1158 files changed, 21829 insertions, 23803 deletions
diff --git a/src/lib/libc/include/namespace.h b/src/lib/libc/include/namespace.h
index 8503de47be..cc83735b90 100644
--- a/src/lib/libc/include/namespace.h
+++ b/src/lib/libc/include/namespace.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: namespace.h,v 1.16 2023/10/29 14:26:13 millert Exp $  */
+/*      $OpenBSD: namespace.h,v 1.17 2025/10/23 19:06:10 miod Exp $     */
 #ifndef _LIBC_NAMESPACE_H_
 #define _LIBC_NAMESPACE_H_
@@ -57,13 +57,13 @@
 #define DEF_WRAP(x)             __weak_alias(x, WRAP(x))
 #define DEF_SYS(x)              __strong_alias(_thread_sys_##x, HIDDEN(x))
-#if !defined(__clang__) && __GNUC__ != 3
+#if !defined(__clang__)
 /* our gcc 4.2 handles redirecting builtins via PROTO_NORMAL()'s asm() label */
 #define DEF_BUILTIN(x)          DEF_STRONG(x)
 #define BUILTIN
 #else
 /*
- * clang and gcc can't redirect builtins via asm() labels, so mark
+ * clang can't redirect builtins via asm() labels, so mark
 * them protected instead.
 */
 #define DEF_BUILTIN(x)          __asm("")
@@ -86,7 +86,7 @@ BUILTIN void	*memmove(void *, const void *, __size_t);
 BUILTIN void    *memcpy(void *__restrict, const void *__restrict, __size_t);
 BUILTIN void    *memset(void *, int, __size_t);
 BUILTIN void    __stack_smash_handler(const char [], int __unused);
-#if !defined(__clang__) && __GNUC__ != 3
+#if !defined(__clang__)
 PROTO_NORMAL(memmove);
 PROTO_NORMAL(memcpy);
 PROTO_NORMAL(memset);
diff --git a/src/lib/libc/include/thread_private.h b/src/lib/libc/include/thread_private.h
index 1ec1071161..3e1dbcdf6e 100644
--- a/src/lib/libc/include/thread_private.h
+++ b/src/lib/libc/include/thread_private.h
@@ -1,10 +1,13 @@
-/* $OpenBSD: thread_private.h,v 1.37 2024/08/18 02:25:51 guenther Exp $ */
+/* $OpenBSD: thread_private.h,v 1.40 2025/08/04 01:44:33 dlg Exp $ */
 /* PUBLIC DOMAIN: No Rights Reserved. Marco S Hyman <marc@snafu.org> */
 #ifndef _THREAD_PRIVATE_H_
 #define _THREAD_PRIVATE_H_
+#include <sys/types.h>
+#include <sys/gmon.h>
 extern int __isthreaded;
 #define _MALLOC_MUTEXES 32
@@ -292,6 +295,12 @@ TAILQ_HEAD(pthread_queue, pthread);
 #ifdef FUTEX
+/*
+ * CAS based implementations
+ */
+#define __CMTX_CAS
 struct pthread_mutex {
        volatile unsigned int lock;
        int type;
@@ -312,6 +321,10 @@ struct pthread_rwlock {
 #else
+/*
+ * spinlock based implementations
+ */
 struct pthread_mutex {
        _atomic_lock_t lock;
        struct pthread_queue lockers;
@@ -336,6 +349,46 @@ struct pthread_rwlock {
 };
 #endif /* FUTEX */
+/* libc mutex */
+#define __CMTX_UNLOCKED         0
+#define __CMTX_LOCKED           1
+#define __CMTX_CONTENDED        2
+#ifdef __CMTX_CAS
+struct __cmtx {
+        volatile unsigned int   lock;
+};
+#define __CMTX_INITIALIZER() {                                          \
+        .lock = __CMTX_UNLOCKED,                                        \
+}
+#else /* __CMTX_CAS */
+struct __cmtx {
+        _atomic_lock_t          spin;
+        volatile unsigned int   lock;
+};
+#define __CMTX_INITIALIZER() {                                          \
+        .spin = _SPINLOCK_UNLOCKED,                                     \
+        .lock = __CMTX_UNLOCKED,                                        \
+}
+#endif /* __CMTX_CAS */
+/* libc recursive mutex */
+struct __rcmtx {
+        volatile pthread_t      owner;
+        struct __cmtx           mtx;
+        unsigned int            depth;
+};
+#define __RCMTX_INITIALIZER() {                                         \
+        .owner = NULL,                                                  \
+        .mtx = __CMTX_INITIALIZER(),                                    \
+        .depth = 0,                                                     \
+}
 struct pthread_mutex_attr {
        int ma_type;
        int ma_protocol;
@@ -390,6 +443,7 @@ struct pthread {
        /* cancel received in a delayed cancel block? */
        int delayed_cancel;
+        struct gmonparam *gmonparam;
 };
 /* flags in pthread->flags */
 #define THREAD_DONE             0x001
@@ -410,6 +464,16 @@ void	_spinlock(volatile _atomic_lock_t *);
 int     _spinlocktry(volatile _atomic_lock_t *);
 void    _spinunlock(volatile _atomic_lock_t *);
+void    __cmtx_init(struct __cmtx *);
+int     __cmtx_enter_try(struct __cmtx *);
+void    __cmtx_enter(struct __cmtx *);
+void    __cmtx_leave(struct __cmtx *);
+void    __rcmtx_init(struct __rcmtx *);
+int     __rcmtx_enter_try(struct __rcmtx *);
+void    __rcmtx_enter(struct __rcmtx *);
+void    __rcmtx_leave(struct __rcmtx *);
 void    _rthread_debug(int, const char *, ...)
