        goto err;
+                if (!EC_POINT_add(group, multiples[i + 1], multiples[i], point, ctx))
+                        goto err;
+        }
+
+        if ((rr = EC_POINT_new(group)) == NULL)
+                goto err;
+        if ((t = EC_POINT_new(group)) == NULL)
+                goto err;
+
+        if (!EC_POINT_set_to_infinity(group, rr))
+                goto err;
+
+        for (i = 0; i < scalar_len; i++) {
+                if (i != 0) {
+                        if (!EC_POINT_dbl(group, rr, rr, ctx))
+                                goto err;
+                        if (!EC_POINT_dbl(group, rr, rr, ctx))
+                                goto err;
+                        if (!EC_POINT_dbl(group, rr, rr, ctx))
+                                goto err;
+                        if (!EC_POINT_dbl(group, rr, rr, ctx))
+                                goto err;
+                }
+
+                if (!EC_POINT_set_to_infinity(group, t))
+                        goto err;
+
+                wv = scalar_bytes[i] >> 4;
+                for (j = 1; j < 16; j++) {
+                        conditional = crypto_ct_eq_u8(j, wv);
+                        ec_point_select(group, t, t, multiples[j - 1], conditional);
+                }
+                if (!EC_POINT_add(group, rr, rr, t, ctx))
+                        goto err;
+
+                if (!EC_POINT_dbl(group, rr, rr, ctx))
+                        goto err;
+                if (!EC_POINT_dbl(group, rr, rr, ctx))
+                        goto err;
+                if (!EC_POINT_dbl(group, rr, rr, ctx))
+                        goto err;
+                if (!EC_POINT_dbl(group, rr, rr, ctx))
+                        goto err;
+
+                if (!EC_POINT_set_to_infinity(group, t))
+                        goto err;
+
+                wv = scalar_bytes[i] & 0xf;
+                for (j = 1; j < 16; j++) {
+                        conditional = crypto_ct_eq_u8(j, wv);
+                        ec_point_select(group, t, t, multiples[j - 1], conditional);
+                }
+                if (!EC_POINT_add(group, rr, rr, t, ctx))
+                        goto err;
+        }
+
+        if (!EC_POINT_copy(r, rr))
+                goto err;
+
+        ret = 1;
+
+ err:
+        for (i = 0; i < 15; i++)
+                EC_POINT_free(multiples[i]);
+
+        EC_POINT_free(rr);
+        EC_POINT_free(t);
+
+        freezero(scalar_bytes, scalar_len);
+
+        BN_CTX_end(ctx);
+
+        return ret;
+}
+
+static int
+ec_mul_single_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+    const EC_POINT *point, BN_CTX *ctx)
+{
+        return ec_mul(group, r, scalar, point, ctx);
+}
+
+static int
+ec_mul_double_nonct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
+    const EC_POINT *point1, const BIGNUM *scalar2, const EC_POINT *point2,
+    BN_CTX *ctx)
+{
+        return ec_wnaf_mul(group, r, scalar1, point1, scalar2, point2, ctx);
+}
+
+static const EC_METHOD ec_GFp_homogeneous_projective_method = {
+        .group_set_curve = ec_group_set_curve,
+        .group_get_curve = ec_group_get_curve,
+        .point_set_to_infinity = ec_point_set_to_infinity,
+        .point_is_at_infinity = ec_point_is_at_infinity,
+        .point_set_affine_coordinates = ec_point_set_affine_coordinates,
+        .point_get_affine_coordinates = ec_point_get_affine_coordinates,
+        .add = ec_point_add,
+        .dbl = ec_point_dbl,
+        .invert = ec_point_invert,
+        .point_is_on_curve = ec_point_is_on_curve,
+        .point_cmp = ec_point_cmp,
+        .points_make_affine = ec_points_make_affine,
+        .mul_single_ct = ec_mul_single_ct,
+        .mul_double_nonct = ec_mul_double_nonct,
+};
+
+const EC_METHOD *
+EC_GFp_homogeneous_projective_method(void)
+{
+        return &ec_GFp_homogeneous_projective_method;
+}
diff --git a/src/lib/libcrypto/ec/ecp_methods.c b/src/lib/libcrypto/ec/ecp_methods.c
index ced85ceb1e..fcb48d9e33 100644
--- a/src/lib/libcrypto/ec/ecp_methods.c
+++ b/src/lib/libcrypto/ec/ecp_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_methods.c,v 1.45 2025/03/24 13:07:04 jsing Exp $ */
+/* $OpenBSD: ecp_methods.c,v 1.47 2025/05/24 08:25:58 jsing Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
  * for the OpenSSL project.
  * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -66,11 +66,11 @@
 
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 
 #include "bn_local.h"
 #include "ec_local.h"
+#include "err_local.h"
 
 /*
  * Most method functions in this file are designed to work with non-trivial
@@ -180,6 +180,21 @@ ec_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
 }
 
 static int
+ec_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
+{
+        BN_zero(point->Z);
+        point->Z_is_one = 0;
+
+        return 1;
+}
+
+static int
+ec_point_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
+{
+        return BN_is_zero(point->Z);
+}
+
+static int
 ec_point_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
 {
         BIGNUM *rh, *tmp, *Z4, *Z6;
@@ -1281,6 +1296,8 @@ ec_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
 static const EC_METHOD ec_GFp_simple_method = {
         .group_set_curve = ec_group_set_curve,
         .group_get_curve = ec_group_get_curve,
+        .point_set_to_infinity = ec_point_set_to_infinity,
+        .point_is_at_infinity = ec_point_is_at_infinity,
         .point_is_on_curve = ec_point_is_on_curve,
         .point_cmp = ec_point_cmp,
         .point_set_affine_coordinates = ec_point_set_affine_coordinates,
@@ -1304,6 +1321,8 @@ EC_GFp_simple_method(void)
 static const EC_METHOD ec_GFp_mont_method = {
         .group_set_curve = ec_mont_group_set_curve,
         .group_get_curve = ec_group_get_curve,
+        .point_set_to_infinity = ec_point_set_to_infinity,
+        .point_is_at_infinity = ec_point_is_at_infinity,
         .point_is_on_curve = ec_point_is_on_curve,
         .point_cmp = ec_point_cmp,
         .point_set_affine_coordinates = ec_point_set_affine_coordinates,
diff --git a/src/lib/libcrypto/ec/ecx_methods.c b/src/lib/libcrypto/ec/ecx_methods.c
index 6b5759d4fa..b08456d03b 100644
--- a/src/lib/libcrypto/ec/ecx_methods.c
+++ b/src/lib/libcrypto/ec/ecx_methods.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ecx_methods.c,v 1.14 2024/08/28 07:15:04 tb Exp $ */
+/*      $OpenBSD: ecx_methods.c,v 1.15 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2022 Joel Sing <jsing@openbsd.org>
  *
@@ -20,13 +20,13 @@
 #include <openssl/cms.h>
 #include <openssl/curve25519.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
 #include "bytestring.h"
 #include "curve25519_internal.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/ecdh/ecdh.c b/src/lib/libcrypto/ecdh/ecdh.c
index dbb91f1991..c3affed682 100644
--- a/src/lib/libcrypto/ecdh/ecdh.c
+++ b/src/lib/libcrypto/ecdh/ecdh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecdh.c,v 1.11 2025/02/17 09:25:45 tb Exp $ */
+/* $OpenBSD: ecdh.c,v 1.12 2025/05/10 05:54:38 tb Exp $ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -73,10 +73,10 @@
 
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 
 #include "ec_local.h"
+#include "err_local.h"
 
 /*
  * Key derivation function from X9.63/SECG.
diff --git a/src/lib/libcrypto/ecdsa/ecdsa.c b/src/lib/libcrypto/ecdsa/ecdsa.c
index 5abc3586e3..4e00eb5ec8 100644
--- a/src/lib/libcrypto/ecdsa/ecdsa.c
+++ b/src/lib/libcrypto/ecdsa/ecdsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecdsa.c,v 1.19 2024/04/15 15:49:37 tb Exp $ */
+/* $OpenBSD: ecdsa.c,v 1.20 2025/05/10 05:54:38 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2000-2002 The OpenSSL Project.  All rights reserved.
  *
@@ -61,11 +61,11 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 
 #include "bn_local.h"
 #include "ec_local.h"
 #include "ecdsa_local.h"
+#include "err_local.h"
 
 static const ASN1_TEMPLATE ECDSA_SIG_seq_tt[] = {
         {
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index 25fbb03875..a60769fc2a 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: err.c,v 1.75 2024/11/02 12:46:36 tb Exp $ */
+/* $OpenBSD: err.c,v 1.78 2025/06/10 08:53:37 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -484,33 +484,27 @@ err_build_SYS_str_reasons(void)
 {
         /* malloc cannot be used here, use static storage instead */
         static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
+        const char *errstr;
         int save_errno;
         int i;
 
         /* strerror(3) will set errno to EINVAL when i is an unknown errno. */
         save_errno = errno;
-        for (i = 1; i <= NUM_SYS_STR_REASONS; i++) {
-                ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
-
-                str->error = (unsigned long)i;
-                if (str->string == NULL) {
-                        char (*dest)[LEN_SYS_STR_REASON] =
-                            &(strerror_tab[i - 1]);
-                        const char *src = strerror(i);
-                        if (src != NULL) {
-                                strlcpy(*dest, src, sizeof *dest);
-                                str->string = *dest;
-                        }
+        for (i = 0; i < NUM_SYS_STR_REASONS; i++) {
+                ERR_STRING_DATA *str = &SYS_str_reasons[i];
+
+                str->error = i + 1;
+                str->string = "unknown";
+
+                if ((errstr = strerror((int)str->error)) != NULL) {
+                        strlcpy(strerror_tab[i], errstr, sizeof(strerror_tab[i]));
+                        str->string = strerror_tab[i];
                 }
-                if (str->string == NULL)
-                        str->string = "unknown";
         }
         errno = save_errno;
 
-        /*
-         * Now we still have SYS_str_reasons[NUM_SYS_STR_REASONS] = {0, NULL},
-         * as required by ERR_load_strings.
-         */
+        SYS_str_reasons[NUM_SYS_STR_REASONS].error = 0;
+        SYS_str_reasons[NUM_SYS_STR_REASONS].string = NULL;
 }
 #endif
 
@@ -830,7 +824,7 @@ err_clear_last_constant_time(int clear)
 
         es = ERR_get_state();
         if (es == NULL)
-        return;
+                return;
 
         top = es->top;
 
diff --git a/src/lib/libcrypto/err/err.h b/src/lib/libcrypto/err/err.h
index fe6c34dd0a..093db4316e 100644
--- a/src/lib/libcrypto/err/err.h
+++ b/src/lib/libcrypto/err/err.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: err.h,v 1.36 2025/03/09 15:12:18 tb Exp $ */
+/* $OpenBSD: err.h,v 1.38 2025/05/10 06:17:09 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -192,80 +192,9 @@ extern "C" {
 #define ERR_LIB_USER            128
 
 #ifndef LIBRESSL_INTERNAL
-#define SYSerr(f,r)  ERR_PUT_error(ERR_LIB_SYS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define BNerr(f,r)   ERR_PUT_error(ERR_LIB_BN,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define RSAerr(f,r)  ERR_PUT_error(ERR_LIB_RSA,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define DHerr(f,r)   ERR_PUT_error(ERR_LIB_DH,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define EVPerr(f,r)  ERR_PUT_error(ERR_LIB_EVP,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define BUFerr(f,r)  ERR_PUT_error(ERR_LIB_BUF,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define OBJerr(f,r)  ERR_PUT_error(ERR_LIB_OBJ,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define PEMerr(f,r)  ERR_PUT_error(ERR_LIB_PEM,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define DSAerr(f,r)  ERR_PUT_error(ERR_LIB_DSA,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define X509err(f,r) ERR_PUT_error(ERR_LIB_X509,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ASN1err(f,r) ERR_PUT_error(ERR_LIB_ASN1,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CONFerr(f,r) ERR_PUT_error(ERR_LIB_CONF,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CRYPTOerr(f,r) ERR_PUT_error(ERR_LIB_CRYPTO,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ECerr(f,r)   ERR_PUT_error(ERR_LIB_EC,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define BIOerr(f,r)  ERR_PUT_error(ERR_LIB_BIO,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define PKCS7err(f,r) ERR_PUT_error(ERR_LIB_PKCS7,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define X509V3err(f,r) ERR_PUT_error(ERR_LIB_X509V3,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define PKCS12err(f,r) ERR_PUT_error(ERR_LIB_PKCS12,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define RANDerr(f,r) ERR_PUT_error(ERR_LIB_RAND,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define DSOerr(f,r) ERR_PUT_error(ERR_LIB_DSO,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ENGINEerr(f,r) ERR_PUT_error(ERR_LIB_ENGINE,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define OCSPerr(f,r) ERR_PUT_error(ERR_LIB_OCSP,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define UIerr(f,r) ERR_PUT_error(ERR_LIB_UI,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define COMPerr(f,r) ERR_PUT_error(ERR_LIB_COMP,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ECDSAerr(f,r)  ERR_PUT_error(ERR_LIB_ECDSA,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ECDHerr(f,r)  ERR_PUT_error(ERR_LIB_ECDH,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define STOREerr(f,r) ERR_PUT_error(ERR_LIB_STORE,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CMSerr(f,r) ERR_PUT_error(ERR_LIB_CMS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define TSerr(f,r) ERR_PUT_error(ERR_LIB_TS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define HMACerr(f,r) ERR_PUT_error(ERR_LIB_HMAC,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define JPAKEerr(f,r) ERR_PUT_error(ERR_LIB_JPAKE,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define GOSTerr(f,r) ERR_PUT_error(ERR_LIB_GOST,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define SSLerr(f,r)  ERR_PUT_error(ERR_LIB_SSL,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CTerr(f, r) ERR_PUT_error(ERR_LIB_CT,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define KDFerr(f, r) ERR_PUT_error(ERR_LIB_KDF,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#endif
-
-#ifdef LIBRESSL_INTERNAL
-#define SYSerror(r)  ERR_PUT_error(ERR_LIB_SYS,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define BNerror(r)   ERR_PUT_error(ERR_LIB_BN,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define RSAerror(r)  ERR_PUT_error(ERR_LIB_RSA,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define DHerror(r)   ERR_PUT_error(ERR_LIB_DH,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define EVPerror(r)  ERR_PUT_error(ERR_LIB_EVP,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define BUFerror(r)  ERR_PUT_error(ERR_LIB_BUF,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define OBJerror(r)  ERR_PUT_error(ERR_LIB_OBJ,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define PEMerror(r)  ERR_PUT_error(ERR_LIB_PEM,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define DSAerror(r)  ERR_PUT_error(ERR_LIB_DSA,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define X509error(r) ERR_PUT_error(ERR_LIB_X509,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ASN1error(r) ERR_PUT_error(ERR_LIB_ASN1,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CONFerror(r) ERR_PUT_error(ERR_LIB_CONF,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CRYPTOerror(r) ERR_PUT_error(ERR_LIB_CRYPTO,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ECerror(r)   ERR_PUT_error(ERR_LIB_EC,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define BIOerror(r)  ERR_PUT_error(ERR_LIB_BIO,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define PKCS7error(r) ERR_PUT_error(ERR_LIB_PKCS7,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define X509V3error(r) ERR_PUT_error(ERR_LIB_X509V3,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define PKCS12error(r) ERR_PUT_error(ERR_LIB_PKCS12,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define RANDerror(r) ERR_PUT_error(ERR_LIB_RAND,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define DSOerror(r) ERR_PUT_error(ERR_LIB_DSO,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ENGINEerror(r) ERR_PUT_error(ERR_LIB_ENGINE,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define OCSPerror(r) ERR_PUT_error(ERR_LIB_OCSP,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define UIerror(r) ERR_PUT_error(ERR_LIB_UI,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define COMPerror(r) ERR_PUT_error(ERR_LIB_COMP,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ECDSAerror(r)  ERR_PUT_error(ERR_LIB_ECDSA,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ECDHerror(r)  ERR_PUT_error(ERR_LIB_ECDH,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define STOREerror(r) ERR_PUT_error(ERR_LIB_STORE,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define FIPSerror(r) ERR_PUT_error(ERR_LIB_FIPS,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CMSerror(r) ERR_PUT_error(ERR_LIB_CMS,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define TSerror(r) ERR_PUT_error(ERR_LIB_TS,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define HMACerror(r) ERR_PUT_error(ERR_LIB_HMAC,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define JPAKEerror(r) ERR_PUT_error(ERR_LIB_JPAKE,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define GOSTerror(r) ERR_PUT_error(ERR_LIB_GOST,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CTerror(r) ERR_PUT_error(ERR_LIB_CT,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define KDFerror(r) ERR_PUT_error(ERR_LIB_KDF,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
+#define PEMerr(f,r)     ERR_PUT_error(ERR_LIB_PEM,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
+#define RSAerr(f,r)     ERR_PUT_error(ERR_LIB_RSA,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
+#define SSLerr(f,r)     ERR_PUT_error(ERR_LIB_SSL,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
 #endif
 
 #define ERR_PACK(l,f,r)         (((((unsigned long)l)&0xffL)<<24L)| \
diff --git a/src/lib/libcrypto/err/err_local.h b/src/lib/libcrypto/err/err_local.h
index d091b979cc..87cd40f4a8 100644
--- a/src/lib/libcrypto/err/err_local.h
+++ b/src/lib/libcrypto/err/err_local.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: err_local.h,v 1.1 2024/06/24 06:43:22 tb Exp $ */
+/*      $OpenBSD: err_local.h,v 1.5 2025/05/10 06:45:46 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -118,6 +118,34 @@ __BEGIN_HIDDEN_DECLS
 
 void ERR_load_const_strings(const ERR_STRING_DATA *str);
 
+#define ERR_PUT_ERROR(l, r) ERR_PUT_error((l), 0xfff, (r), OPENSSL_FILE, OPENSSL_LINE)
+
+#define ASN1error(r)    ERR_PUT_ERROR(ERR_LIB_ASN1, (r))
+#define BIOerror(r)     ERR_PUT_ERROR(ERR_LIB_BIO, (r))
+#define BNerror(r)      ERR_PUT_ERROR(ERR_LIB_BN, (r))
+#define BUFerror(r)     ERR_PUT_ERROR(ERR_LIB_BUF, (r))
+#define CMSerror(r)     ERR_PUT_ERROR(ERR_LIB_CMS, (r))
+#define CONFerror(r)    ERR_PUT_ERROR(ERR_LIB_CONF, (r))
+#define CRYPTOerror(r)  ERR_PUT_ERROR(ERR_LIB_CRYPTO, (r))
+#define CTerror(r)      ERR_PUT_ERROR(ERR_LIB_CT, (r))
+#define DHerror(r)      ERR_PUT_ERROR(ERR_LIB_DH, (r))
+#define DSAerror(r)     ERR_PUT_ERROR(ERR_LIB_DSA, (r))
+#define ECerror(r)      ERR_PUT_ERROR(ERR_LIB_EC, (r))
+#define EVPerror(r)     ERR_PUT_ERROR(ERR_LIB_EVP, (r))
+#define KDFerror(r)     ERR_PUT_ERROR(ERR_LIB_KDF, (r))
+#define OBJerror(r)     ERR_PUT_ERROR(ERR_LIB_OBJ, (r))
+#define OCSPerror(r)    ERR_PUT_ERROR(ERR_LIB_OCSP, (r))
+#define PEMerror(r)     ERR_PUT_ERROR(ERR_LIB_PEM, (r))
+#define PKCS12error(r)  ERR_PUT_ERROR(ERR_LIB_PKCS12, (r))
+#define PKCS7error(r)   ERR_PUT_ERROR(ERR_LIB_PKCS7, (r))
+#define RANDerror(r)    ERR_PUT_ERROR(ERR_LIB_RAND, (r))
+#define RSAerror(r)     ERR_PUT_ERROR(ERR_LIB_RSA, (r))
+#define SYSerror(r)     ERR_PUT_ERROR(ERR_LIB_SYS, (r))
+#define TSerror(r)      ERR_PUT_ERROR(ERR_LIB_TS, (r))
+#define UIerror(r)      ERR_PUT_ERROR(ERR_LIB_UI, (r))
+#define X509V3error(r)  ERR_PUT_ERROR(ERR_LIB_X509V3, (r))
+#define X509error(r)    ERR_PUT_ERROR(ERR_LIB_X509, (r))
+
 __END_HIDDEN_DECLS
 
 #endif /* HEADER_ERR_LOCAL_H */
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index 5c52b6b258..e1ae1e9a5b 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.61 2025/04/18 13:25:03 jsing Exp $ */
+/* $OpenBSD: e_aes.c,v 1.83 2025/07/22 09:31:09 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -59,19 +59,15 @@
 
 #ifndef OPENSSL_NO_AES
 #include <openssl/aes.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 
+#include "aes_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "modes_local.h"
 
 typedef struct {
         AES_KEY ks;
-        block128_f block;
-        union {
-                cbc128_f cbc;
-                ctr128_f ctr;
-        } stream;
 } EVP_AES_KEY;
 
 typedef struct {
@@ -84,15 +80,11 @@ typedef struct {
         int taglen;
         int iv_gen;             /* It is OK to generate IVs */
         int tls_aad_len;        /* TLS AAD length */
-        ctr128_f ctr;
 } EVP_AES_GCM_CTX;
 
 typedef struct {
         AES_KEY ks1, ks2;       /* AES key schedules to use */
-        XTS128_CONTEXT xts;
-        void (*stream)(const unsigned char *in, unsigned char *out,
-            size_t length, const AES_KEY *key1, const AES_KEY *key2,
-            const unsigned char iv[16]);
+        XTS128_CONTEXT xts;     /* XXX - replace with flags. */
 } EVP_AES_XTS_CTX;
 
 typedef struct {
@@ -103,99 +95,17 @@ typedef struct {
         int len_set;            /* Set if message length set */
         int L, M;               /* L and M parameters from RFC3610 */
         CCM128_CONTEXT ccm;
-        ccm128_f str;
 } EVP_AES_CCM_CTX;
 
 #define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
 
-#ifdef AES_CTR_ASM
-void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
-    size_t blocks, const AES_KEY *key,
-    const unsigned char ivec[AES_BLOCK_SIZE]);
-#endif
-#ifdef AES_XTS_ASM
-void AES_xts_encrypt(const char *inp, char *out, size_t len,
-    const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
-void AES_xts_decrypt(const char *inp, char *out, size_t len,
-    const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
-#endif
-
-#if     defined(AES_ASM) &&                             (  \
-        ((defined(__i386)       || defined(__i386__)    || \
-          defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
-        defined(__x86_64)       || defined(__x86_64__)  || \
-        defined(_M_AMD64)       || defined(_M_X64)      || \
-        defined(__INTEL__)                              )
-
-#include "x86_arch.h"
-
-/*
- * AES-NI section
- */
-#define AESNI_CAPABLE   (crypto_cpu_caps_ia32() & CPUCAP_MASK_AESNI)
-
-int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
-    AES_KEY *key);
-int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
-    AES_KEY *key);
-
-void aesni_encrypt(const unsigned char *in, unsigned char *out,
-    const AES_KEY *key);
-void aesni_decrypt(const unsigned char *in, unsigned char *out,
-    const AES_KEY *key);
-
-void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
-    size_t length, const AES_KEY *key, int enc);
-void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out,
-    size_t length, const AES_KEY *key, unsigned char *ivec, int enc);
-
-void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
-    size_t blocks, const void *key, const unsigned char *ivec);
-
-void aesni_xts_encrypt(const unsigned char *in, unsigned char *out,
-    size_t length, const AES_KEY *key1, const AES_KEY *key2,
-    const unsigned char iv[16]);
-
-void aesni_xts_decrypt(const unsigned char *in, unsigned char *out,
-    size_t length, const AES_KEY *key1, const AES_KEY *key2,
-    const unsigned char iv[16]);
-
-void aesni_ccm64_encrypt_blocks (const unsigned char *in, unsigned char *out,
-    size_t blocks, const void *key, const unsigned char ivec[16],
-    unsigned char cmac[16]);
-
-void aesni_ccm64_decrypt_blocks (const unsigned char *in, unsigned char *out,
-    size_t blocks, const void *key, const unsigned char ivec[16],
-    unsigned char cmac[16]);
-
 static int
-aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
     const unsigned char *iv, int enc)
 {
-        int ret, mode;
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
-
-        mode = ctx->cipher->flags & EVP_CIPH_MODE;
-        if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) &&
-            !enc) {
-                ret = aesni_set_decrypt_key(key, ctx->key_len * 8,
-                    ctx->cipher_data);
-                dat->block = (block128_f)aesni_decrypt;
-                dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
-                    (cbc128_f)aesni_cbc_encrypt : NULL;
-        } else {
-                ret = aesni_set_encrypt_key(key, ctx->key_len * 8,
-                    ctx->cipher_data);
-                dat->block = (block128_f)aesni_encrypt;
-                if (mode == EVP_CIPH_CBC_MODE)
-                        dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
-                else if (mode == EVP_CIPH_CTR_MODE)
-                        dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
-                else
-                        dat->stream.cbc = NULL;
-        }
+        EVP_AES_KEY *eak = ctx->cipher_data;
 
-        if (ret < 0) {
+        if (AES_set_encrypt_key(key, ctx->key_len * 8, &eak->ks) < 0) {
                 EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
                 return 0;
         }
@@ -204,192 +114,65 @@ aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 }
 
 static int
-aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-    const unsigned char *in, size_t len)
-{
-        aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv,
-            ctx->encrypt);
-
-        return 1;
-}
-
-static int
-aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-    const unsigned char *in, size_t len)
-{
-        size_t  bl = ctx->cipher->block_size;
-
-        if (len < bl)
-                return 1;
-
-        aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt);
-
-        return 1;
-}
-
-static int
-aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *iv, int enc)
+aes_cbc_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+    const unsigned char *iv, int encrypt)
 {
-        EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
+        EVP_AES_KEY *eak = ctx->cipher_data;
 
-        if (!iv && !key)
-                return 1;
-        if (key) {
-                aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
-                CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
-                    (block128_f)aesni_encrypt);
-                gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
-                /* If we have an iv can set it directly, otherwise use
-                 * saved IV.
-                 */
-                if (iv == NULL && gctx->iv_set)
-                        iv = gctx->iv;
-                if (iv) {
-                        CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
-                        gctx->iv_set = 1;
+        if (encrypt) {
+                if (AES_set_encrypt_key(key, ctx->key_len * 8, &eak->ks) < 0) {
+                        EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
+                        return 0;
                 }
-                gctx->key_set = 1;
         } else {
-                /* If key set use IV, otherwise copy */
-                if (gctx->key_set)
-                        CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
-                else
-                        memcpy(gctx->iv, iv, gctx->ivlen);
-                gctx->iv_set = 1;
-                gctx->iv_gen = 0;
-        }
-        return 1;
-}
-
-static int
-aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *iv, int enc)
-{
-        EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
-
-        if (!iv && !key)
-                return 1;
-
-        if (key) {
-                /* key_len is two AES keys */
-                if (enc) {
-                        aesni_set_encrypt_key(key, ctx->key_len * 4,
-                            &xctx->ks1);
-                        xctx->xts.block1 = (block128_f)aesni_encrypt;
-                        xctx->stream = aesni_xts_encrypt;
-                } else {
-                        aesni_set_decrypt_key(key, ctx->key_len * 4,
-                            &xctx->ks1);
-                        xctx->xts.block1 = (block128_f)aesni_decrypt;
-                        xctx->stream = aesni_xts_decrypt;
+                if (AES_set_decrypt_key(key, ctx->key_len * 8, &eak->ks) < 0) {
+                        EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
+                        return 0;
                 }
-
-                aesni_set_encrypt_key(key + ctx->key_len / 2,
-                    ctx->key_len * 4, &xctx->ks2);
-                xctx->xts.block2 = (block128_f)aesni_encrypt;
-
-                xctx->xts.key1 = &xctx->ks1;
-        }
-
-        if (iv) {
-                xctx->xts.key2 = &xctx->ks2;
-                memcpy(ctx->iv, iv, 16);
         }
 
         return 1;
 }
 
 static int
-aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *iv, int enc)
+aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+    const unsigned char *in, size_t len)
 {
-        EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
+        EVP_AES_KEY *eak = ctx->cipher_data;
+
+        AES_cbc_encrypt(in, out, len, &eak->ks, ctx->iv, ctx->encrypt);
 
-        if (!iv && !key)
-                return 1;
-        if (key) {
-                aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
-                CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
-                    &cctx->ks, (block128_f)aesni_encrypt);
-                cctx->str = enc ? (ccm128_f)aesni_ccm64_encrypt_blocks :
-                    (ccm128_f)aesni_ccm64_decrypt_blocks;
-                cctx->key_set = 1;
-        }
-        if (iv) {
-                memcpy(ctx->iv, iv, 15 - cctx->L);
-                cctx->iv_set = 1;
-        }
         return 1;
 }
 
-#endif
-
 static int
-aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *iv, int enc)
+aes_ecb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+    const unsigned char *iv, int encrypt)
 {
-        int ret, mode;
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
-
-        mode = ctx->cipher->flags & EVP_CIPH_MODE;
+        EVP_AES_KEY *eak = ctx->cipher_data;
 
-        if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) && !enc) {
-                ret = AES_set_decrypt_key(key, ctx->key_len * 8, &dat->ks);
-                dat->block = (block128_f)AES_decrypt;
-                dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
-                    (cbc128_f)AES_cbc_encrypt : NULL;
+        if (encrypt) {
+                if (AES_set_encrypt_key(key, ctx->key_len * 8, &eak->ks) < 0) {
+                        EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
+                        return 0;
+                }
         } else {
-                ret = AES_set_encrypt_key(key, ctx->key_len * 8, &dat->ks);
-                dat->block = (block128_f)AES_encrypt;
-                dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
-                    (cbc128_f)AES_cbc_encrypt : NULL;
-#ifdef AES_CTR_ASM
-                if (mode == EVP_CIPH_CTR_MODE)
-                        dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
-#endif
-        }
-
-        if (ret < 0) {
-                EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
-                return 0;
+                if (AES_set_decrypt_key(key, ctx->key_len * 8, &eak->ks) < 0) {
+                        EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
+                        return 0;
+                }
         }
 
         return 1;
 }
 
 static int
-aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-    const unsigned char *in, size_t len)
-{
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
-
-        if (dat->stream.cbc)
-                (*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv,
-                    ctx->encrypt);
-        else if (ctx->encrypt)
-                CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv,
-                    dat->block);
-        else
-                CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv,
-                    dat->block);
-
-        return 1;
-}
-
-static int
 aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     const unsigned char *in, size_t len)
 {
-        size_t  bl = ctx->cipher->block_size;
-        size_t  i;
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
+        EVP_AES_KEY *eak = ctx->cipher_data;
 
-        if (len < bl)
-                return 1;
-
-        for (i = 0, len -= bl; i <= len; i += bl)
-                (*dat->block)(in + i, out + i, &dat->ks);
+        aes_ecb_encrypt_internal(in, out, len, &eak->ks, ctx->encrypt);
 
         return 1;
 }
@@ -398,10 +181,10 @@ static int
 aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     const unsigned char *in, size_t len)
 {
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
+        EVP_AES_KEY *eak = ctx->cipher_data;
+
+        AES_ofb128_encrypt(in, out, len, &eak->ks, ctx->iv, &ctx->num);
 
-        CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
-            dat->block);
         return 1;
 }
 
@@ -409,10 +192,11 @@ static int
 aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     const unsigned char *in, size_t len)
 {
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
+        EVP_AES_KEY *eak = ctx->cipher_data;
+
+        AES_cfb128_encrypt(in, out, len, &eak->ks, ctx->iv, &ctx->num,
+            ctx->encrypt);
 
-        CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
-            ctx->encrypt, dat->block);
         return 1;
 }
 
@@ -420,10 +204,11 @@ static int
 aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     const unsigned char *in, size_t len)
 {
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
+        EVP_AES_KEY *eak = ctx->cipher_data;
+
+        AES_cfb8_encrypt(in, out, len, &eak->ks, ctx->iv, &ctx->num,
+            ctx->encrypt);
 
-        CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
-            ctx->encrypt, dat->block);
         return 1;
 }
 
@@ -431,24 +216,25 @@ static int
 aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     const unsigned char *in, size_t len)
 {
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
+        EVP_AES_KEY *eak = ctx->cipher_data;
 
-        if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
-                CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, ctx->iv,
-                    &ctx->num, ctx->encrypt, dat->block);
+        if ((ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) != 0) {
+                AES_cfb1_encrypt(in, out, len, &eak->ks, ctx->iv, &ctx->num,
+                    ctx->encrypt);
                 return 1;
         }
 
         while (len >= MAXBITCHUNK) {
-                CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK*8, &dat->ks,
-                    ctx->iv, &ctx->num, ctx->encrypt, dat->block);
+                AES_cfb1_encrypt(in, out, MAXBITCHUNK * 8, &eak->ks, ctx->iv,
+                    &ctx->num, ctx->encrypt);
                 len -= MAXBITCHUNK;
                 in += MAXBITCHUNK;
                 out += MAXBITCHUNK;
         }
-        if (len)
-                CRYPTO_cfb128_1_encrypt(in, out, len*8, &dat->ks,
-                    ctx->iv, &ctx->num, ctx->encrypt, dat->block);
+        if (len > 0) {
+                AES_cfb1_encrypt(in, out, len * 8, &eak->ks, ctx->iv, &ctx->num,
+                    ctx->encrypt);
+        }
 
         return 1;
 }
@@ -457,40 +243,23 @@ static int
 aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     const unsigned char *in, size_t len)
 {
+        EVP_AES_KEY *eak = ctx->cipher_data;
         unsigned int num = ctx->num;
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
 
-        if (dat->stream.ctr)
-                CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
-                    ctx->iv, ctx->buf, &num, dat->stream.ctr);
-        else
-                CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
-                    ctx->iv, ctx->buf, &num, dat->block);
+        AES_ctr128_encrypt(in, out, len, &eak->ks, ctx->iv, ctx->buf, &num);
+
         ctx->num = (size_t)num;
+
         return 1;
 }
 
-
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_cbc = {
-        .nid = NID_aes_128_cbc,
-        .block_size = 16,
-        .key_len = 16,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aesni_cbc_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_128_cbc = {
         .nid = NID_aes_128_cbc,
         .block_size = 16,
         .key_len = 16,
         .iv_len = 16,
         .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
-        .init = aes_init_key,
+        .init = aes_cbc_init_key,
         .do_cipher = aes_cbc_cipher,
         .ctx_size = sizeof(EVP_AES_KEY),
 };
@@ -498,34 +267,17 @@ static const EVP_CIPHER aes_128_cbc = {
 const EVP_CIPHER *
 EVP_aes_128_cbc(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_cbc : &aes_128_cbc;
-#else
         return &aes_128_cbc;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_cbc);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_ecb = {
-        .nid = NID_aes_128_ecb,
-        .block_size = 16,
-        .key_len = 16,
-        .iv_len = 0,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aesni_ecb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_128_ecb = {
         .nid = NID_aes_128_ecb,
         .block_size = 16,
         .key_len = 16,
         .iv_len = 0,
         .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
-        .init = aes_init_key,
+        .init = aes_ecb_init_key,
         .do_cipher = aes_ecb_cipher,
         .ctx_size = sizeof(EVP_AES_KEY),
 };
@@ -533,27 +285,10 @@ static const EVP_CIPHER aes_128_ecb = {
 const EVP_CIPHER *
 EVP_aes_128_ecb(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_ecb : &aes_128_ecb;
-#else
         return &aes_128_ecb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_ecb);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_ofb = {
-        .nid = NID_aes_128_ofb128,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_ofb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_128_ofb = {
         .nid = NID_aes_128_ofb128,
         .block_size = 1,
@@ -568,27 +303,10 @@ static const EVP_CIPHER aes_128_ofb = {
 const EVP_CIPHER *
 EVP_aes_128_ofb(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_ofb : &aes_128_ofb;
-#else
         return &aes_128_ofb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_ofb);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_cfb = {
-        .nid = NID_aes_128_cfb128,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_128_cfb = {
         .nid = NID_aes_128_cfb128,
         .block_size = 1,
@@ -603,27 +321,10 @@ static const EVP_CIPHER aes_128_cfb = {
 const EVP_CIPHER *
 EVP_aes_128_cfb128(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_cfb : &aes_128_cfb;
-#else
         return &aes_128_cfb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_cfb128);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_cfb1 = {
-        .nid = NID_aes_128_cfb1,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb1_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_128_cfb1 = {
         .nid = NID_aes_128_cfb1,
         .block_size = 1,
@@ -638,27 +339,10 @@ static const EVP_CIPHER aes_128_cfb1 = {
 const EVP_CIPHER *
 EVP_aes_128_cfb1(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_cfb1 : &aes_128_cfb1;
-#else
         return &aes_128_cfb1;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_cfb1);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_cfb8 = {
-        .nid = NID_aes_128_cfb8,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb8_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_128_cfb8 = {
         .nid = NID_aes_128_cfb8,
         .block_size = 1,
@@ -673,27 +357,10 @@ static const EVP_CIPHER aes_128_cfb8 = {
 const EVP_CIPHER *
 EVP_aes_128_cfb8(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_cfb8 : &aes_128_cfb8;
-#else
         return &aes_128_cfb8;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_cfb8);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_ctr = {
-        .nid = NID_aes_128_ctr,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CTR_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_ctr_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_128_ctr = {
         .nid = NID_aes_128_ctr,
         .block_size = 1,
@@ -708,35 +375,17 @@ static const EVP_CIPHER aes_128_ctr = {
 const EVP_CIPHER *
 EVP_aes_128_ctr(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_ctr : &aes_128_ctr;
-#else
         return &aes_128_ctr;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_ctr);
 
-
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_cbc = {
-        .nid = NID_aes_192_cbc,
-        .block_size = 16,
-        .key_len = 24,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aesni_cbc_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_192_cbc = {
         .nid = NID_aes_192_cbc,
         .block_size = 16,
         .key_len = 24,
         .iv_len = 16,
         .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
-        .init = aes_init_key,
+        .init = aes_cbc_init_key,
         .do_cipher = aes_cbc_cipher,
         .ctx_size = sizeof(EVP_AES_KEY),
 };
@@ -744,34 +393,17 @@ static const EVP_CIPHER aes_192_cbc = {
 const EVP_CIPHER *
 EVP_aes_192_cbc(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_cbc : &aes_192_cbc;
-#else
         return &aes_192_cbc;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_cbc);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_ecb = {
-        .nid = NID_aes_192_ecb,
-        .block_size = 16,
-        .key_len = 24,
-        .iv_len = 0,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aesni_ecb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_192_ecb = {
         .nid = NID_aes_192_ecb,
         .block_size = 16,
         .key_len = 24,
         .iv_len = 0,
         .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
-        .init = aes_init_key,
+        .init = aes_ecb_init_key,
         .do_cipher = aes_ecb_cipher,
         .ctx_size = sizeof(EVP_AES_KEY),
 };
@@ -779,27 +411,10 @@ static const EVP_CIPHER aes_192_ecb = {
 const EVP_CIPHER *
 EVP_aes_192_ecb(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_ecb : &aes_192_ecb;
-#else
         return &aes_192_ecb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_ecb);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_ofb = {
-        .nid = NID_aes_192_ofb128,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_ofb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_192_ofb = {
         .nid = NID_aes_192_ofb128,
         .block_size = 1,
@@ -814,27 +429,10 @@ static const EVP_CIPHER aes_192_ofb = {
 const EVP_CIPHER *
 EVP_aes_192_ofb(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_ofb : &aes_192_ofb;
-#else
         return &aes_192_ofb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_ofb);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_cfb = {
-        .nid = NID_aes_192_cfb128,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_192_cfb = {
         .nid = NID_aes_192_cfb128,
         .block_size = 1,
@@ -849,27 +447,10 @@ static const EVP_CIPHER aes_192_cfb = {
 const EVP_CIPHER *
 EVP_aes_192_cfb128(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_cfb : &aes_192_cfb;
-#else
         return &aes_192_cfb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_cfb128);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_cfb1 = {
-        .nid = NID_aes_192_cfb1,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb1_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_192_cfb1 = {
         .nid = NID_aes_192_cfb1,
         .block_size = 1,
@@ -884,27 +465,10 @@ static const EVP_CIPHER aes_192_cfb1 = {
 const EVP_CIPHER *
 EVP_aes_192_cfb1(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_cfb1 : &aes_192_cfb1;
-#else
         return &aes_192_cfb1;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_cfb1);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_cfb8 = {
-        .nid = NID_aes_192_cfb8,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb8_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_192_cfb8 = {
         .nid = NID_aes_192_cfb8,
         .block_size = 1,
@@ -919,27 +483,10 @@ static const EVP_CIPHER aes_192_cfb8 = {
 const EVP_CIPHER *
 EVP_aes_192_cfb8(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_cfb8 : &aes_192_cfb8;
-#else
         return &aes_192_cfb8;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_cfb8);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_ctr = {
-        .nid = NID_aes_192_ctr,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CTR_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_ctr_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_192_ctr = {
         .nid = NID_aes_192_ctr,
         .block_size = 1,
@@ -954,35 +501,17 @@ static const EVP_CIPHER aes_192_ctr = {
 const EVP_CIPHER *
 EVP_aes_192_ctr(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_ctr : &aes_192_ctr;
-#else
         return &aes_192_ctr;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_ctr);
 
-
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_cbc = {
-        .nid = NID_aes_256_cbc,
-        .block_size = 16,
-        .key_len = 32,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aesni_cbc_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_256_cbc = {
         .nid = NID_aes_256_cbc,
         .block_size = 16,
         .key_len = 32,
         .iv_len = 16,
         .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
-        .init = aes_init_key,
+        .init = aes_cbc_init_key,
         .do_cipher = aes_cbc_cipher,
         .ctx_size = sizeof(EVP_AES_KEY),
 };
@@ -990,34 +519,17 @@ static const EVP_CIPHER aes_256_cbc = {
 const EVP_CIPHER *
 EVP_aes_256_cbc(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_cbc : &aes_256_cbc;
-#else
         return &aes_256_cbc;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_cbc);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_ecb = {
-        .nid = NID_aes_256_ecb,
-        .block_size = 16,
-        .key_len = 32,
-        .iv_len = 0,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aesni_ecb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_256_ecb = {
         .nid = NID_aes_256_ecb,
         .block_size = 16,
         .key_len = 32,
         .iv_len = 0,
         .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
-        .init = aes_init_key,
+        .init = aes_ecb_init_key,
         .do_cipher = aes_ecb_cipher,
         .ctx_size = sizeof(EVP_AES_KEY),
 };
@@ -1025,27 +537,10 @@ static const EVP_CIPHER aes_256_ecb = {
 const EVP_CIPHER *
 EVP_aes_256_ecb(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_ecb : &aes_256_ecb;
-#else
         return &aes_256_ecb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_ecb);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_ofb = {
-        .nid = NID_aes_256_ofb128,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_ofb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_256_ofb = {
         .nid = NID_aes_256_ofb128,
         .block_size = 1,
@@ -1060,27 +555,10 @@ static const EVP_CIPHER aes_256_ofb = {
 const EVP_CIPHER *
 EVP_aes_256_ofb(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_ofb : &aes_256_ofb;
-#else
         return &aes_256_ofb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_ofb);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_cfb = {
-        .nid = NID_aes_256_cfb128,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_256_cfb = {
         .nid = NID_aes_256_cfb128,
         .block_size = 1,
@@ -1095,27 +573,10 @@ static const EVP_CIPHER aes_256_cfb = {
 const EVP_CIPHER *
 EVP_aes_256_cfb128(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_cfb : &aes_256_cfb;
-#else
         return &aes_256_cfb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_cfb128);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_cfb1 = {
-        .nid = NID_aes_256_cfb1,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb1_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_256_cfb1 = {
         .nid = NID_aes_256_cfb1,
         .block_size = 1,
@@ -1130,27 +591,10 @@ static const EVP_CIPHER aes_256_cfb1 = {
 const EVP_CIPHER *
 EVP_aes_256_cfb1(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_cfb1 : &aes_256_cfb1;
-#else
         return &aes_256_cfb1;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_cfb1);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_cfb8 = {
-        .nid = NID_aes_256_cfb8,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb8_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_256_cfb8 = {
         .nid = NID_aes_256_cfb8,
         .block_size = 1,
@@ -1165,27 +609,10 @@ static const EVP_CIPHER aes_256_cfb8 = {
 const EVP_CIPHER *
 EVP_aes_256_cfb8(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_cfb8 : &aes_256_cfb8;
-#else
         return &aes_256_cfb8;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_cfb8);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_ctr = {
-        .nid = NID_aes_256_ctr,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CTR_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_ctr_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
-
 static const EVP_CIPHER aes_256_ctr = {
         .nid = NID_aes_256_ctr,
         .block_size = 1,
@@ -1200,11 +627,7 @@ static const EVP_CIPHER aes_256_ctr = {
 const EVP_CIPHER *
 EVP_aes_256_ctr(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_ctr : &aes_256_ctr;
-#else
         return &aes_256_ctr;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_ctr);
 
@@ -1385,19 +808,6 @@ aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
         }
 }
 
-static ctr128_f
-aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
-    const unsigned char *key, size_t key_len)
-{
-        AES_set_encrypt_key(key, key_len * 8, aes_key);
-        CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
-#ifdef AES_CTR_ASM
-        return (ctr128_f)AES_ctr32_encrypt;
-#else
-        return NULL;
-#endif
-}
-
 static int
 aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
     const unsigned char *iv, int enc)
@@ -1407,8 +817,8 @@ aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
         if (!iv && !key)
                 return 1;
         if (key) {
-                gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm,
-                    key, ctx->key_len);
+                AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
+                CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, aes_encrypt_block128);
 
                 /* If we have an iv can set it directly, otherwise use
                  * saved IV.
@@ -1468,14 +878,9 @@ aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
         if (ctx->encrypt) {
                 /* Encrypt payload */
-                if (gctx->ctr) {
-                        if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out,
-                            len, gctx->ctr))
-                                goto err;
-                } else {
-                        if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
-                                goto err;
-                }
+                if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out, len,
+                    aes_ctr32_encrypt_ctr128f))
+                        goto err;
                 out += len;
 
                 /* Finally write tag */
@@ -1483,19 +888,15 @@ aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
         } else {
                 /* Decrypt */
-                if (gctx->ctr) {
-                        if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out,
-                            len, gctx->ctr))
-                                goto err;
-                } else {
-                        if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
-                                goto err;
-                }
+                if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out, len,
+                    aes_ctr32_encrypt_ctr128f))
+                        goto err;
+
                 /* Retrieve tag */
                 CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
 
                 /* If tag mismatch wipe buffer */
-                if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
+                if (timingsafe_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN) != 0) {
                         explicit_bzero(out, len);
                         goto err;
                 }
@@ -1529,25 +930,13 @@ aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                         if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
                                 return -1;
                 } else if (ctx->encrypt) {
-                        if (gctx->ctr) {
-                                if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
-                                    in, out, len, gctx->ctr))
-                                        return -1;
-                        } else {
-                                if (CRYPTO_gcm128_encrypt(&gctx->gcm,
-                                    in, out, len))
-                                        return -1;
-                        }
+                        if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
+                            in, out, len, aes_ctr32_encrypt_ctr128f))
+                                return -1;
                 } else {
-                        if (gctx->ctr) {
-                                if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
-                                    in, out, len, gctx->ctr))
-                                        return -1;
-                        } else {
-                                if (CRYPTO_gcm128_decrypt(&gctx->gcm,
-                                    in, out, len))
-                                        return -1;
-                        }
+                        if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
+                            in, out, len, aes_ctr32_encrypt_ctr128f))
+                                return -1;
                 }
                 return len;
         } else {
@@ -1576,22 +965,6 @@ aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
       EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \
       EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
 
-
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_gcm = {
-        .nid = NID_aes_128_gcm,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 12,
-        .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
-        .init = aesni_gcm_init_key,
-        .do_cipher = aes_gcm_cipher,
-        .cleanup = aes_gcm_cleanup,
-        .ctx_size = sizeof(EVP_AES_GCM_CTX),
-        .ctrl = aes_gcm_ctrl,
-};
-#endif
-
 static const EVP_CIPHER aes_128_gcm = {
         .nid = NID_aes_128_gcm,
         .block_size = 1,
@@ -1608,29 +981,10 @@ static const EVP_CIPHER aes_128_gcm = {
 const EVP_CIPHER *
 EVP_aes_128_gcm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_gcm : &aes_128_gcm;
-#else
         return &aes_128_gcm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_gcm);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_gcm = {
-        .nid = NID_aes_192_gcm,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 12,
-        .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
-        .init = aesni_gcm_init_key,
-        .do_cipher = aes_gcm_cipher,
-        .cleanup = aes_gcm_cleanup,
-        .ctx_size = sizeof(EVP_AES_GCM_CTX),
-        .ctrl = aes_gcm_ctrl,
-};
-#endif
-
 static const EVP_CIPHER aes_192_gcm = {
         .nid = NID_aes_192_gcm,
         .block_size = 1,
@@ -1647,29 +1001,10 @@ static const EVP_CIPHER aes_192_gcm = {
 const EVP_CIPHER *
 EVP_aes_192_gcm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm;
-#else
         return &aes_192_gcm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_gcm);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_gcm = {
-        .nid = NID_aes_256_gcm,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 12,
-        .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
-        .init = aesni_gcm_init_key,
-        .do_cipher = aes_gcm_cipher,
-        .cleanup = aes_gcm_cleanup,
-        .ctx_size = sizeof(EVP_AES_GCM_CTX),
-        .ctrl = aes_gcm_ctrl,
-};
-#endif
-
 static const EVP_CIPHER aes_256_gcm = {
         .nid = NID_aes_256_gcm,
         .block_size = 1,
@@ -1686,11 +1021,7 @@ static const EVP_CIPHER aes_256_gcm = {
 const EVP_CIPHER *
 EVP_aes_256_gcm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm;
-#else
         return &aes_256_gcm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_gcm);
 
@@ -1732,36 +1063,24 @@ aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 
 static int
 aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *iv, int enc)
+    const unsigned char *iv, int encrypt)
 {
         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
 
-        if (!iv && !key)
-                return 1;
-
-        if (key) {
-#ifdef AES_XTS_ASM
-                xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
-#else
-                xctx->stream = NULL;
-#endif
+        if (key != NULL) {
                 /* key_len is two AES keys */
-                if (enc) {
+                if (encrypt)
                         AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
-                        xctx->xts.block1 = (block128_f)AES_encrypt;
-                } else {
+                else
                         AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
-                        xctx->xts.block1 = (block128_f)AES_decrypt;
-                }
 
-                AES_set_encrypt_key(key + ctx->key_len / 2,
-                    ctx->key_len * 4, &xctx->ks2);
-                xctx->xts.block2 = (block128_f)AES_encrypt;
+                AES_set_encrypt_key(key + ctx->key_len / 2, ctx->key_len * 4,
+                    &xctx->ks2);
 
                 xctx->xts.key1 = &xctx->ks1;
         }
 
-        if (iv) {
+        if (iv != NULL) {
                 xctx->xts.key2 = &xctx->ks2;
                 memcpy(ctx->iv, iv, 16);
         }
@@ -1775,17 +1094,15 @@ aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 {
         EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
 
-        if (!xctx->xts.key1 || !xctx->xts.key2)
-                return 0;
-        if (!out || !in || len < AES_BLOCK_SIZE)
+        if (xctx->xts.key1 == NULL || xctx->xts.key2 == NULL)
                 return 0;
 
-        if (xctx->stream)
-                (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2,
-                    ctx->iv);
-        else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
-            ctx->encrypt))
+        if (out == NULL || in == NULL || len < AES_BLOCK_SIZE)
                 return 0;
+
+        aes_xts_encrypt_internal(in, out, len, xctx->xts.key1, xctx->xts.key2,
+            ctx->iv, ctx->encrypt);
+
         return 1;
 }
 
@@ -1793,22 +1110,6 @@ aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
     ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \
       EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
 
-
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_xts = {
-        .nid = NID_aes_128_xts,
-        .block_size = 1,
-        .key_len = 2 * 16,
-        .iv_len = 16,
-        .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
-        .init = aesni_xts_init_key,
-        .do_cipher = aes_xts_cipher,
-        .cleanup = NULL,
-        .ctx_size = sizeof(EVP_AES_XTS_CTX),
-        .ctrl = aes_xts_ctrl,
-};
-#endif
-
 static const EVP_CIPHER aes_128_xts = {
         .nid = NID_aes_128_xts,
         .block_size = 1,
@@ -1825,29 +1126,10 @@ static const EVP_CIPHER aes_128_xts = {
 const EVP_CIPHER *
 EVP_aes_128_xts(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_xts : &aes_128_xts;
-#else
         return &aes_128_xts;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_xts);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_xts = {
-        .nid = NID_aes_256_xts,
-        .block_size = 1,
-        .key_len = 2 * 32,
-        .iv_len = 16,
-        .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
-        .init = aesni_xts_init_key,
-        .do_cipher = aes_xts_cipher,
-        .cleanup = NULL,
-        .ctx_size = sizeof(EVP_AES_XTS_CTX),
-        .ctrl = aes_xts_ctrl,
-};
-#endif
-
 static const EVP_CIPHER aes_256_xts = {
         .nid = NID_aes_256_xts,
         .block_size = 1,
@@ -1864,11 +1146,7 @@ static const EVP_CIPHER aes_256_xts = {
 const EVP_CIPHER *
 EVP_aes_256_xts(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts;
-#else
         return &aes_256_xts;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_xts);
 
@@ -1951,8 +1229,7 @@ aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
         if (key) {
                 AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
                 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
-                    &cctx->ks, (block128_f)AES_encrypt);
-                cctx->str = NULL;
+                    &cctx->ks, aes_encrypt_block128);
                 cctx->key_set = 1;
         }
         if (iv) {
@@ -1970,7 +1247,14 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
         CCM128_CONTEXT *ccm = &cctx->ccm;
 
         /* If not set up, return error */
-        if (!cctx->iv_set && !cctx->key_set)
+        if (!cctx->key_set)
+                return -1;
+
+        /* EVP_*Final() doesn't return any data */
+        if (in == NULL && out != NULL)
+                return 0;
+
+        if (!cctx->iv_set)
                 return -1;
         if (!ctx->encrypt && !cctx->tag_set)
                 return -1;
@@ -1989,9 +1273,7 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 CRYPTO_ccm128_aad(ccm, in, len);
                 return len;
         }
-        /* EVP_*Final() doesn't return any data */
-        if (!in)
-                return 0;
+
         /* If not set length yet do it */
         if (!cctx->len_set) {
                 if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
@@ -1999,18 +1281,18 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 cctx->len_set = 1;
         }
         if (ctx->encrypt) {
-                if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
-                    cctx->str) : CRYPTO_ccm128_encrypt(ccm, in, out, len))
+                if (CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
+                    aes_ccm64_encrypt_ccm128f) != 0)
                         return -1;
                 cctx->tag_set = 1;
                 return len;
         } else {
                 int rv = -1;
-                if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
-                    cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
+                if (CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
+                    aes_ccm64_decrypt_ccm128f) == 0) {
                         unsigned char tag[16];
                         if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
-                                if (!memcmp(tag, ctx->buf, cctx->M))
+                                if (timingsafe_memcmp(tag, ctx->buf, cctx->M) == 0)
                                         rv = len;
                         }
                 }
@@ -2021,24 +1303,8 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                 cctx->len_set = 0;
                 return rv;
         }
-
 }
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_ccm = {
-        .nid = NID_aes_128_ccm,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 12,
-        .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
-        .init = aesni_ccm_init_key,
-        .do_cipher = aes_ccm_cipher,
-        .cleanup = NULL,
-        .ctx_size = sizeof(EVP_AES_CCM_CTX),
-        .ctrl = aes_ccm_ctrl,
-};
-#endif
-
 static const EVP_CIPHER aes_128_ccm = {
         .nid = NID_aes_128_ccm,
         .block_size = 1,
@@ -2055,29 +1321,10 @@ static const EVP_CIPHER aes_128_ccm = {
 const EVP_CIPHER *
 EVP_aes_128_ccm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_ccm : &aes_128_ccm;
-#else
         return &aes_128_ccm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_ccm);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_ccm = {
-        .nid = NID_aes_192_ccm,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 12,
-        .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
-        .init = aesni_ccm_init_key,
-        .do_cipher = aes_ccm_cipher,
-        .cleanup = NULL,
-        .ctx_size = sizeof(EVP_AES_CCM_CTX),
-        .ctrl = aes_ccm_ctrl,
-};
-#endif
-
 static const EVP_CIPHER aes_192_ccm = {
         .nid = NID_aes_192_ccm,
         .block_size = 1,
@@ -2094,29 +1341,10 @@ static const EVP_CIPHER aes_192_ccm = {
 const EVP_CIPHER *
 EVP_aes_192_ccm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_ccm : &aes_192_ccm;
-#else
         return &aes_192_ccm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_ccm);
 
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_ccm = {
-        .nid = NID_aes_256_ccm,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 12,
-        .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
-        .init = aesni_ccm_init_key,
-        .do_cipher = aes_ccm_cipher,
-        .cleanup = NULL,
-        .ctx_size = sizeof(EVP_AES_CCM_CTX),
-        .ctrl = aes_ccm_ctrl,
-};
-#endif
-
 static const EVP_CIPHER aes_256_ccm = {
         .nid = NID_aes_256_ccm,
         .block_size = 1,
@@ -2133,11 +1361,7 @@ static const EVP_CIPHER aes_256_ccm = {
 const EVP_CIPHER *
 EVP_aes_256_ccm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_ccm : &aes_256_ccm;
-#else
         return &aes_256_ccm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_ccm);
 
@@ -2149,7 +1373,6 @@ struct aead_aes_gcm_ctx {
                 AES_KEY ks;
         } ks;
         GCM128_CONTEXT gcm;
-        ctr128_f ctr;
         unsigned char tag_len;
 };
 
@@ -2177,18 +1400,8 @@ aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len,
         if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL)
                 return 0;
 
-#ifdef AESNI_CAPABLE
-        if (AESNI_CAPABLE) {
-                aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks);
-                CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks,
-                    (block128_f)aesni_encrypt);
-                gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
-        } else
-#endif
-        {
-                gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm,
-                    key, key_len);
-        }
+        AES_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks);
+        CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks, aes_encrypt_block128);
         gcm_ctx->tag_len = tag_len;
         ctx->aead_state = gcm_ctx;
 
@@ -2229,15 +1442,9 @@ aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
         if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
                 return 0;
 
-        if (gcm_ctx->ctr) {
-                if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
-                    in_len - bulk, gcm_ctx->ctr))
-                        return 0;
-        } else {
-                if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk,
-                    in_len - bulk))
-                        return 0;
-        }
+        if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
+            in_len - bulk, aes_ctr32_encrypt_ctr128f))
+                return 0;
 
         CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
         *out_len = in_len + gcm_ctx->tag_len;
@@ -2280,15 +1487,9 @@ aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
         if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))
                 return 0;
 
-        if (gcm_ctx->ctr) {
-                if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
-                    in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr))
-                        return 0;
-        } else {
-                if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
-                    in_len - bulk - gcm_ctx->tag_len))
-                        return 0;
-        }
+        if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
+            in_len - bulk - gcm_ctx->tag_len, aes_ctr32_encrypt_ctr128f))
+                return 0;
 
         CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
         if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) {
diff --git a/src/lib/libcrypto/evp/e_bf.c b/src/lib/libcrypto/evp/e_bf.c
index 4f3799975b..8c32a5658e 100644
--- a/src/lib/libcrypto/evp/e_bf.c
+++ b/src/lib/libcrypto/evp/e_bf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_bf.c,v 1.19 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_bf.c,v 1.20 2025/05/27 03:58:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -162,13 +162,14 @@ static const EVP_CIPHER bf_cbc = {
         .block_size = 8,
         .key_len = 16,
         .iv_len = 8,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CBC_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = bf_init_key,
         .do_cipher = bf_cbc_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_BF_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -184,13 +185,14 @@ static const EVP_CIPHER bf_cfb64 = {
         .block_size = 1,
         .key_len = 16,
         .iv_len = 8,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = bf_init_key,
         .do_cipher = bf_cfb64_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_BF_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -206,13 +208,14 @@ static const EVP_CIPHER bf_ofb = {
         .block_size = 1,
         .key_len = 16,
         .iv_len = 8,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_OFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = bf_init_key,
         .do_cipher = bf_ofb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_BF_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -228,13 +231,14 @@ static const EVP_CIPHER bf_ecb = {
         .block_size = 8,
         .key_len = 16,
         .iv_len = 0,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_ECB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = bf_init_key,
         .do_cipher = bf_ecb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_BF_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
diff --git a/src/lib/libcrypto/evp/e_camellia.c b/src/lib/libcrypto/evp/e_camellia.c
index 55dcc79922..8da46275a3 100644
--- a/src/lib/libcrypto/evp/e_camellia.c
+++ b/src/lib/libcrypto/evp/e_camellia.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_camellia.c,v 1.20 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_camellia.c,v 1.22 2025/05/27 03:58:12 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
  *
@@ -59,9 +59,9 @@
 
 #ifndef OPENSSL_NO_CAMELLIA
 #include <openssl/evp.h>
-#include <openssl/err.h>
 #include <openssl/camellia.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 
 /* Camellia subkey Structure */
@@ -163,13 +163,13 @@ static const EVP_CIPHER camellia_128_cbc = {
         .block_size = 16,
         .key_len = 16,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_128_cbc_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -185,13 +185,13 @@ static const EVP_CIPHER camellia_128_cfb128 = {
         .block_size = 1,
         .key_len = 16,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_128_cfb128_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -207,13 +207,13 @@ static const EVP_CIPHER camellia_128_ofb = {
         .block_size = 1,
         .key_len = 16,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_128_ofb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -229,13 +229,13 @@ static const EVP_CIPHER camellia_128_ecb = {
         .block_size = 16,
         .key_len = 16,
         .iv_len = 0,
-        .flags = 0 | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_128_ecb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -321,13 +321,13 @@ static const EVP_CIPHER camellia_192_cbc = {
         .block_size = 16,
         .key_len = 24,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_192_cbc_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -343,13 +343,13 @@ static const EVP_CIPHER camellia_192_cfb128 = {
         .block_size = 1,
         .key_len = 24,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_192_cfb128_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -365,13 +365,13 @@ static const EVP_CIPHER camellia_192_ofb = {
         .block_size = 1,
         .key_len = 24,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_192_ofb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -387,13 +387,13 @@ static const EVP_CIPHER camellia_192_ecb = {
         .block_size = 16,
         .key_len = 24,
         .iv_len = 0,
-        .flags = 0 | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_192_ecb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -479,13 +479,13 @@ static const EVP_CIPHER camellia_256_cbc = {
         .block_size = 16,
         .key_len = 32,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_256_cbc_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -501,13 +501,13 @@ static const EVP_CIPHER camellia_256_cfb128 = {
         .block_size = 1,
         .key_len = 32,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_256_cfb128_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -523,13 +523,13 @@ static const EVP_CIPHER camellia_256_ofb = {
         .block_size = 1,
         .key_len = 32,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_256_ofb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -545,13 +545,13 @@ static const EVP_CIPHER camellia_256_ecb = {
         .block_size = 16,
         .key_len = 32,
         .iv_len = 0,
-        .flags = 0 | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_256_ecb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -589,13 +589,13 @@ static const EVP_CIPHER camellia_128_cfb1 = {
         .block_size = 1,
         .key_len = 128/8,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_128_cfb1_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -633,13 +633,13 @@ static const EVP_CIPHER camellia_192_cfb1 = {
         .block_size = 1,
         .key_len = 192/8,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_192_cfb1_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -677,13 +677,13 @@ static const EVP_CIPHER camellia_256_cfb1 = {
         .block_size = 1,
         .key_len = 256/8,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_256_cfb1_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -720,13 +720,13 @@ static const EVP_CIPHER camellia_128_cfb8 = {
         .block_size = 1,
         .key_len = 128/8,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_128_cfb8_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -762,13 +762,13 @@ static const EVP_CIPHER camellia_192_cfb8 = {
         .block_size = 1,
         .key_len = 192/8,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_192_cfb8_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -804,13 +804,13 @@ static const EVP_CIPHER camellia_256_cfb8 = {
         .block_size = 1,
         .key_len = 256/8,
         .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = camellia_init_key,
         .do_cipher = camellia_256_cfb8_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
diff --git a/src/lib/libcrypto/evp/e_cast.c b/src/lib/libcrypto/evp/e_cast.c
index 1575a7a5bb..283cb8cf63 100644
--- a/src/lib/libcrypto/evp/e_cast.c
+++ b/src/lib/libcrypto/evp/e_cast.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_cast.c,v 1.18 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_cast.c,v 1.19 2025/05/27 03:58:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -162,13 +162,14 @@ static const EVP_CIPHER cast5_cbc = {
         .block_size = 8,
         .key_len = CAST_KEY_LENGTH,
         .iv_len = 8,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CBC_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = cast_init_key,
         .do_cipher = cast5_cbc_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAST_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -184,13 +185,14 @@ static const EVP_CIPHER cast5_cfb64 = {
         .block_size = 1,
         .key_len = CAST_KEY_LENGTH,
         .iv_len = 8,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = cast_init_key,
         .do_cipher = cast5_cfb64_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAST_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -206,13 +208,14 @@ static const EVP_CIPHER cast5_ofb = {
         .block_size = 1,
         .key_len = CAST_KEY_LENGTH,
         .iv_len = 8,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_OFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = cast_init_key,
         .do_cipher = cast5_ofb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAST_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -228,13 +231,14 @@ static const EVP_CIPHER cast5_ecb = {
         .block_size = 8,
         .key_len = CAST_KEY_LENGTH,
         .iv_len = 0,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_ECB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = cast_init_key,
         .do_cipher = cast5_ecb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(EVP_CAST_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
diff --git a/src/lib/libcrypto/evp/e_chacha20poly1305.c b/src/lib/libcrypto/evp/e_chacha20poly1305.c
index d176569f90..d3a1e44875 100644
--- a/src/lib/libcrypto/evp/e_chacha20poly1305.c
+++ b/src/lib/libcrypto/evp/e_chacha20poly1305.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_chacha20poly1305.c,v 1.37 2024/12/20 20:05:29 schwarze Exp $ */
+/* $OpenBSD: e_chacha20poly1305.c,v 1.38 2025/05/10 05:54:38 tb Exp $ */
 
 /*
  * Copyright (c) 2022 Joel Sing <jsing@openbsd.org>
@@ -26,12 +26,12 @@
 
 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
 
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/chacha.h>
 #include <openssl/poly1305.h>
 
 #include "bytestring.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 #define POLY1305_TAG_LEN 16
diff --git a/src/lib/libcrypto/evp/e_des.c b/src/lib/libcrypto/evp/e_des.c
index fb335e95b1..680f77a723 100644
--- a/src/lib/libcrypto/evp/e_des.c
+++ b/src/lib/libcrypto/evp/e_des.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_des.c,v 1.24 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_des.c,v 1.25 2025/05/27 03:58:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -226,13 +226,14 @@ static const EVP_CIPHER des_cbc = {
         .block_size = 8,
         .key_len = 8,
         .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_init_key,
         .do_cipher = des_cbc_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_key_schedule),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des_ctrl,
 };
 
@@ -248,13 +249,14 @@ static const EVP_CIPHER des_cfb64 = {
         .block_size = 1,
         .key_len = 8,
         .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_init_key,
         .do_cipher = des_cfb64_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_key_schedule),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des_ctrl,
 };
 
@@ -270,13 +272,14 @@ static const EVP_CIPHER des_ofb = {
         .block_size = 1,
         .key_len = 8,
         .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_OFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_init_key,
         .do_cipher = des_ofb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_key_schedule),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des_ctrl,
 };
 
@@ -292,13 +295,14 @@ static const EVP_CIPHER des_ecb = {
         .block_size = 8,
         .key_len = 8,
         .iv_len = 0,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_init_key,
         .do_cipher = des_ecb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_key_schedule),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des_ctrl,
 };
 
@@ -314,13 +318,14 @@ static const EVP_CIPHER des_cfb1 = {
         .block_size = 1,
         .key_len = 8,
         .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_init_key,
         .do_cipher = des_cfb1_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_key_schedule),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des_ctrl,
 };
 
@@ -336,13 +341,14 @@ static const EVP_CIPHER des_cfb8 = {
         .block_size = 1,
         .key_len = 8,
         .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_init_key,
         .do_cipher = des_cfb8_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_key_schedule),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des_ctrl,
 };
 
diff --git a/src/lib/libcrypto/evp/e_des3.c b/src/lib/libcrypto/evp/e_des3.c
index 48fbcdb366..f3eb4cce1b 100644
--- a/src/lib/libcrypto/evp/e_des3.c
+++ b/src/lib/libcrypto/evp/e_des3.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_des3.c,v 1.30 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_des3.c,v 1.31 2025/05/27 03:58:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -258,13 +258,14 @@ static const EVP_CIPHER des_ede_cbc = {
         .block_size = 8,
         .key_len = 16,
         .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE |
+           EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_ede_init_key,
         .do_cipher = des_ede_cbc_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des3_ctrl,
 };
 
@@ -280,13 +281,14 @@ static const EVP_CIPHER des_ede_cfb64 = {
         .block_size = 1,
         .key_len = 16,
         .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_ede_init_key,
         .do_cipher = des_ede_cfb64_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des3_ctrl,
 };
 
@@ -307,8 +309,8 @@ static const EVP_CIPHER des_ede_ofb = {
         .do_cipher = des_ede_ofb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des3_ctrl,
 };
 
@@ -324,13 +326,14 @@ static const EVP_CIPHER des_ede_ecb = {
         .block_size = 8,
         .key_len = 16,
         .iv_len = 0,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_ede_init_key,
         .do_cipher = des_ede_ecb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des3_ctrl,
 };
 
@@ -352,13 +355,14 @@ static const EVP_CIPHER des_ede3_cbc = {
         .block_size = 8,
         .key_len = 24,
         .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_ede3_init_key,
         .do_cipher = des_ede3_cbc_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des3_ctrl,
 };
 
@@ -374,13 +378,14 @@ static const EVP_CIPHER des_ede3_cfb64 = {
         .block_size = 1,
         .key_len = 24,
         .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_ede3_init_key,
         .do_cipher = des_ede3_cfb64_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des3_ctrl,
 };
 
@@ -396,13 +401,14 @@ static const EVP_CIPHER des_ede3_ofb = {
         .block_size = 1,
         .key_len = 24,
         .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_OFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_ede3_init_key,
         .do_cipher = des_ede3_ofb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des3_ctrl,
 };
 
@@ -418,13 +424,14 @@ static const EVP_CIPHER des_ede3_ecb = {
         .block_size = 8,
         .key_len = 24,
         .iv_len = 0,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_ede3_init_key,
         .do_cipher = des_ede3_ecb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des3_ctrl,
 };
 
@@ -441,13 +448,14 @@ static const EVP_CIPHER des_ede3_cfb1 = {
         .block_size = 1,
         .key_len = 24,
         .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_ede3_init_key,
         .do_cipher = des_ede3_cfb1_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des3_ctrl,
 };
 
@@ -464,13 +472,14 @@ static const EVP_CIPHER des_ede3_cfb8 = {
         .block_size = 1,
         .key_len = 24,
         .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = des_ede3_init_key,
         .do_cipher = des_ede3_cfb8_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = des3_ctrl,
 };
 
diff --git a/src/lib/libcrypto/evp/e_idea.c b/src/lib/libcrypto/evp/e_idea.c
index 86cf77602a..5d33a110fd 100644
--- a/src/lib/libcrypto/evp/e_idea.c
+++ b/src/lib/libcrypto/evp/e_idea.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_idea.c,v 1.22 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_idea.c,v 1.23 2025/05/27 03:58:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -181,13 +181,13 @@ static const EVP_CIPHER idea_cbc = {
         .block_size = 8,
         .key_len = 16,
         .iv_len = 8,
-        .flags = 0 | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = idea_init_key,
         .do_cipher = idea_cbc_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(IDEA_KEY_SCHEDULE),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -203,13 +203,13 @@ static const EVP_CIPHER idea_cfb64 = {
         .block_size = 1,
         .key_len = 16,
         .iv_len = 8,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = idea_init_key,
         .do_cipher = idea_cfb64_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(IDEA_KEY_SCHEDULE),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -225,13 +225,13 @@ static const EVP_CIPHER idea_ofb = {
         .block_size = 1,
         .key_len = 16,
         .iv_len = 8,
-        .flags = 0 | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = idea_init_key,
         .do_cipher = idea_ofb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(IDEA_KEY_SCHEDULE),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
@@ -247,13 +247,13 @@ static const EVP_CIPHER idea_ecb = {
         .block_size = 8,
         .key_len = 16,
         .iv_len = 0,
-        .flags = 0 | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = idea_init_key,
         .do_cipher = idea_ecb_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(IDEA_KEY_SCHEDULE),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
diff --git a/src/lib/libcrypto/evp/e_rc2.c b/src/lib/libcrypto/evp/e_rc2.c
index dc404cff20..b7ba60297a 100644
--- a/src/lib/libcrypto/evp/e_rc2.c
+++ b/src/lib/libcrypto/evp/e_rc2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_rc2.c,v 1.29 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_rc2.c,v 1.30 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,11 +63,11 @@
 
 #ifndef OPENSSL_NO_RC2
 
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/rc2.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 
 static int rc2_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
diff --git a/src/lib/libcrypto/evp/e_xcbc_d.c b/src/lib/libcrypto/evp/e_xcbc_d.c
index 1e3bee0791..1c5e6c32b2 100644
--- a/src/lib/libcrypto/evp/e_xcbc_d.c
+++ b/src/lib/libcrypto/evp/e_xcbc_d.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_xcbc_d.c,v 1.18 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_xcbc_d.c,v 1.19 2025/05/27 03:58:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -88,13 +88,13 @@ static const EVP_CIPHER d_xcbc_cipher = {
         .block_size = 8,
         .key_len = 24,
         .iv_len = 8,
-        .flags = EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
         .init = desx_cbc_init_key,
         .do_cipher = desx_cbc_cipher,
         .cleanup = NULL,
         .ctx_size = sizeof(DESX_CBC_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .set_asn1_parameters = NULL,
+        .get_asn1_parameters = NULL,
         .ctrl = NULL,
 };
 
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index c2b81d0576..94295e1262 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp.h,v 1.137 2024/08/31 10:38:49 tb Exp $ */
+/* $OpenBSD: evp.h,v 1.138 2025/07/02 06:36:52 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -778,28 +778,24 @@ void *EVP_PKEY_get0(const EVP_PKEY *pkey);
 const unsigned char *EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len);
 
 #ifndef OPENSSL_NO_RSA
-struct rsa_st;
-struct rsa_st *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
-struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
-int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, struct rsa_st *key);
+RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey);
+RSA *EVP_PKEY_get1_RSA(const EVP_PKEY *pkey);
+int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key);
 #endif
 #ifndef OPENSSL_NO_DSA
-struct dsa_st;
-struct dsa_st *EVP_PKEY_get0_DSA(EVP_PKEY *pkey);
-struct dsa_st *EVP_PKEY_get1_DSA(EVP_PKEY *pkey);
-int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, struct dsa_st *key);
+DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey);
+DSA *EVP_PKEY_get1_DSA(const EVP_PKEY *pkey);
+int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key);
 #endif
 #ifndef OPENSSL_NO_DH
-struct dh_st;
-struct dh_st *EVP_PKEY_get0_DH(EVP_PKEY *pkey);
-struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey);
-int EVP_PKEY_set1_DH(EVP_PKEY *pkey, struct dh_st *key);
+DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey);
+DH *EVP_PKEY_get1_DH(const EVP_PKEY *pkey);
+int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key);
 #endif
 #ifndef OPENSSL_NO_EC
-struct ec_key_st;
-struct ec_key_st *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey);
-struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
-int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, struct ec_key_st *key);
+EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey);
+EC_KEY *EVP_PKEY_get1_EC_KEY(const EVP_PKEY *pkey);
+int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key);
 #endif
 
 EVP_PKEY *EVP_PKEY_new(void);
diff --git a/src/lib/libcrypto/evp/evp_aead.c b/src/lib/libcrypto/evp/evp_aead.c
index b35f5157ed..fdac082217 100644
--- a/src/lib/libcrypto/evp/evp_aead.c
+++ b/src/lib/libcrypto/evp/evp_aead.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_aead.c,v 1.11 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: evp_aead.c,v 1.12 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -19,8 +19,8 @@
 #include <string.h>
 
 #include <openssl/evp.h>
-#include <openssl/err.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 
 size_t
diff --git a/src/lib/libcrypto/evp/evp_cipher.c b/src/lib/libcrypto/evp/evp_cipher.c
index e9c266d1b9..04e0e1c0b0 100644
--- a/src/lib/libcrypto/evp/evp_cipher.c
+++ b/src/lib/libcrypto/evp/evp_cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_cipher.c,v 1.23 2024/04/10 15:00:38 beck Exp $ */
+/* $OpenBSD: evp_cipher.c,v 1.28 2025/07/02 06:19:46 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -115,10 +115,10 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 int
@@ -167,7 +167,7 @@ EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *engine,
                 }
 
                 if ((ctx->cipher->flags & EVP_CIPH_CTRL_INIT) != 0) {
-                        if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
+                        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL) <= 0) {
                                 EVPerror(EVP_R_INITIALIZATION_ERROR);
                                 return 0;
                         }
@@ -944,14 +944,20 @@ EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx)
 LCRYPTO_ALIAS(EVP_CIPHER_CTX_flags);
 
 /*
- * Used by CMS and its predecessors. Only GOST and RC2 have a custom method.
+ * Used by CMS and its predecessors. Only RC2 has a custom method.
  */
 
 int
-EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
+EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
 {
         int iv_len;
 
+        if (ctx->cipher->get_asn1_parameters != NULL)
+                return ctx->cipher->get_asn1_parameters(ctx, type);
+
+        if ((ctx->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) == 0)
+                return -1;
+
         if (type == NULL)
                 return 0;
 
@@ -970,21 +976,15 @@ EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
 }
 
 int
-EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
+EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
 {
-        if (ctx->cipher->get_asn1_parameters != NULL)
-                return ctx->cipher->get_asn1_parameters(ctx, type);
-
-        if ((ctx->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) != 0)
-                return EVP_CIPHER_get_asn1_iv(ctx, type);
+        int iv_len;
 
-        return -1;
-}
+        if (ctx->cipher->set_asn1_parameters != NULL)
+                return ctx->cipher->set_asn1_parameters(ctx, type);
 
-int
-EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
-{
-        int iv_len;
+        if ((ctx->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) == 0)
+                return -1;
 
         if (type == NULL)
                 return 0;
@@ -998,18 +998,6 @@ EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
         return ASN1_TYPE_set_octetstring(type, ctx->oiv, iv_len);
 }
 
-int
-EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
-{
-        if (ctx->cipher->set_asn1_parameters != NULL)
-                return ctx->cipher->set_asn1_parameters(ctx, type);
-
-        if ((ctx->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) != 0)
-                return EVP_CIPHER_set_asn1_iv(ctx, type);
-
-        return -1;
-}
-
 /* Convert the various cipher NIDs and dummies to a proper OID NID */
 int
 EVP_CIPHER_type(const EVP_CIPHER *cipher)
diff --git a/src/lib/libcrypto/evp/evp_digest.c b/src/lib/libcrypto/evp/evp_digest.c
index 0a97d25c7d..8bd6691fbf 100644
--- a/src/lib/libcrypto/evp/evp_digest.c
+++ b/src/lib/libcrypto/evp/evp_digest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_digest.c,v 1.14 2024/04/10 15:00:38 beck Exp $ */
+/* $OpenBSD: evp_digest.c,v 1.15 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -114,10 +114,10 @@
 
 #include <openssl/opensslconf.h>
 
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 
 int
diff --git a/src/lib/libcrypto/evp/evp_key.c b/src/lib/libcrypto/evp/evp_key.c
index e7c7ec3294..128bec0ac3 100644
--- a/src/lib/libcrypto/evp/evp_key.c
+++ b/src/lib/libcrypto/evp/evp_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_key.c,v 1.36 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: evp_key.c,v 1.37 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,12 +59,12 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/ui.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 
 /* should be init to zeros. */
diff --git a/src/lib/libcrypto/evp/evp_local.h b/src/lib/libcrypto/evp/evp_local.h
index 54cd65d0af..76465643c6 100644
--- a/src/lib/libcrypto/evp/evp_local.h
+++ b/src/lib/libcrypto/evp/evp_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_local.h,v 1.25 2024/08/29 16:58:19 tb Exp $ */
+/* $OpenBSD: evp_local.h,v 1.26 2025/05/27 03:58:12 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -353,9 +353,7 @@ struct evp_aead_ctx_st {
 };
 
 /* Legacy EVP_CIPHER methods used by CMS and its predecessors. */
-int EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *cipher, ASN1_TYPE *type);
 int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *cipher, ASN1_TYPE *type);
-int EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *cipher, ASN1_TYPE *type);
 int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *cipher, ASN1_TYPE *type);
 
 int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
diff --git a/src/lib/libcrypto/evp/evp_names.c b/src/lib/libcrypto/evp/evp_names.c
index 817d33602c..8757d191dd 100644
--- a/src/lib/libcrypto/evp/evp_names.c
+++ b/src/lib/libcrypto/evp/evp_names.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: evp_names.c,v 1.18 2024/08/31 10:38:49 tb Exp $ */
+/*      $OpenBSD: evp_names.c,v 1.19 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
  *
@@ -15,7 +15,6 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 
diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c
index 88ceb14033..cb2ace1fd0 100644
--- a/src/lib/libcrypto/evp/evp_pbe.c
+++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_pbe.c,v 1.50 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: evp_pbe.c,v 1.51 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,13 +60,13 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs12.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "hmac_local.h"
 #include "pkcs12_local.h"
diff --git a/src/lib/libcrypto/evp/evp_pkey.c b/src/lib/libcrypto/evp/evp_pkey.c
index a1e127352a..1c0b8b41e9 100644
--- a/src/lib/libcrypto/evp/evp_pkey.c
+++ b/src/lib/libcrypto/evp/evp_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_pkey.c,v 1.33 2025/02/04 04:51:34 tb Exp $ */
+/* $OpenBSD: evp_pkey.c,v 1.34 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,10 +60,10 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 /* Extract a private key from a PKCS8 structure */
diff --git a/src/lib/libcrypto/evp/m_sigver.c b/src/lib/libcrypto/evp/m_sigver.c
index a3353854f1..66e4752242 100644
--- a/src/lib/libcrypto/evp/m_sigver.c
+++ b/src/lib/libcrypto/evp/m_sigver.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: m_sigver.c,v 1.27 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: m_sigver.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -58,11 +58,11 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 
 static int
diff --git a/src/lib/libcrypto/evp/p_legacy.c b/src/lib/libcrypto/evp/p_legacy.c
index 01cfdbcd6a..7c958a16e3 100644
--- a/src/lib/libcrypto/evp/p_legacy.c
+++ b/src/lib/libcrypto/evp/p_legacy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: p_legacy.c,v 1.6 2024/04/09 13:52:41 beck Exp $ */
+/*      $OpenBSD: p_legacy.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,10 +59,10 @@
 #include <stdlib.h>
 
 #include <openssl/evp.h>
-#include <openssl/err.h>
 
 #include <openssl/rsa.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 
 int
diff --git a/src/lib/libcrypto/evp/p_lib.c b/src/lib/libcrypto/evp/p_lib.c
index 95c7721303..3f88185737 100644
--- a/src/lib/libcrypto/evp/p_lib.c
+++ b/src/lib/libcrypto/evp/p_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p_lib.c,v 1.61 2024/08/22 12:24:24 tb Exp $ */
+/* $OpenBSD: p_lib.c,v 1.63 2025/07/02 06:36:52 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -111,7 +111,6 @@
 #include <openssl/bio.h>
 #include <openssl/cmac.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
@@ -129,6 +128,7 @@
 #include <openssl/rsa.h>
 #endif
 
+#include "err_local.h"
 #include "evp_local.h"
 
 extern const EVP_PKEY_ASN1_METHOD cmac_asn1_meth;
@@ -628,7 +628,7 @@ LCRYPTO_ALIAS(EVP_PKEY_get0_hmac);
 
 #ifndef OPENSSL_NO_RSA
 RSA *
-EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+EVP_PKEY_get0_RSA(const EVP_PKEY *pkey)
 {
         if (pkey->type == EVP_PKEY_RSA || pkey->type == EVP_PKEY_RSA_PSS)
                 return pkey->pkey.rsa;
@@ -639,7 +639,7 @@ EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
 LCRYPTO_ALIAS(EVP_PKEY_get0_RSA);
 
 RSA *
-EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
+EVP_PKEY_get1_RSA(const EVP_PKEY *pkey)
 {
         RSA *rsa;
 
@@ -665,7 +665,7 @@ LCRYPTO_ALIAS(EVP_PKEY_set1_RSA);
 
 #ifndef OPENSSL_NO_DSA
 DSA *
-EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
+EVP_PKEY_get0_DSA(const EVP_PKEY *pkey)
 {
         if (pkey->type != EVP_PKEY_DSA) {
                 EVPerror(EVP_R_EXPECTING_A_DSA_KEY);
@@ -676,7 +676,7 @@ EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
 LCRYPTO_ALIAS(EVP_PKEY_get0_DSA);
 
 DSA *
-EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
+EVP_PKEY_get1_DSA(const EVP_PKEY *pkey)
 {
         DSA *dsa;
 
@@ -702,7 +702,7 @@ LCRYPTO_ALIAS(EVP_PKEY_set1_DSA);
 
 #ifndef OPENSSL_NO_EC
 EC_KEY *
-EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
+EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey)
 {
         if (pkey->type != EVP_PKEY_EC) {
                 EVPerror(EVP_R_EXPECTING_A_EC_KEY);
@@ -713,7 +713,7 @@ EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
 LCRYPTO_ALIAS(EVP_PKEY_get0_EC_KEY);
 
 EC_KEY *
-EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey)
+EVP_PKEY_get1_EC_KEY(const EVP_PKEY *pkey)
 {
         EC_KEY *key;
 
@@ -740,7 +740,7 @@ LCRYPTO_ALIAS(EVP_PKEY_set1_EC_KEY);
 
 #ifndef OPENSSL_NO_DH
 DH *
-EVP_PKEY_get0_DH(EVP_PKEY *pkey)
+EVP_PKEY_get0_DH(const EVP_PKEY *pkey)
 {
         if (pkey->type != EVP_PKEY_DH) {
                 EVPerror(EVP_R_EXPECTING_A_DH_KEY);
@@ -751,7 +751,7 @@ EVP_PKEY_get0_DH(EVP_PKEY *pkey)
 LCRYPTO_ALIAS(EVP_PKEY_get0_DH);
 
 DH *
-EVP_PKEY_get1_DH(EVP_PKEY *pkey)
+EVP_PKEY_get1_DH(const EVP_PKEY *pkey)
 {
         DH *dh;
 
diff --git a/src/lib/libcrypto/evp/p_sign.c b/src/lib/libcrypto/evp/p_sign.c
index 7f472ea716..775cf78d62 100644
--- a/src/lib/libcrypto/evp/p_sign.c
+++ b/src/lib/libcrypto/evp/p_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p_sign.c,v 1.22 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: p_sign.c,v 1.23 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -58,7 +58,6 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
diff --git a/src/lib/libcrypto/evp/p_verify.c b/src/lib/libcrypto/evp/p_verify.c
index 02132e2c38..cd7482df55 100644
--- a/src/lib/libcrypto/evp/p_verify.c
+++ b/src/lib/libcrypto/evp/p_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p_verify.c,v 1.21 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: p_verify.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -58,7 +58,6 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
diff --git a/src/lib/libcrypto/evp/pmeth_fn.c b/src/lib/libcrypto/evp/pmeth_fn.c
index 308c434f0d..ad6c04dabb 100644
--- a/src/lib/libcrypto/evp/pmeth_fn.c
+++ b/src/lib/libcrypto/evp/pmeth_fn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pmeth_fn.c,v 1.11 2024/04/12 09:41:39 tb Exp $ */
+/* $OpenBSD: pmeth_fn.c,v 1.12 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -59,10 +59,10 @@
 #include <stdio.h>
 #include <stdlib.h>
 
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 
 #define M_check_autoarg(ctx, arg, arglen, err) \
diff --git a/src/lib/libcrypto/evp/pmeth_gn.c b/src/lib/libcrypto/evp/pmeth_gn.c
index bc1c5bd7d2..fa5b446124 100644
--- a/src/lib/libcrypto/evp/pmeth_gn.c
+++ b/src/lib/libcrypto/evp/pmeth_gn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pmeth_gn.c,v 1.21 2024/08/31 09:14:21 tb Exp $ */
+/* $OpenBSD: pmeth_gn.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -60,12 +60,12 @@
 #include <stdlib.h>
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 
 #include "asn1_local.h"
 #include "bn_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 int
diff --git a/src/lib/libcrypto/evp/pmeth_lib.c b/src/lib/libcrypto/evp/pmeth_lib.c
index fbf4057c38..ce6beecad6 100644
--- a/src/lib/libcrypto/evp/pmeth_lib.c
+++ b/src/lib/libcrypto/evp/pmeth_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pmeth_lib.c,v 1.42 2025/01/20 12:57:28 tb Exp $ */
+/* $OpenBSD: pmeth_lib.c,v 1.43 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -63,12 +63,12 @@
 
 #include <openssl/opensslconf.h>
 
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509v3.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 extern const EVP_PKEY_METHOD cmac_pkey_meth;
diff --git a/src/lib/libcrypto/format-pem.pl b/src/lib/libcrypto/format-pem.pl
index 5a96fe5b1d..fba3470344 100644
--- a/src/lib/libcrypto/format-pem.pl
+++ b/src/lib/libcrypto/format-pem.pl
@@ -1,5 +1,5 @@
 #!/usr/bin/perl
-# $OpenBSD: format-pem.pl,v 1.7 2024/11/01 11:19:13 sthen Exp $
+# $OpenBSD: format-pem.pl,v 1.8 2025/06/16 10:24:55 sthen Exp $
 #
 # Copyright (c) 2016 Stuart Henderson <sthen@openbsd.org>
 #
@@ -99,6 +99,7 @@ while(<>) {
 
                 my $verify = qx/openssl verify -CAfile $t $t 2>&1/;
                 if (not $verify =~ /^$t: OK$/) {
+                        $verify =~ s,$t: ,,;
                         print STDERR "ERROR: '$subj' cannot be verified with libressl\n---\n$verify---\n";
                         $ca{$o}{$subj}{'valid'} = 0;
                 }
diff --git a/src/lib/libcrypto/hidden/crypto_namespace.h b/src/lib/libcrypto/hidden/crypto_namespace.h
index 741ad08549..43c8718ed0 100644
--- a/src/lib/libcrypto/hidden/crypto_namespace.h
+++ b/src/lib/libcrypto/hidden/crypto_namespace.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_namespace.h,v 1.4 2024/07/11 21:31:52 miod Exp $       */
+/*      $OpenBSD: crypto_namespace.h,v 1.5 2025/08/18 16:00:05 tb Exp $ */
 /*
  * Copyright (c) 2016 Philip Guenther <guenther@openbsd.org>
  *
@@ -45,7 +45,11 @@
 # define LCRYPTO_UNUSED(x)
 # define LCRYPTO_USED(x)
 # define LCRYPTO_ALIAS1(pre,x)
+#ifdef _MSC_VER
+# define LCRYPTO_ALIAS(x)
+#else
 # define LCRYPTO_ALIAS(x)       asm("")
+#endif /* _MSC_VER */
 #endif
 
 #endif  /* _LIBCRYPTO_CRYPTO_NAMESPACE_H_ */
diff --git a/src/lib/libcrypto/hidden/openssl/bio.h b/src/lib/libcrypto/hidden/openssl/bio.h
index 03da75a795..69651cf3cb 100644
--- a/src/lib/libcrypto/hidden/openssl/bio.h
+++ b/src/lib/libcrypto/hidden/openssl/bio.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio.h,v 1.8 2024/07/09 06:14:59 beck Exp $ */
+/* $OpenBSD: bio.h,v 1.9 2025/07/16 15:59:26 tb Exp $ */
 /*
  * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
  *
@@ -103,7 +103,6 @@ LCRYPTO_USED(BIO_s_socket);
 LCRYPTO_USED(BIO_s_connect);
 LCRYPTO_USED(BIO_s_accept);
 LCRYPTO_USED(BIO_s_fd);
-LCRYPTO_USED(BIO_s_log);
 LCRYPTO_USED(BIO_s_bio);
 LCRYPTO_USED(BIO_s_null);
 LCRYPTO_USED(BIO_f_null);
diff --git a/src/lib/libcrypto/hidden/openssl/mlkem.h b/src/lib/libcrypto/hidden/openssl/mlkem.h
index 8cd80eb3af..3807b3fa1e 100644
--- a/src/lib/libcrypto/hidden/openssl/mlkem.h
+++ b/src/lib/libcrypto/hidden/openssl/mlkem.h
@@ -1,6 +1,6 @@
-/* $OpenBSD: mlkem.h,v 1.4 2024/12/20 15:10:31 tb Exp $ */
+/* $OpenBSD: mlkem.h,v 1.5 2025/08/14 15:48:48 beck Exp $ */
 /*
- * Copyright (c) 2024 Bob Beck <beck@obtuse.com>
+ * Copyright (c) 2025 Bob Beck <beck@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,9 +18,6 @@
 #ifndef _LIBCRYPTO_MLKEM_H
 #define _LIBCRYPTO_MLKEM_H
 
-/* Undo when making public */
-#ifdef LIBRESSL_HAS_MLKEM
-
 #ifndef _MSC_VER
 #include_next <openssl/mlkem.h>
 #else
@@ -28,22 +25,21 @@
 #endif
 #include "crypto_namespace.h"
 
-LCRYPTO_USED(MLKEM768_generate_key);
-LCRYPTO_USED(MLKEM768_public_from_private);
-LCRYPTO_USED(MLKEM768_encap);
-LCRYPTO_USED(MLKEM768_decap);
-LCRYPTO_USED(MLKEM768_marshal_public_key);
-LCRYPTO_USED(MLKEM768_parse_public_key);
-LCRYPTO_USED(MLKEM768_private_key_from_seed);
-LCRYPTO_USED(MLKEM768_parse_private_key);
-LCRYPTO_USED(MLKEM1024_generate_key);
-LCRYPTO_USED(MLKEM1024_public_from_private);
-LCRYPTO_USED(MLKEM1024_encap);
-LCRYPTO_USED(MLKEM1024_decap);
-LCRYPTO_USED(MLKEM1024_marshal_public_key);
-LCRYPTO_USED(MLKEM1024_parse_public_key);
-LCRYPTO_USED(MLKEM1024_private_key_from_seed);
-LCRYPTO_USED(MLKEM1024_parse_private_key);
-#endif /* LIBRESSL_HAS_MLKEM */
+LCRYPTO_USED(MLKEM_private_key_new);
+LCRYPTO_USED(MLKEM_private_key_free);
+LCRYPTO_USED(MLKEM_private_key_ciphertext_length);
+LCRYPTO_USED(MLKEM_private_key_encoded_length);
+LCRYPTO_USED(MLKEM_public_key_new);
+LCRYPTO_USED(MLKEM_public_key_free);
+LCRYPTO_USED(MLKEM_public_key_ciphertext_length);
+LCRYPTO_USED(MLKEM_public_key_encoded_length);
+LCRYPTO_USED(MLKEM_generate_key);
+LCRYPTO_USED(MLKEM_private_key_from_seed);
+LCRYPTO_USED(MLKEM_public_from_private);
+LCRYPTO_USED(MLKEM_encap);
+LCRYPTO_USED(MLKEM_decap);
+LCRYPTO_USED(MLKEM_marshal_public_key);
+LCRYPTO_USED(MLKEM_parse_public_key);
+LCRYPTO_USED(MLKEM_parse_private_key);
 
 #endif /* _LIBCRYPTO_MLKEM_H */
diff --git a/src/lib/libcrypto/hidden/openssl/pem.h b/src/lib/libcrypto/hidden/openssl/pem.h
index 5838f07f4d..233fd8859b 100644
--- a/src/lib/libcrypto/hidden/openssl/pem.h
+++ b/src/lib/libcrypto/hidden/openssl/pem.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem.h,v 1.2 2023/07/07 19:37:54 beck Exp $ */
+/* $OpenBSD: pem.h,v 1.3 2025/07/16 15:59:26 tb Exp $ */
 /*
  * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
  *
@@ -33,12 +33,10 @@ LCRYPTO_USED(PEM_bytes_read_bio);
 LCRYPTO_USED(PEM_ASN1_read_bio);
 LCRYPTO_USED(PEM_ASN1_write_bio);
 LCRYPTO_USED(PEM_X509_INFO_read_bio);
-LCRYPTO_USED(PEM_X509_INFO_write_bio);
 LCRYPTO_USED(PEM_read);
 LCRYPTO_USED(PEM_write);
 LCRYPTO_USED(PEM_ASN1_read);
 LCRYPTO_USED(PEM_ASN1_write);
-LCRYPTO_USED(PEM_X509_INFO_read);
 LCRYPTO_USED(PEM_SignInit);
 LCRYPTO_USED(PEM_SignUpdate);
 LCRYPTO_USED(PEM_SignFinal);
diff --git a/src/lib/libcrypto/hidden/openssl/x509.h b/src/lib/libcrypto/hidden/openssl/x509.h
index e6104cd451..5e78f7af97 100644
--- a/src/lib/libcrypto/hidden/openssl/x509.h
+++ b/src/lib/libcrypto/hidden/openssl/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.15 2025/03/09 15:17:22 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.16 2025/07/16 15:59:26 tb Exp $ */
 /*
  * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
  *
@@ -401,8 +401,6 @@ LCRYPTO_USED(i2d_X509_CRL);
 LCRYPTO_USED(X509_CRL_add0_revoked);
 LCRYPTO_USED(X509_CRL_get0_by_serial);
 LCRYPTO_USED(X509_CRL_get0_by_cert);
-LCRYPTO_USED(X509_PKEY_new);
-LCRYPTO_USED(X509_PKEY_free);
 LCRYPTO_USED(NETSCAPE_SPKI_new);
 LCRYPTO_USED(NETSCAPE_SPKI_free);
 LCRYPTO_USED(d2i_NETSCAPE_SPKI);
diff --git a/src/lib/libcrypto/hkdf/hkdf.c b/src/lib/libcrypto/hkdf/hkdf.c
index 6104ef0cc7..f68df4bea4 100644
--- a/src/lib/libcrypto/hkdf/hkdf.c
+++ b/src/lib/libcrypto/hkdf/hkdf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hkdf.c,v 1.11 2024/03/25 13:09:13 jsing Exp $ */
+/* $OpenBSD: hkdf.c,v 1.12 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2014, Google Inc.
  *
@@ -19,10 +19,10 @@
 
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/hmac.h>
 
 #include "bytestring.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "hmac_local.h"
 
diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c
index dc1614d3ce..e3d5664143 100644
--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hmac.c,v 1.36 2024/08/31 10:42:21 tb Exp $ */
+/* $OpenBSD: hmac.c,v 1.37 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,9 +60,9 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/hmac.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "hmac_local.h"
 
diff --git a/src/lib/libcrypto/idea/idea.h b/src/lib/libcrypto/idea/idea.h
index 2bdd3647fd..fccef8fc73 100644
--- a/src/lib/libcrypto/idea/idea.h
+++ b/src/lib/libcrypto/idea/idea.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: idea.h,v 1.13 2025/01/25 17:59:44 tb Exp $ */
+/* $OpenBSD: idea.h,v 1.14 2025/06/09 14:37:49 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,7 +59,12 @@
 #ifndef HEADER_IDEA_H
 #define HEADER_IDEA_H
 
-#include <openssl/opensslconf.h> /* IDEA_INT, OPENSSL_NO_IDEA */
+#include <openssl/opensslconf.h> /* OPENSSL_NO_IDEA */
+
+#ifndef IDEA_INT
+/* XXX - typedef */
+#define IDEA_INT unsigned int
+#endif
 
 #define IDEA_ENCRYPT    1
 #define IDEA_DECRYPT    0
diff --git a/src/lib/libcrypto/kdf/hkdf_evp.c b/src/lib/libcrypto/kdf/hkdf_evp.c
index b33e2e0a26..dee6e35d82 100644
--- a/src/lib/libcrypto/kdf/hkdf_evp.c
+++ b/src/lib/libcrypto/kdf/hkdf_evp.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: hkdf_evp.c,v 1.20 2023/06/26 08:57:17 tb Exp $ */
+/*      $OpenBSD: hkdf_evp.c,v 1.22 2025/05/21 03:53:20 kenjiro Exp $ */
 /* ====================================================================
  * Copyright (c) 2016-2018 The OpenSSL Project.  All rights reserved.
  *
@@ -50,12 +50,11 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <openssl/err.h>
-#include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/hkdf.h>
 #include <openssl/kdf.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 
 #define HKDF_MAXBUF 1024
@@ -91,6 +90,9 @@ pkey_hkdf_cleanup(EVP_PKEY_CTX *ctx)
 {
         HKDF_PKEY_CTX *kctx = ctx->data;
 
+        if (kctx == NULL)
+                return;
+
         freezero(kctx->salt, kctx->salt_len);
         freezero(kctx->key, kctx->key_len);
         freezero(kctx, sizeof(*kctx));
diff --git a/src/lib/libcrypto/kdf/tls1_prf.c b/src/lib/libcrypto/kdf/tls1_prf.c
index 7d6231e3c7..2b86ff744f 100644
--- a/src/lib/libcrypto/kdf/tls1_prf.c
+++ b/src/lib/libcrypto/kdf/tls1_prf.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls1_prf.c,v 1.40 2024/07/10 06:53:27 tb Exp $ */
+/*      $OpenBSD: tls1_prf.c,v 1.42 2025/05/21 03:53:20 kenjiro Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
  * 2016.
@@ -61,10 +61,10 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/kdf.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 
 #define TLS1_PRF_MAXBUF 1024
@@ -96,6 +96,9 @@ pkey_tls1_prf_cleanup(EVP_PKEY_CTX *ctx)
 {
         struct tls1_prf_ctx *kctx = ctx->data;
 
+        if (kctx == NULL)
+                return;
+
         freezero(kctx->secret, kctx->secret_len);
         freezero(kctx, sizeof(*kctx));
 }
diff --git a/src/lib/libcrypto/lhash/lhash.c b/src/lib/libcrypto/lhash/lhash.c
index aa532267de..ad6ece543b 100644
--- a/src/lib/libcrypto/lhash/lhash.c
+++ b/src/lib/libcrypto/lhash/lhash.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lhash.c,v 1.28 2024/07/14 14:32:45 jsing Exp $ */
+/* $OpenBSD: lhash.c,v 1.29 2025/05/01 00:35:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -115,11 +115,11 @@ expand(_LHASH *lh)
 #endif
                 if ((hash % nni) != p) { /* move it */
                         *n1 = (*n1)->next;
-                        np->next= *n2;
+                        np->next = *n2;
                         *n2 = np;
                 } else
                         n1 = &((*n1)->next);
-                np= *n1;
+                np = *n1;
         }
 
         if ((lh->p) >= lh->pmax) {
@@ -305,7 +305,7 @@ lh_delete(_LHASH *lh, const void *data)
         if (*rn == NULL) {
                 return (NULL);
         } else {
-                nn= *rn;
+                nn = *rn;
                 *rn = nn->next;
                 ret = nn->data;
                 free(nn);
diff --git a/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3 b/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3
index 15156ffca3..bfa915c8af 100644
--- a/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3
+++ b/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ACCESS_DESCRIPTION_new.3,v 1.6 2022/03/31 17:27:16 naddy Exp $
+.\"     $OpenBSD: ACCESS_DESCRIPTION_new.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ACCESS_DESCRIPTION_NEW 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm AUTHORITY_INFO_ACCESS_free
 .Nd X.509 information access extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft ACCESS_DESCRIPTION *
 .Fn ACCESS_DESCRIPTION_new void
diff --git a/src/lib/libcrypto/man/AES_encrypt.3 b/src/lib/libcrypto/man/AES_encrypt.3
index f022848a61..4ceece648e 100644
--- a/src/lib/libcrypto/man/AES_encrypt.3
+++ b/src/lib/libcrypto/man/AES_encrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: AES_encrypt.3,v 1.1 2019/08/28 10:37:42 schwarze Exp $
+.\" $OpenBSD: AES_encrypt.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 28 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt AES_ENCRYPT 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm AES_cbc_encrypt
 .Nd low-level interface to the AES symmetric cipher
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/aes.h
 .Ft int
 .Fo AES_set_encrypt_key
diff --git a/src/lib/libcrypto/man/ASIdentifiers_new.3 b/src/lib/libcrypto/man/ASIdentifiers_new.3
index d8473b81a0..f5f4a1215e 100644
--- a/src/lib/libcrypto/man/ASIdentifiers_new.3
+++ b/src/lib/libcrypto/man/ASIdentifiers_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASIdentifiers_new.3,v 1.11 2023/09/30 18:16:44 tb Exp $
+.\" $OpenBSD: ASIdentifiers_new.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASIDENTIFIERS_NEW 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm i2d_ASIdentifiers
 .Nd RFC 3779 autonomous system identifier delegation extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft ASIdentifiers *
 .Fo ASIdentifiers_new
diff --git a/src/lib/libcrypto/man/ASN1_BIT_STRING_set.3 b/src/lib/libcrypto/man/ASN1_BIT_STRING_set.3
index a916ca3ab2..d3ab3b1ee0 100644
--- a/src/lib/libcrypto/man/ASN1_BIT_STRING_set.3
+++ b/src/lib/libcrypto/man/ASN1_BIT_STRING_set.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_BIT_STRING_set.3,v 1.5 2024/12/24 09:48:56 schwarze Exp $
+.\" $OpenBSD: ASN1_BIT_STRING_set.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_BIT_STRING_SET 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm ASN1_BIT_STRING_get_bit
 .Nd ASN.1 BIT STRING accessors
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_BIT_STRING_set
diff --git a/src/lib/libcrypto/man/ASN1_INTEGER_get.3 b/src/lib/libcrypto/man/ASN1_INTEGER_get.3
index 84f566eda9..985e2e5084 100644
--- a/src/lib/libcrypto/man/ASN1_INTEGER_get.3
+++ b/src/lib/libcrypto/man/ASN1_INTEGER_get.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_INTEGER_get.3,v 1.7 2023/05/22 19:38:04 tb Exp $
+.\" $OpenBSD: ASN1_INTEGER_get.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" selective merge up to:
 .\" OpenSSL man3/ASN1_INTEGER_get_int64 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 22 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_INTEGER_GET 3
 .Os
 .Sh NAME
@@ -88,6 +88,7 @@
 .Nm ASN1_ENUMERATED_to_BN
 .Nd ASN.1 INTEGER and ENUMERATED utilities
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_INTEGER_get_uint64
diff --git a/src/lib/libcrypto/man/ASN1_NULL_new.3 b/src/lib/libcrypto/man/ASN1_NULL_new.3
index b4d2428ed1..1244f2e252 100644
--- a/src/lib/libcrypto/man/ASN1_NULL_new.3
+++ b/src/lib/libcrypto/man/ASN1_NULL_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_NULL_new.3,v 1.3 2021/12/09 18:42:35 schwarze Exp $
+.\" $OpenBSD: ASN1_NULL_new.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_NULL_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm ASN1_NULL_free
 .Nd ASN.1 NULL value
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_NULL *
 .Fn ASN1_NULL_new void
diff --git a/src/lib/libcrypto/man/ASN1_OBJECT_new.3 b/src/lib/libcrypto/man/ASN1_OBJECT_new.3
index 3e2eac02ee..3df3dd8e68 100644
--- a/src/lib/libcrypto/man/ASN1_OBJECT_new.3
+++ b/src/lib/libcrypto/man/ASN1_OBJECT_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_OBJECT_new.3,v 1.16 2023/09/05 15:01:39 schwarze Exp $
+.\" $OpenBSD: ASN1_OBJECT_new.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d4 Mar 19 12:28:58 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 5 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_OBJECT_NEW 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm ASN1_OBJECT_free
 .Nd ASN.1 object identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_OBJECT *
 .Fo ASN1_OBJECT_new
diff --git a/src/lib/libcrypto/man/ASN1_PRINTABLE_type.3 b/src/lib/libcrypto/man/ASN1_PRINTABLE_type.3
index 391dd32e66..47288ee960 100644
--- a/src/lib/libcrypto/man/ASN1_PRINTABLE_type.3
+++ b/src/lib/libcrypto/man/ASN1_PRINTABLE_type.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_PRINTABLE_type.3,v 1.1 2021/11/15 13:39:40 schwarze Exp $
+.\" $OpenBSD: ASN1_PRINTABLE_type.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_PRINTABLE_TYPE 3
 .Os
 .Sh NAME
 .Nm ASN1_PRINTABLE_type
 .Nd classify a single-byte character string
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_PRINTABLE_type
diff --git a/src/lib/libcrypto/man/ASN1_STRING_TABLE_get.3 b/src/lib/libcrypto/man/ASN1_STRING_TABLE_get.3
index 2bf8831c12..4149b73d34 100644
--- a/src/lib/libcrypto/man/ASN1_STRING_TABLE_get.3
+++ b/src/lib/libcrypto/man/ASN1_STRING_TABLE_get.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_STRING_TABLE_get.3,v 1.4 2023/12/21 21:23:37 tb Exp $
+.\" $OpenBSD: ASN1_STRING_TABLE_get.3,v 1.5 2025/06/08 22:37:23 schwarze Exp $
 .\" checked up to:
 .\" OpenSSL ASN1_STRING_TABLE_add.pod 7b608d08 Jul 27 01:18:50 2017 +0800
 .\"
@@ -16,17 +16,15 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 21 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_STRING_TABLE_GET 3
 .Os
 .Sh NAME
-.\" .Nm ASN1_STRING_TABLE_add0 and
-.\" .Nm ASN1_STRING_TABLE_cleanup are intentionally undocumented
-.\" because they will be removed in the next major bump
 .\" .Dv STABLE_FLAGS_MALLOC is intentionally undocumented because it is unused
 .Nm ASN1_STRING_TABLE_get
 .Nd retrieve an entry from the global ASN.1 string table
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_STRING_TABLE *
 .Fo ASN1_STRING_TABLE_get
diff --git a/src/lib/libcrypto/man/ASN1_STRING_length.3 b/src/lib/libcrypto/man/ASN1_STRING_length.3
index 0c397607a9..922ae89ac6 100644
--- a/src/lib/libcrypto/man/ASN1_STRING_length.3
+++ b/src/lib/libcrypto/man/ASN1_STRING_length.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_STRING_length.3,v 1.30 2024/12/27 15:30:17 schwarze Exp $
+.\" $OpenBSD: ASN1_STRING_length.3,v 1.31 2025/06/08 22:37:23 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 27 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_STRING_LENGTH 3
 .Os
 .Sh NAME
@@ -84,10 +84,9 @@
 .Nm ASN1_STRING_copy ,
 .Nm ASN1_STRING_to_UTF8 ,
 .Nm ASN1_STRING_type
-.\" deprecated aliases, intentionally undocumented:
-.\" M_ASN1_STRING_data, M_ASN1_STRING_length
 .Nd ASN1_STRING utility functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_STRING_cmp
diff --git a/src/lib/libcrypto/man/ASN1_STRING_new.3 b/src/lib/libcrypto/man/ASN1_STRING_new.3
index 212bacd413..d653b70dda 100644
--- a/src/lib/libcrypto/man/ASN1_STRING_new.3
+++ b/src/lib/libcrypto/man/ASN1_STRING_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ASN1_STRING_new.3,v 1.27 2024/12/27 15:30:17 schwarze Exp $
+.\"     $OpenBSD: ASN1_STRING_new.3,v 1.28 2025/06/08 22:37:23 schwarze Exp $
 .\"     OpenSSL 99d63d46 Tue Mar 24 07:52:24 2015 -0400
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 27 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_STRING_NEW 3
 .Os
 .Sh NAME
@@ -58,10 +58,9 @@
 .Nm ASN1_UTCTIME_free ,
 .Nm ASN1_TIME_new ,
 .Nm ASN1_TIME_free
-.\" deprecated aliases, intentionally undocumented: M_ASN1_IA5STRING_new,
-.\" M_ASN1_ENUMERATED_free, M_ASN1_INTEGER_free, M_ASN1_OCTET_STRING_free
 .Nd allocate and free ASN1_STRING objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_STRING *
 .Fn ASN1_STRING_new void
diff --git a/src/lib/libcrypto/man/ASN1_STRING_print_ex.3 b/src/lib/libcrypto/man/ASN1_STRING_print_ex.3
index eb43b2fe5c..8295b3e9dd 100644
--- a/src/lib/libcrypto/man/ASN1_STRING_print_ex.3
+++ b/src/lib/libcrypto/man/ASN1_STRING_print_ex.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_STRING_print_ex.3,v 1.18 2021/12/14 19:36:18 schwarze Exp $
+.\" $OpenBSD: ASN1_STRING_print_ex.3,v 1.19 2025/06/08 22:37:23 schwarze Exp $
 .\" full merge up to: OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_STRING_PRINT_EX 3
 .Os
 .Sh NAME
@@ -58,9 +58,9 @@
 .Nm ASN1_STRING_print_ex_fp ,
 .Nm ASN1_STRING_print ,
 .Nm ASN1_tag2str
-.\" M_ASN1_OCTET_STRING_print is a deprecated alias, intentionally undocumented
 .Nd ASN1_STRING output routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_STRING_print_ex
diff --git a/src/lib/libcrypto/man/ASN1_TIME_set.3 b/src/lib/libcrypto/man/ASN1_TIME_set.3
index 233cb13f2c..8cfcf4339b 100644
--- a/src/lib/libcrypto/man/ASN1_TIME_set.3
+++ b/src/lib/libcrypto/man/ASN1_TIME_set.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_TIME_set.3,v 1.23 2024/03/05 18:30:40 tb Exp $
+.\" $OpenBSD: ASN1_TIME_set.3,v 1.24 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 3d0f1cb9 Jul 11 03:01:24 2017 +0800
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_TIME_SET 3
 .Os
 .Sh NAME
@@ -101,6 +101,7 @@
 .Nm OPENSSL_tm_to_posix
 .Nd ASN.1 Time functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_TIME *
 .Fo ASN1_TIME_set
diff --git a/src/lib/libcrypto/man/ASN1_TYPE_get.3 b/src/lib/libcrypto/man/ASN1_TYPE_get.3
index 16af168d91..3b3359b6ff 100644
--- a/src/lib/libcrypto/man/ASN1_TYPE_get.3
+++ b/src/lib/libcrypto/man/ASN1_TYPE_get.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_TYPE_get.3,v 1.19 2023/10/09 16:06:01 tb Exp $
+.\" $OpenBSD: ASN1_TYPE_get.3,v 1.20 2025/06/08 22:40:29 schwarze Exp $
 .\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 9 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_TYPE_GET 3
 .Os
 .Sh NAME
@@ -81,6 +81,7 @@
 .Nm ASN1_TYPE_cmp
 .Nd ASN.1 objects of arbitrary type
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_TYPE *
 .Fn ASN1_TYPE_new void
diff --git a/src/lib/libcrypto/man/ASN1_UNIVERSALSTRING_to_string.3 b/src/lib/libcrypto/man/ASN1_UNIVERSALSTRING_to_string.3
index 2af675295b..c76956107f 100644
--- a/src/lib/libcrypto/man/ASN1_UNIVERSALSTRING_to_string.3
+++ b/src/lib/libcrypto/man/ASN1_UNIVERSALSTRING_to_string.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_UNIVERSALSTRING_to_string.3,v 1.1 2021/11/15 13:39:40 schwarze Exp $
+.\" $OpenBSD: ASN1_UNIVERSALSTRING_to_string.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_UNIVERSALSTRING_TO_STRING 3
 .Os
 .Sh NAME
 .Nm ASN1_UNIVERSALSTRING_to_string
 .Nd recode UTF-32 to ISO Latin-1
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_UNIVERSALSTRING_to_string
diff --git a/src/lib/libcrypto/man/ASN1_generate_nconf.3 b/src/lib/libcrypto/man/ASN1_generate_nconf.3
index b15d4295a9..ed92bb13b6 100644
--- a/src/lib/libcrypto/man/ASN1_generate_nconf.3
+++ b/src/lib/libcrypto/man/ASN1_generate_nconf.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ASN1_generate_nconf.3,v 1.13 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: ASN1_generate_nconf.3,v 1.14 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 05ea606a Fri May 20 20:52:46 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_GENERATE_NCONF 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm ASN1_generate_v3
 .Nd ASN.1 generation functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_TYPE *
 .Fo ASN1_generate_nconf
diff --git a/src/lib/libcrypto/man/ASN1_get_object.3 b/src/lib/libcrypto/man/ASN1_get_object.3
index 781b12ad5a..7f92ff6d05 100644
--- a/src/lib/libcrypto/man/ASN1_get_object.3
+++ b/src/lib/libcrypto/man/ASN1_get_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_get_object.3,v 1.2 2021/07/11 19:03:45 schwarze Exp $
+.\" $OpenBSD: ASN1_get_object.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_GET_OBJECT 3
 .Os
 .Sh NAME
 .Nm ASN1_get_object
 .Nd parse identifier and length octets
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_get_object
diff --git a/src/lib/libcrypto/man/ASN1_item_d2i.3 b/src/lib/libcrypto/man/ASN1_item_d2i.3
index bc99f4a6da..cb5fd19f28 100644
--- a/src/lib/libcrypto/man/ASN1_item_d2i.3
+++ b/src/lib/libcrypto/man/ASN1_item_d2i.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_item_d2i.3,v 1.18 2023/05/01 07:37:45 tb Exp $
+.\" $OpenBSD: ASN1_item_d2i.3,v 1.19 2025/06/08 22:40:29 schwarze Exp $
 .\" selective merge up to:
 .\" OpenSSL doc/man3/d2i_X509.pod 256989ce Jun 19 15:00:32 2020 +0200
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 1 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_ITEM_D2I 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm ASN1_item_print
 .Nd decode and encode ASN.1 objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_VALUE *
 .Fo ASN1_item_d2i
diff --git a/src/lib/libcrypto/man/ASN1_item_digest.3 b/src/lib/libcrypto/man/ASN1_item_digest.3
index 56a97555e9..829b82a56b 100644
--- a/src/lib/libcrypto/man/ASN1_item_digest.3
+++ b/src/lib/libcrypto/man/ASN1_item_digest.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_item_digest.3,v 1.2 2022/09/11 04:39:46 jsg Exp $
+.\" $OpenBSD: ASN1_item_digest.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 11 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_ITEM_DIGEST 3
 .Os
 .Sh NAME
 .Nm ASN1_item_digest
 .Nd DER-encode and hash an ASN.1 value
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo ASN1_item_digest
diff --git a/src/lib/libcrypto/man/ASN1_item_new.3 b/src/lib/libcrypto/man/ASN1_item_new.3
index 7015ed6319..42e9dd8f68 100644
--- a/src/lib/libcrypto/man/ASN1_item_new.3
+++ b/src/lib/libcrypto/man/ASN1_item_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_item_new.3,v 1.11 2022/01/12 17:54:51 tb Exp $
+.\" $OpenBSD: ASN1_item_new.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016, 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 12 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_ITEM_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm ASN1_item_free
 .Nd generic ASN.1 value constructor and destructor
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_VALUE *
 .Fo ASN1_item_new
diff --git a/src/lib/libcrypto/man/ASN1_item_pack.3 b/src/lib/libcrypto/man/ASN1_item_pack.3
index 4c87530622..d0023f599d 100644
--- a/src/lib/libcrypto/man/ASN1_item_pack.3
+++ b/src/lib/libcrypto/man/ASN1_item_pack.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_item_pack.3,v 1.1 2021/11/15 11:51:09 schwarze Exp $
+.\" $OpenBSD: ASN1_item_pack.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_ITEM_PACK 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm ASN1_item_unpack
 .Nd pack an ASN.1 object into an ASN1_STRING
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_STRING *
 .Fo ASN1_item_pack
diff --git a/src/lib/libcrypto/man/ASN1_item_sign.3 b/src/lib/libcrypto/man/ASN1_item_sign.3
index 8c09fe77ff..72e317c310 100644
--- a/src/lib/libcrypto/man/ASN1_item_sign.3
+++ b/src/lib/libcrypto/man/ASN1_item_sign.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_item_sign.3,v 1.3 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: ASN1_item_sign.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_ITEM_SIGN 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm ASN1_item_sign_ctx
 .Nd DER-encode and sign an ASN.1 value
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo ASN1_item_sign
diff --git a/src/lib/libcrypto/man/ASN1_item_verify.3 b/src/lib/libcrypto/man/ASN1_item_verify.3
index d2810879e3..282db875bb 100644
--- a/src/lib/libcrypto/man/ASN1_item_verify.3
+++ b/src/lib/libcrypto/man/ASN1_item_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_item_verify.3,v 1.3 2021/12/18 17:47:44 schwarze Exp $
+.\" $OpenBSD: ASN1_item_verify.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 18 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_ITEM_VERIFY 3
 .Os
 .Sh NAME
 .Nm ASN1_item_verify
 .Nd signature verification for ASN.1 values
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo ASN1_item_verify
diff --git a/src/lib/libcrypto/man/ASN1_mbstring_copy.3 b/src/lib/libcrypto/man/ASN1_mbstring_copy.3
index e0b48aaa62..6a64bc7464 100644
--- a/src/lib/libcrypto/man/ASN1_mbstring_copy.3
+++ b/src/lib/libcrypto/man/ASN1_mbstring_copy.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_mbstring_copy.3,v 1.6 2022/02/21 00:22:03 jsg Exp $
+.\" $OpenBSD: ASN1_mbstring_copy.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 21 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_MBSTRING_COPY 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm ASN1_tag2bit
 .Nd copy a multibyte string into an ASN.1 string object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_mbstring_copy
diff --git a/src/lib/libcrypto/man/ASN1_parse_dump.3 b/src/lib/libcrypto/man/ASN1_parse_dump.3
index 50761f38aa..45aa673d4c 100644
--- a/src/lib/libcrypto/man/ASN1_parse_dump.3
+++ b/src/lib/libcrypto/man/ASN1_parse_dump.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_parse_dump.3,v 1.3 2021/12/09 18:52:09 schwarze Exp $
+.\" $OpenBSD: ASN1_parse_dump.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_PARSE_DUMP 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm ASN1_parse
 .Nd parse BER and print information about it
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_parse_dump
diff --git a/src/lib/libcrypto/man/ASN1_put_object.3 b/src/lib/libcrypto/man/ASN1_put_object.3
index 97a352724c..94fa55366a 100644
--- a/src/lib/libcrypto/man/ASN1_put_object.3
+++ b/src/lib/libcrypto/man/ASN1_put_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_put_object.3,v 1.5 2022/01/12 17:54:51 tb Exp $
+.\" $OpenBSD: ASN1_put_object.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 12 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_PUT_OBJECT 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm ASN1_object_size
 .Nd start and end the BER encoding of an arbitrary ASN.1 data element
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft void
 .Fo ASN1_put_object
diff --git a/src/lib/libcrypto/man/ASRange_new.3 b/src/lib/libcrypto/man/ASRange_new.3
index dc58c98e58..b507213b48 100644
--- a/src/lib/libcrypto/man/ASRange_new.3
+++ b/src/lib/libcrypto/man/ASRange_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASRange_new.3,v 1.8 2023/10/11 12:06:11 tb Exp $
+.\" $OpenBSD: ASRange_new.3,v 1.10 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 11 2023 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt ASRANGE_NEW 3
 .Os
 .Sh NAME
@@ -32,8 +32,9 @@
 .Nm i2d_ASIdentifierChoice
 .Nd RFC 3779 autonomous system identifiers and ranges
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
-.Ft "ASRange *"
+.Ft ASRange *
 .Fn ASRange_new void
 .Ft void
 .Fn ASRange_free "ASRange *asrange"
@@ -48,7 +49,7 @@
 .Fa "ASRange *asrange"
 .Fa "unsigned char **der_out"
 .Fc
-.Ft "ASIdOrRange *"
+.Ft ASIdOrRange *
 .Fn ASIdOrRange_new void
 .Ft void
 .Fn ASIdOrRange_free "ASIdOrRange *aor"
@@ -63,7 +64,7 @@
 .Fa "ASIdOrRange *aor"
 .Fa "unsigned char **der_out"
 .Fc
-.Ft "ASIdentifierChoice *"
+.Ft ASIdentifierChoice *
 .Fn ASIdentifierChoice_new void
 .Ft void
 .Fn ASIdentifierChoice_free "ASIdentifierChoice *aic"
diff --git a/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3 b/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3
index bff451ff36..982685d17f 100644
--- a/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3
+++ b/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: AUTHORITY_KEYID_new.3,v 1.4 2019/06/06 01:06:58 schwarze Exp $
+.\"     $OpenBSD: AUTHORITY_KEYID_new.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt AUTHORITY_KEYID_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm AUTHORITY_KEYID_free
 .Nd X.509 authority key identifier extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft AUTHORITY_KEYID *
 .Fn AUTHORITY_KEYID_new void
diff --git a/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3 b/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
index e60b0d223c..f1b1486a8a 100644
--- a/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
+++ b/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BASIC_CONSTRAINTS_new.3,v 1.6 2021/10/27 11:24:47 schwarze Exp $
+.\" $OpenBSD: BASIC_CONSTRAINTS_new.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 27 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BASIC_CONSTRAINTS_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm BASIC_CONSTRAINTS_free
 .Nd X.509 extension to mark CA certificates
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft BASIC_CONSTRAINTS *
 .Fn BASIC_CONSTRAINTS_new void
diff --git a/src/lib/libcrypto/man/BF_set_key.3 b/src/lib/libcrypto/man/BF_set_key.3
index 5f4c7a689b..1299a0f2ef 100644
--- a/src/lib/libcrypto/man/BF_set_key.3
+++ b/src/lib/libcrypto/man/BF_set_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BF_set_key.3,v 1.12 2023/08/05 18:27:55 jmc Exp $
+.\"     $OpenBSD: BF_set_key.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 99d63d46 Jul 19 09:27:53 2016 -0400
 .\"
 .\" This file was written by Richard Levitte <levitte@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 5 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BF_SET_KEY 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm BF_ofb64_encrypt
 .Nd Blowfish encryption
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/blowfish.h
 .Ft void
 .Fo BF_set_key
diff --git a/src/lib/libcrypto/man/BIO_accept.3 b/src/lib/libcrypto/man/BIO_accept.3
index e2547ac0dd..73b415017f 100644
--- a/src/lib/libcrypto/man/BIO_accept.3
+++ b/src/lib/libcrypto/man/BIO_accept.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_accept.3,v 1.2 2023/04/30 13:38:48 schwarze Exp $
+.\" $OpenBSD: BIO_accept.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_ACCEPT 3
 .Os
 .Sh NAME
@@ -43,6 +43,7 @@
 .\" .Nm BIO_sock_cleanup
 .Nd wrappers for socket operations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft int
 .Fo BIO_get_host_ip
diff --git a/src/lib/libcrypto/man/BIO_ctrl.3 b/src/lib/libcrypto/man/BIO_ctrl.3
index 2c537956e1..ca13f2067b 100644
--- a/src/lib/libcrypto/man/BIO_ctrl.3
+++ b/src/lib/libcrypto/man/BIO_ctrl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_ctrl.3,v 1.25 2023/11/16 20:19:23 schwarze Exp $
+.\" $OpenBSD: BIO_ctrl.3,v 1.26 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535eaf Tue Sep 22 13:14:20 2020 +0100
 .\" selective merge up to: OpenSSL 0c5bc96f Tue Mar 15 13:57:22 2022 +0000
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_CTRL 3
 .Os
 .Sh NAME
@@ -91,6 +91,7 @@
 .Nm bio_info_cb
 .Nd BIO control operations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft long
 .Fo BIO_ctrl
diff --git a/src/lib/libcrypto/man/BIO_dump.3 b/src/lib/libcrypto/man/BIO_dump.3
index 8817f0c4ca..2c06c8cc9c 100644
--- a/src/lib/libcrypto/man/BIO_dump.3
+++ b/src/lib/libcrypto/man/BIO_dump.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_dump.3,v 1.4 2022/12/20 15:34:03 schwarze Exp $
+.\" $OpenBSD: BIO_dump.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,19 +14,15 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 20 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_DUMP 3
 .Os
 .Sh NAME
 .Nm BIO_dump ,
-.Nm BIO_dump_indent ,
-.Nm BIO_dump_fp ,
-.Nm BIO_dump_indent_fp
-.\" intentionally undocumented because nothing uses these two functions:
-.\" .Nm BIO_dump_cb
-.\" .Nm BIO_dump_indent_cb
+.Nm BIO_dump_indent
 .Nd hexadecimal printout of arbitrary byte arrays
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft int
 .Fo BIO_dump
@@ -41,19 +37,6 @@
 .Fa "int len"
 .Fa "int indent"
 .Fc
-.Ft int
-.Fo BIO_dump_fp
-.Fa "FILE *fp"
-.Fa "const char *s"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo BIO_dump_indent_fp
-.Fa "FILE *fp"
-.Fa "const char *s"
-.Fa "int len"
-.Fa "int indent"
-.Fc
 .Sh DESCRIPTION
 .Fn BIO_dump
 prints
@@ -92,14 +75,6 @@ If
 .Fa indent
 is 7 or more, the number of data columns is reduced such that the
 total width of the output does not exceed 79 characters per line.
-.Pp
-.Fn BIO_dump_fp
-and
-.Fn BIO_dump_indent_fp
-are similar except that
-.Xr fwrite 3
-is used instead of
-.Xr BIO_write 3 .
 .Sh RETURN VALUES
 On success these functions return the total number of bytes written by
 .Xr BIO_write 3
@@ -120,9 +95,3 @@ first appeared in SSLeay 0.6.5 and has been available since
 .Fn BIO_dump_indent
 first appeared in OpenSSL 0.9.6 and has been available since
 .Ox 2.9 .
-.Pp
-.Fn BIO_dump_fp
-and
-.Fn BIO_dump_indent_fp
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/BIO_dup_chain.3 b/src/lib/libcrypto/man/BIO_dup_chain.3
index 5c5e8c6533..ad753e71a5 100644
--- a/src/lib/libcrypto/man/BIO_dup_chain.3
+++ b/src/lib/libcrypto/man/BIO_dup_chain.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_dup_chain.3,v 1.2 2023/04/09 06:27:52 jsg Exp $
+.\" $OpenBSD: BIO_dup_chain.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 9 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_DUP_CHAIN 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm BIO_dup_state
 .Nd copy a BIO chain
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft BIO *
 .Fn BIO_dup_chain "BIO *b"
diff --git a/src/lib/libcrypto/man/BIO_f_base64.3 b/src/lib/libcrypto/man/BIO_f_base64.3
index e4589de035..f652dac100 100644
--- a/src/lib/libcrypto/man/BIO_f_base64.3
+++ b/src/lib/libcrypto/man/BIO_f_base64.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BIO_f_base64.3,v 1.15 2023/09/11 04:00:40 jsg Exp $
+.\"     $OpenBSD: BIO_f_base64.3,v 1.16 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL fc1d88f0 Wed Jul 2 22:42:40 2014 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 11 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_F_BASE64 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .\" and practically unused outside evp/bio_b64.c.
 .Nd base64 BIO filter
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .In openssl/evp.h
 .Ft const BIO_METHOD *
diff --git a/src/lib/libcrypto/man/BIO_f_buffer.3 b/src/lib/libcrypto/man/BIO_f_buffer.3
index a3012c5c5d..28c4f3166f 100644
--- a/src/lib/libcrypto/man/BIO_f_buffer.3
+++ b/src/lib/libcrypto/man/BIO_f_buffer.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_f_buffer.3,v 1.17 2023/04/29 12:22:08 schwarze Exp $
+.\" $OpenBSD: BIO_f_buffer.3,v 1.18 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_F_BUFFER 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .\" whatever that is supposed to be, but are NOOPs, and nothing uses them.
 .Nd buffering BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_f_buffer
diff --git a/src/lib/libcrypto/man/BIO_f_cipher.3 b/src/lib/libcrypto/man/BIO_f_cipher.3
index c5d00c6981..3f7fe7bfaf 100644
--- a/src/lib/libcrypto/man/BIO_f_cipher.3
+++ b/src/lib/libcrypto/man/BIO_f_cipher.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_f_cipher.3,v 1.16 2023/04/29 12:01:53 schwarze Exp $
+.\" $OpenBSD: BIO_f_cipher.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_F_CIPHER 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .\" .Nm BIO_CTRL_SET is intentionally undocumented because it has no effect.
 .Nd cipher BIO filter
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .In openssl/evp.h
 .Ft const BIO_METHOD *
diff --git a/src/lib/libcrypto/man/BIO_f_md.3 b/src/lib/libcrypto/man/BIO_f_md.3
index 279aabc980..ba5a0d9b85 100644
--- a/src/lib/libcrypto/man/BIO_f_md.3
+++ b/src/lib/libcrypto/man/BIO_f_md.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_f_md.3,v 1.15 2023/04/28 16:20:01 schwarze Exp $
+.\" $OpenBSD: BIO_f_md.3,v 1.16 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 28 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_F_MD 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm BIO_set_md_ctx
 .Nd message digest BIO filter
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .In openssl/evp.h
 .Ft const BIO_METHOD *
diff --git a/src/lib/libcrypto/man/BIO_f_null.3 b/src/lib/libcrypto/man/BIO_f_null.3
index 687d991b52..ea75a242a4 100644
--- a/src/lib/libcrypto/man/BIO_f_null.3
+++ b/src/lib/libcrypto/man/BIO_f_null.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_f_null.3,v 1.12 2023/04/11 16:58:43 schwarze Exp $
+.\" $OpenBSD: BIO_f_null.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 11 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_F_NULL 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .\" except in openssl(1) s_client/s_server -nbio_test.
 .Nd null filter
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_f_null
diff --git a/src/lib/libcrypto/man/BIO_find_type.3 b/src/lib/libcrypto/man/BIO_find_type.3
index 4a9eee7832..88f36032c7 100644
--- a/src/lib/libcrypto/man/BIO_find_type.3
+++ b/src/lib/libcrypto/man/BIO_find_type.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_find_type.3,v 1.12 2023/07/26 20:01:04 tb Exp $
+.\" $OpenBSD: BIO_find_type.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 26 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_FIND_TYPE 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm BIO_method_name
 .Nd BIO chain traversal
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft BIO *
 .Fo BIO_find_type
diff --git a/src/lib/libcrypto/man/BIO_get_data.3 b/src/lib/libcrypto/man/BIO_get_data.3
index 63750ac37b..26783929b1 100644
--- a/src/lib/libcrypto/man/BIO_get_data.3
+++ b/src/lib/libcrypto/man/BIO_get_data.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_get_data.3,v 1.8 2023/11/16 20:27:43 schwarze Exp $
+.\" $OpenBSD: BIO_get_data.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_GET_DATA 3
 .Os
 .Sh NAME
@@ -87,6 +87,7 @@
 .Nm BIO_get_shutdown
 .Nd manage BIO state information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft void
 .Fo BIO_set_data
diff --git a/src/lib/libcrypto/man/BIO_get_ex_new_index.3 b/src/lib/libcrypto/man/BIO_get_ex_new_index.3
index 54d00775e7..13d20e14a8 100644
--- a/src/lib/libcrypto/man/BIO_get_ex_new_index.3
+++ b/src/lib/libcrypto/man/BIO_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_get_ex_new_index.3,v 1.17 2023/11/19 10:26:36 tb Exp $
+.\" $OpenBSD: BIO_get_ex_new_index.3,v 1.18 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file was written by Rich Salz <rsalz@akamai.com>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -68,6 +68,7 @@
 .Nm EC_KEY_set_ex_data
 .Nd application-specific data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .In openssl/ui.h
 .In openssl/x509.h
diff --git a/src/lib/libcrypto/man/BIO_meth_new.3 b/src/lib/libcrypto/man/BIO_meth_new.3
index 2159560596..98feac5bcc 100644
--- a/src/lib/libcrypto/man/BIO_meth_new.3
+++ b/src/lib/libcrypto/man/BIO_meth_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_meth_new.3,v 1.5 2018/07/09 09:52:18 tb Exp $
+.\" $OpenBSD: BIO_meth_new.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 9 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_METH_NEW 3
 .Os
 .Sh NAME
@@ -91,6 +91,7 @@
 .Nm BIO_meth_set_callback_ctrl
 .Nd manipulate BIO_METHOD structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft int
 .Fn BIO_get_new_index void
diff --git a/src/lib/libcrypto/man/BIO_new.3 b/src/lib/libcrypto/man/BIO_new.3
index f97a314826..f0079948fb 100644
--- a/src/lib/libcrypto/man/BIO_new.3
+++ b/src/lib/libcrypto/man/BIO_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_new.3,v 1.28 2023/07/26 20:01:04 tb Exp $
+.\" $OpenBSD: BIO_new.3,v 1.29 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/BIO_new.pod fb46be03 Feb 26 11:51:31 2016 +0000
 .\" OpenSSL man7/bio.pod 631c37be Dec 12 16:56:50 2017 +0100
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 26 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_NEW 3
 .Os
 .Sh NAME
@@ -64,6 +64,7 @@
 .Nm BIO_free_all
 .Nd construct and destruct I/O abstraction objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft BIO *
 .Fo BIO_new
diff --git a/src/lib/libcrypto/man/BIO_new_CMS.3 b/src/lib/libcrypto/man/BIO_new_CMS.3
index ab93e1c00c..0279f704f4 100644
--- a/src/lib/libcrypto/man/BIO_new_CMS.3
+++ b/src/lib/libcrypto/man/BIO_new_CMS.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_new_CMS.3,v 1.9 2023/05/01 07:28:11 tb Exp $
+.\" $OpenBSD: BIO_new_CMS.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bfc Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 1 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_NEW_CMS 3
 .Os
 .Sh NAME
 .Nm BIO_new_CMS
 .Nd CMS streaming filter BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft BIO *
 .Fo BIO_new_CMS
diff --git a/src/lib/libcrypto/man/BIO_printf.3 b/src/lib/libcrypto/man/BIO_printf.3
index 32dec0a828..6df31ad24c 100644
--- a/src/lib/libcrypto/man/BIO_printf.3
+++ b/src/lib/libcrypto/man/BIO_printf.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BIO_printf.3,v 1.4 2024/03/02 09:18:28 tb Exp $
+.\"     $OpenBSD: BIO_printf.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 2ca2e917 Mon Mar 20 16:25:22 2017 -0400
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,13 +15,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_PRINTF 3
 .Os
 .Sh NAME
 .Nm BIO_printf
 .Nd formatted output to a BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft int
 .Fo BIO_printf
diff --git a/src/lib/libcrypto/man/BIO_push.3 b/src/lib/libcrypto/man/BIO_push.3
index 46c736e2c2..21b798a54f 100644
--- a/src/lib/libcrypto/man/BIO_push.3
+++ b/src/lib/libcrypto/man/BIO_push.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_push.3,v 1.14 2022/12/16 16:02:17 schwarze Exp $
+.\" $OpenBSD: BIO_push.3,v 1.15 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL doc/man3/BIO_push.pod 791bfd91 Nov 19 20:38:27 2021 +0100
 .\" OpenSSL doc/man7/bio.pod 1cb7eff4 Sep 10 13:56:40 2019 +0100
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 16 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_PUSH 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm BIO_set_next
 .Nd manipulate BIO chains
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft BIO *
 .Fo BIO_push
diff --git a/src/lib/libcrypto/man/BIO_read.3 b/src/lib/libcrypto/man/BIO_read.3
index 5fea9f728a..2a65b18535 100644
--- a/src/lib/libcrypto/man/BIO_read.3
+++ b/src/lib/libcrypto/man/BIO_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_read.3,v 1.11 2022/12/18 17:40:55 schwarze Exp $
+.\" $OpenBSD: BIO_read.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 18 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_READ 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm BIO_number_written
 .Nd BIO I/O functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft int
 .Fo BIO_read
diff --git a/src/lib/libcrypto/man/BIO_s_accept.3 b/src/lib/libcrypto/man/BIO_s_accept.3
index 8e88fe1c52..c5a8f6d293 100644
--- a/src/lib/libcrypto/man/BIO_s_accept.3
+++ b/src/lib/libcrypto/man/BIO_s_accept.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_accept.3,v 1.16 2023/04/29 13:06:10 schwarze Exp $
+.\" $OpenBSD: BIO_s_accept.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL c03726ca Thu Aug 27 12:28:08 2015 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_ACCEPT 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm BIO_do_accept
 .Nd accept BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_accept
diff --git a/src/lib/libcrypto/man/BIO_s_bio.3 b/src/lib/libcrypto/man/BIO_s_bio.3
index efda019df3..6590ff81ec 100644
--- a/src/lib/libcrypto/man/BIO_s_bio.3
+++ b/src/lib/libcrypto/man/BIO_s_bio.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_bio.3,v 1.20 2024/05/19 07:12:50 jsg Exp $
+.\" $OpenBSD: BIO_s_bio.3,v 1.21 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by
@@ -53,7 +53,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 19 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_BIO 3
 .Os
 .Sh NAME
@@ -71,6 +71,7 @@
 .Nm BIO_ctrl_reset_read_request
 .Nd BIO pair BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_bio
diff --git a/src/lib/libcrypto/man/BIO_s_connect.3 b/src/lib/libcrypto/man/BIO_s_connect.3
index bce68a26b9..ca7ee6d988 100644
--- a/src/lib/libcrypto/man/BIO_s_connect.3
+++ b/src/lib/libcrypto/man/BIO_s_connect.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_connect.3,v 1.19 2023/04/30 13:53:54 schwarze Exp $
+.\" $OpenBSD: BIO_s_connect.3,v 1.20 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 0e474b8b Nov 1 15:45:49 2015 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_CONNECT 3
 .Os
 .Sh NAME
@@ -83,6 +83,7 @@
 .Nm BIO_do_connect
 .Nd connect BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_connect
diff --git a/src/lib/libcrypto/man/BIO_s_datagram.3 b/src/lib/libcrypto/man/BIO_s_datagram.3
index 104823e7a7..bbe80b259c 100644
--- a/src/lib/libcrypto/man/BIO_s_datagram.3
+++ b/src/lib/libcrypto/man/BIO_s_datagram.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_datagram.3,v 1.3 2023/04/28 16:49:00 schwarze Exp $
+.\" $OpenBSD: BIO_s_datagram.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 28 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_DATAGRAM 3
 .Os
 .Sh NAME
@@ -32,6 +32,7 @@
 .\" They are almost unused, and OpenBSD does not appear to support them.
 .Nd datagram socket BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fn BIO_s_datagram void
diff --git a/src/lib/libcrypto/man/BIO_s_fd.3 b/src/lib/libcrypto/man/BIO_s_fd.3
index 852a06756a..b1165f30a1 100644
--- a/src/lib/libcrypto/man/BIO_s_fd.3
+++ b/src/lib/libcrypto/man/BIO_s_fd.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_fd.3,v 1.13 2023/11/16 20:19:23 schwarze Exp $
+.\" $OpenBSD: BIO_s_fd.3,v 1.14 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_FD 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm BIO_fd_should_retry
 .Nd file descriptor BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_fd
diff --git a/src/lib/libcrypto/man/BIO_s_file.3 b/src/lib/libcrypto/man/BIO_s_file.3
index 14950cad13..d59e157c33 100644
--- a/src/lib/libcrypto/man/BIO_s_file.3
+++ b/src/lib/libcrypto/man/BIO_s_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_file.3,v 1.17 2023/11/16 20:19:23 schwarze Exp $
+.\" $OpenBSD: BIO_s_file.3,v 1.18 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" selective merge up to: OpenSSL 1212818e Sep 11 13:22:14 2018 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_FILE 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .\" Nm BIO_CTRL_SET_FILENAME is unused and intentionally undocumented.
 .Nd FILE BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_file
diff --git a/src/lib/libcrypto/man/BIO_s_mem.3 b/src/lib/libcrypto/man/BIO_s_mem.3
index d7bbf6af43..e43be66e2f 100644
--- a/src/lib/libcrypto/man/BIO_s_mem.3
+++ b/src/lib/libcrypto/man/BIO_s_mem.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_mem.3,v 1.19 2023/11/16 20:19:23 schwarze Exp $
+.\" $OpenBSD: BIO_s_mem.3,v 1.20 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 8711efb4 Mon Apr 20 11:33:12 2009 +0000
 .\" selective merge up to: OpenSSL 36359cec Mar 7 14:37:23 2018 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_MEM 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm BIO_new_mem_buf
 .Nd memory BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_mem
diff --git a/src/lib/libcrypto/man/BIO_s_null.3 b/src/lib/libcrypto/man/BIO_s_null.3
index 6e7cad6d37..7198797b99 100644
--- a/src/lib/libcrypto/man/BIO_s_null.3
+++ b/src/lib/libcrypto/man/BIO_s_null.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_null.3,v 1.10 2023/04/11 16:58:43 schwarze Exp $
+.\" $OpenBSD: BIO_s_null.3,v 1.12 2025/07/16 18:10:53 tb Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,14 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 11 2023 $
+.Dd $Mdocdate: July 16 2025 $
 .Dt BIO_S_NULL 3
 .Os
 .Sh NAME
 .Nm BIO_s_null
-.\" .Nm BIO_s_log is intentionally undocumented because it is unused
 .Nd null data sink
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_null
diff --git a/src/lib/libcrypto/man/BIO_s_socket.3 b/src/lib/libcrypto/man/BIO_s_socket.3
index 402622b3bd..aebf399b2b 100644
--- a/src/lib/libcrypto/man/BIO_s_socket.3
+++ b/src/lib/libcrypto/man/BIO_s_socket.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BIO_s_socket.3,v 1.10 2023/04/11 16:58:43 schwarze Exp $
+.\"     $OpenBSD: BIO_s_socket.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL bbdc9c98 Oct 19 22:02:21 2000 +0000
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 11 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_SOCKET 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm BIO_new_socket
 .Nd socket BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_socket
diff --git a/src/lib/libcrypto/man/BIO_set_callback.3 b/src/lib/libcrypto/man/BIO_set_callback.3
index 56a0102be6..f3f40cba8e 100644
--- a/src/lib/libcrypto/man/BIO_set_callback.3
+++ b/src/lib/libcrypto/man/BIO_set_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_set_callback.3,v 1.12 2023/04/30 13:57:29 schwarze Exp $
+.\" $OpenBSD: BIO_set_callback.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_SET_CALLBACK 3
 .Os
 .Sh NAME
@@ -85,6 +85,7 @@
 .\" .Nm BIO_cb_post
 .Nd BIO callback functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft typedef long
 .Fo (*BIO_callback_fn_ex)
diff --git a/src/lib/libcrypto/man/BIO_should_retry.3 b/src/lib/libcrypto/man/BIO_should_retry.3
index 9b93743516..4a0948ff86 100644
--- a/src/lib/libcrypto/man/BIO_should_retry.3
+++ b/src/lib/libcrypto/man/BIO_should_retry.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_should_retry.3,v 1.11 2023/04/30 14:03:47 schwarze Exp $
+.\" $OpenBSD: BIO_should_retry.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" selective merge up to: OpenSSL 57fd5170 May 13 11:24:11 2018 +0200
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_SHOULD_RETRY 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm BIO_set_retry_reason
 .Nd BIO retry functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft int
 .Fo BIO_should_read
diff --git a/src/lib/libcrypto/man/BN_CTX_new.3 b/src/lib/libcrypto/man/BN_CTX_new.3
index 336b918896..0d5a3e847c 100644
--- a/src/lib/libcrypto/man/BN_CTX_new.3
+++ b/src/lib/libcrypto/man/BN_CTX_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_CTX_new.3,v 1.10 2023/04/25 17:21:51 tb Exp $
+.\"     $OpenBSD: BN_CTX_new.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL aafbe1cc Jun 12 23:42:08 2013 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_CTX_NEW 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm BN_CTX_free
 .Nd allocate and free BN_CTX structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft BN_CTX *
 .Fo BN_CTX_new
diff --git a/src/lib/libcrypto/man/BN_CTX_start.3 b/src/lib/libcrypto/man/BN_CTX_start.3
index a2b62eff5c..27159ce90d 100644
--- a/src/lib/libcrypto/man/BN_CTX_start.3
+++ b/src/lib/libcrypto/man/BN_CTX_start.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_CTX_start.3,v 1.8 2019/08/20 10:59:09 schwarze Exp $
+.\" $OpenBSD: BN_CTX_start.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 20 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_CTX_START 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm BN_CTX_end
 .Nd use temporary BIGNUM variables
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft void
 .Fo BN_CTX_start
diff --git a/src/lib/libcrypto/man/BN_add.3 b/src/lib/libcrypto/man/BN_add.3
index e7de441b7a..32378f6940 100644
--- a/src/lib/libcrypto/man/BN_add.3
+++ b/src/lib/libcrypto/man/BN_add.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_add.3,v 1.20 2023/04/27 09:47:03 tb Exp $
+.\" $OpenBSD: BN_add.3,v 1.21 2025/06/08 22:37:23 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 27 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_ADD 3
 .Os
 .Sh NAME
@@ -94,13 +94,11 @@
 .\" The following are public, but intentionally undocumented for now:
 .\" .Nm BN_mod_exp_mont ,  r \(== a ^ p (mod m)
 .\" .Nm BN_mod_exp_mont_consttime ,
-.\" .Nm BN_mod_exp_mont_word ,
-.\" .Nm BN_mod_exp_simple ,
-.\" .Nm BN_mod_exp2_mont   r \(== (a1 ^ p1) * (a2 ^ p2) (mod m)
 .\" Maybe they should be deleted from <openssl/bn.h>.
 .Nm BN_gcd
 .Nd arithmetic operations on BIGNUMs
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_add
diff --git a/src/lib/libcrypto/man/BN_add_word.3 b/src/lib/libcrypto/man/BN_add_word.3
index 161029c302..b8b45bfb2c 100644
--- a/src/lib/libcrypto/man/BN_add_word.3
+++ b/src/lib/libcrypto/man/BN_add_word.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_add_word.3,v 1.10 2022/11/22 19:02:07 schwarze Exp $
+.\" $OpenBSD: BN_add_word.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 9e183d22 Mar 11 08:56:44 2017 -0500
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 22 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_ADD_WORD 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm BN_mod_word
 .Nd arithmetic functions on BIGNUMs with integers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_add_word
diff --git a/src/lib/libcrypto/man/BN_bn2bin.3 b/src/lib/libcrypto/man/BN_bn2bin.3
index 0fe9a90738..cf72e6dd1b 100644
--- a/src/lib/libcrypto/man/BN_bn2bin.3
+++ b/src/lib/libcrypto/man/BN_bn2bin.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_bn2bin.3,v 1.16 2023/07/09 06:45:03 tb Exp $
+.\" $OpenBSD: BN_bn2bin.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 9 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_BN2BIN 3
 .Os
 .Sh NAME
@@ -69,6 +69,7 @@
 .Nm BN_mpi2bn
 .Nd format conversions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_bn2bin
diff --git a/src/lib/libcrypto/man/BN_cmp.3 b/src/lib/libcrypto/man/BN_cmp.3
index ba973313f0..3837ffcd1a 100644
--- a/src/lib/libcrypto/man/BN_cmp.3
+++ b/src/lib/libcrypto/man/BN_cmp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_cmp.3,v 1.10 2022/11/22 19:02:07 schwarze Exp $
+.\" $OpenBSD: BN_cmp.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 5b31b9df Aug 4 10:45:52 2021 +0300
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 22 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_CMP 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm BN_is_odd
 .Nd BIGNUM comparison and test functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_cmp
diff --git a/src/lib/libcrypto/man/BN_copy.3 b/src/lib/libcrypto/man/BN_copy.3
index 383255e382..5481431e97 100644
--- a/src/lib/libcrypto/man/BN_copy.3
+++ b/src/lib/libcrypto/man/BN_copy.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_copy.3,v 1.10 2021/12/06 19:45:27 schwarze Exp $
+.\"     $OpenBSD: BN_copy.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_COPY 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm BN_with_flags
 .Nd copy BIGNUMs
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft BIGNUM *
 .Fo BN_copy
diff --git a/src/lib/libcrypto/man/BN_generate_prime.3 b/src/lib/libcrypto/man/BN_generate_prime.3
index d9144155c6..55eed14e75 100644
--- a/src/lib/libcrypto/man/BN_generate_prime.3
+++ b/src/lib/libcrypto/man/BN_generate_prime.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_generate_prime.3,v 1.25 2023/12/29 19:12:46 tb Exp $
+.\" $OpenBSD: BN_generate_prime.3,v 1.26 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL f987a4dd Jun 27 10:12:08 2019 +0200
 .\"
 .\" This file is a derived work.
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_GENERATE_PRIME 3
 .Os
 .Sh NAME
@@ -84,6 +84,7 @@
 .\" because it should not be used outside of libcrypto.
 .Nd generate primes and test for primality
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_is_prime_ex
diff --git a/src/lib/libcrypto/man/BN_get_rfc3526_prime_8192.3 b/src/lib/libcrypto/man/BN_get_rfc3526_prime_8192.3
index abaf80ef20..41345de274 100644
--- a/src/lib/libcrypto/man/BN_get_rfc3526_prime_8192.3
+++ b/src/lib/libcrypto/man/BN_get_rfc3526_prime_8192.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_get_rfc3526_prime_8192.3,v 1.1 2023/07/20 16:26:40 tb Exp $
+.\" $OpenBSD: BN_get_rfc3526_prime_8192.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
 .\" checked up to: OpenSSL DH_get_1024_160 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 20 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_GET_RFC3526_PRIME_8192 3
 .Os
 .Sh NAME
@@ -29,6 +29,7 @@
 .Nm BN_get_rfc3526_prime_8192
 .Nd standard moduli for Diffie-Hellman key exchange
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft BIGNUM *
 .Fn BN_get_rfc2409_prime_768 "BIGNUM *bn"
diff --git a/src/lib/libcrypto/man/BN_kronecker.3 b/src/lib/libcrypto/man/BN_kronecker.3
index 90b7f43230..6a5b7ecd88 100644
--- a/src/lib/libcrypto/man/BN_kronecker.3
+++ b/src/lib/libcrypto/man/BN_kronecker.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_kronecker.3,v 1.2 2022/11/15 17:55:00 schwarze Exp $
+.\" $OpenBSD: BN_kronecker.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 15 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_KRONECKER 3
 .Os
 .Sh NAME
 .Nm BN_kronecker
 .Nd Kronecker symbol
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_kronecker
diff --git a/src/lib/libcrypto/man/BN_mod_inverse.3 b/src/lib/libcrypto/man/BN_mod_inverse.3
index d0a4b458f4..ce10fa216e 100644
--- a/src/lib/libcrypto/man/BN_mod_inverse.3
+++ b/src/lib/libcrypto/man/BN_mod_inverse.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_mod_inverse.3,v 1.13 2023/10/21 13:53:43 schwarze Exp $
+.\"     $OpenBSD: BN_mod_inverse.3,v 1.14 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 21 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_MOD_INVERSE 3
 .Os
 .Sh NAME
 .Nm BN_mod_inverse
 .Nd compute inverse modulo m
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft BIGNUM *
 .Fo BN_mod_inverse
diff --git a/src/lib/libcrypto/man/BN_mod_mul_montgomery.3 b/src/lib/libcrypto/man/BN_mod_mul_montgomery.3
index ed004c2549..2f9e3a532e 100644
--- a/src/lib/libcrypto/man/BN_mod_mul_montgomery.3
+++ b/src/lib/libcrypto/man/BN_mod_mul_montgomery.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_mod_mul_montgomery.3,v 1.16 2025/03/09 15:24:25 tb Exp $
+.\" $OpenBSD: BN_mod_mul_montgomery.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 6859cf74 Sep 25 13:33:28 2002 +0000
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 9 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_MOD_MUL_MONTGOMERY 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm BN_to_montgomery
 .Nd Montgomery multiplication
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft BN_MONT_CTX *
 .Fo BN_MONT_CTX_new
diff --git a/src/lib/libcrypto/man/BN_mod_sqrt.3 b/src/lib/libcrypto/man/BN_mod_sqrt.3
index 7247d907a0..f2cd80e658 100644
--- a/src/lib/libcrypto/man/BN_mod_sqrt.3
+++ b/src/lib/libcrypto/man/BN_mod_sqrt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_mod_sqrt.3,v 1.2 2022/12/06 22:22:42 tb Exp $
+.\" $OpenBSD: BN_mod_sqrt.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 6 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_MOD_SQRT 3
 .Os
 .Sh NAME
 .Nm BN_mod_sqrt
 .Nd square root in a prime field
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft BIGNUM *
 .Fo BN_mod_sqrt
diff --git a/src/lib/libcrypto/man/BN_new.3 b/src/lib/libcrypto/man/BN_new.3
index 26a2a7d68a..8e61a1fcc3 100644
--- a/src/lib/libcrypto/man/BN_new.3
+++ b/src/lib/libcrypto/man/BN_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_new.3,v 1.32 2025/04/25 12:11:17 tb Exp $
+.\" $OpenBSD: BN_new.3,v 1.33 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL man3/BN_new 2457c19d Mar 6 08:43:36 2004 +0000
 .\" selective merge up to: man3/BN_new 681acb31 Sep 29 13:10:34 2017 +0200
 .\" full merge up to: OpenSSL man7/bn 05ea606a May 20 20:52:46 2016 -0400
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_NEW 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm BN_clear_free
 .Nd allocate and free BIGNUMs
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft BIGNUM *
 .Fo BN_new
diff --git a/src/lib/libcrypto/man/BN_num_bytes.3 b/src/lib/libcrypto/man/BN_num_bytes.3
index 785f43e2f0..608bb2ebb8 100644
--- a/src/lib/libcrypto/man/BN_num_bytes.3
+++ b/src/lib/libcrypto/man/BN_num_bytes.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_num_bytes.3,v 1.9 2022/11/22 18:55:04 schwarze Exp $
+.\" $OpenBSD: BN_num_bytes.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 9e183d22 Mar 11 08:56:44 2017 -0500
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 22 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_NUM_BYTES 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm BN_num_bytes
 .Nd get BIGNUM size
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_num_bits_word
diff --git a/src/lib/libcrypto/man/BN_rand.3 b/src/lib/libcrypto/man/BN_rand.3
index 3d4401a429..b21155af0d 100644
--- a/src/lib/libcrypto/man/BN_rand.3
+++ b/src/lib/libcrypto/man/BN_rand.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_rand.3,v 1.18 2021/11/30 18:34:35 tb Exp $
+.\"     $OpenBSD: BN_rand.3,v 1.19 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_RAND 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm BN_pseudo_rand_range
 .Nd generate pseudo-random number
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_rand
diff --git a/src/lib/libcrypto/man/BN_set_bit.3 b/src/lib/libcrypto/man/BN_set_bit.3
index 2c53066777..c13122b729 100644
--- a/src/lib/libcrypto/man/BN_set_bit.3
+++ b/src/lib/libcrypto/man/BN_set_bit.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_set_bit.3,v 1.8 2021/11/30 18:34:35 tb Exp $
+.\"     $OpenBSD: BN_set_bit.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_SET_BIT 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm BN_rshift1
 .Nd bit operations on BIGNUMs
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_set_bit
diff --git a/src/lib/libcrypto/man/BN_set_flags.3 b/src/lib/libcrypto/man/BN_set_flags.3
index 1285ae2b28..eb4840a54b 100644
--- a/src/lib/libcrypto/man/BN_set_flags.3
+++ b/src/lib/libcrypto/man/BN_set_flags.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_set_flags.3,v 1.6 2023/04/27 07:22:22 tb Exp $
+.\"     $OpenBSD: BN_set_flags.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 27 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm BN_get_flags
 .Nd enable and inspect flags on BIGNUM objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft void
 .Fo BN_set_flags
diff --git a/src/lib/libcrypto/man/BN_set_negative.3 b/src/lib/libcrypto/man/BN_set_negative.3
index 6cdff5c974..579bcf2123 100644
--- a/src/lib/libcrypto/man/BN_set_negative.3
+++ b/src/lib/libcrypto/man/BN_set_negative.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_set_negative.3,v 1.6 2021/12/06 19:45:27 schwarze Exp $
+.\"     $OpenBSD: BN_set_negative.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 6 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_SET_NEGATIVE 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm BN_is_negative
 .Nd change and inspect the sign of a BIGNUM
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft void
 .Fo BN_set_negative
diff --git a/src/lib/libcrypto/man/BN_swap.3 b/src/lib/libcrypto/man/BN_swap.3
index 218ca1cf02..a6a5fa95ba 100644
--- a/src/lib/libcrypto/man/BN_swap.3
+++ b/src/lib/libcrypto/man/BN_swap.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_swap.3,v 1.6 2021/12/19 22:06:35 schwarze Exp $
+.\" $OpenBSD: BN_swap.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 19 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_SWAP 3
 .Os
 .Sh NAME
@@ -73,6 +73,7 @@
 .Nm BN_consttime_swap
 .Nd exchange BIGNUMs
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft void
 .Fo BN_swap
diff --git a/src/lib/libcrypto/man/BN_zero.3 b/src/lib/libcrypto/man/BN_zero.3
index 0b677b246f..18a31a1080 100644
--- a/src/lib/libcrypto/man/BN_zero.3
+++ b/src/lib/libcrypto/man/BN_zero.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_zero.3,v 1.13 2023/04/30 19:23:54 tb Exp $
+.\" $OpenBSD: BN_zero.3,v 1.15 2025/06/14 06:48:47 tb Exp $
 .\" full merge up to: OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\" selective merge up to: OpenSSL b713c4ff Jan 22 14:41:09 2018 -0500
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: June 14 2025 $
 .Dt BN_ZERO 3
 .Os
 .Sh NAME
@@ -78,8 +78,9 @@
 .Nm BN_get_word
 .Nd BIGNUM assignment operations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
-.Ft int
+.Ft void
 .Fo BN_zero
 .Fa "BIGNUM *a"
 .Fc
@@ -136,8 +137,7 @@ or a number with all bits set if
 cannot be represented as a
 .Vt BN_ULONG .
 .Pp
-.Fn BN_zero ,
-.Fn BN_one ,
+.Fn BN_one
 and
 .Fn BN_set_word
 return 1 on success, 0 otherwise.
diff --git a/src/lib/libcrypto/man/BUF_MEM_new.3 b/src/lib/libcrypto/man/BUF_MEM_new.3
index 8c72091abe..ef9e473cc3 100644
--- a/src/lib/libcrypto/man/BUF_MEM_new.3
+++ b/src/lib/libcrypto/man/BUF_MEM_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BUF_MEM_new.3,v 1.19 2024/07/24 08:57:58 tb Exp $
+.\"     $OpenBSD: BUF_MEM_new.3,v 1.20 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL doc/crypto/buffer.pod 18edda0f Sep 20 03:28:54 2000 +0000
 .\"     not merged: 74924dcb, 58e3457a, 21b0fa91, 7644a9ae
 .\"     OpenSSL doc/crypto/BUF_MEM_new.pod 53934822 Jun 9 16:39:19 2016 -0400
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BUF_MEM_NEW 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm BUF_MEM_grow_clean
 .Nd simple character arrays structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/buffer.h
 .Ft BUF_MEM *
 .Fo BUF_MEM_new
diff --git a/src/lib/libcrypto/man/CMAC_Init.3 b/src/lib/libcrypto/man/CMAC_Init.3
index fd32ca085a..b1b62a6359 100644
--- a/src/lib/libcrypto/man/CMAC_Init.3
+++ b/src/lib/libcrypto/man/CMAC_Init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMAC_Init.3,v 1.9 2024/11/12 00:42:28 schwarze Exp $
+.\" $OpenBSD: CMAC_Init.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 12 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMAC_INIT 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Nm CMAC_CTX_free
 .Nd Cipher-based message authentication code
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cmac.h
 .Ft CMAC_CTX *
 .Fn CMAC_CTX_new void
diff --git a/src/lib/libcrypto/man/CMS_ContentInfo_new.3 b/src/lib/libcrypto/man/CMS_ContentInfo_new.3
index d5117fa4ae..b44f65ee91 100644
--- a/src/lib/libcrypto/man/CMS_ContentInfo_new.3
+++ b/src/lib/libcrypto/man/CMS_ContentInfo_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_ContentInfo_new.3,v 1.4 2024/01/22 14:00:13 tb Exp $
+.\" $OpenBSD: CMS_ContentInfo_new.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 22 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_CONTENTINFO_NEW 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm CMS_ReceiptRequest_free
 .Nd Cryptographic Message Syntax data structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ContentInfo *
 .Fn CMS_ContentInfo_new void
diff --git a/src/lib/libcrypto/man/CMS_add0_cert.3 b/src/lib/libcrypto/man/CMS_add0_cert.3
index be9357cc9a..d0e9be6bd5 100644
--- a/src/lib/libcrypto/man/CMS_add0_cert.3
+++ b/src/lib/libcrypto/man/CMS_add0_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_add0_cert.3,v 1.10 2024/11/30 21:21:40 tb Exp $
+.\" $OpenBSD: CMS_add0_cert.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_ADD0_CERT 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm CMS_get1_crls
 .Nd CMS certificate and CRL utility functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo CMS_add0_cert
diff --git a/src/lib/libcrypto/man/CMS_add1_recipient_cert.3 b/src/lib/libcrypto/man/CMS_add1_recipient_cert.3
index 465119397d..7c0c3fae90 100644
--- a/src/lib/libcrypto/man/CMS_add1_recipient_cert.3
+++ b/src/lib/libcrypto/man/CMS_add1_recipient_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_add1_recipient_cert.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_add1_recipient_cert.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_ADD1_RECIPIENT_CERT 3
 .Os
 .Sh NAME
@@ -73,6 +73,7 @@
 .Nm CMS_add0_recipient_key
 .Nd add recipients to a CMS EnvelopedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_RecipientInfo *
 .Fo CMS_add1_recipient_cert
diff --git a/src/lib/libcrypto/man/CMS_add1_signer.3 b/src/lib/libcrypto/man/CMS_add1_signer.3
index 316d63c5ad..68bdb12c73 100644
--- a/src/lib/libcrypto/man/CMS_add1_signer.3
+++ b/src/lib/libcrypto/man/CMS_add1_signer.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_add1_signer.3,v 1.10 2024/04/18 16:50:22 tb Exp $
+.\" $OpenBSD: CMS_add1_signer.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 18 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_ADD1_SIGNER 3
 .Os
 .Sh NAME
@@ -73,6 +73,7 @@
 .Nm CMS_SignerInfo_sign
 .Nd add a signer to a CMS SignedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_SignerInfo *
 .Fo CMS_add1_signer
diff --git a/src/lib/libcrypto/man/CMS_compress.3 b/src/lib/libcrypto/man/CMS_compress.3
index 242e4e96cb..9026837fc8 100644
--- a/src/lib/libcrypto/man/CMS_compress.3
+++ b/src/lib/libcrypto/man/CMS_compress.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_compress.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_compress.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,13 +65,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_COMPRESS 3
 .Os
 .Sh NAME
 .Nm CMS_compress
 .Nd create a CMS CompressedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ContentInfo *
 .Fo CMS_compress
diff --git a/src/lib/libcrypto/man/CMS_decrypt.3 b/src/lib/libcrypto/man/CMS_decrypt.3
index 243ab2f30e..2141098084 100644
--- a/src/lib/libcrypto/man/CMS_decrypt.3
+++ b/src/lib/libcrypto/man/CMS_decrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_decrypt.3,v 1.8 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_decrypt.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_DECRYPT 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm CMS_decrypt_set1_key
 .Nd decrypt content from a CMS EnvelopedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo CMS_decrypt
diff --git a/src/lib/libcrypto/man/CMS_encrypt.3 b/src/lib/libcrypto/man/CMS_encrypt.3
index 03d8b4edbb..5eda883857 100644
--- a/src/lib/libcrypto/man/CMS_encrypt.3
+++ b/src/lib/libcrypto/man/CMS_encrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_encrypt.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_encrypt.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_ENCRYPT 3
 .Os
 .Sh NAME
 .Nm CMS_encrypt
 .Nd create a CMS EnvelopedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ContentInfo *
 .Fo CMS_encrypt
diff --git a/src/lib/libcrypto/man/CMS_final.3 b/src/lib/libcrypto/man/CMS_final.3
index 4ca8945923..f2b5755fa9 100644
--- a/src/lib/libcrypto/man/CMS_final.3
+++ b/src/lib/libcrypto/man/CMS_final.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_final.3,v 1.6 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_final.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 25ccb589 Jul 1 02:02:06 2019 +0800
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_FINAL 3
 .Os
 .Sh NAME
 .Nm CMS_final
 .Nd finalise a CMS_ContentInfo structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo CMS_final
diff --git a/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3 b/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3
index 094d6ec487..beb54bdccc 100644
--- a/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3
+++ b/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_get0_RecipientInfos.3,v 1.8 2022/03/31 17:27:16 naddy Exp $
+.\" $OpenBSD: CMS_get0_RecipientInfos.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_GET0_RECIPIENTINFOS 3
 .Os
 .Sh NAME
@@ -64,6 +64,7 @@
 .Nm CMS_RecipientInfo_encrypt
 .Nd CMS EnvelopedData RecipientInfo routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft STACK_OF(CMS_RecipientInfo) *
 .Fo CMS_get0_RecipientInfos
diff --git a/src/lib/libcrypto/man/CMS_get0_SignerInfos.3 b/src/lib/libcrypto/man/CMS_get0_SignerInfos.3
index 017fdd40f2..f141508eb1 100644
--- a/src/lib/libcrypto/man/CMS_get0_SignerInfos.3
+++ b/src/lib/libcrypto/man/CMS_get0_SignerInfos.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_get0_SignerInfos.3,v 1.9 2024/01/22 14:00:13 tb Exp $
+.\" $OpenBSD: CMS_get0_SignerInfos.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 22 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_GET0_SIGNERINFOS 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm CMS_SignerInfo_set1_signer_cert
 .Nd CMS SignedData signer functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft STACK_OF(CMS_SignerInfo) *
 .Fo CMS_get0_SignerInfos
diff --git a/src/lib/libcrypto/man/CMS_get0_type.3 b/src/lib/libcrypto/man/CMS_get0_type.3
index 55adacd86d..5547de494a 100644
--- a/src/lib/libcrypto/man/CMS_get0_type.3
+++ b/src/lib/libcrypto/man/CMS_get0_type.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_get0_type.3,v 1.9 2023/07/27 05:31:28 tb Exp $
+.\" $OpenBSD: CMS_get0_type.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 27 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_GET0_TYPE 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm CMS_get0_content
 .Nd get and set CMS content types and content
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft const ASN1_OBJECT *
 .Fo CMS_get0_type
diff --git a/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 b/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
index 9feedd13a2..17a14c47e3 100644
--- a/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
+++ b/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_get1_ReceiptRequest.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_get1_ReceiptRequest.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_GET1_RECEIPTREQUEST 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm CMS_ReceiptRequest_get0_values
 .Nd CMS signed receipt request functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ReceiptRequest *
 .Fo CMS_ReceiptRequest_create0
diff --git a/src/lib/libcrypto/man/CMS_sign.3 b/src/lib/libcrypto/man/CMS_sign.3
index c9b26716d6..82f9ff9896 100644
--- a/src/lib/libcrypto/man/CMS_sign.3
+++ b/src/lib/libcrypto/man/CMS_sign.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_sign.3,v 1.12 2025/04/17 14:58:09 tb Exp $
+.\" $OpenBSD: CMS_sign.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 17 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_SIGN 3
 .Os
 .Sh NAME
 .Nm CMS_sign
 .Nd create a CMS SignedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ContentInfo *
 .Fo CMS_sign
diff --git a/src/lib/libcrypto/man/CMS_sign_receipt.3 b/src/lib/libcrypto/man/CMS_sign_receipt.3
index 6394957846..32807b26e1 100644
--- a/src/lib/libcrypto/man/CMS_sign_receipt.3
+++ b/src/lib/libcrypto/man/CMS_sign_receipt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_sign_receipt.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_sign_receipt.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_SIGN_RECEIPT 3
 .Os
 .Sh NAME
 .Nm CMS_sign_receipt
 .Nd create a CMS signed receipt
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ContentInfo *
 .Fo CMS_sign_receipt
diff --git a/src/lib/libcrypto/man/CMS_signed_add1_attr.3 b/src/lib/libcrypto/man/CMS_signed_add1_attr.3
index 1a50c0b9d1..10a959bba6 100644
--- a/src/lib/libcrypto/man/CMS_signed_add1_attr.3
+++ b/src/lib/libcrypto/man/CMS_signed_add1_attr.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_signed_add1_attr.3,v 1.5 2024/09/02 07:54:21 tb Exp $
+.\" $OpenBSD: CMS_signed_add1_attr.3,v 1.7 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Job Snijders <job@openbsd.org>
 .\" Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt CMS_SIGNED_ADD1_ATTR 3
 .Os
 .Sh NAME
@@ -42,6 +42,7 @@
 .Nm CMS_unsigned_get_attr_count
 .Nd change signed and unsigned attributes of a CMS SignerInfo object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo CMS_signed_add1_attr
@@ -72,19 +73,19 @@
 .Fa "const void *bytes"
 .Fa "int len"
 .Fc
-.Ft "X509_ATTRIBUTE *"
+.Ft X509_ATTRIBUTE *
 .Fo CMS_signed_delete_attr
 .Fa "CMS_SignerInfo *si"
 .Fa "int loc"
 .Fc
-.Ft "void *"
+.Ft void *
 .Fo CMS_signed_get0_data_by_OBJ
 .Fa "CMS_SignerInfo *si"
 .Fa "const ASN1_OBJECT *oid"
 .Fa "int start_after"
 .Fa "int type"
 .Fc
-.Ft "X509_ATTRIBUTE *"
+.Ft X509_ATTRIBUTE *
 .Fo CMS_signed_get_attr
 .Fa "const CMS_SignerInfo *si"
 .Fa "int loc"
@@ -134,19 +135,19 @@
 .Fa "const void *bytes"
 .Fa "int len"
 .Fc
-.Ft "X509_ATTRIBUTE *"
+.Ft X509_ATTRIBUTE *
 .Fo CMS_unsigned_delete_attr
 .Fa "CMS_SignerInfo *si"
 .Fa "int loc"
 .Fc
-.Ft "void *"
+.Ft void *
 .Fo CMS_unsigned_get0_data_by_OBJ
 .Fa "CMS_SignerInfo *si"
 .Fa "ASN1_OBJECT *oid"
 .Fa "int start_after"
 .Fa "int type"
 .Fc
-.Ft "X509_ATTRIBUTE *"
+.Ft X509_ATTRIBUTE *
 .Fo CMS_unsigned_get_attr
 .Fa "const CMS_SignerInfo *si"
 .Fa "int loc"
diff --git a/src/lib/libcrypto/man/CMS_uncompress.3 b/src/lib/libcrypto/man/CMS_uncompress.3
index ed2172521e..2a5e2f593b 100644
--- a/src/lib/libcrypto/man/CMS_uncompress.3
+++ b/src/lib/libcrypto/man/CMS_uncompress.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_uncompress.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_uncompress.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_UNCOMPRESS 3
 .Os
 .Sh NAME
 .Nm CMS_uncompress
 .Nd uncompress a CMS CompressedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo CMS_uncompress
diff --git a/src/lib/libcrypto/man/CMS_verify.3 b/src/lib/libcrypto/man/CMS_verify.3
index 63f1b8bb18..a8803b0595 100644
--- a/src/lib/libcrypto/man/CMS_verify.3
+++ b/src/lib/libcrypto/man/CMS_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_verify.3,v 1.10 2024/03/29 06:43:12 tb Exp $
+.\" $OpenBSD: CMS_verify.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_VERIFY 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm CMS_get0_signers
 .Nd verify a CMS SignedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo CMS_verify
diff --git a/src/lib/libcrypto/man/CMS_verify_receipt.3 b/src/lib/libcrypto/man/CMS_verify_receipt.3
index ac50087a4c..98f5c4ad91 100644
--- a/src/lib/libcrypto/man/CMS_verify_receipt.3
+++ b/src/lib/libcrypto/man/CMS_verify_receipt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_verify_receipt.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_verify_receipt.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_VERIFY_RECEIPT 3
 .Os
 .Sh NAME
 .Nm CMS_verify_receipt
 .Nd verify a CMS signed receipt
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo CMS_verify_receipt
diff --git a/src/lib/libcrypto/man/CONF_modules_free.3 b/src/lib/libcrypto/man/CONF_modules_free.3
index c5fb840942..ab299bcbda 100644
--- a/src/lib/libcrypto/man/CONF_modules_free.3
+++ b/src/lib/libcrypto/man/CONF_modules_free.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: CONF_modules_free.3,v 1.6 2023/07/21 10:46:54 tb Exp $
+.\"     $OpenBSD: CONF_modules_free.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 21 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CONF_MODULES_FREE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm CONF_modules_unload
 .Nd OpenSSL configuration cleanup functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/conf.h
 .Ft void
 .Fo CONF_modules_free
diff --git a/src/lib/libcrypto/man/CONF_modules_load_file.3 b/src/lib/libcrypto/man/CONF_modules_load_file.3
index d1bcd49a38..78cfc32f0d 100644
--- a/src/lib/libcrypto/man/CONF_modules_load_file.3
+++ b/src/lib/libcrypto/man/CONF_modules_load_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CONF_modules_load_file.3,v 1.14 2023/11/19 20:58:07 tb Exp $
+.\" $OpenBSD: CONF_modules_load_file.3,v 1.16 2025/06/09 12:43:53 schwarze Exp $
 .\" full merge up to: e9b77246 Jan 20 19:58:49 2017 +0100
 .\" selective merge up to: d090fc00 Feb 26 13:11:10 2019 +0800
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 9 2025 $
 .Dt CONF_MODULES_LOAD_FILE 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm X509_get_default_cert_area
 .Nd OpenSSL configuration functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/conf.h
 .Ft int
 .Fo CONF_modules_load_file
@@ -222,7 +223,6 @@ Load custom configuration file and section instead of the standard one,
 only print warnings on error, missing configuration file ignored:
 .Bd -literal
 OPENSSL_no_config();
-OPENSSL_load_builtin_modules();
 if (CONF_modules_load_file("/something/app.cnf", "myapp",
     CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
         fprintf(stderr, "WARNING: error loading configuration file\en");
@@ -233,11 +233,7 @@ if (CONF_modules_load_file("/something/app.cnf", "myapp",
 In the previous example, the call to
 .Xr OPENSSL_no_config 3
 is required first to suppress automatic loading
-of the standard configuration file, and the call to
-.Xr OPENSSL_load_builtin_modules 3
-is needed so that the configuration of builtin modules
-is loaded in addition to the configuration of
-.Qq myapp .
+of the standard configuration file.
 .Pp
 Load and parse configuration file manually, custom error handling:
 .Bd -literal
@@ -268,8 +264,7 @@ if (fp == NULL) {
 .Sh SEE ALSO
 .Xr CONF_modules_free 3 ,
 .Xr ERR 3 ,
-.Xr OPENSSL_config 3 ,
-.Xr OPENSSL_load_builtin_modules 3
+.Xr OPENSSL_config 3
 .Sh HISTORY
 .Fn X509_get_default_cert_area
 first appeared in SSLeay 0.4.1 and has been available since
diff --git a/src/lib/libcrypto/man/CRYPTO_lock.3 b/src/lib/libcrypto/man/CRYPTO_lock.3
index afc5eb54c5..7877dd5804 100644
--- a/src/lib/libcrypto/man/CRYPTO_lock.3
+++ b/src/lib/libcrypto/man/CRYPTO_lock.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: CRYPTO_lock.3,v 1.3 2024/03/14 22:09:40 tb Exp $
+.\"     $OpenBSD: CRYPTO_lock.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL doc/crypto/threads.pod fb552ac6 Sep 30 23:43:01 2009 +0000
 .\"
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 14 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CRYPTO_LOCK 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm CRYPTO_add
 .Nd thread support
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/crypto.h
 .Ft void
 .Fo CRYPTO_lock
diff --git a/src/lib/libcrypto/man/CRYPTO_memcmp.3 b/src/lib/libcrypto/man/CRYPTO_memcmp.3
index cbc0030c55..fbe092cb90 100644
--- a/src/lib/libcrypto/man/CRYPTO_memcmp.3
+++ b/src/lib/libcrypto/man/CRYPTO_memcmp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CRYPTO_memcmp.3,v 1.1 2019/08/25 06:20:22 schwarze Exp $
+.\" $OpenBSD: CRYPTO_memcmp.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 1075139c Jun 24 09:18:48 2019 +1000
 .\"
 .\" This file was written by Pauli <paul.dale@oracle.com>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 25 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CRYPTO_MEMCMP 3
 .Os
 .Sh NAME
 .Nm CRYPTO_memcmp
 .Nd constant time memory comparison
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/crypto.h
 .Ft int
 .Fo CRYPTO_memcmp
diff --git a/src/lib/libcrypto/man/CRYPTO_set_ex_data.3 b/src/lib/libcrypto/man/CRYPTO_set_ex_data.3
index c22fb22352..57cdbfb4ca 100644
--- a/src/lib/libcrypto/man/CRYPTO_set_ex_data.3
+++ b/src/lib/libcrypto/man/CRYPTO_set_ex_data.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CRYPTO_set_ex_data.3,v 1.15 2023/09/18 14:49:43 schwarze Exp $
+.\" $OpenBSD: CRYPTO_set_ex_data.3,v 1.16 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 18 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CRYPTO_SET_EX_DATA 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Nm CRYPTO_free_ex_data
 .Nd low-level functions for application specific data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/crypto.h
 .Ft int
 .Fo CRYPTO_get_ex_new_index
diff --git a/src/lib/libcrypto/man/CRYPTO_set_mem_functions.3 b/src/lib/libcrypto/man/CRYPTO_set_mem_functions.3
index d020d10ff6..4fc88339a8 100644
--- a/src/lib/libcrypto/man/CRYPTO_set_mem_functions.3
+++ b/src/lib/libcrypto/man/CRYPTO_set_mem_functions.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: CRYPTO_set_mem_functions.3,v 1.2 2025/03/08 17:17:09 tb Exp $
+.\"     $OpenBSD: CRYPTO_set_mem_functions.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 8 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CRYPTO_SET_MEM_FUNCTIONS 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm CRYPTO_mem_leaks_cb
 .Nd legacy OpenSSL memory allocation control
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/crypto.h
 .Ft int
 .Fo CRYPTO_set_mem_functions
diff --git a/src/lib/libcrypto/man/ChaCha.3 b/src/lib/libcrypto/man/ChaCha.3
index 9aae6d70cf..54cd597f6c 100644
--- a/src/lib/libcrypto/man/ChaCha.3
+++ b/src/lib/libcrypto/man/ChaCha.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ChaCha.3,v 1.3 2022/02/18 10:24:32 jsg Exp $
+.\" $OpenBSD: ChaCha.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 18 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CHACHA 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm CRYPTO_xchacha_20
 .Nd ChaCha20 stream cipher
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/chacha.h
 .Ft void
 .Fo ChaCha_set_key
diff --git a/src/lib/libcrypto/man/DES_set_key.3 b/src/lib/libcrypto/man/DES_set_key.3
index fd09d77730..3794285006 100644
--- a/src/lib/libcrypto/man/DES_set_key.3
+++ b/src/lib/libcrypto/man/DES_set_key.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DES_set_key.3,v 1.17 2024/05/24 19:18:07 tb Exp $
+.\" $OpenBSD: DES_set_key.3,v 1.18 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/DES_random_key 521738e9 Oct 5 14:58:30 2018 -0400
 .\"
@@ -115,7 +115,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: May 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DES_SET_KEY 3
 .Os
 .Sh NAME
@@ -151,6 +151,7 @@
 .Nm DES_crypt
 .Nd DES encryption
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/des.h
 .Ft void
 .Fo DES_random_key
diff --git a/src/lib/libcrypto/man/DH_generate_key.3 b/src/lib/libcrypto/man/DH_generate_key.3
index 076b49f7a1..c3158b8132 100644
--- a/src/lib/libcrypto/man/DH_generate_key.3
+++ b/src/lib/libcrypto/man/DH_generate_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DH_generate_key.3,v 1.12 2019/08/19 13:08:26 schwarze Exp $
+.\"     $OpenBSD: DH_generate_key.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 19 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DH_GENERATE_KEY 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm DH_compute_key
 .Nd perform Diffie-Hellman key exchange
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft int
 .Fo DH_generate_key
diff --git a/src/lib/libcrypto/man/DH_generate_parameters.3 b/src/lib/libcrypto/man/DH_generate_parameters.3
index ac29521ec4..f47475e3b1 100644
--- a/src/lib/libcrypto/man/DH_generate_parameters.3
+++ b/src/lib/libcrypto/man/DH_generate_parameters.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DH_generate_parameters.3,v 1.14 2022/07/13 13:47:59 schwarze Exp $
+.\" $OpenBSD: DH_generate_parameters.3,v 1.15 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" selective merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DH_GENERATE_PARAMETERS 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm DH_generate_parameters
 .Nd generate and check Diffie-Hellman parameters
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft int
 .Fo DH_generate_parameters_ex
diff --git a/src/lib/libcrypto/man/DH_get0_pqg.3 b/src/lib/libcrypto/man/DH_get0_pqg.3
index eb012980f9..e30d628c7f 100644
--- a/src/lib/libcrypto/man/DH_get0_pqg.3
+++ b/src/lib/libcrypto/man/DH_get0_pqg.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DH_get0_pqg.3,v 1.8 2024/07/21 08:36:43 tb Exp $
+.\" $OpenBSD: DH_get0_pqg.3,v 1.10 2025/06/13 18:34:00 schwarze Exp $
 .\" selective merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 21 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt DH_GET0_PQG 3
 .Os
 .Sh NAME
@@ -68,6 +68,7 @@
 .Nm DH_set_length
 .Nd get data from and set data in a DH object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft void
 .Fo DH_get0_pqg
@@ -76,15 +77,15 @@
 .Fa "const BIGNUM **q"
 .Fa "const BIGNUM **g"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DH_get0_p
 .Fa "const DH *dh"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DH_get0_q
 .Fa "const DH *dh"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DH_get0_g
 .Fa "const DH *dh"
 .Fc
@@ -101,11 +102,11 @@
 .Fa "const BIGNUM **pub_key"
 .Fa "const BIGNUM **priv_key"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DH_get0_pub_key
 .Fa "const DH *dh"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DH_get0_priv_key
 .Fa "const DH *dh"
 .Fc
diff --git a/src/lib/libcrypto/man/DH_get_ex_new_index.3 b/src/lib/libcrypto/man/DH_get_ex_new_index.3
index 81a0aff8ec..e0d1f1b813 100644
--- a/src/lib/libcrypto/man/DH_get_ex_new_index.3
+++ b/src/lib/libcrypto/man/DH_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DH_get_ex_new_index.3,v 1.5 2018/03/23 23:18:17 schwarze Exp $
+.\"     $OpenBSD: DH_get_ex_new_index.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DH_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm DH_get_ex_data
 .Nd add application specific data to DH structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft int
 .Fo DH_get_ex_new_index
diff --git a/src/lib/libcrypto/man/DH_new.3 b/src/lib/libcrypto/man/DH_new.3
index 4993456897..0e01a26733 100644
--- a/src/lib/libcrypto/man/DH_new.3
+++ b/src/lib/libcrypto/man/DH_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DH_new.3,v 1.12 2022/07/13 21:51:35 schwarze Exp $
+.\"     $OpenBSD: DH_new.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DH_NEW 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm DH_free
 .Nd allocate and free DH objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft DH*
 .Fn DH_new void
diff --git a/src/lib/libcrypto/man/DH_set_method.3 b/src/lib/libcrypto/man/DH_set_method.3
index 70cf367c9d..3491cf8f6e 100644
--- a/src/lib/libcrypto/man/DH_set_method.3
+++ b/src/lib/libcrypto/man/DH_set_method.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DH_set_method.3,v 1.9 2023/11/19 10:34:26 tb Exp $
+.\"     $OpenBSD: DH_set_method.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DH_SET_METHOD 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm DH_OpenSSL
 .Nd select DH method
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft void
 .Fo DH_set_default_method
diff --git a/src/lib/libcrypto/man/DH_size.3 b/src/lib/libcrypto/man/DH_size.3
index 4e6dbc0cba..09c019f366 100644
--- a/src/lib/libcrypto/man/DH_size.3
+++ b/src/lib/libcrypto/man/DH_size.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DH_size.3,v 1.10 2022/07/13 21:51:35 schwarze Exp $
+.\" $OpenBSD: DH_size.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DH_SIZE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm DH_bits
 .Nd get Diffie-Hellman prime size
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft int
 .Fo DH_size
diff --git a/src/lib/libcrypto/man/DIST_POINT_new.3 b/src/lib/libcrypto/man/DIST_POINT_new.3
index 6a5cc40468..e5aeb2a5d5 100644
--- a/src/lib/libcrypto/man/DIST_POINT_new.3
+++ b/src/lib/libcrypto/man/DIST_POINT_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DIST_POINT_new.3,v 1.5 2019/06/06 01:06:58 schwarze Exp $
+.\"     $OpenBSD: DIST_POINT_new.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DIST_POINT_NEW 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Nm ISSUING_DIST_POINT_free
 .Nd X.509 CRL distribution point extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft DIST_POINT *
 .Fn DIST_POINT_new void
diff --git a/src/lib/libcrypto/man/DSA_SIG_new.3 b/src/lib/libcrypto/man/DSA_SIG_new.3
index 160b453939..003f71f0f1 100644
--- a/src/lib/libcrypto/man/DSA_SIG_new.3
+++ b/src/lib/libcrypto/man/DSA_SIG_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DSA_SIG_new.3,v 1.8 2019/06/10 14:58:48 schwarze Exp $
+.\" $OpenBSD: DSA_SIG_new.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>,
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_SIG_NEW 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm DSA_SIG_set0
 .Nd manipulate DSA signature objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft DSA_SIG *
 .Fn DSA_SIG_new void
diff --git a/src/lib/libcrypto/man/DSA_do_sign.3 b/src/lib/libcrypto/man/DSA_do_sign.3
index 4602bed872..f7de537bf9 100644
--- a/src/lib/libcrypto/man/DSA_do_sign.3
+++ b/src/lib/libcrypto/man/DSA_do_sign.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_do_sign.3,v 1.10 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: DSA_do_sign.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_DO_SIGN 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm DSA_do_verify
 .Nd raw DSA signature operations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft DSA_SIG *
 .Fo DSA_do_sign
diff --git a/src/lib/libcrypto/man/DSA_dup_DH.3 b/src/lib/libcrypto/man/DSA_dup_DH.3
index d6163fd3c3..a3ec94f628 100644
--- a/src/lib/libcrypto/man/DSA_dup_DH.3
+++ b/src/lib/libcrypto/man/DSA_dup_DH.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_dup_DH.3,v 1.9 2023/08/12 08:26:38 tb Exp $
+.\"     $OpenBSD: DSA_dup_DH.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 12 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_DUP_DH 3
 .Os
 .Sh NAME
 .Nm DSA_dup_DH
 .Nd create a DH structure out of DSA structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft DH *
 .Fo DSA_dup_DH
diff --git a/src/lib/libcrypto/man/DSA_generate_key.3 b/src/lib/libcrypto/man/DSA_generate_key.3
index 37d8ec1c0f..161e0680cc 100644
--- a/src/lib/libcrypto/man/DSA_generate_key.3
+++ b/src/lib/libcrypto/man/DSA_generate_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_generate_key.3,v 1.11 2023/12/29 19:12:47 tb Exp $
+.\"     $OpenBSD: DSA_generate_key.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_GENERATE_KEY 3
 .Os
 .Sh NAME
 .Nm DSA_generate_key
 .Nd generate DSA key pair
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft int
 .Fo DSA_generate_key
diff --git a/src/lib/libcrypto/man/DSA_generate_parameters_ex.3 b/src/lib/libcrypto/man/DSA_generate_parameters_ex.3
index a318bf8298..fb610b8191 100644
--- a/src/lib/libcrypto/man/DSA_generate_parameters_ex.3
+++ b/src/lib/libcrypto/man/DSA_generate_parameters_ex.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_generate_parameters_ex.3,v 1.1 2023/12/29 19:15:15 tb Exp $
+.\"     $OpenBSD: DSA_generate_parameters_ex.3,v 1.2 2025/06/08 22:37:23 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 7 22:14:47 2015 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>,
@@ -49,15 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_GENERATE_PARAMETERS_EX 3
 .Os
 .Sh NAME
-.\" .Nm DSA_generate_parameters is intentionally undocumented
-.\" because it will be removed in the next major bump
 .Nm DSA_generate_parameters_ex
 .Nd generate DSA parameters
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft int
 .Fo DSA_generate_parameters_ex
diff --git a/src/lib/libcrypto/man/DSA_get0_pqg.3 b/src/lib/libcrypto/man/DSA_get0_pqg.3
index b82affba66..e609b6250d 100644
--- a/src/lib/libcrypto/man/DSA_get0_pqg.3
+++ b/src/lib/libcrypto/man/DSA_get0_pqg.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DSA_get0_pqg.3,v 1.11 2024/07/21 08:36:43 tb Exp $
+.\" $OpenBSD: DSA_get0_pqg.3,v 1.13 2025/06/13 18:34:00 schwarze Exp $
 .\" full merge up to: OpenSSL e90fc053 Jul 15 09:39:45 2017 -0400
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 21 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt DSA_GET0_PQG 3
 .Os
 .Sh NAME
@@ -67,6 +67,7 @@
 .Nm DSA_get0_engine
 .Nd get data from and set data in a DSA object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft void
 .Fo DSA_get0_pqg
@@ -75,15 +76,15 @@
 .Fa "const BIGNUM **q"
 .Fa "const BIGNUM **g"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DSA_get0_p
 .Fa "const DSA *d"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DSA_get0_q
 .Fa "const DSA *d"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DSA_get0_g
 .Fa "const DSA *d"
 .Fc
@@ -100,11 +101,11 @@
 .Fa "const BIGNUM **pub_key"
 .Fa "const BIGNUM **priv_key"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DSA_get0_pub_key
 .Fa "const DSA *d"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DSA_get0_priv_key
 .Fa "const DSA *d"
 .Fc
diff --git a/src/lib/libcrypto/man/DSA_get_ex_new_index.3 b/src/lib/libcrypto/man/DSA_get_ex_new_index.3
index 8fe055f337..477c011c53 100644
--- a/src/lib/libcrypto/man/DSA_get_ex_new_index.3
+++ b/src/lib/libcrypto/man/DSA_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_get_ex_new_index.3,v 1.5 2018/03/22 16:06:33 schwarze Exp $
+.\"     $OpenBSD: DSA_get_ex_new_index.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 22 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm DSA_get_ex_data
 .Nd add application specific data to DSA structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft int
 .Fo DSA_get_ex_new_index
diff --git a/src/lib/libcrypto/man/DSA_meth_new.3 b/src/lib/libcrypto/man/DSA_meth_new.3
index d89cd397b0..abd023346e 100644
--- a/src/lib/libcrypto/man/DSA_meth_new.3
+++ b/src/lib/libcrypto/man/DSA_meth_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DSA_meth_new.3,v 1.3 2022/07/10 13:41:59 schwarze Exp $
+.\" $OpenBSD: DSA_meth_new.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\" selective merge up to: OpenSSL c4d3c19b Apr 3 13:57:12 2018 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 10 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_METH_NEW 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm DSA_meth_set_finish
 .Nd build up DSA methods
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft DSA_METHOD *
 .Fo DSA_meth_new
diff --git a/src/lib/libcrypto/man/DSA_new.3 b/src/lib/libcrypto/man/DSA_new.3
index 5a958b58c4..5340bec4bd 100644
--- a/src/lib/libcrypto/man/DSA_new.3
+++ b/src/lib/libcrypto/man/DSA_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_new.3,v 1.14 2023/12/29 19:12:47 tb Exp $
+.\"     $OpenBSD: DSA_new.3,v 1.15 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_NEW 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm DSA_free
 .Nd allocate and free DSA objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft DSA*
 .Fn DSA_new void
diff --git a/src/lib/libcrypto/man/DSA_set_method.3 b/src/lib/libcrypto/man/DSA_set_method.3
index c60a3e29c3..f2a6eca57c 100644
--- a/src/lib/libcrypto/man/DSA_set_method.3
+++ b/src/lib/libcrypto/man/DSA_set_method.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_set_method.3,v 1.12 2024/05/11 06:53:19 tb Exp $
+.\"     $OpenBSD: DSA_set_method.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 11 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_SET_METHOD 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm DSA_OpenSSL
 .Nd select DSA method
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft void
 .Fo DSA_set_default_method
diff --git a/src/lib/libcrypto/man/DSA_sign.3 b/src/lib/libcrypto/man/DSA_sign.3
index 59f9042ba6..787dc903ea 100644
--- a/src/lib/libcrypto/man/DSA_sign.3
+++ b/src/lib/libcrypto/man/DSA_sign.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_sign.3,v 1.10 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: DSA_sign.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_SIGN 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm DSA_verify
 .Nd DSA signatures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft int
 .Fo DSA_sign
diff --git a/src/lib/libcrypto/man/DSA_size.3 b/src/lib/libcrypto/man/DSA_size.3
index 4786acc7e9..09ce80e132 100644
--- a/src/lib/libcrypto/man/DSA_size.3
+++ b/src/lib/libcrypto/man/DSA_size.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DSA_size.3,v 1.8 2022/07/13 21:44:23 schwarze Exp $
+.\" $OpenBSD: DSA_size.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_SIZE 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm DSA_bits
 .Nd get DSA signature or key size
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft int
 .Fo DSA_size
diff --git a/src/lib/libcrypto/man/ECDH_compute_key.3 b/src/lib/libcrypto/man/ECDH_compute_key.3
index 93cbf3c078..b0ae6ad34c 100644
--- a/src/lib/libcrypto/man/ECDH_compute_key.3
+++ b/src/lib/libcrypto/man/ECDH_compute_key.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ECDH_compute_key.3,v 1.4 2025/04/25 20:04:09 tb Exp $
+.\" $OpenBSD: ECDH_compute_key.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 25 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ECDH_COMPUTE_KEY 3
 .Os
 .Sh NAME
@@ -21,6 +21,7 @@
 .Nm ECDH_size
 .Nd Elliptic Curve Diffie-Hellman key exchange
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
 .Ft int
 .Fo ECDH_compute_key
diff --git a/src/lib/libcrypto/man/ECDSA_SIG_new.3 b/src/lib/libcrypto/man/ECDSA_SIG_new.3
index 8755fe7967..4554af035c 100644
--- a/src/lib/libcrypto/man/ECDSA_SIG_new.3
+++ b/src/lib/libcrypto/man/ECDSA_SIG_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ECDSA_SIG_new.3,v 1.22 2025/04/25 20:04:09 tb Exp $
+.\" $OpenBSD: ECDSA_SIG_new.3,v 1.24 2025/06/13 18:34:00 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\" selective merge up to: OpenSSL da4ea0cf Aug 5 16:13:24 2019 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2025 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt ECDSA_SIG_NEW 3
 .Os
 .Sh NAME
@@ -69,8 +69,9 @@
 .Nm ECDSA_do_verify
 .Nd Elliptic Curve Digital Signature Algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
-.Ft ECDSA_SIG*
+.Ft ECDSA_SIG *
 .Fo ECDSA_SIG_new
 .Fa void
 .Fc
@@ -84,11 +85,11 @@
 .Fa "const BIGNUM **r"
 .Fa "const BIGNUM **s"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo ECDSA_SIG_get0_r
 .Fa "const ECDSA_SIG *sig"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo ECDSA_SIG_get0_s
 .Fa "const ECDSA_SIG *sig"
 .Fc
@@ -103,7 +104,7 @@
 .Fa "const ECDSA_SIG *sig_in"
 .Fa "unsigned char **der_out"
 .Fc
-.Ft ECDSA_SIG*
+.Ft ECDSA_SIG *
 .Fo d2i_ECDSA_SIG
 .Fa "ECDSA_SIG **sig_out"
 .Fa "const unsigned char **der_in"
@@ -131,7 +132,7 @@
 .Fa "int siglen"
 .Fa "EC_KEY *eckey"
 .Fc
-.Ft ECDSA_SIG*
+.Ft ECDSA_SIG *
 .Fo ECDSA_do_sign
 .Fa "const unsigned char *dgst"
 .Fa "int dgst_len"
diff --git a/src/lib/libcrypto/man/EC_GROUP_check.3 b/src/lib/libcrypto/man/EC_GROUP_check.3
index e000be212b..146c3d255d 100644
--- a/src/lib/libcrypto/man/EC_GROUP_check.3
+++ b/src/lib/libcrypto/man/EC_GROUP_check.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_GROUP_check.3,v 1.1 2025/04/25 19:57:12 tb Exp $
+.\" $OpenBSD: EC_GROUP_check.3,v 1.6 2025/07/04 05:16:56 jsg Exp $
 .\"
 .\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 25 2025 $
+.Dd $Mdocdate: July 4 2025 $
 .Dt EC_GROUP_CHECK 3
 .Os
 .Sh NAME
@@ -24,17 +24,18 @@
 .Vt EC_GROUP
 objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .In openssl/ec.h
 .Pp
 Deprecated:
 .Pp
-.Ft "int"
+.Ft int
 .Fo EC_GROUP_check_discriminant
 .Fa "const EC_GROUP *group"
 .Fa "BN_CTX *ctx"
 .Fc
-.Ft "int"
+.Ft int
 .Fo EC_GROUP_check
 .Fa "const EC_GROUP *group"
 .Fa "BN_CTX *ctx"
@@ -43,8 +44,8 @@ Deprecated:
 These functions are deprecated.
 Only standardized curves built into the library should be used, see
 .Xr EC_GROUP_new_by_curve_name 3 .
-For builtin curves far more thorough checks than the minimal checks
-performed by these functions have been performed.
+Builtin curves went through far more thorough checking than
+the minimal, incomplete tests performed by these functions.
 .Pp
 These functions have an optional
 .Fa ctx
@@ -67,7 +68,7 @@ this implies that the Weierstrass equation defines an elliptic curve.
 .Fn EC_GROUP_check
 partially verifies that
 .Fa group
-represents an an elliptic curve and that
+represents an elliptic curve and that
 .Fa generator
 is a point on the curve whose order divides
 .Fa order .
@@ -79,17 +80,19 @@ and then verifies that that
 is non-zero and that the product
 .Fa generator No * Fa order
 is the point at infinity.
-This implies that
+This implies that the
 .Fa order
+set on
+.Fa group
 is an integer multiple of the
 .Fa generator Ns 's
-.Fa order .
+order.
 The verification that
 .Fa p
 is a prime
 and that
 .Fa order
-is the
+is equal to the
 .Fa generator Ns 's
 order are skipped because they are too expensive.
 .Sh RETURN VALUES
diff --git a/src/lib/libcrypto/man/EC_GROUP_get_curve_name.3 b/src/lib/libcrypto/man/EC_GROUP_get_curve_name.3
index 438debd7d1..940aa3c1a1 100644
--- a/src/lib/libcrypto/man/EC_GROUP_get_curve_name.3
+++ b/src/lib/libcrypto/man/EC_GROUP_get_curve_name.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_GROUP_get_curve_name.3,v 1.2 2025/04/26 05:31:27 tb Exp $
+.\" $OpenBSD: EC_GROUP_get_curve_name.3,v 1.4 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 26 2025 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt EC_GROUP_GET_CURVE_NAME 3
 .Os
 .Sh NAME
@@ -32,6 +32,7 @@
 .Vt EC_GROUP
 and related objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
 .Ft int
 .Fo EC_GROUP_get_curve_name
@@ -51,7 +52,7 @@ and related objects
 .Fa "EC_GROUP *group"
 .Fa "int flag"
 .Fc
-.Ft "unsigned char *"
+.Ft unsigned char *
 .Fo EC_GROUP_get0_seed
 .Fa "const EC_GROUP *group"
 .Fc
diff --git a/src/lib/libcrypto/man/EC_GROUP_new_by_curve_name.3 b/src/lib/libcrypto/man/EC_GROUP_new_by_curve_name.3
index 216dc56c3f..e05365874f 100644
--- a/src/lib/libcrypto/man/EC_GROUP_new_by_curve_name.3
+++ b/src/lib/libcrypto/man/EC_GROUP_new_by_curve_name.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_GROUP_new_by_curve_name.3,v 1.2 2025/04/28 17:41:55 tb Exp $
+.\" $OpenBSD: EC_GROUP_new_by_curve_name.3,v 1.4 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2024, 2025 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 28 2025 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt EC_GROUP_NEW_BY_CURVE_NAME 3
 .Os
 .Sh NAME
@@ -27,10 +27,11 @@
 .Nm EC_curve_nist2nid
 .Nd instantiate named curves built into libcrypto
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .In openssl/ec.h
 .In openssl/objects.h
-.Ft "EC_GROUP *"
+.Ft EC_GROUP *
 .Fo EC_GROUP_new_by_curve_name
 .Fa "int nid"
 .Fc
@@ -64,7 +65,7 @@ typedef struct {
 .Fo EC_curve_nist2nid
 .Fa "const char *name"
 .Fc
-.Ft "const char *"
+.Ft const char *
 .Fo EC_curve_nid2nist
 .Fa "int nid"
 .Fc
diff --git a/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3 b/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3
index 3346bd80ef..038deff434 100644
--- a/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3
+++ b/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_GROUP_new_curve_GFp.3,v 1.2 2025/04/26 07:07:29 tb Exp $
+.\" $OpenBSD: EC_GROUP_new_curve_GFp.3,v 1.5 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 26 2025 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt EC_GROUP_NEW_CURVE_GFP 3
 .Os
 .Sh NAME
@@ -32,9 +32,10 @@
 .Nm EC_GROUP_get_curve_GFp
 .Nd define elliptic curves and retrieve information from them
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .In openssl/ec.h
-.Ft "EC_GROUP *"
+.Ft EC_GROUP *
 .Fo EC_GROUP_new_curve_GFp
 .Fa "const BIGNUM *p"
 .Fa "const BIGNUM *a"
@@ -64,7 +65,7 @@
 .Fa "const BIGNUM *order"
 .Fa "const BIGNUM *cofactor"
 .Fc
-.Ft "const EC_POINT *"
+.Ft const EC_POINT *
 .Fo EC_GROUP_get0_generator
 .Fa "const EC_GROUP *group"
 .Fc
@@ -125,7 +126,9 @@ elliptic curves in Weierstrass form.
 These curves are defined over the prime field of order
 .Fa p
 via the Weierstrass equation
+.Pp
 .Dl y^2 = x^3 + ax + b
+.Pp
 where
 .Fa a
 and
@@ -143,7 +146,9 @@ the product of
 and another integer called the
 .Fa cofactor .
 Hasse's theorem is the inequality
+.Pp
 .Dl | Ns Fa order No * Fa cofactor No - (p + 1)| <= 2 sqrt(p)
+.Pp
 which implies an upper bound on
 .Fa order
 in terms of
@@ -445,7 +450,7 @@ have been available since
 Too many.
 The API is unergonomic and the design is very poor even by
 OpenSSL's standards.
-Naming is inconsistent, especially in regards to the _GFp suffix
+Naming is inconsistent, especially in regard to the _GFp suffix
 and the _get_ infix.
 Function signatures are inconsistent.
 In particular, functions that should have a
diff --git a/src/lib/libcrypto/man/EC_KEY_METHOD_new.3 b/src/lib/libcrypto/man/EC_KEY_METHOD_new.3
index 5f5795d5cc..a0ab6bac9e 100644
--- a/src/lib/libcrypto/man/EC_KEY_METHOD_new.3
+++ b/src/lib/libcrypto/man/EC_KEY_METHOD_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_KEY_METHOD_new.3,v 1.5 2025/04/25 19:57:12 tb Exp $
+.\" $OpenBSD: EC_KEY_METHOD_new.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 25 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EC_KEY_METHOD_NEW 3
 .Os
 .Sh NAME
@@ -37,6 +37,7 @@
 .Nm EC_KEY_get_method
 .Nd custom EC_KEY implementations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
 .Ft EC_KEY_METHOD *
 .Fo EC_KEY_METHOD_new
diff --git a/src/lib/libcrypto/man/EC_KEY_new.3 b/src/lib/libcrypto/man/EC_KEY_new.3
index a2592a20ae..41ebbbe878 100644
--- a/src/lib/libcrypto/man/EC_KEY_new.3
+++ b/src/lib/libcrypto/man/EC_KEY_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_KEY_new.3,v 1.22 2025/04/25 19:57:12 tb Exp $
+.\" $OpenBSD: EC_KEY_new.3,v 1.23 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 3aef36ff Jan 5 13:06:03 2016 -0500
 .\" partial merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EC_KEY_NEW 3
 .Os
 .Sh NAME
@@ -81,6 +81,7 @@
 .Nm EC_KEY_print_fp
 .Nd create, destroy and manipulate EC_KEY objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
 .In openssl/bn.h
 .Ft EC_KEY *
diff --git a/src/lib/libcrypto/man/EC_POINT_add.3 b/src/lib/libcrypto/man/EC_POINT_add.3
index 9c75f0dcd3..28f3143a8d 100644
--- a/src/lib/libcrypto/man/EC_POINT_add.3
+++ b/src/lib/libcrypto/man/EC_POINT_add.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EC_POINT_add.3,v 1.16 2025/04/25 19:57:12 tb Exp $
+.\"     $OpenBSD: EC_POINT_add.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EC_POINT_ADD 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm EC_POINT_mul
 .Nd perform mathematical operations and tests on EC_POINT objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
 .In openssl/bn.h
 .Ft int
diff --git a/src/lib/libcrypto/man/EC_POINT_get_affine_coordinates.3 b/src/lib/libcrypto/man/EC_POINT_get_affine_coordinates.3
index b36d480530..76ef516307 100644
--- a/src/lib/libcrypto/man/EC_POINT_get_affine_coordinates.3
+++ b/src/lib/libcrypto/man/EC_POINT_get_affine_coordinates.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_POINT_get_affine_coordinates.3,v 1.1 2025/04/25 19:57:12 tb Exp $
+.\" $OpenBSD: EC_POINT_get_affine_coordinates.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 25 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EC_POINT_GET_AFFINE_COORDINATES 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm EC_POINT_set_compressed_coordinates_GFp
 .Nd get and set coordinates of elliptic curve points
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .In openssl/ec.h
 .Pp
diff --git a/src/lib/libcrypto/man/EC_POINT_new.3 b/src/lib/libcrypto/man/EC_POINT_new.3
index cfc988f294..0a797f8bc9 100644
--- a/src/lib/libcrypto/man/EC_POINT_new.3
+++ b/src/lib/libcrypto/man/EC_POINT_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_POINT_new.3,v 1.18 2025/04/25 19:57:12 tb Exp $
+.\" $OpenBSD: EC_POINT_new.3,v 1.21 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 25 2025 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt EC_POINT_NEW 3
 .Os
 .Sh NAME
@@ -25,26 +25,27 @@
 .Nm EC_POINT_dup
 .Nd allocate, free and copy elliptic curve points
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
 .Pp
-.Ft "EC_POINT *"
+.Ft EC_POINT *
 .Fo EC_POINT_new
 .Fa "const EC_GROUP *group"
 .Fc
-.Ft "void"
+.Ft void
 .Fo EC_POINT_free
 .Fa "EC_POINT *point"
 .Fc
-.Ft "void"
+.Ft void
 .Fo EC_POINT_clear_free
 .Fa "EC_POINT *point"
 .Fc
-.Ft "int"
+.Ft int
 .Fo EC_POINT_copy
 .Fa "EC_POINT *dst"
 .Fa "const EC_POINT *src"
 .Fc
-.Ft "EC_POINT *"
+.Ft EC_POINT *
 .Fo EC_POINT_dup
 .Fa "const EC_POINT *point"
 .Fa "const EC_GROUP *group"
@@ -178,7 +179,7 @@ A fundamental flaw in the OpenSSL API toolkit is that
 .Fn *_new
 functions usually create invalid objects that are tricky to
 turn into valid objects.
-A fundamental flaw in the EC library is that
+One specific flaw in the EC library internals is that
 .Vt EC_POINT
 objects do not hold a reference to the group they live on
 despite the fact that
@@ -191,12 +192,12 @@ This is difficult to fix because
 objects are not reference counted and
 because of const qualifiers in the API.
 This is the root cause for various contortions in the EC library
-and API.
-This has security implications because not
+and API and
+there are security implications because not
 only does the library not know whether an
 .Fa EC_POINT
 object represents a valid point,
-even if it did know that it would not know on what curve.
+even if it did know that it would still not know on what curve.
 .Pp
 The signature of
 .Fn EC_GROUP_dup
diff --git a/src/lib/libcrypto/man/EC_POINT_point2oct.3 b/src/lib/libcrypto/man/EC_POINT_point2oct.3
index ebb09f8001..ac89c9b1d4 100644
--- a/src/lib/libcrypto/man/EC_POINT_point2oct.3
+++ b/src/lib/libcrypto/man/EC_POINT_point2oct.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_POINT_point2oct.3,v 1.2 2025/04/26 09:03:03 tb Exp $
+.\" $OpenBSD: EC_POINT_point2oct.3,v 1.6 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 26 2025 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt EC_POINT_POINT2OCT 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm EC_POINT_hex2point
 .Nd encode and decode elliptic curve points
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .In openssl/ec.h
 .Bd -literal
@@ -53,7 +54,7 @@ typedef enum {
 .Fa "size_t len"
 .Fa "BN_CTX *ctx"
 .Fc
-.Ft "BIGNUM *"
+.Ft BIGNUM *
 .Fo EC_POINT_point2bn
 .Fa "const EC_GROUP *group"
 .Fa "const EC_POINT *point"
@@ -61,21 +62,21 @@ typedef enum {
 .Fa "BIGNUM *bn"
 .Fa "BN_CTX *ctx"
 .Fc
-.Ft "EC_POINT *"
+.Ft EC_POINT *
 .Fo EC_POINT_bn2point
 .Fa "const EC_GROUP *group"
 .Fa "const BIGNUM *bn"
 .Fa "EC_POINT *point"
 .Fa "BN_CTX *ctx"
 .Fc
-.Ft "char *"
+.Ft char *
 .Fo EC_POINT_point2hex
 .Fa "const EC_GROUP *group"
 .Fa "const EC_POINT *point"
 .Fa "point_conversion_form_t form"
 .Fa "BN_CTX *ctx"
 .Fc
-.Ft "EC_POINT *"
+.Ft EC_POINT *
 .Fo EC_POINT_hex2point
 .Fa "const EC_GROUP *group"
 .Fa "const char *hex"
@@ -95,7 +96,9 @@ object.
 It is either the point at infinity or it has a representation
 (x, y) in standard affine coordinates,
 in which case it satisfies the curve's Weierstrass equation
+.Pp
 .Dl y^2 = x^3 + ax + b
+.Pp
 in the prime field of size p.
 Thus, y is a square root of x^3 + ax + b.
 Since p > 3 is odd, p - y is another square root
@@ -152,7 +155,7 @@ is not
 and its length
 .Fa len
 is sufficiently big,
-.Fn EC_POINT_point2oct 3
+.Fn EC_POINT_point2oct
 writes the
 .Fa point Ns 's
 encoding of type
@@ -242,7 +245,7 @@ The string must be freed by the caller using
 is equivalent to
 .Fn EC_POINT_point2bn
 followed by
-.Fn BN_bn2hex 3 .
+.Xr BN_bn2hex 3 .
 .Pp
 .Fn EC_POINT_hex2point
 interprets
diff --git a/src/lib/libcrypto/man/ENGINE_new.3 b/src/lib/libcrypto/man/ENGINE_new.3
index 55ed963563..f70adecc17 100644
--- a/src/lib/libcrypto/man/ENGINE_new.3
+++ b/src/lib/libcrypto/man/ENGINE_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ENGINE_new.3,v 1.10 2023/11/19 21:13:47 tb Exp $
+.\" $OpenBSD: ENGINE_new.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ENGINE_NEW 3
 .Os
 .Sh NAME
@@ -40,6 +40,7 @@
 .Nm ENGINE_cleanup
 .Nd ENGINE stub functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/engine.h
 .Ft ENGINE *
 .Fn ENGINE_new void
diff --git a/src/lib/libcrypto/man/ERR.3 b/src/lib/libcrypto/man/ERR.3
index 8f17e7a329..7d67c4f556 100644
--- a/src/lib/libcrypto/man/ERR.3
+++ b/src/lib/libcrypto/man/ERR.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR.3,v 1.11 2023/07/26 20:15:51 tb Exp $
+.\"     $OpenBSD: ERR.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 186bb907 Apr 13 11:05:13 2015 -0700
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 26 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR 3
 .Os
 .Sh NAME
 .Nm ERR
 .Nd OpenSSL error codes
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Sh DESCRIPTION
 When a call to the OpenSSL library fails, this is usually signaled by
diff --git a/src/lib/libcrypto/man/ERR_GET_LIB.3 b/src/lib/libcrypto/man/ERR_GET_LIB.3
index bc14f0e2ac..754f7fafe3 100644
--- a/src/lib/libcrypto/man/ERR_GET_LIB.3
+++ b/src/lib/libcrypto/man/ERR_GET_LIB.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_GET_LIB.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: ERR_GET_LIB.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL doc/man3/ERR_GET_LIB.pod 3dfda1a6 Dec 12 11:14:40 2016 -0500
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_GET_LIB 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm ERR_FATAL_ERROR
 .Nd get library, function and reason codes for OpenSSL errors
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft int
 .Fo ERR_GET_LIB
diff --git a/src/lib/libcrypto/man/ERR_asprintf_error_data.3 b/src/lib/libcrypto/man/ERR_asprintf_error_data.3
index 4291dea23e..edd8655d6d 100644
--- a/src/lib/libcrypto/man/ERR_asprintf_error_data.3
+++ b/src/lib/libcrypto/man/ERR_asprintf_error_data.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ERR_asprintf_error_data.3,v 1.3 2024/08/29 20:23:21 tb Exp $
+.\" $OpenBSD: ERR_asprintf_error_data.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Bob Beck <beck@openbsd.org>
 .\"
@@ -13,13 +13,14 @@
 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd $Mdocdate: August 29 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_ASPRINTF_ERROR_DATA 3
 .Os
 .Sh NAME
 .Nm ERR_asprintf_error_data
 .Nd record a LibreSSL error using a formatted string
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft void
 .Fo ERR_asprintf_error_data
diff --git a/src/lib/libcrypto/man/ERR_clear_error.3 b/src/lib/libcrypto/man/ERR_clear_error.3
index 54f563e166..d39ac11956 100644
--- a/src/lib/libcrypto/man/ERR_clear_error.3
+++ b/src/lib/libcrypto/man/ERR_clear_error.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_clear_error.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: ERR_clear_error.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_CLEAR_ERROR 3
 .Os
 .Sh NAME
 .Nm ERR_clear_error
 .Nd clear the OpenSSL error queue
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft void
 .Fn ERR_clear_error void
diff --git a/src/lib/libcrypto/man/ERR_error_string.3 b/src/lib/libcrypto/man/ERR_error_string.3
index 60f9132859..a1df20fe70 100644
--- a/src/lib/libcrypto/man/ERR_error_string.3
+++ b/src/lib/libcrypto/man/ERR_error_string.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_error_string.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: ERR_error_string.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_ERROR_STRING 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm ERR_reason_error_string
 .Nd obtain human-readable OpenSSL error messages
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft char *
 .Fo ERR_error_string
diff --git a/src/lib/libcrypto/man/ERR_get_error.3 b/src/lib/libcrypto/man/ERR_get_error.3
index f3bcc09cbc..c592c34528 100644
--- a/src/lib/libcrypto/man/ERR_get_error.3
+++ b/src/lib/libcrypto/man/ERR_get_error.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_get_error.3,v 1.8 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: ERR_get_error.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_GET_ERROR 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm ERR_peek_last_error_line_data
 .Nd obtain OpenSSL error code and data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft unsigned long
 .Fn ERR_get_error void
diff --git a/src/lib/libcrypto/man/ERR_load_crypto_strings.3 b/src/lib/libcrypto/man/ERR_load_crypto_strings.3
index 2bca8af60f..13da93e22d 100644
--- a/src/lib/libcrypto/man/ERR_load_crypto_strings.3
+++ b/src/lib/libcrypto/man/ERR_load_crypto_strings.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ERR_load_crypto_strings.3,v 1.12 2024/03/05 19:21:31 tb Exp $
+.\" $OpenBSD: ERR_load_crypto_strings.3,v 1.14 2025/06/08 22:58:09 schwarze Exp $
 .\" full merge up to: OpenSSL f672aee4 Feb 9 11:52:40 2016 -0500
 .\" selective merge up to: OpenSSL b3696a55 Sep 2 09:35:50 2017 -0400
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_LOAD_CRYPTO_STRINGS 3
 .Os
 .Sh NAME
@@ -101,11 +101,14 @@
 .\" ERR_load_X509_strings()
 .\" ERR_load_X509V3_strings()
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft void
 .Fn ERR_load_crypto_strings void
 .Ft void
 .Fn ERR_free_strings void
+.Pp
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_load_error_strings void
diff --git a/src/lib/libcrypto/man/ERR_load_strings.3 b/src/lib/libcrypto/man/ERR_load_strings.3
index 1020743954..9697742404 100644
--- a/src/lib/libcrypto/man/ERR_load_strings.3
+++ b/src/lib/libcrypto/man/ERR_load_strings.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_load_strings.3,v 1.8 2024/07/26 03:40:43 tb Exp $
+.\"     $OpenBSD: ERR_load_strings.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 26 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_LOAD_STRINGS 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm ERR_get_next_error_library
 .Nd load arbitrary OpenSSL error strings
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft void
 .Fo ERR_load_strings
diff --git a/src/lib/libcrypto/man/ERR_print_errors.3 b/src/lib/libcrypto/man/ERR_print_errors.3
index a5c7c03287..4d6f8d3717 100644
--- a/src/lib/libcrypto/man/ERR_print_errors.3
+++ b/src/lib/libcrypto/man/ERR_print_errors.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_print_errors.3,v 1.8 2020/03/28 22:40:58 schwarze Exp $
+.\"     $OpenBSD: ERR_print_errors.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>,
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 28 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_PRINT_ERRORS 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm ERR_print_errors_cb
 .Nd print OpenSSL error messages
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft void
 .Fo ERR_print_errors
diff --git a/src/lib/libcrypto/man/ERR_put_error.3 b/src/lib/libcrypto/man/ERR_put_error.3
index 37e1b4d1ab..1af0e37826 100644
--- a/src/lib/libcrypto/man/ERR_put_error.3
+++ b/src/lib/libcrypto/man/ERR_put_error.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_put_error.3,v 1.11 2024/08/29 20:23:21 tb Exp $
+.\"     $OpenBSD: ERR_put_error.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 29 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_PUT_ERROR 3
 .Os
 .Sh NAME
 .Nm ERR_put_error
 .Nd record an OpenSSL error
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft void
 .Fo ERR_put_error
diff --git a/src/lib/libcrypto/man/ERR_remove_state.3 b/src/lib/libcrypto/man/ERR_remove_state.3
index bc28f15dea..c05810d778 100644
--- a/src/lib/libcrypto/man/ERR_remove_state.3
+++ b/src/lib/libcrypto/man/ERR_remove_state.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_remove_state.3,v 1.7 2020/03/28 22:40:58 schwarze Exp $
+.\"     $OpenBSD: ERR_remove_state.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 28 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_REMOVE_STATE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm ERR_remove_state
 .Nd free a thread's OpenSSL error queue
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft void
 .Fo ERR_remove_thread_state
diff --git a/src/lib/libcrypto/man/ERR_set_mark.3 b/src/lib/libcrypto/man/ERR_set_mark.3
index 2f3486d8c0..88b1be88b5 100644
--- a/src/lib/libcrypto/man/ERR_set_mark.3
+++ b/src/lib/libcrypto/man/ERR_set_mark.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_set_mark.3,v 1.4 2018/03/23 00:09:11 schwarze Exp $
+.\"     $OpenBSD: ERR_set_mark.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Richard Levitte <levitte@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_SET_MARK 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm ERR_pop_to_mark
 .Nd set marks and pop OpenSSL errors until mark
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft int
 .Fn ERR_set_mark void
diff --git a/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3 b/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3
index 4baabbcd99..7014d008af 100644
--- a/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3
+++ b/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ESS_SIGNING_CERT_new.3,v 1.5 2019/06/06 01:06:58 schwarze Exp $
+.\"     $OpenBSD: ESS_SIGNING_CERT_new.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ESS_SIGNING_CERT_NEW 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm ESS_ISSUER_SERIAL_free
 .Nd signing certificates for S/MIME
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ts.h
 .Ft ESS_SIGNING_CERT *
 .Fn ESS_SIGNING_CERT_new void
diff --git a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
index 8b3b8adb0f..41a829c675 100644
--- a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
+++ b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.16 2024/07/21 08:36:43 tb Exp $
+.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2014, Google Inc.
 .\" Parts of the text were written by Adam Langley and David Benjamin.
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 21 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_AEAD_CTX_INIT 3
 .Os
 .Sh NAME
@@ -37,6 +37,7 @@
 .Nm EVP_aead_xchacha20_poly1305
 .Nd authenticated encryption with additional data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_AEAD_CTX *
 .Fn EVP_AEAD_CTX_new void
diff --git a/src/lib/libcrypto/man/EVP_BytesToKey.3 b/src/lib/libcrypto/man/EVP_BytesToKey.3
index 1f78b4de06..060335744e 100644
--- a/src/lib/libcrypto/man/EVP_BytesToKey.3
+++ b/src/lib/libcrypto/man/EVP_BytesToKey.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_BytesToKey.3,v 1.9 2024/12/05 15:12:37 schwarze Exp $
+.\" $OpenBSD: EVP_BytesToKey.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_BYTESTOKEY 3
 .Os
 .Sh NAME
 .Nm EVP_BytesToKey
 .Nd password based encryption routine
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_BytesToKey
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_CTX_ctrl.3 b/src/lib/libcrypto/man/EVP_CIPHER_CTX_ctrl.3
index d7ab36e711..8aaf2cc385 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_CTX_ctrl.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_CIPHER_CTX_ctrl.3,v 1.4 2025/03/25 11:54:34 tb Exp $
+.\" $OpenBSD: EVP_CIPHER_CTX_ctrl.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
 .\"
 .\" This file is a derived work.
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 25 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CIPHER_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm EVP_CIPHER_CTX_get_iv
 .Nd configure EVP cipher contexts
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_CIPHER_CTX_ctrl
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_CTX_get_cipher_data.3 b/src/lib/libcrypto/man/EVP_CIPHER_CTX_get_cipher_data.3
index 4f75c8b008..a549ea25f6 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_CTX_get_cipher_data.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_CTX_get_cipher_data.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_CIPHER_CTX_get_cipher_data.3,v 1.3 2023/08/26 15:12:04 schwarze Exp $
+.\" $OpenBSD: EVP_CIPHER_CTX_get_cipher_data.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 26 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CIPHER_CTX_GET_CIPHER_DATA 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm EVP_CIPHER_CTX_buf_noconst
 .Nd inspect and modify EVP_CIPHER_CTX objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft void *
 .Fo EVP_CIPHER_CTX_get_cipher_data
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3 b/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3
index 79a8e540af..7b1d81bafa 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_CIPHER_CTX_init.3,v 1.4 2024/12/06 15:01:01 schwarze Exp $
+.\" $OpenBSD: EVP_CIPHER_CTX_init.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CIPHER_CTX_INIT 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm EVP_Cipher
 .Nd obsolete EVP cipher functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_CIPHER_CTX_init
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_CTX_set_flags.3 b/src/lib/libcrypto/man/EVP_CIPHER_CTX_set_flags.3
index 67ef8679bc..0d86050ae6 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_CTX_set_flags.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_CTX_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_CIPHER_CTX_set_flags.3,v 1.2 2023/09/06 16:26:49 schwarze Exp $
+.\" $OpenBSD: EVP_CIPHER_CTX_set_flags.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
 .\"
 .\" This file is a derived work.
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 6 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CIPHER_CTX_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -86,6 +86,7 @@
 .Nm EVP_CIPHER_CTX_set_app_data
 .Nd unusual EVP cipher context configuration
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft void
 .Fo EVP_CIPHER_CTX_set_flags
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_do_all.3 b/src/lib/libcrypto/man/EVP_CIPHER_do_all.3
index e912044978..342cf372df 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_do_all.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_do_all.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_CIPHER_do_all.3,v 1.3 2024/03/14 23:54:55 tb Exp $
+.\" $OpenBSD: EVP_CIPHER_do_all.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2023,2024 Theo Buehler <tb@openbsd.org>
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 14 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CIPHER_DO_ALL 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm OBJ_NAME_do_all_sorted
 .Nd iterate over lookup tables for ciphers and digests
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft void
 .Fo EVP_CIPHER_do_all
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_meth_new.3 b/src/lib/libcrypto/man/EVP_CIPHER_meth_new.3
index 187dab6d8a..f831b20c3d 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_meth_new.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_meth_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_CIPHER_meth_new.3,v 1.6 2024/03/04 09:49:07 tb Exp $
+.\" $OpenBSD: EVP_CIPHER_meth_new.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\" selective merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 4 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CIPHER_METH_NEW 3
 .Os
 .Sh NAME
@@ -84,6 +84,7 @@
 .Nm EVP_CIPHER_meth_set_ctrl
 .Nd Routines to build up EVP_CIPHER methods
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_CIPHER *
 .Fo EVP_CIPHER_meth_new
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_nid.3 b/src/lib/libcrypto/man/EVP_CIPHER_nid.3
index 1feff4f34e..6152c389c8 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_nid.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_nid.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_CIPHER_nid.3,v 1.3 2023/09/05 14:54:21 schwarze Exp $
+.\" $OpenBSD: EVP_CIPHER_nid.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL man3/EVP_EncryptInit.pod
 .\"   0874d7f2 Oct 11 13:13:47 2022 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 5 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CIPHER_NID 3
 .Os
 .Sh NAME
@@ -83,6 +83,7 @@
 .Nm EVP_CIPHER_CTX_mode
 .Nd inspect EVP_CIPHER objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_CIPHER_nid
diff --git a/src/lib/libcrypto/man/EVP_DigestInit.3 b/src/lib/libcrypto/man/EVP_DigestInit.3
index 2a634540c7..1457d65e40 100644
--- a/src/lib/libcrypto/man/EVP_DigestInit.3
+++ b/src/lib/libcrypto/man/EVP_DigestInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_DigestInit.3,v 1.38 2025/04/17 14:58:09 tb Exp $
+.\" $OpenBSD: EVP_DigestInit.3,v 1.39 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 7f572e95 Dec 2 13:57:04 2015 +0000
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -70,7 +70,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 17 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_DIGESTINIT 3
 .Os
 .Sh NAME
@@ -103,6 +103,7 @@
 .Nm EVP_get_digestbyobj
 .Nd EVP digest routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_MD_CTX *
 .Fn EVP_MD_CTX_new void
diff --git a/src/lib/libcrypto/man/EVP_DigestSignInit.3 b/src/lib/libcrypto/man/EVP_DigestSignInit.3
index caf519e28c..46b8acbd3c 100644
--- a/src/lib/libcrypto/man/EVP_DigestSignInit.3
+++ b/src/lib/libcrypto/man/EVP_DigestSignInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_DigestSignInit.3,v 1.15 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_DigestSignInit.3,v 1.16 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 28428130 Apr 17 15:18:40 2018 +0200
 .\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_DIGESTSIGNINIT 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm EVP_DigestSign
 .Nd EVP signing functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_DigestSignInit
diff --git a/src/lib/libcrypto/man/EVP_DigestVerifyInit.3 b/src/lib/libcrypto/man/EVP_DigestVerifyInit.3
index fa62f5a0a5..3d40f8e916 100644
--- a/src/lib/libcrypto/man/EVP_DigestVerifyInit.3
+++ b/src/lib/libcrypto/man/EVP_DigestVerifyInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_DigestVerifyInit.3,v 1.17 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_DigestVerifyInit.3,v 1.18 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to OpenSSL f097e875 Aug 23 11:37:22 2018 +0100
 .\" selective merge up to 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_DIGESTVERIFYINIT 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm EVP_DigestVerify
 .Nd EVP signature verification functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_DigestVerifyInit
diff --git a/src/lib/libcrypto/man/EVP_EncodeInit.3 b/src/lib/libcrypto/man/EVP_EncodeInit.3
index da79af84cf..82f5687c8b 100644
--- a/src/lib/libcrypto/man/EVP_EncodeInit.3
+++ b/src/lib/libcrypto/man/EVP_EncodeInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_EncodeInit.3,v 1.7 2019/06/06 01:06:58 schwarze Exp $
+.\" $OpenBSD: EVP_EncodeInit.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL f430ba31 Jun 19 19:39:01 2016 +0200
 .\" selective merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_ENCODEINIT 3
 .Os
 .Sh NAME
@@ -65,6 +65,7 @@
 .Nm EVP_DecodeBlock
 .Nd EVP base64 encode/decode routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_ENCODE_CTX *
 .Fn EVP_ENCODE_CTX_new void
diff --git a/src/lib/libcrypto/man/EVP_EncryptInit.3 b/src/lib/libcrypto/man/EVP_EncryptInit.3
index 7765be2ca6..382c0e2b06 100644
--- a/src/lib/libcrypto/man/EVP_EncryptInit.3
+++ b/src/lib/libcrypto/man/EVP_EncryptInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_EncryptInit.3,v 1.56 2024/12/20 01:54:03 schwarze Exp $
+.\" $OpenBSD: EVP_EncryptInit.3,v 1.57 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
 .\"   EVP_bf_cbc.pod EVP_cast5_cbc.pod EVP_idea_cbc.pod EVP_rc2_cbc.pod
 .\"   7c6d372a Nov 20 13:20:01 2018 +0000
@@ -69,7 +69,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 20 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_ENCRYPTINIT 3
 .Os
 .Sh NAME
@@ -115,6 +115,7 @@
 .Nm EVP_cast5_ofb
 .Nd EVP cipher routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_CIPHER_CTX *
 .Fn EVP_CIPHER_CTX_new void
diff --git a/src/lib/libcrypto/man/EVP_MD_CTX_ctrl.3 b/src/lib/libcrypto/man/EVP_MD_CTX_ctrl.3
index c8c148faf0..a16bba9bf8 100644
--- a/src/lib/libcrypto/man/EVP_MD_CTX_ctrl.3
+++ b/src/lib/libcrypto/man/EVP_MD_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_MD_CTX_ctrl.3,v 1.3 2024/03/05 17:21:40 tb Exp $
+.\" $OpenBSD: EVP_MD_CTX_ctrl.3,v 1.5 2025/06/11 13:48:54 schwarze Exp $
 .\" full merge up to: OpenSSL man3/EVP_DigestInit.pod
 .\" 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -69,7 +69,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt EVP_MD_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm EVP_MD_CTX_md_data
 .Nd configure EVP message digest contexts
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_MD_CTX_ctrl
@@ -154,7 +155,9 @@ when it is no longer needed.
 This
 .Fa command
 is used by
-.Xr SMIME_write_ASN1 3
+.Xr SMIME_write_CMS 3
+and
+.Xr SMIME_write_PKCS7 3
 when creating S/MIME multipart/signed messages as specified in RFC 3851.
 .Pp
 .Fn EVP_MD_CTX_set_flags
diff --git a/src/lib/libcrypto/man/EVP_MD_nid.3 b/src/lib/libcrypto/man/EVP_MD_nid.3
index 15806091de..384c043149 100644
--- a/src/lib/libcrypto/man/EVP_MD_nid.3
+++ b/src/lib/libcrypto/man/EVP_MD_nid.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_MD_nid.3,v 1.4 2024/03/05 17:21:40 tb Exp $
+.\" $OpenBSD: EVP_MD_nid.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL man3/EVP_DigestInit.pod
 .\" 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_MD_NID 3
 .Os
 .Sh NAME
@@ -84,6 +84,7 @@
 .Nm EVP_MD_pkey_type
 .Nd inspect EVP_MD objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_MD_nid
diff --git a/src/lib/libcrypto/man/EVP_OpenInit.3 b/src/lib/libcrypto/man/EVP_OpenInit.3
index fbd0e75571..8cdcbda0e9 100644
--- a/src/lib/libcrypto/man/EVP_OpenInit.3
+++ b/src/lib/libcrypto/man/EVP_OpenInit.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_OpenInit.3,v 1.9 2023/11/16 20:27:43 schwarze Exp $
+.\"     $OpenBSD: EVP_OpenInit.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_OPENINIT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_OpenFinal
 .Nd EVP envelope decryption
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_OpenInit
diff --git a/src/lib/libcrypto/man/EVP_PKCS82PKEY.3 b/src/lib/libcrypto/man/EVP_PKCS82PKEY.3
index 30a43b8dca..a8b7d86808 100644
--- a/src/lib/libcrypto/man/EVP_PKCS82PKEY.3
+++ b/src/lib/libcrypto/man/EVP_PKCS82PKEY.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKCS82PKEY.3,v 1.3 2024/03/05 19:21:31 tb Exp $
+.\" $OpenBSD: EVP_PKCS82PKEY.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKCS82PKEY 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm EVP_PKEY2PKCS8
 .Nd convert between EVP_PKEY and PKCS#8 PrivateKeyInfo
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft EVP_PKEY *
 .Fn EVP_PKCS82PKEY "const PKCS8_PRIV_KEY_INFO *keyinfo"
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
index 41c5a9ab9a..db65f132bb 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.29 2025/04/17 14:58:09 tb Exp $
+.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.30 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\" Parts were split out into RSA_pkey_ctx_ctrl(3).
@@ -69,7 +69,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 17 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -97,6 +97,7 @@
 .Nm EVP_PKEY_CTX_get1_id_len
 .Nd algorithm specific control operations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_CTX_ctrl
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_get_operation.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_get_operation.3
index 2482c746d4..ce234337bb 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_get_operation.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_get_operation.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_CTX_get_operation.3,v 1.3 2023/09/12 16:15:23 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_CTX_get_operation.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 12 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_CTX_GET_OPERATION 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm EVP_PKEY_CTX_get0_pkey
 .Nd inspect EVP_PKEY_CTX objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_CTX_get_operation
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3
index e74bce9dfb..d0f514d5ea 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_CTX_new.3,v 1.16 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_CTX_new.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_CTX_NEW 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm EVP_PKEY_CTX_free
 .Nd public key algorithm context functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_PKEY_CTX *
 .Fo EVP_PKEY_CTX_new
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3
index 973ae95974..a63744097a 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_CTX_set_hkdf_md.3,v 1.4 2024/07/10 07:57:37 tb Exp $
+.\" $OpenBSD: EVP_PKEY_CTX_set_hkdf_md.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
 .\"
 .\" This file was written by Alessandro Ghedini <alessandro@ghedini.me>,
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 10 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_CTX_SET_HKDF_MD 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm EVP_PKEY_CTX_hkdf_mode
 .Nd HMAC-based Extract-and-Expand key derivation algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .In openssl/kdf.h
 .Ft int
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3
index bdb1a208a2..57a85a78d9 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_CTX_set_tls1_prf_md.3,v 1.3 2025/04/17 14:58:09 tb Exp $
+.\" $OpenBSD: EVP_PKEY_CTX_set_tls1_prf_md.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
 .\"
 .\" This file was written by Dr Stephen Henson <steve@openssl.org>,
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 17 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_CTX_SET_TLS1_PRF_MD 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_PKEY_CTX_add1_tls1_prf_seed
 .Nd TLS PRF key derivation algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .In openssl/kdf.h
 .Ft int
diff --git a/src/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 b/src/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3
index f7810789b6..098a5565b2 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_asn1_get_count.3,v 1.10 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_asn1_get_count.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_ASN1_GET_COUNT 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm EVP_PKEY_asn1_get0_info
 .Nd enumerate public key ASN.1 methods
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fn EVP_PKEY_asn1_get_count void
diff --git a/src/lib/libcrypto/man/EVP_PKEY_cmp.3 b/src/lib/libcrypto/man/EVP_PKEY_cmp.3
index c12843854d..bcd0152dc8 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_cmp.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_cmp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_cmp.3,v 1.15 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_cmp.3,v 1.16 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_CMP 3
 .Os
 .Sh NAME
@@ -81,6 +81,7 @@
 .\" resulting in incomplete output without the public key parameters.
 .Nd public key parameter and comparison functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_missing_parameters
diff --git a/src/lib/libcrypto/man/EVP_PKEY_decrypt.3 b/src/lib/libcrypto/man/EVP_PKEY_decrypt.3
index c063847b10..abac0e6a2e 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_decrypt.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_decrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_decrypt.3,v 1.10 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_decrypt.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_DECRYPT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_PKEY_decrypt
 .Nd decrypt using a public key algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_decrypt_init
diff --git a/src/lib/libcrypto/man/EVP_PKEY_derive.3 b/src/lib/libcrypto/man/EVP_PKEY_derive.3
index 47f467fea1..d02ef0e9e4 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_derive.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_derive.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_derive.3,v 1.12 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_derive.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_DERIVE 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm EVP_PKEY_derive
 .Nd derive public key algorithm shared secret
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_derive_init
diff --git a/src/lib/libcrypto/man/EVP_PKEY_encrypt.3 b/src/lib/libcrypto/man/EVP_PKEY_encrypt.3
index c2e70cb31f..f32d411283 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_encrypt.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_encrypt.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_PKEY_encrypt.3,v 1.10 2024/12/06 14:27:49 schwarze Exp $
+.\"     $OpenBSD: EVP_PKEY_encrypt.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_ENCRYPT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_PKEY_encrypt
 .Nd encrypt using a public key algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_encrypt_init
diff --git a/src/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3 b/src/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3
index e9ff7c4609..5c5b07bd3c 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_get_default_digest_nid.3,v 1.10 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_get_default_digest_nid.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file is a derived work.
@@ -66,13 +66,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_GET_DEFAULT_DIGEST_NID 3
 .Os
 .Sh NAME
 .Nm EVP_PKEY_get_default_digest_nid
 .Nd get default signature digest
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_get_default_digest_nid
diff --git a/src/lib/libcrypto/man/EVP_PKEY_keygen.3 b/src/lib/libcrypto/man/EVP_PKEY_keygen.3
index e75859b486..3c000f8cd2 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_keygen.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_keygen.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_keygen.3,v 1.15 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_keygen.3,v 1.16 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_KEYGEN 3
 .Os
 .Sh NAME
@@ -85,6 +85,7 @@
 .Nm EVP_PKEY_CTX_get_data
 .Nd key and parameter generation functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_keygen_init
diff --git a/src/lib/libcrypto/man/EVP_PKEY_new.3 b/src/lib/libcrypto/man/EVP_PKEY_new.3
index 3b1ef029c3..7c13f625bc 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_new.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_new.3,v 1.26 2024/12/10 15:10:26 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_new.3,v 1.27 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 4dcfdfce May 27 11:50:05 2020 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_NEW 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm EVP_PKEY_get_raw_public_key
 .Nd public and private key allocation and raw key handling functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_PKEY *
 .Fn EVP_PKEY_new void
diff --git a/src/lib/libcrypto/man/EVP_PKEY_new_CMAC_key.3 b/src/lib/libcrypto/man/EVP_PKEY_new_CMAC_key.3
index d09af3a012..e4202fab67 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_new_CMAC_key.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_new_CMAC_key.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_new_CMAC_key.3,v 1.1 2024/11/12 20:00:36 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_new_CMAC_key.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 12 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_NEW_CMAC_KEY 3
 .Os
 .Sh NAME
 .Nm EVP_PKEY_new_CMAC_key
 .Nd CMAC in the EVP framework
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_PKEY *
 .Fo EVP_PKEY_new_CMAC_key
diff --git a/src/lib/libcrypto/man/EVP_PKEY_print_private.3 b/src/lib/libcrypto/man/EVP_PKEY_print_private.3
index a4b51a4bbb..877385d15b 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_print_private.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_print_private.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_PKEY_print_private.3,v 1.8 2024/12/06 12:51:13 schwarze Exp $
+.\"     $OpenBSD: EVP_PKEY_print_private.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_PRINT_PRIVATE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_PKEY_print_params
 .Nd public key algorithm printing routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_print_public
diff --git a/src/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 b/src/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
index 39404f5286..5e17894bea 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_set1_RSA.3,v 1.24 2024/12/09 11:25:25 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_set1_RSA.3,v 1.27 2025/07/02 06:40:28 tb Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 9 2024 $
+.Dd $Mdocdate: July 2 2025 $
 .Dt EVP_PKEY_SET1_RSA 3
 .Os
 .Sh NAME
@@ -103,6 +103,7 @@
 .\" EVP_PKT_ENC EVP_PKT_EXCH EVP_PKT_EXP EVP_PKT_SIGN
 .Nd EVP_PKEY assignment functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_set1_RSA
@@ -126,35 +127,35 @@
 .Fc
 .Ft RSA *
 .Fo EVP_PKEY_get1_RSA
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft DSA *
 .Fo EVP_PKEY_get1_DSA
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft DH *
 .Fo EVP_PKEY_get1_DH
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft EC_KEY *
 .Fo EVP_PKEY_get1_EC_KEY
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft RSA *
 .Fo EVP_PKEY_get0_RSA
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft DSA *
 .Fo EVP_PKEY_get0_DSA
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft DH *
 .Fo EVP_PKEY_get0_DH
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft EC_KEY *
 .Fo EVP_PKEY_get0_EC_KEY
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft const unsigned char *
 .Fo EVP_PKEY_get0_hmac
@@ -193,11 +194,11 @@
 .Fc
 .Ft int
 .Fo EVP_PKEY_base_id
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft int
 .Fo EVP_PKEY_id
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft int
 .Fo EVP_PKEY_type
diff --git a/src/lib/libcrypto/man/EVP_PKEY_sign.3 b/src/lib/libcrypto/man/EVP_PKEY_sign.3
index afd9177596..58d7e34cb6 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_sign.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_sign.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_PKEY_sign.3,v 1.10 2025/04/17 14:58:09 tb Exp $
+.\"     $OpenBSD: EVP_PKEY_sign.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 17 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_SIGN 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_PKEY_sign
 .Nd sign using a public key algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_sign_init
diff --git a/src/lib/libcrypto/man/EVP_PKEY_size.3 b/src/lib/libcrypto/man/EVP_PKEY_size.3
index cd25eec9c2..dc53de1268 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_size.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_size.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_size.3,v 1.4 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_size.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL eed9d03b Jan 8 11:04:15 2020 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_SIZE 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm EVP_PKEY_security_bits
 .Nd EVP_PKEY information functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_size
diff --git a/src/lib/libcrypto/man/EVP_PKEY_verify.3 b/src/lib/libcrypto/man/EVP_PKEY_verify.3
index c297e9669a..1a1d19a552 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_verify.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_verify.3,v 1.9 2025/04/17 14:58:09 tb Exp $
+.\" $OpenBSD: EVP_PKEY_verify.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 17 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_VERIFY 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_PKEY_verify
 .Nd signature verification using a public key algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_verify_init
diff --git a/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3 b/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3
index 2e863f35b4..840307b41e 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_verify_recover.3,v 1.11 2025/04/17 14:58:09 tb Exp $
+.\" $OpenBSD: EVP_PKEY_verify_recover.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 17 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_VERIFY_RECOVER 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_PKEY_verify_recover
 .Nd recover signature using a public key algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_verify_recover_init
diff --git a/src/lib/libcrypto/man/EVP_SealInit.3 b/src/lib/libcrypto/man/EVP_SealInit.3
index da53535274..f211702ba6 100644
--- a/src/lib/libcrypto/man/EVP_SealInit.3
+++ b/src/lib/libcrypto/man/EVP_SealInit.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_SealInit.3,v 1.9 2023/11/16 20:27:43 schwarze Exp $
+.\"     $OpenBSD: EVP_SealInit.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_SEALINIT 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm EVP_SealFinal
 .Nd EVP envelope encryption
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_SealInit
diff --git a/src/lib/libcrypto/man/EVP_SignInit.3 b/src/lib/libcrypto/man/EVP_SignInit.3
index 8158b21dbf..d3964abd41 100644
--- a/src/lib/libcrypto/man/EVP_SignInit.3
+++ b/src/lib/libcrypto/man/EVP_SignInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_SignInit.3,v 1.21 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: EVP_SignInit.3,v 1.22 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_SIGNINIT 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm EVP_SignInit
 .Nd EVP signing functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_SignInit_ex
diff --git a/src/lib/libcrypto/man/EVP_VerifyInit.3 b/src/lib/libcrypto/man/EVP_VerifyInit.3
index 0baadfb9fb..9bf1f1e163 100644
--- a/src/lib/libcrypto/man/EVP_VerifyInit.3
+++ b/src/lib/libcrypto/man/EVP_VerifyInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_VerifyInit.3,v 1.13 2024/11/08 22:23:35 schwarze Exp $
+.\" $OpenBSD: EVP_VerifyInit.3,v 1.14 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 8 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_VERIFYINIT 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm EVP_VerifyInit
 .Nd EVP signature verification functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_VerifyInit_ex
diff --git a/src/lib/libcrypto/man/EVP_aes_128_cbc.3 b/src/lib/libcrypto/man/EVP_aes_128_cbc.3
index 46e3ef0bdc..72f654b73d 100644
--- a/src/lib/libcrypto/man/EVP_aes_128_cbc.3
+++ b/src/lib/libcrypto/man/EVP_aes_128_cbc.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_aes_128_cbc.3,v 1.8 2024/12/20 01:54:03 schwarze Exp $
+.\" $OpenBSD: EVP_aes_128_cbc.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\" selective merge up to: OpenSSL 7c6d372a Nov 20 13:20:01 2018 +0000
 .\"
 .\" This file was written by Ronald Tse <ronald.tse@ribose.com>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 20 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_AES_128_CBC 3
 .Os
 .Sh NAME
@@ -85,6 +85,7 @@
 .Nm EVP_aes_256_xts
 .Nd EVP AES cipher
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_aes_128_cbc void
diff --git a/src/lib/libcrypto/man/EVP_aes_128_ccm.3 b/src/lib/libcrypto/man/EVP_aes_128_ccm.3
index e9023a5b67..eaba95c936 100644
--- a/src/lib/libcrypto/man/EVP_aes_128_ccm.3
+++ b/src/lib/libcrypto/man/EVP_aes_128_ccm.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_aes_128_ccm.3,v 1.5 2024/12/29 12:27:28 schwarze Exp $
+.\" $OpenBSD: EVP_aes_128_ccm.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
 .\" OpenSSL EVP_aes.pod a1ec85c1 Apr 21 10:49:12 2020 +0100
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 29 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_AES_128_CCM 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm EVP_aes_256_ccm
 .Nd EVP AES cipher in Counter with CBC-MAC mode
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_aes_128_ccm void
diff --git a/src/lib/libcrypto/man/EVP_aes_128_gcm.3 b/src/lib/libcrypto/man/EVP_aes_128_gcm.3
index 53c41ea162..fa4a88619a 100644
--- a/src/lib/libcrypto/man/EVP_aes_128_gcm.3
+++ b/src/lib/libcrypto/man/EVP_aes_128_gcm.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_aes_128_gcm.3,v 1.2 2024/12/29 12:27:28 schwarze Exp $
+.\" $OpenBSD: EVP_aes_128_gcm.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
 .\" OpenSSL EVP_aes.pod a1ec85c1 Apr 21 10:49:12 2020 +0100
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 29 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_AES_128_GCM 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm EVP_aes_256_gcm
 .Nd EVP AES cipher in Galois Counter Mode
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_aes_128_gcm void
diff --git a/src/lib/libcrypto/man/EVP_camellia_128_cbc.3 b/src/lib/libcrypto/man/EVP_camellia_128_cbc.3
index 6f15a85f7f..3ff5d5a0e0 100644
--- a/src/lib/libcrypto/man/EVP_camellia_128_cbc.3
+++ b/src/lib/libcrypto/man/EVP_camellia_128_cbc.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_camellia_128_cbc.3,v 1.3 2024/11/09 22:03:49 schwarze Exp $
+.\" $OpenBSD: EVP_camellia_128_cbc.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\" selective merge up to: OpenSSL 7c6d372a Nov 20 13:20:01 2018 +0000
 .\"
 .\" This file was written by Ronald Tse <ronald.tse@ribose.com>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 9 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CAMELLIA_128_CBC 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm EVP_camellia_256_ofb
 .Nd EVP Camellia cipher
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_camellia_128_cbc void
diff --git a/src/lib/libcrypto/man/EVP_chacha20.3 b/src/lib/libcrypto/man/EVP_chacha20.3
index 8fc79dbf2b..45584f3e86 100644
--- a/src/lib/libcrypto/man/EVP_chacha20.3
+++ b/src/lib/libcrypto/man/EVP_chacha20.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_chacha20.3,v 1.8 2024/12/09 11:55:52 schwarze Exp $
+.\" $OpenBSD: EVP_chacha20.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 9 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CHACHA20 3
 .Os
 .Sh NAME
@@ -73,6 +73,7 @@
 .Nm EVP_chacha20_poly1305
 .Nd ChaCha20 stream cipher for EVP
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_chacha20 void
diff --git a/src/lib/libcrypto/man/EVP_des_cbc.3 b/src/lib/libcrypto/man/EVP_des_cbc.3
index 7c8a08c7db..84ee9aaa61 100644
--- a/src/lib/libcrypto/man/EVP_des_cbc.3
+++ b/src/lib/libcrypto/man/EVP_des_cbc.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_des_cbc.3,v 1.2 2024/11/09 22:03:49 schwarze Exp $
+.\" $OpenBSD: EVP_des_cbc.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to:
 .\"   OpenSSL EVP_desx_cbc.pod 8fa4d95e Oct 21 11:59:09 2017 +0900
 .\" selective merge up to:
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 9 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_DES_CBC 3
 .Os
 .Sh NAME
@@ -79,6 +79,7 @@
 .Nm EVP_desx_cbc
 .Nd EVP DES cipher
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_des_cbc void
diff --git a/src/lib/libcrypto/man/EVP_rc2_cbc.3 b/src/lib/libcrypto/man/EVP_rc2_cbc.3
index 38c8184260..9a3bc29304 100644
--- a/src/lib/libcrypto/man/EVP_rc2_cbc.3
+++ b/src/lib/libcrypto/man/EVP_rc2_cbc.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_rc2_cbc.3,v 1.1 2024/12/08 17:41:23 schwarze Exp $
+.\" $OpenBSD: EVP_rc2_cbc.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 8 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_RC2_CBC 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm EVP_rc2_64_cbc
 .Nd Rivest Cipher 2 in the EVP framework
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_rc2_cbc void
diff --git a/src/lib/libcrypto/man/EVP_rc4.3 b/src/lib/libcrypto/man/EVP_rc4.3
index fda041113c..40dd27e49f 100644
--- a/src/lib/libcrypto/man/EVP_rc4.3
+++ b/src/lib/libcrypto/man/EVP_rc4.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_rc4.3,v 1.1 2019/03/21 13:37:25 schwarze Exp $
+.\" $OpenBSD: EVP_rc4.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 8fa4d95e Oct 21 11:59:09 2017 +0900
 .\"
 .\" This file was written by Ronald Tse <ronald.tse@ribose.com>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 21 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_RC4 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_rc4_hmac_md5
 .Nd EVP RC4 stream cipher
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_rc4 void
diff --git a/src/lib/libcrypto/man/EVP_sha1.3 b/src/lib/libcrypto/man/EVP_sha1.3
index b28c9f54c3..d1e336cc42 100644
--- a/src/lib/libcrypto/man/EVP_sha1.3
+++ b/src/lib/libcrypto/man/EVP_sha1.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_sha1.3,v 1.2 2024/03/05 17:21:40 tb Exp $
+.\" $OpenBSD: EVP_sha1.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_SHA1 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm EVP_md4
 .Nd legacy message digest algorithms
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_MD *
 .Fn EVP_sha1 void
diff --git a/src/lib/libcrypto/man/EVP_sha3_224.3 b/src/lib/libcrypto/man/EVP_sha3_224.3
index 3c21ae1a09..19a9114885 100644
--- a/src/lib/libcrypto/man/EVP_sha3_224.3
+++ b/src/lib/libcrypto/man/EVP_sha3_224.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_sha3_224.3,v 1.3 2024/03/05 17:21:40 tb Exp $
+.\" $OpenBSD: EVP_sha3_224.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\" selective merge up to: OpenSSL bbda8ce9 Oct 31 15:43:01 2017 +0800
 .\"
 .\" This file was written by Ronald Tse <ronald.tse@ribose.com>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_SHA3_224 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm EVP_sha3_512
 .Nd Secure Hash Algorithm 3 for EVP
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_MD *
 .Fn EVP_sha3_224 void
diff --git a/src/lib/libcrypto/man/EVP_sm3.3 b/src/lib/libcrypto/man/EVP_sm3.3
index aa6789f249..33621bef81 100644
--- a/src/lib/libcrypto/man/EVP_sm3.3
+++ b/src/lib/libcrypto/man/EVP_sm3.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_sm3.3,v 1.1 2019/08/25 17:08:20 schwarze Exp $
+.\" $OpenBSD: EVP_sm3.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 21ebd2fc Aug 24 20:38:04 2018 +0800
 .\"
 .\" This file was written by Jack Lloyd <jack.lloyd@ribose.com>
@@ -50,13 +50,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 25 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_SM3 3
 .Os
 .Sh NAME
 .Nm EVP_sm3
 .Nd SM3 hash function for EVP
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_MD *
 .Fn EVP_sm3 void
diff --git a/src/lib/libcrypto/man/EVP_sm4_cbc.3 b/src/lib/libcrypto/man/EVP_sm4_cbc.3
index 0605a52faa..eba31afff3 100644
--- a/src/lib/libcrypto/man/EVP_sm4_cbc.3
+++ b/src/lib/libcrypto/man/EVP_sm4_cbc.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_sm4_cbc.3,v 1.2 2023/11/16 20:27:43 schwarze Exp $
+.\" $OpenBSD: EVP_sm4_cbc.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 87103969 Oct 1 14:11:57 2018 -0700
 .\"
 .\" Copyright (c) 2017 Ribose Inc
@@ -18,7 +18,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_SM4_CBC 3
 .Os
 .Sh NAME
@@ -30,6 +30,7 @@
 .Nm EVP_sm4_ctr
 .Nd EVP SM4 cipher
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_sm4_cbc void
diff --git a/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3 b/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
index 3d1ed17ff3..3258c9793d 100644
--- a/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
+++ b/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EXTENDED_KEY_USAGE_new.3,v 1.6 2021/10/27 11:24:47 schwarze Exp $
+.\" $OpenBSD: EXTENDED_KEY_USAGE_new.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 27 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EXTENDED_KEY_USAGE_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm EXTENDED_KEY_USAGE_free
 .Nd X.509 key usage restrictions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft EXTENDED_KEY_USAGE
 .Fn EXTENDED_KEY_USAGE_new void
diff --git a/src/lib/libcrypto/man/GENERAL_NAME_new.3 b/src/lib/libcrypto/man/GENERAL_NAME_new.3
index a6b7ee56da..84ad2edb3b 100644
--- a/src/lib/libcrypto/man/GENERAL_NAME_new.3
+++ b/src/lib/libcrypto/man/GENERAL_NAME_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: GENERAL_NAME_new.3,v 1.6 2019/06/06 01:06:58 schwarze Exp $
+.\"     $OpenBSD: GENERAL_NAME_new.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt GENERAL_NAME_NEW 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Nm OTHERNAME_free
 .Nd names for use in X.509 extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft GENERAL_NAME *
 .Fn GENERAL_NAME_new void
diff --git a/src/lib/libcrypto/man/HMAC.3 b/src/lib/libcrypto/man/HMAC.3
index a515014fca..0b9e24a7bd 100644
--- a/src/lib/libcrypto/man/HMAC.3
+++ b/src/lib/libcrypto/man/HMAC.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: HMAC.3,v 1.23 2024/08/29 20:21:53 tb Exp $
+.\" $OpenBSD: HMAC.3,v 1.24 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL crypto/hmac a528d4f0 Oct 27 13:40:11 2015 -0400
 .\" selective merge up to: OpenSSL man3/HMAC b3696a55 Sep 2 09:35:50 2017 -0400
 .\"
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 29 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt HMAC 3
 .Os
 .Sh NAME
@@ -69,6 +69,7 @@
 .Nm HMAC_size
 .Nd HMAC message authentication code
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/hmac.h
 .Ft unsigned char *
 .Fo HMAC
diff --git a/src/lib/libcrypto/man/IPAddressRange_new.3 b/src/lib/libcrypto/man/IPAddressRange_new.3
index a812107cdf..79e3751b4e 100644
--- a/src/lib/libcrypto/man/IPAddressRange_new.3
+++ b/src/lib/libcrypto/man/IPAddressRange_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: IPAddressRange_new.3,v 1.9 2023/10/03 09:58:06 tb Exp $
+.\" $OpenBSD: IPAddressRange_new.3,v 1.11 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 3 2023 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt IPADDRESSRANGE_NEW 3
 .Os
 .Sh NAME
@@ -36,8 +36,9 @@
 .Nm i2d_IPAddressFamily
 .Nd RFC 3779 IP address prefixes and ranges
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
-.Ft "IPAddressRange *"
+.Ft IPAddressRange *
 .Fn IPAddressRange_new void
 .Ft void
 .Fn IPAddressRange_free "IPAddressRange *range"
@@ -52,7 +53,7 @@
 .Fa "IPAddressRange *range"
 .Fa "unsigned char **der_out"
 .Fc
-.Ft "IPAddressOrRange *"
+.Ft IPAddressOrRange *
 .Fn IPAddressOrRange_new void
 .Ft void
 .Fn IPAddressOrRange_free "IPAddressOrRange *aor"
@@ -67,7 +68,7 @@
 .Fa "IPAddressOrRange *aor"
 .Fa "unsigned char **der_out"
 .Fc
-.Ft "IPAddressChoice *"
+.Ft IPAddressChoice *
 .Fn IPAddressChoice_new void
 .Ft void
 .Fn IPAddressChoice_free "IPAddressChoice *ac"
@@ -82,7 +83,7 @@
 .Fa "IPAddressChoice *ac"
 .Fa "unsigned char **der_out"
 .Fc
-.Ft "IPAddressFamily *"
+.Ft IPAddressFamily *
 .Fn IPAddressFamily_new void
 .Ft void
 .Fn IPAddressFamily_free "IPAddressFamily *af"
diff --git a/src/lib/libcrypto/man/MD5.3 b/src/lib/libcrypto/man/MD5.3
index 01e715f406..c9c89c33af 100644
--- a/src/lib/libcrypto/man/MD5.3
+++ b/src/lib/libcrypto/man/MD5.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: MD5.3,v 1.9 2024/05/26 09:54:16 tb Exp $
+.\"     $OpenBSD: MD5.3,v 1.10 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 26 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt MD5 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm MD5_Final
 .Nd MD4 and MD5 hash functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/md4.h
 .Ft unsigned char *
 .Fo MD4
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index b8dfe86d49..aea939dc2b 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.308 2025/04/25 19:57:12 tb Exp $
+# $OpenBSD: Makefile,v 1.312 2025/07/17 10:31:50 schwarze Exp $
 