                __attribute__((__format__ (printf, 2, 3)));
 pid_t   _thread_dofork(pid_t (*_sys_fork)(void));
diff --git a/src/lib/libc/net/ether_aton.3 b/src/lib/libc/net/ether_aton.3
index 98562dc44c..83fe98880c 100644
--- a/src/lib/libc/net/ether_aton.3
+++ b/src/lib/libc/net/ether_aton.3
@@ -1,8 +1,8 @@
-.\"     $OpenBSD: ether_aton.3,v 1.3 2022/09/11 06:38:10 jmc Exp $
+.\"     $OpenBSD: ether_aton.3,v 1.4 2025/06/29 00:33:46 dlg Exp $
 .\"
 .\" Written by roland@frob.com.  Public domain.
 .\"
-.Dd $Mdocdate: September 11 2022 $
+.Dd $Mdocdate: June 29 2025 $
 .Dt ETHER_ATON 3
 .Os
 .Sh NAME
@@ -19,7 +19,7 @@
 .In netinet/in.h
 .In netinet/if_ether.h
 .Ft char *
-.Fn ether_ntoa "struct ether_addr *e"
+.Fn ether_ntoa "const struct ether_addr *e"
 .Ft struct ether_addr *
 .Fn ether_aton "const char *s"
 .Ft int
diff --git a/src/lib/libc/net/ethers.c b/src/lib/libc/net/ethers.c
index d62be1ca71..6edad5c5e5 100644
--- a/src/lib/libc/net/ethers.c
+++ b/src/lib/libc/net/ethers.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ethers.c,v 1.27 2019/01/25 00:19:25 millert Exp $     */
+/*      $OpenBSD: ethers.c,v 1.28 2025/06/29 00:33:46 dlg Exp $ */
 /*
 * Copyright (c) 1998 Todd C. Miller <millert@openbsd.org>
@@ -42,7 +42,7 @@
 static char * _ether_aton(const char *, struct ether_addr *);
 char *
-ether_ntoa(struct ether_addr *e)
+ether_ntoa(const struct ether_addr *e)
 {
        static char a[] = "xx:xx:xx:xx:xx:xx";
diff --git a/src/lib/libc/net/freeaddrinfo.c b/src/lib/libc/net/freeaddrinfo.c
index 154f70cd75..c06318fb75 100644
--- a/src/lib/libc/net/freeaddrinfo.c
+++ b/src/lib/libc/net/freeaddrinfo.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: freeaddrinfo.c,v 1.9 2016/09/21 04:38:56 guenther Exp $       */
+/*      $OpenBSD: freeaddrinfo.c,v 1.10 2025/12/08 13:30:08 jca Exp $   */
 /*
 * Copyright (c) 1996, 1997, 1998, 1999, Craig Metz, All rights reserved.
@@ -40,11 +40,15 @@ freeaddrinfo(struct addrinfo *ai)
 {
        struct addrinfo *p;
-        do {
+        /*
+         * Calling freeaddrinfo() with a NULL pointer is unspecified,
+         * but try to cope with it anyway for compatibility.
+         */
+        while (ai != NULL) {
                p = ai;
                ai = ai->ai_next;
                free(p->ai_canonname);
                free(p);
-        } while (ai);
+        }
 }
 DEF_WEAK(freeaddrinfo);
diff --git a/src/lib/libc/net/gai_strerror.3 b/src/lib/libc/net/gai_strerror.3
index d271f492c5..93d11aad09 100644
--- a/src/lib/libc/net/gai_strerror.3
+++ b/src/lib/libc/net/gai_strerror.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: gai_strerror.3,v 1.10 2017/05/03 01:58:33 deraadt Exp $
+.\"     $OpenBSD: gai_strerror.3,v 1.11 2025/06/13 18:34:00 schwarze Exp $
 .\"     $KAME: gai_strerror.3,v 1.1 2005/01/05 03:04:47 itojun Exp $
 .\"
 .\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
@@ -16,7 +16,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 3 2017 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt GAI_STRERROR 3
 .Os
 .Sh NAME
@@ -26,7 +26,7 @@
 .In sys/types.h
 .In sys/socket.h
 .In netdb.h
-.Ft "const char *"
+.Ft const char *
 .Fn gai_strerror "int ecode"
 .Sh DESCRIPTION
 The
diff --git a/src/lib/libc/net/getaddrinfo.3 b/src/lib/libc/net/getaddrinfo.3
index 780c7a409f..2df5fbe896 100644
--- a/src/lib/libc/net/getaddrinfo.3
+++ b/src/lib/libc/net/getaddrinfo.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: getaddrinfo.3,v 1.61 2022/09/11 06:38:10 jmc Exp $
+.\"     $OpenBSD: getaddrinfo.3,v 1.62 2025/12/08 13:30:08 jca Exp $
 .\"     $KAME: getaddrinfo.3,v 1.36 2005/01/05 03:23:05 itojun Exp $
 .\"
 .\" Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
@@ -16,7 +16,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 11 2022 $
+.Dd $Mdocdate: December 8 2025 $
 .Dt GETADDRINFO 3
 .Os
 .Sh NAME
@@ -475,3 +475,7 @@ flag bit first appeared in Windows 7.