 .include <bsd.own.mk>
 
@@ -216,7 +216,6 @@ MAN=	\
         IPAddressRange_new.3 \
         MD5.3 \
         NAME_CONSTRAINTS_new.3 \
-        OBJ_NAME_add.3 \
         OBJ_create.3 \
         OBJ_find_sigid_algs.3 \
         OBJ_nid2obj.3 \
@@ -232,12 +231,11 @@ MAN=	\
         OPENSSL_cleanse.3 \
         OPENSSL_config.3 \
         OPENSSL_init_crypto.3 \
-        OPENSSL_load_builtin_modules.3 \
         OPENSSL_malloc.3 \
         OPENSSL_sk_new.3 \
         OpenSSL_add_all_algorithms.3 \
         PEM_ASN1_read.3 \
-        PEM_X509_INFO_read.3 \
+        PEM_X509_INFO_read_bio.3 \
         PEM_bytes_read_bio.3 \
         PEM_read.3 \
         PEM_read_bio_PrivateKey.3 \
@@ -293,11 +291,9 @@ MAN=	\
         RSA_size.3 \
         SHA1.3 \
         SMIME_crlf_copy.3 \
-        SMIME_read_ASN1.3 \
         SMIME_read_CMS.3 \
         SMIME_read_PKCS7.3 \
         SMIME_text.3 \
-        SMIME_write_ASN1.3 \
         SMIME_write_CMS.3 \
         SMIME_write_PKCS7.3 \
         STACK_OF.3 \
@@ -330,7 +326,6 @@ MAN=	\
         X509_NAME_new.3 \
         X509_NAME_print_ex.3 \
         X509_OBJECT_get0_X509.3 \
-        X509_PKEY_new.3 \
         X509_PUBKEY_new.3 \
         X509_PURPOSE_set.3 \
         X509_REQ_add1_attr.3 \
diff --git a/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3 b/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3
index fec3aba7f7..7d39754858 100644
--- a/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3
+++ b/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: NAME_CONSTRAINTS_new.3,v 1.4 2020/09/17 08:50:05 schwarze Exp $
+.\" $OpenBSD: NAME_CONSTRAINTS_new.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 17 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt NAME_CONSTRAINTS_NEW 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .\" We probably need to deprecate it thoughtfully.
 .Nd X.509 CA name constraints extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft NAME_CONSTRAINTS *
 .Fn NAME_CONSTRAINTS_new void
diff --git a/src/lib/libcrypto/man/OBJ_NAME_add.3 b/src/lib/libcrypto/man/OBJ_NAME_add.3
deleted file mode 100644
index 0b46010c49..0000000000
--- a/src/lib/libcrypto/man/OBJ_NAME_add.3
+++ /dev/null
@@ -1,307 +0,0 @@
-.\" $OpenBSD: OBJ_NAME_add.3,v 1.6 2024/01/31 08:02:53 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: January 31 2024 $
-.Dt OBJ_NAME_ADD 3
-.Os
-.Sh NAME
-.Nm OBJ_NAME_add ,
-.Nm OBJ_NAME_remove ,
-.Nm OBJ_NAME_get ,
-.Nm OBJ_NAME_new_index ,
-.Nm OBJ_NAME_init ,
-.Nm OBJ_NAME_cleanup
-.Nd global associative array
-.Sh SYNOPSIS
-.In openssl/objects.h
-.Ft int
-.Fo OBJ_NAME_add
-.Fa "const char *name"
-.Fa "int type"
-.Fa "const char *value"
-.Fc
-.Ft int
-.Fo OBJ_NAME_remove
-.Fa "const char *name"
-.Fa "int type"
-.Fc
-.Ft const char *
-.Fo OBJ_NAME_get
-.Fa "const char *name"
-.Fa "int type"
-.Fc
-.Ft int
-.Fo OBJ_NAME_new_index
-.Fa "unsigned long (*hash_func)(const char *name)"
-.Fa "int (*cmp_func)(const char *name1, const char *name2)"
-.Fa "void (*free_func)(const char *name, int type, const char *value)"
-.Fc
-.Ft int
-.Fn OBJ_NAME_init void
-.Ft void
-.Fn OBJ_NAME_cleanup "int type"
-.Bd -literal
-typedef struct {
-        int         type;
-        int         alias;
-        const char *name;
-        const char *data;
-} OBJ_NAME;
-.Ed
-.Sh DESCRIPTION
-These functions implement a single, static associative array
-with the following properties:
-.Bl -bullet
-.It
-The keys are ordered pairs consisting of a NUL-terminated string
-.Pq called the Fa name
-and an
-.Vt int
-number
-.Pq called the Fa type .
-Two types are predefined and used internally by the library:
-.Dv OBJ_NAME_TYPE_MD_METH
-and
-.Dv OBJ_NAME_TYPE_CIPHER_METH .
-Two additional types are predefined but not used internally:
-.Dv OBJ_NAME_TYPE_PKEY_METH
-and
-.Dv OBJ_NAME_TYPE_COMP_METH .
-All predefined types are greater than
-.Dv OBJ_NAME_TYPE_UNDEF
-and smaller than
-.Dv OBJ_NAME_TYPE_NUM .
-.It
-The values are pointers.
-Formally, they are of the type
-.Vt const char * ,
-but in practice, pointers of other types, for example
-.Vt EVP_CIPHER *
-or
-.Vt EVP_MD * ,
-are often stored as values
-and cast back to the correct type on retrieval.
-.It
-The array supports type-specific aliases for names.
-.El
-.Pp
-.Fn OBJ_NAME_add
-removes the key-value pair or alias with the key
-.Pq Fa name , type
-in the same way as
-.Fn OBJ_NAME_remove
-and inserts a key-value pair with the specified
-.Fa name ,
-.Fa type ,
-and
-.Fa value .
-If the bit
-.Dv OBJ_NAME_ALIAS
-is set in the
-.Fa type
-argument, that bit is cleared before using the
-.Fa type
-and the key
-.Pq Fa name , type
-becomes an alias for the key
-.Pq Fa value , type
-instead of setting a value.
-It is not checked whether the key
-.Pq Fa value , type
-already exists.
-Consequently, it is possible to define an alias
-before setting the associated value.
-.Pp
-.Fn OBJ_NAME_remove
-removes the key-value pair or alias with the key
-.Pq Fa name , type
-from the array, if it exists.
-Otherwise, it has no effect.
-If the bit
-.Dv OBJ_NAME_ALIAS
-is set in the
-.Fa type
-argument, it is ignored and cleared before using the
-.Fa type .
-If the
-.Fa type
-is an application-defined type added with
-.Fn OBJ_NAME_new_index
-and the
-.Fa free_func
-associated with the
-.Fa type
-is not a
-.Dv NULL
-pointer, it is called with the
-.Fa name ,
-.Fa type ,
-and
-.Fa value
-of the key-value pair being removed or with the
-.Fa name ,
-.Fa type ,
-and alias target name of the alias being removed.
-In typical usage, this function might free the
-.Fa name ,
-and it might free the
-.Fa value
-in a type-specific way.
-.Pp
-.Fn OBJ_NAME_get
-looks up the key
-.Pq Fa name , type ,
-recursively resolving up to ten aliases if needed.
-If the bit
-.Dv OBJ_NAME_ALIAS
-is set in the
-.Fa type
-argument, it is cleared before using the
-.Fa type ,
-processing of aliases is disabled, and if
-.Pq Fa name , type
-is an alias, the target name of the alias is returned instead of a value.
-.Pp
-.Fn OBJ_NAME_new_index
-assigns the smallest unassigned positive integer number
-to represent a new, application-defined
-.Fa type .
-The three function pointers will be used, respectively,
-to hash a name for this type, to compare two names for this type,
-and to free the contents of a key-value pair holding the given
-.Fa name ,
-.Fa type ,
-and
-.Fa value .
-If the
-.Fa hash_func
-argument is a
-.Dv NULL
-pointer,
-.Xr lh_strhash 3
-is used instead.
-If the
-.Fa cmp_func
-argument is a
-.Dv NULL
-pointer,
-.Xr strcmp 3
-is used instead.
-If the
-.Fa free_func
-argument is a
-.Dv NULL
-pointer, the
-.Fa name
-and
-.Fa value
-pointers contained in the key-value pair are not freed,
-only the structure representing the pair itself is.
-This default behaviour is also used for the built-in types.
-.Pp
-.Fn OBJ_NAME_init
-initializes the array.
-After initialization, the array is empty.
-Calling
-.Fn OBJ_NAME_init
-when the array is already initialized has no effect.
-Application programs do not need to call this function because
-.Fn OBJ_NAME_add
-and
-.Fn OBJ_NAME_get
-automatically call it whenever needed.
-.Pp
-.Fn OBJ_NAME_cleanup
-removes all key-value pairs and aliases of the given
-.Fa type
-from the array by calling
-.Fn OBJ_NAME_remove
-on every such pair and alias.
-If the
-.Fa type
-argument is negative, it removes all key-value pairs and aliases
-of any type and also reverses all effects of
-.Fn OBJ_NAME_new_index
-and
-.Fn OBJ_NAME_init ,
-in particular resetting the list of types to the predefined types
-and releasing all memory reserved by these functions.
-.Pp
-The
-.Vt OBJ_NAME
-structure represents one key-value pair or one alias with the key
-.Pq Fa name , type .
-If the
-.Fa alias
-field is 0, the
-.Fa data
-field contains the value; otherwise, it contains the alias target name.
-.Sh RETURN VALUES
-.Fn OBJ_NAME_add
-and
-.Fn OBJ_NAME_init
-return 1 on success or 0 if memory allocation fails.
-.Pp
-.Fn OBJ_NAME_remove
-returns 1 if one key-value pair or alias was removed or 0 otherwise.
-.Pp
-.Fn OBJ_NAME_get
-returns the
-.Fa value
-associated with the key
-.Pq Fa name , type
-or
-.Dv NULL
-if
-.Fa name
-is
-.Dv NULL ,
-if the array does not contain a value for this key,
-or if more than ten aliases are encountered before finding a value.
-.Pp
-.Fn OBJ_NAME_new_index
-returns a positive integer greater than or equal to
-.Dv OBJ_NAME_TYPE_NUM
-representing the new type or 0 if memory allocation fails.
-.Sh SEE ALSO
-.Xr EVP_cleanup 3 ,
-.Xr EVP_get_cipherbyname 3 ,
-.Xr EVP_get_digestbyname 3 ,
-.Xr lh_new 3 ,
-.Xr OBJ_create 3 ,
-.Xr OBJ_nid2obj 3
-.Sh BUGS
-Calling
-.Fn OBJ_NAME_get
-with the bit
-.Dv OBJ_NAME_ALIAS
-is not very useful because there is no way to tell
-whether the returned pointer points to a value or to a name,
-short of calling the function again without setting the bit
-and comparing the two returned pointers.
-.Pp
-The
-.Fa free_func
-has no way to tell whether its
-.Fa value
-argument is indeed of the given
-.Fa type
-or whether it is merely the target name of an alias.
-Consequently, to use values of a type
-that requires more cleanup than merely calling
-.Xr free 3
-on it, instances of the type need to begin with a magic number or string
-that cannot occur at the beginning of a name.
diff --git a/src/lib/libcrypto/man/OBJ_create.3 b/src/lib/libcrypto/man/OBJ_create.3
index fa5bde3dd3..75d51f4bb8 100644
--- a/src/lib/libcrypto/man/OBJ_create.3
+++ b/src/lib/libcrypto/man/OBJ_create.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OBJ_create.3,v 1.10 2024/01/31 08:02:53 tb Exp $
+.\" $OpenBSD: OBJ_create.3,v 1.11 2025/06/08 22:37:23 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL OBJ_nid2obj.pod 9b86974e Aug 17 15:21:33 2015 -0400
 .\" selective merge up to:
@@ -69,18 +69,18 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 31 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OBJ_CREATE 3
 .Os
 .Sh NAME
 .Nm OBJ_new_nid ,
 .Nm OBJ_add_object ,
 .Nm OBJ_create ,
-.\" OBJ_create_and_add_object is a deprecated, unused alias for OBJ_create(3).
 .Nm OBJ_create_objects ,
 .Nm OBJ_cleanup
 .Nd modify the table of ASN.1 object identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/objects.h
 .Ft int
 .Fn OBJ_new_nid "int increment"
diff --git a/src/lib/libcrypto/man/OBJ_find_sigid_algs.3 b/src/lib/libcrypto/man/OBJ_find_sigid_algs.3
index 1d7a2b649b..4c071c6c76 100644
--- a/src/lib/libcrypto/man/OBJ_find_sigid_algs.3
+++ b/src/lib/libcrypto/man/OBJ_find_sigid_algs.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OBJ_find_sigid_algs.3,v 1.2 2024/01/31 08:02:53 tb Exp $
+.\" $OpenBSD: OBJ_find_sigid_algs.3,v 1.4 2025/06/09 12:42:46 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 31 2024 $
+.Dd $Mdocdate: June 9 2025 $
 .Dt OBJ_FIND_SIGID_ALGS 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm OBJ_find_sigid_by_algs
 .Nd signature algorithm mappings
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/objects.h
 .Ft int
 .Fo OBJ_find_sigid_algs
@@ -80,7 +81,6 @@ and
 algorithms is defined or 0 if the definition of such an algorithm
 is not built into the library.
 .Sh SEE ALSO
-.Xr EVP_cleanup 3 ,
 .Xr OBJ_create 3 ,
 .Xr OBJ_nid2obj 3
 .Sh HISTORY
diff --git a/src/lib/libcrypto/man/OBJ_nid2obj.3 b/src/lib/libcrypto/man/OBJ_nid2obj.3
index ccab1ed30c..9261ac9a7d 100644
--- a/src/lib/libcrypto/man/OBJ_nid2obj.3
+++ b/src/lib/libcrypto/man/OBJ_nid2obj.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OBJ_nid2obj.3,v 1.22 2024/01/31 08:02:53 tb Exp $
+.\" $OpenBSD: OBJ_nid2obj.3,v 1.23 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL c264592d May 14 11:28:00 2006 +0000
 .\" selective merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 31 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OBJ_NID2OBJ 3
 .Os
 .Sh NAME
@@ -86,6 +86,7 @@
 .Nm i2a_ASN1_OBJECT
 .Nd inspect and create ASN.1 object identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/objects.h
 .Ft ASN1_OBJECT *
 .Fo OBJ_nid2obj
diff --git a/src/lib/libcrypto/man/OCSP_CRLID_new.3 b/src/lib/libcrypto/man/OCSP_CRLID_new.3
index 6feb608654..9b0126fe91 100644
--- a/src/lib/libcrypto/man/OCSP_CRLID_new.3
+++ b/src/lib/libcrypto/man/OCSP_CRLID_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_CRLID_new.3,v 1.8 2022/01/15 23:38:50 jsg Exp $
+.\"     $OpenBSD: OCSP_CRLID_new.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 15 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_CRLID_NEW 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm OCSP_crlID_new
 .Nd OCSP CRL extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_CRLID *
 .Fn OCSP_CRLID_new void
diff --git a/src/lib/libcrypto/man/OCSP_REQUEST_new.3 b/src/lib/libcrypto/man/OCSP_REQUEST_new.3
index a304f60160..0e4e0ffb38 100644
--- a/src/lib/libcrypto/man/OCSP_REQUEST_new.3
+++ b/src/lib/libcrypto/man/OCSP_REQUEST_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_REQUEST_new.3,v 1.12 2022/02/19 13:09:36 jsg Exp $
+.\"     $OpenBSD: OCSP_REQUEST_new.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 19 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_REQUEST_NEW 3
 .Os
 .Sh NAME
@@ -84,6 +84,7 @@
 .Nm OCSP_request_onereq_get0
 .Nd OCSP request functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_REQUEST *
 .Fn OCSP_REQUEST_new void
diff --git a/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3 b/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3
index 62eb8c320f..42288321a3 100644
--- a/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3
+++ b/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OCSP_SERVICELOC_new.3,v 1.8 2019/08/23 12:23:39 schwarze Exp $
+.\" $OpenBSD: OCSP_SERVICELOC_new.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 23 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_SERVICELOC_NEW 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm OCSP_url_svcloc_new
 .Nd OCSP service locator extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_SERVICELOC *
 .Fn OCSP_SERVICELOC_new void
diff --git a/src/lib/libcrypto/man/OCSP_cert_to_id.3 b/src/lib/libcrypto/man/OCSP_cert_to_id.3
index 032e87515e..d0c04fcbb1 100644
--- a/src/lib/libcrypto/man/OCSP_cert_to_id.3
+++ b/src/lib/libcrypto/man/OCSP_cert_to_id.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_cert_to_id.3,v 1.14 2025/04/17 14:58:09 tb Exp $
+.\"     $OpenBSD: OCSP_cert_to_id.3,v 1.15 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 17 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_CERT_TO_ID 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm OCSP_id_get0_info
 .Nd OCSP certificate ID utility functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_CERTID *
 .Fn OCSP_CERTID_new void
diff --git a/src/lib/libcrypto/man/OCSP_request_add1_nonce.3 b/src/lib/libcrypto/man/OCSP_request_add1_nonce.3
index 036c937c61..304d686ba7 100644
--- a/src/lib/libcrypto/man/OCSP_request_add1_nonce.3
+++ b/src/lib/libcrypto/man/OCSP_request_add1_nonce.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_request_add1_nonce.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $
+.\"     $OpenBSD: OCSP_request_add1_nonce.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 22 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_REQUEST_ADD1_NONCE 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm OCSP_copy_nonce
 .Nd OCSP nonce functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft int
 .Fo OCSP_request_add1_nonce
diff --git a/src/lib/libcrypto/man/OCSP_resp_find_status.3 b/src/lib/libcrypto/man/OCSP_resp_find_status.3
index 06d0354bd6..5e9ce02fd5 100644
--- a/src/lib/libcrypto/man/OCSP_resp_find_status.3
+++ b/src/lib/libcrypto/man/OCSP_resp_find_status.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OCSP_resp_find_status.3,v 1.11 2022/03/31 17:27:17 naddy Exp $
+.\" $OpenBSD: OCSP_resp_find_status.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL c952780c Jun 21 07:03:34 2016 -0400
 .\" selective merge up to: OpenSSL 1212818e Sep 11 13:22:14 2018 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_RESP_FIND_STATUS 3
 .Os
 .Sh NAME
@@ -88,6 +88,7 @@
 .Nm OCSP_basic_verify
 .Nd OCSP response utility functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_SINGLERESP *
 .Fn OCSP_SINGLERESP_new void
diff --git a/src/lib/libcrypto/man/OCSP_response_status.3 b/src/lib/libcrypto/man/OCSP_response_status.3
index 4e85384fb0..7fd8267d9f 100644
--- a/src/lib/libcrypto/man/OCSP_response_status.3
+++ b/src/lib/libcrypto/man/OCSP_response_status.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OCSP_response_status.3,v 1.8 2019/08/27 09:40:29 schwarze Exp $
+.\" $OpenBSD: OCSP_response_status.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\" selective merge up to: OpenSSL 6738bf14 Feb 13 12:51:29 2018 +0000
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 27 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_RESPONSE_STATUS 3
 .Os
 .Sh NAME
@@ -87,6 +87,7 @@
 .Nm OCSP_basic_sign
 .Nd OCSP response functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_RESPONSE *
 .Fn OCSP_RESPONSE_new void
diff --git a/src/lib/libcrypto/man/OCSP_sendreq_new.3 b/src/lib/libcrypto/man/OCSP_sendreq_new.3
index 300f719525..c6608ecce7 100644
--- a/src/lib/libcrypto/man/OCSP_sendreq_new.3
+++ b/src/lib/libcrypto/man/OCSP_sendreq_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OCSP_sendreq_new.3,v 1.10 2022/03/31 17:27:17 naddy Exp $
+.\" $OpenBSD: OCSP_sendreq_new.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_SENDREQ_NEW 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm OCSP_sendreq_bio
 .Nd OCSP responder query functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_REQ_CTX *
 .Fo OCSP_sendreq_new
diff --git a/src/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 b/src/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
index 76427a864b..929658c28d 100644
--- a/src/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
+++ b/src/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OPENSSL_VERSION_NUMBER.3,v 1.13 2023/11/16 20:17:04 schwarze Exp $
+.\" $OpenBSD: OPENSSL_VERSION_NUMBER.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 1f13ad31 Dec 25 17:50:39 2017 +0800
 .\"
 .\" This file is a derived work.
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OPENSSL_VERSION_NUMBER 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm SSLeay_version
 .Nd get OpenSSL version number
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/opensslv.h
 .Fd #define OPENSSL_VERSION_NUMBER 0x020000000L
 .Fd #define LIBRESSL_VERSION_NUMBER 0x02nnnn00fL
diff --git a/src/lib/libcrypto/man/OPENSSL_cleanse.3 b/src/lib/libcrypto/man/OPENSSL_cleanse.3
index 95fe6b86fd..cf16405db9 100644
--- a/src/lib/libcrypto/man/OPENSSL_cleanse.3
+++ b/src/lib/libcrypto/man/OPENSSL_cleanse.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OPENSSL_cleanse.3,v 1.4 2019/06/10 09:49:48 schwarze Exp $
+.\"     $OpenBSD: OPENSSL_cleanse.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OPENSSL_CLEANSE 3
 .Os
 .Sh NAME
 .Nm OPENSSL_cleanse
 .Nd OpenSSL memory cleaning operation
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/crypto.h
 .Ft void
 .Fo OPENSSL_cleanse
diff --git a/src/lib/libcrypto/man/OPENSSL_config.3 b/src/lib/libcrypto/man/OPENSSL_config.3
index f5f31571a1..e21b9817de 100644
--- a/src/lib/libcrypto/man/OPENSSL_config.3
+++ b/src/lib/libcrypto/man/OPENSSL_config.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OPENSSL_config.3,v 1.16 2023/11/19 21:01:27 tb Exp $
+.\" $OpenBSD: OPENSSL_config.3,v 1.18 2025/06/09 12:43:53 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 9 2025 $
 .Dt OPENSSL_CONFIG 3
 .Os
 .Sh NAME
@@ -73,6 +73,7 @@
 .Nm OPENSSL_no_config
 .Nd simple crypto and ssl library configuration
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/conf.h
 .Ft void
 .Fo OPENSSL_config
@@ -117,13 +118,11 @@ To use a non-standard configuration file, refer to
 Internally,
 .Fn OPENSSL_config
 calls
-.Xr OPENSSL_init_crypto 3
-and
-.Xr OPENSSL_load_builtin_modules 3 .
+.Xr OPENSSL_init_crypto 3 .
 .Pp
 If an application is compiled with the preprocessor symbol
 .Dv OPENSSL_LOAD_CONF
-#define'd,
+defined,
 .Xr OpenSSL_add_all_algorithms 3
 automatically calls
 .Fn OPENSSL_config .
@@ -140,7 +139,6 @@ standard configuration file
 .Xr CONF_modules_free 3 ,
 .Xr CONF_modules_load_file 3 ,
 .Xr crypto 3 ,
-.Xr OPENSSL_load_builtin_modules 3 ,
 .Xr OPENSSL_VERSION_NUMBER 3 ,
 .Xr openssl.cnf 5 ,
 .Xr x509v3.cnf 5
diff --git a/src/lib/libcrypto/man/OPENSSL_init_crypto.3 b/src/lib/libcrypto/man/OPENSSL_init_crypto.3
index 6f38c7bda2..5c29d55aa9 100644
--- a/src/lib/libcrypto/man/OPENSSL_init_crypto.3
+++ b/src/lib/libcrypto/man/OPENSSL_init_crypto.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OPENSSL_init_crypto.3,v 1.5 2020/05/24 12:21:31 schwarze Exp $
+.\" $OpenBSD: OPENSSL_init_crypto.3,v 1.7 2025/06/09 12:43:53 schwarze Exp $
 .\" Copyright (c) 2018, 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 24 2020 $
+.Dd $Mdocdate: June 9 2025 $
 .Dt OPENSSL_INIT_CRYPTO 3
 .Os
 .Sh NAME
@@ -21,6 +21,7 @@
 .Nm OPENSSL_init
 .Nd initialise the crypto library
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/crypto.h
 .Ft int
 .Fo OPENSSL_init_crypto
@@ -54,10 +55,7 @@ If
 is called before any other crypto or ssl functions, the crypto
 library is initialised by allocating various internal resources,
 in particular calling
-.Xr ERR_load_crypto_strings 3 ,
-.Xr OpenSSL_add_all_ciphers 3 ,
-and
-.Xr OpenSSL_add_all_digests 3 .
+.Xr ERR_load_crypto_strings 3 .
 .Pp
 The following
 .Fa options
@@ -92,7 +90,6 @@ is intended to return 1 on success or 0 on error.
 .Sh SEE ALSO
 .Xr CONF_modules_load_file 3 ,
 .Xr OPENSSL_config 3 ,
-.Xr OPENSSL_load_builtin_modules 3 ,
 .Xr openssl.cnf 5
 .Sh HISTORY
 .Fn OPENSSL_init
diff --git a/src/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 b/src/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
deleted file mode 100644
index 2b20efaf0e..0000000000
--- a/src/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
+++ /dev/null
@@ -1,101 +0,0 @@
-.\"     $OpenBSD: OPENSSL_load_builtin_modules.3,v 1.8 2023/12/05 02:41:13 jsg Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2004, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 5 2023 $
-.Dt OPENSSL_LOAD_BUILTIN_MODULES 3
-.Os
-.Sh NAME
-.Nm OPENSSL_load_builtin_modules ,
-.Nm ASN1_add_oid_module
-.Nd add standard configuration modules
-.Sh SYNOPSIS
-.In openssl/conf.h
-.Ft void
-.Fn OPENSSL_load_builtin_modules void
-.Ft void
-.Fn ASN1_add_oid_module void
-.Sh DESCRIPTION
-The function
-.Fn OPENSSL_load_builtin_modules
-adds all the standard OpenSSL configuration modules to the internal
-list.
-They can then be used by the OpenSSL configuration code.
-.Pp
-.Fn ASN1_add_oid_module
-adds just the ASN.1 OBJECT module.
-.Pp
-If the simple configuration function
-.Xr OPENSSL_config 3
-is called then
-.Fn OPENSSL_load_builtin_modules
-is called automatically.
-.Pp
-Applications which use configuration functions like
-.Xr CONF_modules_load_file 3
-directly need to call
-.Fn OPENSSL_load_builtin_modules
-themselves
-.Em before
-any other configuration code.
-.Pp
-Applications should call
-.Xr OPENSSL_config 3
-or
-.Fn OPENSSL_load_builtin_modules
-to load all configuration modules instead of adding modules selectively:
-otherwise functionality may be missing from the application when
-new modules are added.
-.Sh SEE ALSO
-.Xr CONF_modules_load_file 3 ,
-.Xr OPENSSL_config 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7
-and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/OPENSSL_malloc.3 b/src/lib/libcrypto/man/OPENSSL_malloc.3
index a43dc56923..6e87d030d8 100644
--- a/src/lib/libcrypto/man/OPENSSL_malloc.3
+++ b/src/lib/libcrypto/man/OPENSSL_malloc.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OPENSSL_malloc.3,v 1.13 2024/04/04 09:30:43 tb Exp $
+.\"     $OpenBSD: OPENSSL_malloc.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 4 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OPENSSL_MALLOC 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm CRYPTO_strdup
 .Nd legacy OpenSSL memory allocation wrappers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/crypto.h
 .Ft void *
 .Fo OPENSSL_malloc
diff --git a/src/lib/libcrypto/man/OPENSSL_sk_new.3 b/src/lib/libcrypto/man/OPENSSL_sk_new.3
index 8f06bb4212..632bc9d39f 100644
--- a/src/lib/libcrypto/man/OPENSSL_sk_new.3
+++ b/src/lib/libcrypto/man/OPENSSL_sk_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OPENSSL_sk_new.3,v 1.13 2024/03/04 09:47:34 tb Exp $
+.\" $OpenBSD: OPENSSL_sk_new.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 4 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OPENSSL_SK_NEW 3
 .Os
 .Sh NAME
@@ -40,6 +40,7 @@
 .Nm sk_zero
 .Nd variable-sized arrays of void pointers, called OpenSSL stacks
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/stack.h
 .Ft _STACK *
 .Fn sk_new_null void
diff --git a/src/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 b/src/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
index 88ecef9768..68d8799bd4 100644
--- a/src/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
+++ b/src/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
@@ -1,7 +1,24 @@
-.\" $OpenBSD: OpenSSL_add_all_algorithms.3,v 1.16 2024/03/04 19:04:47 tb Exp $
+.\" $OpenBSD: OpenSSL_add_all_algorithms.3,v 1.19 2025/06/12 15:59:30 schwarze Exp $
 .\" full merge up to: OpenSSL b3696a55 Sep 2 09:35:50 2017 -0400
 .\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2018, 2019, 2023, 2025 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
 .\" Copyright (c) 2000, 2003, 2013 The OpenSSL Project.  All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -48,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 4 2024 $
+.Dd $Mdocdate: June 12 2025 $
 .Dt OPENSSL_ADD_ALL_ALGORITHMS 3
 .Os
 .Sh NAME
@@ -64,6 +81,7 @@
 .\" because they are unused aliases.
 .Nd add algorithms to internal table
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft void
 .Fn OpenSSL_add_all_algorithms void
@@ -79,40 +97,43 @@
 These functions are deprecated.
 It is never useful for any application program
 to call any of them explicitly.
-The library automatically calls them internally whenever needed.
+Most of them have no effect except that they may or may not call
+.Xr OPENSSL_init_crypto 3 .
 .Pp
-OpenSSL keeps an internal table of digest algorithms and ciphers.
-It uses this table to look up ciphers via functions such as
-.Xr EVP_get_cipherbyname 3 .
+The library contains internal tables of digest algorithms and ciphers.
+It uses these tables to look up digests and ciphers via
+.Xr EVP_get_digestbyname 3
+and
+.Xr EVP_get_cipherbyname 3 ,
+respectively.
+In LibreSSL, these tables are static constants and do not require
+initialization.
 .Pp
 .Fn OpenSSL_add_all_algorithms
-adds all algorithms to the table (digests and ciphers).
+used to add all digests and ciphers to the tables.
 If an application is compiled with the preprocessor symbol
 .Dv OPENSSL_LOAD_CONF
-#define'd, it also calls
+defined, it also calls
 .Xr OPENSSL_config 3
 with a
 .Dv NULL
 argument, loading the default configuration file.
+Relying on this behaviour is not recommended.
+If loading a configuration file is desired, call
+.Xr OPENSSL_config 3
+or
+.Xr CONF_modules_load_file 3
+directly.
 .Pp
 .Fn OpenSSL_add_all_digests
-adds all digest algorithms to the table.
+used to add all digest algorithms to the table.
 .Pp
 .Fn OpenSSL_add_all_ciphers
-adds all encryption algorithms to the table including password based
-encryption algorithms.
-.Pp
-If any of the above functions is called more than once,
-only the first call has an effect.
+used to add all encryption algorithms to the table.
 .Pp
 .Fn EVP_cleanup
-removes all ciphers and digests from the table and also calls
-.Xr OBJ_NAME_cleanup 3
-with an argument of \-1 ,
-thus resetting the global associative array of names
-and all signature algorithm definitions to their default states,
-removing all application-defined types, key-value pairs, and aliases,
-including any that are unrelated to the EVP library.
+has no effect; it used to remove various kinds of application-supplied
+data that is no longer supported in the first place.
 .Pp
 .Fn SSLeay_add_all_algorithms
 is a deprecated alias for
@@ -126,8 +147,6 @@ are implemented as macros.
 .Xr evp 3 ,
 .Xr EVP_DigestInit 3 ,
 .Xr EVP_EncryptInit 3 ,
-.Xr OBJ_cleanup 3 ,
-.Xr OBJ_NAME_add 3 ,
 .Xr OPENSSL_config 3
 .Sh HISTORY
 .Fn EVP_cleanup ,
@@ -148,5 +167,3 @@ first appeared in OpenSSL 0.9.5 and have been available since
 .Sh BUGS
 Although the functions do not return error codes, it is possible for them
 to fail.
-This will only happen as a result of a memory allocation failure so this
-is not too much of a problem in practice.
diff --git a/src/lib/libcrypto/man/PEM_ASN1_read.3 b/src/lib/libcrypto/man/PEM_ASN1_read.3
index 53ebe5ada4..016007d405 100644
--- a/src/lib/libcrypto/man/PEM_ASN1_read.3
+++ b/src/lib/libcrypto/man/PEM_ASN1_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_ASN1_read.3,v 1.2 2020/07/23 17:34:53 schwarze Exp $
+.\" $OpenBSD: PEM_ASN1_read.3,v 1.4 2025/07/16 17:59:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 23 2020 $
+.Dd $Mdocdate: July 16 2025 $
 .Dt PEM_ASN1_READ 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm PEM_ASN1_read_bio
 .Nd PEM and DER decode an arbitrary ASN.1 value
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pem.h
 .Ft typedef void *
 .Fo d2i_of_void
@@ -165,7 +166,7 @@ Additional types of errors can result from
 .Xr PEM_read 3 ,
 .Xr PEM_read_bio_PrivateKey 3 ,
 .Xr PEM_read_SSL_SESSION 3 ,
-.Xr PEM_X509_INFO_read 3
+.Xr PEM_X509_INFO_read_bio 3
 .Sh HISTORY
 These functions first appeared in SSLeay 0.5.1
 and have been available since
diff --git a/src/lib/libcrypto/man/PEM_X509_INFO_read.3 b/src/lib/libcrypto/man/PEM_X509_INFO_read_bio.3
index b3216a89b6..7d34951df0 100644
--- a/src/lib/libcrypto/man/PEM_X509_INFO_read.3
+++ b/src/lib/libcrypto/man/PEM_X509_INFO_read_bio.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_X509_INFO_read.3,v 1.4 2021/10/19 10:39:33 schwarze Exp $
+.\" $OpenBSD: PEM_X509_INFO_read_bio.3,v 1.1 2025/07/17 10:31:50 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,23 +14,16 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 19 2021 $
-.Dt PEM_X509_INFO_READ 3
+.Dd $Mdocdate: July 17 2025 $
+.Dt PEM_X509_INFO_READ_BIO 3
 .Os
 .Sh NAME
-.Nm PEM_X509_INFO_read ,
 .Nm PEM_X509_INFO_read_bio
 .Nd PEM and DER decode X.509 certificates, private keys, and revocation lists
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pem.h
 .Ft STACK_OF(X509_INFO) *
-.Fo PEM_X509_INFO_read
-.Fa "FILE *in_fp"
-.Fa "STACK_OF(X509_INFO) *sk"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft STACK_OF(X509_INFO) *
 .Fo PEM_X509_INFO_read_bio
 .Fa "BIO *in_bp"
 .Fa "STACK_OF(X509_INFO) *sk"
@@ -38,13 +31,11 @@
 .Fa "void *u"
 .Fc
 .Sh DESCRIPTION
-These functions read zero or more objects
+This function reads zero or more objects
 related to X.509 certificates from
-.Fa in_fp
-or
 .Fa in_bp ,
-perform both PEM and DER decoding,
-and wrap the resulting objects in newly allocated
+performs both PEM and DER decoding,
+and wraps the resulting objects in newly allocated
 .Vt X509_INFO
 containers.
 .Pp
@@ -109,11 +100,11 @@ during the same call are deleted again and
 .Fa sk
 is left unchanged.
 .Sh RETURN VALUES
-These functions return a pointer to the stack
+This function returns a pointer to the stack
 the objects read were pushed onto or
 .Dv NULL
 if an error occurs.
-They fail if
+It fails if
 .Xr PEM_read_bio 3 ,
 .Xr PEM_get_EVP_CIPHER_INFO 3 ,
 .Xr PEM_do_header 3 ,
@@ -128,9 +119,6 @@ include:
 .Bl -tag -width Ds
 .It Dv ERR_R_ASN1_LIB Qq "ASN1 lib"
 DER decoding of a PEM object failed.
-.It Dv ERR_R_BUF_LIB Qq BUF lib
-.Fn PEM_X509_INFO_read
-failed to set up a temporary BIO, for example because memory was exhausted.
 .It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
 .Fn PEM_X509_INFO_read_bio
 failed to allocate a new
@@ -147,7 +135,7 @@ Additional types of errors can result from
 and
 .Xr PEM_do_header 3 .
 .Pp
-After these functions failed due to memory exhaustion,
+After this function failed due to memory exhaustion,
 .Xr ERR_get_error 3
 may sometimes return 0 anyway.
 .Sh SEE ALSO
@@ -162,14 +150,10 @@ may sometimes return 0 anyway.
 .Xr X509_CRL_new 3 ,
 .Xr X509_INFO_new 3 ,
 .Xr X509_LOOKUP_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_PKEY_new 3
+.Xr X509_new 3
 .Sh HISTORY
-.Fn PEM_X509_INFO_read
-first appeared in SSLeay 0.5.1 and
 .Fn PEM_X509_INFO_read_bio
-in SSLeay 0.6.0.
-Both functions have been available since
+first appeared in SSLeay 0.6.0 and has been available since
 .Ox 2.4 .
 .Sh CAVEATS
 It is not an error
@@ -184,6 +168,6 @@ a newly allocated, empty stack is returned.
 The only way to detect this situation is by comparing
 the number of objects on the stack before and after the call.
 .Sh BUGS
-When reaching the end of the input, these functions call
+When reaching the end of the input, this function calls
 .Xr ERR_clear_error 3 ,
-which may hide errors that occurred before calling these functions.
+which may hide errors that occurred before calling it.
diff --git a/src/lib/libcrypto/man/PEM_bytes_read_bio.3 b/src/lib/libcrypto/man/PEM_bytes_read_bio.3
index 20ad6b8a4d..69cb26ce8d 100644
--- a/src/lib/libcrypto/man/PEM_bytes_read_bio.3
+++ b/src/lib/libcrypto/man/PEM_bytes_read_bio.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_bytes_read_bio.3,v 1.6 2020/07/23 17:34:53 schwarze Exp $
+.\" $OpenBSD: PEM_bytes_read_bio.3,v 1.8 2025/07/16 17:59:10 schwarze Exp $
 .\" selective merge up to:
 .\" OpenSSL PEM_bytes_read_bio.pod 7671342e Feb 29 15:47:12 2016 -0600
 .\"
@@ -65,13 +65,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 23 2020 $
+.Dd $Mdocdate: July 16 2025 $
 .Dt PEM_BYTES_READ_BIO 3
 .Os
 .Sh NAME
 .Nm PEM_bytes_read_bio
 .Nd read a PEM-encoded data structure from a BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pem.h
 .Ft int
 .Fo PEM_bytes_read_bio
@@ -175,7 +176,7 @@ Additional types of errors can result from
 .Xr PEM_ASN1_read 3 ,
 .Xr PEM_read 3 ,
 .Xr PEM_read_bio_PrivateKey 3 ,
-.Xr PEM_X509_INFO_read 3
+.Xr PEM_X509_INFO_read_bio 3
 .Sh STANDARDS
 RFC 1421: Privacy Enhancement for Internet Electronic Mail (PEM), Part I
 .Sh HISTORY
diff --git a/src/lib/libcrypto/man/PEM_read.3 b/src/lib/libcrypto/man/PEM_read.3
index 1493d54fc4..de93b3e903 100644
--- a/src/lib/libcrypto/man/PEM_read.3
+++ b/src/lib/libcrypto/man/PEM_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_read.3,v 1.15 2023/09/18 15:26:46 schwarze Exp $
+.\" $OpenBSD: PEM_read.3,v 1.17 2025/07/16 17:59:10 schwarze Exp $
 .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 18 2023 $
+.Dd $Mdocdate: July 16 2025 $
 .Dt PEM_READ 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm pem_password_cb
 .Nd PEM encoding routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pem.h
 .Ft int
 .Fo PEM_write
@@ -395,7 +396,7 @@ to fail may differ.
 .Xr PEM_read_SSL_SESSION 3 ,
 .Xr PEM_write_bio_CMS_stream 3 ,
 .Xr PEM_write_bio_PKCS7_stream 3 ,
-.Xr PEM_X509_INFO_read 3
+.Xr PEM_X509_INFO_read_bio 3
 .Sh HISTORY
 .Fn PEM_write ,
 .Fn PEM_read ,
diff --git a/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3 b/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
index 9f45261725..9ef136de7e 100644
--- a/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
+++ b/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.23 2024/09/02 08:04:32 tb Exp $
+.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.25 2025/07/16 17:59:10 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/PEM_read_bio_PrivateKey.pod 18bad535 Apr 9 15:13:55 2019 +0100
 .\" OpenSSL man3/PEM_read_CMS.pod 83cf7abf May 29 13:07:08 2018 +0100
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: July 16 2025 $
 .Dt PEM_READ_BIO_PRIVATEKEY 3
 .Os
 .Sh NAME
@@ -143,6 +143,7 @@
 .Nm PEM_write_bio_CMS
 .Nd PEM routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pem.h
 .Ft EVP_PKEY *
 .Fo PEM_read_bio_PrivateKey
@@ -1183,7 +1184,7 @@ pass_cb(char *buf, int size, int rwflag, void *u)
 .Xr PEM_read_SSL_SESSION 3 ,
 .Xr PEM_write_bio_CMS_stream 3 ,
 .Xr PEM_write_bio_PKCS7_stream 3 ,
-.Xr PEM_X509_INFO_read 3 ,
+.Xr PEM_X509_INFO_read_bio 3 ,
 .Xr RSA_new 3 ,
 .Xr X509_CRL_new 3 ,
 .Xr X509_REQ_new 3 ,
diff --git a/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 b/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
index 88adbba74f..a858874bab 100644
--- a/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
+++ b/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_write_bio_CMS_stream.3,v 1.6 2023/05/01 07:28:11 tb Exp $
+.\" $OpenBSD: PEM_write_bio_CMS_stream.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 1 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PEM_WRITE_BIO_CMS_STREAM 3
 .Os
 .Sh NAME
 .Nm PEM_write_bio_CMS_stream
 .Nd output CMS_ContentInfo structure in PEM format
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo PEM_write_bio_CMS_stream
diff --git a/src/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 b/src/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
index 9050b8562f..a731767049 100644
--- a/src/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
+++ b/src/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_write_bio_PKCS7_stream.3,v 1.12 2023/05/01 07:28:11 tb Exp $
+.\" $OpenBSD: PEM_write_bio_PKCS7_stream.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 1 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PEM_WRITE_BIO_PKCS7_STREAM 3
 .Os
 .Sh NAME
 .Nm PEM_write_bio_PKCS7_stream
 .Nd output PKCS7 structure in PEM format
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PEM_write_bio_PKCS7_stream
diff --git a/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3 b/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3
index e7d20ea7f6..45bdc20bc9 100644
--- a/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3
+++ b/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS12_SAFEBAG_new.3,v 1.4 2019/06/06 01:06:58 schwarze Exp $
+.\"     $OpenBSD: PKCS12_SAFEBAG_new.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS12_SAFEBAG_NEW 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm PKCS12_BAGS_free
 .Nd PKCS#12 container for one piece of information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs12.h
 .Ft PKCS12_SAFEBAG *
 .Fn PKCS12_SAFEBAG_new void
diff --git a/src/lib/libcrypto/man/PKCS12_create.3 b/src/lib/libcrypto/man/PKCS12_create.3
index 904166da73..80471ca88a 100644
--- a/src/lib/libcrypto/man/PKCS12_create.3
+++ b/src/lib/libcrypto/man/PKCS12_create.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS12_create.3,v 1.13 2024/08/22 12:26:01 tb Exp $
+.\" $OpenBSD: PKCS12_create.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 22 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS12_CREATE 3
 .Os
 .Sh NAME
 .Nm PKCS12_create
 .Nd create a PKCS#12 structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs12.h
 .Ft PKCS12 *
 .Fo PKCS12_create
diff --git a/src/lib/libcrypto/man/PKCS12_new.3 b/src/lib/libcrypto/man/PKCS12_new.3
index c7ccdb4911..1506eaade3 100644
--- a/src/lib/libcrypto/man/PKCS12_new.3
+++ b/src/lib/libcrypto/man/PKCS12_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS12_new.3,v 1.4 2019/06/06 01:06:58 schwarze Exp $
+.\"     $OpenBSD: PKCS12_new.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS12_NEW 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm PKCS12_MAC_DATA_free
 .Nd PKCS#12 personal information exchange (PFX)
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs12.h
 .Ft PKCS12 *
 .Fn PKCS12_new void
diff --git a/src/lib/libcrypto/man/PKCS12_newpass.3 b/src/lib/libcrypto/man/PKCS12_newpass.3
index b5642c96ea..b4d088e0e8 100644
--- a/src/lib/libcrypto/man/PKCS12_newpass.3
+++ b/src/lib/libcrypto/man/PKCS12_newpass.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS12_newpass.3,v 1.4 2019/06/14 13:59:32 schwarze Exp $
+.\"     $OpenBSD: PKCS12_newpass.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL c95a8b4e May 5 14:26:26 2016 +0100
 .\"
 .\" This file was written by Jeffrey Walton <noloader@gmail.com>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 14 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS12_NEWPASS 3
 .Os
 .Sh NAME
 .Nm PKCS12_newpass
 .Nd change the password of a PKCS#12 structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs12.h
 .Ft int
 .Fo PKCS12_newpass
diff --git a/src/lib/libcrypto/man/PKCS12_parse.3 b/src/lib/libcrypto/man/PKCS12_parse.3
index 4e92d303c7..333d86b672 100644
--- a/src/lib/libcrypto/man/PKCS12_parse.3
+++ b/src/lib/libcrypto/man/PKCS12_parse.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS12_parse.3,v 1.7 2021/07/09 12:07:27 schwarze Exp $
+.\"     $OpenBSD: PKCS12_parse.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS12_PARSE 3
 .Os
 .Sh NAME
 .Nm PKCS12_parse
 .Nd parse a PKCS#12 structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs12.h
 .Ft int
 .Fo PKCS12_parse
diff --git a/src/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3 b/src/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3
index 3a448b92a7..7c113029ee 100644
--- a/src/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3
+++ b/src/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS5_PBKDF2_HMAC.3,v 1.9 2019/06/07 20:46:25 schwarze Exp $
+.\"     $OpenBSD: PKCS5_PBKDF2_HMAC.3,v 1.10 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Jeffrey Walton <noloader@gmail.com>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 7 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS5_PBKDF2_HMAC 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm PKCS5_PBKDF2_HMAC_SHA1
 .Nd password based derivation routines with salt and iteration count
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo PKCS5_PBKDF2_HMAC
diff --git a/src/lib/libcrypto/man/PKCS7_add_attribute.3 b/src/lib/libcrypto/man/PKCS7_add_attribute.3
index 4a1c350f98..e7c8c734c4 100644
--- a/src/lib/libcrypto/man/PKCS7_add_attribute.3
+++ b/src/lib/libcrypto/man/PKCS7_add_attribute.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_add_attribute.3,v 1.3 2020/06/10 11:39:12 schwarze Exp $
+.\" $OpenBSD: PKCS7_add_attribute.3,v 1.6 2025/07/27 19:31:20 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 10 2020 $
+.Dd $Mdocdate: July 27 2025 $
 .Dt PKCS7_ADD_ATTRIBUTE 3
 .Os
 .Sh NAME
@@ -30,6 +30,7 @@
 .Nm PKCS7_add_attrib_smimecap
 .Nd attributes of SignerInfo objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PKCS7_add_attribute
@@ -306,6 +307,10 @@ RFC 2985: PKCS #9: Selected Object Classes and Attribute Types Version 2.0,
 section 5.3: Attribute types for use in PKCS #7 data
 and section 5.6: Attributes defined in S/MIME
 .Pp
+RFC 5652: Cryptographic Message Syntax (CMS),
+section 5.3: SignerInfo Type
+and section 11: Useful Attributes
+.Pp
 RFC 8551: Secure/Multipurpose Internet Mail Extensions (S/MIME)
 Version 4.0 Message Specification,
 section 2.5.2: SMIMECapabilities Attribute
@@ -345,7 +350,7 @@ in a state that violates the standard.
 .Fn PKCS7_add0_attrib_signing_time
 does not validate
 .Fa t
-in any way.
+beyond checking that it is well-formed per RFC 5652, section 11.3.
 In particular, it may set the signing time to the future
 or to the remote past.
 .Sh BUGS
diff --git a/src/lib/libcrypto/man/PKCS7_dataFinal.3 b/src/lib/libcrypto/man/PKCS7_dataFinal.3
index 1a01b2ff61..fdc9da7f9e 100644
--- a/src/lib/libcrypto/man/PKCS7_dataFinal.3
+++ b/src/lib/libcrypto/man/PKCS7_dataFinal.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_dataFinal.3,v 1.3 2022/12/26 07:18:52 jmc Exp $
+.\" $OpenBSD: PKCS7_dataFinal.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 26 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_DATAFINAL 3
 .Os
 .Sh NAME
 .Nm PKCS7_dataFinal
 .Nd move data from a BIO chain to a ContentInfo object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PKCS7_dataFinal
diff --git a/src/lib/libcrypto/man/PKCS7_dataInit.3 b/src/lib/libcrypto/man/PKCS7_dataInit.3
index cb54d3f95c..320a227454 100644
--- a/src/lib/libcrypto/man/PKCS7_dataInit.3
+++ b/src/lib/libcrypto/man/PKCS7_dataInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_dataInit.3,v 1.2 2020/06/03 13:41:27 schwarze Exp $
+.\" $OpenBSD: PKCS7_dataInit.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 3 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_DATAINIT 3
 .Os
 .Sh NAME
 .Nm PKCS7_dataInit
 .Nd construct a BIO chain for adding or retrieving content
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft BIO *
 .Fo PKCS7_dataInit
diff --git a/src/lib/libcrypto/man/PKCS7_decrypt.3 b/src/lib/libcrypto/man/PKCS7_decrypt.3
index 8d00499b57..857777bcd6 100644
--- a/src/lib/libcrypto/man/PKCS7_decrypt.3
+++ b/src/lib/libcrypto/man/PKCS7_decrypt.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS7_decrypt.3,v 1.10 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: PKCS7_decrypt.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_DECRYPT 3
 .Os
 .Sh NAME
 .Nm PKCS7_decrypt
 .Nd decrypt content from a PKCS#7 envelopedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PKCS7_decrypt
diff --git a/src/lib/libcrypto/man/PKCS7_encrypt.3 b/src/lib/libcrypto/man/PKCS7_encrypt.3
index 700498a1de..3e7283839d 100644
--- a/src/lib/libcrypto/man/PKCS7_encrypt.3
+++ b/src/lib/libcrypto/man/PKCS7_encrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_encrypt.3,v 1.11 2020/06/03 13:41:27 schwarze Exp $
+.\" $OpenBSD: PKCS7_encrypt.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 3 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_ENCRYPT 3
 .Os
 .Sh NAME
 .Nm PKCS7_encrypt
 .Nd create a PKCS#7 envelopedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft PKCS7 *
 .Fo PKCS7_encrypt
diff --git a/src/lib/libcrypto/man/PKCS7_final.3 b/src/lib/libcrypto/man/PKCS7_final.3
index 775b84d984..5c2063b1bd 100644
--- a/src/lib/libcrypto/man/PKCS7_final.3
+++ b/src/lib/libcrypto/man/PKCS7_final.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_final.3,v 1.3 2022/12/26 07:18:52 jmc Exp $
+.\" $OpenBSD: PKCS7_final.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 26 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_FINAL 3
 .Os
 .Sh NAME
 .Nm PKCS7_final
 .Nd read data from a BIO into a ContentInfo object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PKCS7_final
diff --git a/src/lib/libcrypto/man/PKCS7_get_signer_info.3 b/src/lib/libcrypto/man/PKCS7_get_signer_info.3
index 280f373ead..9edf4c63de 100644
--- a/src/lib/libcrypto/man/PKCS7_get_signer_info.3
+++ b/src/lib/libcrypto/man/PKCS7_get_signer_info.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_get_signer_info.3,v 1.1 2020/06/10 11:43:08 schwarze Exp $
+.\" $OpenBSD: PKCS7_get_signer_info.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 10 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_GET_SIGNER_INFO 3
 .Os
 .Sh NAME
 .Nm PKCS7_get_signer_info
 .Nd retrieve signerInfos from a SignedData object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft STACK_OF(PKCS7_SIGNER_INFO) *
 .Fn PKCS7_get_signer_info "PKCS7 *p7"
diff --git a/src/lib/libcrypto/man/PKCS7_new.3 b/src/lib/libcrypto/man/PKCS7_new.3
index 151261a312..19f6f1ac81 100644
--- a/src/lib/libcrypto/man/PKCS7_new.3
+++ b/src/lib/libcrypto/man/PKCS7_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_new.3,v 1.12 2020/06/10 11:43:08 schwarze Exp $
+.\" $OpenBSD: PKCS7_new.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 10 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_NEW 3
 .Os
 .Sh NAME
@@ -40,6 +40,7 @@
 .Nm PKCS7_ISSUER_AND_SERIAL_free
 .Nd PKCS#7 data structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft PKCS7 *
 .Fn PKCS7_new void
diff --git a/src/lib/libcrypto/man/PKCS7_set_content.3 b/src/lib/libcrypto/man/PKCS7_set_content.3
index fa057341d5..bf0eb76786 100644
--- a/src/lib/libcrypto/man/PKCS7_set_content.3
+++ b/src/lib/libcrypto/man/PKCS7_set_content.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_set_content.3,v 1.2 2020/05/24 12:37:30 schwarze Exp $
+.\" $OpenBSD: PKCS7_set_content.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 24 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_SET_CONTENT 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm PKCS7_content_new
 .Nd set the nested contentInfo in a PKCS#7 structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PKCS7_set_content
diff --git a/src/lib/libcrypto/man/PKCS7_set_type.3 b/src/lib/libcrypto/man/PKCS7_set_type.3
index f414b128a2..23eefff972 100644
--- a/src/lib/libcrypto/man/PKCS7_set_type.3
+++ b/src/lib/libcrypto/man/PKCS7_set_type.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_set_type.3,v 1.2 2020/05/20 11:40:26 schwarze Exp $
+.\" $OpenBSD: PKCS7_set_type.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 20 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_SET_TYPE 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm PKCS7_set0_type_other
 .Nd initialize type of PKCS#7 ContentInfo
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PKCS7_set_type
diff --git a/src/lib/libcrypto/man/PKCS7_sign.3 b/src/lib/libcrypto/man/PKCS7_sign.3
index 37257e60fd..174b385196 100644
--- a/src/lib/libcrypto/man/PKCS7_sign.3
+++ b/src/lib/libcrypto/man/PKCS7_sign.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_sign.3,v 1.13 2020/06/10 11:43:08 schwarze Exp $
+.\" $OpenBSD: PKCS7_sign.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_SIGN 3
 .Os
 .Sh NAME
 .Nm PKCS7_sign
 .Nd create a PKCS#7 signedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft PKCS7 *
 .Fo PKCS7_sign
diff --git a/src/lib/libcrypto/man/PKCS7_sign_add_signer.3 b/src/lib/libcrypto/man/PKCS7_sign_add_signer.3
index 195d6388c9..4b88ff72bd 100644
--- a/src/lib/libcrypto/man/PKCS7_sign_add_signer.3
+++ b/src/lib/libcrypto/man/PKCS7_sign_add_signer.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_sign_add_signer.3,v 1.13 2020/06/10 11:43:08 schwarze Exp $
+.\" $OpenBSD: PKCS7_sign_add_signer.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_SIGN_ADD_SIGNER 3
 .Os
 .Sh NAME
 .Nm PKCS7_sign_add_signer
 .Nd add a signer to a SignedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft PKCS7_SIGNER_INFO *
 .Fo PKCS7_sign_add_signer
diff --git a/src/lib/libcrypto/man/PKCS7_verify.3 b/src/lib/libcrypto/man/PKCS7_verify.3
index d091c03dfd..6bf932b54b 100644
--- a/src/lib/libcrypto/man/PKCS7_verify.3
+++ b/src/lib/libcrypto/man/PKCS7_verify.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS7_verify.3,v 1.11 2022/03/31 17:27:17 naddy Exp $
+.\"     $OpenBSD: PKCS7_verify.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_VERIFY 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm PKCS7_get0_signers
 .Nd verify a PKCS#7 signedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PKCS7_verify
diff --git a/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3 b/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3
index 822968f58d..55eb464a33 100644
--- a/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3
+++ b/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS8_PRIV_KEY_INFO_new.3,v 1.7 2024/12/06 12:51:13 schwarze Exp $
+.\"     $OpenBSD: PKCS8_PRIV_KEY_INFO_new.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS8_PRIV_KEY_INFO_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm PKCS8_PRIV_KEY_INFO_free
 .Nd PKCS#8 private key information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft PKCS8_PRIV_KEY_INFO *
 .Fn PKCS8_PRIV_KEY_INFO_new void
diff --git a/src/lib/libcrypto/man/PKCS8_pkey_set0.3 b/src/lib/libcrypto/man/PKCS8_pkey_set0.3
index f3d5a294c3..a8a160d544 100644
--- a/src/lib/libcrypto/man/PKCS8_pkey_set0.3
+++ b/src/lib/libcrypto/man/PKCS8_pkey_set0.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS8_pkey_set0.3,v 1.3 2024/09/02 07:45:09 tb Exp $
+.\" $OpenBSD: PKCS8_pkey_set0.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS8_PKEY_SET0 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm PKCS8_pkey_get0_attrs
 .Nd change and inspect PKCS#8 PrivateKeyInfo objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo PKCS8_pkey_set0
diff --git a/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3 b/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3
index 40735c6f86..2d4f010bce 100644
--- a/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3
+++ b/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKEY_USAGE_PERIOD_new.3,v 1.5 2019/06/06 01:06:59 schwarze Exp $
+.\"     $OpenBSD: PKEY_USAGE_PERIOD_new.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKEY_USAGE_PERIOD_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm PKEY_USAGE_PERIOD_free
 .Nd X.509 certificate private key usage period extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft PKEY_USAGE_PERIOD *
 .Fn PKEY_USAGE_PERIOD_new void
diff --git a/src/lib/libcrypto/man/POLICYINFO_new.3 b/src/lib/libcrypto/man/POLICYINFO_new.3
index 52c004414e..aad2ad3ce5 100644
--- a/src/lib/libcrypto/man/POLICYINFO_new.3
+++ b/src/lib/libcrypto/man/POLICYINFO_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: POLICYINFO_new.3,v 1.11 2023/05/14 08:03:57 tb Exp $
+.\"     $OpenBSD: POLICYINFO_new.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 14 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt POLICYINFO_NEW 3
 .Os
 .Sh NAME
@@ -34,6 +34,7 @@
 .Nm POLICY_CONSTRAINTS_free
 .Nd X.509 certificate policies
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft POLICYINFO *
 .Fn POLICYINFO_new void
diff --git a/src/lib/libcrypto/man/RAND_add.3 b/src/lib/libcrypto/man/RAND_add.3
index 5404f696a3..b56707a313 100644
--- a/src/lib/libcrypto/man/RAND_add.3
+++ b/src/lib/libcrypto/man/RAND_add.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RAND_add.3,v 1.10 2018/03/27 17:35:50 schwarze Exp $
+.\" $OpenBSD: RAND_add.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\" content checked up to: OpenSSL c16de9d8 Aug 31 23:16:22 2017 +0200
 .\"
 .\" Copyright (c) 2014 Miod Vallat <miod@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RAND_ADD 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm RAND_status
 .Nd manipulate the PRNG state
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rand.h
 .Ft void
 .Fo RAND_add
diff --git a/src/lib/libcrypto/man/RAND_bytes.3 b/src/lib/libcrypto/man/RAND_bytes.3
index 19427a82df..ce0773f448 100644
--- a/src/lib/libcrypto/man/RAND_bytes.3
+++ b/src/lib/libcrypto/man/RAND_bytes.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RAND_bytes.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: RAND_bytes.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RAND_BYTES 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm RAND_pseudo_bytes
 .Nd generate random data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rand.h
 .Ft int
 .Fo RAND_bytes
diff --git a/src/lib/libcrypto/man/RAND_load_file.3 b/src/lib/libcrypto/man/RAND_load_file.3
index 9227e2721b..1c6f7a27fb 100644
--- a/src/lib/libcrypto/man/RAND_load_file.3
+++ b/src/lib/libcrypto/man/RAND_load_file.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RAND_load_file.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: RAND_load_file.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RAND_LOAD_FILE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm RAND_write_file
 .Nd PRNG seed file
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rand.h
 .Ft const char *
 .Fo RAND_file_name
diff --git a/src/lib/libcrypto/man/RAND_set_rand_method.3 b/src/lib/libcrypto/man/RAND_set_rand_method.3
index d94d794daf..2756099c7b 100644
--- a/src/lib/libcrypto/man/RAND_set_rand_method.3
+++ b/src/lib/libcrypto/man/RAND_set_rand_method.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RAND_set_rand_method.3,v 1.4 2018/03/21 09:03:49 schwarze Exp $
+.\"     $OpenBSD: RAND_set_rand_method.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Miod Vallat <miod@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RAND_SET_RAND_METHOD 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm RAND_SSLeay
 .Nd select RAND method
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rand.h
 .Ft int
 .Fo RAND_set_rand_method
diff --git a/src/lib/libcrypto/man/RC2_encrypt.3 b/src/lib/libcrypto/man/RC2_encrypt.3
index a90e0f574b..735c10cbd7 100644
--- a/src/lib/libcrypto/man/RC2_encrypt.3
+++ b/src/lib/libcrypto/man/RC2_encrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RC2_encrypt.3,v 1.2 2024/12/18 04:15:48 jsg Exp $
+.\" $OpenBSD: RC2_encrypt.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 18 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RC2_ENCRYPT 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm RC2_ofb64_encrypt
 .Nd low-level functions for Rivest Cipher 2
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rc2.h
 .Ft void
 .Fo RC2_set_key
diff --git a/src/lib/libcrypto/man/RC4.3 b/src/lib/libcrypto/man/RC4.3
index 8b20a434b7..ff92cffc78 100644
--- a/src/lib/libcrypto/man/RC4.3
+++ b/src/lib/libcrypto/man/RC4.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RC4.3,v 1.8 2020/03/29 17:05:02 schwarze Exp $
+.\"     $OpenBSD: RC4.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RC4 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm RC4
 .Nd RC4 encryption
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rc4.h
 .Ft void
 .Fo RC4_set_key
diff --git a/src/lib/libcrypto/man/RIPEMD160.3 b/src/lib/libcrypto/man/RIPEMD160.3
index 43c6694036..e22f4ed841 100644
--- a/src/lib/libcrypto/man/RIPEMD160.3
+++ b/src/lib/libcrypto/man/RIPEMD160.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RIPEMD160.3,v 1.8 2024/05/26 09:54:16 tb Exp $
+.\" $OpenBSD: RIPEMD160.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 26 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RIPEMD160 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm RIPEMD160_Final
 .Nd RIPEMD-160 hash function
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ripemd.h
 .Ft unsigned char *
 .Fo RIPEMD160
diff --git a/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3 b/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3
index f69f33dbe5..6532028a57 100644
--- a/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3
+++ b/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_PSS_PARAMS_new.3,v 1.4 2019/06/06 01:06:59 schwarze Exp $
+.\"     $OpenBSD: RSA_PSS_PARAMS_new.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_PSS_PARAMS_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm RSA_PSS_PARAMS_free
 .Nd probabilistic signature scheme with RSA hashing
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft RSA_PSS_PARAMS *
 .Fn RSA_PSS_PARAMS_new void
diff --git a/src/lib/libcrypto/man/RSA_blinding_on.3 b/src/lib/libcrypto/man/RSA_blinding_on.3
index bd2a301377..0dfebf3739 100644
--- a/src/lib/libcrypto/man/RSA_blinding_on.3
+++ b/src/lib/libcrypto/man/RSA_blinding_on.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_blinding_on.3,v 1.7 2023/07/26 20:08:59 tb Exp $
+.\"     $OpenBSD: RSA_blinding_on.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 26 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_BLINDING_ON 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm RSA_blinding_off
 .Nd protect the RSA operation from timing attacks
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_blinding_on
diff --git a/src/lib/libcrypto/man/RSA_check_key.3 b/src/lib/libcrypto/man/RSA_check_key.3
index 36b613b3a5..b6c9bc20a1 100644
--- a/src/lib/libcrypto/man/RSA_check_key.3
+++ b/src/lib/libcrypto/man/RSA_check_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_check_key.3,v 1.10 2023/11/19 21:06:15 tb Exp $
+.\"     $OpenBSD: RSA_check_key.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 6859cf74 Sep 25 13:33:28 2002 +0000
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_CHECK_KEY 3
 .Os
 .Sh NAME
 .Nm RSA_check_key
 .Nd validate private RSA keys
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_check_key
diff --git a/src/lib/libcrypto/man/RSA_generate_key.3 b/src/lib/libcrypto/man/RSA_generate_key.3
index 83703b1eaa..a72168def9 100644
--- a/src/lib/libcrypto/man/RSA_generate_key.3
+++ b/src/lib/libcrypto/man/RSA_generate_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_generate_key.3,v 1.13 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: RSA_generate_key.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL RSA_generate_key.pod bb6c5e7f Feb 5 10:29:22 2017 -0500
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_GENERATE_KEY 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm RSA_generate_key
 .Nd generate RSA key pair
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_generate_key_ex
diff --git a/src/lib/libcrypto/man/RSA_get0_key.3 b/src/lib/libcrypto/man/RSA_get0_key.3
index f09fb00d2b..cf82b21ce2 100644
--- a/src/lib/libcrypto/man/RSA_get0_key.3
+++ b/src/lib/libcrypto/man/RSA_get0_key.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_get0_key.3,v 1.8 2025/01/05 15:40:42 tb Exp $
+.\" $OpenBSD: RSA_get0_key.3,v 1.10 2025/06/13 18:34:00 schwarze Exp $
 .\" selective merge up to: OpenSSL 665d899f Aug 2 02:19:43 2017 +0800
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 5 2025 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt RSA_GET0_KEY 3
 .Os
 .Sh NAME
@@ -88,6 +88,7 @@
 .Nm RSA_set_flags
 .Nd get and set data in an RSA object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft void
 .Fo RSA_get0_key
@@ -96,15 +97,15 @@
 .Fa "const BIGNUM **e"
 .Fa "const BIGNUM **d"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_n
 .Fa "const RSA *r"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_e
 .Fa "const RSA *r"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_d
 .Fa "const RSA *r"
 .Fc
@@ -121,11 +122,11 @@
 .Fa "const BIGNUM **p"
 .Fa "const BIGNUM **q"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_p
 .Fa "const RSA *r"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_q
 .Fa "const RSA *r"
 .Fc
@@ -142,15 +143,15 @@
 .Fa "const BIGNUM **dmq1"
 .Fa "const BIGNUM **iqmp"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_dmp1
 .Fa "const RSA *r"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_dmq1
 .Fa "const RSA *r"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_iqmp
 .Fa "const RSA *r"
 .Fc
diff --git a/src/lib/libcrypto/man/RSA_get_ex_new_index.3 b/src/lib/libcrypto/man/RSA_get_ex_new_index.3
index 5f1fb4335f..1b7096faa1 100644
--- a/src/lib/libcrypto/man/RSA_get_ex_new_index.3
+++ b/src/lib/libcrypto/man/RSA_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_get_ex_new_index.3,v 1.13 2023/11/19 21:08:04 tb Exp $
+.\" $OpenBSD: RSA_get_ex_new_index.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm RSA_get_ex_data
 .Nd add application specific data to RSA objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_get_ex_new_index
diff --git a/src/lib/libcrypto/man/RSA_meth_new.3 b/src/lib/libcrypto/man/RSA_meth_new.3
index a3a5c549e5..9626f1139f 100644
--- a/src/lib/libcrypto/man/RSA_meth_new.3
+++ b/src/lib/libcrypto/man/RSA_meth_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_meth_new.3,v 1.6 2025/01/05 15:40:42 tb Exp $
+.\" $OpenBSD: RSA_meth_new.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL a970b14f Jul 31 18:58:40 2017 -0400
 .\" selective merge up to: OpenSSL 24907560 Sep 17 07:47:42 2018 +1000
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 5 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_METH_NEW 3
 .Os
 .Sh NAME
@@ -103,6 +103,7 @@
 .Nm RSA_meth_set_keygen
 .Nd build up RSA methods
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft RSA_METHOD *
 .Fo RSA_meth_new
diff --git a/src/lib/libcrypto/man/RSA_new.3 b/src/lib/libcrypto/man/RSA_new.3
index f5c7929e77..9c69ce27b1 100644
--- a/src/lib/libcrypto/man/RSA_new.3
+++ b/src/lib/libcrypto/man/RSA_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_new.3,v 1.18 2023/11/19 21:03:22 tb Exp $
+.\" $OpenBSD: RSA_new.3,v 1.19 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL doc/man3/RSA_new.pod e9b77246 Jan 20 19:58:49 2017 +0100
 .\" OpenSSL doc/crypto/rsa.pod 35d2e327 Jun 3 16:19:49 2016 -0400 (final)
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_NEW 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm RSA_free
 .Nd allocate and free RSA objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft RSA *
 .Fn RSA_new void
diff --git a/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 b/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
index e7c3a2a624..d8a142f3f9 100644
--- a/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
+++ b/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_padding_add_PKCS1_type_1.3,v 1.8 2018/03/21 16:09:51 schwarze Exp $
+.\"     $OpenBSD: RSA_padding_add_PKCS1_type_1.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 1e3f62a3 Jul 17 16:47:13 2017 +0200
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_PADDING_ADD_PKCS1_TYPE_1 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm RSA_padding_check_none
 .Nd asymmetric encryption padding
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_padding_add_PKCS1_type_1
diff --git a/src/lib/libcrypto/man/RSA_pkey_ctx_ctrl.3 b/src/lib/libcrypto/man/RSA_pkey_ctx_ctrl.3
index 3d4e79cc47..ca805e5191 100644
--- a/src/lib/libcrypto/man/RSA_pkey_ctx_ctrl.3
+++ b/src/lib/libcrypto/man/RSA_pkey_ctx_ctrl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_pkey_ctx_ctrl.3,v 1.8 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: RSA_pkey_ctx_ctrl.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/EVP_PKEY_CTX_ctrl.pod 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" OpenSSL man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod
@@ -55,7 +55,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_PKEY_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen
 .Nd RSA private key control operations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_pkey_ctx_ctrl
diff --git a/src/lib/libcrypto/man/RSA_print.3 b/src/lib/libcrypto/man/RSA_print.3
index 767241ce1c..3f5d927b79 100644
--- a/src/lib/libcrypto/man/RSA_print.3
+++ b/src/lib/libcrypto/man/RSA_print.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_print.3,v 1.9 2019/06/06 01:06:59 schwarze Exp $
+.\"     $OpenBSD: RSA_print.3,v 1.10 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_PRINT 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm DHparams_print_fp
 .Nd print cryptographic parameters
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_print
diff --git a/src/lib/libcrypto/man/RSA_private_encrypt.3 b/src/lib/libcrypto/man/RSA_private_encrypt.3
index 2bf6c57dba..43e94b1fd2 100644
--- a/src/lib/libcrypto/man/RSA_private_encrypt.3
+++ b/src/lib/libcrypto/man/RSA_private_encrypt.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_private_encrypt.3,v 1.10 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: RSA_private_encrypt.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL RSA_private_encrypt.pod b41f6b64 Mar 10 15:49:04 2017 +0000
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_PRIVATE_ENCRYPT 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm RSA_public_decrypt
 .Nd low level signature operations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_private_encrypt
diff --git a/src/lib/libcrypto/man/RSA_public_encrypt.3 b/src/lib/libcrypto/man/RSA_public_encrypt.3
index be3afdf402..f40118846a 100644
--- a/src/lib/libcrypto/man/RSA_public_encrypt.3
+++ b/src/lib/libcrypto/man/RSA_public_encrypt.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_public_encrypt.3,v 1.13 2023/09/10 16:04:15 schwarze Exp $
+.\"     $OpenBSD: RSA_public_encrypt.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL RSA_public_encrypt.pod 1e3f62a3 Jul 17 16:47:13 2017 +0200
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 10 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_PUBLIC_ENCRYPT 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm EVP_PKEY_decrypt_old
 .Nd RSA public key cryptography
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_public_encrypt
diff --git a/src/lib/libcrypto/man/RSA_security_bits.3 b/src/lib/libcrypto/man/RSA_security_bits.3
index f7024a7956..0766ce61b1 100644
--- a/src/lib/libcrypto/man/RSA_security_bits.3
+++ b/src/lib/libcrypto/man/RSA_security_bits.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_security_bits.3,v 1.1 2022/07/13 17:32:16 schwarze Exp $
+.\" $OpenBSD: RSA_security_bits.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_SECURITY_BITS 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm BN_security_bits
 .Nd get security strength
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fn RSA_security_bits "const RSA *rsa"
diff --git a/src/lib/libcrypto/man/RSA_set_method.3 b/src/lib/libcrypto/man/RSA_set_method.3
index ffe22c116f..127dc62c60 100644
--- a/src/lib/libcrypto/man/RSA_set_method.3
+++ b/src/lib/libcrypto/man/RSA_set_method.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_set_method.3,v 1.18 2023/11/19 10:34:26 tb Exp $
+.\"     $OpenBSD: RSA_set_method.3,v 1.19 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_SET_METHOD 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm RSA_new_method
 .Nd select RSA method
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft void
 .Fo RSA_set_default_method
diff --git a/src/lib/libcrypto/man/RSA_sign.3 b/src/lib/libcrypto/man/RSA_sign.3
index 888e36a680..d2a4512302 100644
--- a/src/lib/libcrypto/man/RSA_sign.3
+++ b/src/lib/libcrypto/man/RSA_sign.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_sign.3,v 1.9 2025/04/17 14:58:09 tb Exp $
+.\"     $OpenBSD: RSA_sign.3,v 1.10 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL aa90ca11 Aug 20 15:48:56 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 17 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_SIGN 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm RSA_verify
 .Nd RSA signatures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_sign
diff --git a/src/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 b/src/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
index 34aef42c48..bd11a0607a 100644
--- a/src/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
+++ b/src/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_sign_ASN1_OCTET_STRING.3,v 1.7 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: RSA_sign_ASN1_OCTET_STRING.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_SIGN_ASN1_OCTET_STRING 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm RSA_verify_ASN1_OCTET_STRING
 .Nd RSA signatures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_sign_ASN1_OCTET_STRING
diff --git a/src/lib/libcrypto/man/RSA_size.3 b/src/lib/libcrypto/man/RSA_size.3
index 8a552b4e67..9988903d55 100644
--- a/src/lib/libcrypto/man/RSA_size.3
+++ b/src/lib/libcrypto/man/RSA_size.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_size.3,v 1.10 2022/07/13 21:51:35 schwarze Exp $
+.\" $OpenBSD: RSA_size.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_SIZE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm RSA_bits
 .Nd get the RSA modulus size
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_size
diff --git a/src/lib/libcrypto/man/SHA1.3 b/src/lib/libcrypto/man/SHA1.3
index 4ccb08157c..74fd388cd8 100644
--- a/src/lib/libcrypto/man/SHA1.3
+++ b/src/lib/libcrypto/man/SHA1.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SHA1.3,v 1.9 2024/06/01 12:35:23 tb Exp $
+.\"     $OpenBSD: SHA1.3,v 1.10 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 1 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SHA1 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm SHA512_Final
 .Nd Secure Hash Algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/sha.h
 .Ft unsigned char *
 .Fo SHA1
diff --git a/src/lib/libcrypto/man/SMIME_crlf_copy.3 b/src/lib/libcrypto/man/SMIME_crlf_copy.3
index 3b46138473..0991d207a1 100644
--- a/src/lib/libcrypto/man/SMIME_crlf_copy.3
+++ b/src/lib/libcrypto/man/SMIME_crlf_copy.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SMIME_crlf_copy.3,v 1.3 2023/05/01 07:28:11 tb Exp $
+.\" $OpenBSD: SMIME_crlf_copy.3,v 1.5 2025/06/11 13:48:54 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,15 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 1 2023 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt SMIME_CRLF_COPY 3
 .Os
 .Sh NAME
 .Nm SMIME_crlf_copy
 .Nd buffered copy between BIOs
 .Sh SYNOPSIS
+.Lb libcrypto
+.In openssl/asn1.h
 .Ft int
 .Fo SMIME_crlf_copy
 .Fa "BIO *in_bio"
@@ -79,7 +81,8 @@ is intended to return 1 on success or 0 on failure.
 .Xr BIO_push 3 ,
 .Xr BIO_read 3 ,
 .Xr SMIME_text 3 ,
-.Xr SMIME_write_ASN1 3
+.Xr SMIME_write_CMS 3 ,
+.Xr SMIME_write_PKCS7 3
 .Sh HISTORY
 .Fn SMIME_crlf_copy
 first appeared in OpenSSL 1.0.0 and has been available since
diff --git a/src/lib/libcrypto/man/SMIME_read_ASN1.3 b/src/lib/libcrypto/man/SMIME_read_ASN1.3
deleted file mode 100644
index 320064567c..0000000000
--- a/src/lib/libcrypto/man/SMIME_read_ASN1.3
+++ /dev/null
@@ -1,124 +0,0 @@
-.\" $OpenBSD: SMIME_read_ASN1.3,v 1.2 2021/12/14 15:22:49 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL SMIME_read_PKCS7.pod 83cf7abf May 29 13:07:08 2018 +0100
-.\" OpenSSL SMIME_read_CMS.pod b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2006, 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 14 2021 $
-.Dt SMIME_READ_ASN1 3
-.Os
-.Sh NAME
-.Nm SMIME_read_ASN1
-.Nd generic S/MIME message parser
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_VALUE *
-.Fo SMIME_read_ASN1
-.Fa "BIO *in_bio"
-.Fa "BIO **out_bio"
-.Fa "const ASN1_ITEM *it"
-.Fc
-.Sh DESCRIPTION
-.Fn SMIME_read_ASN1
-reads a message in S/MIME format from
-.Fa in_bio .
-.Pp
-If the message uses cleartext signing, the content is saved in a memory
-.Vt BIO
-which is written to
-.Pf * Fa out_bio .
-Otherwise,
-.Pf * Fa out_bio
-is set to
-.Dv NULL .
-.Pp
-To support future functionality, if
-.Fa out_bio
-is not
-.Dv NULL ,
-.Pf * Fa out_bio
-should be initialized to
-.Dv NULL
-before calling
-.Fn SMIME_read_ASN1 .
-.Sh RETURN VALUES
-.Fn SMIME_read_ASN1
-returns a newly allocated object of type
-.Fa it
-or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr ASN1_item_d2i_bio 3 ,
-.Xr BIO_f_base64 3 ,
-.Xr BIO_new 3 ,
-.Xr SMIME_read_CMS 3 ,
-.Xr SMIME_read_PKCS7 3 ,
-.Xr SMIME_text 3
-.Sh HISTORY
-.Fn SMIME_read_ASN1
-first appeared in OpenSSL 0.9.8h and has been available since
-.Ox 4.5 .
-.Sh BUGS
-The MIME parser used by
-.Fn SMIME_read_ASN1
-is somewhat primitive.
-While it will handle most S/MIME messages, more complex compound
-formats may not work.
-.Pp
-The parser assumes that the
-structure is always base64 encoded, and it will not handle the case
-where it is in binary format or uses quoted printable format.
-.Pp
-The use of a memory
-to hold the signed content limits the size of the message which can
-be processed due to memory restraints: a streaming single pass
-option should be available.
diff --git a/src/lib/libcrypto/man/SMIME_read_CMS.3 b/src/lib/libcrypto/man/SMIME_read_CMS.3
index e1b1d07499..d37769e5ea 100644
--- a/src/lib/libcrypto/man/SMIME_read_CMS.3
+++ b/src/lib/libcrypto/man/SMIME_read_CMS.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SMIME_read_CMS.3,v 1.7 2021/12/14 14:30:50 schwarze Exp $
+.\" $OpenBSD: SMIME_read_CMS.3,v 1.9 2025/06/11 13:41:03 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2021 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt SMIME_READ_CMS 3
 .Os
 .Sh NAME
 .Nm SMIME_read_CMS
 .Nd extract CMS ContentInfo from an S/MIME message
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ContentInfo *
 .Fo SMIME_read_CMS
@@ -103,12 +104,15 @@ if an error occurred.
 The error can be obtained from
 .Xr ERR_get_error 3 .
 .Sh SEE ALSO
+.Xr BIO_f_base64 3 ,
+.Xr BIO_new 3 ,
 .Xr CMS_ContentInfo_new 3 ,
 .Xr CMS_decrypt 3 ,
 .Xr CMS_get0_type 3 ,
 .Xr CMS_verify 3 ,
 .Xr d2i_CMS_ContentInfo 3 ,
-.Xr SMIME_read_ASN1 3 ,
+.Xr SMIME_read_PKCS7 3 ,
+.Xr SMIME_text 3 ,
 .Xr SMIME_write_CMS 3
 .Sh HISTORY
 .Fn SMIME_read_CMS
diff --git a/src/lib/libcrypto/man/SMIME_read_PKCS7.3 b/src/lib/libcrypto/man/SMIME_read_PKCS7.3
index dbe2765b8b..095115c0dc 100644
--- a/src/lib/libcrypto/man/SMIME_read_PKCS7.3
+++ b/src/lib/libcrypto/man/SMIME_read_PKCS7.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SMIME_read_PKCS7.3,v 1.8 2021/12/14 14:30:50 schwarze Exp $
+.\" $OpenBSD: SMIME_read_PKCS7.3,v 1.10 2025/06/11 13:41:03 schwarze Exp $
 .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2021 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt SMIME_READ_PKCS7 3
 .Os
 .Sh NAME
 .Nm SMIME_read_PKCS7
 .Nd extract a PKCS#7 object from an S/MIME message
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft PKCS7 *
 .Fo SMIME_read_PKCS7
@@ -124,8 +125,11 @@ if an error occurred.
 The error can be obtained from
 .Xr ERR_get_error 3 .
 .Sh SEE ALSO
+.Xr BIO_f_base64 3 ,
+.Xr BIO_new 3 ,
 .Xr PKCS7_new 3 ,
-.Xr SMIME_read_ASN1 3 ,
+.Xr SMIME_read_CMS 3 ,
+.Xr SMIME_text 3 ,
 .Xr SMIME_write_PKCS7 3
 .Sh HISTORY
 .Fn SMIME_read_PKCS7
diff --git a/src/lib/libcrypto/man/SMIME_text.3 b/src/lib/libcrypto/man/SMIME_text.3
index a4c9689925..719b3d921f 100644
--- a/src/lib/libcrypto/man/SMIME_text.3
+++ b/src/lib/libcrypto/man/SMIME_text.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SMIME_text.3,v 1.1 2021/12/14 15:22:49 schwarze Exp $
+.\" $OpenBSD: SMIME_text.3,v 1.3 2025/06/11 13:48:54 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 14 2021 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt SMIME_TEXT 3
 .Os
 .Sh NAME
 .Nm SMIME_text
 .Nd remove text/plain MIME headers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo SMIME_text
@@ -47,7 +48,10 @@ header, or if the content type is not
 .Dq text/plain .
 .Sh SEE ALSO
 .Xr SMIME_crlf_copy 3 ,
-.Xr SMIME_read_ASN1 3
+.Xr SMIME_read_CMS 3 ,
+.Xr SMIME_read_PKCS7 3 ,
+.Xr SMIME_write_CMS 3 ,
+.Xr SMIME_write_PKCS7 3
 .Sh HISTORY
 .Fn SMIME_text
 first appeared in OpenSSL 1.0.0 and has been available since
diff --git a/src/lib/libcrypto/man/SMIME_write_ASN1.3 b/src/lib/libcrypto/man/SMIME_write_ASN1.3
deleted file mode 100644
index a02fa58570..0000000000
--- a/src/lib/libcrypto/man/SMIME_write_ASN1.3
+++ /dev/null
@@ -1,163 +0,0 @@
-.\" $OpenBSD: SMIME_write_ASN1.3,v 1.2 2023/05/01 07:28:11 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: May 1 2023 $
-.Dt SMIME_WRITE_ASN1 3
-.Os
-.Sh NAME
-.Nm SMIME_write_ASN1
-.Nd generate an S/MIME message
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo SMIME_write_ASN1
-.Fa "BIO *out_bio"
-.Fa "ASN1_VALUE *val_in"
-.Fa "BIO *in_bio"
-.Fa "int flags"
-.Fa "int ctype_nid"
-.Fa "int econt_nid"
-.Fa "STACK_OF(X509_ALGOR) *micalg"
-.Fa "const ASN1_ITEM *it"
-.Fc
-.Sh DESCRIPTION
-.Fn SMIME_write_ASN1
-generates an S/MIME message on
-.Fa out_bio
-by writing MIME 1.0 headers
-followed by a BER- and base64-encoded serialization of
-.Fa val_in ,
-which can be of the type
-.Vt CMS_ContentInfo
-or
-.Vt PKCS7
-and has to match the
-.Fa it
-argument.
-.Pp
-The
-.Fa flags
-can be the logical OR of zero or more of the following bits:
-.Bl -tag -width Ds
-.It Dv PKCS7_REUSE_DIGEST
-Skip the calls to
-.Xr PKCS7_dataInit 3
-and
-.Xr PKCS7_dataFinal 3 .
-This flag has no effect unless
-.Dv SMIME_DETACHED
-is also set.
-It is normally used if
-.Fa out_bio
-is already set up to calculate and finalize the digest when written through.
-.It Dv SMIME_BINARY
-If specified, this flag is passed through to
-.Xr SMIME_crlf_copy 3 .
-.It Dv SMIME_CRLFEOL
-End MIME header lines with pairs of carriage return and newline characters.
-By default, no carriage return characters are written
-and header lines are ended with newline characters only.
-.It Dv SMIME_DETACHED
-Use cleartext signing.
-Generate a
-.Qq multipart/signed
-S/MIME message using the
-.Fa micalg
-argument and ignoring the
-.Fa ctype_nid
-and
-.Fa econt_nid
-arguments.
-The content is read from
-.Fa in_bio .
-If
-.Fa in_bio
-is a
-.Dv NULL
-pointer, this flag is ignored.
-.Pp
-If this flag is ignored or not specified,
-the smime-type is chosen according to
-.Fa ctype_nid
-instead:
-.Bl -tag -width Ds
-.It Dv NID_pkcs7_enveloped
-.Qq enveloped-data
-.It Dv NID_pkcs7_signed
-.Qq signed-receipt
-if
-.Fa econt_nid
-is
-.Dv NID_id_smime_ct_receipt
-.br
-.Qq signed-data
-if
-.Fa micalg
-is not empty
-.br
-.Qq certs-only
-if
-.Fa micalg
-is empty
-.It Dv NID_id_smime_ct_compressedData
-.Qq compressed-data
-.El
-.It Dv SMIME_OLDMIME
-In Content-Type headers, use
-.Qq application/x-pkcs7-mime
-or
-.Qq application/x-pkcs7-signature .
-By default,
-.Qq application/pkcs7-mime
-or
-.Qq application/pkcs7-signature
-are used instead.
-.It Dv SMIME_STREAM
-Perform streaming by reading the content from
-.Fa in_bio .
-This only works if
-.Dv SMIME_DETACHED
-is not specified.
-.It SMIME_TEXT
-Prepend the line
-.Qq Content-Type: text/plain
-to the content.
-This only makes sense if
-.Dv SMIME_DETACHED
-is also set.
-It is ignored if the flag
-.Dv SMIME_BINARY
-is also set.
-.El
-.Sh RETURN VALUES
-.Fn SMIME_write_ASN1
-is intended to return 1 on success or 0 on failure.
-.Sh SEE ALSO
-.Xr ASN1_item_i2d_bio 3 ,
-.Xr BIO_f_base64 3 ,
-.Xr BIO_new 3 ,
-.Xr SMIME_crlf_copy 3 ,
-.Xr SMIME_write_CMS 3 ,
-.Xr SMIME_write_PKCS7 3 ,
-.Xr X509_ALGOR_new 3
-.Sh HISTORY
-.Fn SMIME_write_ASN1
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
-.Sh BUGS
-.Fn SMIME_write_ASN1
-ignores most errors and is likely to return 1
-even after producing corrupt or incomplete output.
diff --git a/src/lib/libcrypto/man/SMIME_write_CMS.3 b/src/lib/libcrypto/man/SMIME_write_CMS.3
index c2c6b77e53..5f4c43bb7c 100644
--- a/src/lib/libcrypto/man/SMIME_write_CMS.3
+++ b/src/lib/libcrypto/man/SMIME_write_CMS.3
@@ -1,7 +1,24 @@
-.\" $OpenBSD: SMIME_write_CMS.3,v 1.6 2021/12/13 17:24:39 schwarze Exp $
+.\" $OpenBSD: SMIME_write_CMS.3,v 1.9 2025/06/11 23:16:32 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2021, 2025 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
 .\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -48,13 +65,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 13 2021 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt SMIME_WRITE_CMS 3
 .Os
 .Sh NAME
 .Nm SMIME_write_CMS
 .Nd convert CMS structure to S/MIME format
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo SMIME_write_CMS
@@ -65,21 +83,35 @@
 .Fc
 .Sh DESCRIPTION
 .Fn SMIME_write_CMS
-adds the appropriate MIME headers to the
-.Fa cms
-structure to produce an S/MIME message and writes it to
-.Fa out .
+generates an S/MIME message on
+.Fa out
+by writing MIME 1.0 headers
+followed by a BER- and base64-encoded serialization of
+.Fa cms .
+The BER encoding uses the DER format except as described for
+.Dv CMS_STREAM
+below.
 If streaming is enabled, the content must be supplied in the
 .Fa data
 argument.
 .Pp
-The following
+The
 .Fa flags
-can be passed:
+can be the logical OR of zero or more of the following bits:
 .Bl -tag -width Ds
 .It Dv CMS_DETACHED
-Use cleartext signing.
-This option only makes sense if
+Use cleartext signing and generate a
+.Qq multipart/signed
+S/MIME message.
+The content is read from
+.Fa data .
+If
+.Fa data
+is a
+.Dv NULL
+pointer, this flag is ignored.
+.Pp
+This flag is only supported if
 .Fa cms
 is of the type
 .Vt SignedData
@@ -94,13 +126,46 @@ is not set, the data must be read twice:
 once to compute the signature in
 .Xr CMS_sign 3
 and once to output the S/MIME message.
-.It Dv CMS_TEXT
-Add MIME headers for type text/plain to the content.
-This only makes sense if
+.Pp
+If
+.Dv CMS_DETACHED
+is ignored or not specified, the smime-type is chosen according to
+.Xr CMS_get0_type 3 :
+.Bl -tag -width Ds
+.It Dv NID_pkcs7_enveloped
+.Qq enveloped-data
+.It Dv NID_pkcs7_signed
+.Bl -tag -width Msigned-receiptM -compact
+.It Qq signed-receipt
+if
+.Xr CMS_get0_eContentType 3
+is
+.Dv NID_id_smime_ct_receipt
+.It Qq signed-data
+if
+.Fa cms
+specifies any digest algorithm
+.It Qq certs-only
+otherwise
+.El
+.It Dv NID_id_smime_ct_compressedData
+.Qq compressed-data
+.El
+.It Dv CMS_REUSE_DIGEST
+Skip the calls to
+.Xr CMS_dataInit 3
+and
+.Xr CMS_dataFinal 3 .
+This flag has no effect unless
 .Dv CMS_DETACHED
 is also set.
 .It Dv CMS_STREAM
-Perform streaming.
+Perform streaming by reading the content from
+.Fa data .
+This only works if
+.Dv CMS_DETACHED
+is not specified.
+.Pp
 This flag should only be set if
 .Dv CMS_STREAM
 was also passed to the function that created
@@ -111,17 +176,38 @@ constructed encoding except in the case of
 .Vt SignedData
 with detached content where the content is absent and DER format is
 used.
+.It Dv CMS_TEXT
+Prepend the line
+.Qq Content-Type: text/plain
+to the content.
+This only makes sense if
+.Dv CMS_DETACHED
+is also set.
+It is ignored if the flag
+.Dv SMIME_BINARY
+is also set.
+.It Dv SMIME_BINARY
+If specified, this flag is passed through to
+.Xr SMIME_crlf_copy 3 .
+.It Dv SMIME_CRLFEOL
+End MIME header lines with pairs of carriage return and newline characters.
+By default, no carriage return characters are written
+and header lines are ended with newline characters only.
 .El
 .Sh RETURN VALUES
 .Fn SMIME_write_CMS
-returns 1 for success or 0 for failure.
+is intended to return 1 on success or 0 on failure.
 .Sh SEE ALSO
+.Xr BIO_f_base64 3 ,
+.Xr BIO_new 3 ,
 .Xr CMS_ContentInfo_new 3 ,
 .Xr CMS_encrypt 3 ,
 .Xr CMS_sign 3 ,
 .Xr d2i_CMS_ContentInfo 3 ,
 .Xr ERR_get_error 3 ,
-.Xr SMIME_write_ASN1 3
+.Xr SMIME_crlf_copy 3 ,
+.Xr SMIME_read_CMS 3 ,
+.Xr SMIME_write_PKCS7 3
 .Sh HISTORY
 .Fn SMIME_write_CMS
 first appeared in OpenSSL 0.9.8h
@@ -129,5 +215,9 @@ and has been available since
 .Ox 6.7 .
 .Sh BUGS
 .Fn SMIME_write_CMS
+ignores most errors and is likely to return 1
+even after producing corrupt or incomplete output.
+.Pp
+.Fn SMIME_write_CMS
 always base64 encodes CMS structures.
 There should be an option to disable this.
diff --git a/src/lib/libcrypto/man/SMIME_write_PKCS7.3 b/src/lib/libcrypto/man/SMIME_write_PKCS7.3
index c1a9f051d0..5e344d9c63 100644
--- a/src/lib/libcrypto/man/SMIME_write_PKCS7.3
+++ b/src/lib/libcrypto/man/SMIME_write_PKCS7.3
@@ -1,10 +1,10 @@
-.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.9 2021/12/14 15:46:48 schwarze Exp $
+.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.12 2025/06/11 23:16:32 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
 .\" The changes are covered by the following Copyright and license:
 .\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2021, 2025 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -66,13 +66,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2021 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt SMIME_WRITE_PKCS7 3
 .Os
 .Sh NAME
 .Nm SMIME_write_PKCS7
 .Nd convert PKCS#7 structure to S/MIME format
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo SMIME_write_PKCS7
@@ -83,48 +84,81 @@
 .Fc
 .Sh DESCRIPTION
 .Fn SMIME_write_PKCS7
-adds the appropriate MIME headers to a PKCS#7 structure to produce an
-S/MIME message.
-.Pp
+generates an S/MIME message on
 .Fa out
-is the
-.Vt BIO
-to write the data to.
-.Fa p7
-is the appropriate
-.Vt PKCS7
-structure.
+by writing MIME 1.0 headers
+followed by a BER- and base64-encoded serialization of
+.Fa p7 .
+The BER encoding uses the DER format except as described for
+.Dv PKCS7_STREAM
+below.
 If streaming is enabled, then the content must be supplied in the
 .Fa data
 argument.
-.Fa flags
-is an optional set of flags.
 .Pp
-The following flags can be passed in the
+The
 .Fa flags
-parameter.
-.Pp
+can be the logical OR of zero or more of the following bits:
+.Bl -tag -width Ds
+.It Dv PKCS7_DETACHED
+Use cleartext signing and generate a
+.Qq multipart/signed
+S/MIME message.
+The content is read from
+.Fa data .
 If
-.Dv PKCS7_DETACHED
-is set, then cleartext signing will be used.
-This option only makes sense for signedData where
+.Fa data
+is a
+.Dv NULL
+pointer, this flag is ignored.
+.Pp
+This flag is only supported for signedData where
 .Dv PKCS7_DETACHED
 is also set when
 .Xr PKCS7_sign 3
-is also called.
+is called.
 .Pp
-If the
-.Dv PKCS7_TEXT
-flag is set, MIME headers for type
-.Sy text/plain
-are added to the content.
-This only makes sense if
+If
+.Dv PKCS7_STREAM
+is not set, the data must be read twice: once to compute the
+signature in
+.Xr PKCS7_sign 3
+and once to output the S/MIME message.
+.Pp
+If
+.Dv PKCS7_DETACHED
+is ignored or not specified, the smime-type is chosen according to the type of
+.Fa p7 :
+.Bl -tag -width Ds
+.It Dv NID_pkcs7_enveloped
+.Qq enveloped-data
+.It Dv NID_pkcs7_signed
+.Bl -tag -width Msigned-dataM -compact
+.It Qq signed-data
+if
+.Fa p7
+specifies any digest algorithm
+.It Qq certs-only
+otherwise
+.El
+.It Dv NID_id_smime_ct_compressedData
+.Qq compressed-data
+.El
+.It Dv PKCS7_REUSE_DIGEST
+Skip the calls to
+.Xr PKCS7_dataInit 3
+and
+.Xr PKCS7_dataFinal 3 .
+This flag has no effect unless
 .Dv PKCS7_DETACHED
 is also set.
+.It Dv PKCS7_STREAM
+Perform streaming by reading the content from
+.Fa data .
+This only works if
+.Dv PKCS7_DETACHED
+is not specified.
 .Pp
-If the
-.Dv PKCS7_STREAM
-flag is set, streaming is performed.
 This flag should only be set if
 .Dv PKCS7_STREAM
 was also set in the previous call to
@@ -132,13 +166,28 @@ was also set in the previous call to
 or
 .Xr PKCS7_encrypt 3 .
 .Pp
-The bit
-.Dv SMIME_OLDMIME
-is inverted before passing on the
-.Fa flags
-to
-.Xr SMIME_write_ASN1 3 .
-Consequently, if this bit is set in the
+The content is output in BER format using indefinite length constructed
+encoding except in the case of signed data with detached content
+where the content is absent and DER format is used.
+.It Dv PKCS7_TEXT
+Prepend the line
+.Qq Content-Type: text/plain
+to the content.
+This only makes sense if
+.Dv PKCS7_DETACHED
+is also set.
+It is ignored if the flag
+.Dv SMIME_BINARY
+is also set.
+.It Dv SMIME_BINARY
+If specified, this flag is passed through to
+.Xr SMIME_crlf_copy 3 .
+.It Dv SMIME_CRLFEOL
+End MIME header lines with pairs of carriage return and newline characters.
+By default, no carriage return characters are written
+and header lines are ended with newline characters only.
+.It Dv SMIME_OLDMIME
+If this bit is set in the
 .Fa flags
 argument,
 .Qq application/pkcs7-mime
@@ -150,35 +199,30 @@ Otherwise,
 or
 .Qq application/x-pkcs7-signature
 is used.
-.Pp
-If cleartext signing is being used and
-.Dv PKCS7_STREAM
-is not set, then the data must be read twice: once to compute the
-signature in
-.Xr PKCS7_sign 3
-and once to output the S/MIME message.
-.Pp
-If streaming is performed, the content is output in BER format using
-indefinite length constructed encoding except in the case of signed
-data with detached content where the content is absent and DER
-format is used.
+.El
 .Sh RETURN VALUES
-Upon successful completion, 1 is returned;
-otherwise 0 is returned and an error code can be retrieved with
-.Xr ERR_get_error 3 .
+.Fn SMIME_write_PKCS7
+is intended to return 1 on success or 0 on failure.
 .Sh SEE ALSO
+.Xr BIO_f_base64 3 ,
+.Xr BIO_new 3 ,
 .Xr i2d_PKCS7_bio_stream 3 ,
 .Xr PEM_write_bio_PKCS7_stream 3 ,
 .Xr PEM_write_PKCS7 3 ,
 .Xr PKCS7_final 3 ,
 .Xr PKCS7_new 3 ,
+.Xr SMIME_crlf_copy 3 ,
 .Xr SMIME_read_PKCS7 3 ,
-.Xr SMIME_write_ASN1 3
+.Xr SMIME_write_CMS 3
 .Sh HISTORY
 .Fn SMIME_write_PKCS7
 first appeared in OpenSSL 0.9.5 and has been available since
 .Ox 2.7 .
 .Sh BUGS
 .Fn SMIME_write_PKCS7
+ignores most errors and is likely to return 1
+even after producing corrupt or incomplete output.
+.Pp
+.Fn SMIME_write_PKCS7
 always base64 encodes PKCS#7 structures.
 There should be an option to disable this.
diff --git a/src/lib/libcrypto/man/STACK_OF.3 b/src/lib/libcrypto/man/STACK_OF.3
index 4c627eed9b..38bca99cf6 100644
--- a/src/lib/libcrypto/man/STACK_OF.3
+++ b/src/lib/libcrypto/man/STACK_OF.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: STACK_OF.3,v 1.5 2021/10/24 13:10:46 schwarze Exp $
+.\" $OpenBSD: STACK_OF.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 24 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt STACK_OF 3
 .Os
 .Sh NAME
 .Nm STACK_OF
 .Nd variable-sized arrays of pointers, called OpenSSL stacks
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/safestack.h
 .Fn STACK_OF type
 .Sh DESCRIPTION
diff --git a/src/lib/libcrypto/man/TS_REQ_new.3 b/src/lib/libcrypto/man/TS_REQ_new.3
index 8dbd15ea7e..796b58f4f8 100644
--- a/src/lib/libcrypto/man/TS_REQ_new.3
+++ b/src/lib/libcrypto/man/TS_REQ_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: TS_REQ_new.3,v 1.6 2019/06/06 01:06:59 schwarze Exp $
+.\"     $OpenBSD: TS_REQ_new.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt TS_REQ_NEW 3
 .Os
 .Sh NAME
@@ -32,6 +32,7 @@
 .Nm TS_MSG_IMPRINT_free
 .Nd X.509 time-stamp protocol
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ts.h
 .Ft TS_REQ *
 .Fn TS_REQ_new void
diff --git a/src/lib/libcrypto/man/UI_create_method.3 b/src/lib/libcrypto/man/UI_create_method.3
index ffd6b98157..a116baaa79 100644
--- a/src/lib/libcrypto/man/UI_create_method.3
+++ b/src/lib/libcrypto/man/UI_create_method.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: UI_create_method.3,v 1.6 2023/05/22 19:38:04 tb Exp $
+.\"     $OpenBSD: UI_create_method.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL UI_create_method.pod 8e3d46e5 Mar 11 10:51:04 2017 +0100
 .\"
 .\" This file was written by Richard Levitte <levitte@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 22 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt UI_CREATE_METHOD 3
 .Os
 .Sh NAME
@@ -68,6 +68,7 @@
 .Nm UI_method_get_prompt_constructor
 .Nd user interface method creation and destruction
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ui.h
 .Ft UI_METHOD *
 .Fo UI_create_method
diff --git a/src/lib/libcrypto/man/UI_get_string_type.3 b/src/lib/libcrypto/man/UI_get_string_type.3
index bc0449a90e..84c774d94d 100644
--- a/src/lib/libcrypto/man/UI_get_string_type.3
+++ b/src/lib/libcrypto/man/UI_get_string_type.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: UI_get_string_type.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $
+.\"     $OpenBSD: UI_get_string_type.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL UI_STRING.pod e9c9971b Jul 1 18:28:50 2017 +0200
 .\"
 .\" This file was written by Richard Levitte <levitte@openssl.org>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 22 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt UI_GET_STRING_TYPE 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm UI_set_result
 .Nd OpenSSL user interface string parsing
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ui.h
 .Bd -literal
 enum UI_string_types {
diff --git a/src/lib/libcrypto/man/UI_new.3 b/src/lib/libcrypto/man/UI_new.3
index e55477f31e..853219aac2 100644
--- a/src/lib/libcrypto/man/UI_new.3
+++ b/src/lib/libcrypto/man/UI_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: UI_new.3,v 1.13 2025/03/09 15:25:14 tb Exp $
+.\" $OpenBSD: UI_new.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 78b19e90 Jan 11 00:12:01 2017 +0100
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 9 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt UI_NEW 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm UI_null
 .Nd New User Interface
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ui.h
 .Ft UI *
 .Fn UI_new void
diff --git a/src/lib/libcrypto/man/X25519.3 b/src/lib/libcrypto/man/X25519.3
index a327f8c7b2..3686df9bfa 100644
--- a/src/lib/libcrypto/man/X25519.3
+++ b/src/lib/libcrypto/man/X25519.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X25519.3,v 1.7 2022/12/15 17:20:48 schwarze Exp $
+.\" $OpenBSD: X25519.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\" contains some text from: BoringSSL curve25519.h, curve25519.c
 .\" content also checked up to: OpenSSL f929439f Mar 15 12:19:16 2018 +0000
 .\"
@@ -24,7 +24,7 @@
 .\" by Daniel J. Bernstein and others that are included in SUPERCOP
 .\" and that Adam Langley's BoringSSL implementation is based on.
 .\"
-.Dd $Mdocdate: December 15 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X25519 3
 .Os
 .Sh NAME
@@ -35,6 +35,7 @@
 .Nm ED25519_verify
 .Nd Elliptic Curve Diffie-Hellman and signature primitives based on Curve25519
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/curve25519.h
 .Ft int
 .Fo X25519
diff --git a/src/lib/libcrypto/man/X509V3_EXT_get_nid.3 b/src/lib/libcrypto/man/X509V3_EXT_get_nid.3
index ad153c36d0..78975874aa 100644
--- a/src/lib/libcrypto/man/X509V3_EXT_get_nid.3
+++ b/src/lib/libcrypto/man/X509V3_EXT_get_nid.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_EXT_get_nid.3,v 1.8 2024/12/24 09:48:56 schwarze Exp $
+.\" $OpenBSD: X509V3_EXT_get_nid.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_EXT_GET_NID 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509V3_EXT_get
 .Nd retrieve X.509v3 certificate extension methods
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft const X509V3_EXT_METHOD *
 .Fo X509V3_EXT_get_nid
diff --git a/src/lib/libcrypto/man/X509V3_EXT_print.3 b/src/lib/libcrypto/man/X509V3_EXT_print.3
index edb97d3a36..8705e4d5ac 100644
--- a/src/lib/libcrypto/man/X509V3_EXT_print.3
+++ b/src/lib/libcrypto/man/X509V3_EXT_print.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_EXT_print.3,v 1.3 2024/12/28 10:19:45 schwarze Exp $
+.\" $OpenBSD: X509V3_EXT_print.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021, 2024 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 28 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_EXT_PRINT 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509V3_EXT_print_fp
 .Nd pretty-print an X.509 extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509V3_EXT_print
diff --git a/src/lib/libcrypto/man/X509V3_extensions_print.3 b/src/lib/libcrypto/man/X509V3_extensions_print.3
index 8c43fe9b01..d95a4da01e 100644
--- a/src/lib/libcrypto/man/X509V3_extensions_print.3
+++ b/src/lib/libcrypto/man/X509V3_extensions_print.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_extensions_print.3,v 1.2 2021/11/26 13:48:21 jsg Exp $
+.\" $OpenBSD: X509V3_extensions_print.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_EXTENSIONS_PRINT 3
 .Os
 .Sh NAME
 .Nm X509V3_extensions_print
 .Nd pretty-print an array of X.509 extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509V3_extensions_print
diff --git a/src/lib/libcrypto/man/X509V3_get_d2i.3 b/src/lib/libcrypto/man/X509V3_get_d2i.3
index bf442dc846..7920fca09f 100644
--- a/src/lib/libcrypto/man/X509V3_get_d2i.3
+++ b/src/lib/libcrypto/man/X509V3_get_d2i.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_get_d2i.3,v 1.25 2024/12/31 20:17:00 tb Exp $
+.\" $OpenBSD: X509V3_get_d2i.3,v 1.26 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL ff7fbfd5 Nov 2 11:52:01 2015 +0000
 .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 31 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_GET_D2I 3
 .Os
 .Sh NAME
@@ -87,6 +87,7 @@
 .Nm X509_get0_uids
 .Nd X509 extension decode and encode functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft void *
 .Fo X509V3_get_d2i
diff --git a/src/lib/libcrypto/man/X509V3_parse_list.3 b/src/lib/libcrypto/man/X509V3_parse_list.3
index 447f1a5e94..385f8ad9c8 100644
--- a/src/lib/libcrypto/man/X509V3_parse_list.3
+++ b/src/lib/libcrypto/man/X509V3_parse_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_parse_list.3,v 1.2 2024/12/24 09:48:56 schwarze Exp $
+.\" $OpenBSD: X509V3_parse_list.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_PARSE_LIST 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509V3_conf_free
 .Nd create and destroy CONF_VALUE objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft STACK_OF(CONF_VALUE) *
 .Fn X509V3_parse_list "const char *string"
diff --git a/src/lib/libcrypto/man/X509_ALGOR_dup.3 b/src/lib/libcrypto/man/X509_ALGOR_dup.3
index ef7ca75863..bc9ba4b77d 100644
--- a/src/lib/libcrypto/man/X509_ALGOR_dup.3
+++ b/src/lib/libcrypto/man/X509_ALGOR_dup.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_ALGOR_dup.3,v 1.23 2024/03/19 17:34:05 tb Exp $
+.\"     $OpenBSD: X509_ALGOR_dup.3,v 1.24 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 4692340e Jun 7 15:49:08 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 19 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_ALGOR_DUP 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm X509_ALGOR_cmp
 .Nd create, change, and inspect algorithm identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_ALGOR *
 .Fn X509_ALGOR_new void
diff --git a/src/lib/libcrypto/man/X509_ATTRIBUTE_get0_object.3 b/src/lib/libcrypto/man/X509_ATTRIBUTE_get0_object.3
index 4212e27d7e..b452fcbea2 100644
--- a/src/lib/libcrypto/man/X509_ATTRIBUTE_get0_object.3
+++ b/src/lib/libcrypto/man/X509_ATTRIBUTE_get0_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_ATTRIBUTE_get0_object.3,v 1.2 2021/10/21 16:26:34 schwarze Exp $
+.\" $OpenBSD: X509_ATTRIBUTE_get0_object.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 21 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_ATTRIBUTE_GET0_OBJECT 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .\" The type is called "Attribute" with capital "A", not "attribute".
 .Nd X.501 Attribute read accessors
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft ASN1_OBJECT *
 .Fo X509_ATTRIBUTE_get0_object
diff --git a/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3 b/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3
index cc2b27d4c0..63a5c58169 100644
--- a/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3
+++ b/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_ATTRIBUTE_new.3,v 1.18 2024/09/02 07:57:27 tb Exp $
+.\" $OpenBSD: X509_ATTRIBUTE_new.3,v 1.19 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_ATTRIBUTE_NEW 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .\" The type is called "Attribute" with capital "A", not "attribute".
 .Nd generic X.501 Attribute
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_ATTRIBUTE *
 .Fn X509_ATTRIBUTE_new void
diff --git a/src/lib/libcrypto/man/X509_ATTRIBUTE_set1_object.3 b/src/lib/libcrypto/man/X509_ATTRIBUTE_set1_object.3
index 3555d4b169..d26e7de473 100644
--- a/src/lib/libcrypto/man/X509_ATTRIBUTE_set1_object.3
+++ b/src/lib/libcrypto/man/X509_ATTRIBUTE_set1_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_ATTRIBUTE_set1_object.3,v 1.3 2021/11/26 13:48:21 jsg Exp $
+.\" $OpenBSD: X509_ATTRIBUTE_set1_object.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_ATTRIBUTE_SET1_OBJECT 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .\" The type is called "Attribute" with capital "A", not "attribute".
 .Nd modify an X.501 Attribute
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_ATTRIBUTE_set1_object
diff --git a/src/lib/libcrypto/man/X509_CINF_new.3 b/src/lib/libcrypto/man/X509_CINF_new.3
index 6c09c58545..62399c07f7 100644
--- a/src/lib/libcrypto/man/X509_CINF_new.3
+++ b/src/lib/libcrypto/man/X509_CINF_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_CINF_new.3,v 1.11 2024/09/02 08:04:32 tb Exp $
+.\"     $OpenBSD: X509_CINF_new.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CINF_NEW 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm X509_CERT_AUX_free
 .Nd X.509 certificate information objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_CINF *
 .Fn X509_CINF_new void
diff --git a/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3 b/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3
index f5edee6085..5a7d57c3f5 100644
--- a/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3
+++ b/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_CRL_get0_by_serial.3,v 1.13 2024/03/06 02:34:14 tb Exp $
+.\" $OpenBSD: X509_CRL_get0_by_serial.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL cdd6c8c5 Mar 20 12:29:37 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CRL_GET0_BY_SERIAL 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm X509_CRL_sort
 .Nd add, sort, and retrieve CRL entries
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_CRL_get0_by_serial
diff --git a/src/lib/libcrypto/man/X509_CRL_new.3 b/src/lib/libcrypto/man/X509_CRL_new.3
index f9355fcfd3..36a6439269 100644
--- a/src/lib/libcrypto/man/X509_CRL_new.3
+++ b/src/lib/libcrypto/man/X509_CRL_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_CRL_new.3,v 1.14 2024/03/06 02:34:14 tb Exp $
+.\" $OpenBSD: X509_CRL_new.3,v 1.15 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016, 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CRL_NEW 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm X509_CRL_INFO_free
 .Nd X.509 certificate revocation lists
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_CRL *
 .Fn X509_CRL_new void
diff --git a/src/lib/libcrypto/man/X509_CRL_print.3 b/src/lib/libcrypto/man/X509_CRL_print.3
index 2f4832f0e7..1f1d278968 100644
--- a/src/lib/libcrypto/man/X509_CRL_print.3
+++ b/src/lib/libcrypto/man/X509_CRL_print.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_CRL_print.3,v 1.1 2021/07/19 13:16:43 schwarze Exp $
+.\" $OpenBSD: X509_CRL_print.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 19 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CRL_PRINT 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509_CRL_print_fp
 .Nd pretty-print a certificate revocation list
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_CRL_print
diff --git a/src/lib/libcrypto/man/X509_EXTENSION_set_object.3 b/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
index 45cf0dbaa5..f1356c350b 100644
--- a/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
+++ b/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.19 2024/12/28 11:04:09 schwarze Exp $
+.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.20 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 28 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_EXTENSION_SET_OBJECT 3
 .Os
 .Sh NAME
@@ -85,6 +85,7 @@
 .\" The ASN.1 structure is called "Extension", not "extension".
 .Nd create, change, and inspect X.509 Extension objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_EXTENSION *
 .Fn X509_EXTENSION_new void
diff --git a/src/lib/libcrypto/man/X509_INFO_new.3 b/src/lib/libcrypto/man/X509_INFO_new.3
index 1e9bb832f3..38bf6fe55c 100644
--- a/src/lib/libcrypto/man/X509_INFO_new.3
+++ b/src/lib/libcrypto/man/X509_INFO_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_INFO_new.3,v 1.3 2021/10/19 10:39:33 schwarze Exp $
+.\" $OpenBSD: X509_INFO_new.3,v 1.5 2025/07/16 17:59:10 schwarze Exp $
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 19 2021 $
+.Dd $Mdocdate: July 16 2025 $
 .Dt X509_INFO_NEW 3
 .Os
 .Sh NAME
@@ -21,6 +21,7 @@
 .Nm X509_INFO_free
 .Nd X.509 certificate wrapper object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_INFO *
 .Fn X509_INFO_new void
@@ -60,10 +61,9 @@ object or
 .Dv NULL
 if an error occurs.
 .Sh SEE ALSO
-.Xr PEM_X509_INFO_read 3 ,
+.Xr PEM_X509_INFO_read_bio 3 ,
 .Xr X509_CRL_new 3 ,
-.Xr X509_new 3 ,
-.Xr X509_PKEY_new 3
+.Xr X509_new 3
 .Sh HISTORY
 .Fn X509_INFO_new
 and
diff --git a/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 b/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3
index 5980f8f80d..74e3aaed3c 100644
--- a/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3
+++ b/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_LOOKUP_hash_dir.3,v 1.13 2024/09/02 07:20:21 tb Exp $
+.\" $OpenBSD: X509_LOOKUP_hash_dir.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_LOOKUP_HASH_DIR 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm X509_LOOKUP_mem
 .Nd certificate lookup methods
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft const X509_LOOKUP_METHOD *
 .Fn X509_LOOKUP_hash_dir void
diff --git a/src/lib/libcrypto/man/X509_LOOKUP_new.3 b/src/lib/libcrypto/man/X509_LOOKUP_new.3
index 559dbbb594..5fa9f99d7c 100644
--- a/src/lib/libcrypto/man/X509_LOOKUP_new.3
+++ b/src/lib/libcrypto/man/X509_LOOKUP_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_LOOKUP_new.3,v 1.12 2024/09/06 07:48:20 tb Exp $
+.\" $OpenBSD: X509_LOOKUP_new.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_LOOKUP_NEW 3
 .Os
 .Sh NAME
@@ -32,6 +32,7 @@
 .\" and because it doesn't do much in the first place.
 .Nd certificate lookup object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft void
 .Fn X509_LOOKUP_free "X509_LOOKUP *lookup"
diff --git a/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 b/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
index 2eadec7b4d..ac6d590c5f 100644
--- a/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
+++ b/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_NAME_ENTRY_get_object.3,v 1.16 2021/12/10 16:58:20 schwarze Exp $
+.\" $OpenBSD: X509_NAME_ENTRY_get_object.3,v 1.17 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
 .\" selective merge up to: OpenSSL ca34e08d Dec 12 07:38:07 2018 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_NAME_ENTRY_GET_OBJECT 3
 .Os
 .Sh NAME
@@ -85,6 +85,7 @@
 .\" This object defined in X.501, not in X.509.
 .Nd X.501 relative distinguished name
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_NAME_ENTRY *
 .Fn X509_NAME_ENTRY_new void
diff --git a/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 b/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
index 3c1237d20e..30cc3bccb1 100644
--- a/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
+++ b/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_NAME_add_entry_by_txt.3,v 1.16 2022/03/31 17:27:17 naddy Exp $
+.\"     $OpenBSD: X509_NAME_add_entry_by_txt.3,v 1.17 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_NAME_ADD_ENTRY_BY_TXT 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm X509_NAME_delete_entry
 .Nd X509_NAME modification functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_NAME_add_entry_by_txt
diff --git a/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 b/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
index a2ceb10eb5..57dd488181 100644
--- a/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
+++ b/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_NAME_get_index_by_NID.3,v 1.16 2023/05/29 11:54:50 beck Exp $
+.\"     $OpenBSD: X509_NAME_get_index_by_NID.3,v 1.17 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_NAME_GET_INDEX_BY_NID 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm X509_NAME_get_text_by_OBJ
 .Nd X509_NAME lookup and enumeration functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_NAME_get_index_by_NID
diff --git a/src/lib/libcrypto/man/X509_NAME_hash.3 b/src/lib/libcrypto/man/X509_NAME_hash.3
index 55de9bbe2e..2e03f41ed2 100644
--- a/src/lib/libcrypto/man/X509_NAME_hash.3
+++ b/src/lib/libcrypto/man/X509_NAME_hash.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_NAME_hash.3,v 1.4 2025/04/17 14:58:09 tb Exp $
+.\" $OpenBSD: X509_NAME_hash.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2017, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 17 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_NAME_HASH 3
 .Os
 .Sh NAME
@@ -31,6 +31,7 @@
 .\" The type is called "Name" with capital "N", not "name".
 .Nd calculate SHA-1 or MD5 hashes of X.501 Name objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft unsigned long
 .Fn X509_NAME_hash "X509_NAME *name"
diff --git a/src/lib/libcrypto/man/X509_NAME_new.3 b/src/lib/libcrypto/man/X509_NAME_new.3
index 3a4786a9ae..279df816fe 100644
--- a/src/lib/libcrypto/man/X509_NAME_new.3
+++ b/src/lib/libcrypto/man/X509_NAME_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_NAME_new.3,v 1.9 2021/07/20 17:31:32 schwarze Exp $
+.\" $OpenBSD: X509_NAME_new.3,v 1.10 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 20 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_NAME_NEW 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .\" The type in called "Name" with capital "N", not "name".
 .Nd X.501 Name object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_NAME *
 .Fn X509_NAME_new void
diff --git a/src/lib/libcrypto/man/X509_NAME_print_ex.3 b/src/lib/libcrypto/man/X509_NAME_print_ex.3
index fc06a717cc..845428b3fb 100644
--- a/src/lib/libcrypto/man/X509_NAME_print_ex.3
+++ b/src/lib/libcrypto/man/X509_NAME_print_ex.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_NAME_print_ex.3,v 1.17 2025/03/09 16:45:31 tb Exp $
+.\" $OpenBSD: X509_NAME_print_ex.3,v 1.18 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 9 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_NAME_PRINT_EX 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm X509_NAME_oneline
 .Nd X509_NAME printing routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_NAME_print_ex
diff --git a/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3 b/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3
index 56b3926a8b..1b0de39265 100644
--- a/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3
+++ b/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_OBJECT_get0_X509.3,v 1.16 2025/03/08 17:02:59 tb Exp $
+.\" $OpenBSD: X509_OBJECT_get0_X509.3,v 1.17 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 8 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_OBJECT_GET0_X509 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Nm X509_OBJECT_retrieve_match
 .Nd certificate, CRL, private key, and string wrapper for certificate stores
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft X509_LOOKUP_TYPE
 .Fo X509_OBJECT_get_type
diff --git a/src/lib/libcrypto/man/X509_PKEY_new.3 b/src/lib/libcrypto/man/X509_PKEY_new.3
deleted file mode 100644
index 253b0f6db5..0000000000
--- a/src/lib/libcrypto/man/X509_PKEY_new.3
+++ /dev/null
@@ -1,92 +0,0 @@
-.\" $OpenBSD: X509_PKEY_new.3,v 1.1 2021/10/19 10:39:33 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 19 2021 $
-.Dt X509_PKEY_NEW 3
-.Os
-.Sh NAME
-.Nm X509_PKEY_new ,
-.Nm X509_PKEY_free
-.Nd X.509 private key wrapper object
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_PKEY *
-.Fn X509_PKEY_new void
-.Ft void
-.Fn X509_PKEY_free "X509_PKEY *wrapper"
-.Sh DESCRIPTION
-.Vt X509_PKEY
-is a reference-counted wrapper object that can store
-.Bl -bullet -width 1n
-.It
-a pointer to an encrypted and ASN.1-encoded private key
-.It
-a pointer to an
-.Vt EVP_PKEY
-object representing the same key in decrypted form
-.It
-a pointer to an
-.Vt X509_ALGOR
-object identifying the algorithm used by the key
-.El
-.Pp
-The object may contain only the encrypted key or only the decrypted
-key or both.
-.Pp
-.Vt X509_PKEY
-is used as a sub-object of the
-.Vt X509_INFO
-object created by
-.Xr PEM_X509_INFO_read_bio 3
-if the PEM file contains any RSA, DSA, or EC PRIVATE KEY object.
-.Pp
-.Fn X509_PKEY_new
-allocates and initializes an empty
-.Vt X509_PKEY
-object and sets its reference count to 1.
-.Pp
-.Fn X509_PKEY_free
-decrements the reference count of the
-.Fa wrapper
-object by 1.
-If the reference count reaches 0,
-it frees all internal objects allocated by the
-.Fa wrapper
-as well as the storage needed for the
-.Fa wrapper
-object itself.
-If
-.Fa wrapper
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-.Fn X509_PKEY_new
-returns a pointer to the new
-.Vt X509_PKEY
-object or
-.Dv NULL
-if memory allocation fails.
-.Sh SEE ALSO
-.Xr EVP_PKEY_new 3 ,
-.Xr PEM_X509_INFO_read 3 ,
-.Xr X509_INFO_new 3
-.Sh HISTORY
-.Fn X509_PKEY_new
-and
-.Fn X509_PKEY_free
-first appeared in SSLeay 0.6.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/X509_PUBKEY_new.3 b/src/lib/libcrypto/man/X509_PUBKEY_new.3
index df1c50bda2..1ef1afbc34 100644
--- a/src/lib/libcrypto/man/X509_PUBKEY_new.3
+++ b/src/lib/libcrypto/man/X509_PUBKEY_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_PUBKEY_new.3,v 1.18 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: X509_PUBKEY_new.3,v 1.19 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_PUBKEY_NEW 3
 .Os
 .Sh NAME
@@ -86,6 +86,7 @@
 .Nm X509_PUBKEY_get0_param
 .Nd X.509 SubjectPublicKeyInfo structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_PUBKEY *
 .Fn X509_PUBKEY_new void
diff --git a/src/lib/libcrypto/man/X509_PURPOSE_set.3 b/src/lib/libcrypto/man/X509_PURPOSE_set.3
index 1f723e9b9f..cb955f392c 100644
--- a/src/lib/libcrypto/man/X509_PURPOSE_set.3
+++ b/src/lib/libcrypto/man/X509_PURPOSE_set.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_PURPOSE_set.3,v 1.1 2021/07/23 14:27:32 schwarze Exp $
+.\" $OpenBSD: X509_PURPOSE_set.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 23 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_PURPOSE_SET 3
 .Os
 .Sh NAME
@@ -31,6 +31,7 @@
 .Nm X509_PURPOSE_get_trust
 .Nd purpose objects, indices, and identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509_PURPOSE_set
diff --git a/src/lib/libcrypto/man/X509_REQ_add1_attr.3 b/src/lib/libcrypto/man/X509_REQ_add1_attr.3
index f9b602dbef..6beb024039 100644
--- a/src/lib/libcrypto/man/X509_REQ_add1_attr.3
+++ b/src/lib/libcrypto/man/X509_REQ_add1_attr.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_REQ_add1_attr.3,v 1.4 2024/09/02 07:56:28 tb Exp $
+.\" $OpenBSD: X509_REQ_add1_attr.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_REQ_ADD1_ATTR 3
 .Os
 .Sh NAME
@@ -29,6 +29,7 @@
 .Nm X509_REQ_get_attr_by_NID
 .Nd X.501 Attributes of PKCS#10 certification requests
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_REQ_add1_attr
diff --git a/src/lib/libcrypto/man/X509_REQ_add_extensions.3 b/src/lib/libcrypto/man/X509_REQ_add_extensions.3
index ff33edf474..804e787947 100644
--- a/src/lib/libcrypto/man/X509_REQ_add_extensions.3
+++ b/src/lib/libcrypto/man/X509_REQ_add_extensions.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_REQ_add_extensions.3,v 1.2 2024/08/18 11:04:55 tb Exp $
+.\" $OpenBSD: X509_REQ_add_extensions.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 18 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_REQ_ADD_EXTENSIONS 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm X509_REQ_extension_nid
 .Nd extensions in certification requests
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_REQ_add_extensions
diff --git a/src/lib/libcrypto/man/X509_REQ_new.3 b/src/lib/libcrypto/man/X509_REQ_new.3
index 0a5828d5d4..a62f2c3acb 100644
--- a/src/lib/libcrypto/man/X509_REQ_new.3
+++ b/src/lib/libcrypto/man/X509_REQ_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_REQ_new.3,v 1.11 2021/10/29 09:42:07 schwarze Exp $
+.\" $OpenBSD: X509_REQ_new.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 29 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_REQ_NEW 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm X509_REQ_INFO_free
 .Nd PKCS#10 certification requests
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_REQ *
 .Fn X509_REQ_new void
diff --git a/src/lib/libcrypto/man/X509_REQ_print_ex.3 b/src/lib/libcrypto/man/X509_REQ_print_ex.3
index eee06abb21..8d87396b14 100644
--- a/src/lib/libcrypto/man/X509_REQ_print_ex.3
+++ b/src/lib/libcrypto/man/X509_REQ_print_ex.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_REQ_print_ex.3,v 1.3 2025/03/09 14:02:46 tb Exp $
+.\" $OpenBSD: X509_REQ_print_ex.3,v 1.4 2025/06/08 22:30:52 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 9 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_REQ_PRINT_EX 3
 .Os
 .Sh NAME
@@ -23,6 +23,8 @@
 .Nm X509_REQ_print_fp
 .Nd pretty-print a PKCS#10 certification request
 .Sh SYNOPSIS
+.Lb libcrypto
+.In openssl/x509.h
 .Ft int
 .Fo X509_REQ_print_ex
 .Fa "BIO *bio"
diff --git a/src/lib/libcrypto/man/X509_REVOKED_new.3 b/src/lib/libcrypto/man/X509_REVOKED_new.3
index c1a50d1c9a..6dffcfd03e 100644
--- a/src/lib/libcrypto/man/X509_REVOKED_new.3
+++ b/src/lib/libcrypto/man/X509_REVOKED_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_REVOKED_new.3,v 1.12 2021/07/19 13:16:43 schwarze Exp $
+.\" $OpenBSD: X509_REVOKED_new.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/X509_CRL_get0_by_serial cdd6c8c5 Mar 20 12:29:37 2017 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 19 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_REVOKED_NEW 3
 .Os
 .Sh NAME
@@ -79,6 +79,7 @@
 .Nm X509_REVOKED_set_revocationDate
 .Nd create, change, and inspect an X.509 CRL revoked entry
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_REVOKED *
 .Fn X509_REVOKED_new void
diff --git a/src/lib/libcrypto/man/X509_SIG_get0.3 b/src/lib/libcrypto/man/X509_SIG_get0.3
index 456261ca3f..339fcc0cf5 100644
--- a/src/lib/libcrypto/man/X509_SIG_get0.3
+++ b/src/lib/libcrypto/man/X509_SIG_get0.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_SIG_get0.3,v 1.1 2021/10/23 15:39:06 tb Exp $
+.\" $OpenBSD: X509_SIG_get0.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 23 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_SIG_GET0 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm X509_SIG_getm
 .Nd DigestInfo functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft void
 .Fo X509_SIG_get0
diff --git a/src/lib/libcrypto/man/X509_SIG_new.3 b/src/lib/libcrypto/man/X509_SIG_new.3
index 8e6b29dea5..8fafc00c98 100644
--- a/src/lib/libcrypto/man/X509_SIG_new.3
+++ b/src/lib/libcrypto/man/X509_SIG_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_SIG_new.3,v 1.5 2021/10/27 11:24:47 schwarze Exp $
+.\"     $OpenBSD: X509_SIG_new.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 27 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_SIG_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509_SIG_free
 .Nd PKCS#7 digest information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_SIG *
 .Fn X509_SIG_new void
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3 b/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
index 1f221563cb..5eb2bfe8cb 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.28 2023/06/06 16:20:13 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.29 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/X509_STORE_CTX_get_error 24a535ea Sep 22 13:14:20 2020 +0100
 .\" OpenSSL man3/X509_STORE_CTX_new 24a535ea Sep 22 13:14:20 2020 +0100
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 6 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_CTX_GET_ERROR 3
 .Os
 .Sh NAME
@@ -89,6 +89,7 @@
 .Nm X509_verify_cert_error_string
 .Nd get or set certificate verification status information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft int
 .Fo X509_STORE_CTX_get_error
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 b/src/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
index bfec65a123..1c34efa947 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_STORE_CTX_get_ex_new_index.3,v 1.6 2021/07/29 08:32:13 schwarze Exp $
+.\"     $OpenBSD: X509_STORE_CTX_get_ex_new_index.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 29 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_CTX_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm X509_STORE_CTX_get_app_data
 .Nd add application specific data to X509_STORE_CTX structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft int
 .Fo X509_STORE_CTX_get_ex_new_index
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_new.3 b/src/lib/libcrypto/man/X509_STORE_CTX_new.3
index 96af7a8afb..4c0f8c5857 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_new.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.27 2022/11/16 14:55:40 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.28 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_CTX_NEW 3
 .Os
 .Sh NAME
@@ -89,6 +89,7 @@
 .\" X509_STORE_CTX_set_verify moved to X509_STORE_CTX_set_verify(3)
 .Nd X509_STORE_CTX initialisation
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft X509_STORE_CTX *
 .Fn X509_STORE_CTX_new void
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
index 04bb202bac..028d4da810 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.8 2024/08/29 20:21:10 tb Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.9 2025/06/08 22:37:23 schwarze Exp $
 .\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 29 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_CTX_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -76,13 +76,12 @@
 .Nm X509_STORE_CTX_set_depth ,
 .Nm X509_STORE_CTX_set_trust ,
 .Nm X509_STORE_CTX_set_purpose ,
-.\" .Nm X509_STORE_CTX_purpose_inherit is intentionally undocumented
-.\" because it will be removed in the next major bump.
 .Nm X509_STORE_CTX_get0_param ,
 .Nm X509_STORE_CTX_set0_param ,
 .Nm X509_STORE_CTX_set_default
 .Nd X509_STORE_CTX parameter initialisation
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft void
 .Fo X509_STORE_CTX_set_flags
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
index 8c27deea5d..4a319ed8bb 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.8 2024/06/07 05:51:39 tb Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\" Copyright (c) 2023 Job Snijders <job@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 7 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_CTX_SET_VERIFY 3
 .Os
 .Sh NAME
@@ -31,6 +31,7 @@
 .Nm X509_STORE_CTX_get_check_issued
 .Nd user-defined certificate chain verification function
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft typedef int
 .Fo (*X509_STORE_CTX_verify_fn)
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
index 0fe086b721..29f1e79b62 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_set_verify_cb.3,v 1.12 2023/05/30 07:37:34 op Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_verify_cb.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_CTX_SET_VERIFY_CB 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm X509_STORE_CTX_get_verify_cb
 .Nd set and retrieve verification callback
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft typedef int
 .Fo (*X509_STORE_CTX_verify_cb)
diff --git a/src/lib/libcrypto/man/X509_STORE_get_by_subject.3 b/src/lib/libcrypto/man/X509_STORE_get_by_subject.3
index 0f6fbd8410..a8379ad5cb 100644
--- a/src/lib/libcrypto/man/X509_STORE_get_by_subject.3
+++ b/src/lib/libcrypto/man/X509_STORE_get_by_subject.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_get_by_subject.3,v 1.6 2024/05/12 05:08:59 tb Exp $
+.\" $OpenBSD: X509_STORE_get_by_subject.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021, 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 12 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_GET_BY_SUBJECT 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Nm X509_STORE_get1_crls
 .Nd retrieve objects from a certificate store
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft int
 .Fo X509_STORE_CTX_get_by_subject
diff --git a/src/lib/libcrypto/man/X509_STORE_load_locations.3 b/src/lib/libcrypto/man/X509_STORE_load_locations.3
index a8177b0fd4..d876ef831a 100644
--- a/src/lib/libcrypto/man/X509_STORE_load_locations.3
+++ b/src/lib/libcrypto/man/X509_STORE_load_locations.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_load_locations.3,v 1.12 2024/09/02 07:20:21 tb Exp $
+.\" $OpenBSD: X509_STORE_load_locations.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL X509_STORE_add_cert b0edda11 Mar 20 13:00:17 2018 +0000
 .\"
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_LOAD_LOCATIONS 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm X509_STORE_add_lookup
 .Nd configure files and directories used by a certificate store
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft int
 .Fo X509_STORE_load_locations
diff --git a/src/lib/libcrypto/man/X509_STORE_new.3 b/src/lib/libcrypto/man/X509_STORE_new.3
index a17da03a41..e1d146da43 100644
--- a/src/lib/libcrypto/man/X509_STORE_new.3
+++ b/src/lib/libcrypto/man/X509_STORE_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_new.3,v 1.7 2021/11/17 16:08:32 schwarze Exp $
+.\" $OpenBSD: X509_STORE_new.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 17 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_NEW 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm X509_STORE_free
 .Nd allocate and free X.509 certificate stores
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft X509_STORE *
 .Fn X509_STORE_new void
diff --git a/src/lib/libcrypto/man/X509_STORE_set1_param.3 b/src/lib/libcrypto/man/X509_STORE_set1_param.3
index 527fe652e5..d96a33a8fa 100644
--- a/src/lib/libcrypto/man/X509_STORE_set1_param.3
+++ b/src/lib/libcrypto/man/X509_STORE_set1_param.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_set1_param.3,v 1.22 2024/03/14 22:19:12 tb Exp $
+.\" $OpenBSD: X509_STORE_set1_param.3,v 1.23 2025/06/08 22:40:30 schwarze Exp $
 .\" content checked up to:
 .\" OpenSSL man3/X509_STORE_add_cert b0edda11 Mar 20 13:00:17 2018 +0000
 .\" OpenSSL man3/X509_STORE_get0_param e90fc053 Jul 15 09:39:45 2017 -0400
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 14 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_SET1_PARAM 3
 .Os
 .Sh NAME
@@ -36,6 +36,7 @@
 .Nm X509_STORE_get_ex_data
 .Nd get and set X509_STORE data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft int
 .Fo X509_STORE_set1_param
diff --git a/src/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 b/src/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
index bdd5ea5044..a09e6741a2 100644
--- a/src/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
+++ b/src/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_set_verify_cb_func.3,v 1.12 2022/11/16 14:51:08 schwarze Exp $
+.\" $OpenBSD: X509_STORE_set_verify_cb_func.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\" selective merge up to: OpenSSL 315c47e0 Dec 1 14:22:16 2020 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_SET_VERIFY_CB_FUNC 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm X509_STORE_get_verify_cb
 .Nd set verification callback
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft void
 .Fo X509_STORE_set_verify_cb
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
index a22d2b1b4b..333b3860e0 100644
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
+++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_new.3,v 1.5 2023/05/24 09:57:50 tb Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_new.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 24 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_VERIFY_PARAM_NEW 3
 .Os
 .Sh NAME
@@ -38,6 +38,7 @@
 .\" X509_VP_FLAG_ONCE
 .Nd X509 verification parameter objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft X509_VERIFY_PARAM *
 .Fo X509_VERIFY_PARAM_new
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
index a0ae839f9a..e21d1122a9 100644
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.29 2023/04/30 19:40:23 tb Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.30 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_VERIFY_PARAM_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -95,6 +95,7 @@
 .Nm X509_VERIFY_PARAM_set1_ip_asc
 .Nd X509 verification parameters
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft const char *
 .Fo X509_VERIFY_PARAM_get0_name
diff --git a/src/lib/libcrypto/man/X509_add1_trust_object.3 b/src/lib/libcrypto/man/X509_add1_trust_object.3
index 067bf64464..e1ca67a8f3 100644
--- a/src/lib/libcrypto/man/X509_add1_trust_object.3
+++ b/src/lib/libcrypto/man/X509_add1_trust_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_add1_trust_object.3,v 1.4 2024/09/02 08:04:32 tb Exp $
+.\" $OpenBSD: X509_add1_trust_object.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_ADD1_TRUST_OBJECT 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm X509_reject_clear
 .Nd mark an X.509 certificate as intended for a specific purpose
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_add1_trust_object
diff --git a/src/lib/libcrypto/man/X509_check_ca.3 b/src/lib/libcrypto/man/X509_check_ca.3
index 114bac69e7..2aa496b6ff 100644
--- a/src/lib/libcrypto/man/X509_check_ca.3
+++ b/src/lib/libcrypto/man/X509_check_ca.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_check_ca.3,v 1.7 2022/05/10 19:44:29 tb Exp $
+.\"     $OpenBSD: X509_check_ca.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Victor B. Wagner <vitus@cryptocom.ru>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 10 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CHECK_CA 3
 .Os
 .Sh NAME
 .Nm X509_check_ca
 .Nd check whether a certificate is a CA certificate
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509_check_ca
diff --git a/src/lib/libcrypto/man/X509_check_host.3 b/src/lib/libcrypto/man/X509_check_host.3
index dbc56c0d21..be3190b2d2 100644
--- a/src/lib/libcrypto/man/X509_check_host.3
+++ b/src/lib/libcrypto/man/X509_check_host.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_host.3,v 1.6 2020/09/17 08:04:22 schwarze Exp $
+.\" $OpenBSD: X509_check_host.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL a09e4d24 Jun 12 01:56:31 2014 -0400
 .\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 17 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CHECK_HOST 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm X509_check_ip_asc
 .Nd X.509 certificate matching
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509_check_host
diff --git a/src/lib/libcrypto/man/X509_check_issued.3 b/src/lib/libcrypto/man/X509_check_issued.3
index f8c2a5297a..24457674d5 100644
--- a/src/lib/libcrypto/man/X509_check_issued.3
+++ b/src/lib/libcrypto/man/X509_check_issued.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_check_issued.3,v 1.4 2019/06/06 01:06:59 schwarze Exp $
+.\"     $OpenBSD: X509_check_issued.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Victor B. Wagner <vitus@cryptocom.ru>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CHECK_ISSUED 3
 .Os
 .Sh NAME
 .Nm X509_check_issued
 .Nd check whether a certificate was issued using a given CA certificate
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509_check_issued
diff --git a/src/lib/libcrypto/man/X509_check_private_key.3 b/src/lib/libcrypto/man/X509_check_private_key.3
index 31df2126cc..61ff091728 100644
--- a/src/lib/libcrypto/man/X509_check_private_key.3
+++ b/src/lib/libcrypto/man/X509_check_private_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_check_private_key.3,v 1.6 2019/06/06 01:06:59 schwarze Exp $
+.\"     $OpenBSD: X509_check_private_key.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL X509_check_private_key.pod 09ddb878 Jun 5 03:56:07 2017 +0800
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CHECK_PRIVATE_KEY 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm X509_REQ_check_private_key
 .Nd compare public key components
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_check_private_key
diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3
index 8fea6679fc..86ee53f559 100644
--- a/src/lib/libcrypto/man/X509_check_purpose.3
+++ b/src/lib/libcrypto/man/X509_check_purpose.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_purpose.3,v 1.12 2024/09/02 08:04:32 tb Exp $
+.\" $OpenBSD: X509_check_purpose.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CHECK_PURPOSE 3
 .Os
 .Sh NAME
 .Nm X509_check_purpose
 .Nd check intended usage of a public key
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509_check_purpose
diff --git a/src/lib/libcrypto/man/X509_cmp.3 b/src/lib/libcrypto/man/X509_cmp.3
index b1cdec1773..e025f5c8c0 100644
--- a/src/lib/libcrypto/man/X509_cmp.3
+++ b/src/lib/libcrypto/man/X509_cmp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_cmp.3,v 1.4 2024/06/07 14:00:09 job Exp $
+.\" $OpenBSD: X509_cmp.3,v 1.5 2025/06/08 22:37:23 schwarze Exp $
 .\" full merge up to: OpenSSL ea5d4b89 Jun 6 11:42:02 2019 +0800
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 7 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CMP 3
 .Os
 .Sh NAME
@@ -79,10 +79,8 @@
 .Nm X509_CRL_cmp ,
 .Nm X509_CRL_match
 .Nd compare X.509 certificates and related values
-.\" The function name_cmp() is intentionally undocumented.
-.\" It was a mistake to make it public in the first place,
-.\" and it is no longer part of the public API in OpenSSL 1.1.
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_cmp
diff --git a/src/lib/libcrypto/man/X509_cmp_time.3 b/src/lib/libcrypto/man/X509_cmp_time.3
index bb430dfbb7..2ac584ad09 100644
--- a/src/lib/libcrypto/man/X509_cmp_time.3
+++ b/src/lib/libcrypto/man/X509_cmp_time.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_cmp_time.3,v 1.12 2024/03/05 18:30:40 tb Exp $
+.\" $OpenBSD: X509_cmp_time.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CMP_TIME 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm X509_gmtime_adj
 .Nd ASN.1 Time utilities
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_cmp_time
diff --git a/src/lib/libcrypto/man/X509_digest.3 b/src/lib/libcrypto/man/X509_digest.3
index 7627e07731..991d1990b2 100644
--- a/src/lib/libcrypto/man/X509_digest.3
+++ b/src/lib/libcrypto/man/X509_digest.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_digest.3,v 1.8 2019/08/20 13:27:19 schwarze Exp $
+.\" $OpenBSD: X509_digest.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 1212818e Sep 11 13:22:14 2018 +0100
 .\"
 .\" This file was written by Rich Salz <rsalz@openssl.org>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 20 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_DIGEST 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm PKCS7_ISSUER_AND_SERIAL_digest
 .Nd get digests of various objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_digest
diff --git a/src/lib/libcrypto/man/X509_find_by_subject.3 b/src/lib/libcrypto/man/X509_find_by_subject.3
index 98a76a1fca..962eb80854 100644
--- a/src/lib/libcrypto/man/X509_find_by_subject.3
+++ b/src/lib/libcrypto/man/X509_find_by_subject.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_find_by_subject.3,v 1.1 2021/07/04 12:56:27 schwarze Exp $
+.\" $OpenBSD: X509_find_by_subject.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 4 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_FIND_BY_SUBJECT 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509_find_by_issuer_and_serial
 .Nd search an array of X.509 certificates
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509 *
 .Fo X509_find_by_subject
diff --git a/src/lib/libcrypto/man/X509_get0_notBefore.3 b/src/lib/libcrypto/man/X509_get0_notBefore.3
index 5e5c08b79a..5ac075fe31 100644
--- a/src/lib/libcrypto/man/X509_get0_notBefore.3
+++ b/src/lib/libcrypto/man/X509_get0_notBefore.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get0_notBefore.3,v 1.7 2024/03/05 18:30:40 tb Exp $
+.\" $OpenBSD: X509_get0_notBefore.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\" content checked up to: OpenSSL 27b138e9 May 19 00:16:38 2017 +0000
 .\"
 .\" Copyright (c) 2018, 2020 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET0_NOTBEFORE 3
 .Os
 .Sh NAME
@@ -39,6 +39,7 @@
 .Nm X509_CRL_set_nextUpdate
 .Nd get and set certificate and CRL validity dates
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft const ASN1_TIME *
 .Fo X509_get0_notBefore
diff --git a/src/lib/libcrypto/man/X509_get0_signature.3 b/src/lib/libcrypto/man/X509_get0_signature.3
index 2428f411b1..6cebb94e56 100644
--- a/src/lib/libcrypto/man/X509_get0_signature.3
+++ b/src/lib/libcrypto/man/X509_get0_signature.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get0_signature.3,v 1.10 2025/04/17 14:58:09 tb Exp $
+.\" $OpenBSD: X509_get0_signature.3,v 1.12 2025/07/06 09:32:08 tb Exp $
 .\" selective merge up to:
 .\" OpenSSL man3/X509_get0_signature 2f7a2520 Apr 25 17:28:08 2017 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 17 2025 $
+.Dd $Mdocdate: July 6 2025 $
 .Dt X509_GET0_SIGNATURE 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm X509_get_signature_info
 .Nd signature information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft void
 .Fo X509_get0_signature
@@ -278,3 +279,10 @@ In some cases the actual security of the signature is smaller
 because the signing key is less secure.
 For example in a certificate signed using SHA-512
 and a 1024-bit RSA key.
+.Sh BUGS
+The signatures of
+.Fn X509_get0_signature ,
+.Fn X509_REQ_get0_signature ,
+and
+.Fn X509_CRL_get0_signature
+are inconsistent.
diff --git a/src/lib/libcrypto/man/X509_get1_email.3 b/src/lib/libcrypto/man/X509_get1_email.3
index c38a604899..020708d227 100644
--- a/src/lib/libcrypto/man/X509_get1_email.3
+++ b/src/lib/libcrypto/man/X509_get1_email.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get1_email.3,v 1.1 2019/08/23 12:23:39 schwarze Exp $
+.\" $OpenBSD: X509_get1_email.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 23 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET1_EMAIL 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm X509_email_free
 .Nd utilities for stacks of strings
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Vt typedef char *OPENSSL_STRING ;
 .Ft STACK_OF(OPENSSL_STRING) *
diff --git a/src/lib/libcrypto/man/X509_get_extension_flags.3 b/src/lib/libcrypto/man/X509_get_extension_flags.3
index e5e773f2e8..1d15be407e 100644
--- a/src/lib/libcrypto/man/X509_get_extension_flags.3
+++ b/src/lib/libcrypto/man/X509_get_extension_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get_extension_flags.3,v 1.5 2025/04/17 14:58:09 tb Exp $
+.\" $OpenBSD: X509_get_extension_flags.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 361136f4 Sep 1 18:56:58 2015 +0100
 .\" selective merge up to: OpenSSL 2b2e3106f Feb 16 15:04:45 2021 +0000
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 17 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET_EXTENSION_FLAGS 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm X509_get_extended_key_usage
 .Nd retrieve certificate extension data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft uint32_t
 .Fo X509_get_extension_flags
diff --git a/src/lib/libcrypto/man/X509_get_pubkey.3 b/src/lib/libcrypto/man/X509_get_pubkey.3
index 0829397982..9af6f49a33 100644
--- a/src/lib/libcrypto/man/X509_get_pubkey.3
+++ b/src/lib/libcrypto/man/X509_get_pubkey.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get_pubkey.3,v 1.13 2022/03/31 17:27:17 naddy Exp $
+.\" $OpenBSD: X509_get_pubkey.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET_PUBKEY 3
 .Os
 .Sh NAME
@@ -81,6 +81,7 @@
 .Nm X509_REQ_extract_key
 .Nd get or set certificate or certificate request public key
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft EVP_PKEY *
 .Fo X509_get_pubkey
diff --git a/src/lib/libcrypto/man/X509_get_pubkey_parameters.3 b/src/lib/libcrypto/man/X509_get_pubkey_parameters.3
index 181361477e..b2611210d1 100644
--- a/src/lib/libcrypto/man/X509_get_pubkey_parameters.3
+++ b/src/lib/libcrypto/man/X509_get_pubkey_parameters.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get_pubkey_parameters.3,v 1.2 2021/11/26 13:35:10 schwarze Exp $
+.\" $OpenBSD: X509_get_pubkey_parameters.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET_PUBKEY_PARAMETERS 3
 .Os
 .Sh NAME
 .Nm X509_get_pubkey_parameters
 .Nd copy public key parameters from a chain
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_get_pubkey_parameters
diff --git a/src/lib/libcrypto/man/X509_get_serialNumber.3 b/src/lib/libcrypto/man/X509_get_serialNumber.3
index 7d757c7a71..56f108f3d7 100644
--- a/src/lib/libcrypto/man/X509_get_serialNumber.3
+++ b/src/lib/libcrypto/man/X509_get_serialNumber.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get_serialNumber.3,v 1.5 2020/06/19 12:01:20 schwarze Exp $
+.\" $OpenBSD: X509_get_serialNumber.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 19 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET_SERIALNUMBER 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm X509_set_serialNumber
 .Nd get or set certificate serial number
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft ASN1_INTEGER *
 .Fo X509_get_serialNumber
diff --git a/src/lib/libcrypto/man/X509_get_subject_name.3 b/src/lib/libcrypto/man/X509_get_subject_name.3
index fb9611f645..8dc19080f6 100644
--- a/src/lib/libcrypto/man/X509_get_subject_name.3
+++ b/src/lib/libcrypto/man/X509_get_subject_name.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_get_subject_name.3,v 1.10 2020/10/21 17:17:44 tb Exp $
+.\"     $OpenBSD: X509_get_subject_name.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 21 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET_SUBJECT_NAME 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm X509_CRL_set_issuer_name
 .Nd get and set issuer or subject names
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_NAME *
 .Fo X509_get_subject_name
diff --git a/src/lib/libcrypto/man/X509_get_version.3 b/src/lib/libcrypto/man/X509_get_version.3
index ee46ff7c8c..d539053d81 100644
--- a/src/lib/libcrypto/man/X509_get_version.3
+++ b/src/lib/libcrypto/man/X509_get_version.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_get_version.3,v 1.8 2020/10/21 17:17:44 tb Exp $
+.\"     $OpenBSD: X509_get_version.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 21 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET_VERSION 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm X509_CRL_set_version
 .Nd get or set certificate, certificate request, or CRL version
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft long
 .Fo X509_get_version
diff --git a/src/lib/libcrypto/man/X509_keyid_set1.3 b/src/lib/libcrypto/man/X509_keyid_set1.3
index c529fc742b..e1668f976a 100644
--- a/src/lib/libcrypto/man/X509_keyid_set1.3
+++ b/src/lib/libcrypto/man/X509_keyid_set1.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_keyid_set1.3,v 1.2 2021/07/09 14:41:14 tb Exp $
+.\" $OpenBSD: X509_keyid_set1.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_KEYID_SET1 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm X509_alias_get0
 .Nd auxiliary certificate data for PKCS#12
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_keyid_set1
diff --git a/src/lib/libcrypto/man/X509_load_cert_file.3 b/src/lib/libcrypto/man/X509_load_cert_file.3
index 95a83dd00e..04a666da25 100644
--- a/src/lib/libcrypto/man/X509_load_cert_file.3
+++ b/src/lib/libcrypto/man/X509_load_cert_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_load_cert_file.3,v 1.1 2021/11/09 16:23:04 schwarze Exp $
+.\" $OpenBSD: X509_load_cert_file.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_LOAD_CERT_FILE 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm X509_load_cert_crl_file
 .Nd read, decode, and cache certificates and CRLs
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft int
 .Fo X509_load_cert_file
diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3
index 7b62363d4d..b6140b24b0 100644
--- a/src/lib/libcrypto/man/X509_new.3
+++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_new.3,v 1.45 2024/09/02 08:04:32 tb Exp $
+.\" $OpenBSD: X509_new.3,v 1.47 2025/07/16 17:59:10 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: July 16 2025 $
 .Dt X509_NEW 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm X509_chain_up_ref
 .Nd X.509 certificate object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509 *
 .Fn X509_new void
@@ -230,7 +231,6 @@ if an error occurs.
 .Xr X509_LOOKUP_new 3 ,
 .Xr X509_NAME_new 3 ,
 .Xr X509_OBJECT_new 3 ,
-.Xr X509_PKEY_new 3 ,
 .Xr X509_print_ex 3 ,
 .Xr X509_PUBKEY_new 3 ,
 .Xr X509_PURPOSE_set 3 ,
diff --git a/src/lib/libcrypto/man/X509_ocspid_print.3 b/src/lib/libcrypto/man/X509_ocspid_print.3
index b9b6c92fbb..7b0493c655 100644
--- a/src/lib/libcrypto/man/X509_ocspid_print.3
+++ b/src/lib/libcrypto/man/X509_ocspid_print.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_ocspid_print.3,v 1.1 2021/08/06 21:45:55 schwarze Exp $
+.\" $OpenBSD: X509_ocspid_print.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 6 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_OCSPID_PRINT 3
 .Os
 .Sh NAME
 .Nm X509_ocspid_print
 .Nd pretty-print hashes of subject name and public key
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_ocspid_print
diff --git a/src/lib/libcrypto/man/X509_print_ex.3 b/src/lib/libcrypto/man/X509_print_ex.3
index c769e77c32..627ef25a79 100644
--- a/src/lib/libcrypto/man/X509_print_ex.3
+++ b/src/lib/libcrypto/man/X509_print_ex.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_print_ex.3,v 1.5 2025/03/09 14:02:46 tb Exp $
+.\" $OpenBSD: X509_print_ex.3,v 1.7 2025/07/01 06:47:56 tb Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 9 2025 $
+.Dd $Mdocdate: July 1 2025 $
 .Dt X509_PRINT_EX 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm X509_print_fp
 .Nd pretty-print an X.509 certificate
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_print_ex
@@ -132,6 +133,11 @@ with
 .Xr EVP_PKEY_print_public 3 .
 .Pq Dv X509_FLAG_NO_PUBKEY
 .It
+If an issuer or a subject unique identifier is present, its hex dump
+is printed with
+.Xr X509_signature_dump 3 .
+.Pq Dv X509_FLAG_NO_IDS
+.It
 All X.509 extensions contained in the certificate are printed with
 .Xr X509V3_extensions_print 3 .
 .Pq Dv X509_FLAG_NO_EXTENSIONS
diff --git a/src/lib/libcrypto/man/X509_sign.3 b/src/lib/libcrypto/man/X509_sign.3
index 059d92bac5..9e9df1e98d 100644
--- a/src/lib/libcrypto/man/X509_sign.3
+++ b/src/lib/libcrypto/man/X509_sign.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_sign.3,v 1.11 2024/03/06 02:34:14 tb Exp $
+.\" $OpenBSD: X509_sign.3,v 1.13 2025/07/11 18:42:51 tb Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 6 2024 $
+.Dd $Mdocdate: July 11 2025 $
 .Dt X509_SIGN 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm X509_CRL_verify
 .Nd sign or verify certificate, certificate request, or CRL signature
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_sign
@@ -77,8 +78,8 @@
 .Fc
 .Ft int
 .Fo X509_verify
-.Fa "X509 *a"
-.Fa "EVP_PKEY *r"
+.Fa "X509 *x"
+.Fa "EVP_PKEY *pkey"
 .Fc
 .Ft int
 .Fo X509_REQ_sign
@@ -93,8 +94,8 @@
 .Fc
 .Ft int
 .Fo X509_REQ_verify
-.Fa "X509_REQ *a"
-.Fa "EVP_PKEY *r"
+.Fa "X509_REQ *x"
+.Fa "EVP_PKEY *pkey"
 .Fc
 .Ft int
 .Fo X509_CRL_sign
@@ -109,8 +110,8 @@
 .Fc
 .Ft int
 .Fo X509_CRL_verify
-.Fa "X509_CRL *a"
-.Fa "EVP_PKEY *r"
+.Fa "X509_CRL *x"
+.Fa "EVP_PKEY *pkey"
 .Fc
 .Sh DESCRIPTION
 .Fn X509_sign
diff --git a/src/lib/libcrypto/man/X509_signature_dump.3 b/src/lib/libcrypto/man/X509_signature_dump.3
index 3333a615bf..c5b9277e0c 100644
--- a/src/lib/libcrypto/man/X509_signature_dump.3
+++ b/src/lib/libcrypto/man/X509_signature_dump.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_signature_dump.3,v 1.3 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: X509_signature_dump.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_SIGNATURE_DUMP 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509_signature_print
 .Nd pretty-print ASN.1 strings
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_signature_dump
diff --git a/src/lib/libcrypto/man/X509_verify_cert.3 b/src/lib/libcrypto/man/X509_verify_cert.3
index 9c085d7780..7897e09f80 100644
--- a/src/lib/libcrypto/man/X509_verify_cert.3
+++ b/src/lib/libcrypto/man/X509_verify_cert.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_verify_cert.3,v 1.8 2019/06/06 01:06:59 schwarze Exp $
+.\"     $OpenBSD: X509_verify_cert.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_VERIFY_CERT 3
 .Os
 .Sh NAME
 .Nm X509_verify_cert
 .Nd discover and verify X509 certificate chain
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_verify_cert
diff --git a/src/lib/libcrypto/man/X509v3_addr_add_inherit.3 b/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
index 4b2d150c86..d33de1f6a8 100644
--- a/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
+++ b/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.11 2023/10/01 22:46:21 tb Exp $
+.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 1 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_ADDR_ADD_INHERIT 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm X509v3_addr_is_canonical
 .Nd RFC 3779 IP address delegation extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509v3_addr_add_inherit
diff --git a/src/lib/libcrypto/man/X509v3_addr_get_range.3 b/src/lib/libcrypto/man/X509v3_addr_get_range.3
index e0d83b1162..7ad279d7cc 100644
--- a/src/lib/libcrypto/man/X509v3_addr_get_range.3
+++ b/src/lib/libcrypto/man/X509v3_addr_get_range.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_get_range.3,v 1.2 2023/09/30 14:12:40 schwarze Exp $
+.\" $OpenBSD: X509v3_addr_get_range.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_ADDR_GET_RANGE 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509v3_addr_get_range
 .Nd parse helpers for the IP address delegation extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft unsigned
 .Fn X509v3_addr_get_afi "const IPAddressFamily *af"
diff --git a/src/lib/libcrypto/man/X509v3_addr_inherits.3 b/src/lib/libcrypto/man/X509v3_addr_inherits.3
index 8e3cecf7ae..0da24ad10f 100644
--- a/src/lib/libcrypto/man/X509v3_addr_inherits.3
+++ b/src/lib/libcrypto/man/X509v3_addr_inherits.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_inherits.3,v 1.3 2023/09/30 14:21:57 schwarze Exp $
+.\" $OpenBSD: X509v3_addr_inherits.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_ADDR_INHERITS 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509v3_asid_inherits
 .Nd RFC 3779 inheritance
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fn X509v3_addr_inherits "IPAddrBlocks *addrblocks"
diff --git a/src/lib/libcrypto/man/X509v3_addr_subset.3 b/src/lib/libcrypto/man/X509v3_addr_subset.3
index 93714a26fa..5629d9c3cf 100644
--- a/src/lib/libcrypto/man/X509v3_addr_subset.3
+++ b/src/lib/libcrypto/man/X509v3_addr_subset.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_subset.3,v 1.2 2023/09/30 14:24:00 schwarze Exp $
+.\" $OpenBSD: X509v3_addr_subset.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_ADDR_SUBSET 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509v3_asid_subset
 .Nd RFC 3779 subset relationship
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fn X509v3_addr_subset "IPAddrBlocks *child" "IPAddrBlocks *parent"
diff --git a/src/lib/libcrypto/man/X509v3_addr_validate_path.3 b/src/lib/libcrypto/man/X509v3_addr_validate_path.3
index fe6065d599..5bafc6eba4 100644
--- a/src/lib/libcrypto/man/X509v3_addr_validate_path.3
+++ b/src/lib/libcrypto/man/X509v3_addr_validate_path.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.5 2023/09/30 19:07:38 tb Exp $
+.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_ADDR_VALIDATE_PATH 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm X509v3_asid_validate_resource_set
 .Nd RFC 3779 path validation for IP address and AS number delegation
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fn X509v3_addr_validate_path "X509_STORE_CTX *ctx"
diff --git a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
index 81221ca9bc..6378f45ae8 100644
--- a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
+++ b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.9 2023/09/30 18:16:44 tb Exp $
+.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.10 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_ASID_ADD_ID_OR_RANGE 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm X509v3_asid_is_canonical
 .Nd RFC 3779 autonomous system identifier delegation extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509v3_asid_add_id_or_range
diff --git a/src/lib/libcrypto/man/X509v3_get_ext_by_NID.3 b/src/lib/libcrypto/man/X509v3_get_ext_by_NID.3
index 8c7c159f80..63f8180151 100644
--- a/src/lib/libcrypto/man/X509v3_get_ext_by_NID.3
+++ b/src/lib/libcrypto/man/X509v3_get_ext_by_NID.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_get_ext_by_NID.3,v 1.15 2024/05/22 09:44:10 tb Exp $
+.\" $OpenBSD: X509v3_get_ext_by_NID.3,v 1.16 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL fd38836b Jun 20 15:25:43 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 22 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_GET_EXT_BY_NID 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm X509_REVOKED_add_ext
 .Nd extension stack utility functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509v3_get_ext_count
diff --git a/src/lib/libcrypto/man/a2d_ASN1_OBJECT.3 b/src/lib/libcrypto/man/a2d_ASN1_OBJECT.3
index 7d36a54be2..ed5e7b21f6 100644
--- a/src/lib/libcrypto/man/a2d_ASN1_OBJECT.3
+++ b/src/lib/libcrypto/man/a2d_ASN1_OBJECT.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: a2d_ASN1_OBJECT.3,v 1.3 2023/08/09 17:34:39 schwarze Exp $
+.\" $OpenBSD: a2d_ASN1_OBJECT.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 9 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt A2D_ASN1_OBJECT 3
 .Os
 .Sh NAME
 .Nm a2d_ASN1_OBJECT
 .Nd DER content octets of an ASN.1 object identifier
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo a2d_ASN1_OBJECT
diff --git a/src/lib/libcrypto/man/a2i_ipadd.3 b/src/lib/libcrypto/man/a2i_ipadd.3
index 1372b2acfd..1fea5e1a05 100644
--- a/src/lib/libcrypto/man/a2i_ipadd.3
+++ b/src/lib/libcrypto/man/a2i_ipadd.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: a2i_ipadd.3,v 1.1 2024/12/27 15:30:17 schwarze Exp $
+.\" $OpenBSD: a2i_ipadd.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 27 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt A2I_IPADD 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm a2i_IPADDRESS_NC
 .Nd parse Internet Protocol addresses into ASN.1 OCTET STRINGs for X.509
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo a2i_ipadd
diff --git a/src/lib/libcrypto/man/d2i_ASN1_NULL.3 b/src/lib/libcrypto/man/d2i_ASN1_NULL.3
index 037c9c93e1..06aafc08a2 100644
--- a/src/lib/libcrypto/man/d2i_ASN1_NULL.3
+++ b/src/lib/libcrypto/man/d2i_ASN1_NULL.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_ASN1_NULL.3,v 1.5 2023/09/26 09:36:22 tb Exp $
+.\"     $OpenBSD: d2i_ASN1_NULL.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 26 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_ASN1_NULL 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm i2d_ASN1_NULL
 .Nd decode and encode an ASN.1 NULL type
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_NULL *
 .Fo d2i_ASN1_NULL
diff --git a/src/lib/libcrypto/man/d2i_ASN1_OBJECT.3 b/src/lib/libcrypto/man/d2i_ASN1_OBJECT.3
index bbb70ad8c6..3d90c60e0b 100644
--- a/src/lib/libcrypto/man/d2i_ASN1_OBJECT.3
+++ b/src/lib/libcrypto/man/d2i_ASN1_OBJECT.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_ASN1_OBJECT.3,v 1.15 2025/03/14 21:32:15 tb Exp $
+.\" $OpenBSD: d2i_ASN1_OBJECT.3,v 1.16 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2017, 2022, 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 14 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_ASN1_OBJECT 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm OBJ_length
 .Nd decode and encode ASN.1 object identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_OBJECT *
 .Fo d2i_ASN1_OBJECT
diff --git a/src/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3 b/src/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3
index d544af0fe4..bd4b900193 100644
--- a/src/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3
+++ b/src/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_ASN1_OCTET_STRING.3,v 1.20 2024/02/13 12:38:43 job Exp $
+.\"     $OpenBSD: d2i_ASN1_OCTET_STRING.3,v 1.21 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 13 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_ASN1_OCTET_STRING 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm i2d_ASN1_TIME
 .Nd decode and encode ASN1_STRING objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_OCTET_STRING *
 .Fo d2i_ASN1_OCTET_STRING
diff --git a/src/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3 b/src/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3
index 654f0b1e6b..bd54520005 100644
--- a/src/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3
+++ b/src/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_ASN1_SEQUENCE_ANY.3,v 1.3 2021/12/09 19:05:09 schwarze Exp $
+.\" $OpenBSD: d2i_ASN1_SEQUENCE_ANY.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2017, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_ASN1_SEQUENCE_ANY 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm i2d_ASN1_SET_ANY
 .Nd decode and encode ASN.1 sequences and sets
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_SEQUENCE_ANY *
 .Fo d2i_ASN1_SEQUENCE_ANY
diff --git a/src/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3 b/src/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3
index 413f41e179..de1acfb6e1 100644
--- a/src/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3
+++ b/src/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_AUTHORITY_KEYID.3,v 1.2 2018/03/21 16:09:51 schwarze Exp $
+.\"     $OpenBSD: d2i_AUTHORITY_KEYID.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_AUTHORITY_KEYID 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm i2d_AUTHORITY_KEYID
 .Nd decode and encode X.509 authority key identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft AUTHORITY_KEYID *
 .Fo d2i_AUTHORITY_KEYID
diff --git a/src/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3 b/src/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3
index 2964a1f90e..b90c13df06 100644
--- a/src/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3
+++ b/src/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_BASIC_CONSTRAINTS.3,v 1.3 2018/03/22 21:08:22 schwarze Exp $
+.\"     $OpenBSD: d2i_BASIC_CONSTRAINTS.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 22 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_BASIC_CONSTRAINTS 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm i2d_EXTENDED_KEY_USAGE
 .Nd decode and encode X.509 key usage purposes
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft BASIC_CONSTRAINTS *
 .Fo d2i_BASIC_CONSTRAINTS
diff --git a/src/lib/libcrypto/man/d2i_CMS_ContentInfo.3 b/src/lib/libcrypto/man/d2i_CMS_ContentInfo.3
index 0c61047c42..f4238d664d 100644
--- a/src/lib/libcrypto/man/d2i_CMS_ContentInfo.3
+++ b/src/lib/libcrypto/man/d2i_CMS_ContentInfo.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_CMS_ContentInfo.3,v 1.3 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: d2i_CMS_ContentInfo.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_CMS_CONTENTINFO 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm i2d_CMS_ReceiptRequest
 .Nd decode and encode Cryptographic Message Syntax data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ContentInfo *
 .Fo d2i_CMS_ContentInfo
diff --git a/src/lib/libcrypto/man/d2i_DHparams.3 b/src/lib/libcrypto/man/d2i_DHparams.3
index 7fd9878dc0..f3cbd21f13 100644
--- a/src/lib/libcrypto/man/d2i_DHparams.3
+++ b/src/lib/libcrypto/man/d2i_DHparams.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_DHparams.3,v 1.8 2018/03/27 17:35:50 schwarze Exp $
+.\" $OpenBSD: d2i_DHparams.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_DHPARAMS 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm i2d_DHparams
 .Nd PKCS#3 DH parameter functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft DH *
 .Fo d2i_DHparams
diff --git a/src/lib/libcrypto/man/d2i_DIST_POINT.3 b/src/lib/libcrypto/man/d2i_DIST_POINT.3
index 34bdb26fb4..0e49dfeeb3 100644
--- a/src/lib/libcrypto/man/d2i_DIST_POINT.3
+++ b/src/lib/libcrypto/man/d2i_DIST_POINT.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_DIST_POINT.3,v 1.4 2018/03/23 04:34:23 schwarze Exp $
+.\"     $OpenBSD: d2i_DIST_POINT.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_DIST_POINT 3
 .Os
 .Sh NAME
@@ -32,6 +32,7 @@
 .Nm i2d_AUTHORITY_INFO_ACCESS
 .Nd decode and encode X.509 data access extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft DIST_POINT *
 .Fo d2i_DIST_POINT
diff --git a/src/lib/libcrypto/man/d2i_DSAPublicKey.3 b/src/lib/libcrypto/man/d2i_DSAPublicKey.3
index 37ef22e1b9..62dcc45082 100644
--- a/src/lib/libcrypto/man/d2i_DSAPublicKey.3
+++ b/src/lib/libcrypto/man/d2i_DSAPublicKey.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_DSAPublicKey.3,v 1.14 2018/08/26 17:03:32 tb Exp $
+.\"     $OpenBSD: d2i_DSAPublicKey.3,v 1.15 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 26 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_DSAPUBLICKEY 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm i2d_DSA_SIG
 .Nd decode and encode DSA keys
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft DSA *
 .Fo d2i_DSAPublicKey
diff --git a/src/lib/libcrypto/man/d2i_ECPKParameters.3 b/src/lib/libcrypto/man/d2i_ECPKParameters.3
index 3e1fe1ac70..8e824951d6 100644
--- a/src/lib/libcrypto/man/d2i_ECPKParameters.3
+++ b/src/lib/libcrypto/man/d2i_ECPKParameters.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_ECPKParameters.3,v 1.14 2025/04/25 20:04:09 tb Exp $
+.\"     $OpenBSD: d2i_ECPKParameters.3,v 1.15 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_ECPKPARAMETERS 3
 .Os
 .Sh NAME
@@ -98,6 +98,7 @@
 .Nm i2d_EC_PUBKEY_fp
 .Nd decode and encode ASN.1 representations of elliptic curve entities
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
 .Ft EC_GROUP *
 .Fo d2i_ECPKParameters
diff --git a/src/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3 b/src/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3
index c1d61d3b5e..0305ca78a1 100644
--- a/src/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3
+++ b/src/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_ESS_SIGNING_CERT.3,v 1.2 2018/03/23 04:34:23 schwarze Exp $
+.\"     $OpenBSD: d2i_ESS_SIGNING_CERT.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_ESS_SIGNING_CERT 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm i2d_ESS_ISSUER_SERIAL
 .Nd decode and encode signing certificates for S/MIME
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ts.h
 .Ft ESS_SIGNING_CERT *
 .Fo d2i_ESS_SIGNING_CERT
diff --git a/src/lib/libcrypto/man/d2i_GENERAL_NAME.3 b/src/lib/libcrypto/man/d2i_GENERAL_NAME.3
index bfdcc6c67c..557e5ce353 100644
--- a/src/lib/libcrypto/man/d2i_GENERAL_NAME.3
+++ b/src/lib/libcrypto/man/d2i_GENERAL_NAME.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_GENERAL_NAME.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $
+.\"     $OpenBSD: d2i_GENERAL_NAME.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 22 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_GENERAL_NAME 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Nm i2d_OTHERNAME
 .Nd decode and encode names for use in X.509 extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft GENERAL_NAME *
 .Fo d2i_GENERAL_NAME
diff --git a/src/lib/libcrypto/man/d2i_OCSP_REQUEST.3 b/src/lib/libcrypto/man/d2i_OCSP_REQUEST.3
index 07a990556d..7d27d2b4c1 100644
--- a/src/lib/libcrypto/man/d2i_OCSP_REQUEST.3
+++ b/src/lib/libcrypto/man/d2i_OCSP_REQUEST.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_OCSP_REQUEST.3,v 1.3 2021/03/12 05:18:00 jsg Exp $
+.\"     $OpenBSD: d2i_OCSP_REQUEST.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 12 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_OCSP_REQUEST 3
 .Os
 .Sh NAME
@@ -32,6 +32,7 @@
 .Nm i2d_OCSP_SERVICELOC
 .Nd decode and encode OCSP requests
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_REQUEST *
 .Fo d2i_OCSP_REQUEST
diff --git a/src/lib/libcrypto/man/d2i_OCSP_RESPONSE.3 b/src/lib/libcrypto/man/d2i_OCSP_RESPONSE.3
index 716e85dc6e..a89c566c12 100644
--- a/src/lib/libcrypto/man/d2i_OCSP_RESPONSE.3
+++ b/src/lib/libcrypto/man/d2i_OCSP_RESPONSE.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_OCSP_RESPONSE.3,v 1.4 2021/03/12 05:18:00 jsg Exp $
+.\"     $OpenBSD: d2i_OCSP_RESPONSE.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 12 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_OCSP_RESPONSE 3
 .Os
 .Sh NAME
@@ -38,6 +38,7 @@
 .Nm i2d_OCSP_CRLID
 .Nd decode and encode OCSP responses
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_RESPONSE *
 .Fo d2i_OCSP_RESPONSE
diff --git a/src/lib/libcrypto/man/d2i_PKCS12.3 b/src/lib/libcrypto/man/d2i_PKCS12.3
index 55272d1f36..2dda946a3f 100644
--- a/src/lib/libcrypto/man/d2i_PKCS12.3
+++ b/src/lib/libcrypto/man/d2i_PKCS12.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_PKCS12.3,v 1.2 2018/03/21 17:57:48 schwarze Exp $
+.\"     $OpenBSD: d2i_PKCS12.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_PKCS12 3
 .Os
 .Sh NAME
@@ -32,6 +32,7 @@
 .Nm i2d_PKCS12_BAGS
 .Nd decode and encode PKCS#12 structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs12.h
 .Ft PKCS12 *
 .Fo d2i_PKCS12
diff --git a/src/lib/libcrypto/man/d2i_PKCS7.3 b/src/lib/libcrypto/man/d2i_PKCS7.3
index e587787465..6d72433b7d 100644
--- a/src/lib/libcrypto/man/d2i_PKCS7.3
+++ b/src/lib/libcrypto/man/d2i_PKCS7.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_PKCS7.3,v 1.7 2023/04/25 18:05:07 tb Exp $
+.\"     $OpenBSD: d2i_PKCS7.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 25 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_PKCS7 3
 .Os
 .Sh NAME
@@ -44,6 +44,7 @@
 .Nm i2d_PKCS7_SIGN_ENVELOPE
 .Nd decode and encode PKCS#7 data structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft PKCS7 *
 .Fo d2i_PKCS7
diff --git a/src/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3 b/src/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3
index 58dd989fae..41ab7ebcba 100644
--- a/src/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3
+++ b/src/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_PKCS8PrivateKey_bio.3,v 1.11 2019/06/07 19:28:52 schwarze Exp $
+.\" $OpenBSD: d2i_PKCS8PrivateKey_bio.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 7 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_PKCS8PRIVATEKEY_BIO 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm i2d_PKCS8PrivateKey_nid_fp
 .Nd PKCS#8 format private key functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_PKEY *
 .Fo d2i_PKCS8PrivateKey_bio
diff --git a/src/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3 b/src/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3
index 1ac0f2c308..583fd536f2 100644
--- a/src/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3
+++ b/src/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_PKCS8_PRIV_KEY_INFO.3,v 1.3 2018/03/21 21:18:08 schwarze Exp $
+.\"     $OpenBSD: d2i_PKCS8_PRIV_KEY_INFO.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_PKCS8_PRIV_KEY_INFO 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm i2d_PKCS8_PRIV_KEY_INFO_fp
 .Nd decode and encode PKCS#8 private key
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft PKCS8_PRIV_KEY_INFO *
 .Fo d2i_PKCS8_PRIV_KEY_INFO
diff --git a/src/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3 b/src/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3
index df8639264c..1c3a215a38 100644
--- a/src/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3
+++ b/src/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_PKEY_USAGE_PERIOD.3,v 1.2 2018/03/21 16:09:51 schwarze Exp $
+.\"     $OpenBSD: d2i_PKEY_USAGE_PERIOD.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_PKEY_USAGE_PERIOD 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm i2d_PKEY_USAGE_PERIOD
 .Nd decode and encode X.509 key usage period extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft PKEY_USAGE_PERIOD *
 .Fo d2i_PKEY_USAGE_PERIOD
diff --git a/src/lib/libcrypto/man/d2i_POLICYINFO.3 b/src/lib/libcrypto/man/d2i_POLICYINFO.3
index bae78b17c7..c335edc1df 100644
--- a/src/lib/libcrypto/man/d2i_POLICYINFO.3
+++ b/src/lib/libcrypto/man/d2i_POLICYINFO.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_POLICYINFO.3,v 1.2 2018/03/21 17:57:48 schwarze Exp $
+.\"     $OpenBSD: d2i_POLICYINFO.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_POLICYINFO 3
 .Os
 .Sh NAME
@@ -30,6 +30,7 @@
 .Nm i2d_NOTICEREF
 .Nd decode and encode X.509 certificate policies
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft POLICYINFO *
 .Fo d2i_POLICYINFO
diff --git a/src/lib/libcrypto/man/d2i_PrivateKey.3 b/src/lib/libcrypto/man/d2i_PrivateKey.3
index b544ea0e9a..48f1b93a19 100644
--- a/src/lib/libcrypto/man/d2i_PrivateKey.3
+++ b/src/lib/libcrypto/man/d2i_PrivateKey.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_PrivateKey.3,v 1.11 2024/10/24 21:42:10 tb Exp $
+.\" $OpenBSD: d2i_PrivateKey.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_PRIVATEKEY 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm i2d_PublicKey
 .Nd decode and encode EVP_PKEY objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_PKEY *
 .Fo d2i_PrivateKey
diff --git a/src/lib/libcrypto/man/d2i_RSAPublicKey.3 b/src/lib/libcrypto/man/d2i_RSAPublicKey.3
index d6c376d84b..3f738641df 100644
--- a/src/lib/libcrypto/man/d2i_RSAPublicKey.3
+++ b/src/lib/libcrypto/man/d2i_RSAPublicKey.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_RSAPublicKey.3,v 1.13 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: d2i_RSAPublicKey.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_RSAPUBLICKEY 3
 .Os
 .Sh NAME
@@ -95,6 +95,7 @@
 .Nm i2d_RSA_PUBKEY_fp
 .Nd decode and encode RSA keys and parameters
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft RSA *
 .Fo d2i_RSAPublicKey
diff --git a/src/lib/libcrypto/man/d2i_TS_REQ.3 b/src/lib/libcrypto/man/d2i_TS_REQ.3
index 9f7c860fa1..87e9a402b8 100644
--- a/src/lib/libcrypto/man/d2i_TS_REQ.3
+++ b/src/lib/libcrypto/man/d2i_TS_REQ.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_TS_REQ.3,v 1.2 2018/03/23 04:34:23 schwarze Exp $
+.\"     $OpenBSD: d2i_TS_REQ.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_TS_REQ 3
 .Os
 .Sh NAME
@@ -48,6 +48,7 @@
 .Nm i2d_TS_MSG_IMPRINT_fp
 .Nd decode and encode X.509 time-stamp protocol structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ts.h
 .Ft TS_REQ *
 .Fo d2i_TS_REQ
diff --git a/src/lib/libcrypto/man/d2i_X509.3 b/src/lib/libcrypto/man/d2i_X509.3
index 6102e49e0e..2905e49aca 100644
--- a/src/lib/libcrypto/man/d2i_X509.3
+++ b/src/lib/libcrypto/man/d2i_X509.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_X509.3,v 1.11 2021/10/27 10:35:43 schwarze Exp $
+.\" $OpenBSD: d2i_X509.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\" OpenSSL d2i_X509.pod checked up to:
 .\" 256989ce4 Jun 19 15:00:32 2020 +0200
 .\" OpenSSL i2d_re_X509_tbs.pod checked up to:
@@ -71,7 +71,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 27 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509 3
 .Os
 .Sh NAME
@@ -94,6 +94,7 @@
 .Nm i2d_re_X509_REQ_tbs
 .Nd decode and encode X.509 certificates
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509 *
 .Fo d2i_X509
diff --git a/src/lib/libcrypto/man/d2i_X509_ALGOR.3 b/src/lib/libcrypto/man/d2i_X509_ALGOR.3
index 252f3fc344..2691ceda85 100644
--- a/src/lib/libcrypto/man/d2i_X509_ALGOR.3
+++ b/src/lib/libcrypto/man/d2i_X509_ALGOR.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_X509_ALGOR.3,v 1.11 2025/03/14 21:32:15 tb Exp $
+.\" $OpenBSD: d2i_X509_ALGOR.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 14 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509_ALGOR 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm i2d_X509_ALGORS
 .Nd decode and encode algorithm identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_ALGOR *
 .Fo d2i_X509_ALGOR
diff --git a/src/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3 b/src/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3
index 6b070e5e51..be4924d3e0 100644
--- a/src/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3
+++ b/src/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_X509_ATTRIBUTE.3,v 1.3 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: d2i_X509_ATTRIBUTE.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509_ATTRIBUTE 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .\" The type in called "Attribute" with capital "A", not "attribute".
 .Nd decode and encode generic X.501 Attribute
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_ATTRIBUTE *
 .Fo d2i_X509_ATTRIBUTE
diff --git a/src/lib/libcrypto/man/d2i_X509_CRL.3 b/src/lib/libcrypto/man/d2i_X509_CRL.3
index 79c1ed9f8c..040ac0395f 100644
--- a/src/lib/libcrypto/man/d2i_X509_CRL.3
+++ b/src/lib/libcrypto/man/d2i_X509_CRL.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_X509_CRL.3,v 1.10 2025/03/15 15:17:41 tb Exp $
+.\" $OpenBSD: d2i_X509_CRL.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 15 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509_CRL 3
 .Os
 .Sh NAME
@@ -30,6 +30,7 @@
 .Nm i2d_X509_REVOKED
 .Nd decode and encode X.509 certificate revocation lists
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_CRL *
 .Fo d2i_X509_CRL
diff --git a/src/lib/libcrypto/man/d2i_X509_EXTENSION.3 b/src/lib/libcrypto/man/d2i_X509_EXTENSION.3
index 46a680c1ba..3e1011d180 100644
--- a/src/lib/libcrypto/man/d2i_X509_EXTENSION.3
+++ b/src/lib/libcrypto/man/d2i_X509_EXTENSION.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_X509_EXTENSION.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: d2i_X509_EXTENSION.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509_EXTENSION 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .\" The ASN.1 structure is called "Extensions", not "extensions".
 .Nd decode and encode X.509 Extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_EXTENSION *
 .Fo d2i_X509_EXTENSION
diff --git a/src/lib/libcrypto/man/d2i_X509_NAME.3 b/src/lib/libcrypto/man/d2i_X509_NAME.3
index f5cafaee97..c8df55f10d 100644
--- a/src/lib/libcrypto/man/d2i_X509_NAME.3
+++ b/src/lib/libcrypto/man/d2i_X509_NAME.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_X509_NAME.3,v 1.18 2025/03/14 21:32:15 tb Exp $
+.\" $OpenBSD: d2i_X509_NAME.3,v 1.19 2025/06/08 22:40:30 schwarze Exp $
 .\" checked up to:
 .\" OpenSSL crypto/d2i_X509_NAME 4692340e Jun 7 15:49:08 2016 -0400 and
 .\" OpenSSL man3/X509_NAME_get0_der 99d63d46 Oct 26 13:56:48 2016 -0400
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 14 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509_NAME 3
 .Os
 .Sh NAME
@@ -34,6 +34,7 @@
 .\" The type is called "Name" with capital "N", not "name".
 .Nd decode and encode X.501 Name objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_NAME *
 .Fo d2i_X509_NAME
diff --git a/src/lib/libcrypto/man/d2i_X509_REQ.3 b/src/lib/libcrypto/man/d2i_X509_REQ.3
index 95785a2d25..0f113757ee 100644
--- a/src/lib/libcrypto/man/d2i_X509_REQ.3
+++ b/src/lib/libcrypto/man/d2i_X509_REQ.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_X509_REQ.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: d2i_X509_REQ.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509_REQ 3
 .Os
 .Sh NAME
@@ -29,6 +29,7 @@
 .Nm i2d_X509_REQ_INFO
 .Nd decode and encode PKCS#10 certification requests
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_REQ *
 .Fo d2i_X509_REQ
diff --git a/src/lib/libcrypto/man/d2i_X509_SIG.3 b/src/lib/libcrypto/man/d2i_X509_SIG.3
index c9fbf86633..1700b2d728 100644
--- a/src/lib/libcrypto/man/d2i_X509_SIG.3
+++ b/src/lib/libcrypto/man/d2i_X509_SIG.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_X509_SIG.3,v 1.10 2025/03/14 21:32:15 tb Exp $
+.\"     $OpenBSD: d2i_X509_SIG.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 14 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509_SIG 3
 .Os
 .Sh NAME
@@ -29,6 +29,7 @@
 .\" These functions are misnamed.
 .Nd decode and encode PKCS#7 digest information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_SIG *
 .Fo d2i_X509_SIG
diff --git a/src/lib/libcrypto/man/des_read_pw.3 b/src/lib/libcrypto/man/des_read_pw.3
index 7cb35b47f8..2ffe13bbe9 100644
--- a/src/lib/libcrypto/man/des_read_pw.3
+++ b/src/lib/libcrypto/man/des_read_pw.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: des_read_pw.3,v 1.12 2024/08/24 07:48:37 tb Exp $
+.\" $OpenBSD: des_read_pw.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL doc/crypto/des.pod
 .\" 53934822 Jun 9 16:39:19 2016 -0400
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DES_READ_PW 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm EVP_get_pw_prompt
 .Nd compatibility user interface functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_read_pw_string
diff --git a/src/lib/libcrypto/man/evp.3 b/src/lib/libcrypto/man/evp.3
index 2c54c0f981..3a7acf1ff8 100644
--- a/src/lib/libcrypto/man/evp.3
+++ b/src/lib/libcrypto/man/evp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: evp.3,v 1.36 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: evp.3,v 1.38 2025/06/11 13:48:54 schwarze Exp $
 .\" full merge up to: OpenSSL man7/evp 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>,
@@ -51,13 +51,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt EVP 3
 .Os
 .Sh NAME
 .Nm evp
 .Nd high-level cryptographic functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Sh DESCRIPTION
 The EVP library provides a high-level interface to cryptographic
@@ -75,7 +76,7 @@ in contexts like
 .Xr EVP_SealInit 3 ,
 .Xr PKCS7_encrypt 3 ,
 or
-.Xr SMIME_write_ASN1 3 .
+.Xr SMIME_write_PKCS7 3 .
 .Pp
 .Xr EVP_SealInit 3
 and
diff --git a/src/lib/libcrypto/man/i2a_ASN1_STRING.3 b/src/lib/libcrypto/man/i2a_ASN1_STRING.3
index 7d46474775..c16259e565 100644
--- a/src/lib/libcrypto/man/i2a_ASN1_STRING.3
+++ b/src/lib/libcrypto/man/i2a_ASN1_STRING.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: i2a_ASN1_STRING.3,v 1.5 2024/12/27 15:30:17 schwarze Exp $
+.\" $OpenBSD: i2a_ASN1_STRING.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 27 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt I2A_ASN1_STRING 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm a2i_ASN1_ENUMERATED
 .Nd hexadecimal dump of an ASN.1 string
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo i2a_ASN1_STRING
diff --git a/src/lib/libcrypto/man/i2d_CMS_bio_stream.3 b/src/lib/libcrypto/man/i2d_CMS_bio_stream.3
index b60468464c..403f7c2906 100644
--- a/src/lib/libcrypto/man/i2d_CMS_bio_stream.3
+++ b/src/lib/libcrypto/man/i2d_CMS_bio_stream.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: i2d_CMS_bio_stream.3,v 1.6 2023/05/01 07:28:11 tb Exp $
+.\" $OpenBSD: i2d_CMS_bio_stream.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 1 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt I2D_CMS_BIO_STREAM 3
 .Os
 .Sh NAME
 .Nm i2d_CMS_bio_stream
 .Nd output CMS_ContentInfo structure in BER format
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo i2d_CMS_bio_stream
diff --git a/src/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 b/src/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
index 7a47ba3026..3636960aa2 100644
--- a/src/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
+++ b/src/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: i2d_PKCS7_bio_stream.3,v 1.11 2023/05/01 07:28:11 tb Exp $
+.\" $OpenBSD: i2d_PKCS7_bio_stream.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\" OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 1 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt I2D_PKCS7_BIO_STREAM 3
 .Os
 .Sh NAME
 .Nm i2d_PKCS7_bio_stream
 .Nd output PKCS7 structure in BER format
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo i2d_PKCS7_bio_stream
diff --git a/src/lib/libcrypto/man/lh_new.3 b/src/lib/libcrypto/man/lh_new.3
index 2550a7d2e7..cc0b3d6b96 100644
--- a/src/lib/libcrypto/man/lh_new.3
+++ b/src/lib/libcrypto/man/lh_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: lh_new.3,v 1.13 2024/03/05 22:15:29 tb Exp $
+.\" $OpenBSD: lh_new.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL doc/crypto/lhash.pod 1bc74519 May 20 08:11:46 2016 -0400
 .\" selective merge up to:
@@ -118,7 +118,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt LH_NEW 3
 .Os
 .Sh NAME
@@ -137,6 +137,7 @@
 .Nm lh_strhash
 .Nd dynamic hash table
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/lhash.h
 .Fn DECLARE_LHASH_OF <type>
 .Ft LHASH *
diff --git a/src/lib/libcrypto/man/s2i_ASN1_INTEGER.3 b/src/lib/libcrypto/man/s2i_ASN1_INTEGER.3
index a2105bc4bc..16646c69d1 100644
--- a/src/lib/libcrypto/man/s2i_ASN1_INTEGER.3
+++ b/src/lib/libcrypto/man/s2i_ASN1_INTEGER.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: s2i_ASN1_INTEGER.3,v 1.9 2024/12/27 15:30:17 schwarze Exp $
+.\" $OpenBSD: s2i_ASN1_INTEGER.3,v 1.11 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 27 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt S2I_ASN1_INTEGER 3
 .Os
 .Sh NAME
@@ -26,35 +26,36 @@
 .Nm s2i_ASN1_OCTET_STRING
 .Nd ASN.1 data type conversion utilities for certificate extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .In openssl/x509v3.h
-.Ft "char *"
+.Ft char *
 .Fo i2s_ASN1_ENUMERATED
 .Fa "X509V3_EXT_METHOD *method"
 .Fa "const ASN1_ENUMERATED *a"
 .Fc
-.Ft "char *"
+.Ft char *
 .Fo i2s_ASN1_INTEGER
 .Fa "X509V3_EXT_METHOD *method"
 .Fa "const ASN1_INTEGER *a"
 .Fc
-.Ft "ASN1_INTEGER *"
+.Ft ASN1_INTEGER *
 .Fo s2i_ASN1_INTEGER
 .Fa "X509V3_EXT_METHOD *method"
 .Fa "const char *value"
 .Fc
-.Ft "char *"
+.Ft char *
 .Fo i2s_ASN1_OCTET_STRING
 .Fa "X509V3_EXT_METHOD *method"
 .Fa "const ASN1_OCTET_STRING *aos"
 .Fc
-.Ft "ASN1_OCTET_STRING *"
+.Ft ASN1_OCTET_STRING *
 .Fo s2i_ASN1_OCTET_STRING
 .Fa "X509V3_EXT_METHOD *method"
 .Fa "X509V3_CTX *ctx"
 .Fa "const char *value"
 .Fc
-.Ft "char *"
+.Ft char *
 .Fo i2s_ASN1_ENUMERATED_TABLE
 .Fa "X509V3_EXT_METHOD *method"
 .Fa "const ASN1_ENUMERATED *a"
diff --git a/src/lib/libcrypto/man/v2i_ASN1_BIT_STRING.3 b/src/lib/libcrypto/man/v2i_ASN1_BIT_STRING.3
index 36d9f7496b..107a57ae35 100644
--- a/src/lib/libcrypto/man/v2i_ASN1_BIT_STRING.3
+++ b/src/lib/libcrypto/man/v2i_ASN1_BIT_STRING.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: v2i_ASN1_BIT_STRING.3,v 1.1 2024/12/24 09:48:56 schwarze Exp $
+.\" $OpenBSD: v2i_ASN1_BIT_STRING.3,v 1.2 2025/06/08 22:40:31 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt V2I_ASN1_BIT_STRING 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm i2v_ASN1_BIT_STRING
 .Nd ASN.1 BIT STRING utility functions for certificate extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft ASN1_BIT_STRING *
 .Fo v2i_ASN1_BIT_STRING
diff --git a/src/lib/libcrypto/mlkem/mlkem.c b/src/lib/libcrypto/mlkem/mlkem.c
new file mode 100644
index 0000000000..bf53e5d77a
--- /dev/null
+++ b/src/lib/libcrypto/mlkem/mlkem.c
@@ -0,0 +1,416 @@
+/*      $OpenBSD: mlkem.c,v 1.2 2025/08/14 16:04:01 beck Exp $ */
+/*
+ * Copyright (c) 2025, Bob Beck <beck@obtuse.com>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <stdlib.h>
+
+#include <openssl/mlkem.h>
+#include "mlkem_internal.h"
+
+static inline int
+private_key_is_new(const MLKEM_private_key *key)
+{
+        return (key != NULL &&
+            key->state == MLKEM_PRIVATE_KEY_UNINITIALIZED &&
+            (key->rank == RANK768 || key->rank == RANK1024));
+}
+
+static inline int
+private_key_is_valid(const MLKEM_private_key *key)
+{
+        return (key != NULL &&
+            key->state == MLKEM_PRIVATE_KEY_INITIALIZED &&
+            (key->rank == RANK768 || key->rank == RANK1024));
+}
+
+static inline int
+public_key_is_new(const MLKEM_public_key *key)
+{
+        return (key != NULL &&
+            key->state == MLKEM_PUBLIC_KEY_UNINITIALIZED &&
+            (key->rank == RANK768 || key->rank == RANK1024));
+}
+
+static inline int
+public_key_is_valid(const MLKEM_public_key *key)
+{
+        return (key != NULL &&
+            key->state == MLKEM_PUBLIC_KEY_INITIALIZED &&
+            (key->rank == RANK768 || key->rank == RANK1024));
+}
+
+/*
+ * ML-KEM operations
+ */
+
+int
+MLKEM_generate_key_external_entropy(MLKEM_private_key *private_key,
+    uint8_t **out_encoded_public_key, size_t *out_encoded_public_key_len,
+    const uint8_t *entropy)
+{
+        uint8_t *k = NULL;
+        size_t k_len = 0;
+        int ret = 0;
+
+        if (*out_encoded_public_key != NULL)
+                goto err;
+
+        if (!private_key_is_new(private_key))
+                goto err;
+
+        k_len = MLKEM768_PUBLIC_KEY_BYTES;
+        if (private_key->rank == RANK1024)
+                k_len = MLKEM1024_PUBLIC_KEY_BYTES;
+
+        if ((k = calloc(1, k_len)) == NULL)
+                goto err;
+
+        switch (private_key->rank) {
+        case RANK768:
+                if (!MLKEM768_generate_key_external_entropy(k, private_key,
+                    entropy))
+                        goto err;
+                break;
+        case RANK1024:
+                if (!MLKEM1024_generate_key_external_entropy(k, private_key,
+                    entropy))
+                        goto err;
+                break;
+        }
+
+        private_key->state = MLKEM_PRIVATE_KEY_INITIALIZED;
+
+        *out_encoded_public_key = k;
+        *out_encoded_public_key_len = k_len;
+        k = NULL;
+
+        ret = 1;
+
+ err:
+        freezero(k, k_len);
+
+        return ret;
+}
+
+int
+MLKEM_generate_key(MLKEM_private_key *private_key,
+    uint8_t **out_encoded_public_key, size_t *out_encoded_public_key_len,
+    uint8_t **out_optional_seed, size_t *out_optional_seed_len)
+{
+        uint8_t *entropy_buf = NULL;
+        int ret = 0;
+
+        if (*out_encoded_public_key != NULL)
+                goto err;
+
+        if (out_optional_seed != NULL && *out_optional_seed != NULL)
+                goto err;
+
+        if ((entropy_buf = calloc(1, MLKEM_SEED_LENGTH)) == NULL)
+                goto err;
+
+        arc4random_buf(entropy_buf, MLKEM_SEED_LENGTH);
+        if (!MLKEM_generate_key_external_entropy(private_key,
+            out_encoded_public_key, out_encoded_public_key_len,
+            entropy_buf))
+                goto err;
+
+        if (out_optional_seed != NULL) {
+                *out_optional_seed = entropy_buf;
+                *out_optional_seed_len = MLKEM_SEED_LENGTH;
+                entropy_buf = NULL;
+        }
+
+        ret = 1;
+
+ err:
+        freezero(entropy_buf, MLKEM_SEED_LENGTH);
+
+        return ret;
+}
+LCRYPTO_ALIAS(MLKEM_generate_key);
+
+int
+MLKEM_private_key_from_seed(MLKEM_private_key *private_key,
+    const uint8_t *seed, size_t seed_len)
+{
+        int ret = 0;
+
+        if (!private_key_is_new(private_key))
+                goto err;
+
+        if (seed_len != MLKEM_SEED_LENGTH)
+                goto err;
+
+        switch (private_key->rank) {
+        case RANK768:
+                if (!MLKEM768_private_key_from_seed(seed,
+                    seed_len, private_key))
+                        goto err;
+                break;
+        case RANK1024:
+                if (!MLKEM1024_private_key_from_seed(private_key,
+                    seed, seed_len))
+                        goto err;
+                break;
+        }
+
+        private_key->state = MLKEM_PRIVATE_KEY_INITIALIZED;
+
+        ret = 1;
+
+ err:
+
+        return ret;
+}
+LCRYPTO_ALIAS(MLKEM_private_key_from_seed);
+
+int
+MLKEM_public_from_private(const MLKEM_private_key *private_key,
+    MLKEM_public_key *public_key)
+{
+        if (!private_key_is_valid(private_key))
+                return 0;
+        if (!public_key_is_new(public_key))
+                return 0;
+        if (public_key->rank != private_key->rank)
+                return 0;
+        switch (private_key->rank) {
+        case RANK768:
+                MLKEM768_public_from_private(private_key, public_key);
+                break;
+        case RANK1024:
+                MLKEM1024_public_from_private(private_key, public_key);
+                break;
+        }
+
+        public_key->state = MLKEM_PUBLIC_KEY_INITIALIZED;
+
+        return 1;
+}
+LCRYPTO_ALIAS(MLKEM_public_from_private);
+
+int
+MLKEM_encap_external_entropy(const MLKEM_public_key *public_key,
+    const uint8_t *entropy, uint8_t **out_ciphertext,
+    size_t *out_ciphertext_len, uint8_t **out_shared_secret,
+    size_t *out_shared_secret_len)
+{
+        uint8_t *secret = NULL;
+        uint8_t *ciphertext = NULL;
+        size_t ciphertext_len = 0;
+        int ret = 0;
+
+        if (*out_ciphertext != NULL)
+                goto err;
+
+        if (*out_shared_secret != NULL)
+                goto err;
+
+        if (!public_key_is_valid(public_key))
+                goto err;
+
+        if ((secret = calloc(1, MLKEM_SHARED_SECRET_LENGTH)) == NULL)
+                goto err;
+
+        ciphertext_len = MLKEM_public_key_ciphertext_length(public_key);
+
+        if ((ciphertext = calloc(1, ciphertext_len)) == NULL)
+                goto err;
+
+        switch (public_key->rank) {
+        case RANK768:
+                MLKEM768_encap_external_entropy(ciphertext, secret, public_key,
+                    entropy);
+                break;
+
+        case RANK1024:
+                MLKEM1024_encap_external_entropy(ciphertext, secret, public_key,
+                    entropy);
+                break;
+        }
+        *out_ciphertext = ciphertext;
+        *out_ciphertext_len = ciphertext_len;
+        ciphertext = NULL;
+        *out_shared_secret = secret;
+        *out_shared_secret_len = MLKEM_SHARED_SECRET_LENGTH;
+        secret = NULL;
+
+        ret = 1;
+
+ err:
+        freezero(secret, MLKEM_SHARED_SECRET_LENGTH);
+        freezero(ciphertext, ciphertext_len);
+
+        return ret;
+}
+
+int
+MLKEM_encap(const MLKEM_public_key *public_key,
+    uint8_t **out_ciphertext, size_t *out_ciphertext_len,
+    uint8_t **out_shared_secret, size_t *out_shared_secret_len)
+{
+        uint8_t entropy[MLKEM_ENCAP_ENTROPY];
+
+        arc4random_buf(entropy, MLKEM_ENCAP_ENTROPY);
+
+        return MLKEM_encap_external_entropy(public_key, entropy, out_ciphertext,
+            out_ciphertext_len, out_shared_secret, out_shared_secret_len);
+}
+LCRYPTO_ALIAS(MLKEM_encap);
+
+int
+MLKEM_decap(const MLKEM_private_key *private_key,
+    const uint8_t *ciphertext, size_t ciphertext_len,
+    uint8_t **out_shared_secret, size_t *out_shared_secret_len)
+{
+        uint8_t *s = NULL;
+        int ret = 0;
+
+        if (*out_shared_secret != NULL)
+                goto err;
+
+        if (!private_key_is_valid(private_key))
+                goto err;
+
+        if (ciphertext_len != MLKEM_private_key_ciphertext_length(private_key))
+                goto err;
+
+        if ((s = calloc(1, MLKEM_SHARED_SECRET_LENGTH)) == NULL)
+                goto err;
+
+        switch (private_key->rank) {
+        case RANK768:
+                MLKEM768_decap(private_key, ciphertext, ciphertext_len, s);
+                break;
+
+        case RANK1024:
+                MLKEM1024_decap(private_key, ciphertext, ciphertext_len, s);
+                break;
+        }
+
+        *out_shared_secret = s;
+        *out_shared_secret_len = MLKEM_SHARED_SECRET_LENGTH;
+        s = NULL;
+
+        ret = 1;
+
+ err:
+        freezero(s, MLKEM_SHARED_SECRET_LENGTH);
+
+        return ret;
+}
+LCRYPTO_ALIAS(MLKEM_decap);
+
+int
+MLKEM_marshal_public_key(const MLKEM_public_key *public_key, uint8_t **out,
+    size_t *out_len)
+{
+        if (*out != NULL)
+                return 0;
+
+        if (!public_key_is_valid(public_key))
+                return 0;
+
+        switch (public_key->rank) {
+        case RANK768:
+                return MLKEM768_marshal_public_key(public_key, out, out_len);
+        case RANK1024:
+                return MLKEM1024_marshal_public_key(public_key, out, out_len);
+        default:
+                return 0;
+        }
+}
+LCRYPTO_ALIAS(MLKEM_marshal_public_key);
+
+/*
+ * Not exposed publicly, becuase the NIST private key format is gigantisch, and
+ * seeds should be used instead.  Used for the NIST tests.
+ */
+int
+MLKEM_marshal_private_key(const MLKEM_private_key *private_key, uint8_t **out,
+    size_t *out_len)
+{
+        if (*out != NULL)
+                return 0;
+
+        if (!private_key_is_valid(private_key))
+                return 0;
+
+        switch (private_key->rank) {
+        case RANK768:
+                return MLKEM768_marshal_private_key(private_key, out, out_len);
+        case RANK1024:
+                return MLKEM1024_marshal_private_key(private_key, out, out_len);
+        default:
+                return 0;
+        }
+}
+
+int
+MLKEM_parse_public_key(MLKEM_public_key *public_key, const uint8_t *in,
+    size_t in_len)
+{
+        if (!public_key_is_new(public_key))
+                return 0;
+
+        if (in_len != MLKEM_public_key_encoded_length(public_key))
+                return 0;
+
+        switch (public_key->rank) {
+        case RANK768:
+                if (!MLKEM768_parse_public_key(in, in_len,
+                    public_key))
+                        return 0;
+                break;
+        case RANK1024:
+                if (!MLKEM1024_parse_public_key(in, in_len,
+                    public_key))
+                        return 0;
+                break;
+        }
+
+        public_key->state = MLKEM_PUBLIC_KEY_INITIALIZED;
+
+        return 1;
+}
+LCRYPTO_ALIAS(MLKEM_parse_public_key);
+
+int
+MLKEM_parse_private_key(MLKEM_private_key *private_key, const uint8_t *in,
+    size_t in_len)
+{
+        if (!private_key_is_new(private_key))
+                return 0;
+
+        if (in_len != MLKEM_private_key_encoded_length(private_key))
+                return 0;
+
+        switch (private_key->rank) {
+        case RANK768:
+                if (!MLKEM768_parse_private_key(in, in_len, private_key))
+                        return 0;
+                break;
+        case RANK1024:
+                if (!MLKEM1024_parse_private_key(in, in_len, private_key))
+                        return 0;
+                break;
+        }
+
+        private_key->state = MLKEM_PRIVATE_KEY_INITIALIZED;
+
+        return 1;
+}
+LCRYPTO_ALIAS(MLKEM_parse_private_key);
diff --git a/src/lib/libcrypto/mlkem/mlkem.h b/src/lib/libcrypto/mlkem/mlkem.h
index 055d92290e..31d4858195 100644
--- a/src/lib/libcrypto/mlkem/mlkem.h
+++ b/src/lib/libcrypto/mlkem/mlkem.h
@@ -1,6 +1,6 @@
-/*      $OpenBSD: mlkem.h,v 1.5 2025/03/28 12:17:16 tb Exp $ */
+/*      $OpenBSD: mlkem.h,v 1.7 2025/08/14 15:48:48 beck Exp $ */
 /*
- * Copyright (c) 2024, Google Inc.
+ * Copyright (c) 2025 Bob Beck <beck@obtuse.com>
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -25,258 +25,203 @@
 extern "C" {
 #endif
 