 .%R RFC 4007
 .%T IPv6 Scoped Address Architecture
 .Re
+.Sh CAVEATS
+The behavior of
+.Fn freeaddrinfo "NULL"
+is not specified and therefore not portable.
diff --git a/src/lib/libc/net/getifaddrs.c b/src/lib/libc/net/getifaddrs.c
index 069ee9afab..448e76097f 100644
--- a/src/lib/libc/net/getifaddrs.c
+++ b/src/lib/libc/net/getifaddrs.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: getifaddrs.c,v 1.14 2021/11/29 03:20:37 deraadt Exp $ */
+/*      $OpenBSD: getifaddrs.c,v 1.15 2025/11/13 10:34:32 deraadt Exp $ */
 /*
 * Copyright (c) 1995, 1999
@@ -25,10 +25,10 @@
 *      BSDI getifaddrs.c,v 2.12 2000/02/23 14:51:59 dab Exp
 */
-#include <sys/param.h>  /* ALIGN ALIGNBYTES */
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
+#include <sys/syslog.h>
 #include <net/if.h>
 #include <net/route.h>
 #include <sys/sysctl.h>
@@ -38,35 +38,32 @@
 #include <ifaddrs.h>
 #include <stddef.h>
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #include <unistd.h>
+#include <stdio.h>
-#define SALIGN  (sizeof(long) - 1)
+#define roundup(x, y)   ((((uintptr_t)(x)+((y)-1))/(y))*(y))
-#define SA_RLEN(sa)     ((sa)->sa_len ? (((sa)->sa_len + SALIGN) & ~SALIGN) : (SALIGN + 1))
+#define proundup(x, y)  (void *)roundup(x,y)
+#define SA_RLEN(sa)     ((sa)->sa_len ? \
+                            roundup((sa)->sa_len, sizeof(long)) : \
+                            roundup(1, sizeof(long)))
 int
 getifaddrs(struct ifaddrs **pif)
 {
-        int icnt = 1;
+        int icnt = 1, dcnt = 0, ncnt = 0, mib[6], i;
-        int dcnt = 0;
-        int ncnt = 0;
-        int mib[6];
        size_t needed;
-        char *buf = NULL, *bufp;
+        char *buf = NULL, *bufp, *data, *names, *next, *p, *p0;
-        char *next;
+        struct ifaddrs *cif = 0, *ifa, *ift;
-        struct ifaddrs *cif = 0;
-        char *p, *p0;
        struct rt_msghdr *rtm;
        struct if_msghdr *ifm;
        struct ifa_msghdr *ifam;
        struct sockaddr_dl *dl;
        struct sockaddr *sa;
        u_short index = 0;
-        size_t len, alen, dlen;
+        size_t len, alen, dlen, dsize;
-        struct ifaddrs *ifa, *ift;
-        int i;
-        char *data;
-        char *names;
        mib[0] = CTL_NET;
        mib[1] = PF_ROUTE;
@@ -95,6 +92,7 @@ getifaddrs(struct ifaddrs **pif)
                break;
        }
+        /* Calculate data buffer size */
        for (next = buf; next < buf + needed; next += rtm->rtm_msglen) {
                rtm = (struct rt_msghdr *)next;
                if (rtm->rtm_version != RTM_VERSION)
@@ -107,10 +105,15 @@ getifaddrs(struct ifaddrs **pif)
                                ++icnt;
                                dl = (struct sockaddr_dl *)(next +
                                    rtm->rtm_hdrlen);
-                                dcnt += SA_RLEN((struct sockaddr *)dl) +
-                                        ALIGNBYTES;
-                                dcnt += sizeof(ifm->ifm_data);
                                ncnt += dl->sdl_nlen + 1;
+                                /* sockaddr's need long alignment */
+                                dcnt = roundup(dcnt, sizeof(long));
+                                dcnt += SA_RLEN((struct sockaddr *)dl);
+                                /* ifm_data[] needs long long alignment */
+                                dcnt = roundup(dcnt, sizeof(long long));
+                                dcnt += sizeof(ifm->ifm_data);
                        } else
                                index = 0;
                        break;
@@ -145,6 +148,8 @@ getifaddrs(struct ifaddrs **pif)
                                        continue;
                                sa = (struct sockaddr *)p;
                                len = SA_RLEN(sa);
+                                /* sockaddr's need long alignment */
+                                dcnt = roundup(dcnt, sizeof(long));
                                if (i == RTAX_NETMASK && sa->sa_len == 0)
                                        dcnt += alen;
                                else
@@ -155,23 +160,29 @@ getifaddrs(struct ifaddrs **pif)
                }
        }
-        if (icnt + dcnt + ncnt == 1) {
+        if (icnt + ncnt + dcnt == 1) {
                *pif = NULL;
                free(buf);
                return (0);
        }
-        data = malloc(sizeof(struct ifaddrs) * icnt + dcnt + ncnt);
+        dsize = sizeof(struct ifaddrs) * icnt;
+        dsize += ncnt;
+        dsize = roundup(dsize, sizeof(long long));
+        dsize += dcnt;
+        data = calloc(dsize, 1);
        if (data == NULL) {
                free(buf);
                return(-1);
        }
-        ifa = (struct ifaddrs *)data;
+        /* ifaddrs[], names, then if_data[] */
+        ift = ifa = (struct ifaddrs *)data;
        data += sizeof(struct ifaddrs) * icnt;
-        names = data + dcnt;
+        names = data;
+        data += ncnt;
-        memset(ifa, 0, sizeof(struct ifaddrs) * icnt);
+        data = proundup(data, sizeof(long long));
-        ift = ifa;
        index = 0;
        for (next = buf; next < buf + needed; next += rtm->rtm_msglen) {
@@ -193,19 +204,21 @@ getifaddrs(struct ifaddrs **pif)
                                names[dl->sdl_nlen] = 0;
                                names += dl->sdl_nlen + 1;
+                                data = proundup(data, sizeof(long));
                                ift->ifa_addr = (struct sockaddr *)data;
                                memcpy(data, dl,
                                    ((struct sockaddr *)dl)->sa_len);
                                data += SA_RLEN((struct sockaddr *)dl);
-                                /* ifm_data needs to be aligned */
+                                /* if_data needs long long alignment */