-/* Hack for now */
-struct cbs_st;
-struct cbb_st;
-
-/*
- * ML-KEM-768
- *
- * This implements the Module-Lattice-Based Key-Encapsulation Mechanism from
- * https://csrc.nist.gov/pubs/fips/204/final
- */
-
 /*
- * MLKEM768_public_key contains a ML-KEM-768 public key. The contents of this
- * object should never leave the address space since the format is unstable.
+ * ML-KEM constants
  */
-struct MLKEM768_public_key {
-        union {
-                uint8_t bytes[512 * (3 + 9) + 32 + 32];
-                uint16_t alignment;
-        } opaque;
-};
 
-/*
- * MLKEM768_private_key contains a ML-KEM-768 private key. The contents of this
- * object should never leave the address space since the format is unstable.
- */
-struct MLKEM768_private_key {
-        union {
-                uint8_t bytes[512 * (3 + 3 + 9) + 32 + 32 + 32];
-                uint16_t alignment;
-        } opaque;
-};
+#define RANK768 3
+#define RANK1024 4
 
 /*
- * MLKEM768_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM768 public
- * key.
+ * ML-KEM keys
  */
-#define MLKEM768_PUBLIC_KEY_BYTES 1184
 
-/* MLKEM_SEED_BYTES is the number of bytes in an ML-KEM seed. */
-#define MLKEM_SEED_BYTES 64
+typedef struct MLKEM_private_key_st MLKEM_private_key;
+typedef struct MLKEM_public_key_st MLKEM_public_key;
 
 /*
- *  MLKEM_SHARED_SECRET_BYTES is the number of bytes in the ML-KEM768 shared
- * secret. Although the round-3 specification has a variable-length output, the
- * final ML-KEM construction is expected to use a fixed 32-byte output. To
- * simplify the future transition, we apply the same restriction.
+ * MLKEM_private_key_new allocates a new uninitialized ML-KEM private key for
+ * |rank|, which must be RANK768 or RANK1024. It returns a pointer to an
+ * allocated structure suitable for holding a generated private key of the
+ * corresponding rank on success, NULL is returned on failure. The caller is
+ * responsible for deallocating the resulting key with |MLKEM_private_key_free|.
  */
-#define MLKEM_SHARED_SECRET_BYTES 32
+MLKEM_private_key *MLKEM_private_key_new(int rank);
 
 /*
- * MLKEM_generate_key generates a random public/private key pair, writes the
- * encoded public key to |out_encoded_public_key| and sets |out_private_key| to
- * the private key. If |optional_out_seed| is not NULL then the seed used to
- * generate the private key is written to it.
+ * MLKEM_private_key_free zeroes and frees all memory for |key| if |key| is
+ * non NULL. If |key| is NULL it does nothing and returns.
  */
-void MLKEM768_generate_key(
-    uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],
-    uint8_t optional_out_seed[MLKEM_SEED_BYTES],
-    struct MLKEM768_private_key *out_private_key);
+void MLKEM_private_key_free(MLKEM_private_key *key);
 
 /*
- * MLKEM768_private_key_from_seed derives a private key from a seed that was
- * generated by |MLKEM768_generate_key|. It fails and returns 0 if |seed_len| is
- * incorrect, otherwise it writes |*out_private_key| and returns 1.
+ * MLKEM_private_key_encoded_length the number of bytes used by the encoded form
+ * of |key|. Thie corresponds to the length of the buffer allocated for the
+ * encoded_public_key from |MLKEM_marshal_private_key|. Zero is returned if
+ * |key| is NULL or has an invalid rank.
  */
-int MLKEM768_private_key_from_seed(struct MLKEM768_private_key *out_private_key,
-    const uint8_t *seed, size_t seed_len);
+size_t MLKEM_private_key_encoded_length(const MLKEM_private_key *key);
 
 /*
- * MLKEM_public_from_private sets |*out_public_key| to the public key that
- * corresponds to |private_key|. (This is faster than parsing the output of
- * |MLKEM_generate_key| if, for some reason, you need to encapsulate to a key
- * that was just generated.)
+ * MLKEM_private_key_ciphertext_length returns the number of bytes of ciphertext
+ * required to decrypt a shared secret with |key| using |MLKEM_decap|. Zero is
+ * returned if |key| is NULL or has an invalid rank.
  */
-void MLKEM768_public_from_private(struct MLKEM768_public_key *out_public_key,
-    const struct MLKEM768_private_key *private_key);
-
-/* MLKEM768_CIPHERTEXT_BYTES is number of bytes in the ML-KEM768 ciphertext. */
-#define MLKEM768_CIPHERTEXT_BYTES 1088
+size_t MLKEM_private_key_ciphertext_length(const MLKEM_private_key *key);
 
 /*
- * MLKEM768_encap encrypts a random shared secret for |public_key|, writes the
- * ciphertext to |out_ciphertext|, and writes the random shared secret to
- * |out_shared_secret|.
+ * MLKEM_public_key_new allocates a new uninitialized ML-KEM public key for
+ * |rank|, which must be RANK768 or RANK1024. It returns a pointer to an
+ * allocated structure suitable for holding a generated public key of the
+ * corresponding rank on success, NULL is returned on failure. The caller is
+ * responsible for deallocating the resulting key with |MLKEM_public_key_free|.
  */
-void MLKEM768_encap(uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const struct MLKEM768_public_key *public_key);
+MLKEM_public_key *MLKEM_public_key_new(int rank);
 
 /*
- * MLKEM768_decap decrypts a shared secret from |ciphertext| using |private_key|
- * and writes it to |out_shared_secret|. If |ciphertext_len| is incorrect it
- * returns 0, otherwise it rreturns 1. If |ciphertext| is invalid,
- * |out_shared_secret| is filled with a key that will always be the same for the
- * same |ciphertext| and |private_key|, but which appears to be random unless
- * one has access to |private_key|. These alternatives occur in constant time.
- * Any subsequent symmetric encryption using |out_shared_secret| must use an
- * authenticated encryption scheme in order to discover the decapsulation
- * failure.
+ * MLKEM_public_key_free zeros and deallocates all memory for |key| if |key| is
+ * non NULL. If |key| is NULL it does nothing and returns.
  */
-int MLKEM768_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const uint8_t *ciphertext, size_t ciphertext_len,
-    const struct MLKEM768_private_key *private_key);
-
-/* Serialisation of keys. */
+void MLKEM_public_key_free(MLKEM_public_key *key);
 
 /*
- * MLKEM768_marshal_public_key serializes |public_key| to |out| in the standard
- * format for ML-KEM public keys. It returns one on success or zero on allocation
- * error.
+ * MLKEM_public_key_encoded_length the number of bytes used by the encoded form
+ * of |key|. Thie corresponds to the length of the buffer allocated for the
+ * encoded_public_key from |MLKEM_generate_key| or |MLKEM_marshal_public_key|.
+ * Zero is returned if |key| is NULL or has an invalid rank.
  */
-int MLKEM768_marshal_public_key(struct cbb_st *out,
-    const struct MLKEM768_public_key *public_key);
+size_t MLKEM_public_key_encoded_length(const MLKEM_public_key *key);
 
 /*
- * MLKEM768_parse_public_key parses a public key, in the format generated by
- * |MLKEM_marshal_public_key|, from |in| and writes the result to
- * |out_public_key|. It returns one on success or zero on parse error or if
- * there are trailing bytes in |in|.
+ * MLKEM_public_key_cipertext_length returns the number of bytes produced as the
+ * ciphertext when encrypting a shared secret with |key| using |MLKEM_encap|. Zero
+ * is returned if |key| is NULL or has an invalid rank.
  */
-int MLKEM768_parse_public_key(struct MLKEM768_public_key *out_public_key,
-    struct cbs_st *in);
+size_t MLKEM_public_key_ciphertext_length(const MLKEM_public_key *key);
 
 /*
- * MLKEM_parse_private_key parses a private key, in the format generated by
- * |MLKEM_marshal_private_key|, from |in| and writes the result to
- * |out_private_key|. It returns one on success or zero on parse error or if
- * there are trailing bytes in |in|. This formate is verbose and should be avoided.
- * Private keys should be stored as seeds and parsed using |MLKEM768_private_key_from_seed|.
+ * ML-KEM operations
  */
-int MLKEM768_parse_private_key(struct MLKEM768_private_key *out_private_key,
-    struct cbs_st *in);
 
 /*
- * ML-KEM-1024
+ * MLKEM_generate_key generates a random private/public key pair, initializing
+ * |private_key|. It returns one on success, and zero on failure or error.
+ * |private_key| must be a new uninitialized key. |*out_encoded_public_key| and
+ * |*out_optional_seed|, if provided, must have the value of NULL. On success, a
+ * pointer to the encoded public key of the correct size for |key| is returned
+ * in |out_encoded_public_key|, and the length in bytes of
+ * |*out_encoded_public_key| is returned in |out_encoded_public_key_len|. If
+ * |out_optional_seed| is not NULL, a pointer to the seed used to generate the
+ * private key is returned in |*out_optional_seed| and the length in bytes of
+ * the seed is returned in |*out_optional_seed_len|. The caller is responsible
+ * for freeing the values returned in |out_encoded_public_key|, and
+ * |out_optional_seed|.
  *
- * ML-KEM-1024 also exists. You should prefer ML-KEM-768 where possible.
+ * In the event a private key needs to be saved, The normal best practice is to
+ * save |out_optional_seed| as the private key, along with the ML-KEM rank value.
+ * An MLKEM_private_key of the correct rank can then be constructed using
+ * |MLKEM_private_key_from_seed|.
  */
+int MLKEM_generate_key(MLKEM_private_key *private_key,
+    uint8_t **out_encoded_public_key, size_t *out_encoded_public_key_len,
+    uint8_t **out_optional_seed, size_t *out_optional_seed_len);
 
 /*
- * MLKEM1024_public_key contains an ML-KEM-1024 public key. The contents of this
- * object should never leave the address space since the format is unstable.
- */
-struct MLKEM1024_public_key {
-        union {
-                uint8_t bytes[512 * (4 + 16) + 32 + 32];
-                uint16_t alignment;
-        } opaque;
-};
-
-/*
- * MLKEM1024_private_key contains a ML-KEM-1024 private key. The contents of
- * this object should never leave the address space since the format is
- * unstable.
- */
-struct MLKEM1024_private_key {
-        union {
-                uint8_t bytes[512 * (4 + 4 + 16) + 32 + 32 + 32];
-                uint16_t alignment;
-        } opaque;
-};
-
-/*
- * MLKEM1024_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-1024
- * public key.
- */
-#define MLKEM1024_PUBLIC_KEY_BYTES 1568
-
-/*
- * MLKEM1024_generate_key generates a random public/private key pair, writes the
- * encoded public key to |out_encoded_public_key| and sets |out_private_key| to
- * the private key. If |optional_out_seed| is not NULL then the seed used to
- * generate the private key is written to it.
+ * MLKEM_private_key_from_seed derives a private key from a seed that was
+ * generated by |MLKEM_generate_key| initializing |private_key|. It returns one
+ * on success, and zero on failure or error. |private_key| must be a new
+ * uninitialized key. |seed_len| must be MLKEM_SEED_LENGTH.
+ *
+ * For |private_key| to match the key generated by |MLKEM_generate_key|,
+ * |private_key| must have been created with the same rank as used when generating
+ * the key.
  */
-void MLKEM1024_generate_key(
-    uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
-    uint8_t optional_out_seed[MLKEM_SEED_BYTES],
-    struct MLKEM1024_private_key *out_private_key);
+int MLKEM_private_key_from_seed(MLKEM_private_key *private_key,
+    const uint8_t *seed, size_t seed_len);
 
 /*
- * MLKEM1024_private_key_from_seed derives a private key from a seed that was
- * generated by |MLKEM1024_generate_key|. It fails and returns 0 if |seed_len|
- * is incorrect, otherwise it writes |*out_private_key| and returns 1.
+ * MLKEM_public_from_private initializes |public_key| with the public key that
+ * corresponds to |private_key|. It returns one on success and zero on
+ * error. This is faster than parsing the output of |MLKEM_generate_key| if, for
+ * some reason, you need to encapsulate to a key that was just
+ * generated. |private key| must be a new uninitialized key, of the same rank as
+ * |public_key|.
  */
-int MLKEM1024_private_key_from_seed(
-    struct MLKEM1024_private_key *out_private_key, const uint8_t *seed,
-    size_t seed_len);
+int MLKEM_public_from_private(const MLKEM_private_key *private_key,
+    MLKEM_public_key *public_key);
 
 /*
- * MLKEM1024_public_from_private sets |*out_public_key| to the public key that
- * corresponds to |private_key|. (This is faster than parsing the output of
- * |MLKEM1024_generate_key| if, for some reason, you need to encapsulate to a
- * key that was just generated.)
+ * MLKEM_encap encrypts a random shared secret for an initialized
+ * |public_key|. It returns one on success, and zero on failure or error. |*out
+ * ciphertext| and |*out_shared_secret| must have the value NULL. On success, a
+ * pointer to the ciphertext of the correct size for |key| is returned in
+ * |out_ciphertext|, the length in bytes of |*out_ciphertext| is returned in
+ * |*out_ciphertext_len|, a pointer to the random shared secret is returned in
+ * |out_shared_secret|, and the length in bytes of |*out_shared_secret| is
+ * returned in |*out_ciphtertext_len|. The caller is responsible for zeroing and
+ * freeing the values returned in |out_ciphertext| and |out_shared_secret|
  */
-void MLKEM1024_public_from_private(struct MLKEM1024_public_key *out_public_key,
-    const struct MLKEM1024_private_key *private_key);
-
-/* MLKEM1024_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-1024 ciphertext. */
-#define MLKEM1024_CIPHERTEXT_BYTES 1568
+int MLKEM_encap(const MLKEM_public_key *public_key,
+    uint8_t **out_ciphertext, size_t *out_ciphertext_len,
+    uint8_t **out_shared_secret, size_t *out_shared_secret_len);
 
 /*
- * MLKEM1024_encap encrypts a random shared secret for |public_key|, writes the
- * ciphertext to |out_ciphertext|, and writes the random shared secret to
- * |out_shared_secret|.
- */
-void MLKEM1024_encap(uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const struct MLKEM1024_public_key *public_key);
-
-/*
- * MLKEM1024_decap decrypts a shared secret from |ciphertext| using
- * |private_key| and writes it to |out_shared_secret|. If |ciphertext_len| is
- * incorrect it returns 0, otherwise it returns 1. If |ciphertext| is invalid
- * (but of the correct length), |out_shared_secret| is filled with a key that
- * will always be the same for the same |ciphertext| and |private_key|, but
- * which appears to be random unless one has access to |private_key|. These
- * alternatives occur in constant time. Any subsequent symmetric encryption
- * using |out_shared_secret| must use an authenticated encryption scheme in
- * order to discover the decapsulation failure.
+ * MLKEM_decap decrypts a shared secret from |ciphertext| using an initialized
+ * |private_key|. It returns a pointer to the shared secret|out_shared_secret|
+ * and the length in bytes of |*out_shared_secret| in |*out_shared_secret_len|.
+ *
+ * If |ciphertext_len| is incorrect for |private_key|, |*out_shared_secret| is
+ * not NULL, or memory can not be allocated, it returns zero, otherwise it
+ * returns one. If |ciphertext| is invalid, a pointer is returned in
+ * |out_shared_secret| pointing to a key that will always be the same for the
+ * same |ciphertext| and |private_key|, but which appears to be random unless
+ * one has access to |private_key|. These alternatives occur in constant time.
+ * Any subsequent symmetric encryption using |out_shared_secret| must use an
+ * authenticated encryption scheme in order to discover the decapsulation
+ * failure. The caller is responsible for zeroing and freeing the value returned
+ * in |out_shared_secret|.
  */
-int MLKEM1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+int MLKEM_decap(const MLKEM_private_key *private_key,
     const uint8_t *ciphertext, size_t ciphertext_len,
-    const struct MLKEM1024_private_key *private_key);
+    uint8_t **out_shared_secret, size_t *out_shared_secret_len);
+
+/* Serialization of ML-KEM keys. */
 
 /*
- * Serialisation of ML-KEM-1024 keys.
- * MLKEM1024_marshal_public_key serializes |public_key| to |out| in the standard
- * format for ML-KEM-1024 public keys. It returns one on success or zero on
- * allocation error.
+ * MLKEM_marshal_public_key serializes an initialized |public_key| in the
+ * standard format for ML-KEM public keys. It returns one on success or zero on
+ * allocation error or failure. |*out| must have the value NULL. On success a
+ * pointer is returned in |out| to the encoded public key matching |public_key|,
+ * and a pointer to the length in bytes of the encoded public key is stored in
+ * |out_len|. The caller is responsible for freeing the values returned in
+ * |out|.
  */
-int MLKEM1024_marshal_public_key(struct cbb_st *out,
-    const struct MLKEM1024_public_key *public_key);
+int MLKEM_marshal_public_key(const MLKEM_public_key *public_key, uint8_t **out,
+    size_t *out_len);
 
 /*
- * MLKEM1024_parse_public_key parses a public key, in the format generated by
- * |MLKEM1024_marshal_public_key|, from |in| and writes the result to
- * |out_public_key|. It returns one on success or zero on parse error or if
- * there are trailing bytes in |in|.
+ * MLKEM_parse_public_key parses a public key, in the format generated by
+ * |MLKEM_marshal_public_key|, from |in|. It returns one on success or zero on
+ * error or failure. |public_key| must be a new uninitialized key. |in_len| must
+ * be the correct length for the encoded format of |public_key. On success
+ * |public_key| is initialized to the value parsed from |in|.
  */
-int MLKEM1024_parse_public_key(struct MLKEM1024_public_key *out_public_key,
-    struct cbs_st *in);
+int MLKEM_parse_public_key(MLKEM_public_key *public_key, const uint8_t *in,
+    size_t in_len);
 
 /*
- * MLKEM1024_parse_private_key parses a private key, in NIST's format for
- * private keys, from |in| and writes the result to |out_private_key|. It
- * returns one on success or zero on parse error or if there are trailing bytes
- * in |in|. This format is verbose and should be avoided. Private keys should be
- * stored as seeds and parsed using |MLKEM1024_private_key_from_seed|.
+ * MLKEM_parse_private_key parses a private key, in the format generated by
+ * |MLKEM_marshal_private_key|, from |in|. It returns one on success or zero on
+ * error or failure. |private_key| must be a new uninitialized key. |in_len|
+ * must be the correct length for the encoded format of |private_key. On success
+ * |private_key| is initialized to the value parsed from |in|.
+ *
+ * This format is wastefully verbose and should be avoided. Private keys should
+ * be stored as seeds from |MLKEM_generate_key|, and then parsed using
+ * |MLKEM_private_key_from_seed|.
  */
-int MLKEM1024_parse_private_key(struct MLKEM1024_private_key *out_private_key,
-    struct cbs_st *in);
+int MLKEM_parse_private_key(MLKEM_private_key *private_key, const uint8_t *in,
+    size_t in_len);
 
 #if defined(__cplusplus)
 }
diff --git a/src/lib/libcrypto/mlkem/mlkem1024.c b/src/lib/libcrypto/mlkem/mlkem1024.c
index f6fccdf6a8..8f4f41f8ff 100644
--- a/src/lib/libcrypto/mlkem/mlkem1024.c
+++ b/src/lib/libcrypto/mlkem/mlkem1024.c
@@ -1,7 +1,7 @@
-/* $OpenBSD: mlkem1024.c,v 1.6 2025/01/03 08:19:24 tb Exp $ */
+/* $OpenBSD: mlkem1024.c,v 1.12 2025/08/14 15:48:48 beck Exp $ */
 /*
  * Copyright (c) 2024, Google Inc.
- * Copyright (c) 2024, Bob Beck <beck@obtuse.com>
+ * Copyright (c) 2024, 2025 Bob Beck <beck@obtuse.com>
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -20,18 +20,14 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include "bytestring.h"
-#include "mlkem.h"
+#include <openssl/mlkem.h>
 
+#include "bytestring.h"
 #include "sha3_internal.h"
 #include "mlkem_internal.h"
 #include "constant_time.h"
 #include "crypto_internal.h"
 
-/* Remove later */
-#undef LCRYPTO_ALIAS
-#define LCRYPTO_ALIAS(A)
-
 /*
  * See
  * https://csrc.nist.gov/pubs/fips/203/final
@@ -80,7 +76,6 @@ kdf(uint8_t out[MLKEM_SHARED_SECRET_BYTES], const uint8_t failure_secret[32],
 }
 
 #define DEGREE 256
-#define RANK1024 4
 
 static const size_t kBarrettMultiplier = 5039;
 static const unsigned kBarrettShift = 24;
@@ -612,6 +607,19 @@ vector_encode(uint8_t *out, const vector *a, int bits)
         }
 }
 
+/* Encodes an entire vector as above, but adding it to a CBB */
+static int
+vector_encode_cbb(CBB *cbb, const vector *a, int bits)
+{
+        uint8_t *encoded_vector;
+
+        if (!CBB_add_space(cbb, &encoded_vector, kEncodedVectorSize))
+                return 0;
+        vector_encode(encoded_vector, a, bits);
+
+        return 1;
+}
+
 /*
  * scalar_decode parses |DEGREE * bits| bits from |in| into |DEGREE| values in
  * |out|. It returns one on success and zero if any parsed value is >=
@@ -793,10 +801,14 @@ struct public_key {
         matrix m;
 };
 
+CTASSERT(sizeof(struct MLKEM1024_public_key) == sizeof(struct public_key));
+
 static struct public_key *
-public_key_1024_from_external(const struct MLKEM1024_public_key *external)
+public_key_1024_from_external(const MLKEM_public_key *external)
 {
-        return (struct public_key *)external;
+        if (external->rank != RANK1024)
+                return NULL;
+        return (struct public_key *)external->key_1024;
 }
 
 struct private_key {
@@ -805,33 +817,36 @@ struct private_key {
         uint8_t fo_failure_secret[32];
 };
 
+CTASSERT(sizeof(struct MLKEM1024_private_key) == sizeof(struct private_key));
+
 static struct private_key *
-private_key_1024_from_external(const struct MLKEM1024_private_key *external)
+private_key_1024_from_external(const MLKEM_private_key *external)
 {
-        return (struct private_key *)external;
+        if (external->rank != RANK1024)
+                return NULL;
+        return (struct private_key *)external->key_1024;
 }
 
 /*
  * Calls |MLKEM1024_generate_key_external_entropy| with random bytes from
  * |RAND_bytes|.
  */
-void
+int
 MLKEM1024_generate_key(uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
     uint8_t optional_out_seed[MLKEM_SEED_BYTES],
-    struct MLKEM1024_private_key *out_private_key)
+    MLKEM_private_key *out_private_key)
 {
         uint8_t entropy_buf[MLKEM_SEED_BYTES];
         uint8_t *entropy = optional_out_seed != NULL ? optional_out_seed :
             entropy_buf;
 
         arc4random_buf(entropy, MLKEM_SEED_BYTES);
-        MLKEM1024_generate_key_external_entropy(out_encoded_public_key,
+        return MLKEM1024_generate_key_external_entropy(out_encoded_public_key,
             out_private_key, entropy);
 }
-LCRYPTO_ALIAS(MLKEM1024_generate_key);
 
 int
-MLKEM1024_private_key_from_seed(struct MLKEM1024_private_key *out_private_key,
+MLKEM1024_private_key_from_seed(MLKEM_private_key *out_private_key,
     const uint8_t *seed, size_t seed_len)
 {
         uint8_t public_key_bytes[MLKEM1024_PUBLIC_KEY_BYTES];
@@ -839,32 +854,22 @@ MLKEM1024_private_key_from_seed(struct MLKEM1024_private_key *out_private_key,
         if (seed_len != MLKEM_SEED_BYTES) {
                 return 0;
         }
-        MLKEM1024_generate_key_external_entropy(public_key_bytes,
+        return MLKEM1024_generate_key_external_entropy(public_key_bytes,
             out_private_key, seed);
-
-        return 1;
 }
-LCRYPTO_ALIAS(MLKEM1024_private_key_from_seed);
 
 static int
 mlkem_marshal_public_key(CBB *out, const struct public_key *pub)
 {
-        uint8_t *vector_output;
-
-        if (!CBB_add_space(out, &vector_output, kEncodedVectorSize)) {
-                return 0;
-        }
-        vector_encode(vector_output, &pub->t, kLog2Prime);
-        if (!CBB_add_bytes(out, pub->rho, sizeof(pub->rho))) {
+        if (!vector_encode_cbb(out, &pub->t, kLog2Prime))
                 return 0;
-        }
-        return 1;
+        return CBB_add_bytes(out, pub->rho, sizeof(pub->rho));
 }
 
-void
+int
 MLKEM1024_generate_key_external_entropy(
     uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
-    struct MLKEM1024_private_key *out_private_key,
+    MLKEM_private_key *out_private_key,
     const uint8_t entropy[MLKEM_SEED_BYTES])
 {
         struct private_key *priv = private_key_1024_from_external(
@@ -875,7 +880,9 @@ MLKEM1024_generate_key_external_entropy(
         uint8_t hashed[64];
         vector error;
         CBB cbb;
+        int ret = 0;
 
+        memset(&cbb, 0, sizeof(CBB));
         memcpy(augmented_seed, entropy, 32);
         augmented_seed[32] = RANK1024;
         hash_g(hashed, augmented_seed, 33);
@@ -890,21 +897,28 @@ MLKEM1024_generate_key_external_entropy(
         matrix_mult_transpose(&priv->pub.t, &priv->pub.m, &priv->s);
         vector_add(&priv->pub.t, &error);
 
-        /* XXX - error checking. */
-        CBB_init_fixed(&cbb, out_encoded_public_key, MLKEM1024_PUBLIC_KEY_BYTES);
-        if (!mlkem_marshal_public_key(&cbb, &priv->pub)) {
-                abort();
-        }
-        CBB_cleanup(&cbb);
+        if (!CBB_init_fixed(&cbb, out_encoded_public_key,
+            MLKEM1024_PUBLIC_KEY_BYTES))
+                goto err;
+
+        if (!mlkem_marshal_public_key(&cbb, &priv->pub))
+                goto err;
 
         hash_h(priv->pub.public_key_hash, out_encoded_public_key,
             MLKEM1024_PUBLIC_KEY_BYTES);
         memcpy(priv->fo_failure_secret, entropy + 32, 32);
+
+        ret = 1;
+
+ err:
+        CBB_cleanup(&cbb);
+
+        return ret;
 }
 
 void
-MLKEM1024_public_from_private(struct MLKEM1024_public_key *out_public_key,
-    const struct MLKEM1024_private_key *private_key)
+MLKEM1024_public_from_private(const MLKEM_private_key *private_key,
+    MLKEM_public_key *out_public_key)
 {
         struct public_key *const pub = public_key_1024_from_external(
             out_public_key);
@@ -913,7 +927,6 @@ MLKEM1024_public_from_private(struct MLKEM1024_public_key *out_public_key,
 
         *pub = priv->pub;
 }
-LCRYPTO_ALIAS(MLKEM1024_public_from_private);
 
 /*
  * Encrypts a message with given randomness to the ciphertext in |out|. Without
@@ -955,9 +968,9 @@ encrypt_cpa(uint8_t out[MLKEM1024_CIPHERTEXT_BYTES],
 
 /* Calls MLKEM1024_encap_external_entropy| with random bytes */
 void
-MLKEM1024_encap(uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const struct MLKEM1024_public_key *public_key)
+MLKEM1024_encap(const MLKEM_public_key *public_key,
+    uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
+    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES])
 {
         uint8_t entropy[MLKEM_ENCAP_ENTROPY];
 
@@ -965,14 +978,13 @@ MLKEM1024_encap(uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
         MLKEM1024_encap_external_entropy(out_ciphertext, out_shared_secret,
             public_key, entropy);
 }
-LCRYPTO_ALIAS(MLKEM1024_encap);
 
 /* See section 6.2 of the spec. */
 void
 MLKEM1024_encap_external_entropy(
     uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
     uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const struct MLKEM1024_public_key *public_key,
+    const MLKEM_public_key *public_key,
     const uint8_t entropy[MLKEM_ENCAP_ENTROPY])
 {
         const struct public_key *pub = public_key_1024_from_external(public_key);
@@ -1008,10 +1020,10 @@ decrypt_cpa(uint8_t out[32], const struct private_key *priv,
 
 /* See section 6.3 */
 int
-MLKEM1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+MLKEM1024_decap(const MLKEM_private_key *private_key,
     const uint8_t *ciphertext, size_t ciphertext_len,
-    const struct MLKEM1024_private_key *private_key)
-{
+    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES])
+ {
         const struct private_key *priv = private_key_1024_from_external(
             private_key);
         uint8_t expected_ciphertext[MLKEM1024_CIPHERTEXT_BYTES];
@@ -1042,16 +1054,29 @@ MLKEM1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
 
         return 1;
 }
-LCRYPTO_ALIAS(MLKEM1024_decap);
 
 int
-MLKEM1024_marshal_public_key(CBB *out,
-    const struct MLKEM1024_public_key *public_key)
+MLKEM1024_marshal_public_key(const MLKEM_public_key *public_key,
+    uint8_t **output, size_t *output_len)
 {
-        return mlkem_marshal_public_key(out,
-            public_key_1024_from_external(public_key));
+        int ret = 0;
+        CBB cbb;
+
+        if (!CBB_init(&cbb, MLKEM1024_PUBLIC_KEY_BYTES))
+                goto err;
+        if (!mlkem_marshal_public_key(&cbb,
+            public_key_1024_from_external(public_key)))
+                goto err;
+        if (!CBB_finish(&cbb, output, output_len))
+                goto err;
+
+        ret = 1;
+
+ err:
+        CBB_cleanup(&cbb);
+
+        return ret;
 }
-LCRYPTO_ALIAS(MLKEM1024_marshal_public_key);
 
 /*
  * mlkem_parse_public_key_no_hash parses |in| into |pub| but doesn't calculate
@@ -1062,10 +1087,11 @@ mlkem_parse_public_key_no_hash(struct public_key *pub, CBS *in)
 {
         CBS t_bytes;
 
-        if (!CBS_get_bytes(in, &t_bytes, kEncodedVectorSize) ||
-            !vector_decode(&pub->t, CBS_data(&t_bytes), kLog2Prime)) {
+        if (!CBS_get_bytes(in, &t_bytes, kEncodedVectorSize))
                 return 0;
-        }
+        if (!vector_decode(&pub->t, CBS_data(&t_bytes), kLog2Prime))
+                return 0;
+
         memcpy(pub->rho, CBS_data(in), sizeof(pub->rho));
         if (!CBS_skip(in, sizeof(pub->rho)))
                 return 0;
@@ -1074,66 +1100,84 @@ mlkem_parse_public_key_no_hash(struct public_key *pub, CBS *in)
 }
 
 int
-MLKEM1024_parse_public_key(struct MLKEM1024_public_key *public_key, CBS *in)
+MLKEM1024_parse_public_key(const uint8_t *input, size_t input_len,
+    MLKEM_public_key *public_key)
 {
         struct public_key *pub = public_key_1024_from_external(public_key);
-        CBS orig_in = *in;
+        CBS cbs;
 
-        if (!mlkem_parse_public_key_no_hash(pub, in) ||
-            CBS_len(in) != 0) {
+        CBS_init(&cbs, input, input_len);
+        if (!mlkem_parse_public_key_no_hash(pub, &cbs))
                 return 0;
-        }
-        hash_h(pub->public_key_hash, CBS_data(&orig_in), CBS_len(&orig_in));
+        if (CBS_len(&cbs) != 0)
+                return 0;
+
+        hash_h(pub->public_key_hash, input, input_len);
+
         return 1;
 }
-LCRYPTO_ALIAS(MLKEM1024_parse_public_key);
 
 int
-MLKEM1024_marshal_private_key(CBB *out,
-    const struct MLKEM1024_private_key *private_key)
+MLKEM1024_marshal_private_key(const MLKEM_private_key *private_key,
+    uint8_t **out_private_key, size_t *out_private_key_len)
 {
         const struct private_key *const priv = private_key_1024_from_external(
             private_key);
-        uint8_t *s_output;
+        CBB cbb;
+        int ret = 0;
 
-        if (!CBB_add_space(out, &s_output, kEncodedVectorSize)) {
-                return 0;
-        }
-        vector_encode(s_output, &priv->s, kLog2Prime);
-        if (!mlkem_marshal_public_key(out, &priv->pub) ||
-            !CBB_add_bytes(out, priv->pub.public_key_hash,
-            sizeof(priv->pub.public_key_hash)) ||
-            !CBB_add_bytes(out, priv->fo_failure_secret,
-            sizeof(priv->fo_failure_secret))) {
-                return 0;
-        }
-        return 1;
+        if (!CBB_init(&cbb, MLKEM1024_PRIVATE_KEY_BYTES))
+                goto err;
+
+        if (!vector_encode_cbb(&cbb, &priv->s, kLog2Prime))
+                goto err;
+        if (!mlkem_marshal_public_key(&cbb, &priv->pub))
+                goto err;
+        if (!CBB_add_bytes(&cbb, priv->pub.public_key_hash,
+            sizeof(priv->pub.public_key_hash)))
+                goto err;
+        if (!CBB_add_bytes(&cbb, priv->fo_failure_secret,
+            sizeof(priv->fo_failure_secret)))
+                goto err;
+
+        if (!CBB_finish(&cbb, out_private_key, out_private_key_len))
+                goto err;
+
+        ret = 1;
+
+ err:
+        CBB_cleanup(&cbb);
+
+        return ret;
 }
 
 int
-MLKEM1024_parse_private_key(struct MLKEM1024_private_key *out_private_key,
-    CBS *in)
+MLKEM1024_parse_private_key(const uint8_t *input, size_t input_len,
+    MLKEM_private_key *out_private_key)
 {
         struct private_key *const priv = private_key_1024_from_external(
             out_private_key);
-        CBS s_bytes;
+        CBS cbs, s_bytes;
+
+        CBS_init(&cbs, input, input_len);
 
-        if (!CBS_get_bytes(in, &s_bytes, kEncodedVectorSize) ||
-            !vector_decode(&priv->s, CBS_data(&s_bytes), kLog2Prime) ||
-            !mlkem_parse_public_key_no_hash(&priv->pub, in)) {
+        if (!CBS_get_bytes(&cbs, &s_bytes, kEncodedVectorSize))
                 return 0;
-        }
-        memcpy(priv->pub.public_key_hash, CBS_data(in),
+        if (!vector_decode(&priv->s, CBS_data(&s_bytes), kLog2Prime))
+                return 0;
+        if (!mlkem_parse_public_key_no_hash(&priv->pub, &cbs))
+                return 0;
+
+        memcpy(priv->pub.public_key_hash, CBS_data(&cbs),
             sizeof(priv->pub.public_key_hash));
-        if (!CBS_skip(in, sizeof(priv->pub.public_key_hash)))
+        if (!CBS_skip(&cbs, sizeof(priv->pub.public_key_hash)))
                 return 0;
-        memcpy(priv->fo_failure_secret, CBS_data(in),
+        memcpy(priv->fo_failure_secret, CBS_data(&cbs),
             sizeof(priv->fo_failure_secret));
-        if (!CBS_skip(in, sizeof(priv->fo_failure_secret)))
+        if (!CBS_skip(&cbs, sizeof(priv->fo_failure_secret)))
                 return 0;
-        if (CBS_len(in) != 0)
+        if (CBS_len(&cbs) != 0)
                 return 0;
 
         return 1;
 }
-LCRYPTO_ALIAS(MLKEM1024_parse_private_key);
diff --git a/src/lib/libcrypto/mlkem/mlkem768.c b/src/lib/libcrypto/mlkem/mlkem768.c
index bacde0c0b7..1a44b9413f 100644
--- a/src/lib/libcrypto/mlkem/mlkem768.c
+++ b/src/lib/libcrypto/mlkem/mlkem768.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mlkem768.c,v 1.7 2025/01/03 08:19:24 tb Exp $ */
+/* $OpenBSD: mlkem768.c,v 1.13 2025/08/14 15:48:48 beck Exp $ */
 /*
  * Copyright (c) 2024, Google Inc.
  * Copyright (c) 2024, Bob Beck <beck@obtuse.com>
@@ -19,19 +19,16 @@
 #include <assert.h>
 #include <stdlib.h>
 #include <string.h>
+#include <stdio.h>
 
-#include "bytestring.h"
-#include "mlkem.h"
+#include <openssl/mlkem.h>
 
+#include "bytestring.h"
 #include "sha3_internal.h"
 #include "mlkem_internal.h"
 #include "constant_time.h"
 #include "crypto_internal.h"
 
-/* Remove later */
-#undef LCRYPTO_ALIAS
-#define LCRYPTO_ALIAS(A)
-
 /*
  * See
  * https://csrc.nist.gov/pubs/fips/203/final
@@ -80,7 +77,6 @@ kdf(uint8_t out[MLKEM_SHARED_SECRET_BYTES], const uint8_t failure_secret[32],
 }
 
 #define DEGREE 256
-#define RANK768 3
 
 static const size_t kBarrettMultiplier = 5039;
 static const unsigned kBarrettShift = 24;
@@ -89,6 +85,7 @@ static const int kLog2Prime = 12;
 static const uint16_t kHalfPrime = (/*kPrime=*/3329 - 1) / 2;
 static const int kDU768 = 10;
 static const int kDV768 = 4;
+
 /*
  * kInverseDegree is 128^-1 mod 3329; 128 because kPrime does not have a 512th
  * root of unity.
@@ -611,6 +608,19 @@ vector_encode(uint8_t *out, const vector *a, int bits)
         }
 }
 
+/* Encodes an entire vector as above, but adding it to a CBB */
+static int
+vector_encode_cbb(CBB *cbb, const vector *a, int bits)
+{
+        uint8_t *encoded_vector;
+
+        if (!CBB_add_space(cbb, &encoded_vector, kEncodedVectorSize))
+                return 0;
+        vector_encode(encoded_vector, a, bits);
+
+        return 1;
+}
+
 /*
  * scalar_decode parses |DEGREE * bits| bits from |in| into |DEGREE| values in
  * |out|. It returns one on success and zero if any parsed value is >=
@@ -792,10 +802,14 @@ struct public_key {
         matrix m;
 };
 
+CTASSERT(sizeof(struct MLKEM768_public_key) == sizeof(struct public_key));
+
 static struct public_key *
-public_key_768_from_external(const struct MLKEM768_public_key *external)
+public_key_768_from_external(const MLKEM_public_key *external)
 {
-        return (struct public_key *)external;
+        if (external->rank != RANK768)
+                return NULL;
+        return (struct public_key *)external->key_768;
 }
 
 struct private_key {
@@ -804,66 +818,60 @@ struct private_key {
         uint8_t fo_failure_secret[32];
 };
 
+CTASSERT(sizeof(struct MLKEM768_private_key) == sizeof(struct private_key));
+
 static struct private_key *
-private_key_768_from_external(const struct MLKEM768_private_key *external)
+private_key_768_from_external(const MLKEM_private_key *external)
 {
-        return (struct private_key *)external;
+        if (external->rank != RANK768)
+                return NULL;
+        return (struct private_key *)external->key_768;
 }
 
 /*
  * Calls |MLKEM768_generate_key_external_entropy| with random bytes from
  * |RAND_bytes|.
  */
-void
+int
 MLKEM768_generate_key(uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],
     uint8_t optional_out_seed[MLKEM_SEED_BYTES],
-    struct MLKEM768_private_key *out_private_key)
+    MLKEM_private_key *out_private_key)
 {
         uint8_t entropy_buf[MLKEM_SEED_BYTES];
         uint8_t *entropy = optional_out_seed != NULL ? optional_out_seed :
             entropy_buf;
 
         arc4random_buf(entropy, MLKEM_SEED_BYTES);
-        MLKEM768_generate_key_external_entropy(out_encoded_public_key,
+        return MLKEM768_generate_key_external_entropy(out_encoded_public_key,
             out_private_key, entropy);
 }
-LCRYPTO_ALIAS(MLKEM768_generate_key);
 
 int
-MLKEM768_private_key_from_seed(struct MLKEM768_private_key *out_private_key,
-    const uint8_t *seed, size_t seed_len)
+MLKEM768_private_key_from_seed(const uint8_t *seed, size_t seed_len,
+    MLKEM_private_key *out_private_key)
 {
+        /* XXX stack */
         uint8_t public_key_bytes[MLKEM768_PUBLIC_KEY_BYTES];
 
         if (seed_len != MLKEM_SEED_BYTES) {
                 return 0;
         }
-        MLKEM768_generate_key_external_entropy(public_key_bytes,
+        return MLKEM768_generate_key_external_entropy(public_key_bytes,
             out_private_key, seed);
-
-        return 1;
 }
-LCRYPTO_ALIAS(MLKEM768_private_key_from_seed);
 
 static int
 mlkem_marshal_public_key(CBB *out, const struct public_key *pub)
 {
-        uint8_t *vector_output;
-
-        if (!CBB_add_space(out, &vector_output, kEncodedVectorSize)) {
-                return 0;
-        }
-        vector_encode(vector_output, &pub->t, kLog2Prime);
-        if (!CBB_add_bytes(out, pub->rho, sizeof(pub->rho))) {
+        if (!vector_encode_cbb(out, &pub->t, kLog2Prime))
                 return 0;
-        }
-        return 1;
+        return CBB_add_bytes(out, pub->rho, sizeof(pub->rho));
 }
 
-void
+int
 MLKEM768_generate_key_external_entropy(
     uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],
-    struct MLKEM768_private_key *out_private_key,
+    MLKEM_private_key *out_private_key,
     const uint8_t entropy[MLKEM_SEED_BYTES])
 {
         struct private_key *priv = private_key_768_from_external(
@@ -874,7 +882,9 @@ MLKEM768_generate_key_external_entropy(
         uint8_t hashed[64];
         vector error;
         CBB cbb;
+        int ret = 0;
 
+        memset(&cbb, 0, sizeof(CBB));
         memcpy(augmented_seed, entropy, 32);
         augmented_seed[32] = RANK768;
         hash_g(hashed, augmented_seed, 33);
@@ -889,22 +899,28 @@ MLKEM768_generate_key_external_entropy(
         matrix_mult_transpose(&priv->pub.t, &priv->pub.m, &priv->s);
         vector_add(&priv->pub.t, &error);
 
-        /* XXX - error checking */
-        CBB_init_fixed(&cbb, out_encoded_public_key, MLKEM768_PUBLIC_KEY_BYTES);
-        if (!mlkem_marshal_public_key(&cbb, &priv->pub)) {
-                abort();
-        }
-        CBB_cleanup(&cbb);
+        if (!CBB_init_fixed(&cbb, out_encoded_public_key,
+            MLKEM768_PUBLIC_KEY_BYTES))
+                goto err;
+
+        if (!mlkem_marshal_public_key(&cbb, &priv->pub))
+                goto err;
 
         hash_h(priv->pub.public_key_hash, out_encoded_public_key,
             MLKEM768_PUBLIC_KEY_BYTES);
         memcpy(priv->fo_failure_secret, entropy + 32, 32);
+
+        ret = 1;
+
+ err:
+        CBB_cleanup(&cbb);
+
+        return ret;
 }
 
 void
-MLKEM768_public_from_private(struct MLKEM768_public_key *out_public_key,
-    const struct MLKEM768_private_key *private_key)
-{
+MLKEM768_public_from_private(const MLKEM_private_key *private_key,
+    MLKEM_public_key *out_public_key) {
         struct public_key *const pub = public_key_768_from_external(
             out_public_key);
         const struct private_key *const priv = private_key_768_from_external(
@@ -912,7 +928,6 @@ MLKEM768_public_from_private(struct MLKEM768_public_key *out_public_key,
 
         *pub = priv->pub;
 }
-LCRYPTO_ALIAS(MLKEM768_public_from_private);
 
 /*
  * Encrypts a message with given randomness to the ciphertext in |out|. Without
@@ -954,24 +969,23 @@ encrypt_cpa(uint8_t out[MLKEM768_CIPHERTEXT_BYTES],
 
 /* Calls MLKEM768_encap_external_entropy| with random bytes */
 void
-MLKEM768_encap(uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const struct MLKEM768_public_key *public_key)
+MLKEM768_encap(const MLKEM_public_key *public_key,
+    uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
+    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES])
 {
         uint8_t entropy[MLKEM_ENCAP_ENTROPY];
 
         arc4random_buf(entropy, MLKEM_ENCAP_ENTROPY);
-        MLKEM768_encap_external_entropy(out_ciphertext, out_shared_secret,
-            public_key, entropy);
+        MLKEM768_encap_external_entropy(out_ciphertext,
+            out_shared_secret, public_key, entropy);
 }
-LCRYPTO_ALIAS(MLKEM768_encap);
 
 /* See section 6.2 of the spec. */
 void
 MLKEM768_encap_external_entropy(
     uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
     uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const struct MLKEM768_public_key *public_key,
+    const MLKEM_public_key *public_key,
     const uint8_t entropy[MLKEM_ENCAP_ENTROPY])
 {
         const struct public_key *pub = public_key_768_from_external(public_key);
@@ -1007,9 +1021,8 @@ decrypt_cpa(uint8_t out[32], const struct private_key *priv,
 
 /* See section 6.3 */
 int
-MLKEM768_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const uint8_t *ciphertext, size_t ciphertext_len,
-    const struct MLKEM768_private_key *private_key)
+MLKEM768_decap(const MLKEM_private_key *private_key, const uint8_t *ciphertext,
+    size_t ciphertext_len, uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES])
 {
         const struct private_key *priv = private_key_768_from_external(
             private_key);
@@ -1041,16 +1054,29 @@ MLKEM768_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
 
         return 1;
 }
-LCRYPTO_ALIAS(MLKEM768_decap);
 
 int
-MLKEM768_marshal_public_key(CBB *out,
-    const struct MLKEM768_public_key *public_key)
+MLKEM768_marshal_public_key(const MLKEM_public_key *public_key,
+    uint8_t **output, size_t *output_len)
 {
-        return mlkem_marshal_public_key(out,
-            public_key_768_from_external(public_key));
+        int ret = 0;
+        CBB cbb;
+
+        if (!CBB_init(&cbb, MLKEM768_PUBLIC_KEY_BYTES))
+                goto err;
+        if (!mlkem_marshal_public_key(&cbb,
+            public_key_768_from_external(public_key)))
+                goto err;
+        if (!CBB_finish(&cbb, output, output_len))
+                goto err;
+
+        ret = 1;
+
+ err:
+        CBB_cleanup(&cbb);
+
+        return ret;
 }
-LCRYPTO_ALIAS(MLKEM768_marshal_public_key);
 
 /*
  * mlkem_parse_public_key_no_hash parses |in| into |pub| but doesn't calculate
@@ -1061,10 +1087,11 @@ mlkem_parse_public_key_no_hash(struct public_key *pub, CBS *in)
 {
         CBS t_bytes;
 
-        if (!CBS_get_bytes(in, &t_bytes, kEncodedVectorSize) ||
-            !vector_decode(&pub->t, CBS_data(&t_bytes), kLog2Prime)) {
+        if (!CBS_get_bytes(in, &t_bytes, kEncodedVectorSize))
                 return 0;
-        }
+        if (!vector_decode(&pub->t, CBS_data(&t_bytes), kLog2Prime))
+                return 0;
+
         memcpy(pub->rho, CBS_data(in), sizeof(pub->rho));
         if (!CBS_skip(in, sizeof(pub->rho)))
                 return 0;
@@ -1073,66 +1100,84 @@ mlkem_parse_public_key_no_hash(struct public_key *pub, CBS *in)
 }
 
 int
-MLKEM768_parse_public_key(struct MLKEM768_public_key *public_key, CBS *in)
+MLKEM768_parse_public_key(const uint8_t *input, size_t input_len,
+    MLKEM_public_key *public_key)
 {
         struct public_key *pub = public_key_768_from_external(public_key);
-        CBS orig_in = *in;
+        CBS cbs;
 
-        if (!mlkem_parse_public_key_no_hash(pub, in) ||
-            CBS_len(in) != 0) {
+        CBS_init(&cbs, input, input_len);
+        if (!mlkem_parse_public_key_no_hash(pub, &cbs))
                 return 0;
-        }
-        hash_h(pub->public_key_hash, CBS_data(&orig_in), CBS_len(&orig_in));
+        if (CBS_len(&cbs) != 0)
+                return 0;
+
+        hash_h(pub->public_key_hash, input, input_len);
+
         return 1;
 }
-LCRYPTO_ALIAS(MLKEM768_parse_public_key);
 
 int
-MLKEM768_marshal_private_key(CBB *out,
-    const struct MLKEM768_private_key *private_key)
+MLKEM768_marshal_private_key(const MLKEM_private_key *private_key,
+    uint8_t **out_private_key, size_t *out_private_key_len)
 {
         const struct private_key *const priv = private_key_768_from_external(
             private_key);
-        uint8_t *s_output;
+        CBB cbb;
+        int ret = 0;
 
-        if (!CBB_add_space(out, &s_output, kEncodedVectorSize)) {
-                return 0;
-        }
-        vector_encode(s_output, &priv->s, kLog2Prime);
-        if (!mlkem_marshal_public_key(out, &priv->pub) ||
-            !CBB_add_bytes(out, priv->pub.public_key_hash,
-            sizeof(priv->pub.public_key_hash)) ||
-            !CBB_add_bytes(out, priv->fo_failure_secret,
-            sizeof(priv->fo_failure_secret))) {
-                return 0;
-        }
-        return 1;
+        if (!CBB_init(&cbb, MLKEM768_PRIVATE_KEY_BYTES))
+                goto err;
+
+        if (!vector_encode_cbb(&cbb, &priv->s, kLog2Prime))
+                goto err;
+        if (!mlkem_marshal_public_key(&cbb, &priv->pub))
+                goto err;
+        if (!CBB_add_bytes(&cbb, priv->pub.public_key_hash,
+            sizeof(priv->pub.public_key_hash)))
+                goto err;
+        if (!CBB_add_bytes(&cbb, priv->fo_failure_secret,
+            sizeof(priv->fo_failure_secret)))
+                goto err;
+
+        if (!CBB_finish(&cbb, out_private_key, out_private_key_len))
+                goto err;
+
+        ret = 1;
+
+ err:
+        CBB_cleanup(&cbb);
+
+        return ret;
 }
 
 int
-MLKEM768_parse_private_key(struct MLKEM768_private_key *out_private_key,
-    CBS *in)
+MLKEM768_parse_private_key(const uint8_t *input, size_t input_len,
+    MLKEM_private_key *out_private_key)
 {
         struct private_key *const priv = private_key_768_from_external(
             out_private_key);
-        CBS s_bytes;
+        CBS cbs, s_bytes;
+
+        CBS_init(&cbs, input, input_len);
 
-        if (!CBS_get_bytes(in, &s_bytes, kEncodedVectorSize) ||
-            !vector_decode(&priv->s, CBS_data(&s_bytes), kLog2Prime) ||
-            !mlkem_parse_public_key_no_hash(&priv->pub, in)) {
+        if (!CBS_get_bytes(&cbs, &s_bytes, kEncodedVectorSize))
                 return 0;
-        }
-        memcpy(priv->pub.public_key_hash, CBS_data(in),
+        if (!vector_decode(&priv->s, CBS_data(&s_bytes), kLog2Prime))
+                return 0;
+        if (!mlkem_parse_public_key_no_hash(&priv->pub, &cbs))
+                return 0;
+
+        memcpy(priv->pub.public_key_hash, CBS_data(&cbs),
             sizeof(priv->pub.public_key_hash));
-        if (!CBS_skip(in, sizeof(priv->pub.public_key_hash)))
+        if (!CBS_skip(&cbs, sizeof(priv->pub.public_key_hash)))
                 return 0;
-        memcpy(priv->fo_failure_secret, CBS_data(in),
+        memcpy(priv->fo_failure_secret, CBS_data(&cbs),
             sizeof(priv->fo_failure_secret));
-        if (!CBS_skip(in, sizeof(priv->fo_failure_secret)))
+        if (!CBS_skip(&cbs, sizeof(priv->fo_failure_secret)))
                 return 0;
-        if (CBS_len(in) != 0)
+        if (CBS_len(&cbs) != 0)
                 return 0;
 
         return 1;
 }
-LCRYPTO_ALIAS(MLKEM768_parse_private_key);
diff --git a/src/lib/libcrypto/mlkem/mlkem_internal.h b/src/lib/libcrypto/mlkem/mlkem_internal.h
index d3f325932f..776f8aac17 100644
--- a/src/lib/libcrypto/mlkem/mlkem_internal.h
+++ b/src/lib/libcrypto/mlkem/mlkem_internal.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mlkem_internal.h,v 1.4 2024/12/19 23:52:26 tb Exp $ */
+/*      $OpenBSD: mlkem_internal.h,v 1.8 2025/08/14 15:48:48 beck Exp $ */
 /*
  * Copyright (c) 2023, Google Inc.
  *
@@ -26,6 +26,253 @@ extern "C" {
 #endif
 
 __BEGIN_HIDDEN_DECLS
+/*
+ * MLKEM_SEED_LENGTH is the number of bytes in an ML-KEM seed. An ML-KEM
+ * seed is normally used to represent a private key.
+ */
+#define MLKEM_SEED_LENGTH 64
+
+/*
+ * MLKEM_SHARED_SECRET_LENGTH is the number of bytes in an ML-KEM shared
+ * secret.
+ */
+#define MLKEM_SHARED_SECRET_LENGTH 32
+
+/*
+ * |MLKEM_encap_external_entropy| behaves exactly like the public |MLKEM_encap|
+ * with the entropy provided by the caller. It is directly called internally
+ * and by tests.
+ */
+int
+MLKEM_encap_external_entropy(const MLKEM_public_key *public_key,
+    const uint8_t *entropy, uint8_t **out_ciphertext,
+    size_t *out_ciphertext_len, uint8_t **out_shared_secret,
+    size_t *out_shared_secret_len);
+
+/*
+ * |MLKEM_generate_key_external_entropy| behaves exactly like the public
+ * |MLKEM_generate_key| with the entropy provided by the caller.
+ * It is directly called internally and by tests.
+ */
+int
+MLKEM_generate_key_external_entropy(MLKEM_private_key *private_key,
+    uint8_t **out_encoded_public_key, size_t *out_encoded_public_key_len,
+    const uint8_t *entropy);
+/*
+ * Marshals a private key to encoded format, used for NIST tests.
+ */
+int MLKEM_marshal_private_key(const MLKEM_private_key *private_key,
+    uint8_t **out, size_t *out_len);
+
+/*
+ * ML-KEM-768
+ *
+ * This implements the Module-Lattice-Based Key-Encapsulation Mechanism from
+ * https://csrc.nist.gov/pubs/fips/204/final
+ */
+
+/*
+ * MLKEM768_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM768 public
+ * key.
+ */
+#define MLKEM768_PUBLIC_KEY_BYTES 1184
+
+/* MLKEM_SEED_BYTES is the number of bytes in an ML-KEM seed. */
+#define MLKEM_SEED_BYTES 64
+
+/*
+ *  MLKEM_SHARED_SECRET_BYTES is the number of bytes in the ML-KEM768 shared
+ * secret. Although the round-3 specification has a variable-length output, the
+ * final ML-KEM construction is expected to use a fixed 32-byte output. To
+ * simplify the future transition, we apply the same restriction.
+ */
+#define MLKEM_SHARED_SECRET_BYTES 32
+
+/*
+ * MLKEM_generate_key generates a random public/private key pair, writes the
+ * encoded public key to |out_encoded_public_key| and sets |out_private_key| to
+ * the private key. If |optional_out_seed| is not NULL then the seed used to
+ * generate the private key is written to it.
+ */
+int MLKEM768_generate_key(
+    uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],
+    uint8_t optional_out_seed[MLKEM_SEED_BYTES],
+    MLKEM_private_key *out_private_key);
+
+/*
+ * MLKEM768_private_key_from_seed derives a private key from a seed that was
+ * generated by |MLKEM768_generate_key|. It fails and returns 0 if |seed_len| is
+ * incorrect, otherwise it writes |*out_private_key| and returns 1.
+ */
+int MLKEM768_private_key_from_seed(const uint8_t *seed, size_t seed_len,
+    MLKEM_private_key *out_private_key);
+
+/*
+ * MLKEM_public_from_private sets |*out_public_key| to the public key that
+ * corresponds to |private_key|. (This is faster than parsing the output of
+ * |MLKEM_generate_key| if, for some reason, you need to encapsulate to a key
+ * that was just generated.)
+ */
+void MLKEM768_public_from_private(const MLKEM_private_key *private_key,
+    MLKEM_public_key *out_public_key);
+
+/* MLKEM768_CIPHERTEXT_BYTES is number of bytes in the ML-KEM768 ciphertext. */
+#define MLKEM768_CIPHERTEXT_BYTES 1088
+
+/*
+ * MLKEM768_encap encrypts a random shared secret for |public_key|, writes the
+ * ciphertext to |out_ciphertext|, and writes the random shared secret to
+ * |out_shared_secret|.
+ */
+void MLKEM768_encap(const MLKEM_public_key *public_key,
+    uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
+    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES]);
+
+/*
+ * MLKEM768_decap decrypts a shared secret from |ciphertext| using |private_key|
+ * and writes it to |out_shared_secret|. If |ciphertext_len| is incorrect it
+ * returns 0, otherwise it rreturns 1. If |ciphertext| is invalid,
+ * |out_shared_secret| is filled with a key that will always be the same for the
+ * same |ciphertext| and |private_key|, but which appears to be random unless
+ * one has access to |private_key|. These alternatives occur in constant time.
+ * Any subsequent symmetric encryption using |out_shared_secret| must use an
+ * authenticated encryption scheme in order to discover the decapsulation
+ * failure.
+ */
+int MLKEM768_decap(const MLKEM_private_key *private_key,
+    const uint8_t *ciphertext, size_t ciphertext_len,
+    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES]);
+
+/* Serialisation of keys. */
+
+/*
+ * MLKEM768_marshal_public_key serializes |public_key| to |out| in the standard
+ * format for ML-KEM public keys. It returns one on success or zero on allocation
+ * error.
+ */
+int MLKEM768_marshal_public_key(const MLKEM_public_key *public_key,
+    uint8_t **output, size_t *output_len);
+
+/*
+ * MLKEM768_parse_public_key parses a public key, in the format generated by
+ * |MLKEM_marshal_public_key|, from |in| and writes the result to
+ * |out_public_key|. It returns one on success or zero on parse error or if
+ * there are trailing bytes in |in|.
+ */
+int MLKEM768_parse_public_key(const uint8_t *input, size_t input_len,
+    MLKEM_public_key *out_public_key);
+
+/*
+ * MLKEM_parse_private_key parses a private key, in the format generated by
+ * |MLKEM_marshal_private_key|, from |in| and writes the result to
+ * |out_private_key|. It returns one on success or zero on parse error or if
+ * there are trailing bytes in |in|. This formate is verbose and should be avoided.
+ * Private keys should be stored as seeds and parsed using |MLKEM768_private_key_from_seed|.
+ */
+int MLKEM768_parse_private_key(const uint8_t *input, size_t input_len,
+    MLKEM_private_key *out_private_key);
+
+/*
+ * ML-KEM-1024
+ *
+ * ML-KEM-1024 also exists. You should prefer ML-KEM-768 where possible.
+ */
+
+/*
+ * MLKEM1024_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-1024
+ * public key.
+ */
+#define MLKEM1024_PUBLIC_KEY_BYTES 1568
+
+/*
+ * MLKEM1024_generate_key generates a random public/private key pair, writes the
+ * encoded public key to |out_encoded_public_key| and sets |out_private_key| to
+ * the private key. If |optional_out_seed| is not NULL then the seed used to
+ * generate the private key is written to it.
+ */
+int MLKEM1024_generate_key(
+    uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
+    uint8_t optional_out_seed[MLKEM_SEED_BYTES],
+    MLKEM_private_key *out_private_key);
+
+/*
+ * MLKEM1024_private_key_from_seed derives a private key from a seed that was
+ * generated by |MLKEM1024_generate_key|. It fails and returns 0 if |seed_len|
+ * is incorrect, otherwise it writes |*out_private_key| and returns 1.
+ */
+int MLKEM1024_private_key_from_seed(
+    MLKEM_private_key *out_private_key, const uint8_t *seed,
+    size_t seed_len);
+
+/*
+ * MLKEM1024_public_from_private sets |*out_public_key| to the public key that
+ * corresponds to |private_key|. (This is faster than parsing the output of
+ * |MLKEM1024_generate_key| if, for some reason, you need to encapsulate to a
+ * key that was just generated.)
+ */
+void MLKEM1024_public_from_private(const MLKEM_private_key *private_key,
+    MLKEM_public_key *out_public_key);
+
+/* MLKEM1024_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-1024 ciphertext. */
+#define MLKEM1024_CIPHERTEXT_BYTES 1568
+
+/*
+ * MLKEM1024_encap encrypts a random shared secret for |public_key|, writes the
+ * ciphertext to |out_ciphertext|, and writes the random shared secret to
+ * |out_shared_secret|.
+ */
+void MLKEM1024_encap(const MLKEM_public_key *public_key,
+    uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
+    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES]);
+
+
+/*
+ * MLKEM1024_decap decrypts a shared secret from |ciphertext| using
+ * |private_key| and writes it to |out_shared_secret|. If |ciphertext_len| is
+ * incorrect it returns 0, otherwise it returns 1. If |ciphertext| is invalid
+ * (but of the correct length), |out_shared_secret| is filled with a key that
+ * will always be the same for the same |ciphertext| and |private_key|, but
+ * which appears to be random unless one has access to |private_key|. These
+ * alternatives occur in constant time. Any subsequent symmetric encryption
+ * using |out_shared_secret| must use an authenticated encryption scheme in
+ * order to discover the decapsulation failure.
+ */
+int MLKEM1024_decap(const MLKEM_private_key *private_key,
+    const uint8_t *ciphertext, size_t ciphertext_len,
+    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES]);
+
+/*
+ * Serialisation of ML-KEM-1024 keys.
+ * MLKEM1024_marshal_public_key serializes |public_key| to |out| in the standard
+ * format for ML-KEM-1024 public keys. It returns one on success or zero on
+ * allocation error.
+ */
+int MLKEM1024_marshal_public_key(const MLKEM_public_key *public_key,
+    uint8_t **output, size_t *output_len);
+
+
+/*
+ * MLKEM1024_parse_public_key parses a public key, in the format generated by
+ * |MLKEM1024_marshal_public_key|, from |in| and writes the result to
+ * |out_public_key|. It returns one on success or zero on parse error or if
+ * there are trailing bytes in |in|.
+ */
+int MLKEM1024_parse_public_key(const uint8_t *input, size_t input_len,
+    MLKEM_public_key *out_public_key);
+
+
+/*
+ * MLKEM1024_parse_private_key parses a private key, in NIST's format for
+ * private keys, from |in| and writes the result to |out_private_key|. It
+ * returns one on success or zero on parse error or if there are trailing bytes
+ * in |in|. This format is verbose and should be avoided. Private keys should be
+ * stored as seeds and parsed using |MLKEM1024_private_key_from_seed|.
+ */
+int MLKEM1024_parse_private_key(const uint8_t *input, size_t input_len,
+ MLKEM_private_key *out_private_key);
+
+
+/* XXXX Truly internal stuff below, also in need of de-duping */
 
 /*
  * MLKEM_ENCAP_ENTROPY is the number of bytes of uniformly random entropy
@@ -35,15 +282,58 @@ __BEGIN_HIDDEN_DECLS
 #define MLKEM_ENCAP_ENTROPY 32
 
 /*
+ * MLKEM768_public_key contains a ML-KEM-768 public key. The contents of this
+ * object should never leave the address space since the format is unstable.
+ */
+struct MLKEM768_public_key {
+        union {
+                uint8_t bytes[512 * (3 + 9) + 32 + 32];
+                uint16_t alignment;
+        } opaque;
+};
+
+/*
+ * MLKEM768_private_key contains a ML-KEM-768 private key. The contents of this
+ * object should never leave the address space since the format is unstable.
+ */
+struct MLKEM768_private_key {
+        union {
+                uint8_t bytes[512 * (3 + 3 + 9) + 32 + 32 + 32];
+                uint16_t alignment;
+        } opaque;
+};
+
+/* Public opaque ML-KEM key structures. */
+
+#define MLKEM_PUBLIC_KEY_UNINITIALIZED 1
+#define MLKEM_PUBLIC_KEY_INITIALIZED 2
+#define MLKEM_PRIVATE_KEY_UNINITIALIZED 3
+#define MLKEM_PRIVATE_KEY_INITIALIZED 4
+
+struct MLKEM_public_key_st {
+        uint16_t rank;
+        int state;
+        struct MLKEM768_public_key *key_768;
+        struct MLKEM1024_public_key *key_1024;
+};
+
+struct MLKEM_private_key_st {
+        uint16_t rank;
+        int state;
+        struct MLKEM768_private_key *key_768;
+        struct MLKEM1024_private_key *key_1024;
+};
+
+/*
  * MLKEM768_generate_key_external_entropy is a deterministic function to create a
  * pair of ML-KEM 768 keys, using the supplied entropy. The entropy needs to be
  * uniformly random generated. This function is should only be used for tests,
  * regular callers should use the non-deterministic |MLKEM_generate_key|
  * directly.
  */
-void MLKEM768_generate_key_external_entropy(
+int MLKEM768_generate_key_external_entropy(
     uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],
-    struct MLKEM768_private_key *out_private_key,
+    MLKEM_private_key *out_private_key,
     const uint8_t entropy[MLKEM_SEED_BYTES]);
 
 /*
@@ -57,11 +347,11 @@ void MLKEM768_generate_key_external_entropy(
  * format for ML-KEM private keys. It returns one on success or zero on
  * allocation error.
  */
-int MLKEM768_marshal_private_key(CBB *out,
-    const struct MLKEM768_private_key *private_key);
+int MLKEM768_marshal_private_key(const MLKEM_private_key *private_key,
+    uint8_t **out_private_key, size_t *out_private_key_len);
 
 /*
- * MLKEM_encap_external_entropy behaves like |MLKEM_encap|, but uses
+ * MLKEM768_encap_external_entropy behaves like |MLKEM768_encap|, but uses
  * |MLKEM_ENCAP_ENTROPY| bytes of |entropy| for randomization. The decapsulating
  * side will be able to recover |entropy| in full. This function should only be
  * used for tests, regular callers should use the non-deterministic
@@ -70,9 +360,34 @@ int MLKEM768_marshal_private_key(CBB *out,
 void MLKEM768_encap_external_entropy(
     uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
     uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const struct MLKEM768_public_key *public_key,
+    const MLKEM_public_key *public_key,
     const uint8_t entropy[MLKEM_ENCAP_ENTROPY]);
 
+
+/*
+ * MLKEM1024_public_key contains an ML-KEM-1024 public key. The contents of this
+ * object should never leave the address space since the format is unstable.
+ */
+struct MLKEM1024_public_key {
+        union {
+                uint8_t bytes[512 * (4 + 16) + 32 + 32];
+                uint16_t alignment;
+        } opaque;
+};
+
+/*
+ * MLKEM1024_private_key contains a ML-KEM-1024 private key. The contents of
+ * this object should never leave the address space since the format is
+ * unstable.
+ */
+struct MLKEM1024_private_key {
+        union {
+                uint8_t bytes[512 * (4 + 4 + 16) + 32 + 32 + 32];
+                uint16_t alignment;
+        } opaque;
+};
+
+
 /*
  * MLKEM1024_generate_key_external_entropy is a deterministic function to create a
  * pair of ML-KEM 1024 keys, using the supplied entropy. The entropy needs to be
@@ -80,9 +395,9 @@ void MLKEM768_encap_external_entropy(
  * regular callers should use the non-deterministic |MLKEM_generate_key|
  * directly.
  */
-void MLKEM1024_generate_key_external_entropy(
+int MLKEM1024_generate_key_external_entropy(
     uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
-    struct MLKEM1024_private_key *out_private_key,
+    MLKEM_private_key *out_private_key,
     const uint8_t entropy[MLKEM_SEED_BYTES]);
 
 /*
@@ -96,8 +411,9 @@ void MLKEM1024_generate_key_external_entropy(
  * standard format for ML-KEM private keys. It returns one on success or zero on
  * allocation error.
  */
-int MLKEM1024_marshal_private_key(CBB *out,
-    const struct MLKEM1024_private_key *private_key);
+int MLKEM1024_marshal_private_key(
+    const MLKEM_private_key *private_key, uint8_t **out_private_key,
+    size_t *out_private_key_len);
 
 /*
  * MLKEM_encap_external_entropy behaves like |MLKEM_encap|, but uses
@@ -109,7 +425,7 @@ int MLKEM1024_marshal_private_key(CBB *out,
 void MLKEM1024_encap_external_entropy(
     uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
     uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const struct MLKEM1024_public_key *public_key,
+    const MLKEM_public_key *public_key,
     const uint8_t entropy[MLKEM_ENCAP_ENTROPY]);
 
 __END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/mlkem/mlkem_key.c b/src/lib/libcrypto/mlkem/mlkem_key.c
new file mode 100644
index 0000000000..051d8f2b88
--- /dev/null
+++ b/src/lib/libcrypto/mlkem/mlkem_key.c
@@ -0,0 +1,200 @@
+/* $OpenBSD: mlkem_key.c,v 1.1 2025/08/14 15:48:48 beck Exp $ */
+/*
+ * Copyright (c) 2025 Bob Beck <beck@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/mlkem.h>
+
+#include "mlkem_internal.h"
+
+MLKEM_private_key *
+MLKEM_private_key_new(int rank)
+{
+        struct MLKEM1024_private_key *key_1024 = NULL;
+        struct MLKEM768_private_key *key_768 = NULL;
+        MLKEM_private_key *key = NULL;
+        MLKEM_private_key *ret = NULL;
+
+        if ((key = calloc(1, sizeof(MLKEM_private_key))) == NULL)
+                goto err;
+
+        switch (rank) {
+        case RANK768:
+                if ((key_768 = calloc(1, sizeof(*key_768))) ==
+                    NULL)
+                        goto err;
+                key->key_768 = key_768;
+                break;
+        case RANK1024:
+                if ((key_1024 = calloc(1, sizeof(*key_1024))) ==
+                    NULL)
+                        goto err;
+                key->key_1024 = key_1024;
+                break;
+        default:
+                goto err;
+        }
+        key->rank = rank;
+        key->state = MLKEM_PRIVATE_KEY_UNINITIALIZED;
+
+        ret = key;
+        key= NULL;
+
+ err:
+        MLKEM_private_key_free(key);
+
+        return ret;
+}
+LCRYPTO_ALIAS(MLKEM_private_key_new);
+
+void
+MLKEM_private_key_free(MLKEM_private_key *key)
+{
+        if (key == NULL)
+                return;
+
+        freezero(key->key_768, sizeof(*key->key_768));
+        freezero(key->key_1024, sizeof(*key->key_1024));
+        freezero(key, sizeof(*key));
+}
+LCRYPTO_ALIAS(MLKEM_private_key_free);
+
+size_t
+MLKEM_private_key_encoded_length(const MLKEM_private_key *key)
+{
+        if (key == NULL)
+                return 0;
+
+        switch (key->rank) {
+        case RANK768:
+                return MLKEM768_PRIVATE_KEY_BYTES;
+        case RANK1024:
+                return MLKEM1024_PRIVATE_KEY_BYTES;
+        default:
+                return 0;
+        }
+        return 0;
+}
+LCRYPTO_ALIAS(MLKEM_private_key_encoded_length);
+
+size_t
+MLKEM_private_key_ciphertext_length(const MLKEM_private_key *key)
+{
+        if (key == NULL)
+                return 0;
+
+        switch (key->rank) {
+        case RANK768:
+                return MLKEM768_CIPHERTEXT_BYTES;
+        case RANK1024:
+                return MLKEM1024_CIPHERTEXT_BYTES;
+        default:
+                return 0;
+        }
+        return 0;
+}
+LCRYPTO_ALIAS(MLKEM_private_key_ciphertext_length);
+
+MLKEM_public_key *
+MLKEM_public_key_new(int rank)
+{
+        struct MLKEM1024_public_key *key_1024 = NULL;
+        struct MLKEM768_public_key *key_768 = NULL;
+        MLKEM_public_key *key = NULL;
+        MLKEM_public_key *ret = NULL;
+
+        if ((key = calloc(1, sizeof(MLKEM_public_key))) == NULL)
+                goto err;
+
+        switch (rank) {
+        case RANK768:
+                if ((key_768 = calloc(1, sizeof(*key_768))) ==
+                    NULL)
+                        goto err;
+                key->key_768 = key_768;
+                break;
+        case RANK1024:
+                if ((key_1024 = calloc(1, sizeof(*key_1024))) ==
+                    NULL)
+                        goto err;
+                key->key_1024 = key_1024;
+                break;
+        default:
+                goto err;
+        }
+
+        key->rank = rank;
+        key->state = MLKEM_PUBLIC_KEY_UNINITIALIZED;
+
+        ret = key;
+        key = NULL;
+
+ err:
+        MLKEM_public_key_free(key);
+
+        return ret;
+}
+LCRYPTO_ALIAS(MLKEM_public_key_new);
+
+void
+MLKEM_public_key_free(MLKEM_public_key *key)
+{
+        if (key == NULL)
+                return;
+
+        freezero(key->key_768, sizeof(*key->key_768));
+        freezero(key->key_1024, sizeof(*key->key_1024));
+        freezero(key, sizeof(*key));
+}
+LCRYPTO_ALIAS(MLKEM_public_key_free);
+
+size_t
+MLKEM_public_key_encoded_length(const MLKEM_public_key *key)
+{
+        if (key == NULL)
+                return 0;
+
+        switch (key->rank) {
+        case RANK768:
+                return MLKEM768_PUBLIC_KEY_BYTES;
+        case RANK1024:
+                return MLKEM1024_PUBLIC_KEY_BYTES;
+        default:
+                return 0;
+        }
+        return 0;
+}
+LCRYPTO_ALIAS(MLKEM_public_key_encoded_length);
+
+size_t
+MLKEM_public_key_ciphertext_length(const MLKEM_public_key *key)
+{
+        if (key == NULL)
+                return 0;
+
+        switch (key->rank) {
+        case RANK768:
+                return MLKEM768_CIPHERTEXT_BYTES;
+        case RANK1024:
+                return MLKEM1024_CIPHERTEXT_BYTES;
+        default:
+                return 0;
+        }
+        return 0;
+}
+LCRYPTO_ALIAS(MLKEM_public_key_ciphertext_length);
diff --git a/src/lib/libcrypto/modes/asm/ghash-x86.pl b/src/lib/libcrypto/modes/asm/ghash-x86.pl
index 47833582b6..395c680cc5 100644
--- a/src/lib/libcrypto/modes/asm/ghash-x86.pl
+++ b/src/lib/libcrypto/modes/asm/ghash-x86.pl
@@ -119,8 +119,7 @@ require "x86asm.pl";
 
 &asm_init($ARGV[0],"ghash-x86.pl",$x86only = $ARGV[$#ARGV] eq "386");
 
-$sse2=0;
-for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+$sse2=1;
 
 ($Zhh,$Zhl,$Zlh,$Zll) = ("ebp","edx","ecx","ebx");
 $inp  = "edi";
diff --git a/src/lib/libcrypto/modes/ccm128.c b/src/lib/libcrypto/modes/ccm128.c
index 0f592dd9e5..e27681ee62 100644
--- a/src/lib/libcrypto/modes/ccm128.c
+++ b/src/lib/libcrypto/modes/ccm128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ccm128.c,v 1.10 2025/04/21 16:01:18 jsing Exp $ */
+/* $OpenBSD: ccm128.c,v 1.12 2025/05/18 09:21:29 bcook Exp $ */
 /* ====================================================================
  * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
  *
@@ -61,7 +61,7 @@ CRYPTO_ccm128_init(CCM128_CONTEXT *ctx,
     unsigned int M, unsigned int L, void *key, block128_f block)
 {
         memset(ctx->nonce.c, 0, sizeof(ctx->nonce.c));
-        ctx->nonce.c[0] = ((u8)(L - 1) & 7) | (u8)(((M - 2)/2) & 7) << 3;
+        ctx->nonce.c[0] = ((uint8_t)(L - 1) & 7) | (uint8_t)(((M - 2)/2) & 7) << 3;
         ctx->blocks = 0;
         ctx->block = block;
         ctx->key = key;
@@ -81,17 +81,17 @@ CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx,
                 return -1;              /* nonce is too short */
 
         if (sizeof(mlen) == 8 && L >= 3) {
-                ctx->nonce.c[8] = (u8)(mlen >> (56 % (sizeof(mlen)*8)));
-                ctx->nonce.c[9] = (u8)(mlen >> (48 % (sizeof(mlen)*8)));
-                ctx->nonce.c[10] = (u8)(mlen >> (40 % (sizeof(mlen)*8)));
-                ctx->nonce.c[11] = (u8)(mlen >> (32 % (sizeof(mlen)*8)));
+                ctx->nonce.c[8] = (uint8_t)(mlen >> (56 % (sizeof(mlen)*8)));
+                ctx->nonce.c[9] = (uint8_t)(mlen >> (48 % (sizeof(mlen)*8)));
+                ctx->nonce.c[10] = (uint8_t)(mlen >> (40 % (sizeof(mlen)*8)));
+                ctx->nonce.c[11] = (uint8_t)(mlen >> (32 % (sizeof(mlen)*8)));
         } else
                 ctx->nonce.u[1] = 0;
 
-        ctx->nonce.c[12] = (u8)(mlen >> 24);
-        ctx->nonce.c[13] = (u8)(mlen >> 16);
-        ctx->nonce.c[14] = (u8)(mlen >> 8);
-        ctx->nonce.c[15] = (u8)mlen;
+        ctx->nonce.c[12] = (uint8_t)(mlen >> 24);
+        ctx->nonce.c[13] = (uint8_t)(mlen >> 16);
+        ctx->nonce.c[14] = (uint8_t)(mlen >> 8);
+        ctx->nonce.c[15] = (uint8_t)mlen;
 
         ctx->nonce.c[0] &= ~0x40;       /* clear Adata flag */
         memcpy(&ctx->nonce.c[1], nonce, 14 - L);
@@ -116,29 +116,29 @@ CRYPTO_ccm128_aad(CCM128_CONTEXT *ctx,
             ctx->blocks++;
 
         if (alen < (0x10000 - 0x100)) {
-                ctx->cmac.c[0] ^= (u8)(alen >> 8);
-                ctx->cmac.c[1] ^= (u8)alen;
+                ctx->cmac.c[0] ^= (uint8_t)(alen >> 8);
+                ctx->cmac.c[1] ^= (uint8_t)alen;
                 i = 2;
         } else if (sizeof(alen) == 8 &&
             alen >= (size_t)1 << (32 % (sizeof(alen)*8))) {
                 ctx->cmac.c[0] ^= 0xFF;
                 ctx->cmac.c[1] ^= 0xFF;
-                ctx->cmac.c[2] ^= (u8)(alen >> (56 % (sizeof(alen)*8)));
-                ctx->cmac.c[3] ^= (u8)(alen >> (48 % (sizeof(alen)*8)));
-                ctx->cmac.c[4] ^= (u8)(alen >> (40 % (sizeof(alen)*8)));
-                ctx->cmac.c[5] ^= (u8)(alen >> (32 % (sizeof(alen)*8)));
-                ctx->cmac.c[6] ^= (u8)(alen >> 24);
-                ctx->cmac.c[7] ^= (u8)(alen >> 16);
-                ctx->cmac.c[8] ^= (u8)(alen >> 8);
-                ctx->cmac.c[9] ^= (u8)alen;
+                ctx->cmac.c[2] ^= (uint8_t)(alen >> (56 % (sizeof(alen)*8)));
+                ctx->cmac.c[3] ^= (uint8_t)(alen >> (48 % (sizeof(alen)*8)));
+                ctx->cmac.c[4] ^= (uint8_t)(alen >> (40 % (sizeof(alen)*8)));
+                ctx->cmac.c[5] ^= (uint8_t)(alen >> (32 % (sizeof(alen)*8)));
+                ctx->cmac.c[6] ^= (uint8_t)(alen >> 24);
+                ctx->cmac.c[7] ^= (uint8_t)(alen >> 16);
+                ctx->cmac.c[8] ^= (uint8_t)(alen >> 8);
+                ctx->cmac.c[9] ^= (uint8_t)alen;
                 i = 10;
         } else {
                 ctx->cmac.c[0] ^= 0xFF;
                 ctx->cmac.c[1] ^= 0xFE;
-                ctx->cmac.c[2] ^= (u8)(alen >> 24);
-                ctx->cmac.c[3] ^= (u8)(alen >> 16);
-                ctx->cmac.c[4] ^= (u8)(alen >> 8);
-                ctx->cmac.c[5] ^= (u8)alen;
+                ctx->cmac.c[2] ^= (uint8_t)(alen >> 24);
+                ctx->cmac.c[3] ^= (uint8_t)(alen >> 16);
+                ctx->cmac.c[4] ^= (uint8_t)(alen >> 8);
+                ctx->cmac.c[5] ^= (uint8_t)alen;
                 i = 6;
         }
 
@@ -160,7 +160,7 @@ static void
 ctr64_inc(unsigned char *counter)
 {
         unsigned int n = 8;
-        u8 c;
+        uint8_t c;
 
         counter += 8;
         do {
@@ -184,8 +184,8 @@ CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx,
         block128_f       block = ctx->block;
         void            *key = ctx->key;
         union {
-                u64 u[2];
-                u8 c[16];
+                uint64_t u[2];
+                uint8_t c[16];
         } scratch;
 
         if (!(flags0 & 0x40))
@@ -211,16 +211,16 @@ CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx,
         while (len >= 16) {
 #ifdef __STRICT_ALIGNMENT
                 union {
-                        u64 u[2];
-                        u8 c[16];
+                        uint64_t u[2];
+                        uint8_t c[16];
                 } temp;
 
                 memcpy(temp.c, inp, 16);
                 ctx->cmac.u[0] ^= temp.u[0];
                 ctx->cmac.u[1] ^= temp.u[1];
 #else
-                ctx->cmac.u[0] ^= ((u64 *)inp)[0];
-                ctx->cmac.u[1] ^= ((u64 *)inp)[1];
+                ctx->cmac.u[0] ^= ((uint64_t *)inp)[0];
+                ctx->cmac.u[1] ^= ((uint64_t *)inp)[1];
 #endif
                 (*block)(ctx->cmac.c, ctx->cmac.c, key);
                 (*block)(ctx->nonce.c, scratch.c, key);
@@ -230,8 +230,8 @@ CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx,
                 temp.u[1] ^= scratch.u[1];
                 memcpy(out, temp.c, 16);
 #else
-                ((u64 *)out)[0] = scratch.u[0] ^ ((u64 *)inp)[0];
-                ((u64 *)out)[1] = scratch.u[1] ^ ((u64 *)inp)[1];
+                ((uint64_t *)out)[0] = scratch.u[0] ^ ((uint64_t *)inp)[0];
+                ((uint64_t *)out)[1] = scratch.u[1] ^ ((uint64_t *)inp)[1];
 #endif
                 inp += 16;
                 out += 16;
@@ -271,8 +271,8 @@ CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx,
         block128_f       block = ctx->block;
         void            *key = ctx->key;
         union {
-                u64 u[2];
-                u8 c[16];
+                uint64_t u[2];
+                uint8_t c[16];
         } scratch;
 
         if (!(flags0 & 0x40))
@@ -293,8 +293,8 @@ CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx,
         while (len >= 16) {
 #ifdef __STRICT_ALIGNMENT
                 union {
-                        u64 u[2];
-                        u8 c[16];
+                        uint64_t u[2];
+                        uint8_t c[16];
                 } temp;
 #endif
                 (*block)(ctx->nonce.c, scratch.c, key);
@@ -305,10 +305,10 @@ CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx,
                 ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]);
                 memcpy(out, scratch.c, 16);
 #else
-                ctx->cmac.u[0] ^= (((u64 *)out)[0] = scratch.u[0] ^
-                    ((u64 *)inp)[0]);
-                ctx->cmac.u[1] ^= (((u64 *)out)[1] = scratch.u[1] ^
-                    ((u64 *)inp)[1]);
+                ctx->cmac.u[0] ^= (((uint64_t *)out)[0] = scratch.u[0] ^
+                    ((uint64_t *)inp)[0]);
+                ctx->cmac.u[1] ^= (((uint64_t *)out)[1] = scratch.u[1] ^
+                    ((uint64_t *)inp)[1]);
 #endif
                 (*block)(ctx->cmac.c, ctx->cmac.c, key);
 
@@ -363,8 +363,8 @@ CRYPTO_ccm128_encrypt_ccm64(CCM128_CONTEXT *ctx,
         block128_f       block = ctx->block;
         void            *key = ctx->key;
         union {
-                u64 u[2];
-                u8 c[16];
+                uint64_t u[2];
+                uint8_t c[16];
         } scratch;
 
         if (!(flags0 & 0x40))
@@ -430,8 +430,8 @@ CRYPTO_ccm128_decrypt_ccm64(CCM128_CONTEXT *ctx,
         block128_f       block = ctx->block;
         void            *key = ctx->key;
         union {
-                u64 u[2];
-                u8 c[16];
+                uint64_t u[2];
+                uint8_t c[16];
         } scratch;
 
         if (!(flags0 & 0x40))
diff --git a/src/lib/libcrypto/modes/ctr128.c b/src/lib/libcrypto/modes/ctr128.c
index 30563ed6e3..87d9abb355 100644
--- a/src/lib/libcrypto/modes/ctr128.c
+++ b/src/lib/libcrypto/modes/ctr128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ctr128.c,v 1.17 2025/04/23 10:09:08 jsing Exp $ */
+/* $OpenBSD: ctr128.c,v 1.18 2025/05/18 09:05:59 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
  *
@@ -63,8 +63,8 @@
 static void
 ctr128_inc(unsigned char *counter)
 {
-        u32 n = 16;
-        u8  c;
+        uint32_t n = 16;
+        uint8_t  c;
 
         do {
                 --n;
@@ -175,8 +175,8 @@ LCRYPTO_ALIAS(CRYPTO_ctr128_encrypt);
 static void
 ctr96_inc(unsigned char *counter)
 {
-        u32 n = 12;
-        u8  c;
+        uint32_t n = 12;
+        uint8_t  c;
 
         do {
                 --n;
@@ -223,7 +223,7 @@ CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out,
                  * overflow, which is then handled by limiting the
                  * amount of blocks to the exact overflow point...
                  */
-                ctr32 += (u32)blocks;
+                ctr32 += (uint32_t)blocks;
                 if (ctr32 < blocks) {
                         blocks -= ctr32;
                         ctr32 = 0;
diff --git a/src/lib/libcrypto/modes/gcm128.c b/src/lib/libcrypto/modes/gcm128.c
index 21ba9eef57..b6874296e0 100644
--- a/src/lib/libcrypto/modes/gcm128.c
+++ b/src/lib/libcrypto/modes/gcm128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gcm128.c,v 1.35 2025/04/25 12:08:53 jsing Exp $ */
+/* $OpenBSD: gcm128.c,v 1.54 2025/06/28 12:39:10 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
  *
@@ -55,184 +55,12 @@
 #include "crypto_internal.h"
 #include "modes_local.h"
 
-#define PACK(s)         ((size_t)(s)<<(sizeof(size_t)*8-16))
-#define REDUCE1BIT(V)                                                   \
-        do {                                                            \
-                if (sizeof(size_t)==8) {                                \
-                        u64 T = U64(0xe100000000000000) & (0-(V.lo&1)); \
-                        V.lo  = (V.hi<<63)|(V.lo>>1);                   \
-                        V.hi  = (V.hi>>1 )^T;                           \
-                } else {                                                \
-                        u32 T = 0xe1000000U & (0-(u32)(V.lo&1));        \
-                        V.lo  = (V.hi<<63)|(V.lo>>1);                   \
-                        V.hi  = (V.hi>>1 )^((u64)T<<32);                \
-                }                                                       \
-        } while(0)
-
-/*
- * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
- * never be set to 8. 8 is effectively reserved for testing purposes.
- * TABLE_BITS>1 are lookup-table-driven implementations referred to as
- * "Shoup's" in GCM specification. In other words OpenSSL does not cover
- * whole spectrum of possible table driven implementations. Why? In
- * non-"Shoup's" case memory access pattern is segmented in such manner,
- * that it's trivial to see that cache timing information can reveal
- * fair portion of intermediate hash value. Given that ciphertext is
- * always available to attacker, it's possible for him to attempt to
- * deduce secret parameter H and if successful, tamper with messages
- * [which is nothing but trivial in CTR mode]. In "Shoup's" case it's
- * not as trivial, but there is no reason to believe that it's resistant
- * to cache-timing attack. And the thing about "8-bit" implementation is
- * that it consumes 16 (sixteen) times more memory, 4KB per individual
- * key + 1KB shared. Well, on pros side it should be twice as fast as
- * "4-bit" version. And for gcc-generated x86[_64] code, "8-bit" version
- * was observed to run ~75% faster, closer to 100% for commercial
- * compilers... Yet "4-bit" procedure is preferred, because it's
- * believed to provide better security-performance balance and adequate
- * all-round performance. "All-round" refers to things like:
- *
- * - shorter setup time effectively improves overall timing for
- *   handling short messages;
- * - larger table allocation can become unbearable because of VM
- *   subsystem penalties (for example on Windows large enough free
- *   results in VM working set trimming, meaning that consequent
- *   malloc would immediately incur working set expansion);
- * - larger table has larger cache footprint, which can affect
- *   performance of other code paths (not necessarily even from same
- *   thread in Hyper-Threading world);
- *
- * Value of 1 is not appropriate for performance reasons.
- */
-#if     TABLE_BITS==8
-
-static void
-gcm_init_8bit(u128 Htable[256], u64 H[2])
-{
-        int  i, j;
-        u128 V;
-
-        Htable[0].hi = 0;
-        Htable[0].lo = 0;
-        V.hi = H[0];
-        V.lo = H[1];
-
-        for (Htable[128] = V, i = 64; i > 0; i >>= 1) {
-                REDUCE1BIT(V);
-                Htable[i] = V;
-        }
-
-        for (i = 2; i < 256; i <<= 1) {
-                u128 *Hi = Htable + i, H0 = *Hi;
-                for (j = 1; j < i; ++j) {
-                        Hi[j].hi = H0.hi ^ Htable[j].hi;
-                        Hi[j].lo = H0.lo ^ Htable[j].lo;
-                }
-        }
-}
-
-static void
-gcm_gmult_8bit(u64 Xi[2], const u128 Htable[256])
-{
-        u128 Z = { 0, 0};
-        const u8 *xi = (const u8 *)Xi + 15;
-        size_t rem, n = *xi;
-        static const size_t rem_8bit[256] = {
-                PACK(0x0000), PACK(0x01C2), PACK(0x0384), PACK(0x0246),
-                PACK(0x0708), PACK(0x06CA), PACK(0x048C), PACK(0x054E),
-                PACK(0x0E10), PACK(0x0FD2), PACK(0x0D94), PACK(0x0C56),
-                PACK(0x0918), PACK(0x08DA), PACK(0x0A9C), PACK(0x0B5E),
-                PACK(0x1C20), PACK(0x1DE2), PACK(0x1FA4), PACK(0x1E66),
-                PACK(0x1B28), PACK(0x1AEA), PACK(0x18AC), PACK(0x196E),
-                PACK(0x1230), PACK(0x13F2), PACK(0x11B4), PACK(0x1076),
-                PACK(0x1538), PACK(0x14FA), PACK(0x16BC), PACK(0x177E),
-                PACK(0x3840), PACK(0x3982), PACK(0x3BC4), PACK(0x3A06),
-                PACK(0x3F48), PACK(0x3E8A), PACK(0x3CCC), PACK(0x3D0E),
-                PACK(0x3650), PACK(0x3792), PACK(0x35D4), PACK(0x3416),
-                PACK(0x3158), PACK(0x309A), PACK(0x32DC), PACK(0x331E),
-                PACK(0x2460), PACK(0x25A2), PACK(0x27E4), PACK(0x2626),
-                PACK(0x2368), PACK(0x22AA), PACK(0x20EC), PACK(0x212E),
-                PACK(0x2A70), PACK(0x2BB2), PACK(0x29F4), PACK(0x2836),
-                PACK(0x2D78), PACK(0x2CBA), PACK(0x2EFC), PACK(0x2F3E),
-                PACK(0x7080), PACK(0x7142), PACK(0x7304), PACK(0x72C6),
-                PACK(0x7788), PACK(0x764A), PACK(0x740C), PACK(0x75CE),
-                PACK(0x7E90), PACK(0x7F52), PACK(0x7D14), PACK(0x7CD6),
-                PACK(0x7998), PACK(0x785A), PACK(0x7A1C), PACK(0x7BDE),
-                PACK(0x6CA0), PACK(0x6D62), PACK(0x6F24), PACK(0x6EE6),
-                PACK(0x6BA8), PACK(0x6A6A), PACK(0x682C), PACK(0x69EE),
-                PACK(0x62B0), PACK(0x6372), PACK(0x6134), PACK(0x60F6),
-                PACK(0x65B8), PACK(0x647A), PACK(0x663C), PACK(0x67FE),
-                PACK(0x48C0), PACK(0x4902), PACK(0x4B44), PACK(0x4A86),
-                PACK(0x4FC8), PACK(0x4E0A), PACK(0x4C4C), PACK(0x4D8E),
-                PACK(0x46D0), PACK(0x4712), PACK(0x4554), PACK(0x4496),
-                PACK(0x41D8), PACK(0x401A), PACK(0x425C), PACK(0x439E),
-                PACK(0x54E0), PACK(0x5522), PACK(0x5764), PACK(0x56A6),
-                PACK(0x53E8), PACK(0x522A), PACK(0x506C), PACK(0x51AE),
-                PACK(0x5AF0), PACK(0x5B32), PACK(0x5974), PACK(0x58B6),
-                PACK(0x5DF8), PACK(0x5C3A), PACK(0x5E7C), PACK(0x5FBE),
-                PACK(0xE100), PACK(0xE0C2), PACK(0xE284), PACK(0xE346),
-                PACK(0xE608), PACK(0xE7CA), PACK(0xE58C), PACK(0xE44E),
-                PACK(0xEF10), PACK(0xEED2), PACK(0xEC94), PACK(0xED56),
-                PACK(0xE818), PACK(0xE9DA), PACK(0xEB9C), PACK(0xEA5E),
-                PACK(0xFD20), PACK(0xFCE2), PACK(0xFEA4), PACK(0xFF66),
-                PACK(0xFA28), PACK(0xFBEA), PACK(0xF9AC), PACK(0xF86E),
-                PACK(0xF330), PACK(0xF2F2), PACK(0xF0B4), PACK(0xF176),
-                PACK(0xF438), PACK(0xF5FA), PACK(0xF7BC), PACK(0xF67E),
-                PACK(0xD940), PACK(0xD882), PACK(0xDAC4), PACK(0xDB06),
-                PACK(0xDE48), PACK(0xDF8A), PACK(0xDDCC), PACK(0xDC0E),
-                PACK(0xD750), PACK(0xD692), PACK(0xD4D4), PACK(0xD516),
-                PACK(0xD058), PACK(0xD19A), PACK(0xD3DC), PACK(0xD21E),
-                PACK(0xC560), PACK(0xC4A2), PACK(0xC6E4), PACK(0xC726),
-                PACK(0xC268), PACK(0xC3AA), PACK(0xC1EC), PACK(0xC02E),
-                PACK(0xCB70), PACK(0xCAB2), PACK(0xC8F4), PACK(0xC936),
-                PACK(0xCC78), PACK(0xCDBA), PACK(0xCFFC), PACK(0xCE3E),
-                PACK(0x9180), PACK(0x9042), PACK(0x9204), PACK(0x93C6),
-                PACK(0x9688), PACK(0x974A), PACK(0x950C), PACK(0x94CE),
-                PACK(0x9F90), PACK(0x9E52), PACK(0x9C14), PACK(0x9DD6),
-                PACK(0x9898), PACK(0x995A), PACK(0x9B1C), PACK(0x9ADE),
-                PACK(0x8DA0), PACK(0x8C62), PACK(0x8E24), PACK(0x8FE6),
-                PACK(0x8AA8), PACK(0x8B6A), PACK(0x892C), PACK(0x88EE),
-                PACK(0x83B0), PACK(0x8272), PACK(0x8034), PACK(0x81F6),
-                PACK(0x84B8), PACK(0x857A), PACK(0x873C), PACK(0x86FE),
-                PACK(0xA9C0), PACK(0xA802), PACK(0xAA44), PACK(0xAB86),
-                PACK(0xAEC8), PACK(0xAF0A), PACK(0xAD4C), PACK(0xAC8E),
-                PACK(0xA7D0), PACK(0xA612), PACK(0xA454), PACK(0xA596),
-                PACK(0xA0D8), PACK(0xA11A), PACK(0xA35C), PACK(0xA29E),
-                PACK(0xB5E0), PACK(0xB422), PACK(0xB664), PACK(0xB7A6),
-                PACK(0xB2E8), PACK(0xB32A), PACK(0xB16C), PACK(0xB0AE),
-                PACK(0xBBF0), PACK(0xBA32), PACK(0xB874), PACK(0xB9B6),
-                PACK(0xBCF8), PACK(0xBD3A), PACK(0xBF7C), PACK(0xBEBE) };
-
-        while (1) {
-                Z.hi ^= Htable[n].hi;
-                Z.lo ^= Htable[n].lo;
-
-                if ((u8 *)Xi == xi)
-                        break;
-
-                n = *(--xi);
-
-                rem = (size_t)Z.lo & 0xff;
-                Z.lo = (Z.hi << 56)|(Z.lo >> 8);
-                Z.hi = (Z.hi >> 8);
-#if SIZE_MAX == 0xffffffffffffffff
-                Z.hi ^= rem_8bit[rem];
-#else
-                Z.hi ^= (u64)rem_8bit[rem] << 32;
-#endif
-        }
-
-        Xi[0] = htobe64(Z.hi);
-        Xi[1] = htobe64(Z.lo);
-}
-#define GCM_MUL(ctx,Xi)   gcm_gmult_8bit(ctx->Xi.u,ctx->Htable)
-
-#elif   TABLE_BITS==4
-
-static void
-gcm_init_4bit(u128 Htable[16], u64 H[2])
+void
+gcm_init_4bit(u128 Htable[16], uint64_t H[2])
 {
         u128 V;
-        int  i;
+        uint64_t T;
+        int i;
 
         Htable[0].hi = 0;
         Htable[0].lo = 0;
@@ -240,57 +68,41 @@ gcm_init_4bit(u128 Htable[16], u64 H[2])
         V.lo = H[1];
 
         for (Htable[8] = V, i = 4; i > 0; i >>= 1) {
-                REDUCE1BIT(V);
+                T = U64(0xe100000000000000) & (0 - (V.lo & 1));
+                V.lo = (V.hi << 63) | (V.lo >> 1);
+                V.hi = (V.hi >> 1 ) ^ T;
                 Htable[i] = V;
         }
 
         for (i = 2; i < 16; i <<= 1) {
                 u128 *Hi = Htable + i;
                 int   j;
-                for (V = *Hi, j = 1; j < i; ++j) {
+                for (V = *Hi, j = 1; j < i; j++) {
                         Hi[j].hi = V.hi ^ Htable[j].hi;
                         Hi[j].lo = V.lo ^ Htable[j].lo;
                 }
         }
-
-#if defined(GHASH_ASM) && (defined(__arm__) || defined(__arm))
-        /*
-         * ARM assembler expects specific dword order in Htable.
-         */
-        {
-                int j;
-#if BYTE_ORDER == LITTLE_ENDIAN
-                for (j = 0; j < 16; ++j) {
-                        V = Htable[j];
-                        Htable[j].hi = V.lo;
-                        Htable[j].lo = V.hi;
-                }
-#else /* BIG_ENDIAN */
-                for (j = 0; j < 16; ++j) {
-                        V = Htable[j];
-                        Htable[j].hi = V.lo << 32|V.lo >> 32;
-                        Htable[j].lo = V.hi << 32|V.hi >> 32;
-                }
-#endif
-        }
-#endif
 }
 
-#ifndef GHASH_ASM
-static const size_t rem_4bit[16] = {
-        PACK(0x0000), PACK(0x1C20), PACK(0x3840), PACK(0x2460),
-        PACK(0x7080), PACK(0x6CA0), PACK(0x48C0), PACK(0x54E0),
-        PACK(0xE100), PACK(0xFD20), PACK(0xD940), PACK(0xC560),
-        PACK(0x9180), PACK(0x8DA0), PACK(0xA9C0), PACK(0xB5E0) };
+#ifdef GHASH_ASM
+void gcm_gmult_4bit(uint64_t Xi[2], const u128 Htable[16]);
+void gcm_ghash_4bit(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+    size_t len);
+
+#else
+static const uint16_t rem_4bit[16] = {
+        0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0,
+        0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0,
+};
 
 static void
-gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16])
+gcm_gmult_4bit(uint64_t Xi[2], const u128 Htable[16])
 {
         u128 Z;
         int cnt = 15;
         size_t rem, nlo, nhi;
 
-        nlo = ((const u8 *)Xi)[15];
+        nlo = ((const uint8_t *)Xi)[15];
         nhi = nlo >> 4;
         nlo &= 0xf;
 
@@ -301,29 +113,21 @@ gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16])
                 rem = (size_t)Z.lo & 0xf;
                 Z.lo = (Z.hi << 60)|(Z.lo >> 4);
                 Z.hi = (Z.hi >> 4);
-#if SIZE_MAX == 0xffffffffffffffff
-                Z.hi ^= rem_4bit[rem];
-#else
-                Z.hi ^= (u64)rem_4bit[rem] << 32;
-#endif
+                Z.hi ^= (uint64_t)rem_4bit[rem] << 48;
                 Z.hi ^= Htable[nhi].hi;
                 Z.lo ^= Htable[nhi].lo;
 
                 if (--cnt < 0)
                         break;
 
-                nlo = ((const u8 *)Xi)[cnt];
+                nlo = ((const uint8_t *)Xi)[cnt];
                 nhi = nlo >> 4;
                 nlo &= 0xf;
 
                 rem = (size_t)Z.lo & 0xf;
                 Z.lo = (Z.hi << 60)|(Z.lo >> 4);
                 Z.hi = (Z.hi >> 4);
-#if SIZE_MAX == 0xffffffffffffffff
-                Z.hi ^= rem_4bit[rem];
-#else
-                Z.hi ^= (u64)rem_4bit[rem] << 32;
-#endif
+                Z.hi ^= (uint64_t)rem_4bit[rem] << 48;
                 Z.hi ^= Htable[nlo].hi;
                 Z.lo ^= Htable[nlo].lo;
         }
@@ -332,25 +136,17 @@ gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16])
         Xi[1] = htobe64(Z.lo);
 }
 
-/*
- * Streamed gcm_mult_4bit, see CRYPTO_gcm128_[en|de]crypt for
- * details... Compiler-generated code doesn't seem to give any
- * performance improvement, at least not on x86[_64]. It's here
- * mostly as reference and a placeholder for possible future
- * non-trivial optimization[s]...
- */
 static void
-gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16],
-    const u8 *inp, size_t len)
+gcm_ghash_4bit(uint64_t Xi[2], const u128 Htable[16],
+    const uint8_t *inp, size_t len)
 {
         u128 Z;
         int cnt;
         size_t rem, nlo, nhi;
 
-#if 1
         do {
                 cnt = 15;
-                nlo = ((const u8 *)Xi)[15];
+                nlo = ((const uint8_t *)Xi)[15];
                 nlo ^= inp[15];
                 nhi = nlo >> 4;
                 nlo &= 0xf;
@@ -362,18 +158,14 @@ gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16],
                         rem = (size_t)Z.lo & 0xf;
                         Z.lo = (Z.hi << 60)|(Z.lo >> 4);
                         Z.hi = (Z.hi >> 4);
-#if SIZE_MAX == 0xffffffffffffffff
-                        Z.hi ^= rem_4bit[rem];
-#else
-                        Z.hi ^= (u64)rem_4bit[rem] << 32;
-#endif
+                        Z.hi ^= (uint64_t)rem_4bit[rem] << 48;
                         Z.hi ^= Htable[nhi].hi;
                         Z.lo ^= Htable[nhi].lo;
 
                         if (--cnt < 0)
                                 break;
 
-                        nlo = ((const u8 *)Xi)[cnt];
+                        nlo = ((const uint8_t *)Xi)[cnt];
                         nlo ^= inp[cnt];
                         nhi = nlo >> 4;
                         nlo &= 0xf;
@@ -381,205 +173,40 @@ gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16],
                         rem = (size_t)Z.lo & 0xf;
                         Z.lo = (Z.hi << 60)|(Z.lo >> 4);
                         Z.hi = (Z.hi >> 4);
-#if SIZE_MAX == 0xffffffffffffffff
-                        Z.hi ^= rem_4bit[rem];
-#else
-                        Z.hi ^= (u64)rem_4bit[rem] << 32;
-#endif
+                        Z.hi ^= (uint64_t)rem_4bit[rem] << 48;
                         Z.hi ^= Htable[nlo].hi;
                         Z.lo ^= Htable[nlo].lo;
                 }
-#else
-    /*
-     * Extra 256+16 bytes per-key plus 512 bytes shared tables
-     * [should] give ~50% improvement... One could have PACK()-ed
-     * the rem_8bit even here, but the priority is to minimize
-     * cache footprint...
-     */
-        u128 Hshr4[16]; /* Htable shifted right by 4 bits */
-        u8 Hshl4[16];   /* Htable shifted left  by 4 bits */
-        static const unsigned short rem_8bit[256] = {
-                0x0000, 0x01C2, 0x0384, 0x0246, 0x0708, 0x06CA, 0x048C, 0x054E,
-                0x0E10, 0x0FD2, 0x0D94, 0x0C56, 0x0918, 0x08DA, 0x0A9C, 0x0B5E,
-                0x1C20, 0x1DE2, 0x1FA4, 0x1E66, 0x1B28, 0x1AEA, 0x18AC, 0x196E,
-                0x1230, 0x13F2, 0x11B4, 0x1076, 0x1538, 0x14FA, 0x16BC, 0x177E,
-                0x3840, 0x3982, 0x3BC4, 0x3A06, 0x3F48, 0x3E8A, 0x3CCC, 0x3D0E,
-                0x3650, 0x3792, 0x35D4, 0x3416, 0x3158, 0x309A, 0x32DC, 0x331E,
-                0x2460, 0x25A2, 0x27E4, 0x2626, 0x2368, 0x22AA, 0x20EC, 0x212E,
-                0x2A70, 0x2BB2, 0x29F4, 0x2836, 0x2D78, 0x2CBA, 0x2EFC, 0x2F3E,
-                0x7080, 0x7142, 0x7304, 0x72C6, 0x7788, 0x764A, 0x740C, 0x75CE,
-                0x7E90, 0x7F52, 0x7D14, 0x7CD6, 0x7998, 0x785A, 0x7A1C, 0x7BDE,
-                0x6CA0, 0x6D62, 0x6F24, 0x6EE6, 0x6BA8, 0x6A6A, 0x682C, 0x69EE,
-                0x62B0, 0x6372, 0x6134, 0x60F6, 0x65B8, 0x647A, 0x663C, 0x67FE,
-                0x48C0, 0x4902, 0x4B44, 0x4A86, 0x4FC8, 0x4E0A, 0x4C4C, 0x4D8E,
-                0x46D0, 0x4712, 0x4554, 0x4496, 0x41D8, 0x401A, 0x425C, 0x439E,
-                0x54E0, 0x5522, 0x5764, 0x56A6, 0x53E8, 0x522A, 0x506C, 0x51AE,
-                0x5AF0, 0x5B32, 0x5974, 0x58B6, 0x5DF8, 0x5C3A, 0x5E7C, 0x5FBE,
-                0xE100, 0xE0C2, 0xE284, 0xE346, 0xE608, 0xE7CA, 0xE58C, 0xE44E,
-                0xEF10, 0xEED2, 0xEC94, 0xED56, 0xE818, 0xE9DA, 0xEB9C, 0xEA5E,
-                0xFD20, 0xFCE2, 0xFEA4, 0xFF66, 0xFA28, 0xFBEA, 0xF9AC, 0xF86E,
-                0xF330, 0xF2F2, 0xF0B4, 0xF176, 0xF438, 0xF5FA, 0xF7BC, 0xF67E,
-                0xD940, 0xD882, 0xDAC4, 0xDB06, 0xDE48, 0xDF8A, 0xDDCC, 0xDC0E,
-                0xD750, 0xD692, 0xD4D4, 0xD516, 0xD058, 0xD19A, 0xD3DC, 0xD21E,
-                0xC560, 0xC4A2, 0xC6E4, 0xC726, 0xC268, 0xC3AA, 0xC1EC, 0xC02E,
-                0xCB70, 0xCAB2, 0xC8F4, 0xC936, 0xCC78, 0xCDBA, 0xCFFC, 0xCE3E,
-                0x9180, 0x9042, 0x9204, 0x93C6, 0x9688, 0x974A, 0x950C, 0x94CE,
-                0x9F90, 0x9E52, 0x9C14, 0x9DD6, 0x9898, 0x995A, 0x9B1C, 0x9ADE,
-                0x8DA0, 0x8C62, 0x8E24, 0x8FE6, 0x8AA8, 0x8B6A, 0x892C, 0x88EE,
-                0x83B0, 0x8272, 0x8034, 0x81F6, 0x84B8, 0x857A, 0x873C, 0x86FE,
-                0xA9C0, 0xA802, 0xAA44, 0xAB86, 0xAEC8, 0xAF0A, 0xAD4C, 0xAC8E,
-                0xA7D0, 0xA612, 0xA454, 0xA596, 0xA0D8, 0xA11A, 0xA35C, 0xA29E,
-                0xB5E0, 0xB422, 0xB664, 0xB7A6, 0xB2E8, 0xB32A, 0xB16C, 0xB0AE,
-                0xBBF0, 0xBA32, 0xB874, 0xB9B6, 0xBCF8, 0xBD3A, 0xBF7C, 0xBEBE };
-    /*
-     * This pre-processing phase slows down procedure by approximately
-     * same time as it makes each loop spin faster. In other words
-     * single block performance is approximately same as straightforward
-     * "4-bit" implementation, and then it goes only faster...
-     */
-        for (cnt = 0; cnt < 16; ++cnt) {
-                Z.hi = Htable[cnt].hi;
-                Z.lo = Htable[cnt].lo;
-                Hshr4[cnt].lo = (Z.hi << 60)|(Z.lo >> 4);
-                Hshr4[cnt].hi = (Z.hi >> 4);
-                Hshl4[cnt] = (u8)(Z.lo << 4);
-        }
-
-        do {
-                for (Z.lo = 0, Z.hi = 0, cnt = 15; cnt; --cnt) {
-                        nlo = ((const u8 *)Xi)[cnt];
-                        nlo ^= inp[cnt];
-                        nhi = nlo >> 4;
-                        nlo &= 0xf;
-
-                        Z.hi ^= Htable[nlo].hi;
-                        Z.lo ^= Htable[nlo].lo;
-
-                        rem = (size_t)Z.lo & 0xff;
-
-                        Z.lo = (Z.hi << 56)|(Z.lo >> 8);
-                        Z.hi = (Z.hi >> 8);
-
-                        Z.hi ^= Hshr4[nhi].hi;
-                        Z.lo ^= Hshr4[nhi].lo;
-                        Z.hi ^= (u64)rem_8bit[rem ^ Hshl4[nhi]] << 48;
-                }
-
-                nlo = ((const u8 *)Xi)[0];
-                nlo ^= inp[0];
-                nhi = nlo >> 4;
-                nlo &= 0xf;
-
-                Z.hi ^= Htable[nlo].hi;
-                Z.lo ^= Htable[nlo].lo;
-
-                rem = (size_t)Z.lo & 0xf;
-
-                Z.lo = (Z.hi << 60)|(Z.lo >> 4);
-                Z.hi = (Z.hi >> 4);
-
-                Z.hi ^= Htable[nhi].hi;
-                Z.lo ^= Htable[nhi].lo;
-                Z.hi ^= ((u64)rem_8bit[rem << 4]) << 48;
-#endif
 
                 Xi[0] = htobe64(Z.hi);
                 Xi[1] = htobe64(Z.lo);
         } while (inp += 16, len -= 16);
 }
-#else
-void gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16]);
-void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16], const u8 *inp,
-    size_t len);
 #endif
 
-#define GCM_MUL(ctx,Xi)   gcm_gmult_4bit(ctx->Xi.u,ctx->Htable)
-#define GHASH(ctx,in,len) gcm_ghash_4bit((ctx)->Xi.u,(ctx)->Htable,in,len)
-/* GHASH_CHUNK is "stride parameter" missioned to mitigate cache
- * trashing effect. In other words idea is to hash data while it's
- * still in L1 cache after encryption pass... */
-#define GHASH_CHUNK       (3*1024)
-
-#else   /* TABLE_BITS */
-
-static void
-gcm_gmult_1bit(u64 Xi[2], const u64 H[2])
+static inline void
+gcm_mul(GCM128_CONTEXT *ctx, uint64_t u[2])
 {
-        u128 V, Z = { 0, 0 };
-        u64 X;
-        int i, j;
-
-        V.hi = H[0];    /* H is in host byte order, no byte swapping */
-        V.lo = H[1];
-
-        for (j = 0; j < 2; j++) {
-                X = be64toh(Xi[j]);
-
-                for (i = 0; i < 64; i++) {
-                        u64 M = 0 - (X >> 63);
-                        Z.hi ^= V.hi & M;
-                        Z.lo ^= V.lo & M;
-                        X <<= 1;
-
-                        REDUCE1BIT(V);
-                }
-        }
-
-        Xi[0] = htobe64(Z.hi);
-        Xi[1] = htobe64(Z.lo);
+        ctx->gmult(u, ctx->Htable);
 }
-#define GCM_MUL(ctx,Xi)   gcm_gmult_1bit(ctx->Xi.u,ctx->H.u)
-
-#endif
-
-#if     defined(GHASH_ASM) &&                                           \
-        (defined(__i386)        || defined(__i386__)    ||              \
-         defined(__x86_64)      || defined(__x86_64__)  ||              \
-         defined(_M_IX86)       || defined(_M_AMD64)    || defined(_M_X64))
-#include "x86_arch.h"
-#endif
-
-#if     TABLE_BITS==4 && defined(GHASH_ASM)
-# if    (defined(__i386)        || defined(__i386__)    ||              \
-         defined(__x86_64)      || defined(__x86_64__)  ||              \
-         defined(_M_IX86)       || defined(_M_AMD64)    || defined(_M_X64))
-#  define GHASH_ASM_X86_OR_64
-#  define GCM_FUNCREF_4BIT
-
-void gcm_init_clmul(u128 Htable[16], const u64 Xi[2]);
-void gcm_gmult_clmul(u64 Xi[2], const u128 Htable[16]);
-void gcm_ghash_clmul(u64 Xi[2], const u128 Htable[16], const u8 *inp,
-    size_t len);
 
-#  if   defined(__i386) || defined(__i386__) || defined(_M_IX86)
-#   define GHASH_ASM_X86
-void gcm_gmult_4bit_mmx(u64 Xi[2], const u128 Htable[16]);
-void gcm_ghash_4bit_mmx(u64 Xi[2], const u128 Htable[16], const u8 *inp,
-    size_t len);
+static inline void
+gcm_ghash(GCM128_CONTEXT *ctx, const uint8_t *in, size_t len)
+{
+        ctx->ghash(ctx->Xi.u, ctx->Htable, in, len);
+}
 
-void gcm_gmult_4bit_x86(u64 Xi[2], const u128 Htable[16]);
-void gcm_ghash_4bit_x86(u64 Xi[2], const u128 Htable[16], const u8 *inp,
-    size_t len);
-#  endif
-# elif defined(__arm__) || defined(__arm)
-#  include "arm_arch.h"
-#  if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT)
-#   define GHASH_ASM_ARM
-#   define GCM_FUNCREF_4BIT
-void gcm_gmult_neon(u64 Xi[2], const u128 Htable[16]);
-void gcm_ghash_neon(u64 Xi[2], const u128 Htable[16], const u8 *inp,
-    size_t len);
-#  endif
-# endif
-#endif
+#ifdef HAVE_GCM128_INIT
+void gcm128_init(GCM128_CONTEXT *ctx);
 
-#ifdef GCM_FUNCREF_4BIT
-# undef  GCM_MUL
-# define GCM_MUL(ctx,Xi)        (*gcm_gmult_p)(ctx->Xi.u,ctx->Htable)
-# ifdef GHASH
-#  undef  GHASH
-#  define GHASH(ctx,in,len)     (*gcm_ghash_p)(ctx->Xi.u,ctx->Htable,in,len)
-# endif
+#else
+static void
+gcm128_init(GCM128_CONTEXT *ctx)
+{
+        gcm_init_4bit(ctx->Htable, ctx->H.u);
+        ctx->gmult = gcm_gmult_4bit;
+        ctx->ghash = gcm_ghash_4bit;
+}
 #endif
 
 void
@@ -595,60 +222,35 @@ CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
         ctx->H.u[0] = be64toh(ctx->H.u[0]);
         ctx->H.u[1] = be64toh(ctx->H.u[1]);
 
-#if     TABLE_BITS==8
-        gcm_init_8bit(ctx->Htable, ctx->H.u);
-#elif   TABLE_BITS==4
-# if    defined(GHASH_ASM_X86_OR_64)
-#  if   !defined(GHASH_ASM_X86) || defined(OPENSSL_IA32_SSE2)
-        /* check FXSR and PCLMULQDQ bits */
-        if ((crypto_cpu_caps_ia32() & (CPUCAP_MASK_FXSR | CPUCAP_MASK_PCLMUL)) ==
-            (CPUCAP_MASK_FXSR | CPUCAP_MASK_PCLMUL)) {
-                gcm_init_clmul(ctx->Htable, ctx->H.u);
-                ctx->gmult = gcm_gmult_clmul;
-                ctx->ghash = gcm_ghash_clmul;
-                return;
-        }
-#  endif
-        gcm_init_4bit(ctx->Htable, ctx->H.u);
-#  if   defined(GHASH_ASM_X86)                  /* x86 only */
-#   if  defined(OPENSSL_IA32_SSE2)
-        if (crypto_cpu_caps_ia32() & CPUCAP_MASK_SSE) { /* check SSE bit */
-#   else
-        if (crypto_cpu_caps_ia32() & CPUCAP_MASK_MMX) { /* check MMX bit */
-#   endif
-                ctx->gmult = gcm_gmult_4bit_mmx;
-                ctx->ghash = gcm_ghash_4bit_mmx;
-        } else {
-                ctx->gmult = gcm_gmult_4bit_x86;
-                ctx->ghash = gcm_ghash_4bit_x86;
-        }
-#  else
-        ctx->gmult = gcm_gmult_4bit;
-        ctx->ghash = gcm_ghash_4bit;
-#  endif
-# elif  defined(GHASH_ASM_ARM)
-        if (OPENSSL_armcap_P & ARMV7_NEON) {
-                ctx->gmult = gcm_gmult_neon;
-                ctx->ghash = gcm_ghash_neon;
-        } else {
-                gcm_init_4bit(ctx->Htable, ctx->H.u);
-                ctx->gmult = gcm_gmult_4bit;
-                ctx->ghash = gcm_ghash_4bit;
-        }
-# else
-        gcm_init_4bit(ctx->Htable, ctx->H.u);
-# endif
-#endif
+        gcm128_init(ctx);
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_init);
 
+GCM128_CONTEXT *
+CRYPTO_gcm128_new(void *key, block128_f block)
+{
+        GCM128_CONTEXT *ctx;
+
+        if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
+                return NULL;
+
+        CRYPTO_gcm128_init(ctx, key, block);
+
+        return ctx;
+}
+LCRYPTO_ALIAS(CRYPTO_gcm128_new);
+
+void
+CRYPTO_gcm128_release(GCM128_CONTEXT *ctx)
+{
+        freezero(ctx, sizeof(*ctx));
+}
+LCRYPTO_ALIAS(CRYPTO_gcm128_release);
+
 void
 CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const unsigned char *iv, size_t len)
 {
         unsigned int ctr;
-#ifdef GCM_FUNCREF_4BIT
-        void (*gcm_gmult_p)(u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-#endif
 
         ctx->Yi.u[0] = 0;
         ctx->Yi.u[1] = 0;
@@ -665,573 +267,277 @@ CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const unsigned char *iv, size_t len)
                 ctr = 1;
         } else {
                 size_t i;
-                u64 len0 = len;
+                uint64_t len0 = len;
 
                 while (len >= 16) {
-                        for (i = 0; i < 16; ++i)
+                        for (i = 0; i < 16; i++)
                                 ctx->Yi.c[i] ^= iv[i];
-                        GCM_MUL(ctx, Yi);
+                        gcm_mul(ctx, ctx->Yi.u);
                         iv += 16;
                         len -= 16;
                 }
-                if (len) {
-                        for (i = 0; i < len; ++i)
+                if (len > 0) {
+                        for (i = 0; i < len; i++)
                                 ctx->Yi.c[i] ^= iv[i];
-                        GCM_MUL(ctx, Yi);
+                        gcm_mul(ctx, ctx->Yi.u);
                 }
                 len0 <<= 3;
                 ctx->Yi.u[1] ^= htobe64(len0);
 