-                                ift->ifa_data = data = (void *)ALIGN(data);
+                                data = proundup(data, sizeof(long long));
+                                ift->ifa_data = data;
                                dlen = rtm->rtm_hdrlen -
                                    offsetof(struct if_msghdr, ifm_data);
                                if (dlen > sizeof(ifm->ifm_data))
                                        dlen = sizeof(ifm->ifm_data);
                                memcpy(data, &ifm->ifm_data, dlen);
-                                data += sizeof(ifm->ifm_data);
+                                data += dlen;
                                ift = (ift->ifa_next = ift + 1);
                        } else
@@ -245,12 +258,14 @@ getifaddrs(struct ifaddrs **pif)
                                len = SA_RLEN(sa);
                                switch (i) {
                                case RTAX_IFA:
+                                        data = proundup(data, sizeof(long));
                                        ift->ifa_addr = (struct sockaddr *)data;
                                        memcpy(data, p, len);
                                        data += len;
                                        break;
                                case RTAX_NETMASK:
+                                        data = proundup(data, sizeof(long));
                                        ift->ifa_netmask =
                                            (struct sockaddr *)data;
                                        if (sa->sa_len == 0) {
@@ -263,6 +278,7 @@ getifaddrs(struct ifaddrs **pif)
                                        break;
                                case RTAX_BRD:
+                                        data = proundup(data, sizeof(long));
                                        ift->ifa_broadaddr =
                                            (struct sockaddr *)data;
                                        memcpy(data, p, len);
@@ -278,6 +294,17 @@ getifaddrs(struct ifaddrs **pif)
                }
        }
+        /* XXX temporary paranoia until we are sure it is bug free */
+        if (dsize != (char *)data - (char *)ifa) {
+                char buf[1024];
+                /* <10> is LOG_CRIT */
+                snprintf(buf, sizeof buf,
+                    "<10>%s: getifaddrs: allocated %lu used %lu\n",
+                    __progname, dsize, (char *)data - (char *)ifa);
+                sendsyslog(buf, strlen(buf), LOG_CONS);
+        }
        free(buf);
        if (--ift >= ifa) {
                ift->ifa_next = NULL;
diff --git a/src/lib/libc/net/if_indextoname.3 b/src/lib/libc/net/if_indextoname.3
index 25d2a2722f..9d00d66bd5 100644
--- a/src/lib/libc/net/if_indextoname.3
+++ b/src/lib/libc/net/if_indextoname.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: if_indextoname.3,v 1.16 2015/11/21 07:48:10 jmc Exp $
+.\"     $OpenBSD: if_indextoname.3,v 1.17 2025/06/13 18:34:00 schwarze Exp $
 .\" Copyright (c) 1983, 1991, 1993
 .\"     The Regents of the University of California.  All rights reserved.
 .\"
@@ -28,7 +28,7 @@
 .\"
 .\"     From: @(#)rcmd.3        8.1 (Berkeley) 6/4/93
 .\"
-.Dd $Mdocdate: November 21 2015 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt IF_NAMETOINDEX 3
 .Os
 .Sh NAME
@@ -41,13 +41,13 @@
 .In sys/types.h
 .In sys/socket.h
 .In net/if.h
-.Ft "unsigned int"
+.Ft unsigned int
 .Fn if_nametoindex "const char *ifname"
-.Ft "char *"
+.Ft char *
 .Fn if_indextoname "unsigned int ifindex" "char *ifname"
-.Ft "struct if_nameindex *"
+.Ft struct if_nameindex *
 .Fn if_nameindex "void"
-.Ft "void"
+.Ft void
 .Fn if_freenameindex "struct if_nameindex *ptr"
 .Sh DESCRIPTION
 These functions map interface indexes to interface names (such as
diff --git a/src/lib/libc/net/inet6_opt_init.3 b/src/lib/libc/net/inet6_opt_init.3
index 41ba842166..87244507a9 100644
--- a/src/lib/libc/net/inet6_opt_init.3
+++ b/src/lib/libc/net/inet6_opt_init.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: inet6_opt_init.3,v 1.8 2022/03/31 17:27:16 naddy Exp $
+.\"     $OpenBSD: inet6_opt_init.3,v 1.9 2025/06/13 18:34:00 schwarze Exp $
 .\"     $KAME: inet6_opt_init.3,v 1.7 2004/12/27 05:08:23 itojun Exp $
 .\"
 .\" Copyright (C) 2004 WIDE Project.
@@ -28,7 +28,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt INET6_OPT_INIT 3
 .Os
 .\"
@@ -44,19 +44,19 @@
 .\"
 .Sh SYNOPSIS
 .In netinet/in.h
-.Ft "int"
+.Ft int
 .Fn inet6_opt_init "void *extbuf" "socklen_t extlen"
-.Ft "int"
+.Ft int
 .Fn inet6_opt_append "void *extbuf" "socklen_t extlen" "int offset" "u_int8_t type" "socklen_t len" "u_int8_t align" "void **databufp"
-.Ft "int"
+.Ft int
 .Fn inet6_opt_finish "void *extbuf" "socklen_t extlen" "int offset"
-.Ft "int"
+.Ft int
 .Fn inet6_opt_set_val "void *databuf" "int offset" "void *val" "socklen_t vallen"
-.Ft "int"
+.Ft int
 .Fn inet6_opt_next "void *extbuf" "socklen_t extlen" "int offset" "u_int8_t *typep" "socklen_t *lenp" "void **databufp"
-.Ft "int"
+.Ft int
 .Fn inet6_opt_find "void *extbuf" "socklen_t extlen" "int offset" "u_int8_t type" "socklen_t *lenp" "void **databufp"
-.Ft "int"
+.Ft int
 .Fn inet6_opt_get_val "void *databuf" "socklen_t offset" "void *val" "socklen_t vallen"
 .\"
 .Sh DESCRIPTION
diff --git a/src/lib/libc/net/inet6_rth_space.3 b/src/lib/libc/net/inet6_rth_space.3
index c40b45057e..7304266fe1 100644
--- a/src/lib/libc/net/inet6_rth_space.3
+++ b/src/lib/libc/net/inet6_rth_space.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: inet6_rth_space.3,v 1.8 2022/03/31 17:27:16 naddy Exp $
+.\"     $OpenBSD: inet6_rth_space.3,v 1.9 2025/06/13 18:34:00 schwarze Exp $
 .\"     $KAME: inet6_rth_space.3,v 1.7 2005/01/05 03:00:44 itojun Exp $
 .\"
 .\" Copyright (C) 2004 WIDE Project.
@@ -28,7 +28,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt INET6_RTH_SPACE 3
 .Os
 .\"
@@ -45,7 +45,7 @@
 .In netinet/in.h
 .Ft socklen_t
 .Fn inet6_rth_space "int" "int"
-.Ft "void *"
+.Ft void *
 .Fn inet6_rth_init "void *" "socklen_t" "int" "int"
 .Ft int
 .Fn inet6_rth_add "void *" "const struct in6_addr *"
@@ -53,7 +53,7 @@
 .Fn inet6_rth_reverse "const void *" "void *"
 .Ft int
 .Fn inet6_rth_segments "const void *"
-.Ft "struct in6_addr *"
+.Ft struct in6_addr *
 .Fn inet6_rth_getaddr "const void *" "int"
 .\"
 .Sh DESCRIPTION
diff --git a/src/lib/libc/stdlib/exit.3 b/src/lib/libc/stdlib/exit.3
index 22acade86c..ccb416ee82 100644
--- a/src/lib/libc/stdlib/exit.3
+++ b/src/lib/libc/stdlib/exit.3
@@ -29,9 +29,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"     $OpenBSD: exit.3,v 1.18 2024/08/30 03:44:48 guenther Exp $
+.\"     $OpenBSD: exit.3,v 1.19 2025/06/03 14:15:53 yasuoka Exp $
 .\"
-.Dd $Mdocdate: August 30 2024 $
+.Dd $Mdocdate: June 3 2025 $
 .Dt EXIT 3
 .Os
 .Sh NAME
@@ -54,9 +54,7 @@ Call the functions registered with the
 .Xr atexit 3
 function, in the reverse order of their registration.
 .It
-Flush all open output streams.
+Flush and close all open streams.
-.It
-Close all open streams.
 .It
 Unlink all files created with the
 .Xr tmpfile 3
@@ -79,6 +77,7 @@ function never returns.
 .Sh SEE ALSO
 .Xr _exit 2 ,
 .Xr atexit 3 ,
+.Xr fflush 3 ,
 .Xr intro 3 ,
 .Xr sysexits 3 ,
 .Xr tmpfile 3
@@ -86,7 +85,7 @@ function never returns.
 The
 .Fn exit
 function conforms to
-.St -isoC-99 .
+.St -p1003.1-2024 .
 .Sh HISTORY
 An
 .Fn exit
diff --git a/src/lib/libc/stdlib/malloc.3 b/src/lib/libc/stdlib/malloc.3
index bea5575bf8..ee13b01bd4 100644
--- a/src/lib/libc/stdlib/malloc.3
+++ b/src/lib/libc/stdlib/malloc.3
@@ -30,9 +30,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"     $OpenBSD: malloc.3,v 1.142 2024/08/03 20:09:24 guenther Exp $
+.\"     $OpenBSD: malloc.3,v 1.147 2025/06/04 00:38:01 yasuoka Exp $
 .\"
-.Dd $Mdocdate: August 3 2024 $
+.Dd $Mdocdate: June 4 2025 $
 .Dt MALLOC 3
 .Os
 .Sh NAME
@@ -69,7 +69,8 @@
 .Fn malloc_conceal "size_t size"
 .Ft void *
 .Fn calloc_conceal "size_t nmemb" "size_t size"
-.Vt char *malloc_options ;
+.Vt const char * const
+.Va malloc_options ;
 .Sh DESCRIPTION
 The standard functions
 .Fn malloc ,
@@ -268,7 +269,15 @@ next checks the environment for a variable called
 and finally looks at the global variable
 .Va malloc_options
 in the program.
-Each is scanned for the flags documented below.
+Since
+.Fn malloc
+might already get called before the beginning of
+.Fn main ,
+either initialize
+.Va malloc_options
+to a string literal at file scope or do not declare it at all.
+.Pp
+Each of the three strings is scanned for the flags documented below.
 Unless otherwise noted uppercase means on, lowercase means off.
 During initialization, flags occurring later modify the behaviour
 that was requested by flags processed earlier.
@@ -363,18 +372,9 @@ Use with
 to get a verbose dump of malloc's internal state.
 .It Cm X
 .Dq xmalloc .
-Rather than return failure,
+Rather than return failure to handle out-of-memory conditions gracefully,
 .Xr abort 3
 the program with a diagnostic message on stderr.
-It is the intention that this option be set at compile time by
-including in the source:
-.Bd -literal -offset indent
-extern char *malloc_options;
-malloc_options = "X";
-.Ed
-.Pp
-Note that this will cause code that is supposed to handle
-out-of-memory conditions gracefully to abort instead.
 .It Cm <
 .Dq Halve the cache size .