-                GCM_MUL(ctx, Yi);
+                gcm_mul(ctx, ctx->Yi.u);
 
                 ctr = be32toh(ctx->Yi.d[3]);
         }
 
         (*ctx->block)(ctx->Yi.c, ctx->EK0.c, ctx->key);
-        ++ctr;
-        ctx->Yi.d[3] = htobe32(ctr);
+        ctx->Yi.d[3] = htobe32(++ctr);
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_setiv);
 
 int
 CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const unsigned char *aad, size_t len)
 {
-        size_t i;
         unsigned int n;
-        u64 alen = ctx->len.u[0];
-#ifdef GCM_FUNCREF_4BIT
-        void (*gcm_gmult_p)(u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-# ifdef GHASH
-        void (*gcm_ghash_p)(u64 Xi[2], const u128 Htable[16],
-            const u8 *inp, size_t len) = ctx->ghash;
-# endif
-#endif
+        uint64_t alen;
+        size_t i;
 
-        if (ctx->len.u[1])
+        if (ctx->len.u[1] != 0)
                 return -2;
 
-        alen += len;
+        alen = ctx->len.u[0] + len;
         if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
                 return -1;
         ctx->len.u[0] = alen;
 
-        n = ctx->ares;
-        if (n) {
-                while (n && len) {
+        if ((n = ctx->ares) > 0) {
+                while (n > 0 && len > 0) {
                         ctx->Xi.c[n] ^= *(aad++);
-                        --len;
                         n = (n + 1) % 16;
+                        len--;
                 }
-                if (n == 0)
-                        GCM_MUL(ctx, Xi);
-                else {
+                if (n > 0) {
                         ctx->ares = n;
                         return 0;
                 }
+                gcm_mul(ctx, ctx->Xi.u);
         }
 
-#ifdef GHASH
-        if ((i = (len & (size_t)-16))) {
-                GHASH(ctx, aad, i);
+        if ((i = (len & (size_t)-16)) > 0) {
+                gcm_ghash(ctx, aad, i);
                 aad += i;
                 len -= i;
         }
-#else
-        while (len >= 16) {
-                for (i = 0; i < 16; ++i)
-                        ctx->Xi.c[i] ^= aad[i];
-                GCM_MUL(ctx, Xi);
-                aad += 16;
-                len -= 16;
-        }
-#endif
-        if (len) {
+        if (len > 0) {
                 n = (unsigned int)len;
-                for (i = 0; i < len; ++i)
+                for (i = 0; i < len; i++)
                         ctx->Xi.c[i] ^= aad[i];
         }
-
         ctx->ares = n;
+
         return 0;
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_aad);
 
 int
-CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
-    const unsigned char *in, unsigned char *out,
-    size_t len)
+CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const unsigned char *in,
+    unsigned char *out, size_t len)
 {
         unsigned int n, ctr;
+        uint64_t mlen;
         size_t i;
-        u64 mlen = ctx->len.u[1];
-        block128_f block = ctx->block;
-        void *key = ctx->key;
-#ifdef GCM_FUNCREF_4BIT
-        void (*gcm_gmult_p)(u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-# ifdef GHASH
-        void (*gcm_ghash_p)(u64 Xi[2], const u128 Htable[16],
-            const u8 *inp, size_t len) = ctx->ghash;
-# endif
-#endif
 
-        mlen += len;
+        mlen = ctx->len.u[1] + len;
         if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
                 return -1;
         ctx->len.u[1] = mlen;
 
-        if (ctx->ares) {
+        if (ctx->ares > 0) {
                 /* First call to encrypt finalizes GHASH(AAD) */
-                GCM_MUL(ctx, Xi);
+                gcm_mul(ctx, ctx->Xi.u);
                 ctx->ares = 0;
         }
 
         ctr = be32toh(ctx->Yi.d[3]);
 
         n = ctx->mres;
-        if (16 % sizeof(size_t) == 0)
-                do {    /* always true actually */
-                        if (n) {
-                                while (n && len) {
-                                        ctx->Xi.c[n] ^= *(out++) = *(in++) ^
-                                            ctx->EKi.c[n];
-                                        --len;
-                                        n = (n + 1) % 16;
-                                }
-                                if (n == 0)
-                                        GCM_MUL(ctx, Xi);
-                                else {
-                                        ctx->mres = n;
-                                        return 0;
-                                }
-                        }
-#ifdef __STRICT_ALIGNMENT
-                        if (((size_t)in|(size_t)out) % sizeof(size_t) != 0)
-                                break;
-#endif
-#if defined(GHASH) && defined(GHASH_CHUNK)
-                        while (len >= GHASH_CHUNK) {
-                                size_t j = GHASH_CHUNK;
-
-                                while (j) {
-                                        size_t *out_t = (size_t *)out;
-                                        const size_t *in_t = (const size_t *)in;
-
-                                        (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                        ++ctr;
-                                        ctx->Yi.d[3] = htobe32(ctr);
-
-                                        for (i = 0; i < 16/sizeof(size_t); ++i)
-                                                out_t[i] = in_t[i] ^
-                                                    ctx->EKi.t[i];
-                                        out += 16;
-                                        in += 16;
-                                        j -= 16;
-                                }
-                                GHASH(ctx, out - GHASH_CHUNK, GHASH_CHUNK);
-                                len -= GHASH_CHUNK;
-                        }
-                        if ((i = (len & (size_t)-16))) {
-                                size_t j = i;
-
-                                while (len >= 16) {
-                                        size_t *out_t = (size_t *)out;
-                                        const size_t *in_t = (const size_t *)in;
-
-                                        (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                        ++ctr;
-                                        ctx->Yi.d[3] = htobe32(ctr);
-
-                                        for (i = 0; i < 16/sizeof(size_t); ++i)
-                                                out_t[i] = in_t[i] ^
-                                                    ctx->EKi.t[i];
-                                        out += 16;
-                                        in += 16;
-                                        len -= 16;
-                                }
-                                GHASH(ctx, out - j, j);
-                        }
-#else
-                        while (len >= 16) {
-                                size_t *out_t = (size_t *)out;
-                                const size_t *in_t = (const size_t *)in;
-
-                                (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                ++ctr;
-                                ctx->Yi.d[3] = htobe32(ctr);
-
-                                for (i = 0; i < 16/sizeof(size_t); ++i)
-                                        ctx->Xi.t[i] ^=
-                                            out_t[i] = in_t[i] ^ ctx->EKi.t[i];
-                                GCM_MUL(ctx, Xi);
-                                out += 16;
-                                in += 16;
-                                len -= 16;
-                        }
-#endif
-                        if (len) {
-                                (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                ++ctr;
-                                ctx->Yi.d[3] = htobe32(ctr);
-
-                                while (len--) {
-                                        ctx->Xi.c[n] ^= out[n] = in[n] ^
-                                            ctx->EKi.c[n];
-                                        ++n;
-                                }
-                        }
 
-                        ctx->mres = n;
-                        return 0;
-                } while (0);
-        for (i = 0; i < len; ++i) {
+        for (i = 0; i < len; i++) {
                 if (n == 0) {
-                        (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                        ++ctr;
-                        ctx->Yi.d[3] = htobe32(ctr);
+                        ctx->block(ctx->Yi.c, ctx->EKi.c, ctx->key);
+                        ctx->Yi.d[3] = htobe32(++ctr);
                 }
                 ctx->Xi.c[n] ^= out[i] = in[i] ^ ctx->EKi.c[n];
                 n = (n + 1) % 16;
                 if (n == 0)
-                        GCM_MUL(ctx, Xi);
+                        gcm_mul(ctx, ctx->Xi.u);
         }
 
         ctx->mres = n;
+
         return 0;
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_encrypt);
 
 int
-CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
-    const unsigned char *in, unsigned char *out,
-    size_t len)
+CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const unsigned char *in,
+    unsigned char *out, size_t len)
 {
         unsigned int n, ctr;
+        uint64_t mlen;
+        uint8_t c;
         size_t i;
-        u64 mlen = ctx->len.u[1];
-        block128_f block = ctx->block;
-        void *key = ctx->key;
-#ifdef GCM_FUNCREF_4BIT
-        void (*gcm_gmult_p)(u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-# ifdef GHASH
-        void (*gcm_ghash_p)(u64 Xi[2], const u128 Htable[16],
-            const u8 *inp, size_t len) = ctx->ghash;
-# endif
-#endif
 
-        mlen += len;
+        mlen = ctx->len.u[1] + len;
         if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
                 return -1;
         ctx->len.u[1] = mlen;
 
         if (ctx->ares) {
                 /* First call to decrypt finalizes GHASH(AAD) */
-                GCM_MUL(ctx, Xi);
+                gcm_mul(ctx, ctx->Xi.u);
                 ctx->ares = 0;
         }
 
         ctr = be32toh(ctx->Yi.d[3]);
 
         n = ctx->mres;
-        if (16 % sizeof(size_t) == 0)
-                do {    /* always true actually */
-                        if (n) {
-                                while (n && len) {
-                                        u8 c = *(in++);
-                                        *(out++) = c ^ ctx->EKi.c[n];
-                                        ctx->Xi.c[n] ^= c;
-                                        --len;
-                                        n = (n + 1) % 16;
-                                }
-                                if (n == 0)
-                                        GCM_MUL(ctx, Xi);
-                                else {
-                                        ctx->mres = n;
-                                        return 0;
-                                }
-                        }
-#ifdef __STRICT_ALIGNMENT
-                        if (((size_t)in|(size_t)out) % sizeof(size_t) != 0)
-                                break;
-#endif
-#if defined(GHASH) && defined(GHASH_CHUNK)
-                        while (len >= GHASH_CHUNK) {
-                                size_t j = GHASH_CHUNK;
-
-                                GHASH(ctx, in, GHASH_CHUNK);
-                                while (j) {
-                                        size_t *out_t = (size_t *)out;
-                                        const size_t *in_t = (const size_t *)in;
-
-                                        (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                        ++ctr;
-                                        ctx->Yi.d[3] = htobe32(ctr);
-
-                                        for (i = 0; i < 16/sizeof(size_t); ++i)
-                                                out_t[i] = in_t[i] ^
-                                                    ctx->EKi.t[i];
-                                        out += 16;
-                                        in += 16;
-                                        j -= 16;
-                                }
-                                len -= GHASH_CHUNK;
-                        }
-                        if ((i = (len & (size_t)-16))) {
-                                GHASH(ctx, in, i);
-                                while (len >= 16) {
-                                        size_t *out_t = (size_t *)out;
-                                        const size_t *in_t = (const size_t *)in;
-
-                                        (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                        ++ctr;
-                                        ctx->Yi.d[3] = htobe32(ctr);
-
-                                        for (i = 0; i < 16/sizeof(size_t); ++i)
-                                                out_t[i] = in_t[i] ^
-                                                    ctx->EKi.t[i];
-                                        out += 16;
-                                        in += 16;
-                                        len -= 16;
-                                }
-                        }
-#else
-                        while (len >= 16) {
-                                size_t *out_t = (size_t *)out;
-                                const size_t *in_t = (const size_t *)in;
-
-                                (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                ++ctr;
-                                ctx->Yi.d[3] = htobe32(ctr);
-
-                                for (i = 0; i < 16/sizeof(size_t); ++i) {
-                                        size_t c = in_t[i];
-                                        out_t[i] = c ^ ctx->EKi.t[i];
-                                        ctx->Xi.t[i] ^= c;
-                                }
-                                GCM_MUL(ctx, Xi);
-                                out += 16;
-                                in += 16;
-                                len -= 16;
-                        }
-#endif
-                        if (len) {
-                                (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                ++ctr;
-                                ctx->Yi.d[3] = htobe32(ctr);
-
-                                while (len--) {
-                                        u8 c = in[n];
-                                        ctx->Xi.c[n] ^= c;
-                                        out[n] = c ^ ctx->EKi.c[n];
-                                        ++n;
-                                }
-                        }
 
-                        ctx->mres = n;
-                        return 0;
-                } while (0);
-        for (i = 0; i < len; ++i) {
-                u8 c;
+        for (i = 0; i < len; i++) {
                 if (n == 0) {
-                        (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                        ++ctr;
-                        ctx->Yi.d[3] = htobe32(ctr);
+                        ctx->block(ctx->Yi.c, ctx->EKi.c, ctx->key);
+                        ctx->Yi.d[3] = htobe32(++ctr);
                 }
                 c = in[i];
                 out[i] = c ^ ctx->EKi.c[n];
                 ctx->Xi.c[n] ^= c;
                 n = (n + 1) % 16;
                 if (n == 0)
-                        GCM_MUL(ctx, Xi);
+                        gcm_mul(ctx, ctx->Xi.u);
         }
 
         ctx->mres = n;
+
         return 0;
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_decrypt);
 
 int
-CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
-    const unsigned char *in, unsigned char *out,
-    size_t len, ctr128_f stream)
+CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const unsigned char *in,
+    unsigned char *out, size_t len, ctr128_f stream)
 {
         unsigned int n, ctr;
-        size_t i;
-        u64 mlen = ctx->len.u[1];
-        void *key = ctx->key;
-#ifdef GCM_FUNCREF_4BIT
-        void (*gcm_gmult_p)(u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-# ifdef GHASH
-        void (*gcm_ghash_p)(u64 Xi[2], const u128 Htable[16],
-            const u8 *inp, size_t len) = ctx->ghash;
-# endif
-#endif
+        uint64_t mlen;
+        size_t i, j;
 
-        mlen += len;
+        mlen = ctx->len.u[1] + len;
         if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
                 return -1;
         ctx->len.u[1] = mlen;
 
-        if (ctx->ares) {
+        if (ctx->ares > 0) {
                 /* First call to encrypt finalizes GHASH(AAD) */
-                GCM_MUL(ctx, Xi);
+                gcm_mul(ctx, ctx->Xi.u);
                 ctx->ares = 0;
         }
 
         ctr = be32toh(ctx->Yi.d[3]);
 
-        n = ctx->mres;
-        if (n) {
-                while (n && len) {
+        if ((n = ctx->mres) > 0) {
+                while (n > 0 && len > 0) {
                         ctx->Xi.c[n] ^= *(out++) = *(in++) ^ ctx->EKi.c[n];
-                        --len;
                         n = (n + 1) % 16;
+                        len--;
                 }
-                if (n == 0)
-                        GCM_MUL(ctx, Xi);
-                else {
+                if (n > 0) {
                         ctx->mres = n;
                         return 0;
                 }
+                gcm_mul(ctx, ctx->Xi.u);
         }
-#if defined(GHASH) && defined(GHASH_CHUNK)
-        while (len >= GHASH_CHUNK) {
-                (*stream)(in, out, GHASH_CHUNK/16, key, ctx->Yi.c);
-                ctr += GHASH_CHUNK/16;
-                ctx->Yi.d[3] = htobe32(ctr);
-                GHASH(ctx, out, GHASH_CHUNK);
-                out += GHASH_CHUNK;
-                in += GHASH_CHUNK;
-                len -= GHASH_CHUNK;
-        }
-#endif
-        if ((i = (len & (size_t)-16))) {
-                size_t j = i/16;
-
-                (*stream)(in, out, j, key, ctx->Yi.c);
+        if ((i = (len & (size_t)-16)) > 0) {
+                j = i / 16;
+                stream(in, out, j, ctx->key, ctx->Yi.c);
                 ctr += (unsigned int)j;
                 ctx->Yi.d[3] = htobe32(ctr);
+                gcm_ghash(ctx, out, i);
                 in += i;
-                len -= i;
-#if defined(GHASH)
-                GHASH(ctx, out, i);
                 out += i;
-#else
-                while (j--) {
-                        for (i = 0; i < 16; ++i)
-                                ctx->Xi.c[i] ^= out[i];
-                        GCM_MUL(ctx, Xi);
-                        out += 16;
-                }
-#endif
+                len -= i;
         }
-        if (len) {
-                (*ctx->block)(ctx->Yi.c, ctx->EKi.c, key);
-                ++ctr;
-                ctx->Yi.d[3] = htobe32(ctr);
-                while (len--) {
+        if (len > 0) {
+                ctx->block(ctx->Yi.c, ctx->EKi.c, ctx->key);
+                ctx->Yi.d[3] = htobe32(++ctr);
+                while (len-- > 0) {
                         ctx->Xi.c[n] ^= out[n] = in[n] ^ ctx->EKi.c[n];
-                        ++n;
+                        n++;
                 }
         }
 
         ctx->mres = n;
+
         return 0;
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_encrypt_ctr32);
 
 int
-CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
-    const unsigned char *in, unsigned char *out,
-    size_t len, ctr128_f stream)
+CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const unsigned char *in,
+    unsigned char *out, size_t len, ctr128_f stream)
 {
         unsigned int n, ctr;
-        size_t i;
-        u64 mlen = ctx->len.u[1];
-        void *key = ctx->key;
-#ifdef GCM_FUNCREF_4BIT
-        void (*gcm_gmult_p)(u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-# ifdef GHASH
-        void (*gcm_ghash_p)(u64 Xi[2], const u128 Htable[16],
-            const u8 *inp, size_t len) = ctx->ghash;
-# endif
-#endif
+        uint64_t mlen;
+        size_t i, j;
+        uint8_t c;
 
-        mlen += len;
+        mlen = ctx->len.u[1] + len;
         if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
                 return -1;
         ctx->len.u[1] = mlen;
 
-        if (ctx->ares) {
+        if (ctx->ares > 0) {
                 /* First call to decrypt finalizes GHASH(AAD) */
-                GCM_MUL(ctx, Xi);
+                gcm_mul(ctx, ctx->Xi.u);
                 ctx->ares = 0;
         }
 
         ctr = be32toh(ctx->Yi.d[3]);
 
-        n = ctx->mres;
-        if (n) {
-                while (n && len) {
-                        u8 c = *(in++);
+        if ((n = ctx->mres) > 0) {
+                while (n > 0 && len > 0) {
+                        c = *(in++);
                         *(out++) = c ^ ctx->EKi.c[n];
                         ctx->Xi.c[n] ^= c;
-                        --len;
                         n = (n + 1) % 16;
+                        len--;
                 }
-                if (n == 0)
-                        GCM_MUL(ctx, Xi);
-                else {
+                if (n > 0) {
                         ctx->mres = n;
                         return 0;
                 }
+                gcm_mul(ctx, ctx->Xi.u);
         }
-#if defined(GHASH) && defined(GHASH_CHUNK)
-        while (len >= GHASH_CHUNK) {
-                GHASH(ctx, in, GHASH_CHUNK);
-                (*stream)(in, out, GHASH_CHUNK/16, key, ctx->Yi.c);
-                ctr += GHASH_CHUNK/16;
-                ctx->Yi.d[3] = htobe32(ctr);
-                out += GHASH_CHUNK;
-                in += GHASH_CHUNK;
-                len -= GHASH_CHUNK;
-        }
-#endif
-        if ((i = (len & (size_t)-16))) {
-                size_t j = i/16;
-
-#if defined(GHASH)
-                GHASH(ctx, in, i);
-#else
-                while (j--) {
-                        size_t k;
-                        for (k = 0; k < 16; ++k)
-                                ctx->Xi.c[k] ^= in[k];
-                        GCM_MUL(ctx, Xi);
-                        in += 16;
-                }
-                j = i/16;
-                in -= i;
-#endif
-                (*stream)(in, out, j, key, ctx->Yi.c);
+        if ((i = (len & (size_t)-16)) > 0) {
+                j = i / 16;
+                gcm_ghash(ctx, in, i);
+                stream(in, out, j, ctx->key, ctx->Yi.c);
                 ctr += (unsigned int)j;
                 ctx->Yi.d[3] = htobe32(ctr);
-                out += i;
                 in += i;
+                out += i;
                 len -= i;
         }
-        if (len) {
-                (*ctx->block)(ctx->Yi.c, ctx->EKi.c, key);
-                ++ctr;
-                ctx->Yi.d[3] = htobe32(ctr);
-                while (len--) {
-                        u8 c = in[n];
+        if (len > 0) {
+                ctx->block(ctx->Yi.c, ctx->EKi.c, ctx->key);
+                ctx->Yi.d[3] = htobe32(++ctr);
+                while (len-- > 0) {
+                        c = in[n];
                         ctx->Xi.c[n] ^= c;
                         out[n] = c ^ ctx->EKi.c[n];
-                        ++n;
+                        n++;
                 }
         }
 
         ctx->mres = n;
+
         return 0;
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_decrypt_ctr32);
@@ -1240,26 +546,25 @@ int
 CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag,
     size_t len)
 {
-        u64 alen = ctx->len.u[0] << 3;
-        u64 clen = ctx->len.u[1] << 3;
-#ifdef GCM_FUNCREF_4BIT
-        void (*gcm_gmult_p)(u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-#endif
+        uint64_t alen, clen;
 
-        if (ctx->mres || ctx->ares)
-                GCM_MUL(ctx, Xi);
+        alen = ctx->len.u[0] << 3;
+        clen = ctx->len.u[1] << 3;
+
+        if (ctx->ares > 0 || ctx->mres > 0)
+                gcm_mul(ctx, ctx->Xi.u);
 
         ctx->Xi.u[0] ^= htobe64(alen);
         ctx->Xi.u[1] ^= htobe64(clen);
-        GCM_MUL(ctx, Xi);
+        gcm_mul(ctx, ctx->Xi.u);
 
         ctx->Xi.u[0] ^= ctx->EK0.u[0];
         ctx->Xi.u[1] ^= ctx->EK0.u[1];
 
-        if (tag && len <= sizeof(ctx->Xi))
-                return memcmp(ctx->Xi.c, tag, len);
-        else
+        if (tag == NULL || len > sizeof(ctx->Xi))
                 return -1;
+
+        return timingsafe_memcmp(ctx->Xi.c, tag, len);
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_finish);
 
@@ -1267,26 +572,10 @@ void
 CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, unsigned char *tag, size_t len)
 {
         CRYPTO_gcm128_finish(ctx, NULL, 0);
-        memcpy(tag, ctx->Xi.c,
-            len <= sizeof(ctx->Xi.c) ? len : sizeof(ctx->Xi.c));
-}
-LCRYPTO_ALIAS(CRYPTO_gcm128_tag);
 
-GCM128_CONTEXT *
-CRYPTO_gcm128_new(void *key, block128_f block)
-{
-        GCM128_CONTEXT *ret;
-
-        if ((ret = malloc(sizeof(GCM128_CONTEXT))))
-                CRYPTO_gcm128_init(ret, key, block);
-
-        return ret;
-}
-LCRYPTO_ALIAS(CRYPTO_gcm128_new);
+        if (len > sizeof(ctx->Xi.c))
+                len = sizeof(ctx->Xi.c);
 
-void
-CRYPTO_gcm128_release(GCM128_CONTEXT *ctx)
-{
-        freezero(ctx, sizeof(*ctx));
+        memcpy(tag, ctx->Xi.c, len);
 }
-LCRYPTO_ALIAS(CRYPTO_gcm128_release);
+LCRYPTO_ALIAS(CRYPTO_gcm128_tag);
diff --git a/src/lib/libcrypto/modes/gcm128_amd64.c b/src/lib/libcrypto/modes/gcm128_amd64.c
new file mode 100644
index 0000000000..eaa66fb32f
--- /dev/null
+++ b/src/lib/libcrypto/modes/gcm128_amd64.c
@@ -0,0 +1,44 @@
+/* $OpenBSD: gcm128_amd64.c,v 1.1 2025/06/28 12:39:10 jsing Exp $ */
+/*
+ * Copyright (c) 2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "crypto_arch.h"
+#include "modes_local.h"
+
+void gcm_init_4bit(u128 Htable[16], uint64_t H[2]);
+void gcm_gmult_4bit(uint64_t Xi[2], const u128 Htable[16]);
+void gcm_ghash_4bit(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+    size_t len);
+
+void gcm_init_clmul(u128 Htable[16], const uint64_t Xi[2]);
+void gcm_gmult_clmul(uint64_t Xi[2], const u128 Htable[16]);
+void gcm_ghash_clmul(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+    size_t len);
+
+void
+gcm128_init(GCM128_CONTEXT *ctx)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_CLMUL) != 0) {
+                gcm_init_clmul(ctx->Htable, ctx->H.u);
+                ctx->gmult = gcm_gmult_clmul;
+                ctx->ghash = gcm_ghash_clmul;
+                return;
+        }
+
+        gcm_init_4bit(ctx->Htable, ctx->H.u);
+        ctx->gmult = gcm_gmult_4bit;
+        ctx->ghash = gcm_ghash_4bit;
+}
diff --git a/src/lib/libcrypto/modes/gcm128_i386.c b/src/lib/libcrypto/modes/gcm128_i386.c
new file mode 100644
index 0000000000..ac517fdb04
--- /dev/null
+++ b/src/lib/libcrypto/modes/gcm128_i386.c
@@ -0,0 +1,56 @@
+/* $OpenBSD: gcm128_i386.c,v 1.1 2025/06/28 12:39:10 jsing Exp $ */
+/*
+ * Copyright (c) 2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "crypto_arch.h"
+#include "modes_local.h"
+
+void gcm_init_4bit(u128 Htable[16], uint64_t H[2]);
+
+void gcm_gmult_4bit_mmx(uint64_t Xi[2], const u128 Htable[16]);
+void gcm_ghash_4bit_mmx(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+    size_t len);
+
+void gcm_gmult_4bit_x86(uint64_t Xi[2], const u128 Htable[16]);
+void gcm_ghash_4bit_x86(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+    size_t len);
+
+void gcm_init_clmul(u128 Htable[16], const uint64_t Xi[2]);
+void gcm_gmult_clmul(uint64_t Xi[2], const u128 Htable[16]);
+void gcm_ghash_clmul(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+    size_t len);
+
+void
+gcm128_init(GCM128_CONTEXT *ctx)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_CLMUL) != 0) {
+                gcm_init_clmul(ctx->Htable, ctx->H.u);
+                ctx->gmult = gcm_gmult_clmul;
+                ctx->ghash = gcm_ghash_clmul;
+                return;
+        }
+
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_MMX) != 0) {
+                gcm_init_4bit(ctx->Htable, ctx->H.u);
+                ctx->gmult = gcm_gmult_4bit_mmx;
+                ctx->ghash = gcm_ghash_4bit_mmx;
+                return;
+        }
+
+        gcm_init_4bit(ctx->Htable, ctx->H.u);
+        ctx->gmult = gcm_gmult_4bit_x86;
+        ctx->ghash = gcm_ghash_4bit_x86;
+}
diff --git a/src/lib/libcrypto/modes/modes_local.h b/src/lib/libcrypto/modes/modes_local.h
index c04db034d0..5c1acfc25f 100644
--- a/src/lib/libcrypto/modes/modes_local.h
+++ b/src/lib/libcrypto/modes/modes_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: modes_local.h,v 1.4 2025/04/23 14:15:19 jsing Exp $ */
+/* $OpenBSD: modes_local.h,v 1.7 2025/07/13 06:01:33 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
  *
@@ -15,67 +15,47 @@
 __BEGIN_HIDDEN_DECLS
 
 #if defined(_LP64)
-typedef long i64;
-typedef unsigned long u64;
 #define U64(C) C##UL
 #else
-typedef long long i64;
-typedef unsigned long long u64;
 #define U64(C) C##ULL
 #endif
 
-typedef unsigned int u32;
-typedef unsigned char u8;
-
 /* GCM definitions */
 
 typedef struct {
-        u64 hi, lo;
+        uint64_t hi, lo;
 } u128;
 
-#ifdef  TABLE_BITS
-#undef  TABLE_BITS
-#endif
-/*
- * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
- * never be set to 8 [or 1]. For further information see gcm128.c.
- */
-#define TABLE_BITS 4
-
 struct gcm128_context {
         /* Following 6 names follow names in GCM specification */
         union {
-                u64 u[2];
-                u32 d[4];
-                u8 c[16];
+                uint64_t u[2];
+                uint32_t d[4];
+                uint8_t c[16];
                 size_t t[16/sizeof(size_t)];
         } Yi, EKi, EK0, len, Xi, H;
         /* Relative position of Xi, H and pre-computed Htable is used
          * in some assembler modules, i.e. don't change the order! */
-#if TABLE_BITS==8
-        u128 Htable[256];
-#else
         u128 Htable[16];
-        void (*gmult)(u64 Xi[2], const u128 Htable[16]);
-        void (*ghash)(u64 Xi[2], const u128 Htable[16], const u8 *inp,
+        void (*gmult)(uint64_t Xi[2], const u128 Htable[16]);
+        void (*ghash)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
             size_t len);
-#endif
         unsigned int mres, ares;
         block128_f block;
         void *key;
 };
 
 struct xts128_context {
-        void      *key1, *key2;
+        const void *key1, *key2;
         block128_f block1, block2;
 };
 
 struct ccm128_context {
         union {
-                u64 u[2];
-                u8 c[16];
+                uint64_t u[2];
+                uint8_t c[16];
         } nonce, cmac;
-        u64 blocks;
+        uint64_t blocks;
         block128_f block;
         void *key;
 };
diff --git a/src/lib/libcrypto/modes/xts128.c b/src/lib/libcrypto/modes/xts128.c
index 789af9ef65..9c863e73d6 100644
--- a/src/lib/libcrypto/modes/xts128.c
+++ b/src/lib/libcrypto/modes/xts128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: xts128.c,v 1.14 2025/04/21 16:01:18 jsing Exp $ */
+/* $OpenBSD: xts128.c,v 1.15 2025/05/18 09:05:59 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
  *
@@ -61,9 +61,9 @@ CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
     size_t len, int enc)
 {
         union {
-                u64 u[2];
-                u32 d[4];
-                u8 c[16];
+                uint64_t u[2];
+                uint32_t d[4];
+                uint8_t c[16];
         } tweak, scratch;
         unsigned int i;
 
@@ -83,8 +83,8 @@ CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
                 scratch.u[0] ^= tweak.u[0];
                 scratch.u[1] ^= tweak.u[1];
 #else
-                scratch.u[0] = ((u64 *)inp)[0] ^ tweak.u[0];
-                scratch.u[1] = ((u64 *)inp)[1] ^ tweak.u[1];
+                scratch.u[0] = ((uint64_t *)inp)[0] ^ tweak.u[0];
+                scratch.u[1] = ((uint64_t *)inp)[1] ^ tweak.u[1];
 #endif
                 (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
 #ifdef __STRICT_ALIGNMENT
@@ -92,8 +92,8 @@ CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
                 scratch.u[1] ^= tweak.u[1];
                 memcpy(out, scratch.c, 16);
 #else
-                ((u64 *)out)[0] = scratch.u[0] ^= tweak.u[0];
-                ((u64 *)out)[1] = scratch.u[1] ^= tweak.u[1];
+                ((uint64_t *)out)[0] = scratch.u[0] ^= tweak.u[0];
+                ((uint64_t *)out)[1] = scratch.u[1] ^= tweak.u[1];
 #endif
                 inp += 16;
                 out += 16;
@@ -115,15 +115,15 @@ CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
                 for (c = 0, i = 0; i < 16; ++i) {
                         /*+ substitutes for |, because c is 1 bit */
                         c += ((size_t)tweak.c[i]) << 1;
-                        tweak.c[i] = (u8)c;
+                        tweak.c[i] = (uint8_t)c;
                         c = c >> 8;
                 }
-                tweak.c[0] ^= (u8)(0x87 & (0 - c));
+                tweak.c[0] ^= (uint8_t)(0x87 & (0 - c));
 #endif
         }
         if (enc) {
                 for (i = 0; i < len; ++i) {
-                        u8 ch = inp[i];
+                        uint8_t ch = inp[i];
                         out[i] = scratch.c[i];
                         scratch.c[i] = ch;
                 }
@@ -135,8 +135,8 @@ CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
                 memcpy(out - 16, scratch.c, 16);
         } else {
                 union {
-                        u64 u[2];
-                        u8 c[16];
+                        uint64_t u[2];
+                        uint8_t c[16];
                 } tweak1;
 
 #if BYTE_ORDER == LITTLE_ENDIAN
@@ -152,25 +152,25 @@ CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
                 for (c = 0, i = 0; i < 16; ++i) {
                         /*+ substitutes for |, because c is 1 bit */
                         c += ((size_t)tweak.c[i]) << 1;
-                        tweak1.c[i] = (u8)c;
+                        tweak1.c[i] = (uint8_t)c;
                         c = c >> 8;
                 }
-                tweak1.c[0] ^= (u8)(0x87 & (0 - c));
+                tweak1.c[0] ^= (uint8_t)(0x87 & (0 - c));
 #endif
 #ifdef __STRICT_ALIGNMENT
                 memcpy(scratch.c, inp, 16);
                 scratch.u[0] ^= tweak1.u[0];
                 scratch.u[1] ^= tweak1.u[1];
 #else
-                scratch.u[0] = ((u64 *)inp)[0] ^ tweak1.u[0];
-                scratch.u[1] = ((u64 *)inp)[1] ^ tweak1.u[1];
+                scratch.u[0] = ((uint64_t *)inp)[0] ^ tweak1.u[0];
+                scratch.u[1] = ((uint64_t *)inp)[1] ^ tweak1.u[1];
 #endif
                 (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
                 scratch.u[0] ^= tweak1.u[0];
                 scratch.u[1] ^= tweak1.u[1];
 
                 for (i = 0; i < len; ++i) {
-                        u8 ch = inp[16 + i];
+                        uint8_t ch = inp[16 + i];
                         out[16 + i] = scratch.c[i];
                         scratch.c[i] = ch;
                 }
@@ -182,8 +182,8 @@ CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
                 scratch.u[1] ^= tweak.u[1];
                 memcpy(out, scratch.c, 16);
 #else
-                ((u64 *)out)[0] = scratch.u[0] ^ tweak.u[0];
-                ((u64 *)out)[1] = scratch.u[1] ^ tweak.u[1];
+                ((uint64_t *)out)[0] = scratch.u[0] ^ tweak.u[0];
+                ((uint64_t *)out)[1] = scratch.u[1] ^ tweak.u[1];
 #endif
         }
 
diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c
index 2f4012fe15..d4da6be52c 100644
--- a/src/lib/libcrypto/objects/obj_dat.c
+++ b/src/lib/libcrypto/objects/obj_dat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: obj_dat.c,v 1.94 2025/02/26 10:48:25 tb Exp $ */
+/* $OpenBSD: obj_dat.c,v 1.95 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -66,11 +66,11 @@
 
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 /* obj_dat.h is generated from objects.h by obj_dat.pl */
 #include "obj_dat.h"
diff --git a/src/lib/libcrypto/objects/obj_lib.c b/src/lib/libcrypto/objects/obj_lib.c
index 45062dbd4c..56b0b10423 100644
--- a/src/lib/libcrypto/objects/obj_lib.c
+++ b/src/lib/libcrypto/objects/obj_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: obj_lib.c,v 1.19 2023/08/17 09:13:01 tb Exp $ */
+/* $OpenBSD: obj_lib.c,v 1.20 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,12 +59,12 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/buffer.h>
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 ASN1_OBJECT *
 OBJ_dup(const ASN1_OBJECT *o)
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
index 728bf02400..124aafec77 100644
--- a/src/lib/libcrypto/objects/obj_mac.num
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -1053,3 +1053,6 @@ RSA_SHA3_512	1052
 acmeIdentifier  1053
 id_ct_rpkiSignedPrefixList      1054
 tls1_prf        1055
+MLKEM768_X25519 1056
+MLKEM768_ECDH_P256      1057
+MLKEM768_ECDH_P384      1058
diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt
index 4d5a52efcf..bdf6ea9fe3 100644
--- a/src/lib/libcrypto/objects/objects.txt
+++ b/src/lib/libcrypto/objects/objects.txt
@@ -1477,3 +1477,9 @@ tc26 1 3 3		: id-tc26-signwithdigest-gost3410-2012-512 : GOST R 34.11-2012 with
                         : AuthECDSA             : auth-ecdsa
                         : AuthGOST01            : auth-gost01
                         : AuthNULL              : auth-null
+
+# Hybrid KEMs from
+# https://www.ietf.org/archive/id/draft-ietf-lamps-pq-composite-kem-06.html#section-7.1
+2 16 840 1 114027 80 5 2 33             : MLKEM768-X25519
+2 16 840 1 114027 80 5 2 34             : MLKEM768-ECDH-P256
+2 16 840 1 114027 80 5 2 35             : MLKEM768-ECDH-P384
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
index d8ee33c391..460c1bce5e 100644
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_cl.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
+/* $OpenBSD: ocsp_cl.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
  * project. */
 
@@ -64,7 +64,6 @@
 #include <stdio.h>
 #include <time.h>
 
-#include <openssl/err.h>
 #include <openssl/ocsp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
@@ -73,6 +72,7 @@
 #include <openssl/x509v3.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "ocsp_local.h"
 
 /* Utility functions related to sending OCSP requests and extracting
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
index 69723c2154..db83b35518 100644
--- a/src/lib/libcrypto/ocsp/ocsp_ht.c
+++ b/src/lib/libcrypto/ocsp/ocsp_ht.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_ht.c,v 1.27 2023/11/28 09:29:20 jsg Exp $ */
+/* $OpenBSD: ocsp_ht.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -60,11 +60,13 @@
 #include <stdlib.h>
 #include <ctype.h>
 #include <string.h>
+
 #include <openssl/asn1.h>
 #include <openssl/ocsp.h>
-#include <openssl/err.h>
 #include <openssl/buffer.h>
 
+#include "err_local.h"
+
 /* Stateful OCSP request code, supporting non-blocking I/O */
 
 /* Opaque OCSP request status structure */
diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
index 521fb67aed..dfa002a594 100644
--- a/src/lib/libcrypto/ocsp/ocsp_lib.c
+++ b/src/lib/libcrypto/ocsp/ocsp_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_lib.c,v 1.28 2024/08/28 06:27:19 tb Exp $ */
+/* $OpenBSD: ocsp_lib.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
  * project. */
 
@@ -67,13 +67,13 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/ocsp.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "ocsp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/ocsp/ocsp_prn.c b/src/lib/libcrypto/ocsp/ocsp_prn.c
index fb7b9651d9..537d5e3d20 100644
--- a/src/lib/libcrypto/ocsp/ocsp_prn.c
+++ b/src/lib/libcrypto/ocsp/ocsp_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_prn.c,v 1.11 2024/08/28 06:18:44 tb Exp $ */
+/* $OpenBSD: ocsp_prn.c,v 1.12 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
  * project. */
 
@@ -62,7 +62,6 @@
  */
 
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include <openssl/ocsp.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c
index 77c5e2e0fd..4b1d73d7ac 100644
--- a/src/lib/libcrypto/ocsp/ocsp_srv.c
+++ b/src/lib/libcrypto/ocsp/ocsp_srv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_srv.c,v 1.13 2023/07/08 10:44:00 beck Exp $ */
+/* $OpenBSD: ocsp_srv.c,v 1.14 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -58,13 +58,13 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/ocsp.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "ocsp_local.h"
 
 /* Utility functions related to sending OCSP responses and extracting
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c
index 27d2283ea7..185839f465 100644
--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_vfy.c,v 1.24 2024/07/12 18:15:10 beck Exp $ */
+/* $OpenBSD: ocsp_vfy.c,v 1.25 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -57,9 +57,9 @@
  */
 
 #include <openssl/ocsp.h>
-#include <openssl/err.h>
 #include <string.h>
 
+#include "err_local.h"
 #include "ocsp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/pem/pem.h b/src/lib/libcrypto/pem/pem.h
index 4fdab48bb2..709e17308b 100644
--- a/src/lib/libcrypto/pem/pem.h
+++ b/src/lib/libcrypto/pem/pem.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem.h,v 1.28 2024/05/11 05:41:28 tb Exp $ */
+/* $OpenBSD: pem.h,v 1.29 2025/07/16 15:59:26 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -338,8 +338,6 @@ int	PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
 
 STACK_OF(X509_INFO) *   PEM_X509_INFO_read_bio(BIO *bp,
             STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u);
-int     PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
-            unsigned char *kstr, int klen, pem_password_cb *cd, void *u);
 #endif
 
 int     PEM_read(FILE *fp, char **name, char **header,
@@ -351,8 +349,6 @@ void *  PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x,
 int     PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp,
             void *x, const EVP_CIPHER *enc, unsigned char *kstr,
             int klen, pem_password_cb *callback, void *u);
-STACK_OF(X509_INFO) *   PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
-            pem_password_cb *cb, void *u);
 
 int    PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type);
 int    PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt);
diff --git a/src/lib/libcrypto/pem/pem_info.c b/src/lib/libcrypto/pem/pem_info.c
index b979c79b33..26061f6f08 100644
--- a/src/lib/libcrypto/pem/pem_info.c
+++ b/src/lib/libcrypto/pem/pem_info.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_info.c,v 1.27 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: pem_info.c,v 1.33 2025/07/16 15:59:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,43 +57,81 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
 
-#include <openssl/buffer.h>
+#include <openssl/asn1.h>
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/dsa.h>
+#include <openssl/ec.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
-#include <openssl/x509.h>
-
-#ifndef OPENSSL_NO_DSA
-#include <openssl/dsa.h>
-#endif
-#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
-#endif
+#include <openssl/x509.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 
-STACK_OF(X509_INFO) *
-PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb,
-    void *u)
+X509_PKEY *
+X509_PKEY_new(void)
+{
+        X509_PKEY *x_pkey;
+
+        if ((x_pkey = calloc(1, sizeof(*x_pkey))) == NULL) {
+                ASN1error(ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        return x_pkey;
+}
+
+void
+X509_PKEY_free(X509_PKEY *x_pkey)
+{
+        if (x_pkey == NULL)
+                return;
+
+        EVP_PKEY_free(x_pkey->dec_pkey);
+        free(x_pkey);
+}
+
+X509_INFO *
+X509_INFO_new(void)
 {
-        BIO *b;
-        STACK_OF(X509_INFO) *ret;
+        X509_INFO *ret;
 
-        if ((b = BIO_new(BIO_s_file())) == NULL) {
-                PEMerror(ERR_R_BUF_LIB);
-                return (0);
+        if ((ret = calloc(1, sizeof(X509_INFO))) == NULL) {
+                ASN1error(ERR_R_MALLOC_FAILURE);
+                return NULL;
         }
-        BIO_set_fp(b, fp, BIO_NOCLOSE);
-        ret = PEM_X509_INFO_read_bio(b, sk, cb, u);
-        BIO_free(b);
-        return (ret);
+        ret->references = 1;
+
+        return ret;
+}
+LCRYPTO_ALIAS(X509_INFO_new);
+
+void
+X509_INFO_free(X509_INFO *x)
+{
+        if (x == NULL)
+                return;
+
+        if (CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO) > 0)
+                return;
+
+        X509_free(x->x509);
+        X509_CRL_free(x->crl);
+        X509_PKEY_free(x->x_pkey);
+        free(x->enc_data);
+
+        free(x);
 }
-LCRYPTO_ALIAS(PEM_X509_INFO_read);
+LCRYPTO_ALIAS(X509_INFO_free);
 
 STACK_OF(X509_INFO) *
 PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb,
@@ -290,98 +328,3 @@ err:
         return ret;
 }
 LCRYPTO_ALIAS(PEM_X509_INFO_read_bio);
-
-
-/* A TJH addition */
-int
-PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
-    unsigned char *kstr, int klen, pem_password_cb *cb, void *u)
-{
-        EVP_CIPHER_CTX ctx;
-        int i, ret = 0;
-        unsigned char *data = NULL;
-        const char *objstr = NULL;
-        char buf[PEM_BUFSIZE];
-        unsigned char *iv = NULL;
-
-        if (enc != NULL) {
-                objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
-                if (objstr == NULL) {
-                        PEMerror(PEM_R_UNSUPPORTED_CIPHER);
-                        goto err;
-                }
-        }
-
-        /* now for the fun part ... if we have a private key then
-         * we have to be able to handle a not-yet-decrypted key
-         * being written out correctly ... if it is decrypted or
-         * it is non-encrypted then we use the base code
-         */
-        if (xi->x_pkey != NULL) {
-                if ((xi->enc_data != NULL) && (xi->enc_len > 0) ) {
-                        if (enc == NULL) {
-                                PEMerror(PEM_R_CIPHER_IS_NULL);
-                                goto err;
-                        }
-
-                        /* copy from weirdo names into more normal things */
-                        iv = xi->enc_cipher.iv;
-                        data = (unsigned char *)xi->enc_data;
-                        i = xi->enc_len;
-
-                        /* we take the encryption data from the
-                         * internal stuff rather than what the
-                         * user has passed us ... as we have to
-                         * match exactly for some strange reason
-                         */
-                        objstr = OBJ_nid2sn(
-                            EVP_CIPHER_nid(xi->enc_cipher.cipher));
-                        if (objstr == NULL) {
-                                PEMerror(PEM_R_UNSUPPORTED_CIPHER);
-                                goto err;
-                        }
-
-                        /* create the right magic header stuff */
-                        if (strlen(objstr) + 23 + 2 * enc->iv_len + 13 >
-                            sizeof buf) {
-                                PEMerror(ASN1_R_BUFFER_TOO_SMALL);
-                                goto err;
-                        }
-                        buf[0] = '\0';
-                        PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
-                        PEM_dek_info(buf, objstr, enc->iv_len, (char *)iv);
-
-                        /* use the normal code to write things out */
-                        i = PEM_write_bio(bp, PEM_STRING_RSA, buf, data, i);
-                        if (i <= 0)
-                                goto err;
-                } else {
-                        /* Add DSA/DH */
-#ifndef OPENSSL_NO_RSA
-                        /* normal optionally encrypted stuff */
-                        if (PEM_write_bio_RSAPrivateKey(bp,
-                            xi->x_pkey->dec_pkey->pkey.rsa,
-                            enc, kstr, klen, cb, u) <= 0)
-                                goto err;
-#endif
-                }
-        }
-
-        /* if we have a certificate then write it out now */
-        if ((xi->x509 != NULL) && (PEM_write_bio_X509(bp, xi->x509) <= 0))
-                goto err;
-
-        /* we are ignoring anything else that is loaded into the X509_INFO
-         * structure for the moment ... as I don't need it so I'm not
-         * coding it here and Eric can do it when this makes it into the
-         * base library --tjh
-         */
-
-        ret = 1;
-
-err:
-        explicit_bzero((char *)&ctx, sizeof(ctx));
-        explicit_bzero(buf, PEM_BUFSIZE);
-        return (ret);
-}
-LCRYPTO_ALIAS(PEM_X509_INFO_write_bio);
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index 30db092c3e..7c7f776cae 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_lib.c,v 1.56 2024/02/18 15:44:10 tb Exp $ */
+/* $OpenBSD: pem_lib.c,v 1.57 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -64,7 +64,6 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
@@ -76,6 +75,7 @@
 #endif
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 #define MIN_LENGTH      4
diff --git a/src/lib/libcrypto/pem/pem_oth.c b/src/lib/libcrypto/pem/pem_oth.c
index 2dca978efd..d466179ad7 100644
--- a/src/lib/libcrypto/pem/pem_oth.c
+++ b/src/lib/libcrypto/pem/pem_oth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_oth.c,v 1.9 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: pem_oth.c,v 1.10 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,12 +59,13 @@
 #include <stdio.h>
 
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
+
 /* Handle 'other' PEMs: not private keys */
 
 void *
diff --git a/src/lib/libcrypto/pem/pem_pk8.c b/src/lib/libcrypto/pem/pem_pk8.c
index 6d0c0cbd57..16bde39a7e 100644
--- a/src/lib/libcrypto/pem/pem_pk8.c
+++ b/src/lib/libcrypto/pem/pem_pk8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_pk8.c,v 1.14 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: pem_pk8.c,v 1.15 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,13 +60,13 @@
 #include <string.h>
 
 #include <openssl/buffer.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
+
 static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid,
     const EVP_CIPHER *enc, char *kstr, int klen, pem_password_cb *cb, void *u);
 static int do_pk8pkey_fp(FILE *bp, EVP_PKEY *x, int isder, int nid,
diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c
index d7001c83cc..df8ebaa036 100644
--- a/src/lib/libcrypto/pem/pem_pkey.c
+++ b/src/lib/libcrypto/pem/pem_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_pkey.c,v 1.28 2023/11/19 15:46:10 tb Exp $ */
+/* $OpenBSD: pem_pkey.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,7 +62,6 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
@@ -70,6 +69,7 @@
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 int pem_check_suffix(const char *pem_str, const char *suffix);
diff --git a/src/lib/libcrypto/pem/pem_sign.c b/src/lib/libcrypto/pem/pem_sign.c
index 461f957445..878be01b70 100644
--- a/src/lib/libcrypto/pem/pem_sign.c
+++ b/src/lib/libcrypto/pem/pem_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_sign.c,v 1.15 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: pem_sign.c,v 1.16 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -58,12 +58,13 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
+
 int
 PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
 {
diff --git a/src/lib/libcrypto/pem/pvkfmt.c b/src/lib/libcrypto/pem/pvkfmt.c
index 40c9feefe5..395fd9df83 100644
--- a/src/lib/libcrypto/pem/pvkfmt.c
+++ b/src/lib/libcrypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.28 2024/02/18 15:45:42 tb Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.30 2025/06/07 09:32:35 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -66,7 +66,6 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 
 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
@@ -75,6 +74,7 @@
 
 #include "bn_local.h"
 #include "dsa_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "rsa_local.h"
 
@@ -803,8 +803,8 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
 
  err:
         EVP_CIPHER_CTX_free(cctx);
-        if (enctmp && saltlen)
-                free(enctmp);
+        free(enctmp);
+
         return ret;
 }
 
diff --git a/src/lib/libcrypto/pkcs12/p12_add.c b/src/lib/libcrypto/pkcs12/p12_add.c
index f6f42c558c..e45218ba96 100644
--- a/src/lib/libcrypto/pkcs12/p12_add.c
+++ b/src/lib/libcrypto/pkcs12/p12_add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_add.c,v 1.25 2024/03/02 10:20:27 tb Exp $ */
+/* $OpenBSD: p12_add.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -58,9 +58,9 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
 
+#include "err_local.h"
 #include "pkcs12_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index 502ccecd25..321115cfcd 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_crt.c,v 1.26 2024/08/22 12:22:42 tb Exp $ */
+/* $OpenBSD: p12_crt.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -58,10 +58,10 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "pkcs12_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/pkcs12/p12_decr.c b/src/lib/libcrypto/pkcs12/p12_decr.c
index 907d4e52a6..8466e92415 100644
--- a/src/lib/libcrypto/pkcs12/p12_decr.c
+++ b/src/lib/libcrypto/pkcs12/p12_decr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_decr.c,v 1.26 2024/03/02 10:15:16 tb Exp $ */
+/* $OpenBSD: p12_decr.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -59,9 +59,9 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 
 /* Encrypt/Decrypt a buffer based on password and algor, result in a
diff --git a/src/lib/libcrypto/pkcs12/p12_init.c b/src/lib/libcrypto/pkcs12/p12_init.c
index cd9422d215..ac0f1eeb57 100644
--- a/src/lib/libcrypto/pkcs12/p12_init.c
+++ b/src/lib/libcrypto/pkcs12/p12_init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_init.c,v 1.17 2024/03/24 06:48:03 tb Exp $ */
+/* $OpenBSD: p12_init.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -58,9 +58,9 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
 
+#include "err_local.h"
 #include "pkcs12_local.h"
 
 /* Initialise a PKCS12 structure to take data */
diff --git a/src/lib/libcrypto/pkcs12/p12_key.c b/src/lib/libcrypto/pkcs12/p12_key.c
index 443d632c87..29a99bbca4 100644
--- a/src/lib/libcrypto/pkcs12/p12_key.c
+++ b/src/lib/libcrypto/pkcs12/p12_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_key.c,v 1.36 2025/03/09 15:45:52 tb Exp $ */
+/* $OpenBSD: p12_key.c,v 1.37 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,9 +60,9 @@
 #include <string.h>
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "pkcs12_local.h"
 
diff --git a/src/lib/libcrypto/pkcs12/p12_kiss.c b/src/lib/libcrypto/pkcs12/p12_kiss.c
index e4de2eb61c..f6f09ff2de 100644
--- a/src/lib/libcrypto/pkcs12/p12_kiss.c
+++ b/src/lib/libcrypto/pkcs12/p12_kiss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_kiss.c,v 1.28 2025/01/06 23:35:25 tb Exp $ */
+/* $OpenBSD: p12_kiss.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -58,9 +58,9 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
 
+#include "err_local.h"
 #include "pkcs12_local.h"
 
 /* Simplified PKCS#12 routines */
diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index 2060358188..4a9d0f9757 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_mutl.c,v 1.38 2024/03/24 06:48:03 tb Exp $ */
+/* $OpenBSD: p12_mutl.c,v 1.40 2025/06/03 08:42:15 kenjiro Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -64,10 +64,10 @@
 
 #ifndef OPENSSL_NO_HMAC
 
-#include <openssl/err.h>
 #include <openssl/hmac.h>
 #include <openssl/pkcs12.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "hmac_local.h"
 #include "pkcs12_local.h"
@@ -189,10 +189,10 @@ PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
                 PKCS12error(PKCS12_R_MAC_GENERATION_ERROR);
                 return 0;
         }
-        if ((maclen != (unsigned int)p12->mac->dinfo->digest->length) ||
-            memcmp(mac, p12->mac->dinfo->digest->data, maclen))
+        if (maclen != (unsigned int)p12->mac->dinfo->digest->length)
                 return 0;
-        return 1;
+
+        return timingsafe_memcmp(mac, p12->mac->dinfo->digest->data, maclen) == 0;
 }
 LCRYPTO_ALIAS(PKCS12_verify_mac);
 
diff --git a/src/lib/libcrypto/pkcs12/p12_npas.c b/src/lib/libcrypto/pkcs12/p12_npas.c
index 6d3b43ce22..c78deb9182 100644
--- a/src/lib/libcrypto/pkcs12/p12_npas.c
+++ b/src/lib/libcrypto/pkcs12/p12_npas.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_npas.c,v 1.27 2024/01/25 15:33:35 tb Exp $ */
+/* $OpenBSD: p12_npas.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,9 +60,9 @@
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/pem.h>
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
 
+#include "err_local.h"
 #include "pkcs12_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/pkcs12/p12_p8e.c b/src/lib/libcrypto/pkcs12/p12_p8e.c
index bf61593266..a8a5039dfb 100644
--- a/src/lib/libcrypto/pkcs12/p12_p8e.c
+++ b/src/lib/libcrypto/pkcs12/p12_p8e.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_p8e.c,v 1.13 2024/03/02 10:15:16 tb Exp $ */
+/* $OpenBSD: p12_p8e.c,v 1.14 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -58,9 +58,9 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
 
+#include "err_local.h"
 #include "pkcs12_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/pkcs12/p12_sbag.c b/src/lib/libcrypto/pkcs12/p12_sbag.c
index 1664e9409d..5fea54073b 100644
--- a/src/lib/libcrypto/pkcs12/p12_sbag.c
+++ b/src/lib/libcrypto/pkcs12/p12_sbag.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_sbag.c,v 1.9 2024/03/24 06:48:03 tb Exp $ */
+/* $OpenBSD: p12_sbag.c,v 1.10 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
  * 1999-2018.
@@ -59,9 +59,9 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
 
+#include "err_local.h"
 #include "pkcs12_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h
index 200712039b..aec0362806 100644
--- a/src/lib/libcrypto/pkcs12/pkcs12.h
+++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.h,v 1.29 2025/03/09 15:45:52 tb Exp $ */
+/* $OpenBSD: pkcs12.h,v 1.30 2025/05/10 19:01:16 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -77,7 +77,7 @@ extern "C" {
 
 #define PKCS12_MAC_KEY_LENGTH 20
 
-#define PKCS12_SALT_LEN 8
+#define PKCS12_SALT_LEN 16
 
 /* Uncomment out next line for unicode password and names, otherwise ASCII */
 
diff --git a/src/lib/libcrypto/pkcs7/pk7_asn1.c b/src/lib/libcrypto/pkcs7/pk7_asn1.c
index 8a6ae487da..be1c4c1a1d 100644
--- a/src/lib/libcrypto/pkcs7/pk7_asn1.c
+++ b/src/lib/libcrypto/pkcs7/pk7_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_asn1.c,v 1.18 2024/07/08 16:23:27 beck Exp $ */
+/* $OpenBSD: pk7_asn1.c,v 1.19 2025/06/11 18:11:55 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -84,7 +84,6 @@ static const ASN1_ADB_TABLE PKCS7_adbtbl[] = {
                         .field_name = "d.data",
                         .item = &ASN1_OCTET_STRING_NDEF_it,
                 },
-        
         },
         {
                 .value = NID_pkcs7_signed,
@@ -95,7 +94,6 @@ static const ASN1_ADB_TABLE PKCS7_adbtbl[] = {
                         .field_name = "d.sign",
                         .item = &PKCS7_SIGNED_it,
                 },
-        
         },
         {
                 .value = NID_pkcs7_enveloped,
@@ -106,7 +104,6 @@ static const ASN1_ADB_TABLE PKCS7_adbtbl[] = {
                         .field_name = "d.enveloped",
                         .item = &PKCS7_ENVELOPE_it,
                 },
-        
         },
         {
                 .value = NID_pkcs7_signedAndEnveloped,
@@ -117,7 +114,6 @@ static const ASN1_ADB_TABLE PKCS7_adbtbl[] = {
                         .field_name = "d.signed_and_enveloped",
                         .item = &PKCS7_SIGN_ENVELOPE_it,
                 },
-        
         },
         {
                 .value = NID_pkcs7_digest,
@@ -128,7 +124,6 @@ static const ASN1_ADB_TABLE PKCS7_adbtbl[] = {
                         .field_name = "d.digest",
                         .item = &PKCS7_DIGEST_it,
                 },
-        
         },
         {
                 .value = NID_pkcs7_encrypted,
@@ -139,7 +134,6 @@ static const ASN1_ADB_TABLE PKCS7_adbtbl[] = {
                         .field_name = "d.encrypted",
                         .item = &PKCS7_ENCRYPT_it,
                 },
-        
         },
 };
 
diff --git a/src/lib/libcrypto/pkcs7/pk7_attr.c b/src/lib/libcrypto/pkcs7/pk7_attr.c
index 52463aa3a3..f2e17806db 100644
--- a/src/lib/libcrypto/pkcs7/pk7_attr.c
+++ b/src/lib/libcrypto/pkcs7/pk7_attr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_attr.c,v 1.15 2024/02/19 15:37:44 tb Exp $ */
+/* $OpenBSD: pk7_attr.c,v 1.22 2025/07/31 02:24:21 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -59,23 +59,48 @@
 #include <stdio.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
 #include <openssl/x509.h>
 
+#include "asn1_local.h"
+#include "err_local.h"
+#include "x509_local.h"
+
 int
 PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap)
 {
-        ASN1_STRING *seq;
-        if (!(seq = ASN1_STRING_new())) {
+        ASN1_STRING *seq = NULL;
+        unsigned char *data = NULL;
+        int len = 0;
+        int ret = 0;
+
+        if ((len = i2d_X509_ALGORS(cap, &data)) <= 0) {
+                len = 0;
+                goto err;
+        }
+
+        if ((seq = ASN1_STRING_new()) == NULL) {
                 PKCS7error(ERR_R_MALLOC_FAILURE);
-                return 0;
+                goto err;
         }
-        seq->length = ASN1_item_i2d((ASN1_VALUE *)cap, &seq->data,
-            &X509_ALGORS_it);
-        return PKCS7_add_signed_attribute(si, NID_SMIMECapabilities,
-            V_ASN1_SEQUENCE, seq);
+
+        ASN1_STRING_set0(seq, data, len);
+        data = NULL;
+        len = 0;
+
+        if (!PKCS7_add_signed_attribute(si, NID_SMIMECapabilities,
+            V_ASN1_SEQUENCE, seq))
+                goto err;
+        seq = NULL;
+
+        ret = 1;
+
+ err:
+        ASN1_STRING_free(seq);
+        freezero(data, len);
+
+        return ret;
 }
 LCRYPTO_ALIAS(PKCS7_add_attrib_smimecap);
 
@@ -84,51 +109,60 @@ PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
 {
         ASN1_TYPE *cap;
         const unsigned char *p;
+        int len;
 
-        cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
-        if (!cap || (cap->type != V_ASN1_SEQUENCE))
+        if ((cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities)) == NULL)
+                return NULL;
+        if (cap->type != V_ASN1_SEQUENCE)
                 return NULL;
+
         p = cap->value.sequence->data;
-        return (STACK_OF(X509_ALGOR) *)
-        ASN1_item_d2i(NULL, &p, cap->value.sequence->length,
-            &X509_ALGORS_it);
+        len = cap->value.sequence->length;
+
+        return d2i_X509_ALGORS(NULL, &p, len);
 }
 LCRYPTO_ALIAS(PKCS7_get_smimecap);
 
-/* Basic smime-capabilities OID and optional integer arg */
+/*
+ * Add AlgorithmIdentifier OID of type |nid| to the SMIMECapability attribute
+ * set |sk| (see RFC 3851, section 2.5.2). If keysize > 0, the OID has an
+ * integer parameter of value |keysize|, otherwise parameters are omitted.
+ *
+ * See also CMS_add_simple_smimecap().
+ */
 int
-PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg)
+PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int keysize)
 {
-        X509_ALGOR *alg;
+        X509_ALGOR *alg = NULL;
+        ASN1_INTEGER *parameter = NULL;
+        int parameter_type = V_ASN1_UNDEF;
+        int ret = 0;
 
-        if (!(alg = X509_ALGOR_new())) {
-                PKCS7error(ERR_R_MALLOC_FAILURE);
-                return 0;
-        }
-        ASN1_OBJECT_free(alg->algorithm);
-        alg->algorithm = OBJ_nid2obj(nid);
-        if (arg > 0) {
-                ASN1_INTEGER *nbit;
-
-                if (!(alg->parameter = ASN1_TYPE_new()))
-                        goto err;
-                if (!(nbit = ASN1_INTEGER_new()))
+        if (keysize > 0) {
+                if ((parameter = ASN1_INTEGER_new()) == NULL)
                         goto err;
-                if (!ASN1_INTEGER_set(nbit, arg)) {
-                        ASN1_INTEGER_free(nbit);
+                if (!ASN1_INTEGER_set(parameter, keysize))
                         goto err;
-                }
-                alg->parameter->value.integer = nbit;
-                alg->parameter->type = V_ASN1_INTEGER;
+                parameter_type = V_ASN1_INTEGER;
         }
-        if (sk_X509_ALGOR_push(sk, alg) == 0)
+
+        if ((alg = X509_ALGOR_new()) == NULL)
                 goto err;
-        return 1;
+        if (!X509_ALGOR_set0_by_nid(alg, nid, parameter_type, parameter))
+                goto err;
+        parameter = NULL;
+
+        if (sk_X509_ALGOR_push(sk, alg) <= 0)
+                goto err;
+        alg = NULL;
 
-err:
-        PKCS7error(ERR_R_MALLOC_FAILURE);
+        ret = 1;
+
+ err:
         X509_ALGOR_free(alg);
-        return 0;
+        ASN1_INTEGER_free(parameter);
+
+        return ret;
 }
 LCRYPTO_ALIAS(PKCS7_simple_smimecap);
 
@@ -147,30 +181,54 @@ LCRYPTO_ALIAS(PKCS7_add_attrib_content_type);
 int
 PKCS7_add0_attrib_signing_time(PKCS7_SIGNER_INFO *si, ASN1_TIME *t)
 {
-        if (!t && !(t = X509_gmtime_adj(NULL, 0))) {
+        ASN1_TIME *tm;
+        int ret = 0;
+
+        if ((tm = t) == NULL)
+                tm = X509_gmtime_adj(NULL, 0);
+        if (tm == NULL) {
                 PKCS7error(ERR_R_MALLOC_FAILURE);
-                return 0;
+                goto err;
         }
-        return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime,
-            V_ASN1_UTCTIME, t);
+
+        /* RFC 5652, section 11.3 - UTCTime for the years 1950-2049. */
+        if (ASN1_time_parse(tm->data, tm->length, NULL, tm->type) == -1)
+                goto err;
+        if (!PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, tm->type, tm))
+                goto err;
+        tm = NULL;
+
+        ret = 1;
+
+ err:
+        if (tm != t)
+                ASN1_TIME_free(tm);
+
+        return ret;
 }
 LCRYPTO_ALIAS(PKCS7_add0_attrib_signing_time);
 
 int
 PKCS7_add1_attrib_digest(PKCS7_SIGNER_INFO *si, const unsigned char *md,
-    int mdlen)
+    int md_len)
 {
         ASN1_OCTET_STRING *os;
+        int ret = 0;
 
-        os = ASN1_OCTET_STRING_new();
-        if (!os)
-                return 0;
-        if (!ASN1_STRING_set(os, md, mdlen) ||
-            !PKCS7_add_signed_attribute(si, NID_pkcs9_messageDigest,
-            V_ASN1_OCTET_STRING, os)) {
-                ASN1_OCTET_STRING_free(os);
-                return 0;
-        }
-        return 1;
+        if ((os = ASN1_OCTET_STRING_new()) == NULL)
+                goto err;
+        if (!ASN1_STRING_set(os, md, md_len))
+                goto err;
+        if (!PKCS7_add_signed_attribute(si, NID_pkcs9_messageDigest,
+            V_ASN1_OCTET_STRING, os))
+                goto err;
+        os = NULL;
+
+        ret = 1;
+
+ err:
+        ASN1_OCTET_STRING_free(os);
+
+        return ret;
 }
 LCRYPTO_ALIAS(PKCS7_add1_attrib_digest);
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index 020de71fef..e39d960780 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_doit.c,v 1.59 2025/03/18 12:53:25 tb Exp $ */
+/* $OpenBSD: pk7_doit.c,v 1.61 2025/07/27 07:06:41 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,11 +60,11 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
@@ -1208,43 +1208,51 @@ PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk)
 LCRYPTO_ALIAS(PKCS7_set_attributes);
 
 static int
-add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value)
+add_attribute(STACK_OF(X509_ATTRIBUTE) **in_sk, int nid, int atrtype, void *value)
 {
-        X509_ATTRIBUTE *attr = NULL;
+        STACK_OF(X509_ATTRIBUTE) *sk;
+        X509_ATTRIBUTE *old_attr = NULL, *new_attr = NULL;
+        int need_pop = 0;
+        int i;
 
-        if (*sk == NULL) {
-                *sk = sk_X509_ATTRIBUTE_new_null();
-                if (*sk == NULL)
-                        return 0;
-new_attrib:
-                if (!(attr = X509_ATTRIBUTE_create(nid, atrtype, value)))
-                        return 0;
-                if (!sk_X509_ATTRIBUTE_push(*sk, attr)) {
-                        X509_ATTRIBUTE_free(attr);
-                        return 0;
-                }
-        } else {
-                int i;
-
-                for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) {
-                        attr = sk_X509_ATTRIBUTE_value(*sk, i);
-                        if (OBJ_obj2nid(attr->object) == nid) {
-                                X509_ATTRIBUTE_free(attr);
-                                attr = X509_ATTRIBUTE_create(nid, atrtype,
-                                    value);
-                                if (attr == NULL)
-                                        return 0;
-                                if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) {
-                                        X509_ATTRIBUTE_free(attr);
-                                        return 0;
-                                }
-                                goto end;
-                        }
-                }
-                goto new_attrib;
+        if ((sk = *in_sk) == NULL)
+                sk = sk_X509_ATTRIBUTE_new_null();
+        if (sk == NULL)
+                goto err;
+
+        /* Replace an already existing attribute with the given nid. */
+        for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
+                old_attr = sk_X509_ATTRIBUTE_value(sk, i);
+                if(OBJ_obj2nid(old_attr->object) == nid)
+                        break;
+        }
+
+        /* If there is none, make room for the new one, so _set() succeeds. */
+        if (i == sk_X509_ATTRIBUTE_num(sk)) {
+                old_attr = NULL;
+                if (sk_X509_ATTRIBUTE_push(sk, NULL) <= 0)
+                        goto err;
+                need_pop = 1;
         }
-end:
+
+        /* On success, new_attr owns value. */
+        if ((new_attr = X509_ATTRIBUTE_create(nid, atrtype, value)) == NULL)
+                goto err;
+
+        X509_ATTRIBUTE_free(old_attr);
+        (void)sk_X509_ATTRIBUTE_set(sk, i, new_attr);
+
+        *in_sk = sk;
+
         return 1;
+
+ err:
+        if (need_pop)
+                (void)sk_X509_ATTRIBUTE_pop(sk);
+        if (*in_sk != sk)
+                sk_X509_ATTRIBUTE_pop_free(sk, X509_ATTRIBUTE_free);
+
+        return 0;
 }
 
 int
diff --git a/src/lib/libcrypto/pkcs7/pk7_lib.c b/src/lib/libcrypto/pkcs7/pk7_lib.c
index a1c7d61cca..8712a2ecc1 100644
--- a/src/lib/libcrypto/pkcs7/pk7_lib.c
+++ b/src/lib/libcrypto/pkcs7/pk7_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_lib.c,v 1.30 2024/12/06 07:10:20 tb Exp $ */
+/* $OpenBSD: pk7_lib.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -58,11 +58,11 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c
index cff89c34e1..32f28f0505 100644
--- a/src/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_smime.c,v 1.27 2024/04/20 10:11:55 tb Exp $ */
+/* $OpenBSD: pk7_smime.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -60,10 +60,10 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
diff --git a/src/lib/libcrypto/pkcs7/pkcs7.h b/src/lib/libcrypto/pkcs7/pkcs7.h
index 6fd5adf457..6f0ccc0dc8 100644
--- a/src/lib/libcrypto/pkcs7/pkcs7.h
+++ b/src/lib/libcrypto/pkcs7/pkcs7.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs7.h,v 1.22 2024/10/23 01:57:19 jsg Exp $ */
+/* $OpenBSD: pkcs7.h,v 1.24 2025/07/02 10:24:17 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -82,7 +82,7 @@ typedef struct pkcs7_issuer_and_serial_st {
 } PKCS7_ISSUER_AND_SERIAL;
 
 typedef struct pkcs7_signer_info_st {
-        ASN1_INTEGER                    *version;       /* version 1 */
+        ASN1_INTEGER                    *version;       /* version 1 */
         PKCS7_ISSUER_AND_SERIAL         *issuer_and_serial;
         X509_ALGOR                      *digest_alg;
         STACK_OF(X509_ATTRIBUTE)        *auth_attr;     /* [ 0 ] */
@@ -145,7 +145,7 @@ typedef struct pkcs7_signedandenveloped_st {
 typedef struct pkcs7_digest_st {
         ASN1_INTEGER                    *version;       /* version 0 */
         X509_ALGOR                      *md;            /* md used */
-        struct pkcs7_st                 *contents;
+        struct pkcs7_st                 *contents;
         ASN1_OCTET_STRING               *digest;
 } PKCS7_DIGEST;
 
@@ -362,7 +362,7 @@ PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx);
 ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk);
 int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int type,
     void *data);
-int PKCS7_add_attribute (PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
+int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
     void *value);
 ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid);
 ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid);
diff --git a/src/lib/libcrypto/rc2/rc2_cbc.c b/src/lib/libcrypto/rc2/rc2.c
index 1d8e2def99..c122d4b810 100644
--- a/src/lib/libcrypto/rc2/rc2_cbc.c
+++ b/src/lib/libcrypto/rc2/rc2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rc2_cbc.c,v 1.8 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: rc2.c,v 1.1 2025/05/25 05:29:54 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,86 +57,89 @@
  */
 
 #include <openssl/rc2.h>
+
 #include "rc2_local.h"
 
+static const unsigned char key_table[256]={
+        0xd9,0x78,0xf9,0xc4,0x19,0xdd,0xb5,0xed,0x28,0xe9,0xfd,0x79,
+        0x4a,0xa0,0xd8,0x9d,0xc6,0x7e,0x37,0x83,0x2b,0x76,0x53,0x8e,
+        0x62,0x4c,0x64,0x88,0x44,0x8b,0xfb,0xa2,0x17,0x9a,0x59,0xf5,
+        0x87,0xb3,0x4f,0x13,0x61,0x45,0x6d,0x8d,0x09,0x81,0x7d,0x32,
+        0xbd,0x8f,0x40,0xeb,0x86,0xb7,0x7b,0x0b,0xf0,0x95,0x21,0x22,
+        0x5c,0x6b,0x4e,0x82,0x54,0xd6,0x65,0x93,0xce,0x60,0xb2,0x1c,
+        0x73,0x56,0xc0,0x14,0xa7,0x8c,0xf1,0xdc,0x12,0x75,0xca,0x1f,
+        0x3b,0xbe,0xe4,0xd1,0x42,0x3d,0xd4,0x30,0xa3,0x3c,0xb6,0x26,
+        0x6f,0xbf,0x0e,0xda,0x46,0x69,0x07,0x57,0x27,0xf2,0x1d,0x9b,
+        0xbc,0x94,0x43,0x03,0xf8,0x11,0xc7,0xf6,0x90,0xef,0x3e,0xe7,
+        0x06,0xc3,0xd5,0x2f,0xc8,0x66,0x1e,0xd7,0x08,0xe8,0xea,0xde,
+        0x80,0x52,0xee,0xf7,0x84,0xaa,0x72,0xac,0x35,0x4d,0x6a,0x2a,
+        0x96,0x1a,0xd2,0x71,0x5a,0x15,0x49,0x74,0x4b,0x9f,0xd0,0x5e,
+        0x04,0x18,0xa4,0xec,0xc2,0xe0,0x41,0x6e,0x0f,0x51,0xcb,0xcc,
+        0x24,0x91,0xaf,0x50,0xa1,0xf4,0x70,0x39,0x99,0x7c,0x3a,0x85,
+        0x23,0xb8,0xb4,0x7a,0xfc,0x02,0x36,0x5b,0x25,0x55,0x97,0x31,
+        0x2d,0x5d,0xfa,0x98,0xe3,0x8a,0x92,0xae,0x05,0xdf,0x29,0x10,
+        0x67,0x6c,0xba,0xc9,0xd3,0x00,0xe6,0xcf,0xe1,0x9e,0xa8,0x2c,
+        0x63,0x16,0x01,0x3f,0x58,0xe2,0x89,0xa9,0x0d,0x38,0x34,0x1b,
+        0xab,0x33,0xff,0xb0,0xbb,0x48,0x0c,0x5f,0xb9,0xb1,0xcd,0x2e,
+        0xc5,0xf3,0xdb,0x47,0xe5,0xa5,0x9c,0x77,0x0a,0xa6,0x20,0x68,
+        0xfe,0x7f,0xc1,0xad,
+        };
+
+/* It has come to my attention that there are 2 versions of the RC2
+ * key schedule.  One which is normal, and anther which has a hook to
+ * use a reduced key length.
+ * BSAFE uses the 'retarded' version.  What I previously shipped is
+ * the same as specifying 1024 for the 'bits' parameter.  Bsafe uses
+ * a version where the bits parameter is the same as len*8 */
 void
-RC2_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
-    RC2_KEY *ks, unsigned char *iv, int encrypt)
+RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
 {
-        unsigned long tin0, tin1;
-        unsigned long tout0, tout1, xor0, xor1;
-        long l = length;
-        unsigned long tin[2];
+        int i, j;
+        unsigned char *k;
+        RC2_INT *ki;
+        unsigned int c, d;
 
-        if (encrypt) {
-                c2l(iv, tout0);
-                c2l(iv, tout1);
-                iv -= 8;
-                for (l -= 8; l >= 0; l -= 8)
-                {
-                        c2l(in, tin0);
-                        c2l(in, tin1);
-                        tin0 ^= tout0;
-                        tin1 ^= tout1;
-                        tin[0] = tin0;
-                        tin[1] = tin1;
-                        RC2_encrypt(tin, ks);
-                        tout0 = tin[0];
-                        l2c(tout0, out);
-                        tout1 = tin[1];
-                        l2c(tout1, out);
-                }
-                if (l != -8) {
-                        c2ln(in, tin0, tin1, l + 8);
-                        tin0 ^= tout0;
-                        tin1 ^= tout1;
-                        tin[0] = tin0;
-                        tin[1] = tin1;
-                        RC2_encrypt(tin, ks);
-                        tout0 = tin[0];
-                        l2c(tout0, out);
-                        tout1 = tin[1];
-                        l2c(tout1, out);
-                }
-                l2c(tout0, iv);
-                l2c(tout1, iv);
-        } else {
-                c2l(iv, xor0);
-                c2l(iv, xor1);
-                iv -= 8;
-                for (l -= 8; l >= 0; l -= 8)
-                {
-                        c2l(in, tin0);
-                        tin[0] = tin0;
-                        c2l(in, tin1);
-                        tin[1] = tin1;
-                        RC2_decrypt(tin, ks);
-                        tout0 = tin[0] ^ xor0;
-                        tout1 = tin[1] ^ xor1;
-                        l2c(tout0, out);
-                        l2c(tout1, out);
-                        xor0 = tin0;
-                        xor1 = tin1;
-                }
-                if (l != -8) {
-                        c2l(in, tin0);
-                        tin[0] = tin0;
-                        c2l(in, tin1);
-                        tin[1] = tin1;
-                        RC2_decrypt(tin, ks);
-                        tout0 = tin[0] ^ xor0;
-                        tout1 = tin[1] ^ xor1;
-                        l2cn(tout0, tout1, out, l + 8);
-                        xor0 = tin0;
-                        xor1 = tin1;
-                }
-                l2c(xor0, iv);
-                l2c(xor1, iv);
+        k = (unsigned char *)&(key->data[0]);
+        *k = 0; /* for if there is a zero length key */
+
+        if (len > 128)
+                len = 128;
+        if (bits <= 0)
+                bits = 1024;
+        if (bits > 1024)
+                bits = 1024;
+
+        for (i = 0; i < len; i++)
+                k[i] = data[i];
+
+        /* expand table */
+        d = k[len - 1];
+        j = 0;
+        for (i = len; i < 128; i++, j++)
+        {
+                d = key_table[(k[j] + d) & 0xff];
+                k[i] = d;
         }
-        tin0 = tin1 = tout0 = tout1 = xor0 = xor1 = 0;
-        tin[0] = tin[1] = 0;
+
+        /* hmm.... key reduction to 'bits' bits */
+
+        j = (bits + 7) >> 3;
+        i = 128 - j;
+        c = (0xff >> (-bits & 0x07));
+
+        d = key_table[k[i] & c];
+        k[i] = d;
+        while (i--) {
+                d = key_table[k[i + j] ^ d];
+                k[i] = d;
+        }
+
+        /* copy from bytes into RC2_INT's */
+        ki = &(key->data[63]);
+        for (i = 127; i >= 0; i -= 2)
+                *(ki--) = ((k[i] << 8)|k[i - 1]) & 0xffff;
 }
-LCRYPTO_ALIAS(RC2_cbc_encrypt);
+LCRYPTO_ALIAS(RC2_set_key);
 
 void
 RC2_encrypt(unsigned long *d, RC2_KEY *key)
@@ -234,3 +237,225 @@ RC2_decrypt(unsigned long *d, RC2_KEY *key)
             16L);
 }
 LCRYPTO_ALIAS(RC2_decrypt);
+
+void
+RC2_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+    RC2_KEY *ks, unsigned char *iv, int encrypt)
+{
+        unsigned long tin0, tin1;
+        unsigned long tout0, tout1, xor0, xor1;
+        long l = length;
+        unsigned long tin[2];
+
+        if (encrypt) {
+                c2l(iv, tout0);
+                c2l(iv, tout1);
+                iv -= 8;
+                for (l -= 8; l >= 0; l -= 8)
+                {
+                        c2l(in, tin0);
+                        c2l(in, tin1);
+                        tin0 ^= tout0;
+                        tin1 ^= tout1;
+                        tin[0] = tin0;
+                        tin[1] = tin1;
+                        RC2_encrypt(tin, ks);
+                        tout0 = tin[0];
+                        l2c(tout0, out);
+                        tout1 = tin[1];
+                        l2c(tout1, out);
+                }
+                if (l != -8) {
+                        c2ln(in, tin0, tin1, l + 8);
+                        tin0 ^= tout0;
+                        tin1 ^= tout1;
+                        tin[0] = tin0;
+                        tin[1] = tin1;
+                        RC2_encrypt(tin, ks);
+                        tout0 = tin[0];
+                        l2c(tout0, out);
+                        tout1 = tin[1];
+                        l2c(tout1, out);
+                }
+                l2c(tout0, iv);
+                l2c(tout1, iv);
+        } else {
+                c2l(iv, xor0);
+                c2l(iv, xor1);
+                iv -= 8;
+                for (l -= 8; l >= 0; l -= 8)
+                {
+                        c2l(in, tin0);
+                        tin[0] = tin0;
+                        c2l(in, tin1);
+                        tin[1] = tin1;
+                        RC2_decrypt(tin, ks);
+                        tout0 = tin[0] ^ xor0;
+                        tout1 = tin[1] ^ xor1;
+                        l2c(tout0, out);
+                        l2c(tout1, out);
+                        xor0 = tin0;
+                        xor1 = tin1;
+                }
+                if (l != -8) {
+                        c2l(in, tin0);
+                        tin[0] = tin0;
+                        c2l(in, tin1);
+                        tin[1] = tin1;
+                        RC2_decrypt(tin, ks);
+                        tout0 = tin[0] ^ xor0;
+                        tout1 = tin[1] ^ xor1;
+                        l2cn(tout0, tout1, out, l + 8);
+                        xor0 = tin0;
+                        xor1 = tin1;
+                }
+                l2c(xor0, iv);
+                l2c(xor1, iv);
+        }
+        tin0 = tin1 = tout0 = tout1 = xor0 = xor1 = 0;
+        tin[0] = tin[1] = 0;
+}
+LCRYPTO_ALIAS(RC2_cbc_encrypt);
+
+/* The input and output encrypted as though 64bit cfb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+void
+RC2_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+    long length, RC2_KEY *schedule, unsigned char *ivec,
+    int *num, int encrypt)
+{
+        unsigned long v0, v1, t;
+        int n = *num;
+        long l = length;
+        unsigned long ti[2];
+        unsigned char *iv, c, cc;
+
+        iv = (unsigned char *)ivec;
+        if (encrypt) {
+                while (l--) {
+                        if (n == 0) {
+                                c2l(iv, v0);
+                                ti[0] = v0;
+                                c2l(iv, v1);
+                                ti[1] = v1;
+                                RC2_encrypt((unsigned long *)ti, schedule);
+                                iv = (unsigned char *)ivec;
+                                t = ti[0];
+                                l2c(t, iv);
+                                t = ti[1];
+                                l2c(t, iv);
+                                iv = (unsigned char *)ivec;
+                        }
+                        c = *(in++) ^ iv[n];
+                        *(out++) = c;
+                        iv[n] = c;
+                        n = (n + 1) & 0x07;
+                }
+        } else {
+                while (l--) {
+                        if (n == 0) {
+                                c2l(iv, v0);
+                                ti[0] = v0;
+                                c2l(iv, v1);
+                                ti[1] = v1;
+                                RC2_encrypt((unsigned long *)ti, schedule);
+                                iv = (unsigned char *)ivec;
+                                t = ti[0];
+                                l2c(t, iv);
+                                t = ti[1];
+                                l2c(t, iv);
+                                iv = (unsigned char *)ivec;
+                        }
+                        cc = *(in++);
+                        c = iv[n];
+                        iv[n] = cc;
+                        *(out++) = c ^ cc;
+                        n = (n + 1) & 0x07;
+                }
+        }
+        v0 = v1 = ti[0] = ti[1] = t = c = cc = 0;
+        *num = n;
+}
+LCRYPTO_ALIAS(RC2_cfb64_encrypt);
+
+/* RC2 as implemented frm a posting from
+ * Newsgroups: sci.crypt
+ * Sender: pgut01@cs.auckland.ac.nz (Peter Gutmann)
+ * Subject: Specification for Ron Rivests Cipher No.2
+ * Message-ID: <4fk39f$f70@net.auckland.ac.nz>
+ * Date: 11 Feb 1996 06:45:03 GMT
+ */
+void
+RC2_ecb_encrypt(const unsigned char *in, unsigned char *out, RC2_KEY *ks,
+    int encrypt)
+{
+        unsigned long l, d[2];
+
+        c2l(in, l);
+        d[0] = l;
+        c2l(in, l);
+        d[1] = l;
+        if (encrypt)
+                RC2_encrypt(d, ks);
+        else
+                RC2_decrypt(d, ks);
+        l = d[0];
+        l2c(l, out);
+        l = d[1];
+        l2c(l, out);
+        l = d[0] = d[1] = 0;
+}
+LCRYPTO_ALIAS(RC2_ecb_encrypt);
+
+/* The input and output encrypted as though 64bit ofb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+void
+RC2_ofb64_encrypt(const unsigned char *in, unsigned char *out,
+    long length, RC2_KEY *schedule, unsigned char *ivec,
+    int *num)
+{
+        unsigned long v0, v1, t;
+        int n = *num;
+        long l = length;
+        unsigned char d[8];
+        char *dp;
+        unsigned long ti[2];
+        unsigned char *iv;
+        int save = 0;
+
+        iv = (unsigned char *)ivec;
+        c2l(iv, v0);
+        c2l(iv, v1);
+        ti[0] = v0;
+        ti[1] = v1;
+        dp = (char *)d;
+        l2c(v0, dp);
+        l2c(v1, dp);
+        while (l--) {
+                if (n == 0) {
+                        RC2_encrypt((unsigned long *)ti, schedule);
+                        dp = (char *)d;
+                        t = ti[0];
+                        l2c(t, dp);
+                        t = ti[1];
+                        l2c(t, dp);
+                        save++;
+                }
+                *(out++) = *(in++) ^ d[n];
+                n = (n + 1) & 0x07;
+        }
+        if (save) {
+                v0 = ti[0];
+                v1 = ti[1];
+                iv = (unsigned char *)ivec;
+                l2c(v0, iv);
+                l2c(v1, iv);
+        }
+        t = v0 = v1 = ti[0] = ti[1] = 0;
+        *num = n;
+}
+LCRYPTO_ALIAS(RC2_ofb64_encrypt);
diff --git a/src/lib/libcrypto/rc2/rc2.h b/src/lib/libcrypto/rc2/rc2.h
index 96e395f32d..ead308cf51 100644
--- a/src/lib/libcrypto/rc2/rc2.h
+++ b/src/lib/libcrypto/rc2/rc2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: rc2.h,v 1.13 2025/01/25 17:59:44 tb Exp $ */
+/* $OpenBSD: rc2.h,v 1.14 2025/06/09 14:37:49 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,7 +59,12 @@
 #ifndef HEADER_RC2_H
 #define HEADER_RC2_H
 
-#include <openssl/opensslconf.h> /* OPENSSL_NO_RC2, RC2_INT */
+#include <openssl/opensslconf.h> /* OPENSSL_NO_RC2 */
+
+#ifndef RC2_INT
+/* XXX - typedef */
+#define RC2_INT unsigned int
+#endif
 
 #define RC2_ENCRYPT     1
 #define RC2_DECRYPT     0
diff --git a/src/lib/libcrypto/rc2/rc2_ecb.c b/src/lib/libcrypto/rc2/rc2_ecb.c
deleted file mode 100644
index 6a3c8098eb..0000000000
--- a/src/lib/libcrypto/rc2/rc2_ecb.c
+++ /dev/null
@@ -1,91 +0,0 @@
-/* $OpenBSD: rc2_ecb.c,v 1.9 2023/07/07 13:40:44 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <openssl/rc2.h>
-#include "rc2_local.h"
-#include <openssl/opensslv.h>
-
-/* RC2 as implemented frm a posting from
- * Newsgroups: sci.crypt
- * Sender: pgut01@cs.auckland.ac.nz (Peter Gutmann)
- * Subject: Specification for Ron Rivests Cipher No.2
- * Message-ID: <4fk39f$f70@net.auckland.ac.nz>
- * Date: 11 Feb 1996 06:45:03 GMT
- */
-
-void
-RC2_ecb_encrypt(const unsigned char *in, unsigned char *out, RC2_KEY *ks,
-    int encrypt)
-{
-        unsigned long l, d[2];
-
-        c2l(in, l);
-        d[0] = l;
-        c2l(in, l);
-        d[1] = l;
-        if (encrypt)
-                RC2_encrypt(d, ks);
-        else
-                RC2_decrypt(d, ks);
-        l = d[0];
-        l2c(l, out);
-        l = d[1];
-        l2c(l, out);
-        l = d[0] = d[1] = 0;
-}
-LCRYPTO_ALIAS(RC2_ecb_encrypt);
diff --git a/src/lib/libcrypto/rc2/rc2_skey.c b/src/lib/libcrypto/rc2/rc2_skey.c
deleted file mode 100644
index d33c02da8c..0000000000
--- a/src/lib/libcrypto/rc2/rc2_skey.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/* $OpenBSD: rc2_skey.c,v 1.15 2023/07/07 13:40:44 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <openssl/crypto.h>
-#include <openssl/rc2.h>
-#include "rc2_local.h"
-
-static const unsigned char key_table[256]={
-        0xd9,0x78,0xf9,0xc4,0x19,0xdd,0xb5,0xed,0x28,0xe9,0xfd,0x79,
-        0x4a,0xa0,0xd8,0x9d,0xc6,0x7e,0x37,0x83,0x2b,0x76,0x53,0x8e,
-        0x62,0x4c,0x64,0x88,0x44,0x8b,0xfb,0xa2,0x17,0x9a,0x59,0xf5,
-        0x87,0xb3,0x4f,0x13,0x61,0x45,0x6d,0x8d,0x09,0x81,0x7d,0x32,
-        0xbd,0x8f,0x40,0xeb,0x86,0xb7,0x7b,0x0b,0xf0,0x95,0x21,0x22,
-        0x5c,0x6b,0x4e,0x82,0x54,0xd6,0x65,0x93,0xce,0x60,0xb2,0x1c,
-        0x73,0x56,0xc0,0x14,0xa7,0x8c,0xf1,0xdc,0x12,0x75,0xca,0x1f,
-        0x3b,0xbe,0xe4,0xd1,0x42,0x3d,0xd4,0x30,0xa3,0x3c,0xb6,0x26,
-        0x6f,0xbf,0x0e,0xda,0x46,0x69,0x07,0x57,0x27,0xf2,0x1d,0x9b,
-        0xbc,0x94,0x43,0x03,0xf8,0x11,0xc7,0xf6,0x90,0xef,0x3e,0xe7,
-        0x06,0xc3,0xd5,0x2f,0xc8,0x66,0x1e,0xd7,0x08,0xe8,0xea,0xde,
-        0x80,0x52,0xee,0xf7,0x84,0xaa,0x72,0xac,0x35,0x4d,0x6a,0x2a,
-        0x96,0x1a,0xd2,0x71,0x5a,0x15,0x49,0x74,0x4b,0x9f,0xd0,0x5e,
-        0x04,0x18,0xa4,0xec,0xc2,0xe0,0x41,0x6e,0x0f,0x51,0xcb,0xcc,
-        0x24,0x91,0xaf,0x50,0xa1,0xf4,0x70,0x39,0x99,0x7c,0x3a,0x85,
-        0x23,0xb8,0xb4,0x7a,0xfc,0x02,0x36,0x5b,0x25,0x55,0x97,0x31,
-        0x2d,0x5d,0xfa,0x98,0xe3,0x8a,0x92,0xae,0x05,0xdf,0x29,0x10,
-        0x67,0x6c,0xba,0xc9,0xd3,0x00,0xe6,0xcf,0xe1,0x9e,0xa8,0x2c,
-        0x63,0x16,0x01,0x3f,0x58,0xe2,0x89,0xa9,0x0d,0x38,0x34,0x1b,
-        0xab,0x33,0xff,0xb0,0xbb,0x48,0x0c,0x5f,0xb9,0xb1,0xcd,0x2e,
-        0xc5,0xf3,0xdb,0x47,0xe5,0xa5,0x9c,0x77,0x0a,0xa6,0x20,0x68,
-        0xfe,0x7f,0xc1,0xad,
-        };
-
-/* It has come to my attention that there are 2 versions of the RC2
- * key schedule.  One which is normal, and anther which has a hook to
- * use a reduced key length.
- * BSAFE uses the 'retarded' version.  What I previously shipped is
- * the same as specifying 1024 for the 'bits' parameter.  Bsafe uses
- * a version where the bits parameter is the same as len*8 */
-void
-RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
-{
-        int i, j;
-        unsigned char *k;
-        RC2_INT *ki;
-        unsigned int c, d;
-
-        k = (unsigned char *)&(key->data[0]);
-        *k = 0; /* for if there is a zero length key */
-
-        if (len > 128)
-                len = 128;
-        if (bits <= 0)
-                bits = 1024;
-        if (bits > 1024)
-                bits = 1024;
-
-        for (i = 0; i < len; i++)
-                k[i] = data[i];
-
-        /* expand table */
-        d = k[len - 1];
-        j = 0;
-        for (i = len; i < 128; i++, j++)
-        {
-                d = key_table[(k[j] + d) & 0xff];
-                k[i] = d;
-        }
-
-        /* hmm.... key reduction to 'bits' bits */
-
-        j = (bits + 7) >> 3;
-        i = 128 - j;
-        c = (0xff >> (-bits & 0x07));
-
-        d = key_table[k[i] & c];
-        k[i] = d;
-        while (i--) {
-                d = key_table[k[i + j] ^ d];
-                k[i] = d;
-        }
-
-        /* copy from bytes into RC2_INT's */
-        ki = &(key->data[63]);
-        for (i = 127; i >= 0; i -= 2)
-                *(ki--) = ((k[i] << 8)|k[i - 1]) & 0xffff;
-}
-LCRYPTO_ALIAS(RC2_set_key);
diff --git a/src/lib/libcrypto/rc2/rc2cfb64.c b/src/lib/libcrypto/rc2/rc2cfb64.c
deleted file mode 100644
index 21266c430b..0000000000
--- a/src/lib/libcrypto/rc2/rc2cfb64.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* $OpenBSD: rc2cfb64.c,v 1.8 2023/07/07 13:40:44 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <openssl/rc2.h>
-#include "rc2_local.h"
-
-/* The input and output encrypted as though 64bit cfb mode is being
- * used.  The extra state information to record how much of the
- * 64bit block we have used is contained in *num;
- */
-
-void
-RC2_cfb64_encrypt(const unsigned char *in, unsigned char *out,
-    long length, RC2_KEY *schedule, unsigned char *ivec,
-    int *num, int encrypt)
-{
-        unsigned long v0, v1, t;
-        int n = *num;
-        long l = length;
-        unsigned long ti[2];
-        unsigned char *iv, c, cc;
-
-        iv = (unsigned char *)ivec;
-        if (encrypt) {
-                while (l--) {
-                        if (n == 0) {
-                                c2l(iv, v0);
-                                ti[0] = v0;
-                                c2l(iv, v1);
-                                ti[1] = v1;
-                                RC2_encrypt((unsigned long *)ti, schedule);
-                                iv = (unsigned char *)ivec;
-                                t = ti[0];
-                                l2c(t, iv);
-                                t = ti[1];
-                                l2c(t, iv);
-                                iv = (unsigned char *)ivec;
-                        }
-                        c = *(in++) ^ iv[n];
-                        *(out++) = c;
-                        iv[n] = c;
-                        n = (n + 1) & 0x07;
-                }
-        } else {
-                while (l--) {
-                        if (n == 0) {
-                                c2l(iv, v0);
-                                ti[0] = v0;
-                                c2l(iv, v1);
-                                ti[1] = v1;
-                                RC2_encrypt((unsigned long *)ti, schedule);
-                                iv = (unsigned char *)ivec;
-                                t = ti[0];
-                                l2c(t, iv);
-                                t = ti[1];
-                                l2c(t, iv);
-                                iv = (unsigned char *)ivec;
-                        }
-                        cc = *(in++);
-                        c = iv[n];
-                        iv[n] = cc;
-                        *(out++) = c ^ cc;
-                        n = (n + 1) & 0x07;
-                }
-        }
-        v0 = v1 = ti[0] = ti[1] = t = c = cc = 0;
-        *num = n;
-}
-LCRYPTO_ALIAS(RC2_cfb64_encrypt);
diff --git a/src/lib/libcrypto/rc2/rc2ofb64.c b/src/lib/libcrypto/rc2/rc2ofb64.c
deleted file mode 100644
index 73d8323e92..0000000000
--- a/src/lib/libcrypto/rc2/rc2ofb64.c
+++ /dev/null
@@ -1,111 +0,0 @@
-/* $OpenBSD: rc2ofb64.c,v 1.8 2023/07/07 13:40:44 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <openssl/rc2.h>
-#include "rc2_local.h"
-
-/* The input and output encrypted as though 64bit ofb mode is being
- * used.  The extra state information to record how much of the
- * 64bit block we have used is contained in *num;
- */
-void
-RC2_ofb64_encrypt(const unsigned char *in, unsigned char *out,
-    long length, RC2_KEY *schedule, unsigned char *ivec,
-    int *num)
-{
-        unsigned long v0, v1, t;
-        int n = *num;
-        long l = length;
-        unsigned char d[8];
-        char *dp;
-        unsigned long ti[2];
-        unsigned char *iv;
-        int save = 0;
-
-        iv = (unsigned char *)ivec;
-        c2l(iv, v0);
-        c2l(iv, v1);
-        ti[0] = v0;
-        ti[1] = v1;
-        dp = (char *)d;
-        l2c(v0, dp);
-        l2c(v1, dp);
-        while (l--) {
-                if (n == 0) {
-                        RC2_encrypt((unsigned long *)ti, schedule);
-                        dp = (char *)d;
-                        t = ti[0];
-                        l2c(t, dp);
-                        t = ti[1];
-                        l2c(t, dp);
-                        save++;
-                }
-                *(out++) = *(in++) ^ d[n];
-                n = (n + 1) & 0x07;
-        }
-        if (save) {
-                v0 = ti[0];
-                v1 = ti[1];
-                iv = (unsigned char *)ivec;
-                l2c(v0, iv);
-                l2c(v1, iv);
-        }
-        t = v0 = v1 = ti[0] = ti[1] = 0;
-        *num = n;
-}
-LCRYPTO_ALIAS(RC2_ofb64_encrypt);
diff --git a/src/lib/libcrypto/rc2/rrc2.doc b/src/lib/libcrypto/rc2/rrc2.doc
deleted file mode 100644
index f93ee003d2..0000000000
--- a/src/lib/libcrypto/rc2/rrc2.doc
+++ /dev/null
@@ -1,219 +0,0 @@
->From cygnus.mincom.oz.au!minbne.mincom.oz.au!bunyip.cc.uq.oz.au!munnari.OZ.AU!comp.vuw.ac.nz!waikato!auckland.ac.nz!news Mon Feb 12 18:48:17 EST 1996
-Article 23601 of sci.crypt:
-Path: cygnus.mincom.oz.au!minbne.mincom.oz.au!bunyip.cc.uq.oz.au!munnari.OZ.AU!comp.vuw.ac.nz!waikato!auckland.ac.nz!news
->From: pgut01@cs.auckland.ac.nz (Peter Gutmann)
-Newsgroups: sci.crypt
-Subject: Specification for Ron Rivests Cipher No.2
-Date: 11 Feb 1996 06:45:03 GMT
-Organization: University of Auckland
-Lines: 203
-Sender: pgut01@cs.auckland.ac.nz (Peter Gutmann)
-Message-ID: <4fk39f$f70@net.auckland.ac.nz>
-NNTP-Posting-Host: cs26.cs.auckland.ac.nz
-X-Newsreader: NN version 6.5.0 #3 (NOV)
-
-
-
-
-                           Ron Rivest's Cipher No.2
-                           ------------------------
- 
-Ron Rivest's Cipher No.2 (hereafter referred to as RRC.2, other people may
-refer to it by other names) is word oriented, operating on a block of 64 bits
-divided into four 16-bit words, with a key table of 64 words.  All data units
-are little-endian.  This functional description of the algorithm is based in
-the paper "The RC5 Encryption Algorithm" (RC5 is a trademark of RSADSI), using
-the same general layout, terminology, and pseudocode style.
- 
- 
-Notation and RRC.2 Primitive Operations
- 
-RRC.2 uses the following primitive operations:
- 
-1. Two's-complement addition of words, denoted by "+".  The inverse operation,
-   subtraction, is denoted by "-".
-2. Bitwise exclusive OR, denoted by "^".
-3. Bitwise AND, denoted by "&".
-4. Bitwise NOT, denoted by "~".
-5. A left-rotation of words; the rotation of word x left by y is denoted
-   x <<< y.  The inverse operation, right-rotation, is denoted x >>> y.
- 
-These operations are directly and efficiently supported by most processors.
- 
- 
-The RRC.2 Algorithm
- 
-RRC.2 consists of three components, a *key expansion* algorithm, an
-*encryption* algorithm, and a *decryption* algorithm.
- 
- 
-Key Expansion
- 
-The purpose of the key-expansion routine is to expand the user's key K to fill
-the expanded key array S, so S resembles an array of random binary words
-determined by the user's secret key K.
- 
-Initialising the S-box
- 
-RRC.2 uses a single 256-byte S-box derived from the ciphertext contents of
-Beale Cipher No.1 XOR'd with a one-time pad.  The Beale Ciphers predate modern
-cryptography by enough time that there should be no concerns about trapdoors
-hidden in the data.  They have been published widely, and the S-box can be
-easily recreated from the one-time pad values and the Beale Cipher data taken
-from a standard source.  To initialise the S-box:
- 
-  for i = 0 to 255 do
-    sBox[ i ] = ( beale[ i ] mod 256 ) ^ pad[ i ]
- 
-The contents of Beale Cipher No.1 and the necessary one-time pad are given as
-an appendix at the end of this document.  For efficiency, implementors may wish
-to skip the Beale Cipher expansion and store the sBox table directly.
- 
-Expanding the Secret Key to 128 Bytes
- 
-The secret key is first expanded to fill 128 bytes (64 words).  The expansion
-consists of taking the sum of the first and last bytes in the user key, looking
-up the sum (modulo 256) in the S-box, and appending the result to the key.  The
-operation is repeated with the second byte and new last byte of the key until
-all 128 bytes have been generated.  Note that the following pseudocode treats
-the S array as an array of 128 bytes rather than 64 words.
- 
-  for j = 0 to length-1 do
-    S[ j ] = K[ j ]
-  for j = length to 127 do
-    s[ j ] = sBox[ ( S[ j-length ] + S[ j-1 ] ) mod 256 ];
- 
-At this point it is possible to perform a truncation of the effective key
-length to ease the creation of espionage-enabled software products.  However
-since the author cannot conceive why anyone would want to do this, it will not
-be considered further.
- 
-The final phase of the key expansion involves replacing the first byte of S
-with the entry selected from the S-box:
- 
-  S[ 0 ] = sBox[ S[ 0 ] ]
- 
- 
-Encryption
- 
-The cipher has 16 full rounds, each divided into 4 subrounds.  Two of the full
-rounds perform an additional transformation on the data.  Note that the
-following pseudocode treats the S array as an array of 64 words rather than 128
-bytes.
- 
-  for i = 0 to 15 do
-    j = i * 4;
-    word0 = ( word0 + ( word1 & ~word3 ) + ( word2 & word3 ) + S[ j+0 ] ) <<< 1
-    word1 = ( word1 + ( word2 & ~word0 ) + ( word3 & word0 ) + S[ j+1 ] ) <<< 2
-    word2 = ( word2 + ( word3 & ~word1 ) + ( word0 & word1 ) + S[ j+2 ] ) <<< 3
-    word3 = ( word3 + ( word0 & ~word2 ) + ( word1 & word2 ) + S[ j+3 ] ) <<< 5
- 
-In addition the fifth and eleventh rounds add the contents of the S-box indexed
-by one of the data words to another of the data words following the four
-subrounds as follows:
- 
-    word0 = word0 + S[ word3 & 63 ];
-    word1 = word1 + S[ word0 & 63 ];
-    word2 = word2 + S[ word1 & 63 ];
-    word3 = word3 + S[ word2 & 63 ];
- 
- 
-Decryption
- 
-The decryption operation is simply the inverse of the encryption operation.
-Note that the following pseudocode treats the S array as an array of 64 words
-rather than 128 bytes.
- 
-  for i = 15 downto 0 do
-    j = i * 4;
-    word3 = ( word3 >>> 5 ) - ( word0 & ~word2 ) - ( word1 & word2 ) - S[ j+3 ]
-    word2 = ( word2 >>> 3 ) - ( word3 & ~word1 ) - ( word0 & word1 ) - S[ j+2 ]
-    word1 = ( word1 >>> 2 ) - ( word2 & ~word0 ) - ( word3 & word0 ) - S[ j+1 ]
-    word0 = ( word0 >>> 1 ) - ( word1 & ~word3 ) - ( word2 & word3 ) - S[ j+0 ]
- 
-In addition the fifth and eleventh rounds subtract the contents of the S-box
-indexed by one of the data words from another one of the data words following
-the four subrounds as follows:
- 
-    word3 = word3 - S[ word2 & 63 ]
-    word2 = word2 - S[ word1 & 63 ]
-    word1 = word1 - S[ word0 & 63 ]
-    word0 = word0 - S[ word3 & 63 ]
- 
- 
-Test Vectors
- 
-The following test vectors may be used to test the correctness of an RRC.2
-implementation:
- 
-  Key:      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-  Plain:    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-  Cipher:   0x1C, 0x19, 0x8A, 0x83, 0x8D, 0xF0, 0x28, 0xB7
- 
-  Key:      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
-  Plain:    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-  Cipher:   0x21, 0x82, 0x9C, 0x78, 0xA9, 0xF9, 0xC0, 0x74
- 
-  Key:      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-  Plain:    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
-  Cipher:   0x13, 0xDB, 0x35, 0x17, 0xD3, 0x21, 0x86, 0x9E
- 
-  Key:      0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-            0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
-  Plain:    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-  Cipher:   0x50, 0xDC, 0x01, 0x62, 0xBD, 0x75, 0x7F, 0x31
- 
- 
-Appendix: Beale Cipher No.1, "The Locality of the Vault", and One-time Pad for
-          Creating the S-Box
- 
-Beale Cipher No.1.
- 
-  71, 194,  38,1701,  89,  76,  11,  83,1629,  48,  94,  63, 132,  16, 111,  95,
-  84, 341, 975,  14,  40,  64,  27,  81, 139, 213,  63,  90,1120,   8,  15,   3,
- 126,2018,  40,  74, 758, 485, 604, 230, 436, 664, 582, 150, 251, 284, 308, 231,
- 124, 211, 486, 225, 401, 370,  11, 101, 305, 139, 189,  17,  33,  88, 208, 193,
- 145,   1,  94,  73, 416, 918, 263,  28, 500, 538, 356, 117, 136, 219,  27, 176,
- 130,  10, 460,  25, 485,  18, 436,  65,  84, 200, 283, 118, 320, 138,  36, 416,
- 280,  15,  71, 224, 961,  44,  16, 401,  39,  88,  61, 304,  12,  21,  24, 283,
- 134,  92,  63, 246, 486, 682,   7, 219, 184, 360, 780,  18,  64, 463, 474, 131,
- 160,  79,  73, 440,  95,  18,  64, 581,  34,  69, 128, 367, 460,  17,  81,  12,
- 103, 820,  62, 110,  97, 103, 862,  70,  60,1317, 471, 540, 208, 121, 890, 346,
-  36, 150,  59, 568, 614,  13, 120,  63, 219, 812,2160,1780,  99,  35,  18,  21,
- 136, 872,  15,  28, 170,  88,   4,  30,  44, 112,  18, 147, 436, 195, 320,  37,
- 122, 113,   6, 140,   8, 120, 305,  42,  58, 461,  44, 106, 301,  13, 408, 680,
-  93,  86, 116, 530,  82, 568,   9, 102,  38, 416,  89,  71, 216, 728, 965, 818,
-   2,  38, 121, 195,  14, 326, 148, 234,  18,  55, 131, 234, 361, 824,   5,  81,
- 623,  48, 961,  19,  26,  33,  10,1101, 365,  92,  88, 181, 275, 346, 201, 206
- 
-One-time Pad.
- 
- 158, 186, 223,  97,  64, 145, 190, 190, 117, 217, 163,  70, 206, 176, 183, 194,
- 146,  43, 248, 141,   3,  54,  72, 223, 233, 153,  91, 210,  36, 131, 244, 161,
- 105, 120, 113, 191, 113,  86,  19, 245, 213, 221,  43,  27, 242, 157,  73, 213,
- 193,  92, 166,  10,  23, 197, 112, 110, 193,  30, 156,  51, 125,  51, 158,  67,
- 197, 215,  59, 218, 110, 246, 181,   0, 135,  76, 164,  97,  47,  87, 234, 108,
- 144, 127,   6,   6, 222, 172,  80, 144,  22, 245, 207,  70, 227, 182, 146, 134,
- 119, 176,  73,  58, 135,  69,  23, 198,   0, 170,  32, 171, 176, 129,  91,  24,
- 126,  77, 248,   0, 118,  69,  57,  60, 190, 171, 217,  61, 136, 169, 196,  84,
- 168, 167, 163, 102, 223,  64, 174, 178, 166, 239, 242, 195, 249,  92,  59,  38,
- 241,  46, 236,  31,  59, 114,  23,  50, 119, 186,   7,  66, 212,  97, 222, 182,
- 230, 118, 122,  86, 105,  92, 179, 243, 255, 189, 223, 164, 194, 215,  98,  44,
-  17,  20,  53, 153, 137, 224, 176, 100, 208, 114,  36, 200, 145, 150, 215,  20,
-  87,  44, 252,  20, 235, 242, 163, 132,  63,  18,   5, 122,  74,  97,  34,  97,
- 142,  86, 146, 221, 179, 166, 161,  74,  69, 182,  88, 120, 128,  58,  76, 155,
-  15,  30,  77, 216, 165, 117, 107,  90, 169, 127, 143, 181, 208, 137, 200, 127,
- 170, 195,  26,  84, 255, 132, 150,  58, 103, 250, 120, 221, 237,  37,   8,  99
- 
- 
-Implementation
- 
-A non-US based programmer who has never seen any encryption code before will
-shortly be implementing RRC.2 based solely on this specification and not on
-knowledge of any other encryption algorithms.  Stand by.
-
-
-
diff --git a/src/lib/libcrypto/rc2/version b/src/lib/libcrypto/rc2/version
deleted file mode 100644
index 8ca161a613..0000000000
--- a/src/lib/libcrypto/rc2/version
+++ /dev/null
@@ -1,22 +0,0 @@
-1.1 23/08/96 - eay
-        Changed RC2_set_key() so it now takes another argument.  Many
-        thanks to Peter Gutmann <pgut01@cs.auckland.ac.nz> for the
-        clarification and original specification of RC2.  BSAFE uses
-        this last parameter, 'bits'.  It the key is 128 bits, BSAFE
-        also sets this parameter to 128.  The old behaviour can be
-        duplicated by setting this parameter to 1024.
-
-1.0 08/04/96 - eay
-        First version of SSLeay with rc2.  This has been written from the spec
-        posted sci.crypt.  It is in this directory under rrc2.doc
-        I have no test values for any mode other than ecb, my wrappers for the
-        other modes should be ok since they are basically the same as
-        the ones taken from idea and des :-).  I have implemented them as
-        little-endian operators.
-        While rc2 is included because it is used with SSL, I don't know how
-        far I trust it.  It is about the same speed as IDEA and DES.
-        So if you are paranoid, used Triple DES, else IDEA.  If RC2
-        does get used more, perhaps more people will look for weaknesses in
-        it.
-        
-
diff --git a/src/lib/libcrypto/rc4/rc4.c b/src/lib/libcrypto/rc4/rc4.c
index 56ed43cba7..69b7d0a815 100644
--- a/src/lib/libcrypto/rc4/rc4.c
+++ b/src/lib/libcrypto/rc4/rc4.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rc4.c,v 1.13 2025/01/27 14:02:32 jsing Exp $ */
+/* $OpenBSD: rc4.c,v 1.15 2025/08/17 08:04:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,234 +57,123 @@
  */
 
 #include <endian.h>
+#include <stdint.h>
 
 #include <openssl/rc4.h>
 
 #include "crypto_arch.h"
 
-/* RC4 as implemented from a posting from
- * Newsgroups: sci.crypt
- * From: sterndark@netcom.com (David Sterndark)
- * Subject: RC4 Algorithm revealed.
- * Message-ID: <sternCvKL4B.Hyy@netcom.com>
- * Date: Wed, 14 Sep 1994 06:35:31 GMT
- */
-
 #ifdef HAVE_RC4_INTERNAL
-void rc4_internal(RC4_KEY *key, size_t len, const unsigned char *indata,
-    unsigned char *outdata);
+void rc4_internal(RC4_KEY *key, size_t len, const uint8_t *in,
+    uint8_t *out);
 
 #else
-static void
-rc4_internal(RC4_KEY *key, size_t len, const unsigned char *indata,
-    unsigned char *outdata)
+static inline RC4_INT
+rc4_step(RC4_INT *d, RC4_INT *x, RC4_INT *y)
 {
-        RC4_INT *d;
-        RC4_INT x, y,tx, ty;
-        size_t i;
+        RC4_INT tx, ty;
 
-        x = key->x;
-        y = key->y;
-        d = key->data;
+        *x = (*x + 1) & 0xff;
+        tx = d[*x];
+        *y = (tx + *y) & 0xff;
+        d[*x] = ty = d[*y];
+        d[*y] = tx;
 
-#if defined(RC4_CHUNK)
-        /*
-         * The original reason for implementing this(*) was the fact that
-         * pre-21164a Alpha CPUs don't have byte load/store instructions
-         * and e.g. a byte store has to be done with 64-bit load, shift,
-         * and, or and finally 64-bit store. Peaking data and operating
-         * at natural word size made it possible to reduce amount of
-         * instructions as well as to perform early read-ahead without
-         * suffering from RAW (read-after-write) hazard. This resulted
-         * in ~40%(**) performance improvement on 21064 box with gcc.
-         * But it's not only Alpha users who win here:-) Thanks to the
-         * early-n-wide read-ahead this implementation also exhibits
-         * >40% speed-up on SPARC and 20-30% on 64-bit MIPS (depending
-         * on sizeof(RC4_INT)).
-         *
-         * (*)  "this" means code which recognizes the case when input
-         *      and output pointers appear to be aligned at natural CPU
-         *      word boundary
-         * (**) i.e. according to 'apps/openssl speed rc4' benchmark,
-         *      crypto/rc4/rc4speed.c exhibits almost 70% speed-up...
-         *
-         * Caveats.
-         *
-         * - RC4_CHUNK="unsigned long long" should be a #1 choice for
-         *   UltraSPARC. Unfortunately gcc generates very slow code
-         *   (2.5-3 times slower than one generated by Sun's WorkShop
-         *   C) and therefore gcc (at least 2.95 and earlier) should
-         *   always be told that RC4_CHUNK="unsigned long".
-         *
-         *                                      <appro@fy.chalmers.se>
-         */
+        return d[(tx + ty) & 0xff];
+}
 
-# define RC4_STEP       ( \
-                        x=(x+1) &0xff,  \
-                        tx=d[x],        \
-                        y=(tx+y)&0xff,  \
-                        ty=d[y],        \
-                        d[y]=tx,        \
-                        d[x]=ty,        \
-                        (RC4_CHUNK)d[(tx+ty)&0xff]\
-                        )
+#if BYTE_ORDER == BIG_ENDIAN
+static inline uint64_t
+rc4_chunk(RC4_INT *d, RC4_INT *x, RC4_INT *y)
+{
+        uint64_t chunk = 0;
+        size_t i;
 
-        if ((((size_t)indata & (sizeof(RC4_CHUNK) - 1)) |
-            ((size_t)outdata & (sizeof(RC4_CHUNK) - 1))) == 0 ) {
-                RC4_CHUNK ichunk, otp;
+        for (i = 0; i < 8; i++)
+                chunk = chunk << 8 | (uint64_t)rc4_step(d, x, y);
+
+        return chunk;
+}
 
-                /*
-                 * I reckon we can afford to implement both endian
-                 * cases and to decide which way to take at run-time
-                 * because the machine code appears to be very compact
-                 * and redundant 1-2KB is perfectly tolerable (i.e.
-                 * in case the compiler fails to eliminate it:-). By
-                 * suggestion from Terrel Larson <terr@terralogic.net>.
-                 *
-                 * Special notes.
-                 *
-                 * - compilers (those I've tried) don't seem to have
-                 *   problems eliminating either the operators guarded
-                 *   by "if (sizeof(RC4_CHUNK)==8)" or the condition
-                 *   expressions themselves so I've got 'em to replace
-                 *   corresponding #ifdefs from the previous version;
-                 * - I chose to let the redundant switch cases when
-                 *   sizeof(RC4_CHUNK)!=8 be (were also #ifdefed
-                 *   before);
-                 * - in case you wonder "&(sizeof(RC4_CHUNK)*8-1)" in
-                 *   [LB]ESHFT guards against "shift is out of range"
-                 *   warnings when sizeof(RC4_CHUNK)!=8
-                 *
-                 *                      <appro@fy.chalmers.se>
-                 */
-#if BYTE_ORDER == BIG_ENDIAN
-# define BESHFT(c)      (((sizeof(RC4_CHUNK)-(c)-1)*8)&(sizeof(RC4_CHUNK)*8-1))
-                for (; len & (0 - sizeof(RC4_CHUNK)); len -= sizeof(RC4_CHUNK)) {
-                        ichunk  = *(RC4_CHUNK *)indata;
-                        otp = RC4_STEP << BESHFT(0);
-                        otp |= RC4_STEP << BESHFT(1);
-                        otp |= RC4_STEP << BESHFT(2);
-                        otp |= RC4_STEP << BESHFT(3);
-                        if (sizeof(RC4_CHUNK) == 8) {
-                                otp |= RC4_STEP << BESHFT(4);
-                                otp |= RC4_STEP << BESHFT(5);
-                                otp |= RC4_STEP << BESHFT(6);
-                                otp |= RC4_STEP << BESHFT(7);
-                        }
-                        *(RC4_CHUNK *)outdata = otp^ichunk;
-                        indata += sizeof(RC4_CHUNK);
-                        outdata += sizeof(RC4_CHUNK);
-                }
 #else
-# define LESHFT(c)      (((c)*8)&(sizeof(RC4_CHUNK)*8-1))
-                for (; len & (0 - sizeof(RC4_CHUNK)); len -= sizeof(RC4_CHUNK)) {
-                        ichunk = *(RC4_CHUNK *)indata;
-                        otp = RC4_STEP;
-                        otp |= RC4_STEP << 8;
-                        otp |= RC4_STEP << 16;
-                        otp |= RC4_STEP << 24;
-                        if (sizeof(RC4_CHUNK) == 8) {
-                                otp |= RC4_STEP << LESHFT(4);
-                                otp |= RC4_STEP << LESHFT(5);
-                                otp |= RC4_STEP << LESHFT(6);
-                                otp |= RC4_STEP << LESHFT(7);
-                        }
-                        *(RC4_CHUNK *)outdata = otp ^ ichunk;
-                        indata += sizeof(RC4_CHUNK);
-                        outdata += sizeof(RC4_CHUNK);
-                }
-#endif
-        }
+static inline uint64_t
+rc4_chunk(RC4_INT *d, RC4_INT *x, RC4_INT *y)
+{
+        uint64_t chunk = 0;
+        size_t i;
+
+        for (i = 0; i < 8; i++)
+                chunk |= (uint64_t)rc4_step(d, x, y) << (i * 8);
+
+        return chunk;
+}
 #endif
-#define RC4_LOOP(in,out) \
-                x=((x+1)&0xff); \
-                tx=d[x]; \
-                y=(tx+y)&0xff; \
-                d[x]=ty=d[y]; \
-                d[y]=tx; \
-                (out) = d[(tx+ty)&0xff]^ (in);
 
-        i = len >> 3;
-        if (i) {
-                for (;;) {
-                        RC4_LOOP(indata[0], outdata[0]);
-                        RC4_LOOP(indata[1], outdata[1]);
-                        RC4_LOOP(indata[2], outdata[2]);
-                        RC4_LOOP(indata[3], outdata[3]);
-                        RC4_LOOP(indata[4], outdata[4]);
-                        RC4_LOOP(indata[5], outdata[5]);
-                        RC4_LOOP(indata[6], outdata[6]);
-                        RC4_LOOP(indata[7], outdata[7]);
+static void
+rc4_internal(RC4_KEY *key, size_t len, const uint8_t *in, uint8_t *out)
+{
+        RC4_INT *d, x, y;
+        size_t i;
 
-                        indata += 8;
-                        outdata += 8;
+        x = key->x;
+        y = key->y;
+        d = key->data;
+
+        /* Process uint64_t chunks if 8 byte aligned. */
+        if ((((size_t)in | (size_t)out) % 8) == 0) {
+                while (len >= 8) {
+                        *(uint64_t *)out = *(const uint64_t *)in ^ rc4_chunk(d, &x, &y);
 
-                        if (--i == 0)
-                                break;
+                        in += 8;
+                        out += 8;
+                        len -= 8;
                 }
         }
-        i = len&0x07;
-        if (i) {
-                for (;;) {
-                        RC4_LOOP(indata[0], outdata[0]);
-                        if (--i == 0)
-                                break;
-                        RC4_LOOP(indata[1], outdata[1]);
-                        if (--i == 0)
-                                break;
-                        RC4_LOOP(indata[2], outdata[2]);
-                        if (--i == 0)
-                                break;
-                        RC4_LOOP(indata[3], outdata[3]);
-                        if (--i == 0)
-                                break;
-                        RC4_LOOP(indata[4], outdata[4]);
-                        if (--i == 0)
-                                break;
-                        RC4_LOOP(indata[5], outdata[5]);
-                        if (--i == 0)
-                                break;
-                        RC4_LOOP(indata[6], outdata[6]);
-                        if (--i == 0)
-                                break;
-                }
+
+        while (len >= 8) {
+                for (i = 0; i < 8; i++)
+                        out[i] = rc4_step(d, &x, &y) ^ in[i];
+
+                in += 8;
+                out += 8;
+                len -= 8;
         }
+        for (i = 0; i < len; i++)
+                out[i] = rc4_step(d, &x, &y) ^ in[i];
+
         key->x = x;
         key->y = y;
 }
 #endif
 
 #ifdef HAVE_RC4_SET_KEY_INTERNAL
-void rc4_set_key_internal(RC4_KEY *key, int len, const unsigned char *data);
+void rc4_set_key_internal(RC4_KEY *key, int len, const uint8_t *data);
 
 #else
 static inline void
-rc4_set_key_internal(RC4_KEY *key, int len, const unsigned char *data)
+rc4_set_key_internal(RC4_KEY *key, int len, const uint8_t *data)
 {
-        RC4_INT tmp;
-        int id1, id2;
-        RC4_INT *d;
-        unsigned int i;
+        RC4_INT *d, tmp;
+        int idx1, idx2;
+        int i, j;
 
-        d = &(key->data[0]);
+        d = key->data;
         key->x = 0;
         key->y = 0;
-        id1 = id2 = 0;
-
-#define SK_LOOP(d,n) { \
-                tmp=d[(n)]; \
-                id2 = (data[id1] + tmp + id2) & 0xff; \
-                if (++id1 == len) id1=0; \
-                d[(n)]=d[id2]; \
-                d[id2]=tmp; }
+        idx1 = idx2 = 0;
 
         for (i = 0; i < 256; i++)
                 d[i] = i;
         for (i = 0; i < 256; i += 4) {
-                SK_LOOP(d, i + 0);
-                SK_LOOP(d, i + 1);
-                SK_LOOP(d, i + 2);
-                SK_LOOP(d, i + 3);
+                for (j = 0; j < 4; j++) {
+                        tmp = d[i + j];
+                        idx2 = (data[idx1] + tmp + idx2) & 0xff;
+                        d[i + j] = d[idx2];
+                        d[idx2] = tmp;
+
+                        if (++idx1 == len)
+                                idx1 = 0;
+                }
         }
 }
 #endif
diff --git a/src/lib/libcrypto/rc4/rc4.h b/src/lib/libcrypto/rc4/rc4.h
index a20472372b..c994b39a31 100644
--- a/src/lib/libcrypto/rc4/rc4.h
+++ b/src/lib/libcrypto/rc4/rc4.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: rc4.h,v 1.16 2025/01/25 17:59:44 tb Exp $ */
+/* $OpenBSD: rc4.h,v 1.17 2025/06/09 14:37:49 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,10 +59,15 @@
 #ifndef HEADER_RC4_H
 #define HEADER_RC4_H
 
-#include <openssl/opensslconf.h> /* OPENSSL_NO_RC4, RC4_INT */
+#include <openssl/opensslconf.h> /* OPENSSL_NO_RC4 */
 
 #include <stddef.h>
 
+#ifndef RC4_INT
+/* XXX - typedef */
+#define RC4_INT unsigned int
+#endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
index 5a87522289..00fa6afb3d 100644
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_ameth.c,v 1.62 2024/11/02 07:11:14 tb Exp $ */
+/* $OpenBSD: rsa_ameth.c,v 1.63 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -66,7 +66,6 @@
 #include <openssl/bio.h>
 #include <openssl/bn.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
@@ -76,6 +75,7 @@
 
 #include "asn1_local.h"
 #include "bn_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "rsa_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/rsa/rsa_blinding.c b/src/lib/libcrypto/rsa/rsa_blinding.c
index cac5bd91d2..590b45f5a1 100644
--- a/src/lib/libcrypto/rsa/rsa_blinding.c
+++ b/src/lib/libcrypto/rsa/rsa_blinding.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_blinding.c,v 1.3 2023/08/09 12:09:06 tb Exp $ */
+/* $OpenBSD: rsa_blinding.c,v 1.4 2025/05/10 05:54:38 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -114,10 +114,10 @@
 
 #include <openssl/opensslconf.h>
 
-#include <openssl/err.h>
 #include <openssl/rsa.h>
 
 #include "bn_local.h"
+#include "err_local.h"
 #include "rsa_local.h"
 
 #define BN_BLINDING_COUNTER     32
diff --git a/src/lib/libcrypto/rsa/rsa_chk.c b/src/lib/libcrypto/rsa/rsa_chk.c
index b7666e0fed..87d261f88e 100644
--- a/src/lib/libcrypto/rsa/rsa_chk.c
+++ b/src/lib/libcrypto/rsa/rsa_chk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_chk.c,v 1.18 2023/07/08 12:26:45 beck Exp $ */
+/* $OpenBSD: rsa_chk.c,v 1.19 2025/05/10 05:54:38 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
  *
@@ -49,10 +49,10 @@
  */
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/rsa.h>
 
 #include "bn_local.h"
+#include "err_local.h"
 #include "rsa_local.h"
 
 int
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index c2e1e22f9a..65ccfc35e1 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_eay.c,v 1.65 2023/08/09 12:09:06 tb Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.66 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -115,10 +115,10 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/rsa.h>
 
 #include "bn_local.h"
+#include "err_local.h"
 #include "rsa_local.h"
 
 static int
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index ff64eb2f0e..ebd0aeffd5 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_gen.c,v 1.30 2023/07/08 12:26:45 beck Exp $ */
+/* $OpenBSD: rsa_gen.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,10 +60,10 @@
 #include <time.h>
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/rsa.h>
 
 #include "bn_local.h"
+#include "err_local.h"
 #include "rsa_local.h"
 
 static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index 91f4938ec9..7b8babdf52 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_lib.c,v 1.50 2024/03/27 01:22:30 tb Exp $ */
+/* $OpenBSD: rsa_lib.c,v 1.51 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,12 +62,12 @@
 
 #include <openssl/bn.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/lhash.h>
 #include <openssl/rsa.h>
 
 #include "bn_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "rsa_local.h"
 
diff --git a/src/lib/libcrypto/rsa/rsa_meth.c b/src/lib/libcrypto/rsa/rsa_meth.c
index 71608caa01..131c4484ab 100644
--- a/src/lib/libcrypto/rsa/rsa_meth.c
+++ b/src/lib/libcrypto/rsa/rsa_meth.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: rsa_meth.c,v 1.7 2023/07/08 12:26:45 beck Exp $       */
+/*      $OpenBSD: rsa_meth.c,v 1.8 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
  *
@@ -18,7 +18,6 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/rsa.h>
 
 #include "rsa_local.h"
diff --git a/src/lib/libcrypto/rsa/rsa_none.c b/src/lib/libcrypto/rsa/rsa_none.c
index 9c53dcf595..b8764d54ef 100644
--- a/src/lib/libcrypto/rsa/rsa_none.c
+++ b/src/lib/libcrypto/rsa/rsa_none.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_none.c,v 1.12 2023/07/08 12:26:45 beck Exp $ */
+/* $OpenBSD: rsa_none.c,v 1.13 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,9 +60,10 @@
 #include <string.h>
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/rsa.h>
 
+#include "err_local.h"
+
 int
 RSA_padding_add_none(unsigned char *to, int tlen, const unsigned char *from,
     int flen)
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index d1e138c299..9a175f8c55 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_oaep.c,v 1.39 2024/03/26 05:37:28 joshua Exp $ */
+/* $OpenBSD: rsa_oaep.c,v 1.40 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
@@ -74,12 +74,12 @@
 #include <string.h>
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/sha.h>
 
 #include "constant_time.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "rsa_local.h"
 
diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c
index 8e56a8c4cd..554e00e8f8 100644
--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ b/src/lib/libcrypto/rsa/rsa_pk1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pk1.c,v 1.17 2024/03/30 04:34:17 jsing Exp $ */
+/* $OpenBSD: rsa_pk1.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,10 +61,10 @@
 #include <string.h>
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/rsa.h>
 
 #include "bytestring.h"
+#include "err_local.h"
 
 int
 RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index 453570cf74..518b077dbc 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pmeth.c,v 1.43 2025/01/17 15:39:19 tb Exp $ */
+/* $OpenBSD: rsa_pmeth.c,v 1.44 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -65,13 +65,13 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include "bn_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "rsa_local.h"
 
diff --git a/src/lib/libcrypto/rsa/rsa_prn.c b/src/lib/libcrypto/rsa/rsa_prn.c
index 1783563661..ef08f76249 100644
--- a/src/lib/libcrypto/rsa/rsa_prn.c
+++ b/src/lib/libcrypto/rsa/rsa_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_prn.c,v 1.10 2023/07/08 12:26:45 beck Exp $ */
+/* $OpenBSD: rsa_prn.c,v 1.11 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -58,10 +58,11 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 
+#include "err_local.h"
+
 int
 RSA_print_fp(FILE *fp, const RSA *x, int off)
 {
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
index 610ae7c928..72e252ef06 100644
--- a/src/lib/libcrypto/rsa/rsa_pss.c
+++ b/src/lib/libcrypto/rsa/rsa_pss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pss.c,v 1.19 2024/03/26 05:26:27 joshua Exp $ */
+/* $OpenBSD: rsa_pss.c,v 1.20 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -61,11 +61,11 @@
 #include <string.h>
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/sha.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "rsa_local.h"
 
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
index 07a4f5d659..3052fa912f 100644
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_saos.c,v 1.25 2023/07/08 12:26:45 beck Exp $ */
+/* $OpenBSD: rsa_saos.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,11 +60,12 @@
 #include <string.h>
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
+
 int
 RSA_sign_ASN1_OCTET_STRING(int type, const unsigned char *m, unsigned int m_len,
     unsigned char *sigret, unsigned int *siglen, RSA *rsa)
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index 6edd20626d..09e6972293 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_sign.c,v 1.37 2025/01/05 15:39:12 tb Exp $ */
+/* $OpenBSD: rsa_sign.c,v 1.38 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,12 +60,12 @@
 #include <string.h>
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "rsa_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/rsa/rsa_x931.c b/src/lib/libcrypto/rsa/rsa_x931.c
index 52f3f803b2..8a0190d7fe 100644
--- a/src/lib/libcrypto/rsa/rsa_x931.c
+++ b/src/lib/libcrypto/rsa/rsa_x931.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_x931.c,v 1.12 2023/05/05 12:19:37 tb Exp $ */
+/* $OpenBSD: rsa_x931.c,v 1.13 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -60,10 +60,11 @@
 #include <string.h>
 
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
 
+#include "err_local.h"
+
 int
 RSA_padding_add_X931(unsigned char *to, int tlen, const unsigned char *from,
     int flen)
diff --git a/src/lib/libcrypto/sha/asm/sha1-586.pl b/src/lib/libcrypto/sha/asm/sha1-586.pl
index 5928e083c1..d2491766f3 100644
--- a/src/lib/libcrypto/sha/asm/sha1-586.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-586.pl
@@ -104,13 +104,7 @@ require "x86asm.pl";
 
 &asm_init($ARGV[0],"sha1-586.pl",$ARGV[$#ARGV] eq "386");
 
-$xmm=$ymm=0;
-for (@ARGV) { $xmm=1 if (/-DOPENSSL_IA32_SSE2/); }
-
-$ymm=1 if ($xmm &&
-                `$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
-                        =~ /GNU assembler version ([2-9]\.[0-9]+)/ &&
-                $1>=2.19);      # first version supporting AVX
+$xmm=$ymm=1;
 
 &external_label("OPENSSL_ia32cap_P") if ($xmm);
 
diff --git a/src/lib/libcrypto/sha/asm/sha512-586.pl b/src/lib/libcrypto/sha/asm/sha512-586.pl
index c1d0684e92..fe1ff487bc 100644
--- a/src/lib/libcrypto/sha/asm/sha512-586.pl
+++ b/src/lib/libcrypto/sha/asm/sha512-586.pl
@@ -38,8 +38,7 @@ require "x86asm.pl";
 
 &asm_init($ARGV[0],"sha512-586.pl",$ARGV[$#ARGV] eq "386");
 
-$sse2=0;
-for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
+$sse2=1;
 
 &external_label("OPENSSL_ia32cap_P") if ($sse2);
 
diff --git a/src/lib/libcrypto/sha/sha1_aarch64.c b/src/lib/libcrypto/sha/sha1_aarch64.c
new file mode 100644
index 0000000000..04c87761e0
--- /dev/null
+++ b/src/lib/libcrypto/sha/sha1_aarch64.c
@@ -0,0 +1,34 @@
+/* $OpenBSD: sha1_aarch64.c,v 1.1 2025/06/28 12:51:08 jsing Exp $ */
+/*
+ * Copyright (c) 2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <openssl/sha.h>
+
+#include "crypto_arch.h"
+
+void sha1_block_ce(SHA256_CTX *ctx, const void *in, size_t num);
+void sha1_block_generic(SHA256_CTX *ctx, const void *in, size_t num);
+
+void
+sha1_block_data_order(SHA256_CTX *ctx, const void *in, size_t num)
+{
+        if ((crypto_cpu_caps_aarch64 & CRYPTO_CPU_CAPS_AARCH64_SHA1) != 0) {
+                sha1_block_ce(ctx, in, num);
+                return;
+        }
+
+        sha1_block_generic(ctx, in, num);
+}
diff --git a/src/lib/libcrypto/sha/sha1_aarch64_ce.S b/src/lib/libcrypto/sha/sha1_aarch64_ce.S
new file mode 100644
index 0000000000..8ccf230298
--- /dev/null
+++ b/src/lib/libcrypto/sha/sha1_aarch64_ce.S
@@ -0,0 +1,214 @@
+/* $OpenBSD: sha1_aarch64_ce.S,v 1.1 2025/06/28 12:51:08 jsing Exp $ */
+/*
+ * Copyright (c) 2023,2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * SHA-1 implementation using the ARM Cryptographic Extension (CE).
+ *
+ * There are six instructions for hardware acceleration of SHA-1 - the
+ * documentation for these instructions is woefully inadequate:
+ *
+ *  sha1c:   hash update (choose)
+ *  sha1h:   fixed rotate
+ *  sha1m:   hash update (majority)
+ *  sha1p:   hash update (parity)
+ *  sha1su0: message schedule update with sigma0 for four rounds
+ *  sha1su1: message schedule update with sigma1 for four rounds
+ */
+
+#define ctx             x0
+#define in              x1
+#define num             x2
+
+/* Note: the lower 64 bits of v8 through v15 are callee saved. */
+
+#define hc0             v16
+#define hc1             v17
+#define hc1s            s17
+
+#define hs0             v18
+#define hs1             v19
+#define hs1s            s19
+
+#define w0              v20
+#define w1              v21
+#define w2              v22
+#define w3              v23
+
+#define k0              v24
+#define k1              v25
+#define k2              v26
+#define k3              v27
+
+#define tmp0            v28
+#define tmp1            s29
+
+#define tmp2            w11
+
+/*
+ * Update message schedule for m0 (W0:W1:W2:W3), using m1 (W4:W5:W6:W7),
+ * m2 (W8:W9:W10:11) and m3 (W12:W13:W14:W15). The sha1su0 instruction computes
+ * W0 = W8 ^ W2 ^ W0, while sha1su1 computes rol(W0 ^ W13, 1).
+ */
+#define sha1_message_schedule_update(m0, m1, m2, m3) \
+        sha1su0 m0.4s, m1.4s, m2.4s;                                    \
+        sha1su1 m0.4s, m3.4s;
+
+/*
+ * Compute four SHA-1 rounds by adding W0:W1:W2:W3 + K0:K1:K2:K3, then
+ * computing the remainder of each round (including the shuffle) via
+ * sha1{c,p,m}/sha1h.
+ */
+
+#define sha1_round1(h0, h1, w, k) \
+        add     tmp0.4s, w.4s, k.4s;            /* Tt = Wt + Kt */      \
+        mov     tmp1, h0.s[0];                                          \
+        sha1c   h0, h1, tmp0.4s;                                        \
+        sha1h   h1, tmp1;
+
+#define sha1_round2(h0, h1, w, k) \
+        add     tmp0.4s, w.4s, k.4s;            /* Tt = Wt + Kt */      \
+        mov     tmp1, h0.s[0];                                          \
+        sha1p   h0, h1, tmp0.4s;                                        \
+        sha1h   h1, tmp1;
+
+#define sha1_round3(h0, h1, w, k) \
+        add     tmp0.4s, w.4s, k.4s;            /* Tt = Wt + Kt */      \
+        mov     tmp1, h0.s[0];                                          \
+        sha1m   h0, h1, tmp0.4s;                                        \
+        sha1h   h1, tmp1;
+
+#define sha1_round4(h0, h1, w, k) \
+        add     tmp0.4s, w.4s, k.4s;            /* Tt = Wt + Kt */      \
+        mov     tmp1, h0.s[0];                                          \
+        sha1p   h0, h1, tmp0.4s;                                        \
+        sha1h   h1, tmp1;
+
+.arch   armv8-a+sha2
+
+.text
+
+/*
+ * void sha1_block_ce(SHA256_CTX *ctx, const void *in, size_t num);
+ *
+ * Standard ARM ABI: x0 = ctx, x1 = in, x2 = num
+ */
+.globl  sha1_block_ce
+.type   sha1_block_ce,@function
+sha1_block_ce:
+
+        /*
+         * Load SHA-1 round constants.
+         */
+
+        /* Round 1 - 0x5a827999 */
+        movz    tmp2, #0x5a82, lsl #16
+        movk    tmp2, #0x7999
+        dup     k0.4s, tmp2
+
+        /* Round 2 - 0x6ed9eba1 */
+        movz    tmp2, #0x6ed9, lsl #16
+        movk    tmp2, #0xeba1
+        dup     k1.4s, tmp2
+
+        /* Round 3 - 0x8f1bbcdc */
+        movz    tmp2, #0x8f1b, lsl #16
+        movk    tmp2, #0xbcdc
+        dup     k2.4s, tmp2
+
+        /* Round 4 - 0xca62c1d6 */
+        movz    tmp2, #0xca62, lsl #16
+        movk    tmp2, #0xc1d6
+        dup     k3.4s, tmp2
+
+        /* Load current hash state from context (hc0 = a:b:c:d, hc1 = e). */
+        ld1     {hc0.4s}, [ctx]
+        ldr     hc1s, [ctx, #(4*4)]
+
+block_loop:
+        /* Copy current hash state. */
+        mov     hs0.4s, hc0.4s
+        mov     hs1s, hc1.s[0]
+
+        /* Load and byte swap message schedule. */
+        ld1     {w0.16b, w1.16b, w2.16b, w3.16b}, [in], #64
+        rev32   w0.16b, w0.16b
+        rev32   w1.16b, w1.16b
+        rev32   w2.16b, w2.16b
+        rev32   w3.16b, w3.16b
+
+        /* Rounds 0 through 15 (four rounds at a time). */
+        sha1_round1(hs0, hs1s, w0, k0)
+        sha1_round1(hs0, hs1s, w1, k0)
+        sha1_round1(hs0, hs1s, w2, k0)
+        sha1_round1(hs0, hs1s, w3, k0)
+
+        /* Rounds 16 through 31 (four rounds at a time). */
+        sha1_message_schedule_update(w0, w1, w2, w3)
+        sha1_message_schedule_update(w1, w2, w3, w0)
+        sha1_message_schedule_update(w2, w3, w0, w1)
+        sha1_message_schedule_update(w3, w0, w1, w2)
+
+        sha1_round1(hs0, hs1s, w0, k0)
+        sha1_round2(hs0, hs1s, w1, k1)
+        sha1_round2(hs0, hs1s, w2, k1)
+        sha1_round2(hs0, hs1s, w3, k1)
+
+        /* Rounds 32 through 47 (four rounds at a time). */
+        sha1_message_schedule_update(w0, w1, w2, w3)
+        sha1_message_schedule_update(w1, w2, w3, w0)
+        sha1_message_schedule_update(w2, w3, w0, w1)
+        sha1_message_schedule_update(w3, w0, w1, w2)
+
+        sha1_round2(hs0, hs1s, w0, k1)
+        sha1_round2(hs0, hs1s, w1, k1)
+        sha1_round3(hs0, hs1s, w2, k2)
+        sha1_round3(hs0, hs1s, w3, k2)
+
+        /* Rounds 48 through 63 (four rounds at a time). */
+        sha1_message_schedule_update(w0, w1, w2, w3)
+        sha1_message_schedule_update(w1, w2, w3, w0)
+        sha1_message_schedule_update(w2, w3, w0, w1)
+        sha1_message_schedule_update(w3, w0, w1, w2)
+
+        sha1_round3(hs0, hs1s, w0, k2)
+        sha1_round3(hs0, hs1s, w1, k2)
+        sha1_round3(hs0, hs1s, w2, k2)
+        sha1_round4(hs0, hs1s, w3, k3)
+
+        /* Rounds 64 through 79 (four rounds at a time). */
+        sha1_message_schedule_update(w0, w1, w2, w3)
+        sha1_message_schedule_update(w1, w2, w3, w0)
+        sha1_message_schedule_update(w2, w3, w0, w1)
+        sha1_message_schedule_update(w3, w0, w1, w2)
+
+        sha1_round4(hs0, hs1s, w0, k3)
+        sha1_round4(hs0, hs1s, w1, k3)
+        sha1_round4(hs0, hs1s, w2, k3)
+        sha1_round4(hs0, hs1s, w3, k3)
+
+        /* Add intermediate state to hash state. */
+        add     hc0.4s, hc0.4s, hs0.4s
+        add     hc1.4s, hc1.4s, hs1.4s
+
+        sub     num, num, #1
+        cbnz    num, block_loop
+
+        /* Store hash state to context. */
+        st1     {hc0.4s}, [ctx]
+        str     hc1s, [ctx, #(4*4)]
+
+        ret
diff --git a/src/lib/libcrypto/shlib_version b/src/lib/libcrypto/shlib_version
index a5cb76dd4f..79adf54372 100644
--- a/src/lib/libcrypto/shlib_version
+++ b/src/lib/libcrypto/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libssl and libtls the same type of bump!
-major=56
+major=57
 minor=0
diff --git a/src/lib/libcrypto/sm2/sm2_crypt.c b/src/lib/libcrypto/sm2/sm2_crypt.c
index 63fe1e6ab9..3bc1f21fb6 100644
--- a/src/lib/libcrypto/sm2/sm2_crypt.c
+++ b/src/lib/libcrypto/sm2/sm2_crypt.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sm2_crypt.c,v 1.3 2024/02/09 07:43:52 tb Exp $ */
+/*      $OpenBSD: sm2_crypt.c,v 1.4 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2017, 2019 Ribose Inc
  *
@@ -22,10 +22,10 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/sm2.h>
 
+#include "err_local.h"
 #include "sm2_local.h"
 
 typedef struct SM2_Ciphertext_st SM2_Ciphertext;
diff --git a/src/lib/libcrypto/sm2/sm2_pmeth.c b/src/lib/libcrypto/sm2/sm2_pmeth.c
index 441f5475d1..786e48a992 100644
--- a/src/lib/libcrypto/sm2/sm2_pmeth.c
+++ b/src/lib/libcrypto/sm2/sm2_pmeth.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sm2_pmeth.c,v 1.2 2022/11/26 16:08:54 tb Exp $ */
+/*      $OpenBSD: sm2_pmeth.c,v 1.3 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2017, 2019 Ribose Inc
  *
@@ -22,9 +22,9 @@
 #include <openssl/sm2.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "sm2_local.h"
 
diff --git a/src/lib/libcrypto/sm2/sm2_sign.c b/src/lib/libcrypto/sm2/sm2_sign.c
index a5e3a8aee5..1a88d860bc 100644
--- a/src/lib/libcrypto/sm2/sm2_sign.c
+++ b/src/lib/libcrypto/sm2/sm2_sign.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sm2_sign.c,v 1.4 2023/07/05 17:36:19 tb Exp $ */
+/*      $OpenBSD: sm2_sign.c,v 1.5 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2017, 2019 Ribose Inc
  *
@@ -21,10 +21,10 @@
 
 #include <openssl/sm2.h>
 #include <openssl/evp.h>
-#include <openssl/err.h>
 #include <openssl/bn.h>
 
 #include "bn_local.h"
+#include "err_local.h"
 #include "sm2_local.h"
 
 static BIGNUM *
diff --git a/src/lib/libcrypto/ts/ts_asn1.c b/src/lib/libcrypto/ts/ts_asn1.c
index feb2da68f9..aa3f4ba867 100644
--- a/src/lib/libcrypto/ts/ts_asn1.c
+++ b/src/lib/libcrypto/ts/ts_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_asn1.c,v 1.15 2024/04/15 15:52:46 tb Exp $ */
+/* $OpenBSD: ts_asn1.c,v 1.16 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Nils Larsch for the OpenSSL project 2004.
  */
 /* ====================================================================
@@ -58,9 +58,9 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/ts.h>
-#include <openssl/err.h>
 #include <openssl/asn1t.h>
 
+#include "err_local.h"
 #include "ts_local.h"
 
 static const ASN1_TEMPLATE TS_MSG_IMPRINT_seq_tt[] = {
diff --git a/src/lib/libcrypto/ts/ts_conf.c b/src/lib/libcrypto/ts/ts_conf.c
index bd499238f5..0acefa902f 100644
--- a/src/lib/libcrypto/ts/ts_conf.c
+++ b/src/lib/libcrypto/ts/ts_conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_conf.c,v 1.15 2024/08/26 22:01:28 op Exp $ */
+/* $OpenBSD: ts_conf.c,v 1.16 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -63,7 +63,6 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/ts.h>
 
diff --git a/src/lib/libcrypto/ts/ts_req_utils.c b/src/lib/libcrypto/ts/ts_req_utils.c
index d679418060..fa3123863c 100644
--- a/src/lib/libcrypto/ts/ts_req_utils.c
+++ b/src/lib/libcrypto/ts/ts_req_utils.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_req_utils.c,v 1.9 2023/07/07 19:37:54 beck Exp $ */
+/* $OpenBSD: ts_req_utils.c,v 1.10 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -58,11 +58,11 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/ts.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "ts_local.h"
 
 int
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c
index e3101340c5..b8cc7e2baf 100644
--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.35 2024/03/26 00:39:22 beck Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.37 2025/07/31 02:02:35 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -60,11 +60,11 @@
 