 Decrease the size of the free page cache by a factor of two.
diff --git a/src/lib/libc/stdlib/malloc.c b/src/lib/libc/stdlib/malloc.c
index cad8e5d6a1..f067dd1f37 100644
--- a/src/lib/libc/stdlib/malloc.c
+++ b/src/lib/libc/stdlib/malloc.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: malloc.c,v 1.297 2024/09/20 02:00:46 jsg Exp $        */
+/*      $OpenBSD: malloc.c,v 1.300 2025/10/23 18:49:46 miod Exp $       */
 /*
 * Copyright (c) 2008, 2010, 2011, 2016, 2023 Otto Moerbeek <otto@drijf.net>
 * Copyright (c) 2012 Matthew Dempsky <matthew@openbsd.org>
@@ -31,7 +31,6 @@
 #include <sys/queue.h>
 #include <sys/mman.h>
 #include <sys/sysctl.h>
-#include <uvm/uvmexp.h>
 #include <errno.h>
 #include <stdarg.h>
 #include <stdint.h>
@@ -264,7 +263,8 @@ static union {
                __attribute__((section(".openbsd.mutable")));
 #define mopts   malloc_readonly.mopts
-char            *malloc_options;        /* compile-time options */
+/* compile-time options */
+const char *const malloc_options __attribute__((weak));
 static __dead void wrterror(struct dir_info *d, char *msg, ...)
    __attribute__((__format__ (printf, 2, 3)));
@@ -501,7 +501,8 @@ omalloc_parseopt(char opt)
 static void
 omalloc_init(void)
 {
-        char *p, *q, b[16];
+        const char *p;
+        char *q, b[16];
        int i, j;
        const int mib[2] = { CTL_VM, VM_MALLOC_CONF };
        size_t sb;
@@ -1090,24 +1091,6 @@ err:
        return NULL;
 }
-#if defined(__GNUC__) && __GNUC__ < 4
-static inline unsigned int
-lb(u_int x)
-{
-#if defined(__m88k__)
-        __asm__ __volatile__ ("ff1 %0, %0" : "=r" (x) : "0" (x));
-        return x;
-#else
-        /* portable version */
-        unsigned int count = 0;
-        while ((x & (1U << (sizeof(int) * CHAR_BIT - 1))) == 0) {
-                count++;
-                x <<= 1;
-        }
-        return (sizeof(int) * CHAR_BIT - 1) - count;
-#endif
-}
-#else
 /* using built-in function version */
 static inline unsigned int
 lb(u_int x)
@@ -1115,7 +1098,6 @@ lb(u_int x)
        /* I need an extension just for integer-length (: */
        return (sizeof(int) * CHAR_BIT - 1) - __builtin_clz(x);
 }
-#endif
 /* https://pvk.ca/Blog/2015/06/27/linear-log-bucketing-fast-versatile-simple/
   via Tony Finch */
diff --git a/src/lib/libc/stdlib/mkstemp.c b/src/lib/libc/stdlib/mkstemp.c
index 75a9d27d1a..760575005f 100644
--- a/src/lib/libc/stdlib/mkstemp.c
+++ b/src/lib/libc/stdlib/mkstemp.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mkstemp.c,v 1.1 2024/01/19 19:45:02 millert Exp $ */
+/*      $OpenBSD: mkstemp.c,v 1.2 2025/08/04 04:59:31 guenther Exp $ */
 /*
 * Copyright (c) 2024 Todd C. Miller
 *
@@ -20,7 +20,8 @@
 #include <fcntl.h>
 #include <stdlib.h>
-#define MKOSTEMP_FLAGS  (O_APPEND | O_CLOEXEC | O_DSYNC | O_RSYNC | O_SYNC)
+#define MKOSTEMP_FLAGS \
+        (O_APPEND | O_CLOEXEC | O_CLOFORK | O_DSYNC | O_RSYNC | O_SYNC)
 static int
 mkstemp_cb(const char *path, int flags)
diff --git a/src/lib/libc/stdlib/mktemp.3 b/src/lib/libc/stdlib/mktemp.3
index 83b7c9eb30..a967358164 100644
--- a/src/lib/libc/stdlib/mktemp.3
+++ b/src/lib/libc/stdlib/mktemp.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: mktemp.3,v 1.2 2024/03/01 21:30:40 millert Exp $
+.\"     $OpenBSD: mktemp.3,v 1.4 2025/08/04 14:11:37 schwarze Exp $
 .\"
 .\" Copyright (c) 1989, 1991, 1993
 .\"     The Regents of the University of California.  All rights reserved.
@@ -27,17 +27,17 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 1 2024 $
+.Dd $Mdocdate: August 4 2025 $
 .Dt MKTEMP 3
 .Os
 .Sh NAME
 .Nm mktemp ,
 .Nm mkstemp ,
-.Nm mkostemp ,
 .Nm mkstemps ,
-.Nm mkostemps ,
 .Nm mkdtemp ,
-.Nm mkdtemps
+.Nm mkdtemps ,
+.Nm mkostemp ,
+.Nm mkostemps
 .Nd make temporary file name (unique)
 .Sh SYNOPSIS
 .In stdlib.h
@@ -119,6 +119,8 @@ system call:
 Append on each write.
 .It Dv O_CLOEXEC
 Set the close-on-exec flag on the new file descriptor.
+.It Dv O_CLOFORK
+Set the close-on-fork flag on the new file descriptor.
 .It Dv O_SYNC
 Perform synchronous I/O operations.
 .El
@@ -163,8 +165,8 @@ functions return a pointer to the template on success and
 on failure.
 The
 .Fn mkstemp ,
-.Fn mkostemp ,
 .Fn mkstemps ,
+.Fn mkostemp ,
 and
 .Fn mkostemps
 functions return \-1 if no suitable file could be created.
@@ -253,9 +255,9 @@ of
 The
 .Fn mktemp ,
 .Fn mkstemp ,
-.Fn mkostemp ,
+.Fn mkdtemp ,
 and
-.Fn mkdtemp
+.Fn mkostemp
 functions may set
 .Va errno
 to one of the following values:
@@ -318,8 +320,8 @@ function.