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
 #include <openssl/ts.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "ts_local.h"
 #include "x509_local.h"
@@ -955,28 +955,32 @@ static int
 ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
 {
         ASN1_STRING *seq = NULL;
-        unsigned char *p, *pp = NULL;
-        int len;
+        unsigned char *data = NULL;
+        int len = 0;
+        int ret = 0;
 
-        len = i2d_ESS_SIGNING_CERT(sc, NULL);
-        if (!(pp = malloc(len))) {
-                TSerror(ERR_R_MALLOC_FAILURE);
+        if ((len = i2d_ESS_SIGNING_CERT(sc, &data)) <= 0) {
+                len = 0;
                 goto err;
         }
-        p = pp;
-        i2d_ESS_SIGNING_CERT(sc, &p);
-        if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) {
-                TSerror(ERR_R_MALLOC_FAILURE);
+
+        if ((seq = ASN1_STRING_new()) == NULL)
                 goto err;
-        }
-        free(pp);
-        pp = NULL;
-        return PKCS7_add_signed_attribute(si,
-            NID_id_smime_aa_signingCertificate, V_ASN1_SEQUENCE, seq);
 
-err:
+        ASN1_STRING_set0(seq, data, len);
+        data = NULL;
+        len = 0;
+
+        if (!PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificate,
+            V_ASN1_SEQUENCE, seq))
+                goto err;
+        seq = NULL;
+
+        ret = 1;
+
+ err:
         ASN1_STRING_free(seq);
-        free(pp);
+        freezero(data, len);
 
-        return 0;
+        return ret;
 }
diff --git a/src/lib/libcrypto/ts/ts_rsp_utils.c b/src/lib/libcrypto/ts/ts_rsp_utils.c
index 34994adce8..ecdb46773f 100644
--- a/src/lib/libcrypto/ts/ts_rsp_utils.c
+++ b/src/lib/libcrypto/ts/ts_rsp_utils.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_utils.c,v 1.11 2023/07/07 19:37:54 beck Exp $ */
+/* $OpenBSD: ts_rsp_utils.c,v 1.12 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -58,11 +58,11 @@
 
 #include <stdio.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
 #include <openssl/ts.h>
 
+#include "err_local.h"
 #include "ts_local.h"
 
 /* Function definitions. */
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c
index 69236f68ab..d38bb3b460 100644
--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_verify.c,v 1.30 2023/07/07 07:25:21 beck Exp $ */
+/* $OpenBSD: ts_rsp_verify.c,v 1.31 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -59,11 +59,11 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
 #include <openssl/ts.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "ts_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/ts/ts_verify_ctx.c b/src/lib/libcrypto/ts/ts_verify_ctx.c
index 5a2d95c680..23e2557308 100644
--- a/src/lib/libcrypto/ts/ts_verify_ctx.c
+++ b/src/lib/libcrypto/ts/ts_verify_ctx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_verify_ctx.c,v 1.14 2023/07/07 07:25:21 beck Exp $ */
+/* $OpenBSD: ts_verify_ctx.c,v 1.15 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2003.
  */
@@ -58,10 +58,10 @@
 
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/ts.h>
 
+#include "err_local.h"
 #include "ts_local.h"
 
 TS_VERIFY_CTX *
diff --git a/src/lib/libcrypto/ui/ui_lib.c b/src/lib/libcrypto/ui/ui_lib.c
index 73d899afcc..cc9de59c19 100644
--- a/src/lib/libcrypto/ui/ui_lib.c
+++ b/src/lib/libcrypto/ui/ui_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ui_lib.c,v 1.51 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: ui_lib.c,v 1.52 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
  * project 2001.
  */
@@ -61,9 +61,9 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/ui.h>
 
+#include "err_local.h"
 #include "ui_local.h"
 
 static const UI_METHOD *default_UI_meth = NULL;
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index 2b2733a04b..9b239c1e9d 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_dir.c,v 1.48 2024/08/31 10:19:17 tb Exp $ */
+/* $OpenBSD: by_dir.c,v 1.49 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -64,9 +64,9 @@
 
 #include <openssl/opensslconf.h>
 
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 typedef struct lookup_dir_hashes_st {
diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
index 9b0fd2542c..86d4cd6b60 100644
--- a/src/lib/libcrypto/x509/by_file.c
+++ b/src/lib/libcrypto/x509/by_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_file.c,v 1.31 2024/08/31 10:19:17 tb Exp $ */
+/* $OpenBSD: by_file.c,v 1.32 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,10 +62,10 @@
 #include <unistd.h>
 
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
diff --git a/src/lib/libcrypto/x509/by_mem.c b/src/lib/libcrypto/x509/by_mem.c
index 71afefa8a4..66093dd445 100644
--- a/src/lib/libcrypto/x509/by_mem.c
+++ b/src/lib/libcrypto/x509/by_mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_mem.c,v 1.10 2024/08/31 10:19:17 tb Exp $ */
+/* $OpenBSD: by_mem.c,v 1.11 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,11 +63,11 @@
 #include <unistd.h>
 
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static int by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index a198b23202..4148a6398e 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.121 2025/03/09 15:17:22 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.124 2025/08/10 06:36:45 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -178,6 +178,7 @@ DECLARE_STACK_OF(X509)
 #define X509_FLAG_NO_SIGDUMP            (1L << 9)
 #define X509_FLAG_NO_AUX                (1L << 10)
 #define X509_FLAG_NO_ATTRIBUTES         (1L << 11)
+#define X509_FLAG_NO_IDS                (1L << 12)
 
 /* Flags specific to X509_NAME_print_ex() */
 
@@ -244,23 +245,7 @@ typedef struct X509_crl_info_st X509_CRL_INFO;
 DECLARE_STACK_OF(X509_CRL)
 
 typedef struct private_key_st {
-        int version;
-        /* The PKCS#8 data types */
-        X509_ALGOR *enc_algor;
-        ASN1_OCTET_STRING *enc_pkey;    /* encrypted pub key */
-
-        /* When decrypted, the following will not be NULL */
         EVP_PKEY *dec_pkey;
-
-        /* used to encrypt and decrypt */
-        int key_length;
-        char *key_data;
-        int key_free;   /* true if we should auto free key_data */
-
-        /* expanded version of 'enc_algor' */
-        EVP_CIPHER_INFO cipher;
-
-        int references;
 } X509_PKEY;
 
 #ifndef OPENSSL_NO_EVP
@@ -646,9 +631,6 @@ int X509_CRL_get0_by_serial(X509_CRL *crl,
                 X509_REVOKED **ret, ASN1_INTEGER *serial);
 int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
 
-X509_PKEY *     X509_PKEY_new(void );
-void            X509_PKEY_free(X509_PKEY *a);
-
 NETSCAPE_SPKI *NETSCAPE_SPKI_new(void);
 void NETSCAPE_SPKI_free(NETSCAPE_SPKI *a);
 NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **a, const unsigned char **in, long len);
@@ -1013,6 +995,7 @@ void ERR_load_X509_strings(void);
 #define X509_R_ERR_ASN1_LIB                              102
 #define X509_R_INVALID_DIRECTORY                         113
 #define X509_R_INVALID_FIELD_NAME                        119
+#define X509_R_INVALID_POLICY_EXTENSION                  201
 #define X509_R_INVALID_TRUST                             123
 #define X509_R_INVALID_VERSION                           137
 #define X509_R_KEY_TYPE_MISMATCH                         115
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 2208cc434e..b4ee92a14b 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.93 2024/07/13 15:08:58 tb Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.94 2025/05/10 05:54:39 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -69,12 +69,12 @@
 #include <openssl/asn1t.h>
 #include <openssl/buffer.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include "asn1_local.h"
 #include "bytestring.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 #ifndef OPENSSL_NO_RFC3779
diff --git a/src/lib/libcrypto/x509/x509_akey.c b/src/lib/libcrypto/x509/x509_akey.c
index 926508c4cd..524fea8009 100644
--- a/src/lib/libcrypto/x509/x509_akey.c
+++ b/src/lib/libcrypto/x509/x509_akey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_akey.c,v 1.3 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_akey.c,v 1.4 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
index 34734a55bd..ca91493848 100644
--- a/src/lib/libcrypto/x509/x509_alt.c
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.19 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.20 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -60,9 +60,9 @@
 #include <string.h>
 
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_internal.h"
 
 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c
index 40ee201a9f..45a154e7d9 100644
--- a/src/lib/libcrypto/x509/x509_asid.c
+++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_asid.c,v 1.45 2024/07/13 15:08:58 tb Exp $ */
+/*      $OpenBSD: x509_asid.c,v 1.46 2025/05/10 05:54:39 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -68,10 +68,10 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 #ifndef OPENSSL_NO_RFC3779
diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
index 4931cbbc17..a442a17746 100644
--- a/src/lib/libcrypto/x509/x509_att.c
+++ b/src/lib/libcrypto/x509/x509_att.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_att.c,v 1.25 2024/08/31 10:46:40 tb Exp $ */
+/* $OpenBSD: x509_att.c,v 1.26 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,13 +59,13 @@
 #include <stdio.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 int
diff --git a/src/lib/libcrypto/x509/x509_bcons.c b/src/lib/libcrypto/x509/x509_bcons.c
index 99cb5afe9a..c10f822ccc 100644
--- a/src/lib/libcrypto/x509/x509_bcons.c
+++ b/src/lib/libcrypto/x509/x509_bcons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_bcons.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_bcons.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_bitst.c b/src/lib/libcrypto/x509/x509_bitst.c
index 2bc4f9911a..89289b7af0 100644
--- a/src/lib/libcrypto/x509/x509_bitst.c
+++ b/src/lib/libcrypto/x509/x509_bitst.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_bitst.c,v 1.8 2024/08/31 10:23:13 tb Exp $ */
+/* $OpenBSD: x509_bitst.c,v 1.9 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,9 +60,9 @@
 #include <string.h>
 
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static const BIT_STRING_BITNAME ns_cert_type_table[] = {
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index 2c1e427093..2479dcdd0d 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cmp.c,v 1.44 2024/03/25 03:41:16 joshua Exp $ */
+/* $OpenBSD: x509_cmp.c,v 1.45 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,11 +63,11 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/x509/x509_conf.c b/src/lib/libcrypto/x509/x509_conf.c
index e5b18c2f77..2089f72bc7 100644
--- a/src/lib/libcrypto/x509/x509_conf.c
+++ b/src/lib/libcrypto/x509/x509_conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_conf.c,v 1.29 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_conf.c,v 1.31 2025/06/02 12:18:21 jsg Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,11 +62,11 @@
 #include <string.h>
 
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include "conf_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 static int v3_check_critical(const char **value);
@@ -242,8 +242,9 @@ v3_check_critical(const char **value)
         if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
                 return 0;
         p += 9;
-        while (isspace((unsigned char)*p)) p++;
-                *value = p;
+        while (isspace((unsigned char)*p))
+                p++;
+        *value = p;
         return 1;
 }
 
diff --git a/src/lib/libcrypto/x509/x509_cpols.c b/src/lib/libcrypto/x509/x509_cpols.c
index 6bae2a0482..b6a456023f 100644
--- a/src/lib/libcrypto/x509/x509_cpols.c
+++ b/src/lib/libcrypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.15 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.16 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 /* Certificate policies extension support: this one is a bit complex... */
diff --git a/src/lib/libcrypto/x509/x509_crld.c b/src/lib/libcrypto/x509/x509_crld.c
index 81f2010df5..75afcefca8 100644
--- a/src/lib/libcrypto/x509/x509_crld.c
+++ b/src/lib/libcrypto/x509/x509_crld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_crld.c,v 1.9 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_crld.c,v 1.10 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static void *v2i_crld(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_extku.c b/src/lib/libcrypto/x509/x509_extku.c
index da5036a09a..35460ca46b 100644
--- a/src/lib/libcrypto/x509/x509_extku.c
+++ b/src/lib/libcrypto/x509/x509_extku.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_extku.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_extku.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,9 +60,9 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_genn.c b/src/lib/libcrypto/x509/x509_genn.c
index 1ea7155795..5214c394ed 100644
--- a/src/lib/libcrypto/x509/x509_genn.c
+++ b/src/lib/libcrypto/x509/x509_genn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_genn.c,v 1.7 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_genn.c,v 1.8 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -63,6 +63,8 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
+
 static const ASN1_TEMPLATE OTHERNAME_seq_tt[] = {
         {
                 .flags = 0,
diff --git a/src/lib/libcrypto/x509/x509_ia5.c b/src/lib/libcrypto/x509/x509_ia5.c
index 4f62a9134c..b8886c6cb8 100644
--- a/src/lib/libcrypto/x509/x509_ia5.c
+++ b/src/lib/libcrypto/x509/x509_ia5.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ia5.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_ia5.c,v 1.3 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -61,9 +61,10 @@
 
 #include <openssl/asn1.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
+
 static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
 static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, char *str);
diff --git a/src/lib/libcrypto/x509/x509_info.c b/src/lib/libcrypto/x509/x509_info.c
index d1de346ee6..c91642a02e 100644
--- a/src/lib/libcrypto/x509/x509_info.c
+++ b/src/lib/libcrypto/x509/x509_info.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_info.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_info.c,v 1.6 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,10 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
+
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
     X509V3_EXT_METHOD *method, AUTHORITY_INFO_ACCESS *ainfo,
     STACK_OF(CONF_VALUE) *ret);
diff --git a/src/lib/libcrypto/x509/x509_lib.c b/src/lib/libcrypto/x509/x509_lib.c
index 6fa66ab88e..0285ac0d3a 100644
--- a/src/lib/libcrypto/x509/x509_lib.c
+++ b/src/lib/libcrypto/x509/x509_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lib.c,v 1.24 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_lib.c,v 1.25 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,9 +60,9 @@
 #include <stdio.h>
 
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 const X509V3_EXT_METHOD *
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
index 0367794fca..1ac3436a6e 100644
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lu.c,v 1.67 2025/03/09 15:20:20 tb Exp $ */
+/* $OpenBSD: x509_lu.c,v 1.68 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,11 +59,11 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static int X509_OBJECT_up_ref_count(X509_OBJECT *a);
diff --git a/src/lib/libcrypto/x509/x509_ncons.c b/src/lib/libcrypto/x509/x509_ncons.c
index 148a66e887..f197488d70 100644
--- a/src/lib/libcrypto/x509/x509_ncons.c
+++ b/src/lib/libcrypto/x509/x509_ncons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ncons.c,v 1.11 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_ncons.c,v 1.12 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -61,9 +61,9 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_ocsp.c b/src/lib/libcrypto/x509/x509_ocsp.c
index 6531b4c420..d0a0d49890 100644
--- a/src/lib/libcrypto/x509/x509_ocsp.c
+++ b/src/lib/libcrypto/x509/x509_ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ocsp.c,v 1.4 2024/12/24 09:14:33 schwarze Exp $ */
+/* $OpenBSD: x509_ocsp.c,v 1.5 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -65,10 +65,10 @@
 
 #include <openssl/asn1.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/ocsp.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "ocsp_local.h"
 
 /* OCSP extensions and a couple of CRL entry extensions
diff --git a/src/lib/libcrypto/x509/x509_pcons.c b/src/lib/libcrypto/x509/x509_pcons.c
index 66dc57abf6..404fa28724 100644
--- a/src/lib/libcrypto/x509/x509_pcons.c
+++ b/src/lib/libcrypto/x509/x509_pcons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pcons.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_pcons.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static STACK_OF(CONF_VALUE) *
diff --git a/src/lib/libcrypto/x509/x509_pmaps.c b/src/lib/libcrypto/x509/x509_pmaps.c
index 5039f65f2e..141a3a6f90 100644
--- a/src/lib/libcrypto/x509/x509_pmaps.c
+++ b/src/lib/libcrypto/x509/x509_pmaps.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pmaps.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_pmaps.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -61,9 +61,9 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_policy.c b/src/lib/libcrypto/x509/x509_policy.c
index d93760755d..2df965aad1 100644
--- a/src/lib/libcrypto/x509/x509_policy.c
+++ b/src/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_policy.c,v 1.31 2025/03/28 13:11:57 tb Exp $ */
+/*      $OpenBSD: x509_policy.c,v 1.33 2025/08/10 06:36:45 beck Exp $ */
 /*
  * Copyright (c) 2022, Google Inc.
  *
@@ -17,19 +17,16 @@
 
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "stack_local.h"
 #include "x509_internal.h"
 #include "x509_local.h"
 
-/* XXX move to proper place */
-#define X509_R_INVALID_POLICY_EXTENSION 201
-
 /*
  * This file computes the X.509 policy tree, as described in RFC 5280,
  * section 6.1 and RFC 9618. It differs in that:
diff --git a/src/lib/libcrypto/x509/x509_prn.c b/src/lib/libcrypto/x509/x509_prn.c
index 3bf7c803e5..23c649a7b9 100644
--- a/src/lib/libcrypto/x509/x509_prn.c
+++ b/src/lib/libcrypto/x509/x509_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_prn.c,v 1.6 2023/05/08 05:30:38 tb Exp $ */
+/* $OpenBSD: x509_prn.c,v 1.7 2025/06/02 12:18:22 jsg Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -87,8 +87,9 @@ X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
         for (i = 0; i < sk_CONF_VALUE_num(val); i++) {
                 if (ml)
                         BIO_printf(out, "%*s", indent, "");
-                else if (i > 0) BIO_printf(out, ", ");
-                        nval = sk_CONF_VALUE_value(val, i);
+                else if (i > 0)
+                        BIO_printf(out, ", ");
+                nval = sk_CONF_VALUE_value(val, i);
                 if (!nval->name)
                         BIO_puts(out, nval->value);
                 else if (!nval->value)
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 619a4b890a..36dfe6abee 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.43 2024/07/12 18:15:10 beck Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.44 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -61,7 +61,6 @@
 
 #include <openssl/opensslconf.h>
 
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 #include <openssl/x509_vfy.h>
 
diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c
index 39b392259b..4ca8a87935 100644
--- a/src/lib/libcrypto/x509/x509_r2x.c
+++ b/src/lib/libcrypto/x509/x509_r2x.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_r2x.c,v 1.17 2023/04/25 09:46:36 job Exp $ */
+/* $OpenBSD: x509_r2x.c,v 1.18 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,11 +61,11 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 X509 *
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
index 704acbd897..df1119a55c 100644
--- a/src/lib/libcrypto/x509/x509_req.c
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_req.c,v 1.43 2024/08/31 10:16:52 tb Exp $ */
+/* $OpenBSD: x509_req.c,v 1.44 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -64,13 +64,13 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/x509/x509_skey.c b/src/lib/libcrypto/x509/x509_skey.c
index d2c90b6f1c..e9e915a0c7 100644
--- a/src/lib/libcrypto/x509/x509_skey.c
+++ b/src/lib/libcrypto/x509/x509_skey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_skey.c,v 1.6 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_skey.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -59,9 +59,9 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_utl.c b/src/lib/libcrypto/x509/x509_utl.c
index 08383849c9..4be8630d89 100644
--- a/src/lib/libcrypto/x509/x509_utl.c
+++ b/src/lib/libcrypto/x509/x509_utl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_utl.c,v 1.26 2025/01/26 13:51:41 tb Exp $ */
+/* $OpenBSD: x509_utl.c,v 1.27 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -64,11 +64,11 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
 #include "bytestring.h"
 #include "conf_local.h"
+#include "err_local.h"
 
 /*
  * Match reference identifiers starting with "." to any sub-domain. This
diff --git a/src/lib/libcrypto/x509/x509_v3.c b/src/lib/libcrypto/x509/x509_v3.c
index 688aed15a2..ee14d2dcef 100644
--- a/src/lib/libcrypto/x509/x509_v3.c
+++ b/src/lib/libcrypto/x509/x509_v3.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_v3.c,v 1.43 2024/07/12 09:57:04 tb Exp $ */
+/* $OpenBSD: x509_v3.c,v 1.44 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,12 +59,12 @@
 #include <stdio.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 int
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index c93ae81bd8..3d0abda615 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.147 2025/03/04 08:43:25 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.148 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -67,7 +67,6 @@
 #include <openssl/asn1.h>
 #include <openssl/buffer.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
@@ -75,6 +74,7 @@
 #include <openssl/x509v3.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "x509_internal.h"
 #include "x509_issuer_cache.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
index 9efe473fc3..19091b12aa 100644
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.55 2025/03/19 17:11:21 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.56 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2004.
  */
@@ -61,12 +61,12 @@
 
 #include <openssl/buffer.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 /* X509_VERIFY_PARAM functions */
diff --git a/src/lib/libcrypto/x509/x509name.c b/src/lib/libcrypto/x509/x509name.c
index d2df06ccc6..9a582d34e4 100644
--- a/src/lib/libcrypto/x509/x509name.c
+++ b/src/lib/libcrypto/x509/x509name.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509name.c,v 1.35 2023/05/29 11:54:50 beck Exp $ */
+/* $OpenBSD: x509name.c,v 1.36 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,13 +60,13 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 
 #include "bytestring.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 int
diff --git a/src/lib/libcrypto/x509/x509spki.c b/src/lib/libcrypto/x509/x509spki.c
index 04c9a6f01b..ef5f9e34c8 100644
--- a/src/lib/libcrypto/x509/x509spki.c
+++ b/src/lib/libcrypto/x509/x509spki.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509spki.c,v 1.16 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509spki.c,v 1.17 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,9 +60,10 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
+
 int
 NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
 {
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index 5997714061..b5d50ae4ee 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_all.c,v 1.32 2024/06/19 08:00:53 tb Exp $ */
+/* $OpenBSD: x_all.c,v 1.33 2025/07/10 18:50:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -399,7 +399,11 @@ LCRYPTO_ALIAS(i2d_PKCS8PrivateKeyInfo_fp);
 int
 X509_verify(X509 *a, EVP_PKEY *r)
 {
-        if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))
+        /*
+         * The Certificate's signature AlgorithmIdentifier must match the one
+         * inside the TBSCertificate, see RFC 5280, 4.1.1.2, 4.1.2.3.
+         */
+        if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature) != 0)
                 return 0;
         return ASN1_item_verify(&X509_CINF_it, a->sig_alg,
             a->signature, a->cert_info, r);
diff --git a/src/lib/libssl/LICENSE b/src/lib/libssl/LICENSE
index 892e14a450..c41ff4d1ca 100644
--- a/src/lib/libssl/LICENSE
+++ b/src/lib/libssl/LICENSE
@@ -1,7 +1,7 @@
 
-  LibReSSL files are retained under the copyright of the authors. New
+  LibreSSL files are retained under the copyright of the authors. New
   additions are ISC licensed as per OpenBSD's normal licensing policy,
-  or are placed in the public domain. 
+  or are placed in the public domain.
 
   The OpenSSL code is distributed under the terms of the original OpenSSL
   licenses which follow:
@@ -25,7 +25,7 @@
  * are met:
  *
  * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
+ *    notice, this list of conditions and the following disclaimer.
  *
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
@@ -80,21 +80,21 @@
  * This package is an SSL implementation written
  * by Eric Young (eay@cryptsoft.com).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -109,10 +109,10 @@
  *     Eric Young (eay@cryptsoft.com)"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -124,7 +124,7 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c
index 6dd1699606..13e4f30539 100644
--- a/src/lib/libssl/bio_ssl.c
+++ b/src/lib/libssl/bio_ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_ssl.c,v 1.40 2023/07/19 13:34:33 tb Exp $ */
+/* $OpenBSD: bio_ssl.c,v 1.41 2025/06/02 12:18:22 jsg Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -229,9 +229,7 @@ ssl_write(BIO *b, const char *out, int outl)
 
         BIO_clear_retry_flags(b);
 
-/*      ret=SSL_do_handshake(ssl);
-        if (ret > 0) */
-                ret = SSL_write(ssl, out, outl);
+        ret = SSL_write(ssl, out, outl);
 
         switch (SSL_get_error(ssl, ret)) {
         case SSL_ERROR_NONE:
diff --git a/src/lib/libssl/hidden/ssl_namespace.h b/src/lib/libssl/hidden/ssl_namespace.h
index 5d26516f3c..763dcd700f 100644
--- a/src/lib/libssl/hidden/ssl_namespace.h
+++ b/src/lib/libssl/hidden/ssl_namespace.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_namespace.h,v 1.3 2024/07/12 05:26:34 miod Exp $  */
+/*      $OpenBSD: ssl_namespace.h,v 1.4 2025/08/18 16:00:53 tb Exp $    */
 /*
  * Copyright (c) 2016 Philip Guenther <guenther@openbsd.org>
  *
@@ -35,7 +35,11 @@
 #else
 #define LSSL_UNUSED(x)
 #define LSSL_USED(x)
+#ifdef _MSC_VER
+#define LSSL_ALIAS(x)
+#else
 #define LSSL_ALIAS(x)           asm("")
+#endif /* _MSC_VER */
 #endif
 
 #endif  /* _LIBSSL_SSL_NAMESPACE_H_ */
diff --git a/src/lib/libssl/man/BIO_f_ssl.3 b/src/lib/libssl/man/BIO_f_ssl.3
index 3b74a3d6a4..e23a15e121 100644
--- a/src/lib/libssl/man/BIO_f_ssl.3
+++ b/src/lib/libssl/man/BIO_f_ssl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_f_ssl.3,v 1.16 2024/01/13 18:37:51 tb Exp $
+.\" $OpenBSD: BIO_f_ssl.3,v 1.17 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL f672aee4 Feb 9 11:52:40 2016 -0500
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 13 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_F_SSL 3
 .Os
 .Sh NAME
@@ -69,6 +69,7 @@
 .Nm BIO_do_handshake
 .Nd SSL BIO
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/bio.h
 .In openssl/ssl.h
 .Ft const BIO_METHOD *
diff --git a/src/lib/libssl/man/DTLSv1_listen.3 b/src/lib/libssl/man/DTLSv1_listen.3
index 047ec0a7ff..bdba1c59b0 100644
--- a/src/lib/libssl/man/DTLSv1_listen.3
+++ b/src/lib/libssl/man/DTLSv1_listen.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DTLSv1_listen.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: DTLSv1_listen.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 7795475f Dec 18 13:18:31 2015 -0500
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DTLSV1_LISTEN 3
 .Os
 .Sh NAME
 .Nm DTLSv1_listen
 .Nd listen for incoming DTLS connections
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo DTLSv1_listen
diff --git a/src/lib/libssl/man/OPENSSL_init_ssl.3 b/src/lib/libssl/man/OPENSSL_init_ssl.3
index f37dccfaac..ec840f5e1c 100644
--- a/src/lib/libssl/man/OPENSSL_init_ssl.3
+++ b/src/lib/libssl/man/OPENSSL_init_ssl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OPENSSL_init_ssl.3,v 1.4 2019/06/14 13:41:31 schwarze Exp $
+.\" $OpenBSD: OPENSSL_init_ssl.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 14 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OPENSSL_INIT_SSL 3
 .Os
 .Sh NAME
 .Nm OPENSSL_init_ssl
 .Nd initialise the crypto and ssl libraries
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo OPENSSL_init_ssl
diff --git a/src/lib/libssl/man/PEM_read_SSL_SESSION.3 b/src/lib/libssl/man/PEM_read_SSL_SESSION.3
index 3eb1414c62..93bd0b8ebd 100644
--- a/src/lib/libssl/man/PEM_read_SSL_SESSION.3
+++ b/src/lib/libssl/man/PEM_read_SSL_SESSION.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PEM_read_SSL_SESSION.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: PEM_read_SSL_SESSION.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL doc/man3/PEM_read_CMS.pod b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Rich Salz <rsalz@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PEM_READ_SSL_SESSION 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm PEM_write_bio_SSL_SESSION
 .Nd encode and decode SSL session objects in PEM format
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_SESSION *
 .Fo PEM_read_SSL_SESSION
diff --git a/src/lib/libssl/man/SSL_CIPHER_get_name.3 b/src/lib/libssl/man/SSL_CIPHER_get_name.3
index 86c1d3c0ba..fc92eb9723 100644
--- a/src/lib/libssl/man/SSL_CIPHER_get_name.3
+++ b/src/lib/libssl/man/SSL_CIPHER_get_name.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.17 2024/07/16 10:19:38 tb Exp $
+.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.19 2025/06/13 18:34:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 16 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt SSL_CIPHER_GET_NAME 3
 .Os
 .Sh NAME
@@ -70,6 +70,7 @@
 .Nm SSL_CIPHER_description
 .Nd get SSL_CIPHER properties
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_CIPHER_get_name "const SSL_CIPHER *cipher"
@@ -81,7 +82,7 @@
 .Fn SSL_CIPHER_get_cipher_nid "const SSL_CIPHER *cipher"
 .Ft int
 .Fn SSL_CIPHER_get_digest_nid "const SSL_CIPHER *cipher"
-.Ft "const EVP_MD *"
+.Ft const EVP_MD *
 .Fn SSL_CIPHER_get_handshake_digest "const SSL_CIPHER *cipher"
 .Ft int
 .Fn SSL_CIPHER_get_kx_nid "const SSL_CIPHER *cipher"
diff --git a/src/lib/libssl/man/SSL_COMP_add_compression_method.3 b/src/lib/libssl/man/SSL_COMP_add_compression_method.3
index f9e25358d7..0b990ca88e 100644
--- a/src/lib/libssl/man/SSL_COMP_add_compression_method.3
+++ b/src/lib/libssl/man/SSL_COMP_add_compression_method.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_COMP_add_compression_method.3,v 1.7 2024/08/31 10:51:48 tb Exp $
+.\" $OpenBSD: SSL_COMP_add_compression_method.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 31 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_COMP_ADD_COMPRESSION_METHOD 3
 .Os
 .Sh NAME
 .Nm SSL_COMP_get_compression_methods
 .Nd handle SSL/TLS integrated compression methods
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(SSL_COMP) *
 .Fn SSL_COMP_get_compression_methods void
diff --git a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
index 86eb27a523..91c4c80758 100644
--- a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
+++ b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.2 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_ADD1_CHAIN_CERT 3
 .Os
 .Sh NAME
@@ -67,6 +67,7 @@
 .Nm SSL_clear_chain_certs
 .Nd extra chain certificate processing
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set0_chain
diff --git a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
index b9694b0cbc..891c22a40a 100644
--- a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.8 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_CTX_clear_extra_chain_certs
 .Nd add, retrieve, and clear extra chain certificates
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_add_extra_chain_cert "SSL_CTX *ctx" "X509 *x509"
diff --git a/src/lib/libssl/man/SSL_CTX_add_session.3 b/src/lib/libssl/man/SSL_CTX_add_session.3
index 443bdb542a..df634bcdda 100644
--- a/src/lib/libssl/man/SSL_CTX_add_session.3
+++ b/src/lib/libssl/man/SSL_CTX_add_session.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_add_session.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_add_session.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_add_session.pod 1722496f Jun 8 15:18:38 2017 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_ADD_SESSION 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_remove_session
 .Nd manipulate session cache
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_add_session "SSL_CTX *ctx" "SSL_SESSION *c"
diff --git a/src/lib/libssl/man/SSL_CTX_ctrl.3 b/src/lib/libssl/man/SSL_CTX_ctrl.3
index c91ddff374..4d254d8f48 100644
--- a/src/lib/libssl/man/SSL_CTX_ctrl.3
+++ b/src/lib/libssl/man/SSL_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_ctrl.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_ctrl.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_callback_ctrl
 .Nd internal handling functions for SSL_CTX and SSL objects
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_ctrl "SSL_CTX *ctx" "int cmd" "long larg" "void *parg"
diff --git a/src/lib/libssl/man/SSL_CTX_flush_sessions.3 b/src/lib/libssl/man/SSL_CTX_flush_sessions.3
index 2ef781cb4a..deabf5200a 100644
--- a/src/lib/libssl/man/SSL_CTX_flush_sessions.3
+++ b/src/lib/libssl/man/SSL_CTX_flush_sessions.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_flush_sessions.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_flush_sessions.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_flush_sessions.pod 1722496f Jun 8 15:18:38 2017 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_FLUSH_SESSIONS 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_flush_sessions
 .Nd remove expired sessions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_flush_sessions "SSL_CTX *ctx" "long tm"
diff --git a/src/lib/libssl/man/SSL_CTX_free.3 b/src/lib/libssl/man/SSL_CTX_free.3
index 47f247631b..0afef7cd0e 100644
--- a/src/lib/libssl/man/SSL_CTX_free.3
+++ b/src/lib/libssl/man/SSL_CTX_free.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_free.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_free.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_FREE 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_free
 .Nd free an allocated SSL_CTX object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_free "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_get0_certificate.3 b/src/lib/libssl/man/SSL_CTX_get0_certificate.3
index 63c86bd5e0..226e6cd87a 100644
--- a/src/lib/libssl/man/SSL_CTX_get0_certificate.3
+++ b/src/lib/libssl/man/SSL_CTX_get0_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_get0_certificate.3,v 1.3 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_get0_certificate.3,v 1.4 2025/06/08 22:47:20 schwarze Exp $
 .\"
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,15 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_GET0_CERTIFICATE 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_get0_certificate
 .Nd get the active certificate from an SSL context
 .Sh SYNOPSIS
+.Lb libssl libcrypto
+.In openssl/ssl.h
 .Ft X509 *
 .Fo SSL_CTX_get0_certificate
 .Fa "const SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3 b/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
index 3dbaf2e981..30a02cc317 100644
--- a/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
+++ b/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_get_ex_new_index.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_ex_data
 .Nd internal application specific data functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_get_ex_new_index
diff --git a/src/lib/libssl/man/SSL_CTX_get_verify_mode.3 b/src/lib/libssl/man/SSL_CTX_get_verify_mode.3
index 7c87775069..88187f7f3c 100644
--- a/src/lib/libssl/man/SSL_CTX_get_verify_mode.3
+++ b/src/lib/libssl/man/SSL_CTX_get_verify_mode.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_get_verify_mode.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_get_verify_mode.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_GET_VERIFY_MODE 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_CTX_get_verify_callback
 .Nd get currently set verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_get_verify_mode "const SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_load_verify_locations.3 b/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
index 373df2402e..0cc22f433d 100644
--- a/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
+++ b/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_load_verify_locations.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_load_verify_locations.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_LOAD_VERIFY_LOCATIONS 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_set_default_verify_paths
 .Nd set default locations for trusted CA certificates
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_load_verify_locations
diff --git a/src/lib/libssl/man/SSL_CTX_new.3 b/src/lib/libssl/man/SSL_CTX_new.3
index 4b50a03de4..2afad5378c 100644
--- a/src/lib/libssl/man/SSL_CTX_new.3
+++ b/src/lib/libssl/man/SSL_CTX_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_new.3,v 1.17 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_new.3,v 1.18 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 21cd6e00 Oct 21 14:40:15 2015 +0100
 .\" selective merge up to: OpenSSL 8f75443f May 24 14:04:26 2019 +0200
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_NEW 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm DTLSv1_2_client_method
 .Nd create a new SSL_CTX object as a framework for TLS enabled functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_CTX *
 .Fn SSL_CTX_new "const SSL_METHOD *method"
diff --git a/src/lib/libssl/man/SSL_CTX_sess_number.3 b/src/lib/libssl/man/SSL_CTX_sess_number.3
index 76d436cd17..854f6256eb 100644
--- a/src/lib/libssl/man/SSL_CTX_sess_number.3
+++ b/src/lib/libssl/man/SSL_CTX_sess_number.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sess_number.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_sess_number.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_sess_number.pod 7bd27895 Mar 29 11:45:29 2017 +1000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESS_NUMBER 3
 .Os
 .Sh NAME
@@ -66,6 +66,7 @@
 .Nm SSL_CTX_sess_cache_full
 .Nd obtain session cache statistics
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_sess_number "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 b/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
index 6d5fede0b6..e8bfe50a3c 100644
--- a/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
+++ b/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sess_set_cache_size.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_sess_set_cache_size.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESS_SET_CACHE_SIZE 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_CTX_sess_get_cache_size
 .Nd manipulate session cache size
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_sess_set_cache_size "SSL_CTX *ctx" "long t"
diff --git a/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 b/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
index e99f2be671..62a6698399 100644
--- a/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sess_set_get_cb.3,v 1.7 2022/03/29 18:15:52 naddy Exp $
+.\"     $OpenBSD: SSL_CTX_sess_set_get_cb.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESS_SET_GET_CB 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm SSL_CTX_sess_get_get_cb
 .Nd provide callback functions for server side external session caching
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_sess_set_new_cb
diff --git a/src/lib/libssl/man/SSL_CTX_sessions.3 b/src/lib/libssl/man/SSL_CTX_sessions.3
index 964d1a7346..627c694cd8 100644
--- a/src/lib/libssl/man/SSL_CTX_sessions.3
+++ b/src/lib/libssl/man/SSL_CTX_sessions.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sessions.3,v 1.5 2018/04/25 14:19:39 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_sessions.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESSIONS 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_sessions
 .Nd access internal session cache
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft LHASH_OF(SSL_SESSION) *
 .Fn SSL_CTX_sessions "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_set1_groups.3 b/src/lib/libssl/man/SSL_CTX_set1_groups.3
index 0d1eb36ea7..8cd620d3b4 100644
--- a/src/lib/libssl/man/SSL_CTX_set1_groups.3
+++ b/src/lib/libssl/man/SSL_CTX_set1_groups.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set1_groups.3,v 1.2 2017/08/19 19:36:39 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set1_groups.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_set1_curves.pod de4d764e Nov 9 14:51:06 2016 +0000
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 19 2017 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET1_GROUPS 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm SSL_set1_curves_list
 .Nd choose supported EC groups
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set1_groups
diff --git a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
index 2317c57af4..ff69408247 100644
--- a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.11 2025/02/04 14:00:05 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.12 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 87b81496 Apr 19 12:38:27 2017 -0400
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 4 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_ALPN_SELECT_CB 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_get0_alpn_selected
 .Nd handle application layer protocol negotiation (ALPN)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_alpn_protos
diff --git a/src/lib/libssl/man/SSL_CTX_set_cert_store.3 b/src/lib/libssl/man/SSL_CTX_set_cert_store.3
index 1be1ba2f68..75c145fd78 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cert_store.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cert_store.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_cert_store.3,v 1.8 2024/08/03 04:53:01 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_cert_store.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 3 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CERT_STORE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_cert_store
 .Nd manipulate X509 certificate verification storage
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_cert_store "SSL_CTX *ctx" "X509_STORE *store"
diff --git a/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 b/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
index 0e12b48c78..2e2beac850 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_cert_verify_callback.3,v 1.5 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_cert_verify_callback.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CERT_VERIFY_CALLBACK 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_cert_verify_callback
 .Nd set peer certificate verification procedure
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_cert_verify_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
index b3f0dc3541..6201dc9f55 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.18 2025/01/18 12:20:02 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.19 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CIPHER_LIST 3
 .Os
 .Sh NAME
@@ -73,6 +73,7 @@
 .Nm SSL_set_cipher_list
 .Nd choose list of available SSL_CIPHERs
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_set_cipher_list "SSL_CTX *ctx" "const char *control"
diff --git a/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3 b/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
index d19fb93ed0..520be04318 100644
--- a/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
+++ b/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_client_CA_list.3,v 1.6 2020/03/30 10:28:59 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_client_CA_list.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,16 +48,17 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 30 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CLIENT_CA_LIST 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_client_CA_list ,
 .Nm SSL_set_client_CA_list ,
 .Nm SSL_CTX_add_client_CA ,
-.Nm  SSL_add_client_CA
+.Nm SSL_add_client_CA
 .Nd set list of CAs sent to the client when requesting a client certificate
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_client_CA_list "SSL_CTX *ctx" "STACK_OF(X509_NAME) *list"
diff --git a/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 b/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
index a2433b5e92..2cf8275602 100644
--- a/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_client_cert_cb.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_client_cert_cb.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CLIENT_CERT_CB 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_CTX_get_client_cert_cb
 .Nd handle client certificate callback function
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_client_cert_cb
diff --git a/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 b/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
index 94b4ea543d..e3da1bec66 100644
--- a/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_default_passwd_cb.3,v 1.9 2023/09/19 09:40:35 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_default_passwd_cb.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\" selective merge up to: OpenSSL 18bad535 Apr 9 15:13:55 2019 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_DEFAULT_PASSWD_CB 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm SSL_CTX_get_default_passwd_cb_userdata
 .Nd set or get passwd callback for encrypted PEM file handling
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_default_passwd_cb "SSL_CTX *ctx" "pem_password_cb *cb"
diff --git a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3 b/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
index d85383d776..29c102ac50 100644
--- a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
+++ b/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.5 2018/03/22 21:09:18 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 22 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_GENERATE_SESSION_ID 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm GEN_SESSION_CB
 .Nd manipulate generation of SSL session IDs (server only)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft typedef int
 .Fo (*GEN_SESSION_CB)
diff --git a/src/lib/libssl/man/SSL_CTX_set_info_callback.3 b/src/lib/libssl/man/SSL_CTX_set_info_callback.3
index 76eb8bee61..ec251b5b69 100644
--- a/src/lib/libssl/man/SSL_CTX_set_info_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_info_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_info_callback.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_info_callback.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_INFO_CALLBACK 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_info_callback
 .Nd handle information callback for SSL connections
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_info_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3 b/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3
index 24b8f9992f..0cb36b07c6 100644
--- a/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_keylog_callback.3,v 1.3 2024/05/16 08:39:30 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_keylog_callback.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\" OpenSSL pod checked up to: 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" Copyright (c) 2021 Bob Beck <beck@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 16 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_KEYLOG_CALLBACK 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm SSL_CTX_get_keylog_callback
 .Nd set and get the unused key logging callback
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft typedef void
 .Fo (*SSL_CTX_keylog_cb_func)
diff --git a/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3 b/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3
index 89513b1006..700f534f54 100644
--- a/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3
+++ b/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_max_cert_list.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_max_cert_list.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MAX_CERT_LIST 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_max_cert_list
 .Nd manipulate allowed size for the peer's certificate chain
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_max_cert_list "SSL_CTX *ctx" "long size"
diff --git a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3 b/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
index a2597cda83..50a5fc448d 100644
--- a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
+++ b/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.5 2021/04/15 16:40:32 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 3edabd3c Sep 14 09:28:39 2017 +0200
 .\"
 .\" This file was written by Kurt Roeckx <kurt@roeckx.be> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MIN_PROTO_VERSION 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm SSL_get_max_proto_version
 .Nd get and set minimum and maximum supported protocol version
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_min_proto_version
diff --git a/src/lib/libssl/man/SSL_CTX_set_mode.3 b/src/lib/libssl/man/SSL_CTX_set_mode.3
index fca1a977d0..62a7a6deda 100644
--- a/src/lib/libssl/man/SSL_CTX_set_mode.3
+++ b/src/lib/libssl/man/SSL_CTX_set_mode.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_mode.3,v 1.7 2020/10/08 16:02:38 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_mode.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 8671b898 Jun 3 02:48:34 2008 +0000
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 8 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MODE 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm SSL_get_mode
 .Nd manipulate SSL engine mode
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_mode "SSL_CTX *ctx" "long mode"
diff --git a/src/lib/libssl/man/SSL_CTX_set_msg_callback.3 b/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
index a27333e6d9..65df06016a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_msg_callback.3,v 1.5 2021/04/15 16:43:27 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_msg_callback.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_set_msg_callback.pod e9b77246 Jan 20 19:58:49 2017 +0100
 .\"     OpenSSL SSL_CTX_set_msg_callback.pod b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MSG_CALLBACK 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_set_msg_callback_arg
 .Nd install callback for observing protocol messages
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_msg_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_num_tickets.3 b/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
index cb6d7e000a..093387725a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
+++ b/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_num_tickets.3,v 1.2 2021/10/23 17:20:50 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_num_tickets.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" OpenSSL pod checked up to: 5402f96a Sep 11 09:58:52 2021 +0100
 .\"
 .\" Copyright (c) 2021 Bob Beck <beck@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 23 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_NUM_TICKETS 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm SSL_get_num_tickets
 .Nd set and get the number of TLS 1.3 session tickets to be sent
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_set_num_tickets "SSL_CTX *ctx" "size_t num_tickets"
diff --git a/src/lib/libssl/man/SSL_CTX_set_options.3 b/src/lib/libssl/man/SSL_CTX_set_options.3
index 5df0b07785..5e81c978bd 100644
--- a/src/lib/libssl/man/SSL_CTX_set_options.3
+++ b/src/lib/libssl/man/SSL_CTX_set_options.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.16 2022/03/31 17:27:18 naddy Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.17 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100
 .\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000
 .\"
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_OPTIONS 3
 .Os
 .Sh NAME
@@ -65,6 +65,7 @@
 .Nm SSL_get_secure_renegotiation_support
 .Nd manipulate SSL options
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_options "SSL_CTX *ctx" "long options"
diff --git a/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 b/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
index 71463f1eca..20b882167b 100644
--- a/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
+++ b/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_quiet_shutdown.3,v 1.6 2020/03/30 10:28:59 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_quiet_shutdown.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 30 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_QUIET_SHUTDOWN 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_quiet_shutdown
 .Nd manipulate shutdown behaviour
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_quiet_shutdown "SSL_CTX *ctx" "int mode"
diff --git a/src/lib/libssl/man/SSL_CTX_set_read_ahead.3 b/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
index eae76eb472..208ecfbf1a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
+++ b/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_read_ahead.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_read_ahead.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_READ_AHEAD 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_CTX_get_default_read_ahead
 .Nd manage whether to read as many input bytes as possible
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_read_ahead
diff --git a/src/lib/libssl/man/SSL_CTX_set_security_level.3 b/src/lib/libssl/man/SSL_CTX_set_security_level.3
index 89adb3d65d..2d3afa5785 100644
--- a/src/lib/libssl/man/SSL_CTX_set_security_level.3
+++ b/src/lib/libssl/man/SSL_CTX_set_security_level.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_security_level.3,v 1.2 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_security_level.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SECURITY_LEVEL 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm SSL_get_security_level
 .Nd change security level for TLS
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_security_level
diff --git a/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 b/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
index 1fe67b2a7e..d19ff79545 100644
--- a/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
+++ b/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_session_cache_mode.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_session_cache_mode.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 67adf0a7 Dec 25 19:58:38 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SESSION_CACHE_MODE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_session_cache_mode
 .Nd enable/disable session caching
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_session_cache_mode "SSL_CTX ctx" "long mode"
diff --git a/src/lib/libssl/man/SSL_CTX_set_session_id_context.3 b/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
index 06fd9348ae..53923888db 100644
--- a/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
+++ b/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_session_id_context.3,v 1.6 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_session_id_context.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SESSION_ID_CONTEXT 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_set_session_id_context
 .Nd set context within which session can be reused (server side only)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_session_id_context
diff --git a/src/lib/libssl/man/SSL_CTX_set_ssl_version.3 b/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
index b1bdb92bb0..fe9febe431 100644
--- a/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
+++ b/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_ssl_version.3,v 1.5 2021/05/11 19:48:56 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_ssl_version.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SSL_VERSION 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_ssl_method
 .Nd choose a new TLS/SSL method
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_set_ssl_version "SSL_CTX *ctx" "const SSL_METHOD *method"
diff --git a/src/lib/libssl/man/SSL_CTX_set_timeout.3 b/src/lib/libssl/man/SSL_CTX_set_timeout.3
index ab99e2016e..da2f811528 100644
--- a/src/lib/libssl/man/SSL_CTX_set_timeout.3
+++ b/src/lib/libssl/man/SSL_CTX_set_timeout.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_timeout.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_timeout.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TIMEOUT 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_CTX_get_timeout
 .Nd manipulate timeout values for session caching
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_timeout "SSL_CTX *ctx" "long t"
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
index 79169a004b..b6cece259c 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.7 2025/04/18 08:35:34 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 190b9a03 Jun 28 15:46:13 2017 +0800
 .\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm SSL_set_tlsext_host_name
 .Nd handle server name indication (SNI)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_CTX_set_tlsext_servername_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
index d5979af1e8..c9763f9d2f 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_status_cb.3,v 1.8 2021/09/11 18:58:41 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_status_cb.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 43c34894 Nov 30 16:04:51 2015 +0000
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_STATUS_CB 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm SSL_set_tlsext_status_ocsp_resp
 .Nd OCSP Certificate Status Request functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/tls1.h
 .Ft long
 .Fo SSL_CTX_set_tlsext_status_cb
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
index b6ccabaeca..0427f7dcf5 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_tlsext_ticket_key_cb.3,v 1.8 2022/01/25 18:01:20 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_tlsext_ticket_key_cb.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Rich Salz <rsalz@akamai.com>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 25 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_tlsext_ticket_key_cb
 .Nd set a callback for session ticket processing
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/tls1.h
 .Ft long
 .Fo SSL_CTX_set_tlsext_ticket_key_cb
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
index 04c4833c6a..4acd452ad5 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_use_srtp.3,v 1.6 2021/06/11 19:41:39 jmc Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_use_srtp.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_USE_SRTP 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_selected_srtp_profile
 .Nd Configure and query SRTP support
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/srtp.h
 .Ft int
 .Fo SSL_CTX_set_tlsext_use_srtp
diff --git a/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
index c6f5253431..9fa830656a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.11 2025/01/18 10:45:12 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.12 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TMP_DH_CALLBACK 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_set_tmp_dh
 .Nd handle DH keys for ephemeral key exchange
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_tmp_dh_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
index b4c3a3c647..7009ac6ab5 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_tmp_rsa_callback.3,v 1.9 2022/03/29 14:27:59 naddy Exp $
+.\"     $OpenBSD: SSL_CTX_set_tmp_rsa_callback.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 0b30fc90 Dec 19 15:23:05 2013 -0500
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TMP_RSA_CALLBACK 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_need_tmp_RSA
 .Nd handle RSA keys for ephemeral key exchange
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_tmp_rsa_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_verify.3 b/src/lib/libssl/man/SSL_CTX_set_verify.3
index 1ed86407e9..656c85afd4 100644
--- a/src/lib/libssl/man/SSL_CTX_set_verify.3
+++ b/src/lib/libssl/man/SSL_CTX_set_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.9 2021/06/12 16:59:53 jmc Exp $
+.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\" selective merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_VERIFY 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_set_verify_depth
 .Nd set peer certificate verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_verify
diff --git a/src/lib/libssl/man/SSL_CTX_use_certificate.3 b/src/lib/libssl/man/SSL_CTX_use_certificate.3
index c88a6971b2..27ec834d16 100644
--- a/src/lib/libssl/man/SSL_CTX_use_certificate.3
+++ b/src/lib/libssl/man/SSL_CTX_use_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.17 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.18 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 3aaa1bd0 Mar 28 16:35:25 2017 +1000
 .\" selective merge up to: OpenSSL d1f7a1e6 Apr 26 14:05:40 2018 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_USE_CERTIFICATE 3
 .Os
 .Sh NAME
@@ -79,6 +79,7 @@
 .Nm SSL_check_private_key
 .Nd load certificate and key data
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_use_certificate "SSL_CTX *ctx" "X509 *x"
diff --git a/src/lib/libssl/man/SSL_SESSION_free.3 b/src/lib/libssl/man/SSL_SESSION_free.3
index 3f785e95e5..af02a273a0 100644
--- a/src/lib/libssl/man/SSL_SESSION_free.3
+++ b/src/lib/libssl/man/SSL_SESSION_free.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_free.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_free.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b31db505 Mar 24 16:01:50 2017 +0000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_FREE 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_SESSION_free
 .Nd SSL_SESSION reference counting
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_SESSION_up_ref "SSL_SESSION *session"
diff --git a/src/lib/libssl/man/SSL_SESSION_get0_cipher.3 b/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
index 239a426dbd..4e5b0bb057 100644
--- a/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
+++ b/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_get0_cipher.3,v 1.1 2021/05/12 14:16:25 tb Exp $
+.\" $OpenBSD: SSL_SESSION_get0_cipher.3,v 1.2 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL d42e7759f Mar 30 19:40:04 2017 +0200
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 12 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET0_CIPHER 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get0_cipher
 .Nd retrieve the SSL cipher associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const SSL_CIPHER *
 .Fo SSL_SESSION_get0_cipher
diff --git a/src/lib/libssl/man/SSL_SESSION_get0_peer.3 b/src/lib/libssl/man/SSL_SESSION_get0_peer.3
index 6b1ef6680e..98ae1bab9d 100644
--- a/src/lib/libssl/man/SSL_SESSION_get0_peer.3
+++ b/src/lib/libssl/man/SSL_SESSION_get0_peer.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get0_peer.3,v 1.2 2018/03/23 05:50:30 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get0_peer.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_SESSION_get0_peer.pod b31db505 Mar 24 16:01:50 2017 +0000
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET0_PEER 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get0_peer
 .Nd get details about peer's certificate for a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509 *
 .Fo SSL_SESSION_get0_peer
diff --git a/src/lib/libssl/man/SSL_SESSION_get_compress_id.3 b/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
index aedc216a15..da0d48ff6c 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get_compress_id.3,v 1.3 2018/03/23 05:50:30 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get_compress_id.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_SESSION_get_compress_id.pod b31db505 Mar 24 16:01:50 2017
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_COMPRESS_ID 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get_compress_id
 .Nd get details about the compression associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft unsigned int
 .Fo SSL_SESSION_get_compress_id
diff --git a/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 b/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
index 9fd6949b6a..55cde1c66b 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get_ex_new_index.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_get_ex_data
 .Nd internal application specific data functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_get_ex_new_index
diff --git a/src/lib/libssl/man/SSL_SESSION_get_id.3 b/src/lib/libssl/man/SSL_SESSION_get_id.3
index 6d0de1e52e..eb14d24111 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_id.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_id.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_get_id.3,v 1.6 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_get_id.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL SSL_SESSION_set1_id 17b60280 Dec 21 09:08:25 2017 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_ID 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_SESSION_set1_id
 .Nd get and set the SSL session ID
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const unsigned char *
 .Fo SSL_SESSION_get_id
diff --git a/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3 b/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3
index f14c0490e9..dad9eab7ef 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_get_protocol_version.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_get_protocol_version.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by TJ Saunders <tj@castaglia.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_PROTOCOL_VERSION 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get_protocol_version
 .Nd get the session protocol version
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_get_protocol_version
diff --git a/src/lib/libssl/man/SSL_SESSION_get_time.3 b/src/lib/libssl/man/SSL_SESSION_get_time.3
index aaadec5137..28aeedf72c 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_time.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_time.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get_time.3,v 1.8 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get_time.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_TIME 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm SSL_set_timeout
 .Nd retrieve and manipulate session time and timeout settings
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_SESSION_get_time "const SSL_SESSION *s"
diff --git a/src/lib/libssl/man/SSL_SESSION_has_ticket.3 b/src/lib/libssl/man/SSL_SESSION_has_ticket.3
index 322b49feef..07b894c4f8 100644
--- a/src/lib/libssl/man/SSL_SESSION_has_ticket.3
+++ b/src/lib/libssl/man/SSL_SESSION_has_ticket.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_has_ticket.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_has_ticket.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL f2baac27 Feb 8 15:43:16 2015 +0000
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_HAS_TICKET 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_get_ticket_lifetime_hint
 .Nd get details about the ticket associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_has_ticket
diff --git a/src/lib/libssl/man/SSL_SESSION_is_resumable.3 b/src/lib/libssl/man/SSL_SESSION_is_resumable.3
index 48d7d17889..ddc037c1aa 100644
--- a/src/lib/libssl/man/SSL_SESSION_is_resumable.3
+++ b/src/lib/libssl/man/SSL_SESSION_is_resumable.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_is_resumable.3,v 1.1 2021/09/14 14:08:15 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_is_resumable.3,v 1.2 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 14 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_IS_RESUMABLE 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_is_resumable
 .Nd determine whether an SSL_SESSION object can be used for resumption
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_is_resumable
diff --git a/src/lib/libssl/man/SSL_SESSION_new.3 b/src/lib/libssl/man/SSL_SESSION_new.3
index 2dcdb264c1..88d1995850 100644
--- a/src/lib/libssl/man/SSL_SESSION_new.3
+++ b/src/lib/libssl/man/SSL_SESSION_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_new.3,v 1.9 2021/09/14 14:08:15 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_new.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 14 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_NEW 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_new
 .Nd construct a new SSL_SESSION object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_SESSION *
 .Fn SSL_SESSION_new void
diff --git a/src/lib/libssl/man/SSL_SESSION_print.3 b/src/lib/libssl/man/SSL_SESSION_print.3
index e92debde0e..65742140d0 100644
--- a/src/lib/libssl/man/SSL_SESSION_print.3
+++ b/src/lib/libssl/man/SSL_SESSION_print.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_print.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_print.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_PRINT 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm SSL_SESSION_print_fp
 .Nd print some properties of an SSL_SESSION object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_print
diff --git a/src/lib/libssl/man/SSL_SESSION_set1_id_context.3 b/src/lib/libssl/man/SSL_SESSION_set1_id_context.3
index dd7595baca..24f1de4fda 100644
--- a/src/lib/libssl/man/SSL_SESSION_set1_id_context.3
+++ b/src/lib/libssl/man/SSL_SESSION_set1_id_context.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_set1_id_context.3,v 1.4 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_set1_id_context.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL SSL_SESSION_get0_id_context b31db505 Mar 24 16:01:50 2017
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_SET1_ID_CONTEXT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_set1_id_context
 .Nd get and set the SSL ID context associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const unsigned char *
 .Fo SSL_SESSION_get0_id_context
diff --git a/src/lib/libssl/man/SSL_accept.3 b/src/lib/libssl/man/SSL_accept.3
index fb1d89eb57..ecb757aaa5 100644
--- a/src/lib/libssl/man/SSL_accept.3
+++ b/src/lib/libssl/man/SSL_accept.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_accept.3,v 1.6 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_accept.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_ACCEPT 3
 .Os
 .Sh NAME
 .Nm SSL_accept
 .Nd wait for a TLS/SSL client to initiate a TLS/SSL handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_accept "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_alert_type_string.3 b/src/lib/libssl/man/SSL_alert_type_string.3
index 354865e546..0f051cc0a6 100644
--- a/src/lib/libssl/man/SSL_alert_type_string.3
+++ b/src/lib/libssl/man/SSL_alert_type_string.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_alert_type_string.3,v 1.7 2024/10/13 08:25:09 jsg Exp $
+.\"     $OpenBSD: SSL_alert_type_string.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 13 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_ALERT_TYPE_STRING 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_alert_desc_string_long
 .Nd get textual description of alert information
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_alert_type_string "int value"
diff --git a/src/lib/libssl/man/SSL_clear.3 b/src/lib/libssl/man/SSL_clear.3
index 809c3b20f4..5e4da1257f 100644
--- a/src/lib/libssl/man/SSL_clear.3
+++ b/src/lib/libssl/man/SSL_clear.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_clear.3,v 1.5 2021/06/11 19:41:39 jmc Exp $
+.\"     $OpenBSD: SSL_clear.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CLEAR 3
 .Os
 .Sh NAME
 .Nm SSL_clear
 .Nd reset SSL object to allow another connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_clear "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_connect.3 b/src/lib/libssl/man/SSL_connect.3
index d5b962a480..a0cd8f8443 100644
--- a/src/lib/libssl/man/SSL_connect.3
+++ b/src/lib/libssl/man/SSL_connect.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_connect.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_connect.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CONNECT 3
 .Os
 .Sh NAME
 .Nm SSL_connect
 .Nd initiate the TLS/SSL handshake with a TLS/SSL server
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_connect "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_copy_session_id.3 b/src/lib/libssl/man/SSL_copy_session_id.3
index a7a7a8aa99..75a52e8879 100644
--- a/src/lib/libssl/man/SSL_copy_session_id.3
+++ b/src/lib/libssl/man/SSL_copy_session_id.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_copy_session_id.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_copy_session_id.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_COPY_SESSION_ID 3
 .Os
 .Sh NAME
 .Nm SSL_copy_session_id
 .Nd copy session details between SSL objects
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_copy_session_id
diff --git a/src/lib/libssl/man/SSL_do_handshake.3 b/src/lib/libssl/man/SSL_do_handshake.3
index e9327b4229..78b41db2f4 100644
--- a/src/lib/libssl/man/SSL_do_handshake.3
+++ b/src/lib/libssl/man/SSL_do_handshake.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_do_handshake.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_do_handshake.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Martin Sjoegren <martin@strakt.com>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_DO_HANDSHAKE 3
 .Os
 .Sh NAME
 .Nm SSL_do_handshake
 .Nd perform a TLS/SSL handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_do_handshake "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_dup.3 b/src/lib/libssl/man/SSL_dup.3
index a83440b431..f7d999fb62 100644
--- a/src/lib/libssl/man/SSL_dup.3
+++ b/src/lib/libssl/man/SSL_dup.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_dup.3,v 1.5 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_dup.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_DUP 3
 .Os
 .Sh NAME
 .Nm SSL_dup
 .Nd deep copy of an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL *
 .Fo SSL_dup
diff --git a/src/lib/libssl/man/SSL_dup_CA_list.3 b/src/lib/libssl/man/SSL_dup_CA_list.3
index d073b07176..553c03bd8c 100644
--- a/src/lib/libssl/man/SSL_dup_CA_list.3
+++ b/src/lib/libssl/man/SSL_dup_CA_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_dup_CA_list.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_dup_CA_list.3,v 1.7 2025/06/08 22:47:20 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_DUP_CA_LIST 3
 .Os
 .Sh NAME
@@ -22,6 +22,8 @@
 .Nd deep copy of a stack of X.509 Name objects
 .\" The capital "N" in "Name" is intentional (X.509 syntax).
 .Sh SYNOPSIS
+.Lb libssl libcrypto
+.In openssl/ssl.h
 .Ft STACK_OF(X509_NAME) *
 .Fo SSL_dup_CA_list
 .Fa "const STACK_OF(X509_NAME) *sk"
diff --git a/src/lib/libssl/man/SSL_export_keying_material.3 b/src/lib/libssl/man/SSL_export_keying_material.3
index e32a5c5d61..d3daa3a5a3 100644
--- a/src/lib/libssl/man/SSL_export_keying_material.3
+++ b/src/lib/libssl/man/SSL_export_keying_material.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_export_keying_material.3,v 1.3 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_export_keying_material.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL a599574b Jun 28 17:18:27 2017 +0100
 .\"     OpenSSL 23cec1f4 Jun 21 13:55:02 2017 +0100
 .\"
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_EXPORT_KEYING_MATERIAL 3
 .Os
 .Sh NAME
 .Nm SSL_export_keying_material
 .Nd obtain keying material for application use
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_export_keying_material
diff --git a/src/lib/libssl/man/SSL_free.3 b/src/lib/libssl/man/SSL_free.3
index c713ded121..b630bc8a2e 100644
--- a/src/lib/libssl/man/SSL_free.3
+++ b/src/lib/libssl/man/SSL_free.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_free.3,v 1.6 2021/06/11 19:41:39 jmc Exp $
+.\"     $OpenBSD: SSL_free.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_FREE 3
 .Os
 .Sh NAME
 .Nm SSL_free
 .Nd free an allocated SSL structure
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_free "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_SSL_CTX.3 b/src/lib/libssl/man/SSL_get_SSL_CTX.3
index 60fda555bc..eaf1b6ff11 100644
--- a/src/lib/libssl/man/SSL_get_SSL_CTX.3
+++ b/src/lib/libssl/man/SSL_get_SSL_CTX.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_SSL_CTX.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_SSL_CTX.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SSL_CTX 3
 .Os
 .Sh NAME
 .Nm SSL_get_SSL_CTX
 .Nd get the SSL_CTX from which an SSL is created
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_CTX *
 .Fn SSL_get_SSL_CTX "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_certificate.3 b/src/lib/libssl/man/SSL_get_certificate.3
index eb53ea49bf..72ae7ec541 100644
--- a/src/lib/libssl/man/SSL_get_certificate.3
+++ b/src/lib/libssl/man/SSL_get_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_certificate.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_get_certificate.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CERTIFICATE 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm SSL_get_privatekey
 .Nd get SSL certificate and private key
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509 *
 .Fo SSL_get_certificate
diff --git a/src/lib/libssl/man/SSL_get_ciphers.3 b/src/lib/libssl/man/SSL_get_ciphers.3
index 8030f0bbb1..d723f7959e 100644
--- a/src/lib/libssl/man/SSL_get_ciphers.3
+++ b/src/lib/libssl/man/SSL_get_ciphers.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_ciphers.3,v 1.11 2020/09/16 07:25:15 schwarze Exp $
+.\" $OpenBSD: SSL_get_ciphers.3,v 1.12 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" selective merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
@@ -69,7 +69,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 16 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CIPHERS 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm SSL_get_cipher_list
 .Nd get lists of available SSL_CIPHERs
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(SSL_CIPHER) *
 .Fn SSL_get_ciphers "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_client_CA_list.3 b/src/lib/libssl/man/SSL_get_client_CA_list.3
index e80e5cb6f5..8be7020489 100644
--- a/src/lib/libssl/man/SSL_get_client_CA_list.3
+++ b/src/lib/libssl/man/SSL_get_client_CA_list.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_client_CA_list.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_client_CA_list.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CLIENT_CA_LIST 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_client_CA_list
 .Nd get list of client CAs
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(X509_NAME) *
 .Fn SSL_get_client_CA_list "const SSL *s"
diff --git a/src/lib/libssl/man/SSL_get_client_random.3 b/src/lib/libssl/man/SSL_get_client_random.3
index eda74db355..131972b688 100644
--- a/src/lib/libssl/man/SSL_get_client_random.3
+++ b/src/lib/libssl/man/SSL_get_client_random.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_client_random.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_get_client_random.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Nick Mathewson <nickm@torproject.org>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CLIENT_RANDOM 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_get_master_key
 .Nd get internal TLS handshake random values and master key
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft size_t
 .Fo SSL_get_client_random
diff --git a/src/lib/libssl/man/SSL_get_current_cipher.3 b/src/lib/libssl/man/SSL_get_current_cipher.3
index 6b951d03ca..37f6409023 100644
--- a/src/lib/libssl/man/SSL_get_current_cipher.3
+++ b/src/lib/libssl/man/SSL_get_current_cipher.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_current_cipher.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_current_cipher.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,17 +48,18 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CURRENT_CIPHER 3
 .Os
 .Sh NAME
 .Nm SSL_get_current_cipher ,
 .Nm SSL_get_cipher ,
 .Nm SSL_get_cipher_name ,
-.Nm  SSL_get_cipher_bits ,
+.Nm SSL_get_cipher_bits ,
 .Nm SSL_get_cipher_version
 .Nd get SSL_CIPHER of a connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const SSL_CIPHER *
 .Fn SSL_get_current_cipher "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_default_timeout.3 b/src/lib/libssl/man/SSL_get_default_timeout.3
index 47737d8ee0..ef119780a3 100644
--- a/src/lib/libssl/man/SSL_get_default_timeout.3
+++ b/src/lib/libssl/man/SSL_get_default_timeout.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_default_timeout.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_default_timeout.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_DEFAULT_TIMEOUT 3
 .Os
 .Sh NAME
 .Nm SSL_get_default_timeout
 .Nd get default session timeout value
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_get_default_timeout "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_error.3 b/src/lib/libssl/man/SSL_get_error.3
index 5d325b3f56..ba64b779ac 100644
--- a/src/lib/libssl/man/SSL_get_error.3
+++ b/src/lib/libssl/man/SSL_get_error.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_error.3,v 1.5 2018/04/29 07:37:01 guenther Exp $
+.\"     $OpenBSD: SSL_get_error.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Bodo Moeller <bodo@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 29 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_ERROR 3
 .Os
 .Sh NAME
 .Nm SSL_get_error
 .Nd obtain result code for TLS/SSL I/O operation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_get_error "const SSL *ssl" "int ret"
diff --git a/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 b/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
index a249cda6ac..234034ac2d 100644
--- a/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
+++ b/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_ex_data_X509_STORE_CTX_idx.3,v 1.5 2022/02/06 00:29:02 jsg Exp $
+.\"     $OpenBSD: SSL_get_ex_data_X509_STORE_CTX_idx.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 6 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_EX_DATA_X509_STORE_CTX_IDX 3
 .Os
 .Sh NAME
 .Nm SSL_get_ex_data_X509_STORE_CTX_idx
 .Nd get ex_data index to access SSL structure from X509_STORE_CTX
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_get_ex_data_X509_STORE_CTX_idx void
diff --git a/src/lib/libssl/man/SSL_get_ex_new_index.3 b/src/lib/libssl/man/SSL_get_ex_new_index.3
index cecd25fa44..811df94fc7 100644
--- a/src/lib/libssl/man/SSL_get_ex_new_index.3
+++ b/src/lib/libssl/man/SSL_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_ex_new_index.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_ex_new_index.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_get_ex_data
 .Nd internal application specific data functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_get_ex_new_index
diff --git a/src/lib/libssl/man/SSL_get_fd.3 b/src/lib/libssl/man/SSL_get_fd.3
index 1e093424cb..3a7948d35f 100644
--- a/src/lib/libssl/man/SSL_get_fd.3
+++ b/src/lib/libssl/man/SSL_get_fd.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_fd.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_fd.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_FD 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_get_wfd
 .Nd get file descriptor linked to an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_get_fd "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_finished.3 b/src/lib/libssl/man/SSL_get_finished.3
index 3cfb655ea0..e5c8a36cf6 100644
--- a/src/lib/libssl/man/SSL_get_finished.3
+++ b/src/lib/libssl/man/SSL_get_finished.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_finished.3,v 1.2 2021/01/30 10:48:15 tb Exp $
+.\" $OpenBSD: SSL_get_finished.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 30 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_FINISHED 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm SSL_get_peer_finished
 .Nd get last sent or last expected finished message
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft size_t
 .Fn SSL_get_finished "const SSL *ssl" "void *buf" "size_t count"
diff --git a/src/lib/libssl/man/SSL_get_peer_cert_chain.3 b/src/lib/libssl/man/SSL_get_peer_cert_chain.3
index eb2ae53dc4..c4f778aac6 100644
--- a/src/lib/libssl/man/SSL_get_peer_cert_chain.3
+++ b/src/lib/libssl/man/SSL_get_peer_cert_chain.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_peer_cert_chain.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_peer_cert_chain.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_get_peer_cert_chain.pod 1f164c6f Jan 18 01:40:36 2017 +0100
 .\"     OpenSSL SSL_get_peer_cert_chain.pod 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
@@ -50,13 +50,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_PEER_CERT_CHAIN 3
 .Os
 .Sh NAME
 .Nm SSL_get_peer_cert_chain
 .Nd get the X509 certificate chain sent by the peer
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(X509) *
 .Fn SSL_get_peer_cert_chain "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_peer_certificate.3 b/src/lib/libssl/man/SSL_get_peer_certificate.3
index 99f9330288..9ac35a607d 100644
--- a/src/lib/libssl/man/SSL_get_peer_certificate.3
+++ b/src/lib/libssl/man/SSL_get_peer_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_peer_certificate.3,v 1.6 2021/06/26 17:36:28 tb Exp $
+.\" $OpenBSD: SSL_get_peer_certificate.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_PEER_CERTIFICATE 3
 .Os
 .Sh NAME
 .Nm SSL_get_peer_certificate
 .Nd get the X509 certificate of the peer
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509 *
 .Fn SSL_get_peer_certificate "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_rbio.3 b/src/lib/libssl/man/SSL_get_rbio.3
index 38096fbecf..7179277f71 100644
--- a/src/lib/libssl/man/SSL_get_rbio.3
+++ b/src/lib/libssl/man/SSL_get_rbio.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_rbio.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_rbio.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_RBIO 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_get_wbio
 .Nd get BIO linked to an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft BIO *
 .Fn SSL_get_rbio "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_server_tmp_key.3 b/src/lib/libssl/man/SSL_get_server_tmp_key.3
index aeeb358240..c55036d526 100644
--- a/src/lib/libssl/man/SSL_get_server_tmp_key.3
+++ b/src/lib/libssl/man/SSL_get_server_tmp_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_server_tmp_key.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_get_server_tmp_key.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_get_server_tmp_key.pod 508fafd8 Apr 3 15:41:21 2017 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SERVER_TMP_KEY 3
 .Os
 .Sh NAME
 .Nm SSL_get_server_tmp_key
 .Nd temporary server key during a handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_get_server_tmp_key
diff --git a/src/lib/libssl/man/SSL_get_session.3 b/src/lib/libssl/man/SSL_get_session.3
index 2ab43fdd3e..597888a0bd 100644
--- a/src/lib/libssl/man/SSL_get_session.3
+++ b/src/lib/libssl/man/SSL_get_session.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_session.3,v 1.8 2022/03/31 17:27:18 naddy Exp $
+.\"     $OpenBSD: SSL_get_session.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SESSION 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get1_session
 .Nd retrieve TLS/SSL session data
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_SESSION *
 .Fn SSL_get_session "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_shared_ciphers.3 b/src/lib/libssl/man/SSL_get_shared_ciphers.3
index 207e8c42eb..9011780527 100644
--- a/src/lib/libssl/man/SSL_get_shared_ciphers.3
+++ b/src/lib/libssl/man/SSL_get_shared_ciphers.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_shared_ciphers.3,v 1.5 2021/01/09 10:50:02 tb Exp $
+.\" $OpenBSD: SSL_get_shared_ciphers.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SHARED_CIPHERS 3
 .Os
 .Sh NAME
 .Nm SSL_get_shared_ciphers
 .Nd ciphers supported by both client and server
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft char *
 .Fo SSL_get_shared_ciphers
diff --git a/src/lib/libssl/man/SSL_get_state.3 b/src/lib/libssl/man/SSL_get_state.3
index 297bbce876..0e1a20e6f7 100644
--- a/src/lib/libssl/man/SSL_get_state.3
+++ b/src/lib/libssl/man/SSL_get_state.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_state.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_get_state.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_STATE 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm SSL_is_init_finished
 .Nd inspect the state of the SSL state machine
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_get_state
diff --git a/src/lib/libssl/man/SSL_get_verify_result.3 b/src/lib/libssl/man/SSL_get_verify_result.3
index 180cf1bb73..32a397f4a2 100644
--- a/src/lib/libssl/man/SSL_get_verify_result.3
+++ b/src/lib/libssl/man/SSL_get_verify_result.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_verify_result.3,v 1.6 2021/06/26 17:36:28 tb Exp $
+.\" $OpenBSD: SSL_get_verify_result.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_VERIFY_RESULT 3
 .Os
 .Sh NAME
 .Nm SSL_get_verify_result
 .Nd get result of peer certificate verification
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_get_verify_result "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_version.3 b/src/lib/libssl/man/SSL_get_version.3
index a6cefb055b..d32dd34e0e 100644
--- a/src/lib/libssl/man/SSL_get_version.3
+++ b/src/lib/libssl/man/SSL_get_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_version.3,v 1.9 2021/04/15 16:13:22 tb Exp $
+.\" $OpenBSD: SSL_get_version.3,v 1.10 2025/06/08 22:49:42 schwarze Exp $
 .\" full merge up to: OpenSSL e417070c Jun 8 11:37:06 2016 -0400
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -49,21 +49,16 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_VERSION 3
 .Os
 .Sh NAME
 .Nm SSL_get_version ,
 .Nm SSL_is_dtls ,
 .Nm SSL_version
-.\" The following are intentionally undocumented because
-.\" - the longer term plan is to remove them
-.\" - nothing appears to be using them in the wild
-.\" - and they have the wrong namespace prefix
-.\" Nm TLS1_get_version
-.\" Nm TLS1_get_client_version
 .Nd get the protocol information of a connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_get_version "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_library_init.3 b/src/lib/libssl/man/SSL_library_init.3
index 053c1e6fcb..d25a248617 100644
--- a/src/lib/libssl/man/SSL_library_init.3
+++ b/src/lib/libssl/man/SSL_library_init.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_library_init.3,v 1.7 2019/06/14 13:41:31 schwarze Exp $
+.\"     $OpenBSD: SSL_library_init.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 14 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_LIBRARY_INIT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSLeay_add_ssl_algorithms
 .Nd initialize SSL library by registering algorithms
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_library_init void
diff --git a/src/lib/libssl/man/SSL_load_client_CA_file.3 b/src/lib/libssl/man/SSL_load_client_CA_file.3
index f782d96dce..e57900c941 100644
--- a/src/lib/libssl/man/SSL_load_client_CA_file.3
+++ b/src/lib/libssl/man/SSL_load_client_CA_file.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_load_client_CA_file.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_load_client_CA_file.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_LOAD_CLIENT_CA_FILE 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm SSL_add_dir_cert_subjects_to_stack
 .Nd load certificate names from files
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(X509_NAME) *
 .Fn SSL_load_client_CA_file "const char *file"
diff --git a/src/lib/libssl/man/SSL_new.3 b/src/lib/libssl/man/SSL_new.3
index 22c5dbf2db..3906a346d7 100644
--- a/src/lib/libssl/man/SSL_new.3
+++ b/src/lib/libssl/man/SSL_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_new.3,v 1.7 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_new.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 1c7ae3dd Mar 29 19:17:55 2017 +1000
 .\"
 .\" This file was written by Richard Levitte <levitte@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_NEW 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_up_ref
 .Nd create a new SSL structure for a connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL *
 .Fn SSL_new "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_num_renegotiations.3 b/src/lib/libssl/man/SSL_num_renegotiations.3
index 6a81b76a60..d366f97c4a 100644
--- a/src/lib/libssl/man/SSL_num_renegotiations.3
+++ b/src/lib/libssl/man/SSL_num_renegotiations.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_num_renegotiations.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_num_renegotiations.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_NUM_RENEGOTIATIONS 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm SSL_total_renegotiations
 .Nd renegotiation counters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_num_renegotiations
diff --git a/src/lib/libssl/man/SSL_pending.3 b/src/lib/libssl/man/SSL_pending.3
index bbc2e9bdd2..c304302ed8 100644
--- a/src/lib/libssl/man/SSL_pending.3
+++ b/src/lib/libssl/man/SSL_pending.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_pending.3,v 1.5 2020/01/23 03:40:18 beck Exp $
+.\"     $OpenBSD: SSL_pending.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>,
@@ -50,13 +50,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 23 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_PENDING 3
 .Os
 .Sh NAME
 .Nm SSL_pending
 .Nd obtain number of readable bytes buffered in an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_pending "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_read.3 b/src/lib/libssl/man/SSL_read.3
index bb72a8ed82..3d42fd8a90 100644
--- a/src/lib/libssl/man/SSL_read.3
+++ b/src/lib/libssl/man/SSL_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_read.3,v 1.8 2021/10/24 15:10:13 schwarze Exp $
+.\" $OpenBSD: SSL_read.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 5a2443ae Nov 14 11:37:36 2016 +0000
 .\" partial merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 24 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_READ 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm SSL_peek
 .Nd read bytes from a TLS connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_read_ex "SSL *ssl" "void *buf" "size_t num" "size_t *readbytes"
diff --git a/src/lib/libssl/man/SSL_read_early_data.3 b/src/lib/libssl/man/SSL_read_early_data.3
index 1435c15935..d36b1e49f7 100644
--- a/src/lib/libssl/man/SSL_read_early_data.3
+++ b/src/lib/libssl/man/SSL_read_early_data.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_read_early_data.3,v 1.4 2021/11/26 13:48:22 jsg Exp $
+.\" $OpenBSD: SSL_read_early_data.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" content checked up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_READ_EARLY_DATA 3
 .Os
 .Sh NAME
@@ -30,6 +30,7 @@
 .Nm SSL_get_early_data_status
 .Nd transmit application data during the handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_max_early_data
diff --git a/src/lib/libssl/man/SSL_renegotiate.3 b/src/lib/libssl/man/SSL_renegotiate.3
index 8188d37323..badfe8c6cb 100644
--- a/src/lib/libssl/man/SSL_renegotiate.3
+++ b/src/lib/libssl/man/SSL_renegotiate.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_renegotiate.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_renegotiate.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_key_update.pod 4fbfe86a Feb 16 17:04:40 2017 +0000
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_RENEGOTIATE 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm SSL_renegotiate_pending
 .Nd initiate a new TLS handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_renegotiate
diff --git a/src/lib/libssl/man/SSL_rstate_string.3 b/src/lib/libssl/man/SSL_rstate_string.3
index 99613ba3c0..624c1b08ab 100644
--- a/src/lib/libssl/man/SSL_rstate_string.3
+++ b/src/lib/libssl/man/SSL_rstate_string.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_rstate_string.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_rstate_string.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_RSTATE_STRING 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_rstate_string_long
 .Nd get textual description of state of an SSL object during read operation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_rstate_string "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_session_reused.3 b/src/lib/libssl/man/SSL_session_reused.3
index add61a904b..3340144660 100644
--- a/src/lib/libssl/man/SSL_session_reused.3
+++ b/src/lib/libssl/man/SSL_session_reused.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_session_reused.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_session_reused.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_REUSED 3
 .Os
 .Sh NAME
 .Nm SSL_session_reused
 .Nd query whether a reused session was negotiated during handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_session_reused "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_set1_host.3 b/src/lib/libssl/man/SSL_set1_host.3
index 2a3935c3f2..2c6cdbe5a1 100644
--- a/src/lib/libssl/man/SSL_set1_host.3
+++ b/src/lib/libssl/man/SSL_set1_host.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set1_host.3,v 1.4 2021/03/31 16:56:46 tb Exp $
+.\" $OpenBSD: SSL_set1_host.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
 .\" This file was written by Viktor Dukhovni <viktor@openssl.org>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET1_HOST 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_get0_peername
 .Nd SSL server verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_set1_host
diff --git a/src/lib/libssl/man/SSL_set1_param.3 b/src/lib/libssl/man/SSL_set1_param.3
index cd8ad40ad0..2d255a0991 100644
--- a/src/lib/libssl/man/SSL_set1_param.3
+++ b/src/lib/libssl/man/SSL_set1_param.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set1_param.3,v 1.6 2022/09/10 10:22:46 jsg Exp $
+.\" $OpenBSD: SSL_set1_param.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/SSL_CTX_get0_param 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 10 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET1_PARAM 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_set1_param
 .Nd get and set verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509_VERIFY_PARAM *
 .Fo SSL_CTX_get0_param
diff --git a/src/lib/libssl/man/SSL_set_SSL_CTX.3 b/src/lib/libssl/man/SSL_set_SSL_CTX.3
index 2abaefb292..3a909dabe6 100644
--- a/src/lib/libssl/man/SSL_set_SSL_CTX.3
+++ b/src/lib/libssl/man/SSL_set_SSL_CTX.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set_SSL_CTX.3,v 1.4 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_set_SSL_CTX.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_SSL_CTX 3
 .Os
 .Sh NAME
 .Nm SSL_set_SSL_CTX
 .Nd modify an SSL connection object to use another context
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_CTX *
 .Fo SSL_set_SSL_CTX
diff --git a/src/lib/libssl/man/SSL_set_bio.3 b/src/lib/libssl/man/SSL_set_bio.3
index e727f442d6..98ce9a7080 100644
--- a/src/lib/libssl/man/SSL_set_bio.3
+++ b/src/lib/libssl/man/SSL_set_bio.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_bio.3,v 1.6 2020/10/08 18:21:30 tb Exp $
+.\"     $OpenBSD: SSL_set_bio.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL acb5b343 Sep 16 16:00:38 2000 +0000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 8 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_BIO 3
 .Os
 .Sh NAME
 .Nm SSL_set_bio
 .Nd connect the SSL object with a BIO
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_bio "SSL *ssl" "BIO *rbio" "BIO *wbio"
diff --git a/src/lib/libssl/man/SSL_set_connect_state.3 b/src/lib/libssl/man/SSL_set_connect_state.3
index c2072c4370..b7d126d046 100644
--- a/src/lib/libssl/man/SSL_set_connect_state.3
+++ b/src/lib/libssl/man/SSL_set_connect_state.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set_connect_state.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\" $OpenBSD: SSL_set_connect_state.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" selective merge up to: OpenSSL dbd007d7 Jul 28 13:31:27 2017 +0800
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_CONNECT_STATE 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_is_server
 .Nd prepare SSL object to work in client or server mode
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_connect_state "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_set_fd.3 b/src/lib/libssl/man/SSL_set_fd.3
index 7b9727e9ad..3c4441e677 100644
--- a/src/lib/libssl/man/SSL_set_fd.3
+++ b/src/lib/libssl/man/SSL_set_fd.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_fd.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_set_fd.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_FD 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_set_wfd
 .Nd connect the SSL object with a file descriptor
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_set_fd "SSL *ssl" "int fd"
diff --git a/src/lib/libssl/man/SSL_set_max_send_fragment.3 b/src/lib/libssl/man/SSL_set_max_send_fragment.3
index 7de087a743..d5265ebb74 100644
--- a/src/lib/libssl/man/SSL_set_max_send_fragment.3
+++ b/src/lib/libssl/man/SSL_set_max_send_fragment.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_max_send_fragment.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_set_max_send_fragment.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL doc/man3/SSL_CTX_set_split_send_fragment.pod
 .\"     OpenSSL 6782e5fd Oct 21 16:16:20 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_MAX_SEND_FRAGMENT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_set_max_send_fragment
 .Nd control fragment sizes
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_CTX_set_max_send_fragment
diff --git a/src/lib/libssl/man/SSL_set_psk_use_session_callback.3 b/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
index 7f2bfcc010..d53f5b97c9 100644
--- a/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
+++ b/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set_psk_use_session_callback.3,v 1.1 2021/09/14 14:30:57 schwarze Exp $
+.\" $OpenBSD: SSL_set_psk_use_session_callback.3,v 1.2 2025/06/08 22:52:00 schwarze Exp $
 .\" OpenSSL man3/SSL_CTX_set_psk_client_callback.pod
 .\" checked up to 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 14 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_PSK_USE_SESSION_CALLBACK 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm SSL_psk_use_session_cb_func
 .Nd set TLS pre-shared key client callback
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft typedef int
 .Fo (*SSL_psk_use_session_cb_func)
diff --git a/src/lib/libssl/man/SSL_set_session.3 b/src/lib/libssl/man/SSL_set_session.3
index 7d85f5ad0c..db3fc6a85c 100644
--- a/src/lib/libssl/man/SSL_set_session.3
+++ b/src/lib/libssl/man/SSL_set_session.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_session.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_set_session.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_SESSION 3
 .Os
 .Sh NAME
 .Nm SSL_set_session
 .Nd set a TLS/SSL session to be used during TLS/SSL connect
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_set_session "SSL *ssl" "SSL_SESSION *session"
diff --git a/src/lib/libssl/man/SSL_set_shutdown.3 b/src/lib/libssl/man/SSL_set_shutdown.3
index ef8c004f76..1c1d59e927 100644
--- a/src/lib/libssl/man/SSL_set_shutdown.3
+++ b/src/lib/libssl/man/SSL_set_shutdown.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_shutdown.3,v 1.7 2024/12/19 06:45:21 jmc Exp $
+.\"     $OpenBSD: SSL_set_shutdown.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 19 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_SHUTDOWN 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_get_shutdown
 .Nd manipulate shutdown state of an SSL connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_shutdown "SSL *ssl" "int mode"
diff --git a/src/lib/libssl/man/SSL_set_tmp_ecdh.3 b/src/lib/libssl/man/SSL_set_tmp_ecdh.3
index 8fd2d9fd5b..0794efdfb7 100644
--- a/src/lib/libssl/man/SSL_set_tmp_ecdh.3
+++ b/src/lib/libssl/man/SSL_set_tmp_ecdh.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_tmp_ecdh.3,v 1.6 2021/11/30 15:58:08 jsing Exp $
+.\"     $OpenBSD: SSL_set_tmp_ecdh.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 30 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_TMP_ECDH 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm SSL_CTX_set_tmp_ecdh_callback
 .Nd select a curve for ECDH ephemeral key exchange
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_set_tmp_ecdh
diff --git a/src/lib/libssl/man/SSL_set_verify_result.3 b/src/lib/libssl/man/SSL_set_verify_result.3
index 4b7cc6ec3c..f43d375bc9 100644
--- a/src/lib/libssl/man/SSL_set_verify_result.3
+++ b/src/lib/libssl/man/SSL_set_verify_result.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_verify_result.3,v 1.5 2020/03/29 17:05:02 schwarze Exp $
+.\"     $OpenBSD: SSL_set_verify_result.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_VERIFY_RESULT 3
 .Os
 .Sh NAME
 .Nm SSL_set_verify_result
 .Nd override result of peer certificate verification
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_verify_result "SSL *ssl" "long verify_result"
diff --git a/src/lib/libssl/man/SSL_shutdown.3 b/src/lib/libssl/man/SSL_shutdown.3
index bfb1e91ea7..ad49a47d8e 100644
--- a/src/lib/libssl/man/SSL_shutdown.3
+++ b/src/lib/libssl/man/SSL_shutdown.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_shutdown.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_shutdown.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SHUTDOWN 3
 .Os
 .Sh NAME
 .Nm SSL_shutdown
 .Nd shut down a TLS/SSL connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_shutdown "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_state_string.3 b/src/lib/libssl/man/SSL_state_string.3
index 1070335448..d202056eec 100644
--- a/src/lib/libssl/man/SSL_state_string.3
+++ b/src/lib/libssl/man/SSL_state_string.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_state_string.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_state_string.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_STATE_STRING 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_state_string_long
 .Nd get textual description of state of an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_state_string "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_want.3 b/src/lib/libssl/man/SSL_want.3
index 24e8645ba8..c7c2ee4885 100644
--- a/src/lib/libssl/man/SSL_want.3
+++ b/src/lib/libssl/man/SSL_want.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_want.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_want.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_WANT 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_want_x509_lookup
 .Nd obtain state information TLS/SSL I/O operation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_want "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_write.3 b/src/lib/libssl/man/SSL_write.3
index 2c6fbcef08..54d0953e82 100644
--- a/src/lib/libssl/man/SSL_write.3
+++ b/src/lib/libssl/man/SSL_write.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_write.3,v 1.7 2021/10/24 15:10:13 schwarze Exp $
+.\" $OpenBSD: SSL_write.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" partial merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 24 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_WRITE 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_write
 .Nd write bytes to a TLS connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_write_ex "SSL *ssl" "const void *buf" "size_t num" "size_t *written"
diff --git a/src/lib/libssl/man/d2i_SSL_SESSION.3 b/src/lib/libssl/man/d2i_SSL_SESSION.3
index 7a2bc529ab..6b0dfc86b9 100644
--- a/src/lib/libssl/man/d2i_SSL_SESSION.3
+++ b/src/lib/libssl/man/d2i_SSL_SESSION.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_SSL_SESSION.3,v 1.7 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: d2i_SSL_SESSION.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_SSL_SESSION 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm i2d_SSL_SESSION
 .Nd convert SSL_SESSION object from/to ASN1 representation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft  SSL_SESSION *
 .Fn d2i_SSL_SESSION "SSL_SESSION **a" "const unsigned char **pp" "long length"
diff --git a/src/lib/libssl/pqueue.c b/src/lib/libssl/pqueue.c
index 602969deb0..aafd0a704e 100644
--- a/src/lib/libssl/pqueue.c
+++ b/src/lib/libssl/pqueue.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pqueue.c,v 1.5 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: pqueue.c,v 1.7 2025/05/04 10:53:38 tb Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -68,7 +68,7 @@ typedef struct _pqueue {
 } pqueue_s;
 
 pitem *
-pitem_new(unsigned char *prio64be, void *data)
+pitem_new(const unsigned char *prio64be, void *data)
 {
         pitem *item = malloc(sizeof(pitem));
 
@@ -154,7 +154,7 @@ pqueue_pop(pqueue_s *pq)
 }
 
 pitem *
-pqueue_find(pqueue_s *pq, unsigned char *prio64be)
+pqueue_find(pqueue_s *pq, const unsigned char *prio64be)
 {
         pitem *next;
 
diff --git a/src/lib/libssl/pqueue.h b/src/lib/libssl/pqueue.h
index cdda4a3961..79ddf7a105 100644
--- a/src/lib/libssl/pqueue.h
+++ b/src/lib/libssl/pqueue.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pqueue.h,v 1.4 2016/11/04 18:28:58 guenther Exp $ */
+/* $OpenBSD: pqueue.h,v 1.7 2025/05/04 10:53:38 tb Exp $ */
 
 /*
  * DTLS implementation written by Nagendra Modadugu
@@ -61,7 +61,7 @@
 #ifndef HEADER_PQUEUE_H
 #define HEADER_PQUEUE_H
 
-__BEGIN_HIDDEN_DECLS 
+__BEGIN_HIDDEN_DECLS
 
 typedef struct _pqueue *pqueue;
 
@@ -73,7 +73,7 @@ typedef struct _pitem {
 
 typedef struct _pitem *piterator;
 
-pitem *pitem_new(unsigned char *prio64be, void *data);
+pitem *pitem_new(const unsigned char *prio64be, void *data);
 void   pitem_free(pitem *item);
 
 pqueue pqueue_new(void);
@@ -82,12 +82,12 @@ void   pqueue_free(pqueue pq);
 pitem *pqueue_insert(pqueue pq, pitem *item);
 pitem *pqueue_peek(pqueue pq);
 pitem *pqueue_pop(pqueue pq);
-pitem *pqueue_find(pqueue pq, unsigned char *prio64be);
+pitem *pqueue_find(pqueue pq, const unsigned char *prio64be);
 pitem *pqueue_iterator(pqueue pq);
 pitem *pqueue_next(piterator *iter);
 
 int    pqueue_size(pqueue pq);
 
-__END_HIDDEN_DECLS 
+__END_HIDDEN_DECLS
 
 #endif /* ! HEADER_PQUEUE_H */
diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version
index c2665004b4..97e30d617d 100644
--- a/src/lib/libssl/shlib_version
+++ b/src/lib/libssl/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libtls the same type of bump!
-major=59
-minor=1
+major=60
+minor=0
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index eac2d9e61f..90822490e2 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_err.c,v 1.53 2024/10/09 08:00:29 tb Exp $ */
+/* $OpenBSD: ssl_err.c,v 1.55 2025/05/10 05:49:21 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -669,8 +669,7 @@ SSL_state_func_code(int state) {
 }
 
 void
-SSL_error_internal(const SSL *s, int r, char *f, int l)
+SSL_error_internal(const SSL *s, int r, const char *f, int l)
 {
-        ERR_PUT_error(ERR_LIB_SSL,
-            (SSL_state_func_code(s->s3->hs.state)), r, f, l);
+        ERR_PUT_error(ERR_LIB_SSL, SSL_state_func_code(s->s3->hs.state), r, f, l);
 }
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index ce68981493..630724e670 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.331 2025/03/12 14:03:55 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.333 2025/06/09 10:14:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1298,7 +1298,7 @@ SSL_shutdown(SSL *s)
                 return (-1);
         }
 
-        if (s != NULL && !SSL_in_init(s))
+        if (!SSL_in_init(s))
                 return (s->method->ssl_shutdown(s));
 
         return (1);
@@ -3008,8 +3008,9 @@ SSL_dup(SSL *s)
 
         /* Dup the client_CA list */
         if (s->client_CA != NULL) {
-                if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
-                        ret->client_CA = sk;
+                if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL)
+                        goto err;
+                ret->client_CA = sk;
                 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
                         xn = sk_X509_NAME_value(sk, i);
                         if (sk_X509_NAME_set(sk, i,
diff --git a/src/lib/libssl/ssl_local.h b/src/lib/libssl/ssl_local.h
index 3a377030b0..acb87f8650 100644
--- a/src/lib/libssl/ssl_local.h
+++ b/src/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.29 2025/04/18 08:07:36 tb Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.33 2025/05/10 06:04:36 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1439,9 +1439,10 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out,
     unsigned int mac_secret_length);
 int SSL_state_func_code(int _state);
 
-#define SSLerror(s, r) SSL_error_internal(s, r, OPENSSL_FILE, OPENSSL_LINE)
-#define SSLerrorx(r) ERR_PUT_error(ERR_LIB_SSL,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-void SSL_error_internal(const SSL *s, int r, char *f, int l);
+void SSL_error_internal(const SSL *s, int r, const char *f, int l);
+#define SSLerror(s, r)  SSL_error_internal(s, r, OPENSSL_FILE, OPENSSL_LINE)
+#define SSLerrorx(r)    ERR_PUT_error(ERR_LIB_SSL,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
+#define SYSerror(r)     ERR_PUT_error(ERR_LIB_SYS,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
 
 #ifndef OPENSSL_NO_SRTP
 
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 6c8a2be3d3..1490e10ba4 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.51 2023/12/30 06:25:56 tb Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.53 2025/08/14 15:55:54 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
index b19944ca83..9966217ca3 100644
--- a/src/lib/libssl/ssl_stat.c
+++ b/src/lib/libssl/ssl_stat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_stat.c,v 1.23 2024/10/12 03:54:18 tb Exp $ */
+/* $OpenBSD: ssl_stat.c,v 1.24 2025/05/22 08:25:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -438,72 +438,7 @@ LSSL_ALIAS(SSL_alert_type_string);
 const char *
 SSL_alert_desc_string(int value)
 {
-        switch (value & 0xff) {
-        case SSL_AD_CLOSE_NOTIFY:
-                return "CN";
-        case SSL_AD_UNEXPECTED_MESSAGE:
-                return "UM";
-        case SSL_AD_BAD_RECORD_MAC:
-                return "BM";
-        case SSL_AD_RECORD_OVERFLOW:
-                return "RO";
-        case SSL_AD_DECOMPRESSION_FAILURE:
-                return "DF";
-        case SSL_AD_HANDSHAKE_FAILURE:
-                return "HF";
-        case SSL_AD_BAD_CERTIFICATE:
-                return "BC";
-        case SSL_AD_UNSUPPORTED_CERTIFICATE:
-                return "UC";
-        case SSL_AD_CERTIFICATE_REVOKED:
-                return "CR";
-        case SSL_AD_CERTIFICATE_EXPIRED:
-                return "CE";
-        case SSL_AD_CERTIFICATE_UNKNOWN:
-                return "CU";
-        case SSL_AD_ILLEGAL_PARAMETER:
-                return "IP";
-        case SSL_AD_UNKNOWN_CA:
-                return "CA";
-        case SSL_AD_ACCESS_DENIED:
-                return "AD";
-        case SSL_AD_DECODE_ERROR:
-                return "DE";
-        case SSL_AD_DECRYPT_ERROR:
-                return "CY";
-        case SSL_AD_PROTOCOL_VERSION:
-                return "PV";
-        case SSL_AD_INSUFFICIENT_SECURITY:
-                return "IS";
-        case SSL_AD_INTERNAL_ERROR:
-                return "IE";
-        case SSL_AD_INAPPROPRIATE_FALLBACK:
-                return "IF";
-        case SSL_AD_USER_CANCELLED:
-                return "US";
-        case SSL_AD_NO_RENEGOTIATION:
-                return "NR";
-        case SSL_AD_MISSING_EXTENSION:
-                return "ME";
-        case SSL_AD_UNSUPPORTED_EXTENSION:
-                return "UE";
-        case SSL_AD_CERTIFICATE_UNOBTAINABLE:
-                return "CO";
-        case SSL_AD_UNRECOGNIZED_NAME:
-                return "UN";
-        case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
-                return "BR";
-        case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
-                return "BH";
-        case SSL_AD_UNKNOWN_PSK_IDENTITY:
-                return "UP";
-        case SSL_AD_CERTIFICATE_REQUIRED:
-                return "CQ"; /* XXX */
-        case SSL_AD_NO_APPLICATION_PROTOCOL:
-                return "AP";
-        default:
-                return "UK";
-        }
+        return "!!";
 }
 LSSL_ALIAS(SSL_alert_desc_string);
 
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 08bf5593ec..9209597601 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.154 2024/07/09 12:27:27 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.156 2025/06/07 10:23:21 tb Exp $ */
 /*
  * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -2410,13 +2410,12 @@ tlsext_randomize_build_order(SSL *s)
 {
         const struct tls_extension *psk_ext;
         size_t idx, new_idx;
-        size_t alpn_idx = 0, sni_idx = 0;
 
         free(s->tlsext_build_order);
         s->tlsext_build_order_len = 0;
 
-        if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
-            N_TLS_EXTENSIONS)) == NULL)
+        if ((s->tlsext_build_order = calloc(N_TLS_EXTENSIONS,
+            sizeof(*s->tlsext_build_order))) == NULL)
                 return 0;
         s->tlsext_build_order_len = N_TLS_EXTENSIONS;
 
@@ -2433,28 +2432,6 @@ tlsext_randomize_build_order(SSL *s)
                 s->tlsext_build_order[new_idx] = &tls_extensions[idx];
         }
 
-        /*
-         * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN
-         * for clients so that virtual host setups work correctly.
-         */
-
-        if (s->server)
-                return 1;
-
-        for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) {
-                if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn)
-                        alpn_idx = idx;
-                if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name)
-                        sni_idx = idx;
-        }
-        if (alpn_idx < sni_idx) {
-                const struct tls_extension *tmp;
-
-                tmp = s->tlsext_build_order[alpn_idx];
-                s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx];
-                s->tlsext_build_order[sni_idx] = tmp;
-        }
-
         return 1;
 }
 
@@ -2466,8 +2443,8 @@ tlsext_linearize_build_order(SSL *s)
         free(s->tlsext_build_order);
         s->tlsext_build_order_len = 0;
 
-        if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
-            N_TLS_EXTENSIONS)) == NULL)
+        if ((s->tlsext_build_order = calloc(N_TLS_EXTENSIONS,
+            sizeof(*s->tlsext_build_order))) == NULL)
                 return 0;
         s->tlsext_build_order_len = N_TLS_EXTENSIONS;
 
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index b200f78098..57cd180d09 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.204 2025/01/18 14:17:05 tb Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.206 2025/05/31 15:17:11 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -151,6 +151,7 @@ tls1_clear(SSL *s)
 }
 
 struct supported_group {
+        uint16_t group_id;
         int nid;
         int bits;
 };
@@ -160,119 +161,148 @@ struct supported_group {
  * https://www.iana.org/assignments/tls-parameters/#tls-parameters-8
  */
 static const struct supported_group nid_list[] = {
-        [1] = {
+        {
+                .group_id = 1,
                 .nid = NID_sect163k1,
                 .bits = 80,
         },
-        [2] = {
+        {
+                .group_id = 2,
                 .nid = NID_sect163r1,
                 .bits = 80,
         },
-        [3] = {
+        {
+                .group_id = 3,
                 .nid = NID_sect163r2,
                 .bits = 80,
         },
-        [4] = {
+        {
+                .group_id = 4,
                 .nid = NID_sect193r1,
                 .bits = 80,
         },
-        [5] = {
+        {
+                .group_id = 5,
                 .nid = NID_sect193r2,
                 .bits = 80,
         },
-        [6] = {
+        {
+                .group_id = 6,
                 .nid = NID_sect233k1,
                 .bits = 112,
         },
-        [7] = {
+        {
+                .group_id = 7,
                 .nid = NID_sect233r1,
                 .bits = 112,
         },
-        [8] = {
+        {
+                .group_id = 8,
                 .nid = NID_sect239k1,
                 .bits = 112,
         },
-        [9] = {
+        {
+                .group_id = 9,
                 .nid = NID_sect283k1,
                 .bits = 128,
         },
-        [10] = {
+        {
+                .group_id = 10,
                 .nid = NID_sect283r1,
                 .bits = 128,
         },
-        [11] = {
+        {
+                .group_id = 11,
                 .nid = NID_sect409k1,
                 .bits = 192,
         },
-        [12] = {
+        {
+                .group_id = 12,
                 .nid = NID_sect409r1,
                 .bits = 192,
         },
-        [13] = {
+        {
+                .group_id = 13,
                 .nid = NID_sect571k1,
                 .bits = 256,
         },
-        [14] = {
+        {
+                .group_id = 14,
                 .nid = NID_sect571r1,
                 .bits = 256,
         },
-        [15] = {
+        {
+                .group_id = 15,
                 .nid = NID_secp160k1,
                 .bits = 80,
         },
-        [16] = {
+        {
+                .group_id = 16,
                 .nid = NID_secp160r1,
                 .bits = 80,
         },
-        [17] = {
+        {
+                .group_id = 17,
                 .nid = NID_secp160r2,
                 .bits = 80,
         },
-        [18] = {
+        {
+                .group_id = 18,
                 .nid = NID_secp192k1,
                 .bits = 80,
         },
-        [19] = {
+        {
+                .group_id = 19,
                 .nid = NID_X9_62_prime192v1,    /* aka secp192r1 */
                 .bits = 80,
         },
-        [20] = {
+        {
+                .group_id = 20,
                 .nid = NID_secp224k1,
                 .bits = 112,
         },
-        [21] = {
+        {
+                .group_id = 21,
                 .nid = NID_secp224r1,
                 .bits = 112,
         },
-        [22] = {
+        {
+                .group_id = 22,
                 .nid = NID_secp256k1,
                 .bits = 128,
         },
-        [23] = {
+        {
+                .group_id = 23,
                 .nid = NID_X9_62_prime256v1,    /* aka secp256r1 */
                 .bits = 128,
         },
-        [24] = {
+        {
+                .group_id = 24,
                 .nid = NID_secp384r1,
                 .bits = 192,
         },
-        [25] = {
+        {
+                .group_id = 25,
                 .nid = NID_secp521r1,
                 .bits = 256,
         },
-        [26] = {
+        {
+                .group_id = 26,
                 .nid = NID_brainpoolP256r1,
                 .bits = 128,
         },
-        [27] = {
+        {
+                .group_id = 27,
                 .nid = NID_brainpoolP384r1,
                 .bits = 192,
         },
-        [28] = {
+        {
+                .group_id = 28,
                 .nid = NID_brainpoolP512r1,
                 .bits = 256,
         },
-        [29] = {
+        {
+                .group_id = 29,
                 .nid = NID_X25519,
                 .bits = 128,
         },
@@ -339,18 +369,41 @@ static const uint16_t ecgroups_server_default[] = {
         24,                     /* secp384r1 (24) */
 };
 
+static const struct supported_group *
+tls1_supported_group_by_id(uint16_t group_id)
+{
+        int i;
+
+        for (i = 0; i < NID_LIST_LEN; i++) {
+                if (group_id == nid_list[i].group_id)
+                        return &nid_list[i];
+        }
+
+        return NULL;
+}
+
+static const struct supported_group *
+tls1_supported_group_by_nid(int nid)
+{
+        int i;
+
+        for (i = 0; i < NID_LIST_LEN; i++) {
+                if (nid == nid_list[i].nid)
+                        return &nid_list[i];
+        }
+
+        return NULL;
+}
+
 int
 tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
 {
-        int nid;
-
-        if (group_id >= NID_LIST_LEN)
-                return 0;
+        const struct supported_group *sg;
 
-        if ((nid = nid_list[group_id].nid) == 0)
+        if ((sg = tls1_supported_group_by_id(group_id)) == NULL)
                 return 0;
 
-        *out_nid = nid;
+        *out_nid = sg->nid;
 
         return 1;
 }
@@ -358,15 +411,12 @@ tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
 int
 tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
 {
-        int bits;
-
-        if (group_id >= NID_LIST_LEN)
-                return 0;
+        const struct supported_group *sg;
 
-        if ((bits = nid_list[group_id].bits) == 0)
+        if ((sg = tls1_supported_group_by_id(group_id)) == NULL)
                 return 0;
 
-        *out_bits = bits;
+        *out_bits = sg->bits;
 
         return 1;
 }
@@ -374,19 +424,14 @@ tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
 int
 tls1_ec_nid2group_id(int nid, uint16_t *out_group_id)
 {
-        uint16_t group_id;
+        const struct supported_group *sg;
 
-        if (nid == 0)
+        if ((sg = tls1_supported_group_by_nid(nid)) == NULL)
                 return 0;
 
-        for (group_id = 0; group_id < NID_LIST_LEN; group_id++) {
-                if (nid_list[group_id].nid == nid) {
-                        *out_group_id = group_id;
-                        return 1;
-                }
-        }
+        *out_group_id = sg->group_id;
 
-        return 0;
+        return 1;
 }
 
 /*
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 331a3ad1a7..c3470b2931 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.77 2024/01/27 14:23:51 jsing Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.78 2025/06/07 10:25:12 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -538,7 +538,7 @@ tls13_ctx_new(int mode, SSL *ssl)
 {
         struct tls13_ctx *ctx = NULL;
 
-        if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
+        if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
                 goto err;
 
         ctx->hs = &ssl->s3->hs;
diff --git a/src/lib/libtls/man/tls_accept_socket.3 b/src/lib/libtls/man/tls_accept_socket.3
index 931b9346ec..8922708e0f 100644
--- a/src/lib/libtls/man/tls_accept_socket.3
+++ b/src/lib/libtls/man/tls_accept_socket.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_accept_socket.3,v 1.4 2018/05/26 12:35:26 schwarze Exp $
+.\" $OpenBSD: tls_accept_socket.3,v 1.5 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 26 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_ACCEPT_SOCKET 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm tls_accept_cbs
 .Nd accept an incoming client connection in a TLS server
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_accept_socket
diff --git a/src/lib/libtls/man/tls_client.3 b/src/lib/libtls/man/tls_client.3
index 98f58d4c20..235c779519 100644
--- a/src/lib/libtls/man/tls_client.3
+++ b/src/lib/libtls/man/tls_client.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_client.3,v 1.4 2017/08/12 03:41:48 jsing Exp $
+.\" $OpenBSD: tls_client.3,v 1.5 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 12 2017 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CLIENT 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm tls_free
 .Nd configure a TLS connection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft struct tls *
 .Fn tls_client void
diff --git a/src/lib/libtls/man/tls_config_ocsp_require_stapling.3 b/src/lib/libtls/man/tls_config_ocsp_require_stapling.3
index a0694d304f..d776b61ad6 100644
--- a/src/lib/libtls/man/tls_config_ocsp_require_stapling.3
+++ b/src/lib/libtls/man/tls_config_ocsp_require_stapling.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_ocsp_require_stapling.3,v 1.5 2017/01/31 20:53:50 jmc Exp $
+.\" $OpenBSD: tls_config_ocsp_require_stapling.3,v 1.6 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Bob Beck <beck@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 31 2017 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONFIG_OCSP_REQUIRE_STAPLING 3
 .Os
 .Sh NAME
 .Nm tls_config_ocsp_require_stapling
 .Nd OCSP configuration for libtls
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft void
 .Fn tls_config_ocsp_require_stapling "struct tls_config *config"
diff --git a/src/lib/libtls/man/tls_config_set_protocols.3 b/src/lib/libtls/man/tls_config_set_protocols.3
index 32b8cce757..403bc10b82 100644
--- a/src/lib/libtls/man/tls_config_set_protocols.3
+++ b/src/lib/libtls/man/tls_config_set_protocols.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_set_protocols.3,v 1.12 2023/07/02 06:37:27 beck Exp $
+.\" $OpenBSD: tls_config_set_protocols.3,v 1.13 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015, 2016 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 2 2023 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONFIG_SET_PROTOCOLS 3
 .Os
 .Sh NAME
@@ -26,10 +26,12 @@
 .Nm tls_config_set_ciphers ,
 .Nm tls_config_set_dheparams ,
 .Nm tls_config_set_ecdhecurves ,
+.\" .Nm tls_config_set_ecdhecurve is intentionally undocumented.
 .Nm tls_config_prefer_ciphers_client ,
 .Nm tls_config_prefer_ciphers_server
 .Nd TLS protocol and cipher selection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_config_set_protocols
diff --git a/src/lib/libtls/man/tls_config_set_session_id.3 b/src/lib/libtls/man/tls_config_set_session_id.3
index d969e01e33..a869b3f24c 100644
--- a/src/lib/libtls/man/tls_config_set_session_id.3
+++ b/src/lib/libtls/man/tls_config_set_session_id.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_set_session_id.3,v 1.5 2018/02/10 06:07:43 jsing Exp $
+.\" $OpenBSD: tls_config_set_session_id.3,v 1.6 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Claudio Jeker <claudio@openbsd.org>
 .\" Copyright (c) 2018 Joel Sing <jsing@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 10 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONFIG_SET_SESSION_ID 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm tls_config_add_ticket_key
 .Nd configure resuming of TLS handshakes
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_config_set_session_fd
diff --git a/src/lib/libtls/man/tls_config_verify.3 b/src/lib/libtls/man/tls_config_verify.3
index 4a43c834d7..d5b29e858e 100644
--- a/src/lib/libtls/man/tls_config_verify.3
+++ b/src/lib/libtls/man/tls_config_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_verify.3,v 1.4 2017/03/02 11:05:50 jmc Exp $
+.\" $OpenBSD: tls_config_verify.3,v 1.5 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 2 2017 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONFIG_VERIFY 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm tls_config_insecure_noverifytime
 .Nd insecure TLS configuration
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft void
 .Fn tls_config_verify "struct tls_config *config"
diff --git a/src/lib/libtls/man/tls_conn_version.3 b/src/lib/libtls/man/tls_conn_version.3
index 8fb30624d7..3a386cf11f 100644
--- a/src/lib/libtls/man/tls_conn_version.3
+++ b/src/lib/libtls/man/tls_conn_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_conn_version.3,v 1.11 2024/12/10 08:42:12 tb Exp $
+.\" $OpenBSD: tls_conn_version.3,v 1.12 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2015 Bob Beck <beck@openbsd.org>
 .\" Copyright (c) 2016, 2018 Joel Sing <jsing@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 10 2024 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONN_VERSION 3
 .Os
 .Sh NAME
@@ -36,6 +36,7 @@
 .Nm tls_peer_cert_notafter
 .Nd inspect an established TLS connection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft const char *
 .Fn tls_conn_version "struct tls *ctx"
diff --git a/src/lib/libtls/man/tls_connect.3 b/src/lib/libtls/man/tls_connect.3
index 4c4f01c256..95a18864b2 100644
--- a/src/lib/libtls/man/tls_connect.3
+++ b/src/lib/libtls/man/tls_connect.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_connect.3,v 1.4 2018/07/09 19:51:18 tb Exp $
+.\" $OpenBSD: tls_connect.3,v 1.5 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2014, 2015 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 9 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONNECT 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm tls_connect_cbs
 .Nd instruct a TLS client to establish a connection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_connect
diff --git a/src/lib/libtls/man/tls_init.3 b/src/lib/libtls/man/tls_init.3
index 557998107c..69879c04c7 100644
--- a/src/lib/libtls/man/tls_init.3
+++ b/src/lib/libtls/man/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.13 2018/07/09 19:47:20 tb Exp $
+.\" $OpenBSD: tls_init.3,v 1.14 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2016 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 9 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm tls_config_error
 .Nd initialize TLS client and server API
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fn tls_init void
diff --git a/src/lib/libtls/man/tls_load_file.3 b/src/lib/libtls/man/tls_load_file.3
index cf33b575ef..33f486d530 100644
--- a/src/lib/libtls/man/tls_load_file.3
+++ b/src/lib/libtls/man/tls_load_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_load_file.3,v 1.14 2022/01/01 02:18:28 jsg Exp $
+.\" $OpenBSD: tls_load_file.3,v 1.15 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 1 2022 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_LOAD_FILE 3
 .Os
 .Sh NAME
@@ -49,6 +49,7 @@
 .Nm tls_default_ca_cert_file
 .Nd TLS certificate and key configuration
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft uint8_t *
 .Fo tls_load_file
diff --git a/src/lib/libtls/man/tls_ocsp_process_response.3 b/src/lib/libtls/man/tls_ocsp_process_response.3
index 6e3aa4aecc..e7b57a6827 100644
--- a/src/lib/libtls/man/tls_ocsp_process_response.3
+++ b/src/lib/libtls/man/tls_ocsp_process_response.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_ocsp_process_response.3,v 1.6 2018/07/24 02:01:34 tb Exp $
+.\" $OpenBSD: tls_ocsp_process_response.3,v 1.7 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Bob Beck <beck@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 24 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_OCSP_PROCESS_RESPONSE 3
 .Os
 .Sh NAME
@@ -29,6 +29,7 @@
 .Nm tls_peer_ocsp_next_update
 .Nd inspect an OCSP response
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_ocsp_process_response
diff --git a/src/lib/libtls/man/tls_read.3 b/src/lib/libtls/man/tls_read.3
index f9d949eef5..f72e63cf63 100644
--- a/src/lib/libtls/man/tls_read.3
+++ b/src/lib/libtls/man/tls_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_read.3,v 1.8 2023/09/18 17:25:15 schwarze Exp $
+.\" $OpenBSD: tls_read.3,v 1.9 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014, 2015 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015 Doug Hogan <doug@openbsd.org>
@@ -18,7 +18,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 18 2023 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_READ 3
 .Os
 .Sh NAME
@@ -29,6 +29,7 @@
 .Nm tls_close
 .Nd use a TLS connection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft ssize_t
 .Fo tls_read
diff --git a/src/lib/libtls/shlib_version b/src/lib/libtls/shlib_version
index 3040494c17..ed8f7473b5 100644
--- a/src/lib/libtls/shlib_version
+++ b/src/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
-major=32
-minor=1
+major=33
+minor=0
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index a94b4221ed..42a697327a 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.51 2024/03/26 08:54:48 joshua Exp $ */
+/* $OpenBSD: tls_server.c,v 1.52 2025/06/04 10:25:30 tb Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -75,7 +75,7 @@ tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
             OPENSSL_NPN_NEGOTIATED)
                 return (SSL_TLSEXT_ERR_OK);
 
-        return (SSL_TLSEXT_ERR_NOACK);
+        return (SSL_TLSEXT_ERR_ALERT_FATAL);
 }
 
 static int
diff --git a/src/regress/lib/libc/Makefile b/src/regress/lib/libc/Makefile
index 81d8779db0..7a8db225ef 100644
--- a/src/regress/lib/libc/Makefile
+++ b/src/regress/lib/libc/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.60 2025/04/14 17:33:48 tb Exp $
+#       $OpenBSD: Makefile,v 1.62 2025/08/04 06:10:40 tb Exp $
 
 SUBDIR+= _setjmp
 SUBDIR+= alloca arc4random-fork atexit
@@ -11,7 +11,7 @@ SUBDIR+= ffs fmemopen fnmatch fpclassify fread
 SUBDIR+= gcvt getaddrinfo getcap getopt getopt_long glob
 SUBDIR+= hash
 SUBDIR+= hsearch
-SUBDIR+= ieeefp ifnameindex
+SUBDIR+= ieeefp ifnameindex illumos
 SUBDIR+= ldexp locale longjmp
 SUBDIR+= malloc mkstemp modf
 SUBDIR+= netdb
@@ -19,9 +19,9 @@ SUBDIR+= open_memstream orientation
 SUBDIR+= popen printf
 SUBDIR+= qsort
 SUBDIR+= regex
-SUBDIR+= setjmp setjmp-signal sigsetjmp sigthr sleep sprintf stdio_threading
-SUBDIR+= stpncpy strchr strerror strlcat strlcpy strnlen strtod strtol strtonum
-SUBDIR+= sys
+SUBDIR+= setjmp setjmp-signal sigsetjmp sigthr sleep sprintf stdio
+SUBDIR+= stdio_threading stpncpy strchr strerror strlcat strlcpy strnlen
+SUBDIR+= strtod strtol strtonum sys
 SUBDIR+= telldir time timingsafe
 SUBDIR+= uuid
 SUBDIR+= vis
diff --git a/src/regress/lib/libc/explicit_bzero/explicit_bzero.c b/src/regress/lib/libc/explicit_bzero/explicit_bzero.c
index 496bafb208..30c86290e8 100644
--- a/src/regress/lib/libc/explicit_bzero/explicit_bzero.c
+++ b/src/regress/lib/libc/explicit_bzero/explicit_bzero.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: explicit_bzero.c,v 1.9 2022/02/10 08:39:32 tb Exp $   */
+/*      $OpenBSD: explicit_bzero.c,v 1.10 2025/05/31 15:31:40 tb Exp $  */
 /*
  * Copyright (c) 2014 Google Inc.
  *
@@ -28,9 +28,11 @@
 
 #if defined(__has_feature)
 #if __has_feature(address_sanitizer)
+#ifndef __SANITIZE_ADDRESS__
 #define __SANITIZE_ADDRESS__
 #endif
 #endif
+#endif
 #ifdef __SANITIZE_ADDRESS__
 #define ATTRIBUTE_NO_SANITIZE_ADDRESS __attribute__((no_sanitize_address))
 #else
diff --git a/src/regress/lib/libc/hash/hash_test.c b/src/regress/lib/libc/hash/hash_test.c
index f9dc641186..c04a0458fe 100644
--- a/src/regress/lib/libc/hash/hash_test.c
+++ b/src/regress/lib/libc/hash/hash_test.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: hash_test.c,v 1.2 2025/04/14 18:33:56 tb Exp $ */
+/*      $OpenBSD: hash_test.c,v 1.3 2025/08/02 06:05:13 tb Exp $ */
 
 /*
  * Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
@@ -757,7 +757,7 @@ struct hash_ctx {
         void            *ctx;
         void            (*init)(void *);
         void            (*update)(void *, const uint8_t *, size_t);
-        void            (*final)(void *, void *final);
+        void            (*final)(void *, void *);
 };
 
 static const struct hash_tests {
@@ -814,7 +814,7 @@ hash_test_case(struct hash_ctx *ctx, const struct hash_test_case *tc,
         size_t in_len = tc->in != NULL ? strlen(tc->in) : 0;
 
         ctx->init(ctx->ctx);
-        ctx->update(ctx->ctx, (uint8_t *)tc->in, in_len);
+        ctx->update(ctx->ctx, (const uint8_t *)tc->in, in_len);
         ctx->final(ctx->digest, ctx->ctx);
 
         if (memcmp(tc->out, ctx->digest, ctx->digest_len) != 0) {
diff --git a/src/regress/lib/libc/illumos/Makefile b/src/regress/lib/libc/illumos/Makefile
new file mode 100644
index 0000000000..cf2d22eb44
--- /dev/null
+++ b/src/regress/lib/libc/illumos/Makefile
@@ -0,0 +1,7 @@
+#       $OpenBSD: Makefile,v 1.1.1.1 2025/08/02 06:16:34 tb Exp $
+
+SUBDIR += oclo
+
+install:
+
+.include <bsd.subdir.mk>
diff --git a/src/regress/lib/libc/illumos/Makefile.inc b/src/regress/lib/libc/illumos/Makefile.inc
new file mode 100644
index 0000000000..4296b6e690
--- /dev/null
+++ b/src/regress/lib/libc/illumos/Makefile.inc
@@ -0,0 +1,9 @@
+#       $OpenBSD: Makefile.inc,v 1.1.1.1 2025/08/02 06:16:34 tb Exp $
+
+ILLUMOS_OS_TESTDIR = /usr/local/share/illumos-os-tests
+
+.if !exists(${ILLUMOS_OS_TESTDIR})
+regress:
+        @echo package illumos-os-tests is required for this regress
+        @echo SKIPPED
+.endif
diff --git a/src/regress/lib/libc/illumos/oclo/Makefile b/src/regress/lib/libc/illumos/oclo/Makefile
new file mode 100644
index 0000000000..284e49dc73
--- /dev/null
+++ b/src/regress/lib/libc/illumos/oclo/Makefile
@@ -0,0 +1,18 @@
+#       $OpenBSD: Makefile,v 1.2 2025/08/09 18:17:42 anton Exp $
+
+.if exists(/usr/local/share/illumos-os-tests)
+
+PROGS =         oclo
+PROGS +=        oclo_errors
+PROGS +=        ocloexec_verify
+
+LDADD_ocloexec_verify = -lkvm
+
+WARNINGS =      yes
+
+regress: ${PROGS}
+
+.PATH: /usr/local/share/illumos-os-tests/tests/oclo
+.endif
+
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libc/malloc/malloc_errs/malloc_errs.c b/src/regress/lib/libc/malloc/malloc_errs/malloc_errs.c
index 486c247f0d..57d799f49d 100644
--- a/src/regress/lib/libc/malloc/malloc_errs/malloc_errs.c
+++ b/src/regress/lib/libc/malloc/malloc_errs/malloc_errs.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: malloc_errs.c,v 1.5 2024/04/14 17:47:41 otto Exp $    */
+/*      $OpenBSD: malloc_errs.c,v 1.6 2025/05/24 06:40:29 otto Exp $    */
 /*
  * Copyright (c) 2023 Otto Moerbeek <otto@drijf.net>
  *
@@ -286,11 +286,10 @@ int main(int argc, char *argv[])
         int i, status;
         pid_t pid;
         char num[10];
-        char options[10];
-        extern char* malloc_options;
+        char options[40];
+        char const *env[2];
 
-        if (argc == 3) {
-                malloc_options = argv[2];
+        if (argc == 2) {
                 /* prevent coredumps */
                 setrlimit(RLIMIT_CORE, &lim);
                 i = atoi(argv[1]);
@@ -303,9 +302,11 @@ int main(int argc, char *argv[])
                 pid = fork();
                 switch (pid) {
                 case 0:
-                        snprintf(options, sizeof(options), "us%s", tests[i].flags);
+                        snprintf(options, sizeof(options), "MALLOC_OPTIONS=us%s", tests[i].flags);
                         snprintf(num, sizeof(num), "%d", i);
-                        execl(argv[0], argv[0], num, options, NULL);
+                        env[0] = options;
+                        env[1] = NULL;
+                        execle(argv[0], argv[0], num, NULL, env);
                         err(1, "exec");
                 break;
                 case -1:
diff --git a/src/regress/lib/libc/malloc/malloc_ulimit1/malloc_ulimit1.c b/src/regress/lib/libc/malloc/malloc_ulimit1/malloc_ulimit1.c
index 799d2b9117..7e53c32dbc 100644
--- a/src/regress/lib/libc/malloc/malloc_ulimit1/malloc_ulimit1.c
+++ b/src/regress/lib/libc/malloc/malloc_ulimit1/malloc_ulimit1.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: malloc_ulimit1.c,v 1.5 2019/06/12 11:31:36 bluhm Exp $        */
+/*      $OpenBSD: malloc_ulimit1.c,v 1.6 2025/05/24 06:47:27 otto Exp $ */
 
 /* Public Domain, 2006, Otto Moerbeek <otto@drijf.net> */
 
@@ -23,7 +23,7 @@
 #define FACTOR  1024
 
 /* This test takes forever with junking turned on. */
-char *malloc_options = "jj";
+const char * const malloc_options = "jj";
 
 int
 main()
diff --git a/src/regress/lib/libc/stdio/Makefile b/src/regress/lib/libc/stdio/Makefile
new file mode 100644
index 0000000000..f1e980f688
--- /dev/null
+++ b/src/regress/lib/libc/stdio/Makefile
@@ -0,0 +1,29 @@
+# $OpenBSD: Makefile,v 1.4 2025/06/03 14:35:27 yasuoka Exp $
+
+PROGS=          test_fflush
+CLEANFILES=     test_fflush.tmp
+
+PROGS+=         test_ungetwc
+CLEANFILES+=    test_ungetwc.tmp
+
+PROGS+=         test___freading
+CLEANFILES+=    test___freading.tmp
+
+PROGS+=         test___fwriting
+CLEANFILES+=    test___fwriting.tmp
+
+PROGS+=         test___fpending
+CLEANFILES+=    test___fpending.tmp
+
+PROGS+=         test___freadahead
+CLEANFILES+=    test___freadahead.tmp
+
+PROGS+=         test___freadptr
+CLEANFILES+=    test___freadptr.tmp
+
+PROGS+=         test___fseterr
+CLEANFILES+=    test___fseterr.tmp
+
+WARNINGS=       yes
+
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libc/stdio/test___fpending.c b/src/regress/lib/libc/stdio/test___fpending.c
new file mode 100644
index 0000000000..96ace2e481
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test___fpending.c
@@ -0,0 +1,58 @@
+/*      $OpenBSD: test___fpending.c,v 1.1 2025/05/25 00:20:54 yasuoka Exp $     */
+
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdio_ext.h>
+#include <stdlib.h>
+
+/* we use assert() */
+#undef  NDEBUG
+
+#define TMPFILENAME     "test___fpending.tmp"
+
+void test___fpending0(void);
+
+void
+test___fpending0(void)
+{
+        FILE    *fp;
+        int      r;
+        size_t   s;
+
+        fp = fopen(TMPFILENAME, "w");
+        assert(fp != NULL);
+        r = fputs("Hello world", fp);
+        assert(r >= 0);
+        s = __fpending(fp);
+        assert(s > 0);          /* assume buffered */
+        r = fflush(fp);
+        assert(r == 0);
+        s = __fpending(fp);
+        assert(s == 0);         /* buffer must be 0 */
+        r = fclose(fp);
+        assert(r == 0);
+}
+
+int
+main(int argc, char *argv[])
+{
+        test___fpending0();
+
+        exit(0);
+}
diff --git a/src/regress/lib/libc/stdio/test___freadahead.c b/src/regress/lib/libc/stdio/test___freadahead.c
new file mode 100644
index 0000000000..66d5e3492a
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test___freadahead.c
@@ -0,0 +1,71 @@
+/*      $OpenBSD: test___freadahead.c,v 1.2 2025/06/03 14:35:27 yasuoka Exp $   */
+
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <assert.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdio_ext.h>
+#include <stdlib.h>
+
+/* we use assert() */
+#undef  NDEBUG
+
+#define TMPFILENAME     "test___freadahead.tmp"
+
+void test___freadahead0(void);
+
+void
+test___freadahead0(void)
+{
+        FILE    *fp;
+        int      r;
+        size_t   s;
+
+        fp = fopen(TMPFILENAME, "w");
+        assert(fp != NULL);
+        r = fputs("Hello world", fp);
+        assert(r >= 0);
+        r = fclose(fp);
+
+        fp = fopen(TMPFILENAME, "r");
+        s = __freadahead(fp);
+        assert(s == 0);
+        assert(fgetc(fp) == 'H');
+        s = __freadahead(fp);
+        assert(s == 10);
+        r = fflush(fp);
+#if 0
+        /* fflush() to reading file is not supported (yet) */
+        assert(errno == EBADF);
+#else
+        assert(r == 0);
+        s = __freadahead(fp);
+        assert(s == 0);
+#endif
+
+        r = fclose(fp);
+        assert(r == 0);
+}
+
+int
+main(int argc, char *argv[])
+{
+        test___freadahead0();
+
+        exit(0);
+}
diff --git a/src/regress/lib/libc/stdio/test___freading.c b/src/regress/lib/libc/stdio/test___freading.c
new file mode 100644
index 0000000000..f74eb78d35
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test___freading.c
@@ -0,0 +1,125 @@
+/*      $OpenBSD: test___freading.c,v 1.2 2025/06/12 07:39:26 yasuoka Exp $     */
+
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdio_ext.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+/* we use assert() */
+#undef  NDEBUG
+
+#define TMPFILENAME     "test___freading.tmp"
+
+void setup(void);
+
+void test___freading0(void);
+void test___freading1(void);
+void test___freading2(void);
+
+void
+setup(void)
+{
+        FILE    *fp;
+
+        /* common setup */
+        unlink(TMPFILENAME);
+        fp = fopen(TMPFILENAME, "w+");
+        assert(fp != NULL);
+        fputs("Hello world\n", fp);
+        fclose(fp);
+}
+
+void
+test___freading0(void)
+{
+        FILE    *fp;
+        int      r;
+        char     buf[80];
+
+        fp = popen("echo Hello world", "r");
+        assert(fp != NULL);
+        assert(__freading(fp) != 0);
+        assert(fgets(buf, sizeof(buf), fp) != NULL);
+        assert(strcmp(buf, "Hello world\n") == 0);
+        r = pclose(fp);
+        assert(r == 0);
+}
+
+void
+test___freading1(void)
+{
+        FILE    *fp;
+        int      r;
+
+        /* when the last operaiton is read, __freading() returns true */
+        fp = fopen(TMPFILENAME, "w+");
+        assert(fp != NULL);
+        assert(__freading(fp) == 0);
+        r = fputs("Hello world\n", fp);
+        assert(r >= 0);
+        assert(__freading(fp) == 0);
+        rewind(fp);
+        assert(fgetc(fp) == 'H');
+        assert(__freading(fp) != 0);
+        /* write */
+        fseek(fp, 0, SEEK_END);
+        r = fputs("\n", fp);
+        assert(__freading(fp) == 0);
+        /* ungetc */
+        rewind(fp);
+        assert(ungetc('X', fp) != 0);
+        assert(__freading(fp) != 0);    /* reading */
+
+        r = fclose(fp);
+        assert(r == 0);
+}
+
+void
+test___freading2(void)
+{
+        int      r;
+        FILE    *fp;
+
+        /*
+         * until v1.10 of fpurge.c mistakenly enables the writing buffer
+         * without _SRD flag set.
+         */
+        fp = fopen(TMPFILENAME, "r+");
+        assert(fp != NULL);
+        assert(fgetc(fp) == 'H');
+        fpurge(fp);
+        fseek(fp, 0, SEEK_CUR);
+        assert(fputc('X', fp) == 'X');
+        assert(__freading(fp) == 0);
+
+        r = fclose(fp);
+        assert(r == 0);
+}
+
+int
+main(int argc, char *argv[])
+{
+        test___freading0();
+        test___freading1();
+        test___freading2();
+
+        exit(0);
+}
diff --git a/src/regress/lib/libc/stdio/test___freadptr.c b/src/regress/lib/libc/stdio/test___freadptr.c
new file mode 100644
index 0000000000..cce362f2ae
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test___freadptr.c
@@ -0,0 +1,78 @@
+/*      $OpenBSD: test___freadptr.c,v 1.1 2025/05/25 00:20:54 yasuoka Exp $     */
+
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <assert.h>
+#include <stdio.h>
+#include <stdio_ext.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* we use assert() */
+#undef  NDEBUG
+
+#define TMPFILENAME     "test___freadptr.tmp"
+
+void test___freadptr0(void);
+
+/* test __freadptr() and __freadptrinc() */
+void
+test___freadptr0(void)
+{
+        FILE            *fp;
+        int              r;
+        ssize_t          s;
+        const char      *p;
+
+        fp = fopen(TMPFILENAME, "w");
+        assert(fp != NULL);
+        r = fputs("Hello world", fp);
+        assert(r >= 0);
+        r = fclose(fp);
+
+        fp = fopen(TMPFILENAME, "r");
+        assert(fgetc(fp) == 'H');
+        p = __freadptr(fp, &s);
+        assert(p != NULL);
+        assert(s > 4);          /* this test assume this (not by the spec) */
+        assert(*p == 'e');
+        assert(strncmp(p, "ello world", s) == 0);
+
+        __freadptrinc(fp, 4);
+        assert(fgetc(fp) == ' ');
+
+        ungetc('A', fp);
+        ungetc('A', fp);
+        ungetc('A', fp);
+        p = __freadptr(fp, &s);
+        assert(s > 0);
+        assert(*p == 'A');
+        /* ptr will contains only the pushback buffer */
+        assert(strncmp(p, "AAAworld", s) == 0);
+
+        r = fclose(fp);
+        assert(r == 0);
+}
+
+int
+main(int argc, char *argv[])
+{
+        test___freadptr0();
+
+        exit(0);
+}
diff --git a/src/regress/lib/libc/stdio/test___fseterr.c b/src/regress/lib/libc/stdio/test___fseterr.c
new file mode 100644
index 0000000000..70fb491c6c
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test___fseterr.c
@@ -0,0 +1,60 @@
+/*      $OpenBSD: test___fseterr.c,v 1.1 2025/05/25 00:20:54 yasuoka Exp $      */
+
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdio_ext.h>
+#include <stdlib.h>
+
+/* we use assert() */
+#undef  NDEBUG
+
+#define TMPFILENAME     "test___fseterr.tmp"
+
+void test___fseterr0(void);
+
+void
+test___fseterr0(void)
+{
+        FILE    *fp;
+        int      r;
+
+        fp = fopen(TMPFILENAME, "w+");
+        assert(fp != NULL);
+
+        assert(!ferror(fp));
+
+        r = fprintf(fp, "hello world\n");
+        assert(r > 0);
+
+        __fseterr(fp);
+        assert(ferror(fp));
+
+        r = fprintf(fp, "hello world\n");
+        assert(r == -1);
+
+        fclose(fp);
+}
+
+int
+main(int argc, char *argv[])
+{
+        test___fseterr0();
+
+        exit(0);
+}
diff --git a/src/regress/lib/libc/stdio/test___fwriting.c b/src/regress/lib/libc/stdio/test___fwriting.c
new file mode 100644
index 0000000000..eb4671d3cf
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test___fwriting.c
@@ -0,0 +1,83 @@
+/*      $OpenBSD: test___fwriting.c,v 1.1 2025/05/25 00:20:54 yasuoka Exp $     */
+
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdio_ext.h>
+#include <stdlib.h>
+
+/* we use assert() */
+#undef  NDEBUG
+
+#define TMPFILENAME     "test___fwriting.tmp"
+
+void test___fwriting0(void);
+void test___fwriting1(void);
+
+void
+test___fwriting0(void)
+{
+        FILE    *fp;
+        int      r;
+
+        fp = fopen(TMPFILENAME, "w");   /* write only */
+        assert(fp != NULL);
+        assert(__fwriting(fp) != 0);    /* writing is true immediately */
+        r = fputs("Hello world\n", fp);
+        assert(r >= 0);
+        r = fclose(fp);
+        assert(r == 0);
+
+        fp = fopen(TMPFILENAME, "a");   /* append only */
+        assert(fp != NULL);
+        assert(__fwriting(fp) != 0);    /* writing immediately */
+        r = fclose(fp);
+        assert(r == 0);
+}
+
+void
+test___fwriting1(void)
+{
+        FILE    *fp;
+        int      r;
+
+        fp = fopen(TMPFILENAME, "w+");  /* read / write */
+        assert(fp != NULL);
+        r = fputs("Hello world\n", fp);
+        assert(r >= 0);
+        assert(__fwriting(fp) != 0);
+        rewind(fp);
+        assert(fgetc(fp) == 'H');       /* read */
+        assert(__fwriting(fp) == 0);    /* writing becomes false */
+        fputc('e', fp);
+        assert(__fwriting(fp) != 0);    /* writing becomes true */
+        ungetc('e', fp);
+        assert(__fwriting(fp) == 0);    /* ungetc -> writing becomes false */
+
+        r = fclose(fp);
+        assert(r == 0);
+}
+
+int
+main(int argc, char *argv[])
+{
+        test___fwriting0();
+        test___fwriting1();
+
+        exit(0);
+}
diff --git a/src/regress/lib/libc/stdio/test_fflush.c b/src/regress/lib/libc/stdio/test_fflush.c
new file mode 100644
index 0000000000..a0586b7d14
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test_fflush.c
@@ -0,0 +1,345 @@
+/*      $OpenBSD: test_fflush.c,v 1.3 2025/06/08 08:53:53 yasuoka Exp $ */
+
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <assert.h>
+#include <locale.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <wchar.h>
+
+/* we use assert() */
+#undef  NDEBUG
+
+#define TMPFILENAME     "test_fflush.tmp"
+
+void setup(void);
+
+void test_fflush_read0(void);
+void test_fflush_read1(void);
+void test_fflush_read2(void);
+void test_fflush_read3(void);
+void test_fflush_read4(void);
+void setupw(void);
+void test_fflush_read5(void);
+void test_fflush_read6(void);
+
+void
+setup(void)
+{
+        FILE    *fp;
+
+        /* common setup */
+        unlink(TMPFILENAME);
+        fp = fopen(TMPFILENAME, "w+");
+        assert(fp != NULL);
+        fputs("Hello world\n", fp);
+        fclose(fp);
+}
+
+/* fflush work with reading file and seekable */
+void
+test_fflush_read0(void)
+{
+        int      r;
+        char     buf[80];
+        FILE    *fp;
+
+        setup();
+
+        /* In POSIX 2008, fflush() must work with the file object for reading */
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+        assert(fgetc(fp) == 'H');
+        r = fflush(fp);
+        assert(r == 0);
+
+        /* the position is moved to 1 */
+        assert(ftell(fp) == 1);
+
+        /* can read rest of that */
+        fgets(buf, sizeof(buf), fp);
+        assert(strcmp(buf, "ello world\n") == 0);
+        r = fclose(fp);
+        assert(r == 0);
+}
+
+/* fflush work with reading file and seekable + unget */
+void
+test_fflush_read1(void)
+{
+        int      r;
+        char     buf[80];
+        FILE    *fp;
+
+        setup();
+
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+        assert(fgetc(fp) == 'H');
+        assert(fgetc(fp) == 'e');
+        assert(fgetc(fp) == 'l');
+        assert(fgetc(fp) == 'l');
+        assert(fgetc(fp) == 'o');
+
+        /* push the 'AAAA' back */
+        ungetc('A', fp);
+        ungetc('A', fp);
+        ungetc('A', fp);
+        ungetc('A', fp);
+
+        /* can read rest of that */
+        fgets(buf, sizeof(buf), fp);
+        assert(strcmp(buf, "AAAA world\n") == 0);
+        r = fclose(fp);
+        assert(r == 0);
+
+        /* do the same thing + fflush */
+
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+        assert(fgetc(fp) == 'H');
+        assert(fgetc(fp) == 'e');
+        assert(fgetc(fp) == 'l');
+        assert(fgetc(fp) == 'l');
+        assert(fgetc(fp) == 'o');
+
+        /* push 'AAAA' back */
+        ungetc('A', fp);
+        ungetc('A', fp);
+        ungetc('A', fp);
+        ungetc('A', fp);
+
+        /* then fflush */
+        r = fflush(fp);
+        assert(r == 0);
+
+        /* fllush() clears the all pushed back chars */
+
+        /* can read rest of that */
+        fgets(buf, sizeof(buf), fp);
+        assert(strcmp(buf, " world\n") == 0);
+        r = fclose(fp);
+        assert(r == 0);
+}
+
+/* fflush() to reading and non-seekable stream */
+void
+test_fflush_read2(void)
+{
+        int      r;
+        FILE    *fp;
+        char     buf[80];
+
+        /* In POSIX-2008, fflush() must work with the file object for reading */
+        fp = popen("echo Hello world", "r");
+        assert(fp != NULL);
+        assert(fgetc(fp) == 'H');
+        r = fflush(fp);
+        assert(r == 0);
+
+        /*
+         * FILE object for read and NOT seekable.  In that case, fflush does
+         * nothing, but must keep the buffer.
+         */
+
+        /* can read rest of that */
+        fgets(buf, sizeof(buf), fp);
+        assert(strcmp(buf, "ello world\n") == 0);
+        r = pclose(fp);
+        assert(r == 0);
+}
+
+/* fflush() to the file which doesn't have any buffer */
+void
+test_fflush_read3(void)
+{
+        int      r;
+        FILE    *fp;
+
+        setup();
+
+        /* In POSIX-2008, fflush() must work with the file object for reading */
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+        r = fflush(fp);
+        assert(r == 0);
+        r = fclose(fp);
+        assert(r == 0);
+}
+
+/* freopen() should call fflush() internal */
+void
+test_fflush_read4(void)
+{
+        int      r;
+        FILE    *fp;
+        off_t    pos;
+        char     buf[80];
+
+        setup();
+
+        /* In POSIX-2008, fflush() must work with the file object for reading */
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+
+        assert(fgetc(fp) == 'H');       /* read 1 */
+
+        pos = lseek(fileno(fp), 0, SEEK_CUR);
+        assert(pos >= 1);
+        assert(pos > 1);        /* this test assume the buffer is used */
+
+        /* freopen() should call fflush() internal */
+        fp = freopen(TMPFILENAME, "r", fp);
+        assert(fp != NULL);
+
+        /* can read rest of that on fp */
+        fgets(buf, sizeof(buf), fp);
+        assert(strcmp(buf, "Hello world\n") == 0);
+
+        r = fclose(fp);
+        assert(r == 0);
+}
+
+void
+setupw(void)
+{
+        FILE    *fp;
+
+        /* common setup */
+        unlink(TMPFILENAME);
+        fp = fopen(TMPFILENAME, "w+");
+        assert(fp != NULL);
+        /* Konnitiwa Sekai(in Kanji) */
+        fputws(L"\u3053\u3093\u306b\u3061\u308f \u4e16\u754c\n", fp);
+        fclose(fp);
+}
+
+/* fflush work with reading file and seekable + ungetwc */
+void
+test_fflush_read5(void)
+{
+        int      r;
+        wchar_t  buf[80];
+        FILE    *fp;
+
+        setupw();
+
+        fp = fopen(TMPFILENAME, "r");
+
+        assert(fp != NULL);
+        assert(fgetwc(fp) == L'\u3053');        /* Ko */
+        assert(fgetwc(fp) == L'\u3093');        /* N  */
+        assert(fgetwc(fp) == L'\u306b');        /* Ni */
+        assert(fgetwc(fp) == L'\u3061');        /* Ti */
+        assert(fgetwc(fp) == L'\u308f');        /* Wa */
+
+        /* push 263A(smile) back */
+        assert(ungetwc(L'\u263a', fp));
+
+        /* we support 1 push back wchar_t */
+        assert(fgetwc(fp) == L'\u263a');
+
+        /* can read reset of that */
+        fgetws(buf, sizeof(buf), fp);
+        assert(wcscmp(buf, L" \u4e16\u754c\n") == 0);
+
+        r = fclose(fp);
+        assert(r == 0);
+
+        /* do the same thing + fflush */
+        fp = fopen(TMPFILENAME, "r");
+
+        assert(fp != NULL);
+        assert(fgetwc(fp) == L'\u3053');        /* Ko */
+        assert(fgetwc(fp) == L'\u3093');        /* N  */
+        assert(fgetwc(fp) == L'\u306b');        /* Ni */
+        assert(fgetwc(fp) == L'\u3061');        /* Ti */
+        assert(fgetwc(fp) == L'\u308f');        /* Wa */
+
+        /* push 263A(smile) back */
+        assert(ungetwc(L'\u263a', fp));
+
+        /* we support 1 push back wchar_t */
+        assert(fgetwc(fp) == L'\u263a');
+
+        /* then fflush */
+        r = fflush(fp);
+        assert(r == 0);
+
+        /* fllush() clears the all pushed back chars */
+
+        /* can read rest of that */
+        fgetws(buf, sizeof(buf), fp);
+        assert(wcscmp(buf, L" \u4e16\u754c\n") == 0);
+        r = fclose(fp);
+        assert(r == 0);
+}
+
+void
+test_fflush_read6(void)
+{
+        int      r, c;
+        FILE    *fp;
+
+        setup();
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+
+        /*
+         * https://pubs.opengroup.org/onlinepubs/9699919799/functions/fflush.html
+         * .. any characters pushed back onto the stream by ungetc() or ungetwc()
+         * that have not subsequently been read from the stream shall be discarded
+         * (without further changing the file offset).
+         */
+
+        assert(fgetc(fp) == 'H');
+        c = getc(fp);
+        ungetc(c, fp);  /* push back the character has been read */
+        r = fflush(fp);
+        assert(r == 0);
+        assert(getc(fp) == c);
+
+        fseek(fp, 0, SEEK_SET);
+        assert(fgetc(fp) == 'H');
+        c = getc(fp);
+        ungetc('X', fp); /* push back the character has not been read */
+        r = fflush(fp);
+        assert(r == 0);
+        assert(getc(fp) == 'l');
+
+        r = fclose(fp);
+        assert(r == 0);
+}
+
+int
+main(int argc, char *argv[])
+{
+        setlocale(LC_ALL, "C.UTF-8");
+
+        test_fflush_read0();
+        test_fflush_read1();
+        test_fflush_read2();
+        test_fflush_read3();
+        test_fflush_read4();
+        test_fflush_read5();
+        test_fflush_read6();
+
+        exit(0);
+}
diff --git a/src/regress/lib/libc/stdio/test_ungetwc.c b/src/regress/lib/libc/stdio/test_ungetwc.c
new file mode 100644
index 0000000000..bb4e853020
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test_ungetwc.c
@@ -0,0 +1,90 @@
+/*      $OpenBSD: test_ungetwc.c,v 1.1 2025/05/25 05:32:45 yasuoka Exp $        */
+
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <locale.h>
+#include <wchar.h>
+
+/* we use assert() */
+#undef  NDEBUG
+
+#define TMPFILENAME     "test_ungetwc.tmp"
+
+void setupw(void);
+void test_fflush_ungetwc0(void);
+
+void
+setupw(void)
+{
+        FILE    *fp;
+
+        /* common setup */
+        unlink(TMPFILENAME);
+        fp = fopen(TMPFILENAME, "w+");
+        assert(fp != NULL);
+        /* Konnitiwa Sekai(in Kanji) */
+        fputws(L"\u3053\u3093\u306b\u3061\u308f \u4e16\u754c\n", fp);
+        fclose(fp);
+}
+
+/* fflush work with reading file and seekable + ungetwc */
+void
+test_fflush_ungetwc0(void)
+{
+        int      r;
+        wchar_t  buf[80];
+        FILE    *fp;
+
+        setupw();
+
+        fp = fopen(TMPFILENAME, "r");
+
+        assert(fp != NULL);
+        assert(fgetwc(fp) == L'\u3053');        /* Ko */
+        assert(fgetwc(fp) == L'\u3093');        /* N  */
+        assert(fgetwc(fp) == L'\u306b');        /* Ni */
+        assert(fgetwc(fp) == L'\u3061');        /* Ti */
+        assert(fgetwc(fp) == L'\u308f');        /* Wa */
+
+        /* push 263A(smile) back */
+        assert(ungetwc(L'\u263a', fp));
+
+        /* we support 1 push back wchar_t */
+        assert(fgetwc(fp) == L'\u263a');
+
+        /* can read reset of that */
+        fgetws(buf, sizeof(buf), fp);
+        assert(wcscmp(buf, L" \u4e16\u754c\n") == 0);
+
+        r = fclose(fp);
+        assert(r == 0);
+}
+
+int
+main(int argc, char *argv[])
+{
+        setlocale(LC_ALL, "C.UTF-8");
+
+        test_fflush_ungetwc0();
+
+        exit(0);
+}
diff --git a/src/regress/lib/libc/time/time_conversion/timetest.c b/src/regress/lib/libc/time/time_conversion/timetest.c
index 0706704ee1..1405f1c6a5 100644
--- a/src/regress/lib/libc/time/time_conversion/timetest.c
+++ b/src/regress/lib/libc/time/time_conversion/timetest.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: timetest.c,v 1.4 2023/04/13 11:32:06 mbuhl Exp $ */
+/*      $OpenBSD: timetest.c,v 1.5 2025/08/17 08:43:03 phessler Exp $ */
 
 /*
  * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
@@ -79,12 +79,12 @@ struct timetest timetests[] = {
                         .tm_yday=171,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
                 .descr="moon",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=-16751025,
                 .local_tm=              {
                         .tm_year=69,
@@ -97,7 +97,7 @@ struct timetest timetests[] = {
                         .tm_yday=171,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                 },
                 .gmt_tm=                {
                         .tm_year=69,
@@ -110,7 +110,7 @@ struct timetest timetests[] = {
                         .tm_yday=171,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -141,7 +141,7 @@ struct timetest timetests[] = {
                         .tm_yday=171,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -172,12 +172,12 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
                 .descr="epoch",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=0,
                 .local_tm=              {
                         .tm_year=70,
@@ -190,7 +190,7 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                 },
                 .gmt_tm=                {
                         .tm_year=70,
@@ -203,7 +203,7 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -234,7 +234,7 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -265,12 +265,12 @@ struct timetest timetests[] = {
                         .tm_yday=364,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
                 .descr="epoch - 1",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=-1,
                 .local_tm=              {
                         .tm_year=69,
@@ -283,7 +283,7 @@ struct timetest timetests[] = {
                         .tm_yday=364,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                 },
                 .gmt_tm=                {
                         .tm_year=69,
@@ -296,7 +296,7 @@ struct timetest timetests[] = {
                         .tm_yday=364,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -327,7 +327,7 @@ struct timetest timetests[] = {
                         .tm_yday=364,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -358,12 +358,12 @@ struct timetest timetests[] = {
                         .tm_yday=346,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
                 .descr="legacy min",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=-2147483648,
                 .local_tm=              {
                         .tm_year=1,
@@ -376,7 +376,7 @@ struct timetest timetests[] = {
                         .tm_yday=346,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                 },
                 .gmt_tm=                {
                         .tm_year=1,
@@ -389,7 +389,7 @@ struct timetest timetests[] = {
                         .tm_yday=346,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -420,12 +420,12 @@ struct timetest timetests[] = {
                         .tm_yday=346,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
                 .descr="legacy min - 1",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=-2147483649,
                 .local_tm=              {
                         .tm_year=1,
@@ -438,7 +438,7 @@ struct timetest timetests[] = {
                         .tm_yday=346,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                 },
                 .gmt_tm=                {
                         .tm_year=1,
@@ -451,7 +451,7 @@ struct timetest timetests[] = {
                         .tm_yday=346,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -482,12 +482,12 @@ struct timetest timetests[] = {
                         .tm_yday=18,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
                 .descr="legacy max",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=2147483647,
                 .local_tm=              {
                         .tm_year=138,
@@ -500,7 +500,7 @@ struct timetest timetests[] = {
                         .tm_yday=18,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                 },
                 .gmt_tm=                {
                         .tm_year=138,
@@ -513,7 +513,7 @@ struct timetest timetests[] = {
                         .tm_yday=18,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -544,12 +544,12 @@ struct timetest timetests[] = {
                         .tm_yday=18,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
                 .descr="legacy max + 1",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=2147483648,
                 .local_tm=              {
                         .tm_year=138,
@@ -562,7 +562,7 @@ struct timetest timetests[] = {
                         .tm_yday=18,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                 },
                 .gmt_tm=                {
                         .tm_year=138,
@@ -575,7 +575,7 @@ struct timetest timetests[] = {
                         .tm_yday=18,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -611,7 +611,7 @@ struct timetest timetests[] = {
         },
         {
                 .descr="min",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=INT64_MIN,
                 .local_tm=              {
                         .tm_year=0,
@@ -704,7 +704,7 @@ struct timetest timetests[] = {
         },
         {
                 .descr="max",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=9223372036854775807,
                 .local_tm=              {
                         .tm_year=0,
@@ -792,7 +792,7 @@ struct timetest timetests[] = {
                         .tm_yday=30,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -823,12 +823,12 @@ struct timetest timetests[] = {
                         .tm_yday=30,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
                 .descr="maxint struct tm",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=67767976204675199,
                 .local_tm=              {
                         .tm_year=2147481747,
@@ -841,7 +841,7 @@ struct timetest timetests[] = {
                         .tm_yday=30,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                 },
                 .gmt_tm=                {
                         .tm_year=2147481747,
@@ -854,12 +854,12 @@ struct timetest timetests[] = {
                         .tm_yday=30,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
                 .descr="minint struct tm",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=-67768038398073601,
                 .local_tm=              {
                         .tm_year=-2147483578,
@@ -872,7 +872,7 @@ struct timetest timetests[] = {
                         .tm_yday=30,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                 },
                 .gmt_tm=                {
                         .tm_year=-2147483578,
@@ -885,7 +885,7 @@ struct timetest timetests[] = {
                         .tm_yday=30,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -916,12 +916,12 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
                 .descr="0000",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=-62167219200,
                 .local_tm=              {
                         .tm_year=-1900,
@@ -934,7 +934,7 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                 },
                 .gmt_tm=                {
                         .tm_year=-1900,
@@ -947,7 +947,7 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -978,7 +978,7 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1009,12 +1009,12 @@ struct timetest timetests[] = {
                         .tm_yday=364,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
                 .descr="9999",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=253402300799,
                 .local_tm=              {
                         .tm_year=8099,
@@ -1027,7 +1027,7 @@ struct timetest timetests[] = {
                         .tm_yday=364,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                 },
                 .gmt_tm=                {
                         .tm_year=8099,
@@ -1040,7 +1040,7 @@ struct timetest timetests[] = {
                         .tm_yday=364,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1071,7 +1071,7 @@ struct timetest timetests[] = {
                         .tm_yday=364,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1102,7 +1102,7 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1133,7 +1133,7 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1164,12 +1164,12 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
                 .descr="leap second - 1",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=1483228825,
                 .local_tm=              {
                         .tm_year=116,
@@ -1182,7 +1182,7 @@ struct timetest timetests[] = {
                         .tm_yday=365,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                 },
                 .gmt_tm=                {
                         .tm_year=117,
@@ -1195,12 +1195,12 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
                 .descr="leap second",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=1483228826,
                 .local_tm=              {
                         .tm_year=116,
@@ -1213,7 +1213,7 @@ struct timetest timetests[] = {
                         .tm_yday=365,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                 },
                 .gmt_tm=                {
                         .tm_year=117,
@@ -1226,12 +1226,12 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
                 .descr="leap second + 1",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                 .time=1483228827,
                 .local_tm=              {
                         .tm_year=117,
@@ -1244,7 +1244,7 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                 },
                 .gmt_tm=                {
                         .tm_year=117,
@@ -1257,7 +1257,7 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1288,7 +1288,7 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1319,7 +1319,7 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1350,7 +1350,7 @@ struct timetest timetests[] = {
                         .tm_yday=0,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1381,7 +1381,7 @@ struct timetest timetests[] = {
                         .tm_yday=72,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1412,7 +1412,7 @@ struct timetest timetests[] = {
                         .tm_yday=72,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1443,7 +1443,7 @@ struct timetest timetests[] = {
                         .tm_yday=72,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1474,7 +1474,7 @@ struct timetest timetests[] = {
                         .tm_yday=72,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1505,7 +1505,7 @@ struct timetest timetests[] = {
                         .tm_yday=72,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1536,7 +1536,7 @@ struct timetest timetests[] = {
                         .tm_yday=72,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1567,7 +1567,7 @@ struct timetest timetests[] = {
                         .tm_yday=310,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1598,7 +1598,7 @@ struct timetest timetests[] = {
                         .tm_yday=310,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1629,7 +1629,7 @@ struct timetest timetests[] = {
                         .tm_yday=310,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1660,7 +1660,7 @@ struct timetest timetests[] = {
                         .tm_yday=310,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1691,7 +1691,7 @@ struct timetest timetests[] = {
                         .tm_yday=310,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
@@ -1722,7 +1722,7 @@ struct timetest timetests[] = {
                         .tm_yday=310,
                         .tm_isdst=0,
                         .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                 },
         },
         {
diff --git a/src/regress/lib/libcrypto/aes/aes_test.c b/src/regress/lib/libcrypto/aes/aes_test.c
index 37bee05ca7..8d5947a031 100644
--- a/src/regress/lib/libcrypto/aes/aes_test.c
+++ b/src/regress/lib/libcrypto/aes/aes_test.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: aes_test.c,v 1.3 2023/09/28 08:21:43 tb Exp $ */
+/*      $OpenBSD: aes_test.c,v 1.5 2025/07/05 14:32:47 jsing Exp $ */
 /*
  * Copyright (c) 2022 Joshua Sing <joshua@hypera.dev>
  *
@@ -524,6 +524,161 @@ static const struct aes_test aes_tests[] = {
                 },
                 .out_len = 64,
         },
+
+        /* XTS128 - Test vectors from NIST SP 800-38A */
+        {
+                /* XTSGenAES128 1 */
+                .mode = NID_aes_128_xts,
+                .key = {
+                        0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35,
+                        0x3b, 0x2c, 0x34, 0x38, 0x76, 0x08, 0x17, 0x62,
+                        0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
+                        0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f,
+                },
+                .iv = {
+                        0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6,
+                        0x6e, 0x4b, 0x92, 0x01, 0x3e, 0x76, 0x8a, 0xd5,
+                },
+                .iv_len = 16,
+                .in = {
+                        0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d,
+                        0x6f, 0xb3, 0x50, 0x39, 0x07, 0x90, 0x31, 0x1c,
+                },
+                .in_len = 16,
+                .out = {
+                        0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a,
+                        0x82, 0x50, 0x81, 0xd5, 0xbe, 0x47, 0x1c, 0x63,
+                },
+                .out_len = 16,
+        },
+        {
+                /* XTSGenAES128 385 */
+                .mode = NID_aes_128_xts,
+                .key = {
+                        0xb8, 0xdb, 0x0b, 0x9e, 0x63, 0xf5, 0xf0, 0xe6,
+                        0x60, 0x97, 0x98, 0xa6, 0xcb, 0x42, 0xbb, 0x5b,
+                        0x5d, 0x71, 0x39, 0xbb, 0x95, 0x57, 0x99, 0xf5,
+                        0x2a, 0x7c, 0x58, 0x1f, 0x84, 0x63, 0x31, 0x76,
+                },
+                .iv = {
+                        0x8d, 0x46, 0xf9, 0x67, 0x01, 0x16, 0x7a, 0x1d,
+                        0x77, 0xcd, 0x1e, 0x44, 0xda, 0x92, 0xf3, 0xa8,
+                },
+                .iv_len = 16,
+                .in = {
+                        0xb4, 0x64, 0x4d, 0xc1, 0xb3, 0x8d, 0xd5, 0x98,
+                        0xca, 0x84, 0x0a, 0x82, 0xd4, 0xd9, 0xc0, 0x65,
+                        0x67, 0x23, 0xb1, 0x58, 0x01, 0xaa, 0x18, 0xe6,
+                        0x6e,
+                },
+                .in_len = 25,
+                .out = {
+                        0x09, 0x28, 0x8c, 0xf5, 0x1f, 0x1e, 0xb4, 0xad,
+                        0xb8, 0x54, 0x23, 0xd0, 0xe0, 0xd6, 0xe9, 0x58,
+                        0x18, 0x87, 0x06, 0xaf, 0x26, 0x0e, 0x24, 0x67,
+                        0x4e,
+                },
+                .out_len = 25,
+        },
+        {
+                /* XTSGenAES128 404 */
+                .mode = NID_aes_128_xts,
+                .key = {
+                        0xbe, 0x5c, 0xf1, 0xf9, 0x9d, 0x51, 0x59, 0xf2,
+                        0x11, 0xdb, 0xc4, 0xc1, 0x47, 0xf7, 0x9c, 0x55,
+                        0x6b, 0x2d, 0xa5, 0xc6, 0x91, 0xde, 0xed, 0x74,
+                        0x0d, 0x01, 0x57, 0xea, 0xb8, 0xc9, 0xc8, 0x9a,
+                },
+                .iv = {
+                        0x89, 0x24, 0x86, 0x24, 0xb6, 0x96, 0xcf, 0x9c,
+                        0xb1, 0xb5, 0x77, 0x9c, 0xdc, 0xbc, 0xfe, 0x1c,
+                },
+                .iv_len = 16,
+                .in = {
+                        0x3b, 0x80, 0xf8, 0x22, 0xc4, 0xee, 0xe1, 0x31,
+                        0x3f, 0x79, 0xca, 0x3d, 0xb1, 0x34, 0xd9, 0xca,
+                        0x8b, 0x09, 0xa3, 0x53, 0x4d, 0x4e, 0x18, 0xe6,
+                        0x43, 0x9e, 0x1c, 0xdb, 0x86, 0x18, 0x2a, 0x4f,
+                },
+                .in_len = 32,
+                .out = {
+                        0x4b, 0x6a, 0xf4, 0x3a, 0x88, 0xb6, 0x33, 0xeb,
+                        0xd1, 0xe1, 0x27, 0xc1, 0xec, 0x90, 0xcc, 0x47,
+                        0xa2, 0xf1, 0x6e, 0x3b, 0xc7, 0x9f, 0x88, 0x45,
+                        0xe3, 0xbd, 0x00, 0x25, 0xda, 0x87, 0x26, 0x45,
+                },
+                .out_len = 32,
+        },
+        {
+                /* XTSGenAES256 1 */
+                .mode = NID_aes_256_xts,
+                .key = {
+                        0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e,
+                        0x48, 0x01, 0xe4, 0x2f, 0x4b, 0x09, 0x47, 0x14,
+                        0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,
+                        0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c,
+                        0xd6, 0xe1, 0x3f, 0xfd, 0xf2, 0x41, 0x8d, 0x8d,
+                        0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,
+                        0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58,
+                        0x31, 0x8e, 0xea, 0x39, 0x2c, 0xf4, 0x1b, 0x08,
+                },
+                .iv = {
+                        0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2,
+                        0xf0, 0x42, 0x8e, 0x84, 0xa9, 0xf8, 0x75, 0x64,
+                },
+                .iv_len = 16,
+                .in = {
+                        0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1,
+                        0xac, 0xc6, 0x47, 0xe8, 0x10, 0xbb, 0xc3, 0x64,
+                        0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,
+                        0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e,
+                },
+                .in_len = 32,
+                .out = {
+                        0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5,
+                        0x0b, 0x37, 0xf9, 0x34, 0xd4, 0x6a, 0x9b, 0x13,
+                        0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,
+                        0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb,
+                },
+                .out_len = 32,
+        },
+        {
+                /* XTSGenAES256 172 */
+                .mode = NID_aes_256_xts,
+                .key= {
+                        0x5c, 0x7f, 0x7a, 0x36, 0x08, 0x01, 0x78, 0x43,
+                        0x00, 0x83, 0xff, 0x54, 0x92, 0xef, 0x77, 0x26,
+                        0x0f, 0x68, 0x0a, 0x15, 0xa7, 0x66, 0x24, 0xb8,
+                        0x9e, 0x85, 0x4c, 0x94, 0xf0, 0x48, 0x8a, 0x9e,
+                        0x7d, 0xaa, 0x4f, 0x33, 0x01, 0x1f, 0x91, 0xdf,
+                        0x5e, 0x33, 0x80, 0x53, 0xf4, 0x6c, 0xee, 0x65,
+                        0x0f, 0xb0, 0xee, 0x69, 0xf8, 0xc2, 0x15, 0x75,
+                        0x5a, 0x4a, 0x63, 0xcd, 0x42, 0x28, 0xc2, 0x19,
+                },
+                .iv = {
+                        0xa4, 0x01, 0xd7, 0x3c, 0x88, 0x75, 0xe7, 0x59,
+                        0xaa, 0x3e, 0xef, 0x53, 0xe0, 0xfb, 0x62, 0x63,
+                },
+                .iv_len = 16,
+                .in = {
+                        0xb1, 0xe6, 0x29, 0xa6, 0x2a, 0x03, 0xca, 0x96,
+                        0x9b, 0x16, 0x91, 0x52, 0x02, 0xbc, 0xaa, 0x09,
+                        0xe7, 0x8a, 0xe1, 0x85, 0x1b, 0xc8, 0x85, 0x81,
+                        0x16, 0x49, 0x68, 0xa5, 0x65, 0x6c, 0x82, 0xc0,
+                        0xe5, 0xc4, 0x03, 0xba, 0x54, 0xb9, 0xb5, 0xed,
+                        0x9b, 0xab, 0xe8, 0xb0, 0x75, 0x1d, 0x1b, 0x34,
+                },
+                .in_len = 48,
+                .out = {
+                        0xf5, 0xbc, 0xa6, 0x0f, 0xb9, 0x35, 0x2b, 0x1d,
+                        0xe0, 0x4d, 0x71, 0x29, 0x40, 0x56, 0x26, 0xb3,
+                        0xa4, 0x74, 0xa2, 0x64, 0xfb, 0xac, 0x2d, 0x6b,
+                        0xe1, 0x19, 0xe1, 0xd5, 0x7a, 0xa9, 0x98, 0xd0,
+                        0xe0, 0xe4, 0xd9, 0xf9, 0xc9, 0x76, 0x21, 0x0d,
+                        0x93, 0xc4, 0x65, 0xa3, 0xe3, 0x60, 0xcd, 0x92,
+                },
+                .out_len = 48,
+        },
 };
 
 #define N_AES_TESTS (sizeof(aes_tests) / sizeof(aes_tests[0]))
@@ -542,7 +697,10 @@ aes_ecb_test(size_t test_number, const char *label, int key_bits,
 
         /* Encryption */
         memset(out, 0, sizeof(out));
-        AES_set_encrypt_key(at->key, key_bits, &key);
+        if (AES_set_encrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_encrypt_key failed\n", label, test_number);
+                return 0;
+        }
         AES_ecb_encrypt(at->in, out, &key, 1);
 
         if (memcmp(at->out, out, at->out_len) != 0) {
@@ -553,7 +711,10 @@ aes_ecb_test(size_t test_number, const char *label, int key_bits,
 
         /* Decryption */
         memset(out, 0, sizeof(out));
-        AES_set_decrypt_key(at->key, key_bits, &key);
+        if (AES_set_decrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_decrypt_key failed\n", label, test_number);
+                return 0;
+        }
         AES_ecb_encrypt(at->out, out, &key, 0);
 
         if (memcmp(at->in, out, at->in_len) != 0) {
@@ -582,7 +743,10 @@ aes_cbc_test(size_t test_number, const char *label, int key_bits,
         /* Encryption */
         memset(out, 0, sizeof(out));
         memcpy(iv, at->iv, at->iv_len);
-        AES_set_encrypt_key(at->key, key_bits, &key);
+        if (AES_set_encrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_encrypt_key failed\n", label, test_number);
+                return 0;
+        }
         AES_cbc_encrypt(at->in, out, at->in_len, &key, iv, 1);
 
         if (memcmp(at->out, out, at->out_len) != 0) {
@@ -594,7 +758,10 @@ aes_cbc_test(size_t test_number, const char *label, int key_bits,
         /* Decryption */
         memset(out, 0, sizeof(out));
         memcpy(iv, at->iv, at->iv_len);
-        AES_set_decrypt_key(at->key, key_bits, &key);
+        if (AES_set_decrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_decrypt_key failed\n", label, test_number);
+                return 0;
+        }
         AES_cbc_encrypt(at->out, out, at->out_len, &key, iv, 0);
 
         if (memcmp(at->in, out, at->in_len) != 0) {
@@ -607,6 +774,96 @@ aes_cbc_test(size_t test_number, const char *label, int key_bits,
 }
 
 static int
+aes_cfb128_test(size_t test_number, const char *label, int key_bits,
+    const struct aes_test *at)
+{
+        AES_KEY key;
+        uint8_t out[64];
+        uint8_t iv[16];
+        int num = 0;
+
+        /* CFB mode has no padding */
+
+        /* Encryption */
+        memset(out, 0, sizeof(out));
+        memcpy(iv, at->iv, at->iv_len);
+        if (AES_set_encrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_encrypt_key failed\n", label, test_number);
+                return 0;
+        }
+        AES_cfb128_encrypt(at->in, out, at->in_len, &key, iv, &num, AES_ENCRYPT);
+
+        if (memcmp(at->out, out, at->out_len) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): encryption mismatch\n",
+                    label, test_number);
+                return 0;
+        }
+
+        /* Decryption */
+        memset(out, 0, sizeof(out));
+        memcpy(iv, at->iv, at->iv_len);
+        num = 0;
+        if (AES_set_encrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_encrypt_key failed\n", label, test_number);
+                return 0;
+        }
+        AES_cfb128_encrypt(at->out, out, at->out_len, &key, iv, &num, AES_DECRYPT);
+
+        if (memcmp(at->in, out, at->in_len) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): decryption mismatch\n",
+                    label, test_number);
+                return 0;
+        }
+
+        return 1;
+}
+
+static int
+aes_ofb128_test(size_t test_number, const char *label, int key_bits,
+    const struct aes_test *at)
+{
+        AES_KEY key;
+        uint8_t out[64];
+        uint8_t iv[16];
+        int num = 0;
+
+        /* OFB mode has no padding */
+
+        /* Encryption */
+        memset(out, 0, sizeof(out));
+        memcpy(iv, at->iv, at->iv_len);
+        if (AES_set_encrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_encrypt_key failed\n", label, test_number);
+                return 0;
+        }
+        AES_ofb128_encrypt(at->in, out, at->in_len, &key, iv, &num);
+
+        if (memcmp(at->out, out, at->out_len) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): encryption mismatch\n",
+                    label, test_number);
+                return 0;
+        }
+
+        /* Decryption */
+        memset(out, 0, sizeof(out));
+        memcpy(iv, at->iv, at->iv_len);
+        num = 0;
+        if (AES_set_encrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_encrypt_key failed\n", label, test_number);
+                return 0;
+        }
+        AES_ofb128_encrypt(at->out, out, at->out_len, &key, iv, &num);
+
+        if (memcmp(at->in, out, at->in_len) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): decryption mismatch\n",
+                    label, test_number);
+                return 0;
+        }
+
+        return 1;
+}
+
+static int
 aes_evp_test(size_t test_number, const struct aes_test *at, const char *label,
     int key_bits, const EVP_CIPHER *cipher)
 {
@@ -649,6 +906,10 @@ aes_evp_test(size_t test_number, const struct aes_test *at, const char *label,
                 if (in_len > at->in_len - i)
                         in_len = at->in_len - i;
 
+                /* XTS needs to be single shot. */
+                if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_XTS_MODE)
+                        in_len = at->in_len;
+
                 if (!EVP_EncryptUpdate(ctx, out + total_len, &out_len,
                     at->in + i, in_len)) {
                         fprintf(stderr,
@@ -715,6 +976,10 @@ aes_evp_test(size_t test_number, const struct aes_test *at, const char *label,
                 if (in_len > at->out_len - i)
                         in_len = at->out_len - i;
 
+                /* XTS needs to be single shot. */
+                if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_XTS_MODE)
+                        in_len = at->in_len;
+
                 if (!EVP_DecryptUpdate(ctx, out + total_len, &out_len,
                     at->out + i, in_len)) {
                         fprintf(stderr,
@@ -881,6 +1146,16 @@ aes_cipher_from_nid(int nid, const char **out_label,
                 *out_cipher = EVP_aes_256_ccm();
                 break;
 
+        /* XTS */
+        case NID_aes_128_xts:
+                *out_label = SN_aes_128_xts;
+                *out_cipher = EVP_aes_128_xts();
+                break;
+        case NID_aes_256_xts:
+                *out_label = SN_aes_256_xts;
+                *out_cipher = EVP_aes_256_xts();
+                break;
+
         /* Unknown */
         default:
                 return 0;
@@ -902,8 +1177,10 @@ aes_test(void)
         for (i = 0; i < N_AES_TESTS; i++) {
                 at = &aes_tests[i];
                 key_bits = aes_key_bits_from_nid(at->mode);
-                if (!aes_cipher_from_nid(at->mode, &label, &cipher))
+                if (!aes_cipher_from_nid(at->mode, &label, &cipher)) {
+                        fprintf(stderr, "unknown cipher\n");
                         goto failed;
+                }
 
                 switch (at->mode) {
                 /* ECB */
@@ -926,14 +1203,16 @@ aes_test(void)
                 case NID_aes_128_cfb128:
                 case NID_aes_192_cfb128:
                 case NID_aes_256_cfb128:
-                        /* XXX - CFB128 non-EVP tests */
+                        if (!aes_cfb128_test(i, label, key_bits, at))
+                                goto failed;
                         break;
 
                 /* OFB128 */
                 case NID_aes_128_ofb128:
                 case NID_aes_192_ofb128:
                 case NID_aes_256_ofb128:
-                        /* XXX - OFB128 non-EVP tests */
+                        if (!aes_ofb128_test(i, label, key_bits, at))
+                                goto failed;
                         break;
 
                 /* GCM */
@@ -947,7 +1226,13 @@ aes_test(void)
                 case NID_aes_128_ccm:
                 case NID_aes_192_ccm:
                 case NID_aes_256_ccm:
-                        /* XXX - CCM non-EVP tests */
+                        /* CCM is EVP-only */
+                        break;
+
+                /* XTS */
+                case NID_aes_128_xts:
+                case NID_aes_256_xts:
+                        /* XTS is EVP-only */
                         break;
 
                 /* Unknown */
diff --git a/src/regress/lib/libcrypto/asn1/asn1time.c b/src/regress/lib/libcrypto/asn1/asn1time.c
index 7223ad9c9b..e0e5139808 100644
--- a/src/regress/lib/libcrypto/asn1/asn1time.c
+++ b/src/regress/lib/libcrypto/asn1/asn1time.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1time.c,v 1.30 2024/07/21 13:25:11 tb Exp $ */
+/* $OpenBSD: asn1time.c,v 1.31 2025/05/22 04:54:14 joshua Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2024 Google Inc.
@@ -33,6 +33,7 @@ struct asn1_time_test {
         const char *data;
         const unsigned char der[32];
         time_t time;
+        int generalized_time;
 };
 
 static const struct asn1_time_test asn1_invtime_tests[] = {
@@ -73,20 +74,19 @@ static const struct asn1_time_test asn1_invtime_tests[] = {
         {
                 .str = "aaaaaaaaaaaaaaZ",
         },
-        /* utc time with omitted seconds, should fail */
         {
+                /* UTC time with omitted seconds, should fail */
                 .str = "1609082343Z",
         },
-};
-
-static const struct asn1_time_test asn1_invgentime_tests[] = {
-        /* Generalized time with omitted seconds, should fail */
         {
+                /* Generalized time with omitted seconds, should fail */
                 .str = "201612081934Z",
+                .generalized_time = 1,
         },
-        /* Valid UTC time, should fail as a generalized time */
         {
+                /* Valid UTC time, should fail as a generalized time */
                 .str = "160908234300Z",
+                .generalized_time = 1,
         },
 };
 
@@ -235,7 +235,7 @@ asn1_compare_str(int test_no, const struct asn1_string_st *asn1str,
 }
 
 static int
-asn1_invtime_test(int test_no, const struct asn1_time_test *att, int gen)
+asn1_invtime_test(int test_no, const struct asn1_time_test *att)
 {
         ASN1_GENERALIZEDTIME *gt = NULL;
         ASN1_UTCTIME *ut = NULL;
@@ -255,7 +255,7 @@ asn1_invtime_test(int test_no, const struct asn1_time_test *att, int gen)
                 goto done;
         }
 
-        if (gen)  {
+        if (att->generalized_time)  {
                 failure = 0;
                 goto done;
         }
@@ -842,13 +842,7 @@ main(int argc, char **argv)
         fprintf(stderr, "Invalid time tests...\n");
         for (i = 0; i < N_INVTIME_TESTS; i++) {
                 att = &asn1_invtime_tests[i];
-                failed |= asn1_invtime_test(i, att, 0);
-        }
-
-        fprintf(stderr, "Invalid generalized time tests...\n");
-        for (i = 0; i < N_INVGENTIME_TESTS; i++) {
-                att = &asn1_invgentime_tests[i];
-                failed |= asn1_invtime_test(i, att, 1);
+                failed |= asn1_invtime_test(i, att);
         }
 
         fprintf(stderr, "GENERALIZEDTIME tests...\n");
diff --git a/src/regress/lib/libcrypto/bio/bio_dump.c b/src/regress/lib/libcrypto/bio/bio_dump.c
index 22db80fa3d..fd2bb285fb 100644
--- a/src/regress/lib/libcrypto/bio/bio_dump.c
+++ b/src/regress/lib/libcrypto/bio/bio_dump.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bio_dump.c,v 1.4 2024/02/09 12:48:32 tb Exp $ */
+/*      $OpenBSD: bio_dump.c,v 1.5 2025/05/18 06:41:51 tb Exp $ */
 /*
  * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
  *
@@ -809,7 +809,7 @@ bio_dump_test(const struct bio_dump_testcase *tc)
                     tc->indent, ret, got_len, strlen(tc->output));
                 goto err;
         }
-        if (strncmp(tc->output, got, got_len) != 0) {
+        if (got_len > 0 && strncmp(tc->output, got, got_len) != 0) {
                 fprintf(stderr, "%d: mismatch\n", tc->indent);
                 goto err;
         }
diff --git a/src/regress/lib/libcrypto/bn/bn_mul_div.c b/src/regress/lib/libcrypto/bn/bn_mul_div.c
index 625d5e318e..dbad01004e 100644
--- a/src/regress/lib/libcrypto/bn/bn_mul_div.c
+++ b/src/regress/lib/libcrypto/bn/bn_mul_div.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_mul_div.c,v 1.7 2023/06/21 07:18:10 jsing Exp $ */
+/*      $OpenBSD: bn_mul_div.c,v 1.8 2025/08/12 10:29:35 jsing Exp $ */
 /*
  * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
  *
@@ -233,6 +233,13 @@ struct benchmark benchmarks[] = {
                 .b_bits = 256,
         },
         {
+                .desc = "BN_mul (384 bit x 384 bit)",
+                .setup = benchmark_bn_mul_setup,
+                .run_once = benchmark_bn_mul_run_once,
+                .a_bits = 384,
+                .b_bits = 384,
+        },
+        {
                 .desc = "BN_mul (512 bit x 512 bit)",
                 .setup = benchmark_bn_mul_setup,
                 .run_once = benchmark_bn_mul_run_once,
@@ -294,6 +301,12 @@ struct benchmark benchmarks[] = {
                 .a_bits = 256,
         },
         {
+                .desc = "BN_sqr (384 bit)",
+                .setup = benchmark_bn_sqr_setup,
+                .run_once = benchmark_bn_sqr_run_once,
+                .a_bits = 384,
+        },
+        {
                 .desc = "BN_sqr (512 bit)",
                 .setup = benchmark_bn_sqr_setup,
                 .run_once = benchmark_bn_sqr_run_once,
diff --git a/src/regress/lib/libcrypto/c2sp/Makefile b/src/regress/lib/libcrypto/c2sp/Makefile
index d16d06975b..73ee0b8c22 100644
--- a/src/regress/lib/libcrypto/c2sp/Makefile
+++ b/src/regress/lib/libcrypto/c2sp/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.5 2025/04/27 08:51:24 tb Exp $
+# $OpenBSD: Makefile,v 1.7 2025/07/23 07:35:21 tb Exp $
 
 C2SP_TESTVECTORS = /usr/local/share/c2sp-testvectors/
 
@@ -13,12 +13,12 @@ PROGS += cctv
 SRCS_cctv =
 
 cctv: cctv.go
-        go build -o $@ ${.CURDIR}/cctv.go
+        env GOCACHE=${.OBJDIR}/go-build go build -o $@ ${.CURDIR}/cctv.go
 
 OSSL_LIB =      /usr/local/lib/eopenssl
 OSSL_INC =      /usr/local/include/eopenssl
 
-. for V in 33 34 35
+. for V in 35
 .  if exists(/usr/local/bin/eopenssl$V)
 PROGS +=        cctv-openssl$V
 SRCS_cctv-openssl$V =
@@ -29,10 +29,17 @@ CGO_LDFLAGS_$V += 	-L${OSSL_LIB}$V
 
 cctv-openssl$V: cctv.go
         env CGO_CFLAGS="${CGO_CFLAGS_$V}" CGO_LDFLAGS="${CGO_LDFLAGS_$V}" \
+            GOCACHE=${.OBJDIR}/go-build \
             go build -o $@ ${.CURDIR}/cctv.go
 .  endif
 . endfor
 
+REGRESS_CLEANUP =       clean-go-cache
+
+clean-go-cache:
+        env GOCACHE=${.OBJDIR}/go-build go clean -cache
+        rm -rf ${.OBJDIR}/go-build
+
 .endif
 
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/certs/Makefile b/src/regress/lib/libcrypto/certs/Makefile
index 621c60907f..f7ba9fcad8 100644
--- a/src/regress/lib/libcrypto/certs/Makefile
+++ b/src/regress/lib/libcrypto/certs/Makefile
@@ -1,21 +1,24 @@
-#       $OpenBSD: Makefile,v 1.1 2020/07/14 18:27:28 jsing Exp $
+#       $OpenBSD: Makefile,v 1.2 2025/07/09 05:04:35 tb Exp $
 
-.if ! (make(clean) || make(cleandir) || make(obj))
-GO_VERSION != sh -c "(go version) 2>/dev/null || true"
-.endif
-
-.if empty(GO_VERSION)
+.if !exists(/usr/local/bin/go)
 regress:
         @echo package go is required for this regress
         @echo SKIPPED
-.endif
+.else
 
 REGRESS_TARGETS=regress-go-verify
+REGRESS_CLEANUP=clean-go-cache
 
 certs:
         cd ${.CURDIR} && sh ./make-certs.sh
 
 regress-go-verify:
-        cd ${.CURDIR} && go test -test.v .
+        cd ${.CURDIR} && env GOCACHE=${.OBJDIR}/go-build go test -test.v .
+
+clean-go-cache:
+        env GOCACHE=${.OBJDIR}/go-build go clean -cache
+        rm -rf ${.OBJDIR}/go-build
+
+.endif
 
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/ec/Makefile b/src/regress/lib/libcrypto/ec/Makefile
index b21eacb4bc..1d976c77d0 100644
--- a/src/regress/lib/libcrypto/ec/Makefile
+++ b/src/regress/lib/libcrypto/ec/Makefile
@@ -1,12 +1,13 @@
-#       $OpenBSD: Makefile,v 1.11 2025/03/08 20:09:35 tb Exp $
+#       $OpenBSD: Makefile,v 1.13 2025/08/03 08:29:39 jsing Exp $
 
-.ifdef EOPENSSL33
-LDADD +=        -Wl,-rpath,/usr/local/lib/eopenssl33 -L/usr/local/lib/eopenssl33
-CFLAGS +=       -I/usr/local/include/eopenssl33/
+.ifdef EOPENSSL35
+LDADD +=        -Wl,-rpath,/usr/local/lib/eopenssl35 -L/usr/local/lib/eopenssl35
+CFLAGS +=       -I/usr/local/include/eopenssl35/
 CFLAGS +=       -DOPENSSL_SUPPRESS_DEPRECATED
 .endif
 
 PROGS +=        ectest
+PROGS +=        ec_arithmetic
 PROGS +=        ec_asn1_test
 PROGS +=        ec_point_conversion
 
diff --git a/src/regress/lib/libcrypto/ec/ec_arithmetic.c b/src/regress/lib/libcrypto/ec/ec_arithmetic.c
new file mode 100644
index 0000000000..c6f7cd4f8c
--- /dev/null
+++ b/src/regress/lib/libcrypto/ec/ec_arithmetic.c
@@ -0,0 +1,210 @@
+/*      $OpenBSD: ec_arithmetic.c,v 1.1 2025/08/03 08:29:39 jsing Exp $ */
+/*
+ * Copyright (c) 2022,2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/time.h>
+
+#include <err.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include <openssl/bn.h>
+#include <openssl/ec.h>
+#include <openssl/objects.h>
+
+static void
+benchmark_ec_point_add(const EC_GROUP *group, EC_POINT *result,
+    const BIGNUM *scalar, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+{
+        if (!EC_POINT_add(group, result, a, b, ctx))
+                errx(1, "EC_POINT_add");
+}
+
+static void
+benchmark_ec_point_dbl(const EC_GROUP *group, EC_POINT *result,
+    const BIGNUM *scalar, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+{
+        if (!EC_POINT_dbl(group, result, a, ctx))
+                errx(1, "EC_POINT_dbl");
+}
+
+static void
+benchmark_ec_point_mul_generator(const EC_GROUP *group, EC_POINT *result,
+    const BIGNUM *scalar, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+{
+        if (!EC_POINT_mul(group, result, scalar, NULL, NULL, ctx))
+                errx(1, "EC_POINT_mul");
+}
+
+struct benchmark {
+        int curve;
+        const char *desc;
+        void (*func)(const EC_GROUP *, EC_POINT *, const BIGNUM *,
+            const EC_POINT *, const EC_POINT *, BN_CTX *);
+};
+
+static const struct benchmark benchmarks[] = {
+        {
+                .curve = NID_X9_62_prime256v1,
+                .desc = "EC_POINT_add() p256",
+                .func = benchmark_ec_point_add,
+        },
+        {
+                .curve = NID_secp384r1,
+                .desc = "EC_POINT_add() p384",
+                .func = benchmark_ec_point_add,
+        },
+        {
+                .curve = NID_secp521r1,
+                .desc = "EC_POINT_add() p521",
+                .func = benchmark_ec_point_add,
+        },
+        {
+                .curve = NID_X9_62_prime256v1,
+                .desc = "EC_POINT_dbl() p256",
+                .func = benchmark_ec_point_dbl,
+        },
+        {
+                .curve = NID_secp384r1,
+                .desc = "EC_POINT_dbl() p384",
+                .func = benchmark_ec_point_dbl,
+        },
+        {
+                .curve = NID_secp521r1,
+                .desc = "EC_POINT_dbl() p521",
+                .func = benchmark_ec_point_dbl,
+        },
+        {
+                .curve = NID_X9_62_prime256v1,
+                .desc = "EC_POINT_mul() generator p256",
+                .func = benchmark_ec_point_mul_generator,
+        },
+        {
+                .curve = NID_secp384r1,
+                .desc = "EC_POINT_mul() generator p384",
+                .func = benchmark_ec_point_mul_generator,
+        },
+        {
+                .curve = NID_secp521r1,
+                .desc = "EC_POINT_mul() generator p521",
+                .func = benchmark_ec_point_mul_generator,
+        },
+};
+
+#define N_BENCHMARKS (sizeof(benchmarks) / sizeof(benchmarks[0]))
+
+static volatile sig_atomic_t benchmark_stop;
+
+static void
+benchmark_sig_alarm(int sig)
+{
+        benchmark_stop = 1;
+}
+
+static void
+benchmark_run(const struct benchmark *bm, int seconds)
+{
+        struct timespec start, end, duration;
+        EC_GROUP *group = NULL;
+        EC_POINT *a = NULL, *b = NULL, *result = NULL;
+        BIGNUM *order = NULL, *scalar = NULL;
+        BN_CTX *ctx = NULL;
+        int i;
+
+        signal(SIGALRM, benchmark_sig_alarm);
+
+        if ((ctx = BN_CTX_new()) == NULL)
+                errx(1, "BN_CTX_new");
+
+        if ((group = EC_GROUP_new_by_curve_name(bm->curve)) == NULL)
+                errx(1, "EC_GROUP_new_by_curve_name");
+        if ((order = BN_new()) == NULL)
+                errx(1, "BN_new");
+        if (!EC_GROUP_get_order(group, order, ctx))
+                errx(1, "EC_GROUP_get_order");
+
+        if ((scalar = BN_new()) == NULL)
+                errx(1, "BN_new");
+        if (!BN_rand_range(scalar, order))
+                errx(1, "BN_rand_range");
+        if (!BN_set_bit(scalar, EC_GROUP_order_bits(group) - 1))
+                errx(1, "BN_set_bit");
+
+        if ((result = EC_POINT_new(group)) == NULL)
+                errx(1, "EC_POINT_new");
+        if ((a = EC_POINT_new(group)) == NULL)
+                errx(1, "EC_POINT_new");
+        if ((b = EC_POINT_new(group)) == NULL)
+                errx(1, "EC_POINT_new");
+
+        if (!EC_POINT_mul(group, a, scalar, NULL, NULL, ctx))
+                errx(1, "EC_POINT_mul");
+        if (!EC_POINT_mul(group, b, scalar, NULL, NULL, ctx))
+                errx(1, "EC_POINT_mul");
+
+        benchmark_stop = 0;
+        i = 0;
+        alarm(seconds);
+
+        clock_gettime(CLOCK_MONOTONIC, &start);
+
+        fprintf(stderr, "Benchmarking %s for %ds: ", bm->desc, seconds);
+        while (!benchmark_stop) {
+                bm->func(group, result, scalar, a, b, ctx);
+                i++;
+        }
+        clock_gettime(CLOCK_MONOTONIC, &end);
+        timespecsub(&end, &start, &duration);
+        fprintf(stderr, "%d iterations in %f seconds\n", i,
+            duration.tv_sec + duration.tv_nsec / 1000000000.0);
+
+        EC_GROUP_free(group);
+        EC_POINT_free(result);
+        EC_POINT_free(a);
+        EC_POINT_free(b);
+        BN_free(order);
+        BN_free(scalar);
+        BN_CTX_free(ctx);
+}
+
+static void
+benchmark_ec_mul_single(void)
+{
+        const struct benchmark *bm;
+        size_t i;
+
+        for (i = 0; i < N_BENCHMARKS; i++) {
+                bm = &benchmarks[i];
+                benchmark_run(bm, 5);
+        }
+}
+
+int
+main(int argc, char **argv)
+{
+        int benchmark = 0, failed = 0;
+
+        if (argc == 2 && strcmp(argv[1], "--benchmark") == 0)
+                benchmark = 1;
+
+        if (benchmark && !failed)
+                benchmark_ec_mul_single();
+
+        return failed;
+}
diff --git a/src/regress/lib/libcrypto/ec/ec_asn1_test.c b/src/regress/lib/libcrypto/ec/ec_asn1_test.c
index 03358e69ca..50e6304baf 100644
--- a/src/regress/lib/libcrypto/ec/ec_asn1_test.c
+++ b/src/regress/lib/libcrypto/ec/ec_asn1_test.c
@@ -1,7 +1,7 @@
-/* $OpenBSD: ec_asn1_test.c,v 1.32 2025/03/08 20:09:35 tb Exp $ */
+/* $OpenBSD: ec_asn1_test.c,v 1.36 2025/07/23 07:42:33 tb Exp $ */
 /*
  * Copyright (c) 2017, 2021 Joel Sing <jsing@openbsd.org>
- * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
+ * Copyright (c) 2024, 2025 Theo Buehler <tb@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -17,12 +17,17 @@
  */
 
 #include <err.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/bio.h>
+#include <openssl/bn.h>
 #include <openssl/ec.h>
 #include <openssl/err.h>
 #include <openssl/objects.h>
+#include <openssl/sha.h>
 
 #include "ec_local.h"
 
@@ -1281,126 +1286,6 @@ static const struct ec_private_key {
                 },
         },
         {
-                .name = "prime239v1",
-                .der_len = 115,
-                .der = {
-                        0x30, 0x71, 0x02, 0x01, 0x01, 0x04, 0x1e, 0x6e,
-                        0x26, 0x5e, 0xde, 0x5b, 0x67, 0xd6, 0x38, 0x52,
-                        0xe7, 0x1e, 0x8d, 0x44, 0xb1, 0xfb, 0xf8, 0xaf,
-                        0xf9, 0x94, 0x2c, 0xe2, 0x0d, 0xa8, 0x5f, 0x03,
-                        0x67, 0x53, 0x7b, 0x8b, 0x2e, 0xa0, 0x0a, 0x06,
-                        0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01,
-                        0x04, 0xa1, 0x40, 0x03, 0x3e, 0x00, 0x04, 0x33,
-                        0xc6, 0xe5, 0x8a, 0xc1, 0x8b, 0x7c, 0x96, 0x19,
-                        0xc9, 0xe1, 0x54, 0x7f, 0x81, 0x9e, 0x59, 0x62,
-                        0xec, 0xc0, 0x1e, 0xe5, 0x53, 0xd5, 0xae, 0x6b,
-                        0xd3, 0xe0, 0x09, 0x07, 0xc5, 0x27, 0x81, 0xa6,
-                        0x8d, 0x39, 0x8e, 0xfe, 0x01, 0xc2, 0x1d, 0xda,
-                        0xde, 0x7b, 0xdc, 0x76, 0x27, 0x17, 0xf9, 0x6f,
-                        0xe3, 0x04, 0xef, 0x5d, 0x65, 0x75, 0x98, 0x7f,
-                        0x2d, 0xd0, 0x68,
-                },
-                .hex =  "0433C6E58AC18B7C"
-                        "9619C9E1547F819E"
-                        "5962ECC01EE553D5"
-                        "AE6BD3E00907C527"
-                        "81A68D398EFE01C2"
-                        "1DDADE7BDC762717"
-                        "F96FE304EF5D6575"
-                        "987F2DD068",
-                .oct_len = 61,
-                .oct = {
-                        0x04, 0x33, 0xc6, 0xe5, 0x8a, 0xc1, 0x8b, 0x7c,
-                        0x96, 0x19, 0xc9, 0xe1, 0x54, 0x7f, 0x81, 0x9e,
-                        0x59, 0x62, 0xec, 0xc0, 0x1e, 0xe5, 0x53, 0xd5,
-                        0xae, 0x6b, 0xd3, 0xe0, 0x09, 0x07, 0xc5, 0x27,
-                        0x81, 0xa6, 0x8d, 0x39, 0x8e, 0xfe, 0x01, 0xc2,
-                        0x1d, 0xda, 0xde, 0x7b, 0xdc, 0x76, 0x27, 0x17,
-                        0xf9, 0x6f, 0xe3, 0x04, 0xef, 0x5d, 0x65, 0x75,
-                        0x98, 0x7f, 0x2d, 0xd0, 0x68,
-                },
-        },
-        {
-                .name = "prime239v2",
-                .der_len = 115,
-                .der = {
-                        0x30, 0x71, 0x02, 0x01, 0x01, 0x04, 0x1e, 0x30,
-                        0x2f, 0x01, 0x10, 0xe9, 0x09, 0x15, 0xdd, 0xe3,
-                        0xdd, 0xae, 0xcb, 0x9d, 0x3a, 0x58, 0x92, 0x02,
-                        0x1e, 0x6e, 0x02, 0x57, 0xa8, 0x36, 0x0b, 0x20,
-                        0x0b, 0x7e, 0xf4, 0xad, 0x0b, 0xa0, 0x0a, 0x06,
-                        0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01,
-                        0x05, 0xa1, 0x40, 0x03, 0x3e, 0x00, 0x04, 0x3c,
-                        0x10, 0x27, 0x7b, 0xac, 0xdf, 0x86, 0xc9, 0x4f,
-                        0xf8, 0x39, 0x87, 0x02, 0x39, 0xaf, 0x41, 0xbc,
-                        0x4b, 0x67, 0xd8, 0x5e, 0x04, 0x96, 0x84, 0xb5,
-                        0x60, 0x50, 0x48, 0x6a, 0x20, 0x1d, 0x2b, 0x7e,
-                        0x9f, 0xaf, 0xf8, 0x8e, 0x7e, 0xa4, 0xcd, 0x00,
-                        0xad, 0xb1, 0xad, 0x22, 0x69, 0x32, 0x10, 0x6c,
-                        0xe0, 0xcc, 0xdd, 0x45, 0xd8, 0xa6, 0x29, 0x2f,
-                        0xad, 0x6b, 0xf9,
-                },
-                .hex =  "043C10277BACDF86"
-                        "C94FF839870239AF"
-                        "41BC4B67D85E0496"
-                        "84B56050486A201D"
-                        "2B7E9FAFF88E7EA4"
-                        "CD00ADB1AD226932"
-                        "106CE0CCDD45D8A6"
-                        "292FAD6BF9",
-                .oct_len = 61,
-                .oct = {
-                        0x04, 0x3c, 0x10, 0x27, 0x7b, 0xac, 0xdf, 0x86,
-                        0xc9, 0x4f, 0xf8, 0x39, 0x87, 0x02, 0x39, 0xaf,
-                        0x41, 0xbc, 0x4b, 0x67, 0xd8, 0x5e, 0x04, 0x96,
-                        0x84, 0xb5, 0x60, 0x50, 0x48, 0x6a, 0x20, 0x1d,
-                        0x2b, 0x7e, 0x9f, 0xaf, 0xf8, 0x8e, 0x7e, 0xa4,
-                        0xcd, 0x00, 0xad, 0xb1, 0xad, 0x22, 0x69, 0x32,
-                        0x10, 0x6c, 0xe0, 0xcc, 0xdd, 0x45, 0xd8, 0xa6,
-                        0x29, 0x2f, 0xad, 0x6b, 0xf9,
-                },
-        },
-        {
-                .name = "prime239v3",
-                .der_len = 115,
-                .der = {
-                        0x30, 0x71, 0x02, 0x01, 0x01, 0x04, 0x1e, 0x26,
-                        0x3f, 0x23, 0x4c, 0xe7, 0xbd, 0xa8, 0xe4, 0xfe,
-                        0x7c, 0xf6, 0x18, 0x6a, 0xb2, 0xa6, 0x39, 0x15,
-                        0x6d, 0x72, 0xe8, 0x9e, 0x3f, 0x0f, 0x10, 0x1e,
-                        0xe5, 0xdf, 0xac, 0xe8, 0x2f, 0xa0, 0x0a, 0x06,
-                        0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01,
-                        0x06, 0xa1, 0x40, 0x03, 0x3e, 0x00, 0x04, 0x37,
-                        0xba, 0x07, 0x7f, 0xd9, 0x46, 0x5a, 0x33, 0x03,
-                        0x31, 0x77, 0x38, 0xef, 0xee, 0xcc, 0x3d, 0xe1,
-                        0xaa, 0x57, 0xe3, 0x8d, 0xb7, 0xcd, 0xe3, 0x01,
-                        0xf4, 0xd6, 0x75, 0x49, 0x72, 0x61, 0x4c, 0xbf,
-                        0xc0, 0x1f, 0x8b, 0x5f, 0x98, 0x9b, 0xa7, 0xe5,
-                        0x6a, 0xb7, 0xfe, 0x63, 0xdb, 0xb0, 0x40, 0xcb,
-                        0x26, 0x81, 0x2a, 0x91, 0x14, 0x0f, 0xc7, 0x31,
-                        0x13, 0x78, 0x16,
-                },
-                .hex =  "0437BA077FD9465A"
-                        "3303317738EFEECC"
-                        "3DE1AA57E38DB7CD"
-                        "E301F4D675497261"
-                        "4CBFC01F8B5F989B"
-                        "A7E56AB7FE63DBB0"
-                        "40CB26812A91140F"
-                        "C731137816",
-                .oct_len = 61,
-                .oct = {
-                        0x04, 0x37, 0xba, 0x07, 0x7f, 0xd9, 0x46, 0x5a,
-                        0x33, 0x03, 0x31, 0x77, 0x38, 0xef, 0xee, 0xcc,
-                        0x3d, 0xe1, 0xaa, 0x57, 0xe3, 0x8d, 0xb7, 0xcd,
-                        0xe3, 0x01, 0xf4, 0xd6, 0x75, 0x49, 0x72, 0x61,
-                        0x4c, 0xbf, 0xc0, 0x1f, 0x8b, 0x5f, 0x98, 0x9b,
-                        0xa7, 0xe5, 0x6a, 0xb7, 0xfe, 0x63, 0xdb, 0xb0,
-                        0x40, 0xcb, 0x26, 0x81, 0x2a, 0x91, 0x14, 0x0f,
-                        0xc7, 0x31, 0x13, 0x78, 0x16,
-                },
-        },
-        {
                 .name = "prime256v1",
                 .der_len = 121,
                 .der = {
@@ -2468,6 +2353,197 @@ ec_group_check_private_keys(void)
         return failed;
 }
 
+static void
+ec_group_sha1_bignum(BIGNUM *out, const BIGNUM *in)
+{
+        char md[SHA_DIGEST_LENGTH];
+        unsigned char *bin;
+        size_t bin_len;
+
+        if (BN_num_bytes(in) <= 0)
+                errx(1, "%s: invalid bignum", __func__);
+
+        bin_len = BN_num_bytes(in);
+        if ((bin = calloc(1, bin_len)) == NULL)
+                err(1, "calloc");
+        if (BN_bn2bin(in, bin) <= 0)
+                errx(1, "BN_bn2bin");
+
+        SHA1(bin, bin_len, md);
+        free(bin);
+
+        if (BN_bin2bn(md, sizeof(md), out) == NULL)
+                errx(1, "BN_bin2bn");
+}
+
+static int
+ec_group_check_seed(const EC_builtin_curve *curve, BN_CTX *ctx)
+{
+        EC_GROUP *group = NULL;
+        BIGNUM *p, *a, *b, *pow2, *r, *seed_bn, *w;
+        const unsigned char *seed;
+        size_t seed_len;
+        int i, g, h, s, t;
+        int failed = 1;
+
+        if ((group = EC_GROUP_new_by_curve_name(curve->nid)) == NULL)
+                errx(1, "EC_GROUP_new_by_curve_name");
+
+        BN_CTX_start(ctx);
+
+        if ((p = BN_CTX_get(ctx)) == NULL)
+                errx(1, "p = BN_CTX_get()");
+        if ((a = BN_CTX_get(ctx)) == NULL)
+                errx(1, "a = BN_CTX_get()");
+        if ((b = BN_CTX_get(ctx)) == NULL)
+                errx(1, "b = BN_CTX_get()");
+        if ((r = BN_CTX_get(ctx)) == NULL)
+                errx(1, "r = BN_CTX_get()");
+        if ((pow2 = BN_CTX_get(ctx)) == NULL)
+                errx(1, "pow2 = BN_CTX_get()");
+        if ((seed_bn = BN_CTX_get(ctx)) == NULL)
+                errx(1, "seed_bn = BN_CTX_get()");
+        if ((w = BN_CTX_get(ctx)) == NULL)
+                errx(1, "w = BN_CTX_get()");
+
+        /*
+         * If the curve has a seed, verify that its parameters a and b have
+         * been selected using that seed, loosely following X9.62, F.3.4.b.
+         * Otherwise there's nothing to do.
+         */
+        if ((seed = EC_GROUP_get0_seed(group)) == NULL)
+                goto done;
+        seed_len = EC_GROUP_get_seed_len(group);
+
+        /*
+         * This isn't a requirement but happens to be the case for NIST
+         * curves - the only built-in curves that have a seed.
+         */
+        if (seed_len != SHA_DIGEST_LENGTH) {
+                fprintf(stderr, "%s FAIL: unexpected seed length. "
+                    "want %d, got %zu\n", __func__, SHA_DIGEST_LENGTH, seed_len);
+                goto err;
+        }
+
+        /* Seed length in bits, per F.3.3.b. */
+        g = 8 * seed_len;
+
+        /*
+         * Prepare to build the verifiably random element r of GFp by
+         * concatenating the SHA-1 of modifications of the seed as a number.
+         */
+        if (BN_bin2bn(seed, seed_len, seed_bn) == NULL)
+                errx(1, "BN_bin2bn");
+
+        if (!EC_GROUP_get_curve(group, p, a, b, ctx))
+                errx(1, "EC_GROUP_get_curve");
+
+        t = BN_num_bits(p);     /* bit length needed. */
+        s = (t - 1) / 160;      /* number of SHA-1 fitting in bit length. */
+        h = t - 160 * s;        /* remaining number of bits in r. */
+
+        /*
+         * Steps 1 - 3: compute hash of the seed and take h - 1 rightmost bits.
+         */
+
+        ec_group_sha1_bignum(r, seed_bn);
+        BN_zero(pow2);
+        if (!BN_set_bit(pow2, h - 1))
+                errx(1, "BN_set_bit");
+        if (!BN_mod(r, r, pow2, ctx))
+                errx(1, "BN_nnmod");
+
+        /*
+         * Steps 4 - 6: for i from 1 to s do Wi = SHA-1(SEED + i mod 2^g),
+         * With W0 = r as already computed, let r = W0 || W1 || ... || Ws.
+         */
+
+        BN_zero(pow2);
+        if (!BN_set_bit(pow2, g))
+                errx(1, "BN_set_bit");
+
+        for (i = 0; i < s; i++) {
+                /*
+                 * This is a bit silly since the seed isn't going to have all
+                 * its bits set, so BN_add_word(seed_bn, 1) would do, but for
+                 * the sake of correctness...
+                 */
+                if (!BN_mod_add(seed_bn, seed_bn, BN_value_one(), pow2, ctx))
+                        errx(1, "BN_mod_add");
+
+                ec_group_sha1_bignum(w, seed_bn);
+
+                if (!BN_lshift(r, r, 8 * SHA_DIGEST_LENGTH))
+                        errx(1, "BN_lshift");
+                if (!BN_add(r, r, w))
+                        errx(1, "BN_add");
+        }
+
+        /*
+         * Step 7: check that r * b^2 == a^3 (mod p)
+         */
+
+        /* Compute r = r * b^2 (mod p). */
+        if (!BN_mod_sqr(b, b, p, ctx))
+                errx(1, "BN_mod_sqr");
+        if (!BN_mod_mul(r, r, b, p, ctx))
+                errx(1, "BN_mod_mul");
+
+        /* Compute a = a^3 (mod p). */
+        if (!BN_mod_sqr(b, a, p, ctx))
+                errx(1, "BN_mod_sqr");
+        if (!BN_mod_mul(a, a, b, p, ctx))
+                errx(1, "BN_mod_mul");
+
+        /*
+         * XXX - this assumes that a, b, p >= 0, so the results are in [0, p).
+         * This is currently enforced in the EC code.
+         */
+        if (BN_cmp(r, a) != 0) {
+                fprintf(stderr, "FAIL: %s verification failed for %s\nr * b^2:\t",
+                    __func__, curve->comment);
+                BN_print_fp(stderr, r);
+                fprintf(stderr, "\na^3:\t\t");
+                BN_print_fp(stderr, a);
+                fprintf(stderr, "\n");
+                goto err;
+        }
+
+ done:
+        failed = 0;
+
+ err:
+        BN_CTX_end(ctx);
+        EC_GROUP_free(group);
+
+        return failed;
+}
+
+static int
+ec_group_check_seeds(void)
+{
+        BN_CTX *ctx = NULL;
+        EC_builtin_curve *all_curves = NULL;
+        size_t curve_id, ncurves;
+        int failed = 0;
+
+        if ((ctx = BN_CTX_new()) == NULL)
+                errx(1, "BN_CTX_new");
+
+        ncurves = EC_get_builtin_curves(NULL, 0);
+        if ((all_curves = calloc(ncurves, sizeof(*all_curves))) == NULL)
+                err(1, "calloc builtin curves");
+        EC_get_builtin_curves(all_curves, ncurves);
+
+        for (curve_id = 0; curve_id < ncurves; curve_id++)
+                failed |= ec_group_check_seed(&all_curves[curve_id], ctx);
+
+        free(all_curves);
+        BN_CTX_free(ctx);
+
+        return failed;
+}
+
 int
 main(int argc, char **argv)
 {
@@ -2479,6 +2555,7 @@ main(int argc, char **argv)
         failed |= ec_group_roundtrip_builtin_curves();
         failed |= ec_group_non_builtin_curves();
         failed |= ec_group_check_private_keys();
+        failed |= ec_group_check_seeds();
 
         return failed;
 }
diff --git a/src/regress/lib/libcrypto/ec/ectest.c b/src/regress/lib/libcrypto/ec/ectest.c
index fc44f9c886..3e81954174 100644
--- a/src/regress/lib/libcrypto/ec/ectest.c
+++ b/src/regress/lib/libcrypto/ec/ectest.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ectest.c,v 1.35 2025/01/24 11:49:13 tb Exp $  */
+/*      $OpenBSD: ectest.c,v 1.36 2025/07/23 07:40:07 tb Exp $  */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -71,14 +71,11 @@
 
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
-#include <time.h>
 
+#include <openssl/bn.h>
+#include <openssl/crypto.h>
 #include <openssl/ec.h>
 #include <openssl/err.h>
-#include <openssl/obj_mac.h>
-#include <openssl/objects.h>
-#include <openssl/bn.h>
 #include <openssl/opensslconf.h>
 
 #define ABORT do { \
diff --git a/src/regress/lib/libcrypto/evp/evp_pkey_cleanup.c b/src/regress/lib/libcrypto/evp/evp_pkey_cleanup.c
index d4825f68e8..1d2fa60be7 100644
--- a/src/regress/lib/libcrypto/evp/evp_pkey_cleanup.c
+++ b/src/regress/lib/libcrypto/evp/evp_pkey_cleanup.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: evp_pkey_cleanup.c,v 1.5 2024/02/29 20:02:00 tb Exp $ */
+/*      $OpenBSD: evp_pkey_cleanup.c,v 1.6 2025/05/21 03:53:20 kenjiro Exp $ */
 
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@@ -38,6 +38,8 @@ int pkey_ids[] = {
         EVP_PKEY_RSA,
         EVP_PKEY_RSA_PSS,
         EVP_PKEY_X25519,
+        EVP_PKEY_HKDF,
+        EVP_PKEY_TLS1_PRF,
 };
 
 static const size_t N_PKEY_IDS = sizeof(pkey_ids) / sizeof(pkey_ids[0]);
diff --git a/src/regress/lib/libcrypto/evp/evp_test.c b/src/regress/lib/libcrypto/evp/evp_test.c
index a699832c45..0bd8b4d092 100644
--- a/src/regress/lib/libcrypto/evp/evp_test.c
+++ b/src/regress/lib/libcrypto/evp/evp_test.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: evp_test.c,v 1.20 2024/07/09 17:24:12 tb Exp $ */
+/*      $OpenBSD: evp_test.c,v 1.21 2025/05/22 00:13:47 kenjiro Exp $ */
 /*
  * Copyright (c) 2017, 2022 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2023, 2024 Theo Buehler <tb@openbsd.org>
@@ -802,6 +802,85 @@ kdf_compare_bytes(const char *label, const unsigned char *d1, int len1,
 }
 
 static int
+evp_kdf_hkdf_basic(void)
+{
+        EVP_PKEY_CTX *pctx;
+        unsigned char out[42];
+        size_t outlen = sizeof(out);
+        int failed = 1;
+
+        /* Test vector from RFC 5869, Appendix A.1. */
+        const unsigned char ikm[] = {
+                0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                0x0b, 0x0b,
+        };
+        const unsigned char salt[] = {
+                0x00, 0x01, 0x02, 0x03, 0x04, 0x05,
+                0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+                0x0c,
+        };
+        const unsigned char info[] = {
+                0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5,
+                0xf6, 0xf7, 0xf8, 0xf9,
+        };
+        const unsigned char expected[42] = {
+                0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
+                0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
+                0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
+                0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
+                0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
+                0x58, 0x65,
+        };
+
+        if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL)) == NULL) {
+                fprintf(stderr, "FAIL: EVP_PKEY_CTX_new_id\n");
+                goto err;
+        }
+
+        if (EVP_PKEY_derive_init(pctx) <= 0) {
+                fprintf(stderr, "FAIL: EVP_PKEY_derive_init\n");
+                goto err;
+        }
+
+        if (EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()) <= 0) {
+                fprintf(stderr, "FAIL: EVP_PKEY_CTX_set_hkdf_md\n");
+                goto err;
+        }
+
+        if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, sizeof(salt)) <= 0) {
+                fprintf(stderr, "FAIL: EVP_PKEY_CTX_set1_hkdf_salt\n");
+                goto err;
+        }
+
+        if (EVP_PKEY_CTX_set1_hkdf_key(pctx, ikm, sizeof(ikm)) <= 0) {
+                fprintf(stderr, "FAIL: EVP_PKEY_CTX_set1_hkdf_key\n");
+                goto err;
+        }
+
+        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, sizeof(info)) <= 0) {
+                fprintf(stderr, "FAIL: EVP_PKEY_CTX_add1_hkdf_info\n");
+                goto err;
+        }
+
+        if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
+                fprintf(stderr, "FAIL: EVP_PKEY_derive\n");
+                goto err;
+        }
+
+        if (!kdf_compare_bytes("HKDF test", out, outlen, expected, sizeof(expected)))
+                goto err;
+
+        failed = 0;
+
+ err:
+        EVP_PKEY_CTX_free(pctx);
+        return failed;
+}
+
+static int
 evp_kdf_tls1_prf_basic(void)
 {
         EVP_PKEY_CTX *pctx;
@@ -1038,6 +1117,7 @@ main(int argc, char **argv)
         failed |= obj_name_do_all_test();
         failed |= evp_get_cipherbyname_test();
         failed |= evp_get_digestbyname_test();
+        failed |= evp_kdf_hkdf_basic();
         failed |= evp_kdf_tls1_prf_basic();
         failed |= evp_kdf_tls1_prf();
 
diff --git a/src/regress/lib/libcrypto/gcm128/gcm128test.c b/src/regress/lib/libcrypto/gcm128/gcm128test.c
index def7653c7b..78631979fe 100644
--- a/src/regress/lib/libcrypto/gcm128/gcm128test.c
+++ b/src/regress/lib/libcrypto/gcm128/gcm128test.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: gcm128test.c,v 1.7 2022/09/05 21:06:31 tb Exp $       */
+/*      $OpenBSD: gcm128test.c,v 1.8 2025/05/16 14:03:49 jsing Exp $    */
 /* ====================================================================
  * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
  *
@@ -57,11 +57,6 @@
 #include <openssl/aes.h>
 #include <openssl/modes.h>
 
-/* XXX - something like this should be in the public headers. */
-struct gcm128_context {
-        uint64_t opaque[64];
-};
-
 struct gcm128_test {
         const uint8_t K[128];
         size_t K_len;
@@ -856,7 +851,7 @@ struct gcm128_test gcm128_tests[] = {
 static int
 do_gcm128_test(int test_no, struct gcm128_test *tv)
 {
-        GCM128_CONTEXT ctx;
+        GCM128_CONTEXT *ctx;
         AES_KEY key;
         uint8_t *out = NULL;
         size_t out_len;
@@ -873,13 +868,16 @@ do_gcm128_test(int test_no, struct gcm128_test *tv)
 
         if (out_len != 0)
                 memset(out, 0, out_len);
-        CRYPTO_gcm128_init(&ctx, &key, (block128_f)AES_encrypt);
-        CRYPTO_gcm128_setiv(&ctx, tv->IV, tv->IV_len);
+
+        if ((ctx = CRYPTO_gcm128_new(&key, (block128_f)AES_encrypt)) == NULL)
+                err(1, "CRYPTO_gcm128_new");
+
+        CRYPTO_gcm128_setiv(ctx, tv->IV, tv->IV_len);
         if (tv->A_len > 0)
-                CRYPTO_gcm128_aad(&ctx, tv->A, tv->A_len);
+                CRYPTO_gcm128_aad(ctx, tv->A, tv->A_len);
         if (tv->P_len > 0)
-                CRYPTO_gcm128_encrypt(&ctx, tv->P, out, out_len);
-        if (CRYPTO_gcm128_finish(&ctx, tv->T, 16)) {
+                CRYPTO_gcm128_encrypt(ctx, tv->P, out, out_len);
+        if (CRYPTO_gcm128_finish(ctx, tv->T, 16)) {
                 fprintf(stderr, "TEST %d: CRYPTO_gcm128_finish failed\n",
                     test_no);
                 goto fail;
@@ -891,12 +889,12 @@ do_gcm128_test(int test_no, struct gcm128_test *tv)
 
         if (out_len != 0)
                 memset(out, 0, out_len);
-        CRYPTO_gcm128_setiv(&ctx, tv->IV, tv->IV_len);
+        CRYPTO_gcm128_setiv(ctx, tv->IV, tv->IV_len);
         if (tv->A_len > 0)
-                CRYPTO_gcm128_aad(&ctx, tv->A, tv->A_len);
+                CRYPTO_gcm128_aad(ctx, tv->A, tv->A_len);
         if (tv->C_len > 0)
-                CRYPTO_gcm128_decrypt(&ctx, tv->C, out, out_len);
-        if (CRYPTO_gcm128_finish(&ctx, tv->T, 16)) {
+                CRYPTO_gcm128_decrypt(ctx, tv->C, out, out_len);
+        if (CRYPTO_gcm128_finish(ctx, tv->T, 16)) {
                 fprintf(stderr, "TEST %d: CRYPTO_gcm128_finish failed\n",
                     test_no);
                 goto fail;
@@ -909,6 +907,8 @@ do_gcm128_test(int test_no, struct gcm128_test *tv)
         ret = 0;
 
 fail:
+        CRYPTO_gcm128_release(ctx);
+
         free(out);
         return (ret);
 }
diff --git a/src/regress/lib/libcrypto/man/check_complete.pl b/src/regress/lib/libcrypto/man/check_complete.pl
index 5f2d12ec73..3cbf02f16a 100755
--- a/src/regress/lib/libcrypto/man/check_complete.pl
+++ b/src/regress/lib/libcrypto/man/check_complete.pl
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-# Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+# Copyright (c) 2021,2022,2023,2024,2025 Ingo Schwarze <schwarze@openbsd.org>
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -30,6 +30,9 @@ my %internal = (
         BN_MASK2 BN_MASK2h BN_MASK2h1 BN_MASK2l
         BN_TBIT BN_ULLONG
     )],
+    conf => [qw(
+        conf_st conf_method_st
+    )],
     evp => [qw(
         ASN1_PKEY_CTRL_CMS_ENVELOPE ASN1_PKEY_CTRL_CMS_RI_TYPE
         ASN1_PKEY_CTRL_CMS_SIGN
@@ -116,7 +119,7 @@ my %postponed = (
 
 my $MANW = 'man -M /usr/share/man -w';
 my $srcdir = '/usr/src/lib/libcrypto/man';
-my $hfile = '/usr/include/openssl';
+my $hfile = '/usr/include';
 
 my $in_cplusplus = 0;
 my $in_comment = 0;
@@ -133,6 +136,7 @@ if (defined $ARGV[0] && $ARGV[0] eq '-v') {
         shift @ARGV;
 }
 $#ARGV == 0 or die "usage: $0 [-v] headername";
+$hfile .= "/openssl" unless $ARGV[0] eq 'tls';
 $hfile .= "/$ARGV[0].h";
 open my $in_fh, '<', $hfile or die "$hfile: $!";
 
@@ -236,6 +240,7 @@ try_again:
         # Uninteresting lines.
 
         if (/^\s*$/ ||
+            /^DECLARE_LHASH_OF\(\w+\);$/ ||
             /^DECLARE_STACK_OF\(\w+\)$/ ||
             /^DECLARE_PKCS12_STACK_OF\(\w+\)$/ ||
             /^TYPEDEF_D2I2D_OF\(\w+\);$/ ||
@@ -288,7 +293,7 @@ try_again:
                         print "D- $line\n" if $verbose;
                         next;
                 }
-                if ($id =~ /^(?:ASN1|BIO|BN|EVP|X509(?:V3)?)_[FR]_\w+$/) {
+                if ($id =~ /^(?:ASN1|BIO|BN|CONF|EVP|X509(?:V3)?)_[FR]_\w+$/) {
                         print "D- $line\n" if $verbose;
                         next;
                 }
diff --git a/src/regress/lib/libcrypto/md/Makefile b/src/regress/lib/libcrypto/md/Makefile
index 94bec95e05..1df57283b2 100644
--- a/src/regress/lib/libcrypto/md/Makefile
+++ b/src/regress/lib/libcrypto/md/Makefile
@@ -1,9 +1,15 @@
-#       $OpenBSD: Makefile,v 1.1.1.1 2022/09/02 13:34:48 tb Exp $
+#       $OpenBSD: Makefile,v 1.2 2025/05/22 03:24:47 joshua Exp $
 
-PROG=   md_test
-LDADD=  -lcrypto
-DPADD=  ${LIBCRYPTO}
-WARNINGS=       Yes
-CFLAGS+=        -DLIBRESSL_INTERNAL -Werror
+PROG =          md_test
+LDADD =         -lcrypto
+DPADD =         ${LIBCRYPTO}
+WARNINGS =      Yes
+CFLAGS +=       -DLIBRESSL_INTERNAL -Werror
+CFLAGS +=       -I${.CURDIR}/../test
+SRCS +=         md_test.c
+SRCS +=         test.c
+SRCS +=         test_util.c
+
+.PATH: ${.CURDIR}/../test
 
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/md/md_test.c b/src/regress/lib/libcrypto/md/md_test.c
index 590bb50ee3..752f2e4958 100644
--- a/src/regress/lib/libcrypto/md/md_test.c
+++ b/src/regress/lib/libcrypto/md/md_test.c
@@ -1,6 +1,6 @@
-/*      $OpenBSD: md_test.c,v 1.3 2025/01/19 10:17:39 tb Exp $ */
+/*      $OpenBSD: md_test.c,v 1.4 2025/05/22 03:24:47 joshua Exp $ */
 /*
- * Copyright (c) 2022 Joshua Sing <joshua@hypera.dev>
+ * Copyright (c) 2022, 2025 Joshua Sing <joshua@joshuasing.dev>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -22,6 +22,8 @@
 #include <stdint.h>
 #include <string.h>
 
+#include "test.h"
+
 struct md_test {
         const int algorithm;
         const uint8_t in[128];
@@ -30,7 +32,7 @@ struct md_test {
 };
 
 static const struct md_test md_tests[] = {
-        /* MD4 (RFC 1320 test vectors)  */
+        /* MD4 (RFC 1320 test vectors) */
         {
                 .algorithm = NID_md4,
                 .in = "",
@@ -99,7 +101,7 @@ static const struct md_test md_tests[] = {
                 }
         },
 
-        /* MD5 (RFC 1321 test vectors)  */
+        /* MD5 (RFC 1321 test vectors) */
         {
                 .algorithm = NID_md5,
                 .in = "",
@@ -175,25 +177,21 @@ typedef unsigned char *(*md_hash_func)(const unsigned char *, size_t,
     unsigned char *);
 
 static int
-md_hash_from_algorithm(int algorithm, const char **out_label,
-    md_hash_func *out_func, const EVP_MD **out_md, size_t *out_len)
+md_hash_from_algorithm(int algorithm, md_hash_func *out_func,
+    const EVP_MD **out_md, size_t *out_len)
 {
         switch (algorithm) {
         case NID_md4:
-                *out_label = SN_md4;
                 *out_func = MD4;
                 *out_md = EVP_md4();
                 *out_len = MD4_DIGEST_LENGTH;
                 break;
         case NID_md5:
-                *out_label = SN_md5;
                 *out_func = MD5;
                 *out_md = EVP_md5();
                 *out_len = MD5_DIGEST_LENGTH;
                 break;
         default:
-                fprintf(stderr, "FAIL: unknown algorithm (%d)\n",
-                        algorithm);
                 return 0;
         }
 
@@ -201,108 +199,100 @@ md_hash_from_algorithm(int algorithm, const char **out_label,
 }
 
 static void
-hexdump(const unsigned char *buf, size_t len)
-{
-        size_t i;
-
-        for (i = 1; i <= len; i++)
-                fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n");
-
-        fprintf(stderr, "\n");
-}
-
-static int
-md_test(void)
+test_md_tv(struct test *t, const void *arg)
 {
-        unsigned char *(*md_func)(const unsigned char *, size_t, unsigned char *);
-        const struct md_test *st;
-        EVP_MD_CTX *hash = NULL;
+        const struct md_test *st = arg;
+        md_hash_func md_func;
         const EVP_MD *md;
+        EVP_MD_CTX *hash = NULL;
         uint8_t out[EVP_MAX_MD_SIZE];
         size_t in_len, out_len;
-        size_t i;
-        const char *label;
-        int failed = 1;
 
-        if ((hash = EVP_MD_CTX_new()) == NULL) {
-                fprintf(stderr, "FAIL: EVP_MD_CTX_new() failed\n");
-                goto failed;
+        if (!md_hash_from_algorithm(st->algorithm, &md_func, &md, &out_len)) {
+                test_errorf(t, "md_hash_from_algorithm: unknown algorithm: %d",
+                    st->algorithm);
+                goto fail;
         }
 
-        for (i = 0; i < N_MD_TESTS; i++) {
-                st = &md_tests[i];
-                if (!md_hash_from_algorithm(st->algorithm, &label, &md_func,
-                    &md, &out_len))
-                        goto failed;
-
-                /* Digest */
-                memset(out, 0, sizeof(out));
-                md_func(st->in, st->in_len, out);
-                if (memcmp(st->out, out, out_len) != 0) {
-                        fprintf(stderr, "FAIL (%s): mismatch\n", label);
-                        goto failed;
-                }
+        if ((hash = EVP_MD_CTX_new()) == NULL) {
+                test_errorf(t, "EVP_MD_CTX_new()");
+                goto fail;
+        }
 
-                /* EVP single-shot digest */
-                memset(out, 0, sizeof(out));
-                if (!EVP_Digest(st->in, st->in_len, out, NULL, md, NULL)) {
-                        fprintf(stderr, "FAIL (%s): EVP_Digest failed\n",
-                            label);
-                        goto failed;
-                }
+        /* Digest */
+        memset(out, 0, sizeof(out));
+        md_func(st->in, st->in_len, out);
+        if (memcmp(st->out, out, out_len) != 0) {
+                test_errorf(t, "MD: digest output mismatch");
+                test_hexdiff(t, out, out_len, st->out);
+        }
 
-                if (memcmp(st->out, out, out_len) != 0) {
-                        fprintf(stderr, "FAIL (%s): EVP single-shot mismatch\n",
-                            label);
-                        goto failed;
-                }
+        /* EVP single-shot digest */
+        memset(out, 0, sizeof(out));
+        if (!EVP_Digest(st->in, st->in_len, out, NULL, md, NULL)) {
+                test_errorf(t, "EVP_Digest()");
+                goto fail;
+        }
+        if (memcmp(st->out, out, out_len) != 0) {
+                test_errorf(t, "EVP_Digest: digest output mismatch");
+                test_hexdiff(t, out, out_len, st->out);
+        }
 
-                /* EVP digest */
-                memset(out, 0, sizeof(out));
-                if (!EVP_DigestInit_ex(hash, md, NULL)) {
-                        fprintf(stderr, "FAIL (%s): EVP_DigestInit_ex failed\n",
-                            label);
-                        goto failed;
-                }
+        /* EVP digest */
+        memset(out, 0, sizeof(out));
+        if (!EVP_DigestInit_ex(hash, md, NULL)) {
+                test_errorf(t, "EVP_DigestInit_ex()");
+                goto fail;
+        }
 
-                in_len = st->in_len / 2;
-                if (!EVP_DigestUpdate(hash, st->in, in_len)) {
-                        fprintf(stderr,
-                            "FAIL (%s): EVP_DigestUpdate first half failed\n",
-                            label);
-                        goto failed;
-                }
+        in_len = st->in_len / 2;
+        if (!EVP_DigestUpdate(hash, st->in, in_len)) {
+                test_errorf(t, "EVP_DigestUpdate: first half failed");
+                goto fail;
+        }
 
-                if (!EVP_DigestUpdate(hash, st->in + in_len,
-                        st->in_len - in_len)) {
-                        fprintf(stderr,
-                            "FAIL (%s): EVP_DigestUpdate second half failed\n",
-                            label);
-                        goto failed;
-                }
+        if (!EVP_DigestUpdate(hash, st->in + in_len,
+                st->in_len - in_len)) {
+                test_errorf(t, "EVP_DigestUpdate: second half failed");
+                goto fail;
+        }
 
-                if (!EVP_DigestFinal_ex(hash, out, NULL)) {
-                        fprintf(stderr,
-                            "FAIL (%s): EVP_DigestFinal_ex failed\n",
-                            label);
-                        goto failed;
-                }
+        if (!EVP_DigestFinal_ex(hash, out, NULL)) {
+                test_errorf(t, "EVP_DigestFinal_ex()");
+                goto fail;
+        }
 
-                if (memcmp(st->out, out, out_len) != 0) {
-                        fprintf(stderr, "FAIL (%s): EVP mismatch\n", label);
-                        goto failed;
-                }
+        if (memcmp(st->out, out, out_len) != 0) {
+                test_errorf(t, "EVP: digest output mismatch");
+                test_hexdiff(t, out, out_len, st->out);
         }
 
-        failed = 0;
 
- failed:
+ fail:
         EVP_MD_CTX_free(hash);
-        return failed;
 }
 
-static int
-md5_large_test(void)
+static void
+test_md(struct test *t, const void *arg)
+{
+        const struct md_test *st;
+        size_t i;
+        char *name;
+
+        for (i = 0; i < N_MD_TESTS; i++) {
+                st = &md_tests[i];
+                if (asprintf(&name, "%s: '%s'", OBJ_nid2sn(st->algorithm), st->in) == -1) {
+                        test_errorf(t, "create test name");
+                        return;
+                }
+
+                test_run(t, name, test_md_tv, st);
+                free(name);
+        }
+}
+
+static void
+test_md5_large(struct test *t, const void *arg)
 {
         MD5_CTX ctx;
         uint8_t in[1024];
@@ -310,12 +300,10 @@ md5_large_test(void)
         unsigned int out_len;
         size_t in_len;
         size_t i;
-        const char *label;
         uint8_t want[] = {
                 0xd8, 0xbc, 0xae, 0x13, 0xb5, 0x5a, 0xb0, 0xfc,
                 0x7f, 0x8a, 0xe1, 0x78, 0x27, 0x8d, 0x44, 0x1b,
         };
-        int failed = 1;
 
         memset(in, 'A', sizeof(in));
         in_len = sizeof(in);
@@ -323,44 +311,34 @@ md5_large_test(void)
         memset(out, 0, sizeof(out));
         out_len = 16;
 
-        label = "md5";
-
         MD5_Init(&ctx);
 
         for (i = 0; i < (1<<29) + 1; i += in_len) {
                 if (!MD5_Update(&ctx, in, in_len)) {
-                        fprintf(stderr, "FAIL (%s): MD5_Update failed\n", label);
-                        goto failed;
+                        test_errorf(t, "MD5_Update()");
+                        return;
                 }
         }
         if (!MD5_Final(out, &ctx)) {
-                fprintf(stderr, "FAIL (%s): MD5_Final failed\n", label);
-                goto failed;
+                test_errorf(t, "MD5_Final()");
+                return;
         }
 
         if (memcmp(out, want, out_len) != 0) {
-                fprintf(stderr, "FAIL (%s): MD5 mismatch\n", label);
-                hexdump(out, out_len);
-                goto failed;
+                test_errorf(t, "MD5 digest output mismatch");
+                test_hexdump(t, out, out_len);
         }
-        if (ctx.Nh != 0x1 || ctx.Nl != 0x2000) {
-                fprintf(stderr, "FAIL (%s): MD5 incorrect bit length\n", label);
-                goto failed;
-        }
-
-        failed = 0;
-
- failed:
-        return failed;
+        if (ctx.Nh != 0x1 || ctx.Nl != 0x2000)
+                test_errorf(t, "MD5 incorrect bit length");
 }
 
 int
 main(int argc, char **argv)
 {
-        int failed = 0;
+        struct test *t = test_init();
 
-        failed |= md_test();
-        failed |= md5_large_test();
+        test_run(t, "md", test_md, NULL);
+        test_run(t, "md5 large", test_md5_large, NULL);
 
-        return failed;
+        return test_result(t);
 }
diff --git a/src/regress/lib/libcrypto/mlkem/Makefile b/src/regress/lib/libcrypto/mlkem/Makefile
index a08623c90a..3acaf78e63 100644
--- a/src/regress/lib/libcrypto/mlkem/Makefile
+++ b/src/regress/lib/libcrypto/mlkem/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.9 2024/12/29 20:14:15 tb Exp $
+#       $OpenBSD: Makefile,v 1.10 2025/08/15 14:46:37 tb Exp $
 
 REGRESS_SLOW_TARGETS += run-regress-mlkem_iteration_tests
 
@@ -22,7 +22,7 @@ run-regress-mlkem_tests: mlkem_tests
         ./mlkem_tests $f ${.CURDIR}/$f.txt
 .endfor
 
-SRCS_mlkem_tests =      mlkem_tests.c mlkem_tests_util.c parse_test_file.c
+SRCS_mlkem_tests =      mlkem_tests.c parse_test_file.c
 SRCS_mlkem_iteration_tests = mlkem_iteration_tests.c mlkem_tests_util.c
 SRCS_mlkem_unittest =   mlkem_unittest.c mlkem_tests_util.c
 
diff --git a/src/regress/lib/libcrypto/mlkem/mlkem_iteration_tests.c b/src/regress/lib/libcrypto/mlkem/mlkem_iteration_tests.c
index 5a61248090..053f8e1222 100644
--- a/src/regress/lib/libcrypto/mlkem/mlkem_iteration_tests.c
+++ b/src/regress/lib/libcrypto/mlkem/mlkem_iteration_tests.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mlkem_iteration_tests.c,v 1.2 2024/12/26 07:26:45 tb Exp $ */
+/*      $OpenBSD: mlkem_iteration_tests.c,v 1.8 2025/08/17 19:26:35 tb Exp $ */
 /*
  * Copyright (c) 2024 Google Inc.
  * Copyright (c) 2024 Bob Beck <beck@obtuse.com>
@@ -22,7 +22,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 
-#include "mlkem.h"
+#include <openssl/mlkem.h>
 
 #include "mlkem_internal.h"
 #include "mlkem_tests_util.h"
@@ -63,46 +63,49 @@ const uint8_t kExpectedAdam1024[32] = {
         0x04, 0xab, 0xdb, 0x94, 0x8b, 0x90, 0x8b, 0x75, 0xba, 0xd5
 };
 
-struct iteration_ctx {
-        uint8_t *encoded_public_key;
-        size_t encoded_public_key_len;
-        uint8_t *ciphertext;
-        size_t ciphertext_len;
-        uint8_t *invalid_ciphertext;
-        size_t invalid_ciphertext_len;
-        void *priv;
-        void *pub;
-
-        mlkem_encode_private_key_fn encode_private_key;
-        mlkem_encap_external_entropy_fn encap_external_entropy;
-        mlkem_generate_key_external_entropy_fn generate_key_external_entropy;
-        mlkem_public_from_private_fn public_from_private;
-        mlkem_decap_fn decap;
-
-        const uint8_t *start;
-        size_t start_len;
-
-        const uint8_t *expected;
-        size_t expected_len;
-};
-
 static int
-MlkemIterativeTest(struct iteration_ctx *ctx)
+MlkemIterativeTest(int rank)
 {
-        uint8_t shared_secret[MLKEM_SHARED_SECRET_BYTES];
+        const uint8_t *start, *expected;
+        size_t start_len;
         uint8_t encap_entropy[MLKEM_ENCAP_ENTROPY];
-        uint8_t seed[MLKEM_SEED_BYTES] = {0};
+        uint8_t seed[MLKEM_SEED_LENGTH] = {0};
+        uint8_t *shared_secret = NULL;
         sha3_ctx drng, results;
         uint8_t out[32];
         int i;
 
+        start = kExpectedSeedStart;
+        start_len = sizeof(kExpectedSeedStart);
+        switch(rank){
+        case RANK768:
+                expected = kExpectedAdam768;
+                break;
+        case RANK1024:
+                expected = kExpectedAdam1024;
+                break;
+        default:
+                errx(1, "invalid rank %d", rank);
+        }
+
         shake128_init(&drng);
         shake128_init(&results);
 
         shake_xof(&drng);
         for (i = 0; i < 10000; i++) {
-                uint8_t *encoded_private_key = NULL;
-                size_t encoded_private_key_len;
+                uint8_t *encoded_public_key = NULL, *ciphertext = NULL,
+                    *encoded_private_key = NULL, *invalid_ciphertext = NULL;
+                size_t encoded_public_key_len, ciphertext_len,
+                    encoded_private_key_len, invalid_ciphertext_len;
+                MLKEM_private_key *priv;
+                MLKEM_public_key *pub;
+                size_t s_len = 0;
+
+                /* allocate keys for this iteration */
+                if ((priv = MLKEM_private_key_new(rank)) == NULL)
+                        errx(1, "malloc");
+                if ((pub = MLKEM_public_key_new(rank)) == NULL)
+                        errx(1, "malloc");
 
                 /*
                  * This should draw both d and z from DRNG concatenating in
@@ -110,118 +113,91 @@ MlkemIterativeTest(struct iteration_ctx *ctx)
                  */
                 shake_out(&drng, seed, sizeof(seed));
                 if (i == 0) {
-                        if (compare_data(seed, ctx->start, ctx->start_len,
+                        if (compare_data(seed, start, start_len,
                             "seed start") != 0)
                                 errx(1, "compare_data");
                 }
 
                 /* generate ek as encoded_public_key */
-                ctx->generate_key_external_entropy(ctx->encoded_public_key,
-                    ctx->priv, seed);
-                ctx->public_from_private(ctx->pub, ctx->priv);
+                if (!MLKEM_generate_key_external_entropy(priv,
+                    &encoded_public_key, &encoded_public_key_len,
+                    seed))
+                        errx(1, "generate_key_external_entropy");
+
+                if (!MLKEM_public_from_private(priv, pub))
+                        errx(1, "public_from_private");
 
                 /* hash in ek */
-                shake_update(&results, ctx->encoded_public_key,
-                    ctx->encoded_public_key_len);
+                shake_update(&results, encoded_public_key,
+                    encoded_public_key_len);
 
                 /* marshal priv to dk as encoded_private_key */
-                if (!ctx->encode_private_key(ctx->priv, &encoded_private_key,
+                if (!MLKEM_marshal_private_key(priv, &encoded_private_key,
                     &encoded_private_key_len))
-                        errx(1, "encode private key");
+                        errx(1, "marshal private key");
 
                 /* hash in dk */
                 shake_update(&results, encoded_private_key,
                     encoded_private_key_len);
 
-                free(encoded_private_key);
+                freezero(encoded_private_key, encoded_private_key_len);
 
                 /* draw m as encap entropy from DRNG */
                 shake_out(&drng, encap_entropy, sizeof(encap_entropy));
 
                 /* generate ct as ciphertext, k as shared_secret */
-                ctx->encap_external_entropy(ctx->ciphertext, shared_secret,
-                    ctx->pub, encap_entropy);
+                if (!MLKEM_encap_external_entropy(pub, encap_entropy,
+                    &ciphertext, &ciphertext_len, &shared_secret, &s_len))
+                        errx(1, "encap_external_entropy");
 
                 /* hash in ct */
-                shake_update(&results, ctx->ciphertext, ctx->ciphertext_len);
+                shake_update(&results, ciphertext, ciphertext_len);
                 /* hash in k */
-                shake_update(&results, shared_secret, sizeof(shared_secret));
+                shake_update(&results, shared_secret, s_len);
+
+                freezero(shared_secret, s_len);
+                shared_secret = NULL;
+
+                invalid_ciphertext_len = ciphertext_len;
+                if ((invalid_ciphertext = calloc(1, invalid_ciphertext_len))
+                    == NULL)
+                        errx(1, "malloc");
 
                 /* draw ct as invalid_ciphertxt from DRNG */
-                shake_out(&drng, ctx->invalid_ciphertext,
-                    ctx->invalid_ciphertext_len);
+                shake_out(&drng, invalid_ciphertext, invalid_ciphertext_len);
 
                 /* generate k as shared secret from invalid ciphertext */
-                if (!ctx->decap(shared_secret, ctx->invalid_ciphertext,
-                    ctx->invalid_ciphertext_len, ctx->priv))
-                        errx(1, "decap failed");
+                if (!MLKEM_decap(priv, invalid_ciphertext,
+                    invalid_ciphertext_len, &shared_secret, &s_len))
+                        errx(1, "decap failed, iteration %d", i);
 
                 /* hash in k */
-                shake_update(&results, shared_secret, sizeof(shared_secret));
+                shake_update(&results, shared_secret, s_len);
+
+                freezero(shared_secret, s_len);
+                shared_secret = NULL;
+                freezero(invalid_ciphertext, invalid_ciphertext_len);
+                invalid_ciphertext = NULL;
+
+                /* free keys and intermediate products for this iteration */
+                MLKEM_private_key_free(priv);
+                MLKEM_public_key_free(pub);
+                freezero(encoded_public_key, encoded_public_key_len);
+                freezero(ciphertext, ciphertext_len);
         }
         shake_xof(&results);
         shake_out(&results, out, sizeof(out));
 
-        return compare_data(ctx->expected, out, sizeof(out), "final result hash");
+        return compare_data(expected, out, sizeof(out), "final result hash");
 }
 
 int
 main(void)
 {
-        uint8_t encoded_public_key768[MLKEM768_PUBLIC_KEY_BYTES];
-        uint8_t ciphertext768[MLKEM768_CIPHERTEXT_BYTES];
-        uint8_t invalid_ciphertext768[MLKEM768_CIPHERTEXT_BYTES];
-        struct MLKEM768_private_key priv768;
-        struct MLKEM768_public_key pub768;
-        struct iteration_ctx iteration768 = {
-                .encoded_public_key = encoded_public_key768,
-                .encoded_public_key_len = sizeof(encoded_public_key768),
-                .ciphertext = ciphertext768,
-                .ciphertext_len = sizeof(ciphertext768),
-                .invalid_ciphertext = invalid_ciphertext768,
-                .invalid_ciphertext_len = sizeof(invalid_ciphertext768),
-                .priv = &priv768,
-                .pub = &pub768,
-                .encap_external_entropy = mlkem768_encap_external_entropy,
-                .encode_private_key = mlkem768_encode_private_key,
-                .generate_key_external_entropy =
-                    mlkem768_generate_key_external_entropy,
-                .public_from_private = mlkem768_public_from_private,
-                .decap = mlkem768_decap,
-                .start = kExpectedSeedStart,
-                .start_len = sizeof(kExpectedSeedStart),
-                .expected = kExpectedAdam768,
-                .expected_len = sizeof(kExpectedAdam768),
-        };
-        uint8_t encoded_public_key1024[MLKEM1024_PUBLIC_KEY_BYTES];
-        uint8_t ciphertext1024[MLKEM1024_CIPHERTEXT_BYTES];
-        uint8_t invalid_ciphertext1024[MLKEM1024_CIPHERTEXT_BYTES];
-        struct MLKEM1024_private_key priv1024;
-        struct MLKEM1024_public_key pub1024;
-        struct iteration_ctx iteration1024 = {
-                .encoded_public_key = encoded_public_key1024,
-                .encoded_public_key_len = sizeof(encoded_public_key1024),
-                .ciphertext = ciphertext1024,
-                .ciphertext_len = sizeof(ciphertext1024),
-                .invalid_ciphertext = invalid_ciphertext1024,
-                .invalid_ciphertext_len = sizeof(invalid_ciphertext1024),
-                .priv = &priv1024,
-                .pub = &pub1024,
-                .encap_external_entropy = mlkem1024_encap_external_entropy,
-                .encode_private_key = mlkem1024_encode_private_key,
-                .generate_key_external_entropy =
-                    mlkem1024_generate_key_external_entropy,
-                .public_from_private = mlkem1024_public_from_private,
-                .decap = mlkem1024_decap,
-                .start = kExpectedSeedStart,
-                .start_len = sizeof(kExpectedSeedStart),
-                .expected = kExpectedAdam1024,
-                .expected_len = sizeof(kExpectedAdam1024),
-        };
         int failed = 0;
 
-        failed |= MlkemIterativeTest(&iteration768);
-        failed |= MlkemIterativeTest(&iteration1024);
+        failed |= MlkemIterativeTest(RANK768);
+        failed |= MlkemIterativeTest(RANK1024);
 
         return failed;
 }
diff --git a/src/regress/lib/libcrypto/mlkem/mlkem_tests.c b/src/regress/lib/libcrypto/mlkem/mlkem_tests.c
index 2801a58890..361467afd0 100644
--- a/src/regress/lib/libcrypto/mlkem/mlkem_tests.c
+++ b/src/regress/lib/libcrypto/mlkem/mlkem_tests.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mlkem_tests.c,v 1.2 2024/12/26 00:10:19 tb Exp $ */
+/*      $OpenBSD: mlkem_tests.c,v 1.10 2025/08/15 21:47:39 tb Exp $ */
 /*
  * Copyright (c) 2024 Google Inc.
  * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -23,12 +23,11 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include "bytestring.h"
-#include "mlkem.h"
+#include <openssl/mlkem.h>
 
+#include "bytestring.h"
 #include "mlkem_internal.h"
 
-#include "mlkem_tests_util.h"
 #include "parse_test_file.h"
 
 enum test_type {
@@ -39,11 +38,7 @@ enum test_type {
 struct decap_ctx {
         struct parse *parse_ctx;
 
-        void *private_key;
-        size_t private_key_len;
-
-        mlkem_parse_private_key_fn parse_private_key;
-        mlkem_decap_fn decap;
+        int rank;
 };
 
 enum decap_states {
@@ -102,8 +97,10 @@ static int
 MlkemDecapFileTest(struct decap_ctx *decap)
 {
         struct parse *p = decap->parse_ctx;
-        uint8_t shared_secret_buf[MLKEM_SHARED_SECRET_BYTES];
+        MLKEM_private_key *priv_key = NULL;
         CBS ciphertext, shared_secret, private_key;
+        uint8_t *shared_secret_buf = NULL;
+        size_t shared_secret_buf_len = 0;
         int should_fail;
         int failed = 1;
 
@@ -112,20 +109,31 @@ MlkemDecapFileTest(struct decap_ctx *decap)
         parse_get_cbs(p, DECAP_PRIVATE_KEY, &private_key);
         parse_get_int(p, DECAP_RESULT, &should_fail);
 
-        if (!decap->parse_private_key(decap->private_key, &private_key)) {
+        if ((priv_key = MLKEM_private_key_new(decap->rank)) == NULL)
+                parse_errx(p, "MLKEM_private_key_new");
+
+        if (!MLKEM_parse_private_key(priv_key,
+            CBS_data(&private_key), CBS_len(&private_key))) {
                 if ((failed = !should_fail))
                         parse_info(p, "parse private key");
                 goto err;
         }
-        if (!decap->decap(shared_secret_buf,
-            CBS_data(&ciphertext), CBS_len(&ciphertext), decap->private_key)) {
+        if (!MLKEM_decap(priv_key, CBS_data(&ciphertext), CBS_len(&ciphertext),
+            &shared_secret_buf, &shared_secret_buf_len)) {
                 if ((failed = !should_fail))
                         parse_info(p, "decap");
                 goto err;
         }
 
+        if (shared_secret_buf_len != MLKEM_SHARED_SECRET_LENGTH) {
+                if ((failed = !should_fail))
+                        parse_info(p, "shared secret length %zu != %d",
+                            shared_secret_buf_len, MLKEM_SHARED_SECRET_LENGTH);
+                goto err;
+        }
+
         failed = !parse_data_equal(p, "shared_secret", &shared_secret,
-            shared_secret_buf, sizeof(shared_secret_buf));
+            shared_secret_buf, shared_secret_buf_len);
 
         if (should_fail != failed) {
                 parse_info(p, "FAIL: should_fail %d, failed %d",
@@ -134,6 +142,9 @@ MlkemDecapFileTest(struct decap_ctx *decap)
         }
 
  err:
+        MLKEM_private_key_free(priv_key);
+        freezero(shared_secret_buf, shared_secret_buf_len);
+
         return failed;
 }
 
@@ -192,35 +203,49 @@ static int
 MlkemNistDecapFileTest(struct decap_ctx *decap)
 {
         struct parse *p = decap->parse_ctx;
-        uint8_t shared_secret[MLKEM_SHARED_SECRET_BYTES];
+        MLKEM_private_key *priv_key = NULL;
         CBS dk, c, k;
+        uint8_t *shared_secret = NULL;
+        size_t shared_secret_len = 0;
         int failed = 1;
 
         parse_instruction_get_cbs(p, NIST_DECAP_DK, &dk);
         parse_get_cbs(p, NIST_DECAP_C, &c);
         parse_get_cbs(p, NIST_DECAP_K, &k);
 
+        if ((priv_key = MLKEM_private_key_new(decap->rank)) == NULL)
+                parse_errx(p, "MLKEM_private_key_new");
+
         if (!parse_length_equal(p, "private key",
-            decap->private_key_len, CBS_len(&dk)))
+            MLKEM_private_key_encoded_length(priv_key), CBS_len(&dk)))
                 goto err;
         if (!parse_length_equal(p, "shared secret",
-            MLKEM_SHARED_SECRET_BYTES, CBS_len(&k)))
+            MLKEM_SHARED_SECRET_LENGTH, CBS_len(&k)))
                 goto err;
 
-        if (!decap->parse_private_key(decap->private_key, &dk)) {
+        if (!MLKEM_parse_private_key(priv_key, CBS_data(&dk), CBS_len(&dk))) {
                 parse_info(p, "parse private key");
                 goto err;
         }
-        if (!decap->decap(shared_secret, CBS_data(&c), CBS_len(&c),
-            decap->private_key)) {
+        if (!MLKEM_decap(priv_key, CBS_data(&c), CBS_len(&c),
+            &shared_secret, &shared_secret_len)) {
                 parse_info(p, "decap");
                 goto err;
         }
 
+        if (shared_secret_len != MLKEM_SHARED_SECRET_LENGTH) {
+                parse_info(p, "shared secret length %zu != %d",
+                    shared_secret_len, MLKEM_SHARED_SECRET_LENGTH);
+                goto err;
+        }
+
         failed = !parse_data_equal(p, "shared secret", &k,
-            shared_secret, MLKEM_SHARED_SECRET_BYTES);
+            shared_secret, shared_secret_len);
 
  err:
+        MLKEM_private_key_free(priv_key);
+        freezero(shared_secret, shared_secret_len);
+
         return failed;
 }
 
@@ -244,46 +269,24 @@ static const struct test_parse nist_decap_parse = {
 };
 
 static int
-mlkem_decap_tests(const char *fn, size_t size, enum test_type test_type)
+mlkem_decap_tests(const char *fn, int rank, enum test_type test_type)
 {
-        struct MLKEM768_private_key private_key768;
-        struct decap_ctx decap768 = {
-                .private_key = &private_key768,
-                .private_key_len = MLKEM768_PRIVATE_KEY_BYTES,
-
-                .parse_private_key = mlkem768_parse_private_key,
-                .decap = mlkem768_decap,
+        struct decap_ctx decap = {
+                .rank = rank,
         };
-        struct MLKEM1024_private_key private_key1024;
-        struct decap_ctx decap1024 = {
-                .private_key = &private_key1024,
-                .private_key_len = MLKEM1024_PRIVATE_KEY_BYTES,
 
-                .parse_private_key = mlkem1024_parse_private_key,
-                .decap = mlkem1024_decap,
-        };
-
-        if (size == 768 && test_type == TEST_TYPE_NORMAL)
-                return parse_test_file(fn, &decap_parse, &decap768);
-        if (size == 768 && test_type == TEST_TYPE_NIST)
-                return parse_test_file(fn, &nist_decap_parse, &decap768);
-        if (size == 1024 && test_type == TEST_TYPE_NORMAL)
-                return parse_test_file(fn, &decap_parse, &decap1024);
-        if (size == 1024 && test_type == TEST_TYPE_NIST)
-                return parse_test_file(fn, &nist_decap_parse, &decap1024);
+        if (test_type == TEST_TYPE_NORMAL)
+                return parse_test_file(fn, &decap_parse, &decap);
+        if (test_type == TEST_TYPE_NIST)
+                return parse_test_file(fn, &nist_decap_parse, &decap);
 
-        errx(1, "unknown decap test: size %zu, type %d", size, test_type);
+        errx(1, "unknown decap test: rank %d, type %d", rank, test_type);
 }
 
 struct encap_ctx {
         struct parse *parse_ctx;
 
-        void *public_key;
-        uint8_t *ciphertext;
-        size_t ciphertext_len;
-
-        mlkem_parse_public_key_fn parse_public_key;
-        mlkem_encap_external_entropy_fn encap_external_entropy;
+        int rank;
 };
 
 enum encap_states {
@@ -349,8 +352,12 @@ static int
 MlkemEncapFileTest(struct encap_ctx *encap)
 {
         struct parse *p = encap->parse_ctx;
-        uint8_t shared_secret_buf[MLKEM_SHARED_SECRET_BYTES];
+        MLKEM_public_key *pub_key = NULL;
         CBS entropy, public_key, ciphertext, shared_secret;
+        uint8_t *ciphertext_buf = NULL;
+        size_t ciphertext_buf_len = 0;
+        uint8_t *shared_secret_buf = NULL;
+        size_t shared_secret_buf_len = 0;
         int should_fail;
         int failed = 1;
 
@@ -360,18 +367,34 @@ MlkemEncapFileTest(struct encap_ctx *encap)
         parse_get_cbs(p, ENCAP_SHARED_SECRET, &shared_secret);
         parse_get_int(p, ENCAP_RESULT, &should_fail);
 
-        if (!encap->parse_public_key(encap->public_key, &public_key)) {
+        if ((pub_key = MLKEM_public_key_new(encap->rank)) == NULL)
+                parse_errx(p, "MLKEM_public_key_new");
+
+        if (!MLKEM_parse_public_key(pub_key,
+            CBS_data(&public_key), CBS_len(&public_key))) {
                 if ((failed = !should_fail))
                         parse_info(p, "parse public key");
                 goto err;
         }
-        encap->encap_external_entropy(encap->ciphertext, shared_secret_buf,
-            encap->public_key, CBS_data(&entropy));
+        if (!MLKEM_encap_external_entropy(pub_key, CBS_data(&entropy),
+            &ciphertext_buf, &ciphertext_buf_len,
+            &shared_secret_buf, &shared_secret_buf_len)) {
+                if ((failed = !should_fail))
+                        parse_info(p, "encap_external_entropy");
+                goto err;
+        }
+
+        if (shared_secret_buf_len != MLKEM_SHARED_SECRET_LENGTH) {
+                if ((failed = !should_fail))
+                        parse_info(p, "shared secret length %zu != %d",
+                            shared_secret_buf_len, MLKEM_SHARED_SECRET_LENGTH);
+                goto err;
+        }
 
         failed = !parse_data_equal(p, "shared_secret", &shared_secret,
-            shared_secret_buf, sizeof(shared_secret_buf));
+            shared_secret_buf, shared_secret_buf_len);
         failed |= !parse_data_equal(p, "ciphertext", &ciphertext,
-            encap->ciphertext, encap->ciphertext_len);
+            ciphertext_buf, ciphertext_buf_len);
 
         if (should_fail != failed) {
                 parse_info(p, "FAIL: should_fail %d, failed %d",
@@ -380,6 +403,10 @@ MlkemEncapFileTest(struct encap_ctx *encap)
         }
 
  err:
+        MLKEM_public_key_free(pub_key);
+        freezero(ciphertext_buf, ciphertext_buf_len);
+        freezero(shared_secret_buf, shared_secret_buf_len);
+
         return failed;
 }
 
@@ -400,48 +427,19 @@ static const struct test_parse encap_parse = {
 };
 
 static int
-mlkem_encap_tests(const char *fn, size_t size)
+mlkem_encap_tests(const char *fn, int rank)
 {
-        struct MLKEM768_public_key public_key768;
-        uint8_t ciphertext768[MLKEM768_CIPHERTEXT_BYTES];
-        struct encap_ctx encap768 = {
-                .public_key = &public_key768,
-                .ciphertext = ciphertext768,
-                .ciphertext_len = sizeof(ciphertext768),
-
-                .parse_public_key = mlkem768_parse_public_key,
-                .encap_external_entropy = mlkem768_encap_external_entropy,
-        };
-        struct MLKEM1024_public_key public_key1024;
-        uint8_t ciphertext1024[MLKEM1024_CIPHERTEXT_BYTES];
-        struct encap_ctx encap1024 = {
-                .public_key = &public_key1024,
-                .ciphertext = ciphertext1024,
-                .ciphertext_len = sizeof(ciphertext1024),
-
-                .parse_public_key = mlkem1024_parse_public_key,
-                .encap_external_entropy = mlkem1024_encap_external_entropy,
+        struct encap_ctx encap = {
+                .rank = rank,
         };
 
-        if (size == 768)
-                return parse_test_file(fn, &encap_parse, &encap768);
-        if (size == 1024)
-                return parse_test_file(fn, &encap_parse, &encap1024);
-
-        errx(1, "unknown encap test: size %zu", size);
+        return parse_test_file(fn, &encap_parse, &encap);
 }
 
 struct keygen_ctx {
         struct parse *parse_ctx;
 
-        void *private_key;
-        void *encoded_public_key;
-        size_t encoded_public_key_len;
-        size_t private_key_len;
-        size_t public_key_len;
-
-        mlkem_generate_key_external_entropy_fn generate_key_external_entropy;
-        mlkem_encode_private_key_fn encode_private_key;
+        int rank;
 };
 
 enum keygen_states {
@@ -492,27 +490,38 @@ static int
 MlkemKeygenFileTest(struct keygen_ctx *keygen)
 {
         struct parse *p = keygen->parse_ctx;
+        MLKEM_private_key *priv_key = NULL;
         CBS seed, public_key, private_key;
         uint8_t *encoded_private_key = NULL;
         size_t encoded_private_key_len = 0;
+        uint8_t *encoded_public_key = NULL;
+        size_t encoded_public_key_len = 0;
         int failed = 1;
 
         parse_get_cbs(p, KEYGEN_SEED, &seed);
         parse_get_cbs(p, KEYGEN_PUBLIC_KEY, &public_key);
         parse_get_cbs(p, KEYGEN_PRIVATE_KEY, &private_key);
 
-        if (!parse_length_equal(p, "seed", MLKEM_SEED_BYTES, CBS_len(&seed)))
+        if (!parse_length_equal(p, "seed", MLKEM_SEED_LENGTH, CBS_len(&seed)))
                 goto err;
+
+        if ((priv_key = MLKEM_private_key_new(keygen->rank)) == NULL)
+                parse_errx(p, "MLKEM_public_key_free");
+
+        if (!MLKEM_generate_key_external_entropy(priv_key,
+            &encoded_public_key, &encoded_public_key_len, CBS_data(&seed))) {
+                parse_info(p, "generate_key_external_entropy");
+                goto err;
+        }
+
         if (!parse_length_equal(p, "public key",
-            keygen->public_key_len, CBS_len(&public_key)))
+            encoded_public_key_len, CBS_len(&public_key)))
                 goto err;
         if (!parse_length_equal(p, "private key",
-            keygen->private_key_len, CBS_len(&private_key)))
+            MLKEM_private_key_encoded_length(priv_key), CBS_len(&private_key)))
                 goto err;
 
-        keygen->generate_key_external_entropy(keygen->encoded_public_key,
-            keygen->private_key, CBS_data(&seed));
-        if (!keygen->encode_private_key(keygen->private_key,
+        if (!MLKEM_marshal_private_key(priv_key,
             &encoded_private_key, &encoded_private_key_len)) {
                 parse_info(p, "encode private key");
                 goto err;
@@ -521,10 +530,12 @@ MlkemKeygenFileTest(struct keygen_ctx *keygen)
         failed = !parse_data_equal(p, "private key", &private_key,
             encoded_private_key, encoded_private_key_len);
         failed |= !parse_data_equal(p, "public key", &public_key,
-            keygen->encoded_public_key, keygen->encoded_public_key_len);
+            encoded_public_key, encoded_public_key_len);
 
  err:
+        MLKEM_private_key_free(priv_key);
         freezero(encoded_private_key, encoded_private_key_len);
+        freezero(encoded_public_key, encoded_public_key_len);
 
         return failed;
 }
@@ -584,12 +595,15 @@ static int
 MlkemNistKeygenFileTest(struct keygen_ctx *keygen)
 {
         struct parse *p = keygen->parse_ctx;
+        MLKEM_private_key *priv_key = NULL;
         CBB seed_cbb;
         CBS z, d, ek, dk;
-        uint8_t seed[MLKEM_SEED_BYTES];
+        uint8_t seed[MLKEM_SEED_LENGTH];
         size_t seed_len;
         uint8_t *encoded_private_key = NULL;
         size_t encoded_private_key_len = 0;
+        uint8_t *encoded_public_key = NULL;
+        size_t encoded_public_key_len = 0;
         int failed = 1;
 
         parse_get_cbs(p, NIST_KEYGEN_Z, &z);
@@ -606,24 +620,33 @@ MlkemNistKeygenFileTest(struct keygen_ctx *keygen)
         if (!CBB_finish(&seed_cbb, NULL, &seed_len))
                 parse_errx(p, "CBB_finish");
 
-        if (!parse_length_equal(p, "bogus z or d", MLKEM_SEED_BYTES, seed_len))
+        if (!parse_length_equal(p, "bogus z or d", MLKEM_SEED_LENGTH, seed_len))
                 goto err;
 
-        keygen->generate_key_external_entropy(keygen->encoded_public_key,
-            keygen->private_key, seed);
-        if (!keygen->encode_private_key(keygen->private_key,
+        if ((priv_key = MLKEM_private_key_new(keygen->rank)) == NULL)
+                parse_errx(p, "MLKEM_private_key_new");
+
+        if (!MLKEM_generate_key_external_entropy(priv_key,
+            &encoded_public_key, &encoded_public_key_len, seed)) {
+                parse_info(p, "MLKEM_generate_key_external_entropy");
+                goto err;
+        }
+
+        if (!MLKEM_marshal_private_key(priv_key,
             &encoded_private_key, &encoded_private_key_len)) {
                 parse_info(p, "encode private key");
                 goto err;
         }
 
         failed = !parse_data_equal(p, "public key", &ek,
-            keygen->encoded_public_key, keygen->encoded_public_key_len);
+            encoded_public_key, encoded_public_key_len);
         failed |= !parse_data_equal(p, "private key", &dk,
             encoded_private_key, encoded_private_key_len);
 
  err:
+        MLKEM_private_key_free(priv_key);
         freezero(encoded_private_key, encoded_private_key_len);
+        freezero(encoded_public_key, encoded_public_key_len);
 
         return failed;
 }
@@ -645,73 +668,45 @@ static const struct test_parse nist_keygen_parse = {
 };
 
 static int
-mlkem_keygen_tests(const char *fn, size_t size, enum test_type test_type)
+mlkem_keygen_tests(const char *fn, int rank, enum test_type test_type)
 {
-        struct MLKEM768_private_key private_key768;
-        uint8_t encoded_public_key768[MLKEM768_PUBLIC_KEY_BYTES];
-        struct keygen_ctx keygen768 = {
-                .private_key = &private_key768,
-                .encoded_public_key = encoded_public_key768,
-                .encoded_public_key_len = sizeof(encoded_public_key768),
-                .private_key_len = MLKEM768_PRIVATE_KEY_BYTES,
-                .public_key_len = MLKEM768_PUBLIC_KEY_BYTES,
-                .generate_key_external_entropy =
-                    mlkem768_generate_key_external_entropy,
-                .encode_private_key =
-                    mlkem768_encode_private_key,
-        };
-        struct MLKEM1024_private_key private_key1024;
-        uint8_t encoded_public_key1024[MLKEM1024_PUBLIC_KEY_BYTES];
-        struct keygen_ctx keygen1024 = {
-                .private_key = &private_key1024,
-                .encoded_public_key = encoded_public_key1024,
-                .encoded_public_key_len = sizeof(encoded_public_key1024),
-                .private_key_len = MLKEM1024_PRIVATE_KEY_BYTES,
-                .public_key_len = MLKEM1024_PUBLIC_KEY_BYTES,
-
-                .generate_key_external_entropy =
-                    mlkem1024_generate_key_external_entropy,
-                .encode_private_key =
-                    mlkem1024_encode_private_key,
+        struct keygen_ctx keygen = {
+                .rank = rank,
         };
 
-        if (size == 768 && test_type == TEST_TYPE_NORMAL)
-                return parse_test_file(fn, &keygen_parse, &keygen768);
-        if (size == 768 && test_type == TEST_TYPE_NIST)
-                return parse_test_file(fn, &nist_keygen_parse, &keygen768);
-        if (size == 1024 && test_type == TEST_TYPE_NORMAL)
-                return parse_test_file(fn, &keygen_parse, &keygen1024);
-        if (size == 1024 && test_type == TEST_TYPE_NIST)
-                return parse_test_file(fn, &nist_keygen_parse, &keygen1024);
+        if (test_type == TEST_TYPE_NORMAL)
+                return parse_test_file(fn, &keygen_parse, &keygen);
+        if (test_type == TEST_TYPE_NIST)
+                return parse_test_file(fn, &nist_keygen_parse, &keygen);
 
-        errx(1, "unknown keygen test: size %zu, type %d", size, test_type);
+        errx(1, "unknown keygen test: rank %d, type %d", rank, test_type);
 }
 
 static int
 run_mlkem_test(const char *test, const char *fn)
 {
         if (strcmp(test, "mlkem768_decap_tests") == 0)
-                return mlkem_decap_tests(fn, 768, TEST_TYPE_NORMAL);
+                return mlkem_decap_tests(fn, RANK768, TEST_TYPE_NORMAL);
         if (strcmp(test, "mlkem768_nist_decap_tests") == 0)
-                return mlkem_decap_tests(fn, 768, TEST_TYPE_NIST);
+                return mlkem_decap_tests(fn, RANK768, TEST_TYPE_NIST);
         if (strcmp(test, "mlkem1024_decap_tests") == 0)
-                return mlkem_decap_tests(fn, 1024, TEST_TYPE_NORMAL);
+                return mlkem_decap_tests(fn, RANK1024, TEST_TYPE_NORMAL);
         if (strcmp(test, "mlkem1024_nist_decap_tests") == 0)
-                return mlkem_decap_tests(fn, 1024, TEST_TYPE_NIST);
+                return mlkem_decap_tests(fn, RANK1024, TEST_TYPE_NIST);
 
         if (strcmp(test, "mlkem768_encap_tests") == 0)
-                return mlkem_encap_tests(fn, 768);
+                return mlkem_encap_tests(fn, RANK768);
         if (strcmp(test, "mlkem1024_encap_tests") == 0)
-                return mlkem_encap_tests(fn, 1024);
+                return mlkem_encap_tests(fn, RANK1024);
 
         if (strcmp(test, "mlkem768_keygen_tests") == 0)
-                return mlkem_keygen_tests(fn, 768, TEST_TYPE_NORMAL);
+                return mlkem_keygen_tests(fn, RANK768, TEST_TYPE_NORMAL);
         if (strcmp(test, "mlkem768_nist_keygen_tests") == 0)
-                return mlkem_keygen_tests(fn, 768, TEST_TYPE_NIST);
+                return mlkem_keygen_tests(fn, RANK768, TEST_TYPE_NIST);
         if (strcmp(test, "mlkem1024_keygen_tests") == 0)
-                return mlkem_keygen_tests(fn, 1024, TEST_TYPE_NORMAL);
+                return mlkem_keygen_tests(fn, RANK1024, TEST_TYPE_NORMAL);
         if (strcmp(test, "mlkem1024_nist_keygen_tests") == 0)
-                return mlkem_keygen_tests(fn, 1024, TEST_TYPE_NIST);
+                return mlkem_keygen_tests(fn, RANK1024, TEST_TYPE_NIST);
 
         errx(1, "unknown test %s (test file %s)", test, fn);
 }
diff --git a/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.c b/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.c
index 1bb2ed3a8b..d2e0fbd7c7 100644
--- a/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.c
+++ b/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mlkem_tests_util.c,v 1.5 2024/12/26 00:04:24 tb Exp $ */
+/*      $OpenBSD: mlkem_tests_util.c,v 1.10 2025/08/15 14:47:54 tb Exp $ */
 /*
  * Copyright (c) 2024 Google Inc.
  * Copyright (c) 2024 Bob Beck <beck@obtuse.com>
@@ -22,11 +22,6 @@
 #include <stdio.h>
 #include <string.h>
 
-#include "bytestring.h"
-#include "mlkem.h"
-
-#include "mlkem_internal.h"
-
 #include "mlkem_tests_util.h"
 
 static void
@@ -59,209 +54,3 @@ compare_data(const uint8_t *want, const uint8_t *got, size_t len, const char *ms
 
         return 1;
 }
-
-int
-mlkem768_encode_private_key(const void *private_key, uint8_t **out_buf,
-    size_t *out_len)
-{
-        CBB cbb;
-        int ret = 0;
-
-        if (!CBB_init(&cbb, MLKEM768_PUBLIC_KEY_BYTES))
-                goto err;
-        if (!MLKEM768_marshal_private_key(&cbb, private_key))
-                goto err;
-        if (!CBB_finish(&cbb, out_buf, out_len))
-                goto err;
-
-        ret = 1;
-
- err:
-        CBB_cleanup(&cbb);
-
-        return ret;
-}
-
-int
-mlkem768_encode_public_key(const void *public_key, uint8_t **out_buf,
-    size_t *out_len)
-{
-        CBB cbb;
-        int ret = 0;
-
-        if (!CBB_init(&cbb, MLKEM768_PUBLIC_KEY_BYTES))
-                goto err;
-        if (!MLKEM768_marshal_public_key(&cbb, public_key))
-                goto err;
-        if (!CBB_finish(&cbb, out_buf, out_len))
-                goto err;
-
-        ret = 1;
-
- err:
-        CBB_cleanup(&cbb);
-
-        return ret;
-}
-
-int
-mlkem1024_encode_private_key(const void *private_key, uint8_t **out_buf,
-    size_t *out_len)
-{
-        CBB cbb;
-        int ret = 0;
-
-        if (!CBB_init(&cbb, MLKEM1024_PUBLIC_KEY_BYTES))
-                goto err;
-        if (!MLKEM1024_marshal_private_key(&cbb, private_key))
-                goto err;
-        if (!CBB_finish(&cbb, out_buf, out_len))
-                goto err;
-
-        ret = 1;
-
- err:
-        CBB_cleanup(&cbb);
-
-        return ret;
-}
-
-int
-mlkem1024_encode_public_key(const void *public_key, uint8_t **out_buf,
-    size_t *out_len)
-{
-        CBB cbb;
-        int ret = 0;
-
-        if (!CBB_init(&cbb, MLKEM1024_PUBLIC_KEY_BYTES))
-                goto err;
-        if (!MLKEM1024_marshal_public_key(&cbb, public_key))
-                goto err;
-        if (!CBB_finish(&cbb, out_buf, out_len))
-                goto err;
-
-        ret = 1;
-
- err:
-        CBB_cleanup(&cbb);
-
-        return ret;
-}
-
-int
-mlkem768_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const uint8_t *ciphertext, size_t ciphertext_len, const void *private_key)
-{
-        return MLKEM768_decap(out_shared_secret, ciphertext, ciphertext_len,
-            private_key);
-}
-
-void
-mlkem768_encap(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const void *public_key)
-{
-        MLKEM768_encap(out_ciphertext, out_shared_secret, public_key);
-}
-
-void
-mlkem768_encap_external_entropy(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const void *public_key, const uint8_t entropy[MLKEM_ENCAP_ENTROPY])
-{
-        MLKEM768_encap_external_entropy(out_ciphertext, out_shared_secret,
-            public_key, entropy);
-}
-
-void
-mlkem768_generate_key(uint8_t *out_encoded_public_key,
-    uint8_t optional_out_seed[MLKEM_SEED_BYTES], void *out_private_key)
-{
-        MLKEM768_generate_key(out_encoded_public_key, optional_out_seed,
-            out_private_key);
-}
-
-void
-mlkem768_generate_key_external_entropy(uint8_t *out_encoded_public_key,
-    void *out_private_key, const uint8_t entropy[MLKEM_SEED_BYTES])
-{
-        MLKEM768_generate_key_external_entropy(out_encoded_public_key,
-            out_private_key, entropy);
-}
-
-int
-mlkem768_parse_private_key(void *out_private_key, CBS *private_key_cbs)
-{
-        return MLKEM768_parse_private_key(out_private_key, private_key_cbs);
-}
-
-int
-mlkem768_parse_public_key(void *out_public_key, CBS *public_key_cbs)
-{
-        return MLKEM768_parse_public_key(out_public_key, public_key_cbs);
-}
-
-void
-mlkem768_public_from_private(void *out_public_key, const void *private_key)
-{
-        MLKEM768_public_from_private(out_public_key, private_key);
-}
-
-int
-mlkem1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const uint8_t *ciphertext, size_t ciphertext_len, const void *private_key)
-{
-        return MLKEM1024_decap(out_shared_secret, ciphertext, ciphertext_len,
-            private_key);
-}
-
-void
-mlkem1024_encap(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const void *public_key)
-{
-        MLKEM1024_encap(out_ciphertext, out_shared_secret, public_key);
-}
-
-void
-mlkem1024_encap_external_entropy(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const void *public_key, const uint8_t entropy[MLKEM_ENCAP_ENTROPY])
-{
-        MLKEM1024_encap_external_entropy(out_ciphertext, out_shared_secret,
-            public_key, entropy);
-}
-
-void
-mlkem1024_generate_key(uint8_t *out_encoded_public_key,
-    uint8_t optional_out_seed[MLKEM_SEED_BYTES], void *out_private_key)
-{
-        MLKEM1024_generate_key(out_encoded_public_key, optional_out_seed,
-            out_private_key);
-}
-
-void
-mlkem1024_generate_key_external_entropy(uint8_t *out_encoded_public_key,
-    void *out_private_key, const uint8_t entropy[MLKEM_SEED_BYTES])
-{
-        MLKEM1024_generate_key_external_entropy(out_encoded_public_key,
-            out_private_key, entropy);
-}
-
-int
-mlkem1024_parse_private_key(void *out_private_key, CBS *private_key_cbs)
-{
-        return MLKEM1024_parse_private_key(out_private_key, private_key_cbs);
-}
-
-void
-mlkem1024_public_from_private(void *out_public_key, const void *private_key)
-{
-        MLKEM1024_public_from_private(out_public_key, private_key);
-}
-
-int
-mlkem1024_parse_public_key(void *out_public_key, CBS *public_key_cbs)
-{
-        return MLKEM1024_parse_public_key(out_public_key, public_key_cbs);
-}
diff --git a/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.h b/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.h
index 7fbe6f76a9..514a309112 100644
--- a/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.h
+++ b/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mlkem_tests_util.h,v 1.4 2024/12/26 00:04:24 tb Exp $ */
+/*      $OpenBSD: mlkem_tests_util.h,v 1.9 2025/08/15 14:47:54 tb Exp $ */
 /*
  * Copyright (c) 2024 Bob Beck <beck@obtuse.com>
  * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -22,68 +22,7 @@
 #include <stddef.h>
 #include <stdint.h>
 
-#include "bytestring.h"
-
-#include "mlkem.h"
-#include "mlkem_internal.h"
-
 int compare_data(const uint8_t *want, const uint8_t *got, size_t len,
     const char *msg);
 
-int mlkem768_encode_private_key(const void *priv, uint8_t **out_buf,
-    size_t *out_len);
-int mlkem768_encode_public_key(const void *pub, uint8_t **out_buf,
-    size_t *out_len);
-int mlkem1024_encode_private_key(const void *priv, uint8_t **out_buf,
-    size_t *out_len);
-int mlkem1024_encode_public_key(const void *pub, uint8_t **out_buf,
-    size_t *out_len);
-
-int mlkem768_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const uint8_t *ciphertext, size_t ciphertext_len, const void *priv);
-void mlkem768_encap(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], const void *pub);
-void mlkem768_encap_external_entropy(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], const void *pub,
-    const uint8_t entropy[MLKEM_ENCAP_ENTROPY]);
-void mlkem768_generate_key(uint8_t *out_encoded_public_key,
-    uint8_t optional_out_seed[MLKEM_SEED_BYTES], void *out_private_key);
-void mlkem768_generate_key_external_entropy(uint8_t *out_encoded_public_key,
-    void *out_private_key, const uint8_t entropy[MLKEM_SEED_BYTES]);
-int mlkem768_parse_private_key(void *priv, CBS *private_key_cbs);
-int mlkem768_parse_public_key(void *pub, CBS *in);
-void mlkem768_public_from_private(void *out_public_key, const void *private_key);
-
-int mlkem1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const uint8_t *ciphertext, size_t ciphertext_len, const void *priv);
-void mlkem1024_encap(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], const void *pub);
-void mlkem1024_encap_external_entropy(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], const void *pub,
-    const uint8_t entropy[MLKEM_ENCAP_ENTROPY]);
-void mlkem1024_generate_key(uint8_t *out_encoded_public_key,
-    uint8_t optional_out_seed[MLKEM_SEED_BYTES], void *out_private_key);
-void mlkem1024_generate_key_external_entropy(uint8_t *out_encoded_public_key,
-    void *out_private_key, const uint8_t entropy[MLKEM_SEED_BYTES]);
-int mlkem1024_parse_private_key(void *priv, CBS *private_key_cbs);
-int mlkem1024_parse_public_key(void *pub, CBS *in);
-void mlkem1024_public_from_private(void *out_public_key, const void *private_key);
-
-typedef int (*mlkem_encode_private_key_fn)(const void *, uint8_t **, size_t *);
-typedef int (*mlkem_encode_public_key_fn)(const void *, uint8_t **, size_t *);
-typedef int (*mlkem_decap_fn)(uint8_t [MLKEM_SHARED_SECRET_BYTES],
-    const uint8_t *, size_t, const void *);
-typedef void (*mlkem_encap_fn)(uint8_t *, uint8_t [MLKEM_SHARED_SECRET_BYTES],
-    const void *);
-typedef void (*mlkem_encap_external_entropy_fn)(uint8_t *,
-    uint8_t [MLKEM_SHARED_SECRET_BYTES], const void *,
-    const uint8_t [MLKEM_ENCAP_ENTROPY]);
-typedef void (*mlkem_generate_key_fn)(uint8_t *, uint8_t *, void *);
-typedef void (*mlkem_generate_key_external_entropy_fn)(uint8_t *, void *,
-    const uint8_t [MLKEM_SEED_BYTES]);
-typedef int (*mlkem_parse_private_key_fn)(void *, CBS *);
-typedef int (*mlkem_parse_public_key_fn)(void *, CBS *);
-typedef void (*mlkem_public_from_private_fn)(void *out_public_key,
-    const void *private_key);
-
 #endif /* MLKEM_TEST_UTIL_H */
diff --git a/src/regress/lib/libcrypto/mlkem/mlkem_unittest.c b/src/regress/lib/libcrypto/mlkem/mlkem_unittest.c
index 23b3d8b261..f802324189 100644
--- a/src/regress/lib/libcrypto/mlkem/mlkem_unittest.c
+++ b/src/regress/lib/libcrypto/mlkem/mlkem_unittest.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mlkem_unittest.c,v 1.6 2024/12/26 12:35:25 tb Exp $ */
+/*      $OpenBSD: mlkem_unittest.c,v 1.15 2025/08/17 19:26:35 tb Exp $ */
 /*
  * Copyright (c) 2024 Google Inc.
  * Copyright (c) 2024 Bob Beck <beck@obtuse.com>
@@ -22,132 +22,201 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include "bytestring.h"
-#include "mlkem.h"
+#include <openssl/mlkem.h>
 
+#include "mlkem_internal.h"
 #include "mlkem_tests_util.h"
 
-struct unittest_ctx {
-        void *priv;
-        void *pub;
-        void *priv2;
-        void *pub2;
-        uint8_t *encoded_public_key;
-        size_t encoded_public_key_len;
-        uint8_t *ciphertext;
-        size_t ciphertext_len;
-        mlkem_decap_fn decap;
-        mlkem_encap_fn encap;
-        mlkem_generate_key_fn generate_key;
-        mlkem_parse_private_key_fn parse_private_key;
-        mlkem_parse_public_key_fn parse_public_key;
-        mlkem_encode_private_key_fn encode_private_key;
-        mlkem_encode_public_key_fn encode_public_key;
-        mlkem_public_from_private_fn public_from_private;
-};
-
 static int
-MlKemUnitTest(struct unittest_ctx *ctx)
+MlKemUnitTest(int rank)
 {
-        uint8_t shared_secret1[MLKEM_SHARED_SECRET_BYTES];
-        uint8_t shared_secret2[MLKEM_SHARED_SECRET_BYTES];
+        MLKEM_private_key *priv = NULL, *priv2 = NULL, *priv3 = NULL;
+        MLKEM_public_key *pub = NULL, *pub2 = NULL, *pub3 = NULL;
+        uint8_t *encoded_public_key = NULL, *ciphertext = NULL,
+            *shared_secret2 = NULL, *shared_secret1 = NULL,
+            *encoded_private_key = NULL, *tmp_buf = NULL, *seed_buf = NULL;
+        size_t encoded_public_key_len, ciphertext_len,
+            encoded_private_key_len, tmp_buf_len;
         uint8_t first_two_bytes[2];
-        uint8_t *encoded_private_key = NULL, *tmp_buf = NULL;
-        size_t encoded_private_key_len, tmp_buf_len;
-        CBS cbs;
+        size_t s_len = 0;
         int failed = 0;
 
-        ctx->generate_key(ctx->encoded_public_key, NULL, ctx->priv);
+        if ((pub = MLKEM_public_key_new(rank)) == NULL) {
+                warnx("public_key_new");
+                failed |= 1;
+        }
+
+        if ((pub2 = MLKEM_public_key_new(rank)) == NULL) {
+                warnx("public_key_new");
+                failed |= 1;
+        }
+
+        if ((priv = MLKEM_private_key_new(rank)) == NULL) {
+                warnx("private_key_new");
+                failed |= 1;
+        }
+
+        if ((priv2 = MLKEM_private_key_new(rank)) == NULL) {
+                warnx("private_key_new");
+                failed |= 1;
+        }
+
+        if (!MLKEM_generate_key(priv, &encoded_public_key,
+            &encoded_public_key_len, &seed_buf, &s_len)) {
+                warnx("generate_key failed");
+                failed |= 1;
+        }
+
+        if (s_len != MLKEM_SEED_LENGTH) {
+                warnx("seed length %zu != %d", s_len, MLKEM_SEED_LENGTH);
+                failed |= 1;
+        }
+
+        if ((priv3 = MLKEM_private_key_new(rank)) == NULL) {
+                warnx("private_key_new");
+                failed |= 1;
+        }
+
+        if ((pub3 = MLKEM_public_key_new(rank)) == NULL) {
+                warnx("public_key_new");
+                failed |= 1;
+        }
 
-        memcpy(first_two_bytes, ctx->encoded_public_key, sizeof(first_two_bytes));
-        memset(ctx->encoded_public_key, 0xff, sizeof(first_two_bytes));
+        if (!MLKEM_private_key_from_seed(priv3, seed_buf, s_len)) {
+                warnx("private_key_from_seed failed");
+                failed |= 1;
+        }
+
+        free(seed_buf);
+        seed_buf = NULL;
 
-        CBS_init(&cbs, ctx->encoded_public_key, ctx->encoded_public_key_len);
+        if (!MLKEM_public_from_private(priv3, pub3)) {
+                warnx("public_from_private");
+                failed |= 1;
+        }
+
+        memcpy(first_two_bytes, encoded_public_key, sizeof(first_two_bytes));
+        memset(encoded_public_key, 0xff, sizeof(first_two_bytes));
 
         /* Parsing should fail because the first coefficient is >= kPrime. */
-        if (ctx->parse_public_key(ctx->pub, &cbs)) {
+        if (MLKEM_parse_public_key(pub, encoded_public_key,
+            encoded_public_key_len)) {
                 warnx("parse_public_key should have failed");
                 failed |= 1;
         }
 
-        memcpy(ctx->encoded_public_key, first_two_bytes, sizeof(first_two_bytes));
-        CBS_init(&cbs, ctx->encoded_public_key, ctx->encoded_public_key_len);
-        if (!ctx->parse_public_key(ctx->pub, &cbs)) {
-                warnx("MLKEM768_parse_public_key");
+        memcpy(encoded_public_key, first_two_bytes, sizeof(first_two_bytes));
+
+        MLKEM_public_key_free(pub);
+        if ((pub = MLKEM_public_key_new(rank)) == NULL) {
+                warnx("public_key_new");
+                failed |= 1;
+        }
+        if (!MLKEM_parse_public_key(pub, encoded_public_key,
+            encoded_public_key_len)) {
+                warnx("MLKEM_parse_public_key");
                 failed |= 1;
         }
 
-        if (CBS_len(&cbs) != 0u) {
-                warnx("CBS_len must be 0");
+        if (!MLKEM_marshal_public_key(pub, &tmp_buf, &tmp_buf_len)) {
+                warnx("marshal_public_key");
+                failed |= 1;
+        }
+        if (encoded_public_key_len != tmp_buf_len) {
+                warnx("encoded public key lengths differ %d != %d",
+                    (int) encoded_public_key_len, (int) tmp_buf_len);
                 failed |= 1;
         }
 
-        if (!ctx->encode_public_key(ctx->pub, &tmp_buf, &tmp_buf_len)) {
-                warnx("encode_public_key");
+        if (compare_data(encoded_public_key, tmp_buf, tmp_buf_len,
+            "encoded public keys") != 0) {
+                warnx("compare_data");
                 failed |= 1;
         }
-        if (ctx->encoded_public_key_len != tmp_buf_len) {
-                warnx("encoded public key lengths differ");
+        free(tmp_buf);
+        tmp_buf = NULL;
+        tmp_buf_len = 0;
+
+        if (!MLKEM_marshal_public_key(pub3, &tmp_buf, &tmp_buf_len)) {
+                warnx("marshal_public_key");
+                failed |= 1;
+        }
+        if (encoded_public_key_len != tmp_buf_len) {
+                warnx("encoded public key lengths differ %d != %d",
+                    (int) encoded_public_key_len, (int) tmp_buf_len);
                 failed |= 1;
         }
 
-        if (compare_data(ctx->encoded_public_key, tmp_buf, tmp_buf_len,
+        if (compare_data(encoded_public_key, tmp_buf, tmp_buf_len,
             "encoded public keys") != 0) {
                 warnx("compare_data");
                 failed |= 1;
         }
         free(tmp_buf);
         tmp_buf = NULL;
+        tmp_buf_len = 0;
 
-        ctx->public_from_private(ctx->pub2, ctx->priv);
-        if (!ctx->encode_public_key(ctx->pub2, &tmp_buf, &tmp_buf_len)) {
-                warnx("encode_public_key");
+        if (!MLKEM_public_from_private(priv, pub2)) {
+                warnx("public_from_private");
+                failed |= 1;
+        }
+        if (!MLKEM_marshal_public_key(pub2, &tmp_buf, &tmp_buf_len)) {
+                warnx("marshal_public_key");
                 failed |= 1;
         }
-        if (ctx->encoded_public_key_len != tmp_buf_len) {
-                warnx("encoded public key lengths differ");
+        if (encoded_public_key_len != tmp_buf_len) {
+                warnx("encoded public key lengths differ %d %d",
+                    (int) encoded_public_key_len, (int) tmp_buf_len);
                 failed |= 1;
         }
 
-        if (compare_data(ctx->encoded_public_key, tmp_buf, tmp_buf_len,
+        if (compare_data(encoded_public_key, tmp_buf, tmp_buf_len,
             "encoded public keys") != 0) {
                 warnx("compare_data");
                 failed |= 1;
         }
         free(tmp_buf);
         tmp_buf = NULL;
+        tmp_buf_len = 0;
 
-        if (!ctx->encode_private_key(ctx->priv, &encoded_private_key,
+        if (!MLKEM_marshal_private_key(priv, &encoded_private_key,
             &encoded_private_key_len)) {
-                warnx("mlkem768_encode_private_key");
+                warnx("marshal_private_key");
                 failed |= 1;
         }
 
         memcpy(first_two_bytes, encoded_private_key, sizeof(first_two_bytes));
         memset(encoded_private_key, 0xff, sizeof(first_two_bytes));
-        CBS_init(&cbs, encoded_private_key, encoded_private_key_len);
 
         /*  Parsing should fail because the first coefficient is >= kPrime. */
-        if (ctx->parse_private_key(ctx->priv2, &cbs)) {
-                warnx("MLKEM768_parse_private_key should have failed");
+        if (MLKEM_parse_private_key(priv2, encoded_private_key,
+            encoded_private_key_len)) {
+                warnx("parse_private_key should have failed");
                 failed |= 1;
         }
 
         memcpy(encoded_private_key, first_two_bytes, sizeof(first_two_bytes));
-        CBS_init(&cbs, encoded_private_key, encoded_private_key_len);
 
-        if (!ctx->parse_private_key(ctx->priv2, &cbs)) {
-                warnx("MLKEM768_parse_private_key");
+        MLKEM_private_key_free(priv2);
+        priv2 = NULL;
+
+        if ((priv2 = MLKEM_private_key_new(rank)) == NULL) {
+                warnx("private_key_new");
+                failed |= 1;
+        }
+        if (!MLKEM_parse_private_key(priv2, encoded_private_key,
+            encoded_private_key_len)) {
+                warnx("parse_private_key");
                 failed |= 1;
         }
 
-        if (!ctx->encode_private_key(ctx->priv2, &tmp_buf, &tmp_buf_len)) {
-                warnx("encode_private_key");
+        if (!MLKEM_marshal_private_key(priv2, &tmp_buf, &tmp_buf_len)) {
+                warnx("marshal_private_key");
                 failed |= 1;
         }
 
         if (encoded_private_key_len != tmp_buf_len) {
-                warnx("encode private key lengths differ");
+                warnx("encoded private key lengths differ");
                 failed |= 1;
         }
 
@@ -160,100 +229,79 @@ MlKemUnitTest(struct unittest_ctx *ctx)
         free(tmp_buf);
         tmp_buf = NULL;
 
-        ctx->encap(ctx->ciphertext, shared_secret1, ctx->pub);
-        ctx->decap(shared_secret2, ctx->ciphertext, ctx->ciphertext_len,
-            ctx->priv);
-        if (compare_data(shared_secret1, shared_secret2, MLKEM_SHARED_SECRET_BYTES,
+        if (!MLKEM_encap(pub, &ciphertext, &ciphertext_len, &shared_secret1,
+            &s_len)) {
+                warnx("encap failed using pub");
+                failed |= 1;
+        }
+
+        if (s_len != MLKEM_SHARED_SECRET_LENGTH) {
+                warnx("seed length %zu != %d", s_len,
+                    MLKEM_SHARED_SECRET_LENGTH);
+                failed |= 1;
+        }
+
+        if (!MLKEM_decap(priv, ciphertext, ciphertext_len,
+            &shared_secret2, &s_len)) {
+                warnx("decap() failed using priv");
+                failed |= 1;
+        }
+
+        if (s_len != MLKEM_SHARED_SECRET_LENGTH) {
+                warnx("seed length %zu != %d", s_len,
+                    MLKEM_SHARED_SECRET_LENGTH);
+                failed |= 1;
+        }
+
+        if (compare_data(shared_secret1, shared_secret2, s_len,
             "shared secrets with priv") != 0) {
                 warnx("compare_data");
                 failed |= 1;
         }
 
-        ctx->decap(shared_secret2, ctx->ciphertext, ctx->ciphertext_len,
-            ctx->priv2);
-        if (compare_data(shared_secret1, shared_secret2, MLKEM_SHARED_SECRET_BYTES,
+        free(shared_secret2);
+        shared_secret2 = NULL;
+
+        if (!MLKEM_decap(priv2, ciphertext, ciphertext_len,
+            &shared_secret2, &s_len)){
+                warnx("decap() failed using priv2");
+                failed |= 1;
+        }
+
+        if (s_len != MLKEM_SHARED_SECRET_LENGTH) {
+                warnx("seed length %zu != %d", s_len,
+                    MLKEM_SHARED_SECRET_LENGTH);
+                failed |= 1;
+        }
+
+        if (compare_data(shared_secret1, shared_secret2, s_len,
             "shared secrets with priv2") != 0) {
                 warnx("compare_data");
                 failed |= 1;
         }
 
+        MLKEM_public_key_free(pub);
+        MLKEM_public_key_free(pub2);
+        MLKEM_public_key_free(pub3);
+        MLKEM_private_key_free(priv);
+        MLKEM_private_key_free(priv2);
+        MLKEM_private_key_free(priv3);
+        free(encoded_public_key);
+        free(ciphertext);
         free(encoded_private_key);
+        free(shared_secret1);
+        free(shared_secret2);
 
         return failed;
 }
 
-static int
-mlkem768_unittest(void)
-{
-        struct MLKEM768_private_key mlkem768_priv, mlkem768_priv2;
-        struct MLKEM768_public_key mlkem768_pub, mlkem768_pub2;
-        uint8_t mlkem768_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES];
-        uint8_t mlkem768_ciphertext[MLKEM768_CIPHERTEXT_BYTES];
-        struct unittest_ctx mlkem768_test = {
-                .priv = &mlkem768_priv,
-                .pub = &mlkem768_pub,
-                .priv2 = &mlkem768_priv2,
-                .pub2 = &mlkem768_pub2,
-                .encoded_public_key = mlkem768_encoded_public_key,
-                .encoded_public_key_len = sizeof(mlkem768_encoded_public_key),
-                .ciphertext = mlkem768_ciphertext,
-                .ciphertext_len = sizeof(mlkem768_ciphertext),
-                .decap = mlkem768_decap,
-                .encap = mlkem768_encap,
-                .generate_key = mlkem768_generate_key,
-                .parse_private_key = mlkem768_parse_private_key,
-                .parse_public_key = mlkem768_parse_public_key,
-                .encode_private_key = mlkem768_encode_private_key,
-                .encode_public_key = mlkem768_encode_public_key,
-                .public_from_private = mlkem768_public_from_private,
-        };
-
-        return MlKemUnitTest(&mlkem768_test);
-}
-
-static int
-mlkem1024_unittest(void)
-{
-        struct MLKEM1024_private_key mlkem1024_priv, mlkem1024_priv2;
-        struct MLKEM1024_public_key mlkem1024_pub, mlkem1024_pub2;
-        uint8_t mlkem1024_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES];
-        uint8_t mlkem1024_ciphertext[MLKEM1024_CIPHERTEXT_BYTES];
-        struct unittest_ctx mlkem1024_test = {
-                .priv = &mlkem1024_priv,
-                .pub = &mlkem1024_pub,
-                .priv2 = &mlkem1024_priv2,
-                .pub2 = &mlkem1024_pub2,
-                .encoded_public_key = mlkem1024_encoded_public_key,
-                .encoded_public_key_len = sizeof(mlkem1024_encoded_public_key),
-                .ciphertext = mlkem1024_ciphertext,
-                .ciphertext_len = sizeof(mlkem1024_ciphertext),
-                .decap = mlkem1024_decap,
-                .encap = mlkem1024_encap,
-                .generate_key = mlkem1024_generate_key,
-                .parse_private_key = mlkem1024_parse_private_key,
-                .parse_public_key = mlkem1024_parse_public_key,
-                .encode_private_key = mlkem1024_encode_private_key,
-                .encode_public_key = mlkem1024_encode_public_key,
-                .public_from_private = mlkem1024_public_from_private,
-        };
-
-        return MlKemUnitTest(&mlkem1024_test);
-}
-
 int
 main(void)
 {
         int failed = 0;
 