 .Pp
 The
 .Fn mkstemp ,
-.Fn mkostemp ,
 .Fn mkstemps ,
+.Fn mkostemp ,
 and
 .Fn mkostemps
 functions may also set
@@ -345,18 +347,16 @@ function.
 .Xr tmpnam 3
 .Sh STANDARDS
 The
-.Fn mkdtemp
+.Fn mkstemp ,
+.Fn mkdtemp ,
 and
-.Fn mkstemp
+.Fn mkostemp
 functions conform to the
-.St -p1003.1-2008
+.St -p1003.1-2024
 specification.
 The ability to specify more than six
 .Em X Ns s
 is an extension to that standard.
-The
-.Fn mkostemp
-function is expected to conform to a future revision of that standard.
 .Pp
 The
 .Fn mktemp
@@ -368,9 +368,9 @@ it is no longer a part of the standard.
 .Pp
 The
 .Fn mkstemps ,
-.Fn mkostemps ,
+.Fn mkdtemps ,
 and
-.Fn mkdtemps
+.Fn mkostemps
 functions are non-standard and should not be used if portability is required.
 .Sh HISTORY
 A
@@ -378,14 +378,14 @@ A
 function appeared in
 .At v7 .
 The
-.Fn mkdtemp
-function appeared in
-.Ox 2.2 .
-The
 .Fn mkstemp
 function appeared in
 .Bx 4.3 .
 The
+.Fn mkdtemp
+function appeared in
+.Ox 2.2 .
+The
 .Fn mkstemps
 function appeared in
 .Ox 2.3 .
diff --git a/src/lib/libc/stdlib/ptsname.3 b/src/lib/libc/stdlib/ptsname.3
index 98705528f5..eea36a5a02 100644
--- a/src/lib/libc/stdlib/ptsname.3
+++ b/src/lib/libc/stdlib/ptsname.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ptsname.3,v 1.2 2012/12/04 18:42:16 millert Exp $
+.\"     $OpenBSD: ptsname.3,v 1.3 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2002 The FreeBSD Project, Inc.
 .\" All rights reserved.
@@ -32,7 +32,7 @@
 .\"
 .\" $FreeBSD: head/lib/libc/stdlib/ptsname.3 240412 2012-09-12 17:54:09Z emaste $
 .\"
-.Dd $Mdocdate: December 4 2012 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt PTSNAME 3
 .Os
 .Sh NAME
@@ -44,7 +44,7 @@
 .In stdlib.h
 .Ft int
 .Fn grantpt "int fildes"
-.Ft "char *"
+.Ft char *
 .Fn ptsname "int fildes"
 .Ft int
 .Fn unlockpt "int fildes"
diff --git a/src/lib/libc/stdlib/rand48.3 b/src/lib/libc/stdlib/rand48.3
index fa7a7179bc..02e1999db9 100644
--- a/src/lib/libc/stdlib/rand48.3
+++ b/src/lib/libc/stdlib/rand48.3
@@ -9,9 +9,9 @@
 .\" of any kind. I shall in no event be liable for anything that happens
 .\" to anyone/anything when using this software.
 .\"
-.\"     $OpenBSD: rand48.3,v 1.21 2019/12/20 19:16:40 tb Exp $
+.\"     $OpenBSD: rand48.3,v 1.22 2025/06/13 18:34:00 schwarze Exp $
 .\"
-.Dd $Mdocdate: December 20 2019 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt DRAND48 3
 .Os
 .Sh NAME
@@ -46,9 +46,9 @@
 .Fn srand48 "long seed"
 .Ft void
 .Fn srand48_deterministic "long seed"
-.Ft "unsigned short *"
+.Ft unsigned short *
 .Fn seed48 "unsigned short xseed[3]"
-.Ft "unsigned short *"
+.Ft unsigned short *
 .Fn seed48_deterministic "unsigned short xseed[3]"
 .Ft void
 .Fn lcong48 "unsigned short p[7]"
diff --git a/src/lib/libc/stdlib/realpath.3 b/src/lib/libc/stdlib/realpath.3
index 1dec10fef4..1f932e3bb5 100644
--- a/src/lib/libc/stdlib/realpath.3
+++ b/src/lib/libc/stdlib/realpath.3
@@ -28,9 +28,9 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"     $OpenBSD: realpath.3,v 1.26 2021/10/13 15:04:53 kn Exp $
+.\"     $OpenBSD: realpath.3,v 1.27 2025/06/13 18:34:00 schwarze Exp $
 .\"
-.Dd $Mdocdate: October 13 2021 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt REALPATH 3
 .Os
 .Sh NAME
@@ -39,7 +39,7 @@
 .Sh SYNOPSIS
 .In limits.h
 .In stdlib.h
-.Ft "char *"
+.Ft char *
 .Fn realpath "const char *pathname" "char *resolved"
 .Sh DESCRIPTION
 The
diff --git a/src/lib/libc/string/Makefile.inc b/src/lib/libc/string/Makefile.inc
index 204ca1b266..f8b6330453 100644
--- a/src/lib/libc/string/Makefile.inc
+++ b/src/lib/libc/string/Makefile.inc
@@ -1,13 +1,13 @@
-#       $OpenBSD: Makefile.inc,v 1.40 2024/07/14 09:51:18 jca Exp $
+#       $OpenBSD: Makefile.inc,v 1.41 2025/10/24 11:30:06 claudio Exp $
 # string sources
 .PATH: ${LIBCSRCDIR}/arch/${MACHINE_CPU}/string ${LIBCSRCDIR}/string
-SRCS+=  explicit_bzero.c memccpy.c memmem.c memrchr.c stpcpy.c stpncpy.c \
+SRCS+=  explicit_bzero.c ffsl.c ffsll.c memccpy.c memmem.c memrchr.c \
-        strcasecmp.c strcasecmp_l.c strcasestr.c strcoll.c strcoll_l.c \