-        /*
-         * XXX - this is split into two helper functions since having a few
-         * ML-KEM key blobs on the stack makes Emscripten's stack explode,
-         * leading to inscrutable silent failures unles ASAN is enabled.
-         * Go figure.
-         */
-
-        failed |= mlkem768_unittest();
-        failed |= mlkem1024_unittest();
+        failed |= MlKemUnitTest(RANK768);
+        failed |= MlKemUnitTest(RANK1024);
 
         return failed;
 }
diff --git a/src/regress/lib/libcrypto/mlkem/parse_test_file.c b/src/regress/lib/libcrypto/mlkem/parse_test_file.c
index b68dc50431..9f3e5f3a1a 100644
--- a/src/regress/lib/libcrypto/mlkem/parse_test_file.c
+++ b/src/regress/lib/libcrypto/mlkem/parse_test_file.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: parse_test_file.c,v 1.4 2025/04/13 09:14:56 tb Exp $ */
+/*      $OpenBSD: parse_test_file.c,v 1.6 2025/06/03 10:29:37 tb Exp $ */
 
 /*
  * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -646,7 +646,8 @@ parse_reinit(struct parse *p)
         p->state.running_test_case = 0;
         parse_line_data_clear(p);
         tctx->finish(p->ctx);
-        tctx->init(p->ctx, p);
+        if (!tctx->init(p->ctx, p))
+                parse_errx(p, "init failed");
 }
 
 static int
@@ -708,7 +709,8 @@ parse_init(struct parse *p, const char *fn, const struct test_parse *tctx,
         parse_state_init(&p->state, tctx->num_states, tctx->num_instructions);
         p->tctx = tctx;
         p->ctx = ctx;
-        tctx->init(ctx, p);
+        if (!tctx->init(p->ctx, p))
+                parse_errx(p, "init failed");
 }
 
 static int
@@ -734,7 +736,10 @@ parse_next_line(struct parse *p)
 static void
 parse_finish(struct parse *p)
 {
+        const struct test_parse *tctx = p->tctx;
+
         parse_state_finish(&p->state);
+        tctx->finish(p->ctx);
 
         free(p->buf);
 
diff --git a/src/regress/lib/libcrypto/sha/Makefile b/src/regress/lib/libcrypto/sha/Makefile
index 6ec223116d..c6ab0398ba 100644
--- a/src/regress/lib/libcrypto/sha/Makefile
+++ b/src/regress/lib/libcrypto/sha/Makefile
@@ -1,9 +1,15 @@
-#       $OpenBSD: Makefile,v 1.5 2022/09/01 14:02:41 tb Exp $
+#       $OpenBSD: Makefile,v 1.6 2025/05/22 03:35:40 joshua Exp $
 
 PROG =          sha_test
 LDADD =         -lcrypto
 DPADD =         ${LIBCRYPTO}
 WARNINGS =      Yes
 CFLAGS +=       -DLIBRESSL_INTERNAL -Werror
+CFLAGS +=       -I${.CURDIR}/../test
+SRCS +=         sha_test.c
+SRCS +=         test.c
+SRCS +=         test_util.c
+
+.PATH: ${.CURDIR}/../test
 
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/sha/sha_test.c b/src/regress/lib/libcrypto/sha/sha_test.c
index 82a0c4cceb..904924c890 100644
--- a/src/regress/lib/libcrypto/sha/sha_test.c
+++ b/src/regress/lib/libcrypto/sha/sha_test.c
@@ -1,6 +1,6 @@
-/*      $OpenBSD: sha_test.c,v 1.6 2023/07/19 15:11:42 joshua Exp $ */
+/*      $OpenBSD: sha_test.c,v 1.7 2025/05/22 03:35:40 joshua Exp $ */
 /*
- * Copyright (c) 2022, 2023 Joshua Sing <joshua@hypera.dev>
+ * Copyright (c) 2022, 2023, 2025 Joshua Sing <joshua@joshuasing.dev>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -21,6 +21,8 @@
 #include <stdint.h>
 #include <string.h>
 
+#include "test.h"
+
 struct sha_test {
         const int algorithm;
         const uint8_t in[128];
@@ -677,260 +679,240 @@ typedef unsigned char *(*sha_hash_func)(const unsigned char *, size_t,
     unsigned char *);
 
 static int
-sha_hash_from_algorithm(int algorithm, const char **out_label,
-    sha_hash_func *out_func, const EVP_MD **out_md, size_t *out_len)
+sha_hash_from_algorithm(int algorithm, sha_hash_func *out_func,
+    const EVP_MD **out_md)
 {
-        const char *label;
         sha_hash_func sha_func;
         const EVP_MD *md;
-        size_t len;
 
         switch (algorithm) {
         case NID_sha1:
-                label = SN_sha1;
                 sha_func = SHA1;
                 md = EVP_sha1();
-                len = SHA_DIGEST_LENGTH;
                 break;
         case NID_sha224:
-                label = SN_sha224;
                 sha_func = SHA224;
                 md = EVP_sha224();
-                len = SHA224_DIGEST_LENGTH;
                 break;
         case NID_sha256:
-                label = SN_sha256;
                 sha_func = SHA256;
                 md = EVP_sha256();
-                len = SHA256_DIGEST_LENGTH;
                 break;
         case NID_sha384:
-                label = SN_sha384;
                 sha_func = SHA384;
                 md = EVP_sha384();
-                len = SHA384_DIGEST_LENGTH;
                 break;
         case NID_sha512:
-                label = SN_sha512;
                 sha_func = SHA512;
                 md = EVP_sha512();
-                len = SHA512_DIGEST_LENGTH;
                 break;
         case NID_sha3_224:
-                label = SN_sha3_224;
                 sha_func = NULL;
                 md = EVP_sha3_224();
-                len = 224 / 8;
                 break;
         case NID_sha3_256:
-                label = SN_sha3_256;
                 sha_func = NULL;
                 md = EVP_sha3_256();
-                len = 256 / 8;
                 break;
         case NID_sha3_384:
-                label = SN_sha3_384;
                 sha_func = NULL;
                 md = EVP_sha3_384();
-                len = 384 / 8;
                 break;
         case NID_sha3_512:
-                label = SN_sha3_512;
                 sha_func = NULL;
                 md = EVP_sha3_512();
-                len = 512 / 8;
                 break;
         default:
-                fprintf(stderr, "FAIL: unknown algorithm (%d)\n",
-                    algorithm);
                 return 0;
         }
 
-        if (out_label != NULL)
-                *out_label = label;
         if (out_func != NULL)
                 *out_func = sha_func;
         if (out_md != NULL)
                 *out_md = md;
-        if (out_len != NULL)
-                *out_len = len;
 
         return 1;
 }
 
-static int
-sha_test(void)
+static void
+test_sha_tv(struct test *t, const void *arg)
 {
+        const struct sha_test *st = arg;
         sha_hash_func sha_func;
-        const struct sha_test *st;
         EVP_MD_CTX *hash = NULL;
         const EVP_MD *md;
         uint8_t out[EVP_MAX_MD_SIZE];
         size_t in_len, out_len;
-        size_t i;
-        const char *label;
-        int failed = 1;
 
         if ((hash = EVP_MD_CTX_new()) == NULL) {
-                fprintf(stderr, "FAIL: EVP_MD_CTX_new() failed\n");
-                goto failed;
+                test_errorf(t, "EVP_MD_CTX_new()");
+                goto fail;
         }
 
-        for (i = 0; i < N_SHA_TESTS; i++) {
-                st = &sha_tests[i];
-                if (!sha_hash_from_algorithm(st->algorithm, &label, &sha_func,
-                    &md, &out_len))
-                        goto failed;
-
-                /* Digest */
-                if (sha_func != NULL) {
-                        memset(out, 0, sizeof(out));
-                        sha_func(st->in, st->in_len, out);
-                        if (memcmp(st->out, out, out_len) != 0) {
-                                fprintf(stderr, "FAIL (%s:%zu): mismatch\n",
-                                    label, i);
-                                goto failed;
-                        }
-                }
+        if (!sha_hash_from_algorithm(st->algorithm, &sha_func, &md))
+                goto fail;
 
-                /* EVP single-shot digest */
-                memset(out, 0, sizeof(out));
-                if (!EVP_Digest(st->in, st->in_len, out, NULL, md, NULL)) {
-                        fprintf(stderr, "FAIL (%s:%zu): EVP_Digest failed\n",
-                            label, i);
-                        goto failed;
-                }
+        out_len = EVP_MD_size(md);
 
+        /* Digest */
+        if (sha_func != NULL) {
+                memset(out, 0, sizeof(out));
+                sha_func(st->in, st->in_len, out);
                 if (memcmp(st->out, out, out_len) != 0) {
-                        fprintf(stderr,
-                            "FAIL (%s:%zu): EVP single-shot mismatch\n",
-                            label, i);
-                        goto failed;
+                        test_errorf(t, "SHA: digest output mismatch");
+                        test_hexdiff(t, out, out_len, st->out);
                 }
+        }
 
-                /* EVP digest */
-                memset(out, 0, sizeof(out));
-                if (!EVP_DigestInit_ex(hash, md, NULL)) {
-                        fprintf(stderr,
-                            "FAIL (%s:%zu): EVP_DigestInit_ex failed\n",
-                            label, i);
-                        goto failed;
-                }
+        /* EVP single-shot digest */
+        memset(out, 0, sizeof(out));
+        if (!EVP_Digest(st->in, st->in_len, out, NULL, md, NULL)) {
+                test_errorf(t, "EVP_Digest()");
+                goto fail;
+        }
 
-                in_len = st->in_len / 2;
-                if (!EVP_DigestUpdate(hash, st->in, in_len)) {
-                        fprintf(stderr,
-                            "FAIL (%s:%zu): EVP_DigestUpdate first half "
-                            "failed\n", label, i);
-                        goto failed;
-                }
+        if (memcmp(st->out, out, out_len) != 0) {
+                test_errorf(t, "EVP single-shot: output diget mismatch");
+                test_hexdiff(t, out, out_len, st->out);
+        }
 
-                if (!EVP_DigestUpdate(hash, st->in + in_len,
-                    st->in_len - in_len)) {
-                        fprintf(stderr,
-                            "FAIL (%s:%zu): EVP_DigestUpdate second half "
-                            "failed\n", label, i);
-                        goto failed;
-                }
+        /* EVP digest */
+        memset(out, 0, sizeof(out));
+        if (!EVP_DigestInit_ex(hash, md, NULL)) {
+                test_errorf(t, "EVP_DigestInit_ex() ");
+                goto fail;
+        }
 
-                if (!EVP_DigestFinal_ex(hash, out, NULL)) {
-                        fprintf(stderr,
-                            "FAIL (%s:%zu): EVP_DigestFinal_ex failed\n",
-                            label, i);
-                        goto failed;
-                }
+        in_len = st->in_len / 2;
+        if (!EVP_DigestUpdate(hash, st->in, in_len)) {
+                test_errorf(t, "EVP_DigestUpdate() first half");
+                goto fail;
+        }
 
-                if (memcmp(st->out, out, out_len) != 0) {
-                        fprintf(stderr, "FAIL (%s:%zu): EVP mismatch\n",
-                            label, i);
-                        goto failed;
-                }
+        if (!EVP_DigestUpdate(hash, st->in + in_len,
+            st->in_len - in_len)) {
+                test_errorf(t, "EVP_DigestUpdate() second half");
+                goto fail;
         }
 
-        failed = 0;
+        if (!EVP_DigestFinal_ex(hash, out, NULL)) {
+                test_errorf(t, "EVP_DigestFinal_ex()");
+                goto fail;
+        }
 
- failed:
+        if (memcmp(st->out, out, out_len) != 0) {
+                test_errorf(t, "EVP: digest output mismatch");
+                test_hexdiff(t, out, out_len, st->out);
+        }
+
+
+ fail:
         EVP_MD_CTX_free(hash);
-        return failed;
 }
 
-static int
-sha_repetition_test(void)
+static void
+test_sha(struct test *t, const void *arg)
 {
-        const struct sha_repetition_test *st;
+        const struct sha_test *st;
+        size_t i;
+        char *name;
+
+        for (i = 0; i < N_SHA_TESTS; i++) {
+                st = &sha_tests[i];
+                if (asprintf(&name, "%s: '%s'", OBJ_nid2sn(st->algorithm), st->in) == -1) {
+                        test_errorf(t, "create test name failed");
+                        return;
+                }
+
+                test_run(t, name, test_sha_tv, st);
+                free(name);
+        }
+}
+
+static void
+test_sha_repetition_tv(struct test *t, const void *arg)
+{
+        const struct sha_repetition_test *st = arg;
         EVP_MD_CTX *hash = NULL;
         const EVP_MD *md;
         uint8_t buf[1024];
         uint8_t out[EVP_MAX_MD_SIZE];
         size_t out_len, part_len;
-        size_t i, j;
-        const char *label;
-        int failed = 1;
+        size_t i;
 
         if ((hash = EVP_MD_CTX_new()) == NULL) {
-                fprintf(stderr, "FAIL: EVP_MD_CTX_new() failed\n");
-                goto failed;
+                test_errorf(t, "EVP_MD_CTX_new()");
+                goto fail;
         }
 
-        for (i = 0; i < N_SHA_REPETITION_TESTS; i++) {
-                st = &sha_repetition_tests[i];
-                if (!sha_hash_from_algorithm(st->algorithm, &label, NULL, &md,
-                    &out_len))
-                        goto failed;
-
-                /* EVP digest */
-                if (!EVP_DigestInit_ex(hash, md, NULL)) {
-                        fprintf(stderr,
-                            "FAIL (%s:%zu): EVP_DigestInit_ex failed\n",
-                            label, i);
-                        goto failed;
-                }
+        if (!sha_hash_from_algorithm(st->algorithm, NULL, &md))
+                goto fail;
 
-                memset(buf, st->in, sizeof(buf));
+        out_len = EVP_MD_size(md);
 
-                for (j = 0; j < st->in_repetitions;) {
-                        part_len = arc4random_uniform(sizeof(buf));
-                        if (part_len > st->in_repetitions - j)
-                                part_len = st->in_repetitions - j;
+        /* EVP digest */
+        if (!EVP_DigestInit_ex(hash, md, NULL)) {
+                test_errorf(t, "EVP_DigestInit_ex()");
+                goto fail;
+        }
 
-                        if (!EVP_DigestUpdate(hash, buf, part_len)) {
-                                fprintf(stderr,
-                                    "FAIL (%s:%zu): EVP_DigestUpdate failed\n",
-                                    label, i);
-                                goto failed;
-                        }
+        memset(buf, st->in, sizeof(buf));
 
-                        j += part_len;
-                }
+        for (i = 0; i < st->in_repetitions;) {
+                part_len = arc4random_uniform(sizeof(buf));
+                if (part_len > st->in_repetitions - i)
+                        part_len = st->in_repetitions - i;
 
-                if (!EVP_DigestFinal_ex(hash, out, NULL)) {
-                        fprintf(stderr,
-                            "FAIL (%s:%zu): EVP_DigestFinal_ex failed\n",
-                            label, i);
-                        goto failed;
+                if (!EVP_DigestUpdate(hash, buf, part_len)) {
+                        test_errorf(t, "EVP_DigestUpdate()");
+                        goto fail;
                 }
 
-                if (memcmp(st->out, out, out_len) != 0) {
-                        fprintf(stderr, "FAIL (%s:%zu): EVP mismatch\n",
-                            label, i);
-                        goto failed;
-                }
+                i += part_len;
+        }
+
+        if (!EVP_DigestFinal_ex(hash, out, NULL)) {
+                test_errorf(t, "EVP_DigestFinal_ex()");
+                goto fail;
         }
 
-        failed = 0;
+        if (memcmp(st->out, out, out_len) != 0) {
+                test_errorf(t, "EVP: digest output mismatch");
+                test_hexdiff(t, out, out_len, st->out);
+                goto fail;
+        }
 
- failed:
+ fail:
         EVP_MD_CTX_free(hash);
-        return failed;
+}
+
+static void
+test_sha_repetition(struct test *t, const void *arg)
+{
+        const struct sha_repetition_test *st;
+        size_t i;
+        char *name;
+
+        for (i = 0; i < N_SHA_REPETITION_TESTS; i++) {
+                st = &sha_repetition_tests[i];
+                if (asprintf(&name, "%s: '%hhu' x %zu", OBJ_nid2sn(st->algorithm),
+                    st->in, st->in_repetitions) == -1) {
+                        test_errorf(t, "create test name failed");
+                        return;
+                }
+
+                test_run(t, name, test_sha_repetition_tv, st);
+                free(name);
+        }
 }
 
 int
 main(int argc, char **argv)
 {
-        int failed = 0;
+        struct test *t = test_init();
 
-        failed |= sha_test();
-        failed |= sha_repetition_test();
+        test_run(t, "sha", test_sha, NULL);
+        test_run(t, "sha repetition", test_sha_repetition, NULL);
 
-        return failed;
+        return test_result(t);
 }
diff --git a/src/regress/lib/libcrypto/test/test.c b/src/regress/lib/libcrypto/test/test.c
new file mode 100644
index 0000000000..1188ec34ef
--- /dev/null
+++ b/src/regress/lib/libcrypto/test/test.c
@@ -0,0 +1,226 @@
+/*      $OpenBSD: test.c,v 1.4 2025/05/31 11:36:48 tb Exp $ */
+/*
+ * Copyright (c) 2025 Joshua Sing <joshua@joshuasing.dev>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <err.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "test.h"
+
+struct test {
+        struct test *parent;
+        char *name;
+        FILE *out;
+        int skipped;
+        int failed;
+};
+
+static struct test *
+test_new(struct test *pt, const char *name)
+{
+        struct test *t;
+
+        if ((t = calloc(1, sizeof(*t))) == NULL)
+                err(1, "calloc");
+
+        if (name != NULL) {
+                if ((t->name = strdup(name)) == NULL)
+                        err(1, "strdup");
+        }
+
+        if (pt != NULL)
+                t->out = pt->out;
+        t->parent = pt;
+
+        return t;
+}
+
+struct test *
+test_init(void)
+{
+        struct test *t;
+        char *tmp_file;
+        int out_fd;
+        char *v;
+
+        t = test_new(NULL, NULL);
+        t->out = stderr;
+
+        if (((v = getenv("TEST_VERBOSE")) != NULL) && strcmp(v, "0") != 0)
+                return t;
+
+        /* Create a temporary file for logging in non-verbose mode */
+        if ((tmp_file = strdup("/tmp/libressl-test.XXXXXXXX")) == NULL)
+                err(1, "strdup");
+        if ((out_fd = mkstemp(tmp_file)) == -1)
+                err(1, "mkstemp");
+
+        unlink(tmp_file);
+        free(tmp_file);
+        if ((t->out = fdopen(out_fd, "w+")) == NULL)
+                err(1, "fdopen");
+
+        return t;
+}
+
+static void
+test_cleanup(struct test *t)
+{
+        free(t->name);
+        free(t);
+}
+
+int
+test_result(struct test *t)
+{
+        int failed = t->failed;
+
+        if (t->parent == NULL && t->out != stderr)
+                fclose(t->out);
+
+        test_cleanup(t);
+
+        return failed;
+}
+
+void
+test_fail(struct test *t)
+{
+        t->failed = 1;
+
+        /* Also fail parent. */
+        if (t->parent != NULL)
+                test_fail(t->parent);
+}
+
+static void
+test_vprintf(struct test *t, const char *fmt, va_list ap)
+{
+        if (vfprintf(t->out, fmt, ap) == -1)
+                err(1, "vfprintf");
+}
+
+void
+test_printf(struct test *t, const char *fmt, ...)
+{
+        va_list ap;
+
+        va_start(ap, fmt);
+        test_vprintf(t, fmt, ap);
+        va_end(ap);
+}
+
+static void
+test_vlogf_internal(struct test *t, const char *label, const char *func,
+    const char *file, int line, const char *fmt, va_list ap)
+{
+        char *msg = NULL;
+        char *l = ": ";
+        const char *filename;
+
+        if (label == NULL) {
+                label = "";
+                l = "";
+        }
+
+        if (vasprintf(&msg, fmt, ap) == -1)
+                err(1, "vasprintf");
+
+        if ((filename = strrchr(file, '/')) != NULL)
+                filename++;
+        else
+                filename = file;
+
+        test_printf(t, "%s [%s:%d]%s%s: %s\n",
+            func, filename, line, l, label, msg);
+
+        free(msg);
+}
+
+void
+test_logf_internal(struct test *t, const char *label, const char *func,
+    const char *file, int line, const char *fmt, ...)
+{
+        va_list ap;
+
+        va_start(ap, fmt);
+        test_vlogf_internal(t, label, func, file, line, fmt, ap);
+        va_end(ap);
+}
+
+void
+test_skip(struct test *t, const char *reason)
+{
+        t->skipped = 1;
+        test_printf(t, "%s\n", reason);
+}
+
+void
+test_skipf(struct test *t, const char *fmt, ...)
+{
+        va_list ap;
+
+        t->skipped = 1;
+
+        va_start(ap, fmt);
+        test_vprintf(t, fmt, ap);
+        if (fputc('\n', t->out) == EOF)
+                err(1, "fputc");
+        va_end(ap);
+}
+
+void
+test_run(struct test *pt, const char *name, test_run_func *fn, const void *arg)
+{
+        struct test *t = test_new(pt, name);
+        char *status = "PASS";
+        char buf[1024];
+        size_t buflen;
+        int ferr;
+
+        /* Run test */
+        test_printf(t, "=== RUN   %s\n", t->name);
+        fn(t, arg);
+
+        if (t->skipped)
+                status = "SKIP";
+        if (t->failed)
+                status = "FAIL";
+
+        test_printf(t, "--- %s: %s\n\n", status, t->name);
+
+        /* Print result of test */
+        if (t->failed && t->out != stderr) {
+                /* Copy logs to stderr */
+                rewind(t->out);
+                while ((buflen = fread(buf, 1, sizeof(buf), t->out)) > 0)
+                        fwrite(buf, 1, buflen, stderr);
+                if ((ferr = ferror(t->out)) != 0)
+                        errx(1, "ferror: %d", ferr);
+        }
+
+        if (t->out != NULL && t->out != stderr)  {
+                /* Reset output file */
+                rewind(t->out);
+                ftruncate(fileno(t->out), 0);
+        }
+
+        test_cleanup(t);
+}
diff --git a/src/regress/lib/libcrypto/test/test.h b/src/regress/lib/libcrypto/test/test.h
new file mode 100644
index 0000000000..1c8391d4ec
--- /dev/null
+++ b/src/regress/lib/libcrypto/test/test.h
@@ -0,0 +1,137 @@
+/*      $OpenBSD: test.h,v 1.4 2025/05/31 11:37:18 tb Exp $ */
+/*
+ * Copyright (c) 2025 Joshua Sing <joshua@joshuasing.dev>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HEADER_TEST_H
+#define HEADER_TEST_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+struct test;
+
+/*
+ * test_init creates a new root test struct.
+ *
+ * Additional tests may be run under the root test struct by calling test_run.
+ *
+ * If the TEST_VERBOSE environment variable is set and not equal to "0", then
+ * verbose mode will be enabled and all test logs will be written to stderr.
+ */
+struct test *test_init(void);
+
+/*
+ * test_result cleans up after all tests have completed and returns an
+ * appropriate exit code indicating the result of the tests.
+ */
+int test_result(struct test *_t);
+
+/*
+ * test_run_func is an individual test function. It is passed the test struct
+ * and an arbitrary argument which may be passed when test_run is called.
+ */
+typedef void (test_run_func)(struct test *_t, const void *_arg);
+
+/*
+ * test_fail marks the test and its parents as failed.
+ */
+void test_fail(struct test *_t);
+
+/*
+ * test_printf prints a test log message. When in verbose mode, the log message
+ * will be written to stderr, otherwise it will be buffered and only written to
+ * stderr if the test fails.
+ *
+ * This printf will write directly, without any additional formatting.
+ */
+void test_printf(struct test *_t, const char *_fmt, ...)
+    __attribute__((__format__ (printf, 2, 3)))
+    __attribute__((__nonnull__ (2)));
+
+/*
+ * test_logf_internal prints a test log message. When in verbose mode, the
+ * log message will be written to stderr, otherwise it will be buffered and
+ * only written to stderr if the test fails.
+ *
+ * label is an optional label indicating the severity of the log.
+ * func, file and line are used to show where the log comes from and are
+ * automatically set in the test log macros.
+ *
+ * This function should never be called directly.
+ */
+void test_logf_internal(struct test *_t, const char *_label, const char *_func,
+    const char *_file, int _line, const char *_fmt, ...)
+    __attribute__((__format__ (printf, 6, 7)))
+    __attribute__((__nonnull__ (6)));
+
+/*
+ * test_logf prints an informational log message. When in verbose mode, the log
+ * will be written to stderr, otherwise it will be buffered and only written to
+ * stderr if the test fails.
+ */
+#define test_logf(t, fmt, ...) \
+    do { \
+        test_logf_internal(t, NULL, __func__, __FILE__, __LINE__, fmt, ##__VA_ARGS__); \
+    } while (0)
+
+/*
+ * test_errorf prints an error message. It will also cause the test to fail.
+ * If the test cannot proceed, it is recommended to return or goto a cleanup
+ * label.
+ *
+ * Tests should not fail-fast if continuing will provide more detailed
+ * information about what is broken.
+ */
+#define test_errorf(t, fmt, ...) \
+    do { \
+        test_logf_internal(t, "ERROR", __func__, __FILE__, __LINE__, fmt, ##__VA_ARGS__); \
+        test_fail(t); \
+    } while (0)
+
+/*
+ * test_skip marks the test as skipped. Once called, the test should return.
+ */
+void test_skip(struct test *_t, const char *_reason);
+
+/*
+ * test_skipf marks the test as skipped with a formatted reason. Once called,
+ * the test should return.
+ */
+void test_skipf(struct test *_t, const char *_fmt, ...)
+    __attribute__((__format__ (printf, 2, 3)))
+    __attribute__((__nonnull__ (2)));
+
+/*
+ * test_run runs a test function. It will create a new test struct with the
+ * given test as the parent. An argument may be provided to pass data to the
+ * test function, otherwise NULL should be passed.
+ *
+ * Each test should have a unique and informational name.
+ */
+void test_run(struct test *_t, const char *_name, test_run_func *_fn, const void *_arg);
+
+/*
+ * test_hexdump prints the given data as hexadecimal.
+ */
+void test_hexdump(struct test *_t, const unsigned char *_buf, size_t _len);
+
+/*
+ * test_hexdiff prints the given data as hexadecimal. If a second comparison
+ * buffer is not NULL, any differing bytes will be marked with an astrix.
+ */
+void test_hexdiff(struct test *_t, const uint8_t *_buf, size_t _len, const uint8_t *_compare);
+
+#endif /* HEADER_TEST_H */
diff --git a/src/regress/lib/libcrypto/test/test_util.c b/src/regress/lib/libcrypto/test/test_util.c
new file mode 100644
index 0000000000..6ecb574788
--- /dev/null
+++ b/src/regress/lib/libcrypto/test/test_util.c
@@ -0,0 +1,51 @@
+/*      $OpenBSD: test_util.c,v 1.1 2025/05/21 08:57:13 joshua Exp $ */
+/*
+ * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
+ * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+
+#include "test.h"
+
+void
+test_hexdump(struct test *t, const unsigned char *buf, size_t len)
+{
+        size_t i;
+
+        for (i = 1; i <= len; i++)
+                test_printf(t, " 0x%02x,%s", buf[i - 1], i % 8 ? "" : "\n");
+
+        if ((len % 8) != 0)
+                test_printf(t, "\n");
+}
+
+void
+test_hexdiff(struct test *t, const uint8_t *buf, size_t len, const uint8_t *compare)
+{
+        const char *mark = "", *newline;
+        size_t i;
+
+        for (i = 1; i <= len; i++) {
+                if (compare != NULL)
+                        mark = (buf[i - 1] != compare[i - 1]) ? "*" : " ";
+                newline = i % 8 ? "" : "\n";
+                test_printf(t, " %s0x%02x,%s", mark, buf[i - 1], newline);
+        }
+
+        if ((len % 8) != 0)
+                test_printf(t, "\n");
+}
diff --git a/src/regress/lib/libcrypto/wycheproof/Makefile b/src/regress/lib/libcrypto/wycheproof/Makefile
index f2f7910b5b..a68a270580 100644
--- a/src/regress/lib/libcrypto/wycheproof/Makefile
+++ b/src/regress/lib/libcrypto/wycheproof/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.9 2023/07/08 19:41:07 tb Exp $
+# $OpenBSD: Makefile,v 1.10 2025/07/09 05:04:35 tb Exp $
 
 WYCHEPROOF_TESTVECTORS = /usr/local/share/wycheproof/testvectors/
 
@@ -18,11 +18,17 @@ REGRESS_TARGETS += regress-wycheproof
 CLEANFILES +=   wycheproof
 
 wycheproof: wycheproof.go
-        go build -o wycheproof ${.CURDIR}/wycheproof.go
+        env GOCACHE=${.OBJDIR}/go-build go build -o wycheproof ${.CURDIR}/wycheproof.go
 
 regress-wycheproof: wycheproof
         ./wycheproof
 
+REGRESS_CLEANUP =       clean-go-cache
+
+clean-go-cache:
+        env GOCACHE=${.OBJDIR}/go-build go clean -cache
+        rm -rf ${.OBJDIR}/go-build
+
 . endif
 
 PROGS += wycheproof-primes
diff --git a/src/regress/lib/libcrypto/x509/Makefile b/src/regress/lib/libcrypto/x509/Makefile
index 19e65efddd..94e9e476a0 100644
--- a/src/regress/lib/libcrypto/x509/Makefile
+++ b/src/regress/lib/libcrypto/x509/Makefile
@@ -1,6 +1,6 @@
-#       $OpenBSD: Makefile,v 1.24 2025/03/15 06:37:49 tb Exp $
+#       $OpenBSD: Makefile,v 1.25 2025/05/05 06:33:34 tb Exp $
 
-PROGS = constraints verify x509attribute x509name x509req_ext callback
+PROGS = constraints verify x509attribute x509req_ext callback
 PROGS += expirecallback callbackfailures x509_asn1 x509_extensions_test
 PROGS += x509_name_test
 LDADD = -lcrypto
@@ -16,7 +16,7 @@ CFLAGS +=	-I${.CURDIR}/../../../../lib/libcrypto/bytestring
 
 SUBDIR += bettertls policy rfc3779
 
-CLEANFILES +=   x509name.result callback.out
+CLEANFILES +=   callback.out
 
 .if make(clean) || make(cleandir)
 . if ${.OBJDIR} != ${.CURDIR}
@@ -29,10 +29,6 @@ run-regress-verify: verify
         perl ${.CURDIR}/make-dir-roots.pl ${.CURDIR}/../certs .
         ./verify ${.CURDIR}/../certs
 
-run-regress-x509name: x509name
-        ./x509name > x509name.result
-        diff -u ${.CURDIR}/x509name.expected x509name.result
-
 run-regress-callback: callback
         ./callback ${.CURDIR}/../certs
         perl ${.CURDIR}/callback.pl callback.out
diff --git a/src/regress/lib/libcrypto/x509/bettertls/Makefile b/src/regress/lib/libcrypto/x509/bettertls/Makefile
index 2724140635..2a06239fc5 100644
--- a/src/regress/lib/libcrypto/x509/bettertls/Makefile
+++ b/src/regress/lib/libcrypto/x509/bettertls/Makefile
@@ -1,10 +1,10 @@
-#       $OpenBSD: Makefile,v 1.6 2024/12/27 08:02:27 tb Exp $
+#       $OpenBSD: Makefile,v 1.7 2025/07/23 07:46:12 tb Exp $
 
 PROGS =         verify
 
-.ifdef EOPENSSL33
-LDADD +=        -Wl,-rpath,/usr/local/lib/eopenssl33 -L/usr/local/lib/eopenssl33
-CFLAGS +=       -I/usr/local/include/eopenssl33/
+.ifdef EOPENSSL35
+LDADD +=        -Wl,-rpath,/usr/local/lib/eopenssl35 -L/usr/local/lib/eopenssl35
+CFLAGS +=       -I/usr/local/include/eopenssl35/
 .endif
 
 LDADD +=        -lcrypto
diff --git a/src/regress/lib/libcrypto/x509/x509_name_test.c b/src/regress/lib/libcrypto/x509/x509_name_test.c
index eaf7076d74..24e62cc766 100644
--- a/src/regress/lib/libcrypto/x509/x509_name_test.c
+++ b/src/regress/lib/libcrypto/x509/x509_name_test.c
@@ -1,7 +1,9 @@
-/*      $OpenBSD: x509_name_test.c,v 1.2 2025/03/19 11:19:17 tb Exp $ */
+/*      $OpenBSD: x509_name_test.c,v 1.3 2025/05/05 06:33:34 tb Exp $ */
 
 /*
  * Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
+ * Copyright (c) 2025 Kenjiro Nakayama <nakayamakenjiro@gmail.com>
+ * Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -288,12 +290,131 @@ x509_name_compat_test(void)
         return failed;
 }
 
+static const struct x509_name_entry_test {
+        const char *field;
+        const char *value;
+        int loc;
+        int set;
+        const char *expected_str;
+        const int expected_set[4];
+        const int expected_count;
+} entry_tests[] = {
+        {
+                .field = "ST",
+                .value = "BaWue",
+                .loc = -1,
+                .set = 0,
+                .expected_str = "ST=BaWue",
+                .expected_set = { 0 },
+                .expected_count = 1,
+        },
+        {
+                .field = "O",
+                .value = "KIT",
+                .loc = -1,
+                .set = 0,
+                .expected_str = "ST=BaWue, O=KIT",
+                .expected_set = { 0, 1 },
+                .expected_count = 2,
+        },
+        {
+                .field = "L",
+                .value = "Karlsruhe",
+                .loc = 1,
+                .set = 0,
+                .expected_str = "ST=BaWue, L=Karlsruhe, O=KIT",
+                .expected_set = { 0, 1, 2 },
+                .expected_count = 3,
+        },
+        {
+                .field = "C",
+                .value = "DE",
+                .loc = 0,
+                .set = 1,
+                .expected_str = "C=DE + ST=BaWue, L=Karlsruhe, O=KIT",
+                .expected_set = { 0, 0, 1, 2 },
+                .expected_count = 4,
+        },
+};
+
+#define N_ENTRY_TESTS (sizeof(entry_tests) / sizeof(entry_tests[0]))
+
+static int
+verify_x509_name_output(X509_NAME *name, const struct x509_name_entry_test *tc)
+{
+        BIO *bio;
+        char *got;
+        long got_len;
+        int loc, ret;
+        int failed = 1;
+
+        if ((bio = BIO_new(BIO_s_mem())) == NULL)
+                goto fail;
+
+        if ((ret = X509_NAME_print_ex(bio, name, 0, XN_FLAG_SEP_CPLUS_SPC)) == -1)
+                goto fail;
+
+        if ((got_len = BIO_get_mem_data(bio, &got)) < 0)
+                goto fail;
+
+        if (ret != got_len || strlen(tc->expected_str) != (size_t)ret)
+                goto fail;
+
+        if (strncmp(tc->expected_str, got, got_len) != 0)
+                goto fail;
+
+        if (X509_NAME_entry_count(name) != tc->expected_count)
+                goto fail;
+
+        for (loc = 0; loc < X509_NAME_entry_count(name); loc++) {
+                X509_NAME_ENTRY *e = X509_NAME_get_entry(name, loc);
+                if (e == NULL || X509_NAME_ENTRY_set(e) != tc->expected_set[loc])
+                        goto fail;
+        }
+
+        failed = 0;
+
+ fail:
+        BIO_free(bio);
+
+        return failed;
+}
+
+static int
+x509_name_add_entry_test(void)
+{
+        X509_NAME *name;
+        int failed = 1;
+
+        if ((name = X509_NAME_new()) == NULL)
+                goto done;
+
+        for (size_t i = 0; i < N_ENTRY_TESTS; i++) {
+                const struct x509_name_entry_test *t = &entry_tests[i];
+
+                if (!X509_NAME_add_entry_by_txt(name, t->field, MBSTRING_ASC,
+                    (const unsigned char *)t->value, -1, t->loc, t->set))
+                        goto done;
+
+                if (verify_x509_name_output(name, t))
+                        goto done;
+        }
+
+        failed = 0;
+
+ done:
+        X509_NAME_free(name);
+
+        return failed;
+}
+
 int
 main(void)
 {
         int failed = 0;
 
         failed |= x509_name_compat_test();
+        failed |= x509_name_add_entry_test();
 
         return failed;
 }
diff --git a/src/regress/lib/libcrypto/x509/x509name.c b/src/regress/lib/libcrypto/x509/x509name.c
deleted file mode 100644
index 9deeeb2986..0000000000
--- a/src/regress/lib/libcrypto/x509/x509name.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/* $OpenBSD: x509name.c,v 1.3 2021/10/31 08:27:15 tb Exp $ */
-/*
- * Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <err.h>
-#include <stdio.h>
-
-#include <openssl/x509.h>
-
-static void      debug_print(X509_NAME *);
-
-static void
-debug_print(X509_NAME *name)
-{
-        int loc;
-
-        for (loc = 0; loc < X509_NAME_entry_count(name); loc++)
-                printf("%d:",
-                    X509_NAME_ENTRY_set(X509_NAME_get_entry(name, loc)));
-        putchar(' ');
-        X509_NAME_print_ex_fp(stdout, name, 0, XN_FLAG_SEP_CPLUS_SPC);
-        putchar('\n');
-}
-
-int
-main(void)
-{
-        X509_NAME *name;
-
-        if ((name = X509_NAME_new()) == NULL)
-                err(1, NULL);
-        X509_NAME_add_entry_by_txt(name, "ST", MBSTRING_ASC,
-            "BaWue", -1, -1, 0);
-        X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
-            "KIT", -1, -1, 0);
-        debug_print(name);
-
-        X509_NAME_add_entry_by_txt(name, "L", MBSTRING_ASC,
-            "Karlsruhe", -1, 1, 0);
-        debug_print(name);
-
-        X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
-            "DE", -1, 0, 1);
-        debug_print(name);
-
-        X509_NAME_free(name);
-
-        return 0;
-}
diff --git a/src/regress/lib/libcrypto/x509/x509name.expected b/src/regress/lib/libcrypto/x509/x509name.expected
deleted file mode 100644
index 6cee7cc435..0000000000
--- a/src/regress/lib/libcrypto/x509/x509name.expected
+++ /dev/null
@@ -1,3 +0,0 @@
-0:1: ST=BaWue, O=KIT
-0:1:2: ST=BaWue, L=Karlsruhe, O=KIT
-0:0:1:2: C=DE + ST=BaWue, L=Karlsruhe, O=KIT
diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
index bdc67f627a..e1e9633d37 100644
--- a/src/regress/lib/libssl/interop/Makefile
+++ b/src/regress/lib/libssl/interop/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.21 2025/01/15 10:54:17 tb Exp $
+# $OpenBSD: Makefile,v 1.23 2025/07/25 16:33:15 tb Exp $
 
-SUBDIR =        libressl openssl33 openssl34
+SUBDIR =        libressl openssl35
 
 # the above binaries must have been built before we can continue
 SUBDIR +=       netcat
diff --git a/src/regress/lib/libssl/interop/botan/Makefile b/src/regress/lib/libssl/interop/botan/Makefile
index 85877d4290..56bcdaf4bd 100644
--- a/src/regress/lib/libssl/interop/botan/Makefile
+++ b/src/regress/lib/libssl/interop/botan/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $
+# $OpenBSD: Makefile,v 1.12 2025/07/25 16:33:15 tb Exp $
 
 .include <bsd.own.mk>
 
@@ -20,11 +20,8 @@ CXX = /usr/local/bin/eg++
 .endif
 
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl33)
-LIBRARIES +=            openssl33
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES +=            openssl34
+.if exists(/usr/local/bin/eopenssl35)
+LIBRARIES +=            openssl35
 .endif
 
 PROGS =         client
diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile
index 74c63c86a8..9698c56acd 100644
--- a/src/regress/lib/libssl/interop/cert/Makefile
+++ b/src/regress/lib/libssl/interop/cert/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.14 2025/01/15 10:54:17 tb Exp $
+# $OpenBSD: Makefile,v 1.16 2025/07/25 16:33:15 tb Exp $
 
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 3.x.  Create client and server certificates
@@ -7,11 +7,8 @@
 # and check the result of certificate verification.
 
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl33)
-LIBRARIES +=            openssl33
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES +=            openssl34
+.if exists(/usr/local/bin/eopenssl35)
+LIBRARIES +=            openssl35
 .endif
 
 .for cca in noca ca fakeca
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
index fa7e25f9ee..5bdc9089fe 100644
--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.17 2025/01/15 10:54:17 tb Exp $
+# $OpenBSD: Makefile,v 1.19 2025/07/25 16:33:15 tb Exp $
 
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.1 or 3.0.  Create lists of supported ciphers
@@ -7,11 +7,8 @@
 # have used correct cipher by grepping in their session print out.
 
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl33)
-LIBRARIES +=            openssl33
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES +=            openssl34
+.if exists(/usr/local/bin/eopenssl35)
+LIBRARIES +=            openssl35
 .endif
 
 CLEANFILES =    *.tmp *.ciphers ciphers.mk
@@ -41,8 +38,7 @@ client-${clib}-server-${slib}.ciphers: \
         uniq -d <$@.tmp >$@
         # we are only interested in ciphers supported by libressl
         sort $@ client-libressl.ciphers >$@.tmp
-. if "${clib}" == "openssl33" || "${slib}" == "openssl33" || \
-        "${clib}" == "openssl34" || "${slib}" == "openssl34"
+. if "${clib}" == "openssl35" || "${slib}" == "openssl35"
         # OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
         sed -i '/^TLS_/d' $@.tmp
 . endif
@@ -70,8 +66,7 @@ regress: ciphers.mk
 .endif
 
 LEVEL_libressl =
-LEVEL_openssl33 = ,@SECLEVEL=0
-LEVEL_openssl34 = ,@SECLEVEL=0
+LEVEL_openssl35 = ,@SECLEVEL=0
 
 .for clib in ${LIBRARIES}
 .for slib in ${LIBRARIES}
@@ -132,7 +127,7 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \
 . endif
 . if "${clib}" == "libressl"
         # libressl client may prefer chacha-poly if aes-ni is not supported
-.  if "${slib}" == "openssl33" || "${slib}" == "openssl34"
+.  if "${slib}" == "openssl35"
         egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
 .  else
         egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
diff --git a/src/regress/lib/libssl/interop/netcat/Makefile b/src/regress/lib/libssl/interop/netcat/Makefile
index 3b8e3f95be..cff6b7ea76 100644
--- a/src/regress/lib/libssl/interop/netcat/Makefile
+++ b/src/regress/lib/libssl/interop/netcat/Makefile
@@ -1,11 +1,8 @@
-# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $
+# $OpenBSD: Makefile,v 1.12 2025/07/25 16:33:15 tb Exp $
 
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl33)
-LIBRARIES +=            openssl33
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES +=            openssl34
+.if exists(/usr/local/bin/eopenssl35)
+LIBRARIES +=            openssl35
 .endif
 
 # run netcat server and connect with test client
diff --git a/src/regress/lib/libssl/interop/openssl33/Makefile b/src/regress/lib/libssl/interop/openssl33/Makefile
deleted file mode 100644
index eff61704d0..0000000000
--- a/src/regress/lib/libssl/interop/openssl33/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2025/01/15 10:54:17 tb Exp $
-
-.if ! exists(/usr/local/bin/eopenssl33)
-regress:
-        # install openssl-3.3 from ports for interop tests
-        @echo 'Run "pkg_add openssl--%3.3" to run tests against OpenSSL 3.3'
-        @echo SKIPPED
-.else
-
-PROGS =                 client server
-CFLAGS +=               -DOPENSSL_SUPPRESS_DEPRECATED
-CPPFLAGS =              -I /usr/local/include/eopenssl33
-LDFLAGS =               -L /usr/local/lib/eopenssl33
-LDADD =                 -lssl -lcrypto
-DPADD =                 /usr/local/lib/eopenssl33/libssl.a \
-                        /usr/local/lib/eopenssl33/libcrypto.a
-LD_LIBRARY_PATH =       /usr/local/lib/eopenssl33
-REGRESS_TARGETS =       run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS +=      run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-
-.for p in ${PROGS}
-
-run-ldd-$p: ldd-$p.out
-        # check that $p is linked with OpenSSL 3.3
-        grep -q /usr/local/lib/eopenssl33/libcrypto.so ldd-$p.out
-        grep -q /usr/local/lib/eopenssl33/libssl.so ldd-$p.out
-        # check that $p is not linked with LibreSSL
-        ! grep -v libc.so ldd-$p.out | grep /usr/lib/
-
-run-version-$p: $p-self.out
-        # check that runtime version is OpenSSL 3.3
-        grep 'SSLEAY_VERSION: OpenSSL 3.3' $p-self.out
-
-run-protocol-$p: $p-self.out
-        # check that OpenSSL 3.3 protocol version is TLS 1.3
-        grep 'Protocol *: TLSv1.3' $p-self.out
-
-.endfor
-
-.endif # exists(/usr/local/bin/eopenssl33)
-
-.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/openssl34/Makefile b/src/regress/lib/libssl/interop/openssl34/Makefile
deleted file mode 100644
index 72246bb621..0000000000
--- a/src/regress/lib/libssl/interop/openssl34/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2025/01/15 10:54:17 tb Exp $
-
-.if ! exists(/usr/local/bin/eopenssl34)
-regress:
-        # install openssl-3.4 from ports for interop tests
-        @echo 'Run "pkg_add openssl--%3.4" to run tests against OpenSSL 3.4'
-        @echo SKIPPED
-.else
-
-PROGS =                 client server
-CFLAGS +=               -DOPENSSL_SUPPRESS_DEPRECATED
-CPPFLAGS =              -I /usr/local/include/eopenssl34
-LDFLAGS =               -L /usr/local/lib/eopenssl34
-LDADD =                 -lssl -lcrypto
-DPADD =                 /usr/local/lib/eopenssl34/libssl.a \
-                        /usr/local/lib/eopenssl34/libcrypto.a
-LD_LIBRARY_PATH =       /usr/local/lib/eopenssl34
-REGRESS_TARGETS =       run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS +=      run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-
-.for p in ${PROGS}
-
-run-ldd-$p: ldd-$p.out
-        # check that $p is linked with OpenSSL 3.4
-        grep -q /usr/local/lib/eopenssl34/libcrypto.so ldd-$p.out
-        grep -q /usr/local/lib/eopenssl34/libssl.so ldd-$p.out
-        # check that $p is not linked with LibreSSL
-        ! grep -v libc.so ldd-$p.out | grep /usr/lib/
-
-run-version-$p: $p-self.out
-        # check that runtime version is OpenSSL 3.4
-        grep 'SSLEAY_VERSION: OpenSSL 3.4' $p-self.out
-
-run-protocol-$p: $p-self.out
-        # check that OpenSSL 3.4 protocol version is TLS 1.3
-        grep 'Protocol *: TLSv1.3' $p-self.out
-
-.endfor
-
-.endif # exists(/usr/local/bin/eopenssl34)
-
-.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/openssl35/Makefile b/src/regress/lib/libssl/interop/openssl35/Makefile
new file mode 100644
index 0000000000..e11ad5dd20
--- /dev/null
+++ b/src/regress/lib/libssl/interop/openssl35/Makefile
@@ -0,0 +1,44 @@
+# $OpenBSD: Makefile,v 1.1 2025/07/09 17:48:02 tb Exp $
+
+.if ! exists(/usr/local/bin/eopenssl35)
+regress:
+        # install openssl-3.5 from ports for interop tests
+        @echo 'Run "pkg_add openssl--%3.5" to run tests against OpenSSL 3.5'
+        @echo SKIPPED
+.else
+
+PROGS =                 client server
+CFLAGS +=               -DOPENSSL_SUPPRESS_DEPRECATED
+CPPFLAGS =              -I /usr/local/include/eopenssl35
+LDFLAGS =               -L /usr/local/lib/eopenssl35
+LDADD =                 -lssl -lcrypto
+DPADD =                 /usr/local/lib/eopenssl35/libssl.a \
+                        /usr/local/lib/eopenssl35/libcrypto.a
+LD_LIBRARY_PATH =       /usr/local/lib/eopenssl35
+REGRESS_TARGETS =       run-self-client-server
+.for p in ${PROGS}
+REGRESS_TARGETS +=      run-ldd-$p run-version-$p run-protocol-$p
+.endfor
+
+.for p in ${PROGS}
+
+run-ldd-$p: ldd-$p.out
+        # check that $p is linked with OpenSSL 3.5
+        grep -q /usr/local/lib/eopenssl35/libcrypto.so ldd-$p.out
+        grep -q /usr/local/lib/eopenssl35/libssl.so ldd-$p.out
+        # check that $p is not linked with LibreSSL
+        ! grep -v -e libc.so -e libpthread.so ldd-$p.out | grep /usr/lib/
+
+run-version-$p: $p-self.out
+        # check that runtime version is OpenSSL 3.5
+        grep 'SSLEAY_VERSION: OpenSSL 3.5' $p-self.out
+
+run-protocol-$p: $p-self.out
+        # check that OpenSSL 3.5 protocol version is TLS 1.3
+        grep 'Protocol *: TLSv1.3' $p-self.out
+
+.endfor
+
+.endif # exists(/usr/local/bin/eopenssl35)
+
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/session/Makefile b/src/regress/lib/libssl/interop/session/Makefile
index e9a353f99e..fff66b169b 100644
--- a/src/regress/lib/libssl/interop/session/Makefile
+++ b/src/regress/lib/libssl/interop/session/Makefile
@@ -1,11 +1,8 @@
-# $OpenBSD: Makefile,v 1.12 2025/01/15 10:54:17 tb Exp $
+# $OpenBSD: Makefile,v 1.14 2025/07/25 16:33:15 tb Exp $
 
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl33)
-#LIBRARIES +=           openssl33
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-#LIBRARIES +=           openssl34
+.if exists(/usr/local/bin/eopenssl35)
+#LIBRARIES +=           openssl35
 .endif
 
 run-session-client-libressl-server-libressl:
diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile
index 605fba252f..5ee7d4c4f3 100644
--- a/src/regress/lib/libssl/interop/version/Makefile
+++ b/src/regress/lib/libssl/interop/version/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $
+# $OpenBSD: Makefile,v 1.12 2025/07/25 16:33:15 tb Exp $
 
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.1 or openssl 3.0.  Pin client or server to a fixed TLS
@@ -7,11 +7,8 @@
 # print out.
 
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl33)
-LIBRARIES +=            openssl33
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES +=            openssl34
+.if exists(/usr/local/bin/eopenssl35)
+LIBRARIES +=            openssl35
 .endif
 
 VERSIONS =      any TLS1_2 TLS1_3
@@ -29,8 +26,7 @@ FAIL_${cver}_${sver} = !
 .for slib in ${LIBRARIES}
 
 .if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \
-    ((("${clib}" != openssl33 && "${slib}" != openssl33)) || \
-    (("${clib}" != openssl34 && "${slib}" != openssl34)) || \
+    ((("${clib}" != openssl35 && "${slib}" != openssl35)) || \
     (("${cver}" != any && "${sver}" != any) && \
     ("${cver}" != TLS1 && "${sver}" != TLS1) && \
     ("${cver}" != TLS1_1 && "${sver}" != TLS1_1)))
diff --git a/src/regress/lib/libssl/openssl-ruby/Makefile b/src/regress/lib/libssl/openssl-ruby/Makefile
index af8083f662..19d2f2fc40 100644
--- a/src/regress/lib/libssl/openssl-ruby/Makefile
+++ b/src/regress/lib/libssl/openssl-ruby/Makefile
@@ -1,10 +1,10 @@
-#       $OpenBSD: Makefile,v 1.14 2024/08/31 11:14:58 tb Exp $
+#       $OpenBSD: Makefile,v 1.17 2025/06/27 03:32:08 tb Exp $
 
 OPENSSL_RUBY_TESTS =    /usr/local/share/openssl-ruby-tests
-.if exists(/usr/local/bin/ruby32)
-RUBY_BINREV =           32
-.else
+.if exists(/usr/local/bin/ruby33)
 RUBY_BINREV =           33
+.else
+RUBY_BINREV =           34
 .endif
 RUBY =                  ruby${RUBY_BINREV}
 
@@ -71,6 +71,21 @@ ${_t}: ${_BUILD_COOKIE}
                 -n ${_t}
 .endfor
 
+# These tests can be a pain to run. To run a small set of individual
+# ssl tests, set the test names separated by spaces in the environment
+# variable RUBY_SSL_TEST_TARGETS - then you can type "make <test_name>"
+# to run a single ruby ssl test.
+.for _t in ${RUBY_SSL_TEST_TARGETS}
+REGRESS_TARGETS += ${_t}
+REGRESS_EXPECTED_FAILURES += ${_t}
+${_t}: ${_BUILD_COOKIE}
+        cd ${BUILDDIR} && \
+            ${RUBY} -I. -I${OPENSSL_RUBY_TESTS}/test/openssl \
+                -I${OPENSSL_RUBY_TESTS}/lib \
+                ${OPENSSL_RUBY_TESTS}/test/openssl/test_ssl.rb \
+                -n ${_t}
+.endfor
+
 CLEANFILES +=           ${_BUILD_COOKIE} ${_TEST_COOKIE} ${_BUILDDIR_COOKIE}
 
 . if make(clean) || make(cleandir)
diff --git a/src/regress/lib/libssl/pqueue/Makefile b/src/regress/lib/libssl/pqueue/Makefile
index 48c2cb7e61..05fe9a268d 100644
--- a/src/regress/lib/libssl/pqueue/Makefile
+++ b/src/regress/lib/libssl/pqueue/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.1 2016/11/04 19:45:12 jsing Exp $
+#       $OpenBSD: Makefile,v 1.2 2025/05/04 11:04:02 tb Exp $
 
 PROG=   pq_test
 SRC=    ${.CURDIR}/../../../../lib/libssl
@@ -9,9 +9,4 @@ DPADD=	${LIBSSL} ${LIBCRYPTO}
 WARNINGS=       Yes
 CFLAGS+=        -DLIBRESSL_INTERNAL -Werror
 
-REGRESS_TARGETS= regress-pq_test
-
-regress-pq_test: ${PROG}
-        ${.OBJDIR}/pq_test | cmp -s ${.CURDIR}/expected.txt /dev/stdin
-
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/pqueue/expected.txt b/src/regress/lib/libssl/pqueue/expected.txt
deleted file mode 100644
index c59d6cd838..0000000000
--- a/src/regress/lib/libssl/pqueue/expected.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-item    6966726167696c69
-item    7374696365787069
-item    737570657263616c
diff --git a/src/regress/lib/libssl/pqueue/pq_test.c b/src/regress/lib/libssl/pqueue/pq_test.c
index a078ba5366..822fdea961 100644
--- a/src/regress/lib/libssl/pqueue/pq_test.c
+++ b/src/regress/lib/libssl/pqueue/pq_test.c
@@ -59,60 +59,77 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+
 #include "pqueue.h"
 
-/* remember to change expected.txt if you change these values */
-unsigned char prio1[8] = "supercal";
-unsigned char prio2[8] = "ifragili";
-unsigned char prio3[8] = "sticexpi";
+static const unsigned char *pq_expected[3] = {
+        "ifragili",
+        "sticexpi",
+        "supercal"
+};
 
-static void
-pqueue_print(pqueue pq)
+static int
+test_pqueue(void)
 {
-        pitem *iter, *item;
-
-        iter = pqueue_iterator(pq);
-        for (item = pqueue_next(&iter); item != NULL;
-            item = pqueue_next(&iter)) {
-                printf("item\t%02x%02x%02x%02x%02x%02x%02x%02x\n",
-                    item->priority[0], item->priority[1],
-                    item->priority[2], item->priority[3],
-                    item->priority[4], item->priority[5],
-                    item->priority[6], item->priority[7]);
-        }
-}
+        const unsigned char *prio1 = pq_expected[2];
+        const unsigned char *prio2 = pq_expected[0];
+        const unsigned char *prio3 = pq_expected[1];
+        pqueue pq = NULL;
+        pitem *item = NULL;
+        pitem *iter = NULL;
+        int i = 0;
+        int failed = 1;
 
-int
-main(void)
-{
-        pitem *item;
-        pqueue pq;
+        if ((pq = pqueue_new()) == NULL)
+                goto failure;
 
-        pq = pqueue_new();
+        if (!pqueue_insert(pq, pitem_new(prio3, NULL)))
+                goto failure;
+        if (!pqueue_insert(pq, pitem_new(prio1, NULL)))
+                goto failure;
+        if (!pqueue_insert(pq, pitem_new(prio2, NULL)))
+                goto failure;
 
-        item = pitem_new(prio3, NULL);
-        pqueue_insert(pq, item);
+        if (pqueue_size(pq) != 3)
+                goto failure;
 
-        item = pitem_new(prio1, NULL);
-        pqueue_insert(pq, item);
+        if ((item = pqueue_find(pq, prio1)) == NULL)
+                goto failure;
+        if ((item = pqueue_find(pq, prio2)) == NULL)
+                goto failure;
+        if ((item = pqueue_find(pq, prio3)) == NULL)
+                goto failure;
 
-        item = pitem_new(prio2, NULL);
-        pqueue_insert(pq, item);
+        if ((item = pqueue_peek(pq)) == NULL)
+                goto failure;
 
-        item = pqueue_find(pq, prio1);
-        fprintf(stderr, "found %p\n", item->priority);
+        if (memcmp(item->priority, pq_expected[0], 8))
+                goto failure;
 
-        item = pqueue_find(pq, prio2);
-        fprintf(stderr, "found %p\n", item->priority);
+        iter = pqueue_iterator(pq);
+        for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) {
+                if (memcmp(item->priority, pq_expected[i], 8) != 0)
+                        goto failure;
+                i++;
+        }
 
-        item = pqueue_find(pq, prio3);
-        fprintf(stderr, "found %p\n", item ? item->priority: 0);
+        failed = (i != 3);
 
-        pqueue_print(pq);
+ failure:
 
         for (item = pqueue_pop(pq); item != NULL; item = pqueue_pop(pq))
                 pitem_free(item);
-
         pqueue_free(pq);
-        return 0;
+
+        return failed;
+}
+
+int
+main(void)
+{
+        int failed = 0;
+
+        failed |= test_pqueue();
+
+        return failed;
 }
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
index 4adf27421d..68584998ce 100644
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlsexttest.c,v 1.92 2024/09/11 15:04:16 tb Exp $ */
+/* $OpenBSD: tlsexttest.c,v 1.94 2025/05/03 08:37:28 tb Exp $ */
 /*
  * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -3740,6 +3740,11 @@ test_tlsext_keyshare_client(void)
                 FAIL("Did not select a key share");
                 goto done;
         }
+        if (tls_key_share_group(ssl->s3->hs.key_share) != 29) {
+                FAIL("wrong key share group: got %d, expected 29\n",
+                     tls_key_share_group(ssl->s3->hs.key_share));
+                goto done;
+        }
 
         /*
          * Pretend the client did not send the supported groups extension. We
@@ -4542,12 +4547,10 @@ test_tlsext_valid_hostnames(void)
 #define N_TLSEXT_RANDOMIZATION_TESTS 1000
 
 static int
-test_tlsext_check_extension_order(SSL *ssl)
+test_tlsext_check_psk_is_last_extension(SSL *ssl)
 {
         const struct tls_extension *ext;
         uint16_t type;
-        size_t alpn_idx, sni_idx;
-        size_t i;
 
         if (ssl->tlsext_build_order_len == 0) {
                 FAIL("Unexpected zero build order length");
@@ -4560,34 +4563,6 @@ test_tlsext_check_extension_order(SSL *ssl)
                 return 1;
         }
 
-        if (ssl->server)
-                return 0;
-
-        alpn_idx = sni_idx = ssl->tlsext_build_order_len;
-        for (i = 0; i < ssl->tlsext_build_order_len; i++) {
-                ext = ssl->tlsext_build_order[i];
-                if (tls_extension_type(ext) == TLSEXT_TYPE_alpn)
-                        alpn_idx = i;
-                if (tls_extension_type(ext) == TLSEXT_TYPE_server_name)
-                        sni_idx = i;
-        }
-
-        if (alpn_idx == ssl->tlsext_build_order_len) {
-                FAIL("could not find alpn extension\n");
-                return 1;
-        }
-
-        if (sni_idx == ssl->tlsext_build_order_len) {
-                FAIL("could not find alpn extension\n");
-                return 1;
-        }
-
-        if (sni_idx >= alpn_idx) {
-                FAIL("sni does not precede alpn: %zu >= %zu\n",
-                    sni_idx, alpn_idx);
-                return 1;
-        }
-
         return 0;
 }
 
@@ -4600,7 +4575,7 @@ test_tlsext_randomized_extensions(SSL *ssl)
         for (i = 0; i < N_TLSEXT_RANDOMIZATION_TESTS; i++) {
                 if (!tlsext_randomize_build_order(ssl))
                         errx(1, "failed to randomize extensions");
-                failed |= test_tlsext_check_extension_order(ssl);
+                failed |= test_tlsext_check_psk_is_last_extension(ssl);
         }
 
         return failed;
diff --git a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
index 91aedad165..ff678ec9a8 100644
--- a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
+++ b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
@@ -1,4 +1,4 @@
-#   $OpenBSD: tlsfuzzer.py,v 1.56 2024/09/18 19:12:37 tb Exp $
+#   $OpenBSD: tlsfuzzer.py,v 1.57 2025/06/15 09:44:57 tb Exp $
 #
 # Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 #
@@ -72,7 +72,7 @@ def substitute_alert(want, got):
     return f"Expected alert description \"{want}\" " \
         + f"does not match received \"{got}\""
 
-# test-tls13-finished.py has 70 failing tests that expect a "decode_error"
+# test_tls13_finished.py has 70 failing tests that expect a "decode_error"
 # instead of the "decrypt_error" sent by tls13_server_finished_recv().
 # Both alerts appear to be reasonable in this context, so work around this
 # in the test instead of the library.
@@ -164,46 +164,46 @@ def generate_test_tls13_finished_args():
     return args
 
 tls13_tests = TestGroup("TLSv1.3 tests", [
-    Test("test-tls13-ccs.py"),
-    Test("test-tls13-conversation.py"),
-    Test("test-tls13-count-tickets.py"),
-    Test("test-tls13-empty-alert.py"),
-    Test("test-tls13-finished.py", generate_test_tls13_finished_args()),
-    Test("test-tls13-finished-plaintext.py"),
-    Test("test-tls13-hrr.py"),
-    Test("test-tls13-keyshare-omitted.py"),
-    Test("test-tls13-legacy-version.py"),
-    Test("test-tls13-nociphers.py"),
-    Test("test-tls13-record-padding.py"),
+    Test("test_tls13_ccs.py"),
+    Test("test_tls13_conversation.py"),
+    Test("test_tls13_count_tickets.py"),
+    Test("test_tls13_empty_alert.py"),
+    Test("test_tls13_finished.py", generate_test_tls13_finished_args()),
+    Test("test_tls13_finished_plaintext.py"),
+    Test("test_tls13_hrr.py"),
+    Test("test_tls13_keyshare_omitted.py"),
+    Test("test_tls13_legacy_version.py"),
+    Test("test_tls13_nociphers.py"),
+    Test("test_tls13_record_padding.py"),
     # Exclude QUIC transport parameters
-    Test("test-tls13-shuffled-extentions.py", [ "--exc", "57" ]),
-    Test("test-tls13-zero-content-type.py"),
+    Test("test_tls13_shuffled_extentions.py", [ "--exc", "57" ]),
+    Test("test_tls13_zero_content_type.py"),
 
     # The skipped tests fail due to a bug in BIO_gets() which masks the retry
     # signalled from an SSL_read() failure. Testing with httpd(8) shows we're
     # handling these corner cases correctly since tls13_record_layer.c -r1.47.
-    Test("test-tls13-zero-length-data.py", [
+    Test("test_tls13_zero_length_data.py", [
         "-e", "zero-length app data",
         "-e", "zero-length app data with large padding",
         "-e", "zero-length app data with padding",
     ]),
 
     # We don't currently handle NSTs
-    Test("test-tls13-connection-abort.py", ["-e", "After NewSessionTicket"]),
+    Test("test_tls13_connection_abort.py", ["-e", "After NewSessionTicket"]),
 ])
 
 # Tests that take a lot of time (> ~30s on an x280)
 tls13_slow_tests = TestGroup("slow TLSv1.3 tests", [
     # XXX: Investigate the occasional message
     # "Got shared secret with 1 most significant bytes equal to zero."
-    Test("test-tls13-dhe-shared-secret-padding.py", tls13_unsupported_ciphers),
+    Test("test_tls13_dhe_shared_secret_padding.py", tls13_unsupported_ciphers),
 
-    Test("test-tls13-invalid-ciphers.py"),
-    Test("test-tls13-serverhello-random.py", tls13_unsupported_ciphers),
+    Test("test_tls13_invalid_ciphers.py"),
+    Test("test_tls13_serverhello_random.py", tls13_unsupported_ciphers),
 
     # Mark two tests cases as xfail for now. The tests expect an arguably
     # correct decode_error while we send a decrypt_error (like fizz/boring).
-    Test("test-tls13-record-layer-limits.py", [
+    Test("test_tls13_record_layer_limits.py", [
         "-x", "max size payload (2**14) of Finished msg, with 16348 bytes of left padding, cipher TLS_AES_128_GCM_SHA256",
         "-X", substitute_alert("decode_error", "decrypt_error"),
         "-x", "max size payload (2**14) of Finished msg, with 16348 bytes of left padding, cipher TLS_CHACHA20_POLY1305_SHA256",
@@ -212,22 +212,22 @@ tls13_slow_tests = TestGroup("slow TLSv1.3 tests", [
     # We don't accept an empty ECPF extension since it must advertise the
     # uncompressed point format. Exclude this extension type from the test.
     Test(
-        "test-tls13-large-number-of-extensions.py",
+        "test_tls13_large_number_of_extensions.py",
         tls13_args = ["--exc", "11"],
     ),
 ])
 
 tls13_extra_cert_tests = TestGroup("TLSv1.3 certificate tests", [
     # need to set up client certs to run these
-    Test("test-tls13-certificate-request.py"),
-    Test("test-tls13-certificate-verify.py"),
-    Test("test-tls13-ecdsa-in-certificate-verify.py"),
-    Test("test-tls13-eddsa-in-certificate-verify.py"),
+    Test("test_tls13_certificate_request.py"),
+    Test("test_tls13_certificate_verify.py"),
+    Test("test_tls13_ecdsa_in_certificate_verify.py"),
+    Test("test_tls13_eddsa_in_certificate_verify.py"),
 
     # Test expects the server to have installed three certificates:
     # with P-256, P-384 and P-521 curve. Also SHA1+ECDSA is verified
     # to not work.
-    Test("test-tls13-ecdsa-support.py"),
+    Test("test_tls13_ecdsa_support.py"),
 ])
 
 tls13_failing_tests = TestGroup("failing TLSv1.3 tests", [
@@ -235,7 +235,7 @@ tls13_failing_tests = TestGroup("failing TLSv1.3 tests", [
     # With X25519, we accept weak peer public keys and fail when we actually
     # compute the keyshare.  Other tests seem to indicate that we could be
     # stricter about what keyshares we accept.
-    Test("test-tls13-crfg-curves.py", [
+    Test("test_tls13_crfg_curves.py", [
         '-e', 'all zero x448 key share',
         '-e', 'empty x448 key share',
         '-e', 'sanity x448 with compression ansiX962_compressed_char2',
@@ -245,7 +245,7 @@ tls13_failing_tests = TestGroup("failing TLSv1.3 tests", [
         '-e', 'too small x448 key share',
         '-e', 'x448 key share of "1"',
     ]),
-    Test("test-tls13-ecdhe-curves.py", [
+    Test("test_tls13_ecdhe_curves.py", [
         '-e', 'sanity - x448',
         '-e', 'x448 - key share from other curve',
         '-e', 'x448 - point at infinity',
@@ -258,21 +258,21 @@ tls13_failing_tests = TestGroup("failing TLSv1.3 tests", [
     # We have the logic corresponding to NSS's fix for CVE-2020-25648
     # https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361
     # so should not be affected by this issue.
-    Test("test-tls13-multiple-ccs-messages.py"),
+    Test("test_tls13_multiple_ccs_messages.py"),
 
     # https://github.com/openssl/openssl/issues/8369
-    Test("test-tls13-obsolete-curves.py"),
+    Test("test_tls13_obsolete_curves.py"),
 
     # 3 failing rsa_pss_pss tests
-    Test("test-tls13-rsa-signatures.py"),
+    Test("test_tls13_rsa_signatures.py"),
 
     # The failing tests all expect an ri extension.  What's up with that?
-    Test("test-tls13-version-negotiation.py"),
+    Test("test_tls13_version_negotiation.py"),
 ])
 
 tls13_slow_failing_tests = TestGroup("slow, failing TLSv1.3 tests", [
     # Other test failures bugs in keyshare/tlsext negotiation?
-    Test("test-tls13-unrecognised-groups.py"),    # unexpected closure
+    Test("test_tls13_unrecognised_groups.py"),    # unexpected closure
 
     # 5 occasional failures:
     #   'app data split, conversation with KeyUpdate msg'
@@ -280,43 +280,43 @@ tls13_slow_failing_tests = TestGroup("slow, failing TLSv1.3 tests", [
     #   'multiple KeyUpdate messages'
     #   'post-handshake KeyUpdate msg with update_not_request'
     #   'post-handshake KeyUpdate msg with update_request'
-    Test("test-tls13-keyupdate.py"),
+    Test("test_tls13_keyupdate.py"),
 
-    Test("test-tls13-symetric-ciphers.py"),       # unexpected message from peer
+    Test("test_tls13_symetric_ciphers.py"),       # unexpected message from peer
 
     # 6 tests fail: 'rsa_pkcs1_{md5,sha{1,224,256,384,512}} signature'
     # We send server hello, but the test expects handshake_failure
-    Test("test-tls13-pkcs-signature.py"),
+    Test("test_tls13_pkcs_signature.py"),
     # 8 tests fail: 'tls13 signature rsa_pss_{pss,rsae}_sha{256,384,512}
-    Test("test-tls13-rsapss-signatures.py"),
+    Test("test_tls13_rsapss_signatures.py"),
 ])
 
 tls13_unsupported_tests = TestGroup("TLSv1.3 tests for unsupported features", [
     # Tests for features we don't support
-    Test("test-tls13-0rtt-garbage.py"),
-    Test("test-tls13-ffdhe-groups.py"),
-    Test("test-tls13-ffdhe-sanity.py"),
-    Test("test-tls13-psk_dhe_ke.py"),
-    Test("test-tls13-psk_ke.py"),
+    Test("test_tls13_0rtt_garbage.py"),
+    Test("test_tls13_ffdhe_groups.py"),
+    Test("test_tls13_ffdhe_sanity.py"),
+    Test("test_tls13_psk_dhe_ke.py"),
+    Test("test_tls13_psk_ke.py"),
 
     # need server to react to HTTP GET for /keyupdate
-    Test("test-tls13-keyupdate-from-server.py"),
+    Test("test_tls13_keyupdate_from_server.py"),
 
     # needs an echo server
-    Test("test-tls13-lengths.py"),
+    Test("test_tls13_lengths.py"),
 
     # Weird test: tests servers that don't support 1.3
-    Test("test-tls13-non-support.py"),
+    Test("test_tls13_non_support.py"),
 
     # broken test script
     # UnboundLocalError: local variable 'cert' referenced before assignment
-    Test("test-tls13-post-handshake-auth.py"),
+    Test("test_tls13_post_handshake_auth.py"),
 
     # ExpectNewSessionTicket
-    Test("test-tls13-session-resumption.py"),
+    Test("test_tls13_session_resumption.py"),
 
     # Server must be configured to support only rsa_pss_rsae_sha512
-    Test("test-tls13-signature-algorithms.py"),
+    Test("test_tls13_signature_algorithms.py"),
 ])
 
 tls12_exclude_legacy_protocols = [
@@ -345,52 +345,52 @@ tls12_exclude_legacy_protocols = [
 
 tls12_tests = TestGroup("TLSv1.2 tests", [
     # Tests that pass as they are.
-    Test("test-aes-gcm-nonces.py"),
-    Test("test-connection-abort.py"),
-    Test("test-conversation.py"),
-    Test("test-cve-2016-2107.py"),
-    Test("test-cve-2016-6309.py"),
-    Test("test-dhe-rsa-key-exchange.py"),
-    Test("test-early-application-data.py"),
-    Test("test-empty-extensions.py"),
-    Test("test-extensions.py"),
-    Test("test-fuzzed-MAC.py"),
-    Test("test-fuzzed-ciphertext.py"),
-    Test("test-fuzzed-finished.py"),
-    Test("test-fuzzed-padding.py"),
-    Test("test-fuzzed-plaintext.py"), # fails once in a while
-    Test("test-hello-request-by-client.py"),
-    Test("test-invalid-cipher-suites.py"),
-    Test("test-invalid-content-type.py"),
-    Test("test-invalid-session-id.py"),
-    Test("test-invalid-version.py"),
-    Test("test-large-number-of-extensions.py"),
-    Test("test-lucky13.py"),
-    Test("test-message-skipping.py"),
-    Test("test-no-heartbeat.py"),
-    Test("test-record-layer-fragmentation.py"),
-    Test("test-sslv2-connection.py"),
-    Test("test-truncating-of-finished.py"),
-    Test("test-truncating-of-kRSA-client-key-exchange.py"),
-    Test("test-unsupported-curve-fallback.py"),
-    Test("test-version-numbers.py"),
-    Test("test-zero-length-data.py"),
+    Test("test_aes_gcm_nonces.py"),
+    Test("test_connection_abort.py"),
+    Test("test_conversation.py"),
+    Test("test_cve_2016_2107.py"),
+    Test("test_cve_2016_6309.py"),
+    Test("test_dhe_rsa_key_exchange.py"),
+    Test("test_early_application_data.py"),
+    Test("test_empty_extensions.py"),
+    Test("test_extensions.py"),
+    Test("test_fuzzed_MAC.py"),
+    Test("test_fuzzed_ciphertext.py"),
+    Test("test_fuzzed_finished.py"),
+    Test("test_fuzzed_padding.py"),
+    Test("test_fuzzed_plaintext.py"), # fails once in a while
+    Test("test_hello_request_by_client.py"),
+    Test("test_invalid_cipher_suites.py"),
+    Test("test_invalid_content_type.py"),
+    Test("test_invalid_session_id.py"),
+    Test("test_invalid_version.py"),
+    Test("test_large_number_of_extensions.py"),
+    Test("test_lucky13.py"),
+    Test("test_message_skipping.py"),
+    Test("test_no_heartbeat.py"),
+    Test("test_record_layer_fragmentation.py"),
+    Test("test_sslv2_connection.py"),
+    Test("test_truncating_of_finished.py"),
+    Test("test_truncating_of_kRSA_client_key_exchange.py"),
+    Test("test_unsupported_curve_fallback.py"),
+    Test("test_version_numbers.py"),
+    Test("test_zero_length_data.py"),
 
     # Tests that need tweaking for unsupported features and ciphers.
     Test(
-        "test-atypical-padding.py", [
+        "test_atypical_padding.py", [
             "-e", "sanity - encrypt then MAC",
             "-e", "2^14 bytes of AppData with 256 bytes of padding (SHA1 + Encrypt then MAC)",
         ]
     ),
     Test(
-        "test-ccs.py", [
+        "test_ccs.py", [
             "-x", "two bytes long CCS",
             "-X", substitute_alert("unexpected_message", "decode_error"),
         ]
     ),
     Test(
-        "test-dhe-rsa-key-exchange-signatures.py", [
+        "test_dhe_rsa_key_exchange_signatures.py", [
             "-e", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha224 signature",
             "-e", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 sha224 signature",
             "-e", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA sha224 signature",
@@ -398,14 +398,14 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
             "-e", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA sha224 signature",
         ]
     ),
-    Test("test-dhe-rsa-key-exchange-with-bad-messages.py", [
+    Test("test_dhe_rsa_key_exchange_with_bad_messages.py", [
         "-x", "invalid dh_Yc value - missing",
         "-X", substitute_alert("decode_error", "illegal_parameter"),
     ]),
-    Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols),
-    Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.2"]),
+    Test("test_dhe_key_share_random.py", tls12_exclude_legacy_protocols),
+    Test("test_export_ciphers_rejected.py", ["--min-ver", "TLSv1.2"]),
     Test(
-        "test-downgrade-protection.py",
+        "test_downgrade_protection.py",
         tls12_args = ["--server-max-protocol", "TLSv1.2"],
         tls13_args = [
             "--server-max-protocol", "TLSv1.3",
@@ -414,7 +414,7 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
         ]
     ),
     Test(
-        "test-fallback-scsv.py",
+        "test_fallback_scsv.py",
         tls13_args = [
             "--tls-1.3",
             "-e", "FALLBACK - hello TLSv1.1 - pos 0",
@@ -428,7 +428,7 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
         ]
     ),
 
-    Test("test-invalid-compression-methods.py", [
+    Test("test_invalid_compression_methods.py", [
         "-x", "invalid compression methods",
         "-X", substitute_alert("illegal_parameter", "decode_error"),
         "-x", "only deflate compression method",
@@ -437,134 +437,134 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
 
     # Skip extended_master_secret test. Since we don't support this
     # extension, we don't notice that it was dropped.
-    Test("test-renegotiation-changed-clienthello.py", [
+    Test("test_renegotiation_changed_clienthello.py", [
         "-e", "drop extended_master_secret in renegotiation",
     ]),
 
-    Test("test-sessionID-resumption.py", [
+    Test("test_sessionID_resumption.py", [
         "-x", "Client Hello too long session ID",
         "-X", substitute_alert("decode_error", "illegal_parameter"),
     ]),
 
     # Without --sig-algs-drop-ok, two tests fail since we do not currently
     # implement the signature_algorithms_cert extension (although we MUST).
-    Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]),
+    Test("test_sig_algs_renegotiation_resumption.py", ["--sig-algs-drop-ok"]),
 
-    Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols),
+    Test("test_serverhello_random.py", args = tls12_exclude_legacy_protocols),
 
-    Test("test-chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]),
+    Test("test_chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]),
 ])
 
 tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [
-    Test("test-cve-2016-7054.py"),
-    Test("test-dhe-no-shared-secret-padding.py", tls12_exclude_legacy_protocols),
-    Test("test-ecdhe-padded-shared-secret.py", tls12_exclude_legacy_protocols),
-    Test("test-ecdhe-rsa-key-share-random.py", tls12_exclude_legacy_protocols),
+    Test("test_cve_2016_7054.py"),
+    Test("test_dhe_no_shared_secret_padding.py", tls12_exclude_legacy_protocols),
+    Test("test_ecdhe_padded_shared_secret.py", tls12_exclude_legacy_protocols),
+    Test("test_ecdhe_rsa_key_share_random.py", tls12_exclude_legacy_protocols),
     # Start at extension number 58 to avoid QUIC transport parameters (57)
-    Test("test-large-hello.py", [ "-m", "58" ]),
+    Test("test_large_hello.py", [ "-m", "58" ]),
 ])
 
 tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [
     # no shared cipher
-    Test("test-aesccm.py"),
+    Test("test_aesccm.py"),
     # need server to set up alpn
-    Test("test-alpn-negotiation.py"),
+    Test("test_alpn_negotiation.py"),
     # Failing on TLS_RSA_WITH_AES_128_CBC_SHA because server does not support it.
-    Test("test-bleichenbacher-timing-pregenerate.py"),
+    Test("test_bleichenbacher_timing_pregenerate.py"),
     # many tests fail due to unexpected server_name extension
-    Test("test-bleichenbacher-workaround.py"),
+    Test("test_bleichenbacher_workaround.py"),
 
     # need client key and cert plus extra server setup
-    Test("test-certificate-malformed.py"),
-    Test("test-certificate-request.py"),
-    Test("test-certificate-verify-malformed-sig.py"),
-    Test("test-certificate-verify-malformed.py"),
-    Test("test-certificate-verify.py"),
-    Test("test-ecdsa-in-certificate-verify.py"),
-    Test("test-eddsa-in-certificate-verify.py"),
-    Test("test-renegotiation-disabled-client-cert.py"),
-    Test("test-rsa-pss-sigs-on-certificate-verify.py"),
-    Test("test-rsa-sigs-on-certificate-verify.py"),
+    Test("test_certificate_malformed.py"),
+    Test("test_certificate_request.py"),
+    Test("test_certificate_verify_malformed_sig.py"),
+    Test("test_certificate_verify_malformed.py"),
+    Test("test_certificate_verify.py"),
+    Test("test_ecdsa_in_certificate_verify.py"),
+    Test("test_eddsa_in_certificate_verify.py"),
+    Test("test_renegotiation_disabled_client_cert.py"),
+    Test("test_rsa_pss_sigs_on_certificate_verify.py"),
+    Test("test_rsa_sigs_on_certificate_verify.py"),
 
     # test doesn't expect session ticket
-    Test("test-client-compatibility.py"),
+    Test("test_client_compatibility.py"),
     # abrupt closure
-    Test("test-client-hello-max-size.py"),
+    Test("test_client_hello_max_size.py"),
     # unknown signature algorithms
-    Test("test-clienthello-md5.py"),
+    Test("test_clienthello_md5.py"),
 
     # Tests expect an illegal_parameter or a decode_error alert.  Should be
     # added to ssl3_get_client_key_exchange on kex function failure.
-    Test("test-ecdhe-rsa-key-exchange-with-bad-messages.py"),
+    Test("test_ecdhe_rsa_key_exchange_with_bad_messages.py"),
 
     # We send a handshake_failure due to no shared ciphers while the
     # test expects to succeed.
-    Test("test-ecdhe-rsa-key-exchange.py"),
+    Test("test_ecdhe_rsa_key_exchange.py"),
 
     # no shared cipher
-    Test("test-ecdsa-sig-flexibility.py"),
+    Test("test_ecdsa_sig_flexibility.py"),
 
     # Tests expect SH but we send unexpected_message or handshake_failure
     #   'Application data inside Client Hello'
     #   'Application data inside Client Key Exchange'
     #   'Application data inside Finished'
-    Test("test-interleaved-application-data-and-fragmented-handshakes-in-renegotiation.py"),
+    Test("test_interleaved_application_data_and_fragmented_handshakes_in_renegotiation.py"),
     # Tests expect SH but we send handshake_failure
     #   'Application data before Change Cipher Spec'
     #   'Application data before Client Key Exchange'
     #   'Application data before Finished'
-    Test("test-interleaved-application-data-in-renegotiation.py"),
+    Test("test_interleaved_application_data_in_renegotiation.py"),
 
     # broken test script
     # TypeError: '<' not supported between instances of 'int' and 'NoneType'
-    Test("test-invalid-client-hello-w-record-overflow.py"),
+    Test("test_invalid_client_hello_w_record_overflow.py"),
 
     # Lots of failures. abrupt closure
-    Test("test-invalid-client-hello.py"),
+    Test("test_invalid_client_hello.py"),
 
     # abrupt closure
     # 'encrypted premaster set to all zero (n)' n in 256 384 512
-    Test("test-invalid-rsa-key-exchange-messages.py"),
+    Test("test_invalid_rsa_key_exchange_messages.py"),
 
     # test expects illegal_parameter, we send unrecognized_name (which seems
     # correct according to rfc 6066?)
-    Test("test-invalid-server-name-extension-resumption.py"),
+    Test("test_invalid_server_name_extension_resumption.py"),
     # let through some server names without sending an alert
     # again illegal_parameter vs unrecognized_name
-    Test("test-invalid-server-name-extension.py"),
+    Test("test_invalid_server_name_extension.py"),
 
     # 4 failures:
     #   'insecure (legacy) renegotiation with GET after 2nd handshake'
     #   'insecure (legacy) renegotiation with incomplete GET'
     #   'secure renegotiation with GET after 2nd handshake'
     #   'secure renegotiation with incomplete GET'
-    Test("test-legacy-renegotiation.py"),
+    Test("test_legacy_renegotiation.py"),
 
     # 1 failure (timeout): we don't send the unexpected_message alert
     # 'duplicate change cipher spec after Finished'
-    Test("test-message-duplication.py"),
+    Test("test_message_duplication.py"),
 
     # server should send status_request
-    Test("test-ocsp-stapling.py"),
+    Test("test_ocsp_stapling.py"),
 
     # unexpected closure
-    Test("test-openssl-3712.py"),
+    Test("test_openssl_3712.py"),
 
     # failed: 3 (expect an alert, we send AD)
     # 'try insecure (legacy) renegotiation with incomplete GET'
     # 'try secure renegotiation with GET after 2nd CH'
     # 'try secure renegotiation with incomplete GET'
-    Test("test-renegotiation-disabled.py"),
+    Test("test_renegotiation_disabled.py"),
 
     # 'resumption of safe session with NULL cipher'
     # 'resumption with cipher from old CH but not selected by server'
-    Test("test-resumption-with-wrong-ciphers.py"),
+    Test("test_resumption_with_wrong_ciphers.py"),
 
     # 'session resumption with empty session_id'
     # 'session resumption with random session_id'
     # 'session resumption with renegotiation'
     # AssertionError: Server did not send extension(s): session_ticket
-    Test("test-session-ticket-resumption.py"),
+    Test("test_session_ticket_resumption.py"),
 
     # 5 failures:
     #   'empty sigalgs'
@@ -572,7 +572,7 @@ tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [
     #   'rsa_pss_pss_sha256 only'
     #   'rsa_pss_pss_sha384 only'
     #   'rsa_pss_pss_sha512 only'
-    Test("test-sig-algs.py"),
+    Test("test_sig_algs.py"),
 
     # 13 failures:
     #   'duplicated n non-rsa schemes' for n in 202 2342 8119 23741 32744
@@ -581,51 +581,51 @@ tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [
     #   'tolerance 32758 methods with sig_alg_cert'
     #   'tolerance max 32744 number of methods with sig_alg_cert'
     #   'tolerance max (32760) number of methods'
-    Test("test-signature-algorithms.py"),
+    Test("test_signature_algorithms.py"),
 
     # times out
-    Test("test-ssl-death-alert.py"),
+    Test("test_ssl_death_alert.py"),
 
     # 17 pass, 13 fail. padding and truncation
-    Test("test-truncating-of-client-hello.py"),
+    Test("test_truncating_of_client_hello.py"),
 
     # x448 tests need disabling plus x25519 corner cases need sorting out
-    Test("test-x25519.py"),
+    Test("test_x25519.py"),
 
     # Needs TLS 1.0 or 1.1
-    Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
+    Test("test_TLSv1_2_rejected_without_TLSv1_2.py"),
 ])
 
 tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [
     # protocol_version
-    Test("test-SSLv3-padding.py"),
+    Test("test_SSLv3_padding.py"),
     # we don't do RSA key exchanges
-    Test("test-bleichenbacher-timing.py"),
+    Test("test_bleichenbacher_timing.py"),
     # no encrypt-then-mac
-    Test("test-encrypt-then-mac-renegotiation.py"),
-    Test("test-encrypt-then-mac.py"),
+    Test("test_encrypt_then_mac_renegotiation.py"),
+    Test("test_encrypt_then_mac.py"),
     # no EME support
-    Test("test-extended-master-secret-extension-with-client-cert.py"),
-    Test("test-extended-master-secret-extension.py"),
+    Test("test_extended_master_secret_extension_with_client_cert.py"),
+    Test("test_extended_master_secret_extension.py"),
     # no ffdhe
-    Test("test-ffdhe-expected-params.py"),
-    Test("test-ffdhe-negotiation.py"),
+    Test("test_ffdhe_expected_params.py"),
+    Test("test_ffdhe_negotiation.py"),
     # record_size_limit/max_fragment_length extension (RFC 8449)
-    Test("test-record-size-limit.py"),
+    Test("test_record_size_limit.py"),
     # expects the server to send the heartbeat extension
-    Test("test-heartbeat.py"),
+    Test("test_heartbeat.py"),
     # needs an echo server
-    Test("test-lengths.py"),
+    Test("test_lengths.py"),
 ])
 
 # These tests take a ton of time to fail against an 1.3 server,
 # so don't run them against 1.3 pending further investigation.
 legacy_tests = TestGroup("Legacy protocol tests", [
-    Test("test-sslv2-force-cipher-3des.py"),
-    Test("test-sslv2-force-cipher-non3des.py"),
-    Test("test-sslv2-force-cipher.py"),
-    Test("test-sslv2-force-export-cipher.py"),
-    Test("test-sslv2hello-protocol.py"),
+    Test("test_sslv2_force_cipher_3des.py"),
+    Test("test_sslv2_force_cipher_non3des.py"),
+    Test("test_sslv2_force_cipher.py"),
+    Test("test_sslv2_force_export_cipher.py"),
+    Test("test_sslv2hello_protocol.py"),
 ])
 
 all_groups = [
diff --git a/src/regress/lib/libtls/tls/tlstest.c b/src/regress/lib/libtls/tls/tlstest.c
index b675c798b4..d52156128d 100644
--- a/src/regress/lib/libtls/tls/tlstest.c
+++ b/src/regress/lib/libtls/tls/tlstest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlstest.c,v 1.16 2024/08/02 15:02:22 tb Exp $ */
+/* $OpenBSD: tlstest.c,v 1.17 2025/06/04 10:28:00 tb Exp $ */
 /*
  * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
  *
@@ -531,6 +531,142 @@ do_tls_version_tests(void)
         return failure;
 }
 
+static int
+test_tls_alpn(const char *client_alpn, const char *server_alpn,
+    const char *selected)
+{
+        struct tls_config *client_cfg, *server_cfg;
+        struct tls *client, *server, *server_cctx;
+        const char *got_server, *got_client;
+        int failed = 1;
+
+        if ((client = tls_client()) == NULL)
+                errx(1, "failed to create tls client");
+        if ((client_cfg = tls_config_new()) == NULL)
+                errx(1, "failed to create tls client config");
+        tls_config_insecure_noverifyname(client_cfg);
+        if (tls_config_set_alpn(client_cfg, client_alpn) == -1)
+                errx(1, "failed to set alpn: %s", tls_config_error(client_cfg));
+        if (tls_config_set_ca_file(client_cfg, cafile) == -1)
+                errx(1, "failed to set ca: %s", tls_config_error(client_cfg));
+
+        if ((server = tls_server()) == NULL)
+                errx(1, "failed to create tls server");
+        if ((server_cfg = tls_config_new()) == NULL)
+                errx(1, "failed to create tls server config");
+        if (tls_config_set_alpn(server_cfg, server_alpn) == -1)
+                errx(1, "failed to set alpn: %s", tls_config_error(server_cfg));
+        if (tls_config_set_keypair_file(server_cfg, certfile, keyfile) == -1)
+                errx(1, "failed to set keypair: %s",
+                    tls_config_error(server_cfg));
+
+        if (tls_configure(client, client_cfg) == -1)
+                errx(1, "failed to configure client: %s", tls_error(client));
+        tls_reset(server);
+        if (tls_configure(server, server_cfg) == -1)
+                errx(1, "failed to configure server: %s", tls_error(server));
+
+        tls_config_free(client_cfg);
+        tls_config_free(server_cfg);
+
+        circular_init();
+
+        if (tls_accept_cbs(server, &server_cctx, server_read, server_write,
+            NULL) == -1)
+                errx(1, "failed to accept: %s", tls_error(server));
+
+        if (tls_connect_cbs(client, client_read, client_write, NULL,
+            "test") == -1)
+                errx(1, "failed to connect: %s", tls_error(client));
+
+        if (do_client_server_test("alpn", client, server_cctx) != 0)
+                goto fail;
+
+        got_server = tls_conn_alpn_selected(server_cctx);
+        got_client = tls_conn_alpn_selected(client);
+
+        if (got_server == NULL || got_client == NULL) {
+                printf("FAIL: expected ALPN for server and client, got "
+                    "server: %p, client %p\n", got_server, got_client);
+                goto fail;
+        }
+
+        if (strcmp(got_server, got_client) != 0) {
+                printf("FAIL: ALPN mismatch: server %s, client %s\n",
+                    got_server, got_client);
+                goto fail;
+        }
+
+        if (strcmp(selected, got_server) != 0) {
+                printf("FAIL: ALPN mismatch: want %s, got %s\n",
+                    selected, got_server);
+                goto fail;
+        }
+
+        failed = 0;
+
+ fail:
+        tls_free(client);
+        tls_free(server);
+        tls_free(server_cctx);
+
+        return (failed);
+}
+
+static const struct test_alpn {
+        const char *client;
+        const char *server;
+        const char *selected;
+} tls_test_alpn[] = {
+        {
+                .client = "http/2,http/1.1",
+                .server = "http/1.1",
+                .selected = "http/1.1",
+        },
+        {
+                .client = "http/2,http/1.1",
+                .server = "http/2,http/1.1",
+                .selected = "http/2",
+        },
+        {
+                .client = "http/1.1,http/2",
+                .server = "http/2,http/1.1",
+                .selected = "http/2",
+        },
+        {
+                .client = "http/2,http/1.1",
+                .server = "http/1.1,http/2",
+                .selected = "http/1.1",
+        },
+        {
+                .client = "http/1.1",
+                .server = "http/2,http/1.1",
+                .selected = "http/1.1",
+        },
+};
+
+#define N_TLS_ALPN_TESTS (sizeof(tls_test_alpn) / sizeof(tls_test_alpn[0]))
+
+static int
+do_tls_alpn_tests(void)
+{
+        const struct test_alpn *ta;
+        int failure = 0;
+        size_t i;
+
+        printf("== TLS alpn tests ==\n");
+
+        for (i = 0; i < N_TLS_ALPN_TESTS; i++) {
+                ta = &tls_test_alpn[i];
+                printf("INFO: alpn test %zu - client alpn '%s' "
+                    "and server alpn '%s'\n", i, ta->client, ta->server);
+                failure |= test_tls_alpn(ta->client, ta->server, ta->selected);
+                printf("\n");
+        }
+
+        return failure;
+}
+
 int
 main(int argc, char **argv)
 {
@@ -549,6 +685,7 @@ main(int argc, char **argv)
         failure |= do_tls_tests();
         failure |= do_tls_ordering_tests();
         failure |= do_tls_version_tests();
+        failure |= do_tls_alpn_tests();
 
         return (failure);
 }
diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1
index 76b6dc018e..2ffdcd1ea6 100644
--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: nc.1,v 1.98 2024/04/01 12:40:18 deraadt Exp $
+.\"     $OpenBSD: nc.1,v 1.101 2025/06/24 13:37:39 tb Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 1 2024 $
+.Dd $Mdocdate: June 24 2025 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -257,6 +257,10 @@ with the handshake.
 The following TLS options specify a value in the form of a
 .Ar key Ns = Ns Ar value
 pair:
+.Cm alpn ,
+which allows the TLS ALPN to be specified (see
+.Xr tls_config_set_alpn 3
+for further details);
 .Cm ciphers ,
 which allows the supported TLS ciphers to be specified (see
 .Xr tls_config_set_ciphers 3
@@ -338,12 +342,18 @@ when talking to the proxy server.
 Supported protocols are
 .Cm 4
 (SOCKS v.4),
+.Cm 4A
+(SOCKS v.4A),
 .Cm 5
 (SOCKS v.5)
 and
 .Cm connect
 (HTTPS proxy).
 If the protocol is not specified, SOCKS version 5 is used.
+Note that the SOCKS v.4 protocol is very limited and can only be used when
+the destination host can be resolved to an IPv4 address.
+The other protocols pass the destination as a string to be interpreted
+by the remote proxy and do not have this limitation.
 .It Fl x Ar proxy_address Ns Op : Ns Ar port
 Connect to
 .Ar destination
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index 8c60fd1882..e3c9c939e2 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.229 2024/11/02 17:19:27 tb Exp $ */
+/* $OpenBSD: netcat.c,v 1.234 2025/06/24 13:37:11 tb Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
  * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -108,6 +108,7 @@ char	*tls_expectname;			/* required name in peer cert */
 char    *tls_expecthash;                        /* required hash of peer cert */
 char    *tls_ciphers;                           /* TLS ciphers */
 char    *tls_protocols;                         /* TLS protocols */
+char    *tls_alpn;                              /* TLS ALPN */
 FILE    *Zflag;                                 /* file to save peer cert */
 
 int recvcount, recvlimit;
@@ -190,6 +191,8 @@ main(int argc, char *argv[])
                                 socksv = -1; /* HTTP proxy CONNECT */
                         else if (strcmp(optarg, "4") == 0)
                                 socksv = 4; /* SOCKS v.4 */
+                        else if (strcasecmp(optarg, "4A") == 0)
+                                socksv = 44; /* SOCKS v.4A */
                         else if (strcmp(optarg, "5") == 0)
                                 socksv = 5; /* SOCKS v.5 */
                         else
@@ -532,6 +535,8 @@ main(int argc, char *argv[])
                         errx(1, "%s", tls_config_error(tls_cfg));
                 if (tls_config_set_ciphers(tls_cfg, tls_ciphers) == -1)
                         errx(1, "%s", tls_config_error(tls_cfg));
+                if (tls_alpn != NULL && tls_config_set_alpn(tls_cfg, tls_alpn) == -1)
+                        errx(1, "%s", tls_config_error(tls_cfg));
                 if (!lflag && (TLSopt & TLS_CCERT))
                         errx(1, "clientcert is only valid with -l");
                 if (TLSopt & TLS_NONAME)
@@ -1669,11 +1674,12 @@ process_tls_opt(char *s, int *flags)
                 int              flag;
                 char            **value;
         } *t, tlskeywords[] = {
+                { "alpn",               -1,                     &tls_alpn },
                 { "ciphers",            -1,                     &tls_ciphers },
                 { "clientcert",         TLS_CCERT,              NULL },
                 { "muststaple",         TLS_MUSTSTAPLE,         NULL },
-                { "noverify",           TLS_NOVERIFY,           NULL },
                 { "noname",             TLS_NONAME,             NULL },
+                { "noverify",           TLS_NOVERIFY,           NULL },
                 { "protocols",          -1,                     &tls_protocols },
                 { NULL,                 -1,                     NULL },
         };
@@ -1692,6 +1698,8 @@ process_tls_opt(char *s, int *flags)
                                         errx(1, "invalid tls value `%s'", s);
                                 *t->value = v;
                         } else {
+                                if (v != NULL)
+                                        errx(1, "invalid tls value `%s'", s);
                                 *flags |= t->flag;
                         }
                         return 1;
@@ -1718,7 +1726,7 @@ void
 report_tls(struct tls *tls_ctx, char *host)
 {
         time_t t;
-        const char *ocsp_url;
+        const char *alpn_proto, *ocsp_url;
 
         fprintf(stderr, "TLS handshake negotiated %s/%s with host %s\n",
             tls_conn_version(tls_ctx), tls_conn_cipher(tls_ctx), host);
@@ -1770,6 +1778,8 @@ report_tls(struct tls *tls_ctx, char *host)
                     tls_peer_ocsp_result(tls_ctx));
                 break;
         }
+        if ((alpn_proto = tls_conn_alpn_selected(tls_ctx)) != NULL)
+                fprintf(stderr, "Application Layer Protocol: %s\n", alpn_proto);
 }
 
 void
@@ -1842,7 +1852,7 @@ help(void)
         \t-v            Verbose\n\
         \t-W recvlimit  Terminate after receiving a number of packets\n\
         \t-w timeout    Timeout for connects and final net reads\n\
-        \t-X proto      Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
+        \t-X proto      Proxy protocol: \"4\", \"4A\", \"5\" (SOCKS) or \"connect\"\n\
         \t-x addr[:port]\tSpecify proxy address and port\n\
         \t-Z            Peer certificate file\n\
         \t-z            Zero-I/O mode [used for scanning]\n\
diff --git a/src/usr.bin/nc/socks.c b/src/usr.bin/nc/socks.c
index 7c7448c9c5..1f1fb96e2a 100644
--- a/src/usr.bin/nc/socks.c
+++ b/src/usr.bin/nc/socks.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: socks.c,v 1.31 2022/06/08 20:20:26 djm Exp $  */
+/*      $OpenBSD: socks.c,v 1.34 2025/05/22 06:40:26 djm Exp $  */
 
 /*
  * Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
@@ -293,19 +293,33 @@ socks_connect(const char *host, const char *port,
                 default:
                         errx(1, "connection failed, unsupported address type");
                 }
-        } else if (socksv == 4) {
-                /* This will exit on lookup failure */
-                decode_addrport(host, port, (struct sockaddr *)&addr,
-                    sizeof(addr), 1, 0);
+        } else if (socksv == 4 || socksv == 44) {
+                if (socksv == 4) {
+                        /* This will exit on lookup failure */
+                        decode_addrport(host, port, (struct sockaddr *)&addr,
+                            sizeof(addr), 1, 0);
+                }
 
                 /* Version 4 */
                 buf[0] = SOCKS_V4;
                 buf[1] = SOCKS_CONNECT; /* connect */
                 memcpy(buf + 2, &in4->sin_port, sizeof in4->sin_port);
-                memcpy(buf + 4, &in4->sin_addr, sizeof in4->sin_addr);
+                if (socksv == 4) {
+                        memcpy(buf + 4, &in4->sin_addr, sizeof in4->sin_addr);
+                } else {
+                        /* SOCKS4A uses addr of 0.0.0.x, and hostname later */
+                        buf[4] = buf[5] = buf[6] = 0;
+                        buf[7] = 1;
+                }
                 buf[8] = 0;     /* empty username */
                 wlen = 9;
-
+                if (socksv == 44) {
+                        /* SOCKS4A has nul-terminated hostname after user */
+                        if (strlcpy(buf + 9, host,
+                            sizeof(buf) - 9) >= sizeof(buf) - 9)
+                                errx(1, "hostname too big");
+                        wlen = 9 + strlen(host) + 1;
+                }
                 cnt = atomicio(vwrite, proxyfd, buf, wlen);
                 if (cnt != wlen)
                         err(1, "write failed (%zu/%zu)", cnt, wlen);
@@ -373,16 +387,16 @@ socks_connect(const char *host, const char *port,
                 /* Read status reply */
                 proxy_read_line(proxyfd, buf, sizeof(buf));
                 if (proxyuser != NULL &&
-                    (strncmp(buf, "HTTP/1.0 407 ", 12) == 0 ||
-                    strncmp(buf, "HTTP/1.1 407 ", 12) == 0)) {
+                    (strncmp(buf, "HTTP/1.0 407 ", 13) == 0 ||
+                    strncmp(buf, "HTTP/1.1 407 ", 13) == 0)) {
                         if (authretry > 1) {
                                 fprintf(stderr, "Proxy authentication "
                                     "failed\n");
                         }
                         close(proxyfd);
                         goto again;
-                } else if (strncmp(buf, "HTTP/1.0 200 ", 12) != 0 &&
-                    strncmp(buf, "HTTP/1.1 200 ", 12) != 0)
+                } else if (strncmp(buf, "HTTP/1.0 200 ", 13) != 0 &&
+                    strncmp(buf, "HTTP/1.1 200 ", 13) != 0)
                         errx(1, "Proxy error: \"%s\"", buf);
 
                 /* Headers continue until we hit an empty line */
diff --git a/src/usr.bin/openssl/certhash.c b/src/usr.bin/openssl/certhash.c
index 5ee29b8d01..1ee1165516 100644
--- a/src/usr.bin/openssl/certhash.c
+++ b/src/usr.bin/openssl/certhash.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: certhash.c,v 1.21 2023/03/06 14:32:05 tb Exp $ */
+/*      $OpenBSD: certhash.c,v 1.22 2025/07/27 14:46:20 joshua Exp $ */
 /*
  * Copyright (c) 2014, 2015 Joel Sing <jsing@openbsd.org>
  *
@@ -297,11 +297,10 @@ hashinfo_from_linkname(const char *linkname, const char *target)
 }
 
 static struct hashinfo *
-certhash_cert(BIO *bio, const char *filename)
+certhash_cert(BIO *bio, const char *filename, const EVP_MD *digest)
 {
         unsigned char fingerprint[EVP_MAX_MD_SIZE];
         struct hashinfo *hi = NULL;
-        const EVP_MD *digest;
         X509 *cert = NULL;
         unsigned long hash;
         unsigned int len;
@@ -311,7 +310,6 @@ certhash_cert(BIO *bio, const char *filename)
 
         hash = X509_subject_name_hash(cert);
 
-        digest = EVP_sha256();
         if (X509_digest(cert, digest, fingerprint, &len) != 1) {
                 fprintf(stderr, "out of memory\n");
                 goto err;
@@ -326,11 +324,10 @@ certhash_cert(BIO *bio, const char *filename)
 }
 
 static struct hashinfo *
-certhash_crl(BIO *bio, const char *filename)
+certhash_crl(BIO *bio, const char *filename, const EVP_MD *digest)
 {
         unsigned char fingerprint[EVP_MAX_MD_SIZE];
         struct hashinfo *hi = NULL;
-        const EVP_MD *digest;
         X509_CRL *crl = NULL;
         unsigned long hash;
         unsigned int len;
@@ -340,7 +337,6 @@ certhash_crl(BIO *bio, const char *filename)
 
         hash = X509_NAME_hash(X509_CRL_get_issuer(crl));
 
-        digest = EVP_sha256();
         if (X509_CRL_digest(crl, digest, fingerprint, &len) != 1) {
                 fprintf(stderr, "out of memory\n");
                 goto err;
@@ -509,7 +505,7 @@ certhash_link(struct dirent *dep, struct hashinfo **links)
 
 static int
 certhash_file(struct dirent *dep, struct hashinfo **certs,
-    struct hashinfo **crls)
+    struct hashinfo **crls, const EVP_MD *digest)
 {
         struct hashinfo *hi = NULL;
         int has_cert, has_crl;
@@ -529,7 +525,7 @@ certhash_file(struct dirent *dep, struct hashinfo **certs,
                 goto err;
         }
 
-        if ((hi = certhash_cert(bio, dep->d_name)) != NULL) {
+        if ((hi = certhash_cert(bio, dep->d_name, digest)) != NULL) {
                 has_cert = 1;
                 *certs = hashinfo_chain(*certs, hi);
         }
@@ -539,7 +535,7 @@ certhash_file(struct dirent *dep, struct hashinfo **certs,
                 goto err;
         }
 
-        if ((hi = certhash_crl(bio, dep->d_name)) != NULL) {
+        if ((hi = certhash_crl(bio, dep->d_name, digest)) != NULL) {
                 has_crl = hi->is_crl = 1;
                 *crls = hashinfo_chain(*crls, hi);
         }
@@ -557,7 +553,7 @@ certhash_file(struct dirent *dep, struct hashinfo **certs,
 }
 
 static int
-certhash_directory(const char *path)
+certhash_directory(const char *path, const EVP_MD *digest)
 {
         struct hashinfo *links = NULL, *certs = NULL, *crls = NULL, *link;
         int ret = 0;
@@ -579,7 +575,7 @@ certhash_directory(const char *path)
                                 goto err;
                 }
                 if (filename_is_pem(dep->d_name)) {
-                        if (certhash_file(dep, &certs, &crls) == -1)
+                        if (certhash_file(dep, &certs, &crls, digest) == -1)
                                 goto err;
                 }
         }
@@ -678,7 +674,7 @@ certhash_main(int argc, char **argv)
                         ret = 1;
                         continue;
                 }
-                ret |= certhash_directory(argv[i]);
+                ret |= certhash_directory(argv[i], EVP_sha256());
                 if (fchdir(cwdfd) == -1) {
                         perror("failed to restore current directory");
                         ret = 1;
diff --git a/src/usr.bin/openssl/cms.c b/src/usr.bin/openssl/cms.c
index 7420d0ab8c..458ddb0e3b 100644
--- a/src/usr.bin/openssl/cms.c
+++ b/src/usr.bin/openssl/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.36 2024/08/12 15:34:58 job Exp $ */
+/* $OpenBSD: cms.c,v 1.38 2025/06/07 08:24:15 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -193,15 +193,33 @@ get_cipher_by_name(char *name)
 static int
 cms_opt_cipher(int argc, char **argv, int *argsused)
 {
+        const EVP_CIPHER *cipher;
         char *name = argv[0];
 
         if (*name++ != '-')
                 return (1);
 
-        if ((cfg.cipher = get_cipher_by_name(name)) == NULL)
-                if ((cfg.cipher = EVP_get_cipherbyname(name)) == NULL)
+        if ((cipher = get_cipher_by_name(name)) == NULL)
+                if ((cipher = EVP_get_cipherbyname(name)) == NULL)
                         return (1);
 
+        /*
+         * XXX - this should really be done in CMS_{encrypt,decrypt}() until
+         * we have proper support for AuthEnvelopedData (RFC 5084), but this
+         * is good enough for now to avoid outputting garbage with this rusty
+         * swiss army knife.
+         */
+        if ((EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
+                BIO_printf(bio_err, "AuthEnvelopedData is not supported\n");
+                return (1);
+        }
+        if (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE) {
+                BIO_printf(bio_err, "XTS mode not supported\n");
+                return (1);
+        }
+
+        cfg.cipher = cipher;
+
         *argsused = 1;
         return (0);
 }
@@ -475,7 +493,7 @@ static const struct option cms_options[] = {
         },
         {
                 .name = "aes256",
-                .desc = "Encrypt PEM output with CBC AES",
+                .desc = "Encrypt PEM output with CBC AES (default)",
                 .type = OPTION_ARGV_FUNC,
                 .opt.argvfunc = cms_opt_cipher,
         },
@@ -509,7 +527,7 @@ static const struct option cms_options[] = {
         },
         {
                 .name = "des3",
-                .desc = "Encrypt with triple DES (default)",
+                .desc = "Encrypt with triple DES",
                 .type = OPTION_ARGV_FUNC,
                 .opt.argvfunc = cms_opt_cipher,
         },
@@ -1291,14 +1309,8 @@ cms_main(int argc, char **argv)
         }
 
         if (cfg.operation == SMIME_ENCRYPT) {
-                if (cfg.cipher == NULL) {
-#ifndef OPENSSL_NO_DES
-                        cfg.cipher = EVP_des_ede3_cbc();
-#else
-                        BIO_printf(bio_err, "No cipher selected\n");
-                        goto end;
-#endif
-                }
+                if (cfg.cipher == NULL)
+                        cfg.cipher = EVP_aes_256_cbc();
                 if (cfg.secret_key != NULL &&
                     cfg.secret_keyid == NULL) {
                         BIO_printf(bio_err, "No secret key id\n");
diff --git a/src/usr.bin/openssl/gendsa.c b/src/usr.bin/openssl/gendsa.c
index 00635c4551..69a7994da7 100644
--- a/src/usr.bin/openssl/gendsa.c
+++ b/src/usr.bin/openssl/gendsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gendsa.c,v 1.17 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: gendsa.c,v 1.18 2025/06/07 08:33:58 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -80,7 +80,8 @@ static struct {
         char *passargout;
 } cfg;
 
-static const EVP_CIPHER *get_cipher_by_name(char *name)
+static const EVP_CIPHER *
+get_cipher_by_name(char *name)
 {
         if (name == NULL || strcmp(name, "") == 0)
                 return (NULL);
diff --git a/src/usr.bin/openssl/genrsa.c b/src/usr.bin/openssl/genrsa.c
index 0b5323fa5f..647780d8fa 100644
--- a/src/usr.bin/openssl/genrsa.c
+++ b/src/usr.bin/openssl/genrsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: genrsa.c,v 1.22 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: genrsa.c,v 1.23 2025/06/07 08:33:58 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -108,7 +108,8 @@ set_public_exponent(int argc, char **argv, int *argsused)
         return (0);
 }
 
-static const EVP_CIPHER *get_cipher_by_name(char *name)
+static const EVP_CIPHER *
+get_cipher_by_name(char *name)
 {
         if (name == NULL || strcmp(name, "") == 0)
                 return (NULL);
diff --git a/src/usr.bin/openssl/ocsp.c b/src/usr.bin/openssl/ocsp.c
index d35940a7ae..01d28aa1f0 100644
--- a/src/usr.bin/openssl/ocsp.c
+++ b/src/usr.bin/openssl/ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp.c,v 1.26 2024/08/31 18:39:25 tb Exp $ */
+/* $OpenBSD: ocsp.c,v 1.27 2025/05/09 12:50:59 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -194,18 +194,18 @@ x509v3_add_value(const char *name, const char *value,
         int ret = 0;
 
         if ((conf_value = calloc(1, sizeof(*conf_value))) == NULL) {
-                X509V3error(ERR_R_MALLOC_FAILURE);
+                perror("calloc");
                 goto err;
         }
         if (name != NULL) {
                 if ((conf_value->name = strdup(name)) == NULL) {
-                        X509V3error(ERR_R_MALLOC_FAILURE);
+                        perror("strdup");
                         goto err;
                 }
         }
         if (value != NULL) {
                 if ((conf_value->value = strdup(value)) == NULL) {
-                        X509V3error(ERR_R_MALLOC_FAILURE);
+                        perror("strdup");
                         goto err;
                 }
         }
@@ -213,12 +213,12 @@ x509v3_add_value(const char *name, const char *value,
         if ((extlist = *out_extlist) == NULL)
                 extlist = sk_CONF_VALUE_new_null();
         if (extlist == NULL) {
-                X509V3error(ERR_R_MALLOC_FAILURE);
+                perror("sk_CONF_VALUE_new_null");
                 goto err;
         }
 
         if (!sk_CONF_VALUE_push(extlist, conf_value)) {
-                X509V3error(ERR_R_MALLOC_FAILURE);
+                perror("sk_CONF_VALUE_push");
                 goto err;
         }
         conf_value = NULL;
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index d27b504ce3..40defdc38b 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.164 2025/04/19 17:20:24 kn Exp $
+.\" $OpenBSD: openssl.1,v 1.167 2025/06/07 08:29:20 tb Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: April 19 2025 $
+.Dd $Mdocdate: June 7 2025 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -1091,7 +1091,7 @@ The encryption algorithm to use.
 128-, 192-, or 256-bit AES, 128-, 192-, or 256-bit CAMELLIA,
 DES (56 bits), triple DES (168 bits),
 or 40-, 64-, or 128-bit RC2, respectively;
-if not specified, triple DES is
+if not specified, 256-bit AES is
 used.
 Only used with
 .Fl encrypt
@@ -2973,9 +2973,6 @@ command processes private keys
 (both encrypted and unencrypted)
 in PKCS#8 format
 with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
-The default encryption is only 56 bits;
-keys encrypted using PKCS#5 v2.0 algorithms and high iteration counts
-are more secure.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
@@ -3021,16 +3018,12 @@ which allow strong encryption algorithms like triple DES or 128-bit RC2.
 .El
 .It Fl v2 Ar alg
 Use PKCS#5 v2.0 algorithms.
-Supports algorithms such as 168-bit triple DES or 128-bit RC2,
-however not many implementations support PKCS#5 v2.0 yet
-(if using private keys with
-.Nm openssl
-this doesn't matter).
-.Pp
-.Ar alg
-is the encryption algorithm to use;
-valid values include des, des3, and rc2.
-It is recommended that des3 is used.
+These are block ciphers used in CBC mode.
+The default is AES-256-CBC.
+With the exception of AES, the choices available in RFC 8018
+are considered decrepit.
+They can be enabled with des, des3, and rc2
+(rc5 is no longer supported).
 .El
 .Tg pkcs12
 .Sh PKCS12
@@ -5105,7 +5098,7 @@ The remaining options are as follows:
 The encryption algorithm to use.
 128-, 192-, or 256-bit AES, DES (56 bits), triple DES (168 bits),
 or 40-, 64-, or 128-bit RC2, respectively;
-if not specified, 40-bit RC2 is
+if not specified, 256-bit AES is
 used.
 Only used with
 .Fl encrypt .
diff --git a/src/usr.bin/openssl/openssl.c b/src/usr.bin/openssl/openssl.c
index 75a0e4d266..a1ef139009 100644
--- a/src/usr.bin/openssl/openssl.c
+++ b/src/usr.bin/openssl/openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: openssl.c,v 1.39 2025/01/02 13:10:03 tb Exp $ */
+/* $OpenBSD: openssl.c,v 1.40 2025/05/25 04:54:41 joshua Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -235,9 +235,6 @@ FUNCTION functions[] = {
         { FUNC_TYPE_MD, "sm3", dgst_main },
         { FUNC_TYPE_MD, "sm3WithRSAEncryption", dgst_main },
 #endif
-#ifndef OPENSSL_NO_WHIRLPOOL
-        { FUNC_TYPE_MD, "whirlpool", dgst_main },
-#endif
 
         /* Ciphers. */
         { FUNC_TYPE_CIPHER, "base64", enc_main },
diff --git a/src/usr.bin/openssl/pkcs12.c b/src/usr.bin/openssl/pkcs12.c
index 1407a96e03..efd6d59163 100644
--- a/src/usr.bin/openssl/pkcs12.c
+++ b/src/usr.bin/openssl/pkcs12.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.c,v 1.29 2024/12/26 14:10:48 tb Exp $ */
+/* $OpenBSD: pkcs12.c,v 1.30 2025/06/07 08:33:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -152,7 +152,8 @@ pkcs12_opt_passarg(char *arg)
         return (0);
 }
 
-static const EVP_CIPHER *get_cipher_by_name(char *name)
+static const EVP_CIPHER *
+get_cipher_by_name(char *name)
 {
         if (name == NULL || strcmp(name, "") == 0)
                 return (NULL);
diff --git a/src/usr.bin/openssl/pkcs8.c b/src/usr.bin/openssl/pkcs8.c
index 10fad7aed1..5d7c52f865 100644
--- a/src/usr.bin/openssl/pkcs8.c
+++ b/src/usr.bin/openssl/pkcs8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs8.c,v 1.18 2025/01/02 12:31:44 tb Exp $ */
+/* $OpenBSD: pkcs8.c,v 1.19 2025/05/24 02:35:25 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999-2004.
  */
@@ -224,8 +224,8 @@ pkcs8_main(int argc, char **argv)
                 BIO_printf(bio_err, "Error getting passwords\n");
                 goto end;
         }
-        if ((cfg.pbe_nid == -1) && !cfg.cipher)
-                cfg.pbe_nid = NID_pbeWithMD5AndDES_CBC;
+        if (cfg.pbe_nid == -1 && cfg.cipher == NULL)
+                cfg.cipher = EVP_aes_256_cbc();
 
         if (cfg.infile) {
                 if (!(in = BIO_new_file(cfg.infile, "rb"))) {
diff --git a/src/usr.bin/openssl/smime.c b/src/usr.bin/openssl/smime.c
index 46bfa08679..f9d7049ff9 100644
--- a/src/usr.bin/openssl/smime.c
+++ b/src/usr.bin/openssl/smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smime.c,v 1.20 2023/04/14 15:27:13 tb Exp $ */
+/* $OpenBSD: smime.c,v 1.21 2025/06/07 08:28:49 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -271,7 +271,7 @@ static const struct option smime_options[] = {
         },
         {
                 .name = "aes256",
-                .desc = "Encrypt PEM output with CBC AES",
+                .desc = "Encrypt PEM output with CBC AES (default)",
                 .type = OPTION_ARGV_FUNC,
                 .opt.argvfunc = smime_opt_cipher,
         },
@@ -313,7 +313,7 @@ static const struct option smime_options[] = {
 #ifndef OPENSSL_NO_RC2
         {
                 .name = "rc2-40",
-                .desc = "Encrypt with RC2-40 (default)",
+                .desc = "Encrypt with RC2-40",
                 .type = OPTION_ARGV_FUNC,
                 .opt.argvfunc = smime_opt_cipher,
         },
@@ -825,14 +825,8 @@ smime_main(int argc, char **argv)
         }
 
         if (cfg.operation == SMIME_ENCRYPT) {
-                if (cfg.cipher == NULL) {
-#ifndef OPENSSL_NO_RC2
-                        cfg.cipher = EVP_rc2_40_cbc();
-#else
-                        BIO_printf(bio_err, "No cipher selected\n");
-                        goto end;
-#endif
-                }
+                if (cfg.cipher == NULL)
+                        cfg.cipher = EVP_aes_256_cbc();
                 if ((encerts = sk_X509_new_null()) == NULL)
                         goto end;
                 while (*args != NULL) {
diff --git a/src/usr.bin/openssl/speed.c b/src/usr.bin/openssl/speed.c
index 9d03c6516e..3e9b4faa9d 100644
--- a/src/usr.bin/openssl/speed.c
+++ b/src/usr.bin/openssl/speed.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: speed.c,v 1.41 2025/01/02 13:37:43 tb Exp $ */
+/* $OpenBSD: speed.c,v 1.46 2025/05/25 05:05:30 joshua Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -142,9 +142,6 @@
 #ifndef OPENSSL_NO_SHA
 #include <openssl/sha.h>
 #endif
-#ifndef OPENSSL_NO_WHIRLPOOL
-#include <openssl/whrlpool.h>
-#endif
 
 #define BUFSIZE (1024*8+64)
 volatile sig_atomic_t run;
@@ -152,7 +149,6 @@ volatile sig_atomic_t run;
 static int mr = 0;
 static int usertime = 1;
 
-static double Time_F(int s);
 static void print_message(const char *s, long num, int length);
 static void
 pkey_print_message(const char *str, const char *str2,
@@ -160,7 +156,7 @@ pkey_print_message(const char *str, const char *str2,
 static void print_result(int alg, int run_no, int count, double time_used);
 static int do_multi(int multi);
 
-#define ALGOR_NUM       32
+#define ALGOR_NUM       31
 #define SIZE_NUM        5
 #define RSA_NUM         4
 #define DSA_NUM         3
@@ -174,7 +170,7 @@ static const char *names[ALGOR_NUM] = {
         "rc2 cbc", "rc5-32/12 cbc", "blowfish cbc", "cast cbc",
         "aes-128 cbc", "aes-192 cbc", "aes-256 cbc",
         "camellia-128 cbc", "camellia-192 cbc", "camellia-256 cbc",
-        "evp", "sha256", "sha512", "whirlpool",
+        "evp", "sha256", "sha512",
         "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash",
         "aes-128 gcm", "aes-256 gcm", "chacha20 poly1305",
 };
@@ -895,6 +891,22 @@ static const unsigned char test4096[] = {
         0xaf, 0xf8, 0x2a, 0x91, 0x9d, 0x50, 0x44, 0x21, 0x17,
 };
 
+static const unsigned char key16[] = {
+        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
+        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
+};
+static const unsigned char key24[] = {
+        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
+        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
+        0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34,
+};
+static const unsigned char key32[] = {
+        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
+        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
+        0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34,
+        0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56,
+};
+
 static void
 sig_done(int sig)
 {
@@ -904,16 +916,14 @@ sig_done(int sig)
 #define START   TM_RESET
 #define STOP    TM_GET
 
-
 static double
-Time_F(int s)
+time_f(int s)
 {
         if (usertime)
                 return app_timer_user(s);
-        else
-                return app_timer_real(s);
-}
 
+        return app_timer_real(s);
+}
 
 static const int KDF1_SHA1_len = 20;
 static void *
@@ -942,28 +952,7 @@ speed_main(int argc, char **argv)
         long rsa_count;
         unsigned rsa_num;
         unsigned char md[EVP_MAX_MD_SIZE];
-#ifndef OPENSSL_NO_MD4
-        unsigned char md4[MD4_DIGEST_LENGTH];
-#endif
-#ifndef OPENSSL_NO_MD5
-        unsigned char md5[MD5_DIGEST_LENGTH];
-        unsigned char hmac[MD5_DIGEST_LENGTH];
-#endif
-#ifndef OPENSSL_NO_SHA
-        unsigned char sha[SHA_DIGEST_LENGTH];
-#ifndef OPENSSL_NO_SHA256
-        unsigned char sha256[SHA256_DIGEST_LENGTH];
-#endif
-#ifndef OPENSSL_NO_SHA512
-        unsigned char sha512[SHA512_DIGEST_LENGTH];
-#endif
-#endif
-#ifndef OPENSSL_NO_WHIRLPOOL
-        unsigned char whirlpool[WHIRLPOOL_DIGEST_LENGTH];
-#endif
-#ifndef OPENSSL_NO_RIPEMD
-        unsigned char rmd160[RIPEMD160_DIGEST_LENGTH];
-#endif
+
 #ifndef OPENSSL_NO_RC4
         RC4_KEY rc4_ks;
 #endif
@@ -979,38 +968,8 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_CAST
         CAST_KEY cast_ks;
 #endif
-        static const unsigned char key16[16] =
-        {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
-        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12};
-#ifndef OPENSSL_NO_AES
-        static const unsigned char key24[24] =
-        {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
-                0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
-        0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34};
-        static const unsigned char key32[32] =
-        {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
-                0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
-                0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34,
-        0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56};
-#endif
-#ifndef OPENSSL_NO_CAMELLIA
-        static const unsigned char ckey24[24] =
-        {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
-                0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
-        0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34};
-        static const unsigned char ckey32[32] =
-        {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
-                0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
-                0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34,
-        0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56};
-#endif
-#ifndef OPENSSL_NO_AES
-#define MAX_BLOCK_SIZE 128
-#else
-#define MAX_BLOCK_SIZE 64
-#endif
         unsigned char DES_iv[8];
-        unsigned char iv[2 * MAX_BLOCK_SIZE / 8];
+        unsigned char iv[2 * 16];
 #ifndef OPENSSL_NO_DES
         static DES_cblock key = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};
         static DES_cblock key2 = {0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12};
@@ -1049,14 +1008,13 @@ speed_main(int argc, char **argv)
 #define D_EVP           21
 #define D_SHA256        22
 #define D_SHA512        23
-#define D_WHIRLPOOL     24
-#define D_IGE_128_AES   25
-#define D_IGE_192_AES   26
-#define D_IGE_256_AES   27
-#define D_GHASH         28
-#define D_AES_128_GCM   29
-#define D_AES_256_GCM   30
-#define D_CHACHA20_POLY1305     31
+#define D_IGE_128_AES   24
+#define D_IGE_192_AES   25
+#define D_IGE_256_AES   26
+#define D_GHASH         27
+#define D_AES_128_GCM   28
+#define D_AES_256_GCM   29
+#define D_CHACHA20_POLY1305     30
         double d = 0.0;
         long c[ALGOR_NUM][SIZE_NUM];
 #define R_DSA_512       0
@@ -1275,11 +1233,6 @@ speed_main(int argc, char **argv)
                 else
 #endif
 #endif
-#ifndef OPENSSL_NO_WHIRLPOOL
-                if (strcmp(*argv, "whirlpool") == 0)
-                        doit[D_WHIRLPOOL] = 1;
-                else
-#endif
 #ifndef OPENSSL_NO_RIPEMD
                 if (strcmp(*argv, "ripemd") == 0)
                         doit[D_RMD160] = 1;
@@ -1462,16 +1415,12 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_SHA512
                         BIO_printf(bio_err, "sha512   ");
 #endif
-#ifndef OPENSSL_NO_WHIRLPOOL
-                        BIO_printf(bio_err, "whirlpool");
-#endif
 #ifndef OPENSSL_NO_RIPEMD160
                         BIO_printf(bio_err, "rmd160");
 #endif
 #if !defined(OPENSSL_NO_MD2) || \
     !defined(OPENSSL_NO_MD4) || !defined(OPENSSL_NO_MD5) || \
-    !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160) || \
-    !defined(OPENSSL_NO_WHIRLPOOL)
+    !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160)
                         BIO_printf(bio_err, "\n");
 #endif
 
@@ -1602,8 +1551,8 @@ speed_main(int argc, char **argv)
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
         Camellia_set_key(key16, 128, &camellia_ks1);
-        Camellia_set_key(ckey24, 192, &camellia_ks2);
-        Camellia_set_key(ckey32, 256, &camellia_ks3);
+        Camellia_set_key(key24, 192, &camellia_ks2);
+        Camellia_set_key(key32, 256, &camellia_ks3);
 #endif
 #ifndef OPENSSL_NO_IDEA
         idea_set_encrypt_key(key16, &idea_ks);
@@ -1634,10 +1583,10 @@ speed_main(int argc, char **argv)
         if (doit[D_MD4]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_MD4], c[D_MD4][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_MD4][j]); count++)
-                                EVP_Digest(&(buf[0]), (unsigned long) lengths[j], &(md4[0]), NULL, EVP_md4(), NULL);
-                        d = Time_F(STOP);
+                                EVP_Digest(&(buf[0]), (unsigned long) lengths[j], md, NULL, EVP_md4(), NULL);
+                        d = time_f(STOP);
                         print_result(D_MD4, j, count, d);
                 }
         }
@@ -1647,10 +1596,10 @@ speed_main(int argc, char **argv)
         if (doit[D_MD5]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_MD5], c[D_MD5][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_MD5][j]); count++)
-                                EVP_Digest(&(buf[0]), (unsigned long) lengths[j], &(md5[0]), NULL, EVP_get_digestbyname("md5"), NULL);
-                        d = Time_F(STOP);
+                                EVP_Digest(&(buf[0]), (unsigned long) lengths[j], md, NULL, EVP_get_digestbyname("md5"), NULL);
+                        d = time_f(STOP);
                         print_result(D_MD5, j, count, d);
                 }
         }
@@ -1670,7 +1619,7 @@ speed_main(int argc, char **argv)
 
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_HMAC], c[D_HMAC][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_HMAC][j]); count++) {
                                 if (!HMAC_Init_ex(hctx, NULL, 0, NULL, NULL)) {
                                         HMAC_CTX_free(hctx);
@@ -1680,12 +1629,12 @@ speed_main(int argc, char **argv)
                                         HMAC_CTX_free(hctx);
                                         goto end;
                                 }
-                                if (!HMAC_Final(hctx, &(hmac[0]), NULL)) {
+                                if (!HMAC_Final(hctx, md, NULL)) {
                                         HMAC_CTX_free(hctx);
                                         goto end;
                                 }
                         }
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_HMAC, j, count, d);
                 }
                 HMAC_CTX_free(hctx);
@@ -1695,10 +1644,10 @@ speed_main(int argc, char **argv)
         if (doit[D_SHA1]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_SHA1], c[D_SHA1][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_SHA1][j]); count++)
-                                EVP_Digest(buf, (unsigned long) lengths[j], &(sha[0]), NULL, EVP_sha1(), NULL);
-                        d = Time_F(STOP);
+                                EVP_Digest(buf, (unsigned long) lengths[j], md, NULL, EVP_sha1(), NULL);
+                        d = time_f(STOP);
                         print_result(D_SHA1, j, count, d);
                 }
         }
@@ -1706,10 +1655,10 @@ speed_main(int argc, char **argv)
         if (doit[D_SHA256]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_SHA256], c[D_SHA256][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_SHA256][j]); count++)
-                                SHA256(buf, lengths[j], sha256);
-                        d = Time_F(STOP);
+                                SHA256(buf, lengths[j], md);
+                        d = time_f(STOP);
                         print_result(D_SHA256, j, count, d);
                 }
         }
@@ -1719,37 +1668,24 @@ speed_main(int argc, char **argv)
         if (doit[D_SHA512]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_SHA512], c[D_SHA512][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_SHA512][j]); count++)
-                                SHA512(buf, lengths[j], sha512);
-                        d = Time_F(STOP);
+                                SHA512(buf, lengths[j], md);
+                        d = time_f(STOP);
                         print_result(D_SHA512, j, count, d);
                 }
         }
 #endif
 #endif
 
-#ifndef OPENSSL_NO_WHIRLPOOL
-        if (doit[D_WHIRLPOOL]) {
-                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_WHIRLPOOL], c[D_WHIRLPOOL][j], lengths[j]);
-                        Time_F(START);
-                        for (count = 0, run = 1; COND(c[D_WHIRLPOOL][j]); count++)
-                                WHIRLPOOL(buf, lengths[j], whirlpool);
-                        d = Time_F(STOP);
-                        print_result(D_WHIRLPOOL, j, count, d);
-                }
-        }
-#endif
-
 #ifndef OPENSSL_NO_RIPEMD
         if (doit[D_RMD160]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_RMD160], c[D_RMD160][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_RMD160][j]); count++)
-                                EVP_Digest(buf, (unsigned long) lengths[j], &(rmd160[0]), NULL, EVP_ripemd160(), NULL);
-                        d = Time_F(STOP);
+                                EVP_Digest(buf, (unsigned long) lengths[j], md, NULL, EVP_ripemd160(), NULL);
+                        d = time_f(STOP);
                         print_result(D_RMD160, j, count, d);
                 }
         }
@@ -1758,11 +1694,11 @@ speed_main(int argc, char **argv)
         if (doit[D_RC4]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_RC4], c[D_RC4][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_RC4][j]); count++)
                                 RC4(&rc4_ks, (unsigned int) lengths[j],
                                     buf, buf);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_RC4, j, count, d);
                 }
         }
@@ -1771,23 +1707,23 @@ speed_main(int argc, char **argv)
         if (doit[D_CBC_DES]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_CBC_DES], c[D_CBC_DES][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_CBC_DES][j]); count++)
                                 DES_ncbc_encrypt(buf, buf, lengths[j], &sch,
                                     &DES_iv, DES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_CBC_DES, j, count, d);
                 }
         }
         if (doit[D_EDE3_DES]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_EDE3_DES], c[D_EDE3_DES][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_EDE3_DES][j]); count++)
                                 DES_ede3_cbc_encrypt(buf, buf, lengths[j],
                                     &sch, &sch2, &sch3,
                                     &DES_iv, DES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_EDE3_DES, j, count, d);
                 }
         }
@@ -1796,72 +1732,72 @@ speed_main(int argc, char **argv)
         if (doit[D_CBC_128_AES]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_CBC_128_AES], c[D_CBC_128_AES][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_CBC_128_AES][j]); count++)
                                 AES_cbc_encrypt(buf, buf,
                                     (unsigned long) lengths[j], &aes_ks1,
                                     iv, AES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_CBC_128_AES, j, count, d);
                 }
         }
         if (doit[D_CBC_192_AES]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_CBC_192_AES], c[D_CBC_192_AES][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_CBC_192_AES][j]); count++)
                                 AES_cbc_encrypt(buf, buf,
                                     (unsigned long) lengths[j], &aes_ks2,
                                     iv, AES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_CBC_192_AES, j, count, d);
                 }
         }
         if (doit[D_CBC_256_AES]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_CBC_256_AES], c[D_CBC_256_AES][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_CBC_256_AES][j]); count++)
                                 AES_cbc_encrypt(buf, buf,
                                     (unsigned long) lengths[j], &aes_ks3,
                                     iv, AES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_CBC_256_AES, j, count, d);
                 }
         }
         if (doit[D_IGE_128_AES]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_IGE_128_AES], c[D_IGE_128_AES][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_IGE_128_AES][j]); count++)
                                 AES_ige_encrypt(buf, buf2,
                                     (unsigned long) lengths[j], &aes_ks1,
                                     iv, AES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_IGE_128_AES, j, count, d);
                 }
         }
         if (doit[D_IGE_192_AES]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_IGE_192_AES], c[D_IGE_192_AES][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_IGE_192_AES][j]); count++)
                                 AES_ige_encrypt(buf, buf2,
                                     (unsigned long) lengths[j], &aes_ks2,
                                     iv, AES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_IGE_192_AES, j, count, d);
                 }
         }
         if (doit[D_IGE_256_AES]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_IGE_256_AES], c[D_IGE_256_AES][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_IGE_256_AES][j]); count++)
                                 AES_ige_encrypt(buf, buf2,
                                     (unsigned long) lengths[j], &aes_ks3,
                                     iv, AES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_IGE_256_AES, j, count, d);
                 }
         }
@@ -1871,10 +1807,10 @@ speed_main(int argc, char **argv)
 
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_GHASH], c[D_GHASH][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_GHASH][j]); count++)
                                 CRYPTO_gcm128_aad(ctx, buf, lengths[j]);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_GHASH, j, count, d);
                 }
                 CRYPTO_gcm128_release(ctx);
@@ -1897,11 +1833,11 @@ speed_main(int argc, char **argv)
 
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_AES_128_GCM],c[D_AES_128_GCM][j],lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_AES_128_GCM][j]); count++)
                                 EVP_AEAD_CTX_seal(ctx, buf, &buf_len, BUFSIZE, nonce,
                                     nonce_len, buf, lengths[j], NULL, 0);
-                        d=Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_AES_128_GCM,j,count,d);
                 }
                 EVP_AEAD_CTX_free(ctx);
@@ -1925,11 +1861,11 @@ speed_main(int argc, char **argv)
 
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_AES_256_GCM],c[D_AES_256_GCM][j],lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_AES_256_GCM][j]); count++)
                                 EVP_AEAD_CTX_seal(ctx, buf, &buf_len, BUFSIZE, nonce,
                                     nonce_len, buf, lengths[j], NULL, 0);
-                        d=Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_AES_256_GCM, j, count, d);
                 }
                 EVP_AEAD_CTX_free(ctx);
@@ -1955,11 +1891,11 @@ speed_main(int argc, char **argv)
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_CHACHA20_POLY1305],
                             c[D_CHACHA20_POLY1305][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_CHACHA20_POLY1305][j]); count++)
                                 EVP_AEAD_CTX_seal(ctx, buf, &buf_len, BUFSIZE, nonce,
                                     nonce_len, buf, lengths[j], NULL, 0);
-                        d=Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_CHACHA20_POLY1305, j, count, d);
                 }
                 EVP_AEAD_CTX_free(ctx);
@@ -1969,36 +1905,36 @@ speed_main(int argc, char **argv)
         if (doit[D_CBC_128_CML]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_CBC_128_CML], c[D_CBC_128_CML][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_CBC_128_CML][j]); count++)
                                 Camellia_cbc_encrypt(buf, buf,
                                     (unsigned long) lengths[j], &camellia_ks1,
                                     iv, CAMELLIA_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_CBC_128_CML, j, count, d);
                 }
         }
         if (doit[D_CBC_192_CML]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_CBC_192_CML], c[D_CBC_192_CML][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_CBC_192_CML][j]); count++)
                                 Camellia_cbc_encrypt(buf, buf,
                                     (unsigned long) lengths[j], &camellia_ks2,
                                     iv, CAMELLIA_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_CBC_192_CML, j, count, d);
                 }
         }
         if (doit[D_CBC_256_CML]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_CBC_256_CML], c[D_CBC_256_CML][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_CBC_256_CML][j]); count++)
                                 Camellia_cbc_encrypt(buf, buf,
                                     (unsigned long) lengths[j], &camellia_ks3,
                                     iv, CAMELLIA_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_CBC_256_CML, j, count, d);
                 }
         }
@@ -2007,12 +1943,12 @@ speed_main(int argc, char **argv)
         if (doit[D_CBC_IDEA]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_CBC_IDEA], c[D_CBC_IDEA][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_CBC_IDEA][j]); count++)
                                 idea_cbc_encrypt(buf, buf,
                                     (unsigned long) lengths[j], &idea_ks,
                                     iv, IDEA_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_CBC_IDEA, j, count, d);
                 }
         }
@@ -2021,12 +1957,12 @@ speed_main(int argc, char **argv)
         if (doit[D_CBC_RC2]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_CBC_RC2], c[D_CBC_RC2][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_CBC_RC2][j]); count++)
                                 RC2_cbc_encrypt(buf, buf,
                                     (unsigned long) lengths[j], &rc2_ks,
                                     iv, RC2_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_CBC_RC2, j, count, d);
                 }
         }
@@ -2035,12 +1971,12 @@ speed_main(int argc, char **argv)
         if (doit[D_CBC_BF]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_CBC_BF], c[D_CBC_BF][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_CBC_BF][j]); count++)
                                 BF_cbc_encrypt(buf, buf,
                                     (unsigned long) lengths[j], &bf_ks,
                                     iv, BF_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_CBC_BF, j, count, d);
                 }
         }
@@ -2049,12 +1985,12 @@ speed_main(int argc, char **argv)
         if (doit[D_CBC_CAST]) {
                 for (j = 0; j < SIZE_NUM; j++) {
                         print_message(names[D_CBC_CAST], c[D_CBC_CAST][j], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(c[D_CBC_CAST][j]); count++)
                                 CAST_cbc_encrypt(buf, buf,
                                     (unsigned long) lengths[j], &cast_ks,
                                     iv, CAST_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         print_result(D_CBC_CAST, j, count, d);
                 }
         }
@@ -2087,7 +2023,7 @@ speed_main(int argc, char **argv)
                                         EVP_EncryptInit_ex(ctx, evp_cipher, NULL, key16, iv);
                                 EVP_CIPHER_CTX_set_padding(ctx, 0);
 
-                                Time_F(START);
+                                time_f(START);
                                 if (decrypt)
                                         for (count = 0, run = 1; COND(save_count * 4 * lengths[0] / lengths[j]); count++)
                                                 EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[j]);
@@ -2098,7 +2034,7 @@ speed_main(int argc, char **argv)
                                         EVP_DecryptFinal_ex(ctx, buf, &outl);
                                 else
                                         EVP_EncryptFinal_ex(ctx, buf, &outl);
-                                d = Time_F(STOP);
+                                d = time_f(STOP);
                                 EVP_CIPHER_CTX_free(ctx);
                         }
                         if (evp_md) {
@@ -2106,11 +2042,11 @@ speed_main(int argc, char **argv)
                                 print_message(names[D_EVP], save_count,
                                     lengths[j]);
 
-                                Time_F(START);
+                                time_f(START);
                                 for (count = 0, run = 1; COND(save_count * 4 * lengths[0] / lengths[j]); count++)
                                         EVP_Digest(buf, lengths[j], &(md[0]), NULL, evp_md, NULL);
 
-                                d = Time_F(STOP);
+                                d = time_f(STOP);
                         }
                         print_result(D_EVP, j, count, d);
                 }
@@ -2130,7 +2066,7 @@ speed_main(int argc, char **argv)
                             rsa_c[j][0], rsa_bits[j],
                             RSA_SECONDS);
 /*                      RSA_blinding_on(rsa_key[j],NULL); */
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(rsa_c[j][0]); count++) {
                                 ret = RSA_sign(NID_md5_sha1, buf, 36, buf2,
                                     &rsa_num, rsa_key[j]);
@@ -2142,7 +2078,7 @@ speed_main(int argc, char **argv)
                                         break;
                                 }
                         }
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         BIO_printf(bio_err, mr ? "+R1:%ld:%d:%.2f\n"
                             : "%ld %d bit private RSA in %.2fs\n",
                             count, rsa_bits[j], d);
@@ -2159,7 +2095,7 @@ speed_main(int argc, char **argv)
                         pkey_print_message("public", "rsa",
                             rsa_c[j][1], rsa_bits[j],
                             RSA_SECONDS);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(rsa_c[j][1]); count++) {
                                 ret = RSA_verify(NID_md5_sha1, buf, 36, buf2,
                                     rsa_num, rsa_key[j]);
@@ -2171,7 +2107,7 @@ speed_main(int argc, char **argv)
                                         break;
                                 }
                         }
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         BIO_printf(bio_err, mr ? "+R2:%ld:%d:%.2f\n"
                             : "%ld %d bit public RSA in %.2fs\n",
                             count, rsa_bits[j], d);
@@ -2204,7 +2140,7 @@ speed_main(int argc, char **argv)
                         pkey_print_message("sign", "dsa",
                             dsa_c[j][0], dsa_bits[j],
                             DSA_SECONDS);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(dsa_c[j][0]); count++) {
                                 ret = DSA_sign(EVP_PKEY_DSA, buf, 20, buf2,
                                     &kk, dsa_key[j]);
@@ -2216,7 +2152,7 @@ speed_main(int argc, char **argv)
                                         break;
                                 }
                         }
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         BIO_printf(bio_err, mr ? "+R3:%ld:%d:%.2f\n"
                             : "%ld %d bit DSA signs in %.2fs\n",
                             count, dsa_bits[j], d);
@@ -2234,7 +2170,7 @@ speed_main(int argc, char **argv)
                         pkey_print_message("verify", "dsa",
                             dsa_c[j][1], dsa_bits[j],
                             DSA_SECONDS);
-                        Time_F(START);
+                        time_f(START);
                         for (count = 0, run = 1; COND(dsa_c[j][1]); count++) {
                                 ret = DSA_verify(EVP_PKEY_DSA, buf, 20, buf2,
                                     kk, dsa_key[j]);
@@ -2246,7 +2182,7 @@ speed_main(int argc, char **argv)
                                         break;
                                 }
                         }
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                         BIO_printf(bio_err, mr ? "+R4:%ld:%d:%.2f\n"
                             : "%ld %d bit DSA verify in %.2fs\n",
                             count, dsa_bits[j], d);
@@ -2287,7 +2223,7 @@ speed_main(int argc, char **argv)
                                     test_curves_bits[j],
                                     ECDSA_SECONDS);
 
-                                Time_F(START);
+                                time_f(START);
                                 for (count = 0, run = 1; COND(ecdsa_c[j][0]);
                                     count++) {
                                         ret = ECDSA_sign(0, buf, 20,
@@ -2300,7 +2236,7 @@ speed_main(int argc, char **argv)
                                                 break;
                                         }
                                 }
-                                d = Time_F(STOP);
+                                d = time_f(STOP);
 
                                 BIO_printf(bio_err, mr ? "+R5:%ld:%d:%.2f\n" :
                                     "%ld %d bit ECDSA signs in %.2fs \n",
@@ -2321,7 +2257,7 @@ speed_main(int argc, char **argv)
                                     ecdsa_c[j][1],
                                     test_curves_bits[j],
                                     ECDSA_SECONDS);
-                                Time_F(START);
+                                time_f(START);
                                 for (count = 0, run = 1; COND(ecdsa_c[j][1]); count++) {
                                         ret = ECDSA_verify(0, buf, 20, ecdsasig, ecdsasiglen, ecdsa[j]);
                                         if (ret != 1) {
@@ -2331,7 +2267,7 @@ speed_main(int argc, char **argv)
                                                 break;
                                         }
                                 }
-                                d = Time_F(STOP);
+                                d = time_f(STOP);
                                 BIO_printf(bio_err, mr ? "+R6:%ld:%d:%.2f\n"
                                     : "%ld %d bit ECDSA verify in %.2fs\n",
                                     count, test_curves_bits[j], d);
@@ -2408,7 +2344,7 @@ speed_main(int argc, char **argv)
                                             ecdh_c[j][0],
                                             test_curves_bits[j],
                                             ECDH_SECONDS);
-                                        Time_F(START);
+                                        time_f(START);
                                         for (count = 0, run = 1;
                                              COND(ecdh_c[j][0]); count++) {
                                                 ECDH_compute_key(secret_a,
@@ -2416,7 +2352,7 @@ speed_main(int argc, char **argv)
                                                     EC_KEY_get0_public_key(ecdh_b[j]),
                                                     ecdh_a[j], kdf);
                                         }
-                                        d = Time_F(STOP);
+                                        d = time_f(STOP);
                                         BIO_printf(bio_err, mr
                                             ? "+R7:%ld:%d:%.2f\n"
                                             : "%ld %d-bit ECDH ops in %.2fs\n",