+        stpcpy.c stpncpy.c strcasecmp.c strcasecmp_l.c strcasestr.c \
-        strdup.c strerror.c strerror_l.c strerror_r.c strmode.c \
+        strcoll.c strcoll_l.c strdup.c strerror.c strerror_l.c strerror_r.c \
-        strndup.c strnlen.c strsignal.c strtok.c strxfrm.c strxfrm_l.c \
+        strmode.c strndup.c strnlen.c strsignal.c strtok.c strxfrm.c \
-        timingsafe_bcmp.c timingsafe_memcmp.c \
+        strxfrm_l.c timingsafe_bcmp.c timingsafe_memcmp.c \
        wcscat.c wcschr.c wcscmp.c wcscpy.c wcscspn.c wcslcat.c wcslcpy.c \
        wcslen.c wcsncat.c wcsncmp.c wcsncpy.c wcsnlen.c wcspbrk.c wcsrchr.c \
        wcsspn.c wcsstr.c wcstok.c wcswcs.c wcswidth.c wmemchr.c wmemcmp.c \
diff --git a/src/lib/libc/string/ffs.3 b/src/lib/libc/string/ffs.3
index e78ab99e8f..0b78fbfd33 100644
--- a/src/lib/libc/string/ffs.3
+++ b/src/lib/libc/string/ffs.3
@@ -27,24 +27,33 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\"     $OpenBSD: ffs.3,v 1.11 2019/08/30 18:35:03 deraadt Exp $
+.\"     $OpenBSD: ffs.3,v 1.13 2025/11/06 17:19:11 schwarze Exp $
 .\"
-.Dd $Mdocdate: August 30 2019 $
+.Dd $Mdocdate: November 6 2025 $
 .Dt FFS 3
 .Os
 .Sh NAME
-.Nm ffs
+.Nm ffs ,
+.Nm ffsl ,
+.Nm ffsll
 .Nd find first bit set in a bit string
 .Sh SYNOPSIS
 .In strings.h
 .Ft int
 .Fn ffs "int value"
+.Ft int
+.Fn ffsl "long value"
+.Ft int
+.Fn ffsll "long long value"
 .Sh DESCRIPTION
 The
-.Fn ffs
+.Fn ffs ,
-function finds the first bit set in
+.Fn ffsl ,
+and
+.Fn ffsll
+functions find the first bit set in
 .Fa value
-and returns the index of that bit.
+and return the index of that bit.
 Bits are numbered starting from 1, starting at the rightmost bit.
 A return value of 0 means that the argument was zero.
 .Sh SEE ALSO
@@ -54,8 +63,20 @@ The
 .Fn ffs
 function conforms to
 .St -p1003.1-2008 .
+The
+.Fn ffsl
+and
+.Fn ffsll
+functions conform to
+.St -p1003.1-2024 .
 .Sh HISTORY
 The
 .Fn ffs
 function first appeared in
 .Bx 4.2 .
+The
+.Fn ffsl
+and
+.Fn ffsll
+functions first appeared in
+.Ox 7.9 .
diff --git a/src/lib/libc/string/ffsl.c b/src/lib/libc/string/ffsl.c
new file mode 100644
index 0000000000..182318c3d6
--- /dev/null
+++ b/src/lib/libc/string/ffsl.c
@@ -0,0 +1,17 @@
+/*      $OpenBSD: ffsl.c,v 1.1 2025/10/24 11:30:06 claudio Exp $        */
+/*
+ * Public domain.
+ * Written by Claudio Jeker.
+ */
+#include <strings.h>
+/*
+ * ffs -- find the first (least significant) bit set
+ */
+int
+ffsl(long mask)
+{
+        return (mask ? __builtin_ctzl(mask) + 1 : 0);
+}
diff --git a/src/lib/libc/string/ffsll.c b/src/lib/libc/string/ffsll.c
new file mode 100644
index 0000000000..9370c5ae41
--- /dev/null
+++ b/src/lib/libc/string/ffsll.c
@@ -0,0 +1,17 @@
+/*      $OpenBSD: ffsll.c,v 1.1 2025/10/24 11:30:06 claudio Exp $       */
+/*
+ * Public domain.
+ * Written by Claudio Jeker.
+ */
+#include <strings.h>
+/*
+ * ffs -- find the first (least significant) bit set
+ */
+int
+ffsll(long long mask)
+{
+        return (mask ? __builtin_ctzll(mask) + 1 : 0);
+}
diff --git a/src/lib/libc/string/memmem.3 b/src/lib/libc/string/memmem.3
index de62d738de..eeb621f8f6 100644
--- a/src/lib/libc/string/memmem.3
+++ b/src/lib/libc/string/memmem.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: memmem.3,v 1.4 2024/08/03 20:13:23 guenther Exp $
+.\"     $OpenBSD: memmem.3,v 1.5 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2005 Pascal Gloor <pascal.gloor@spale.com>
 .\"
@@ -26,7 +26,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 3 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt MEMMEM 3
 .Os
 .Sh NAME
@@ -34,7 +34,7 @@
 .Nd locate a byte substring in a byte string
 .Sh SYNOPSIS
 .In string.h
-.Ft "void *"
+.Ft void *
 .Fo memmem
 .Fa "const void *big" "size_t big_len"
 .Fa "const void *little" "size_t little_len"
diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index db3bc767d9..92866400c2 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.231 2024/12/19 23:56:32 tb Exp $
+# $OpenBSD: Makefile,v 1.244 2025/09/05 23:30:12 beck Exp $
 LIB=    crypto
 LIBREBUILD=y
@@ -25,6 +25,7 @@ CFLAGS+= -DLIBRESSL_NAMESPACE -DLIBRESSL_CRYPTO_NAMESPACE
 CFLAGS+= -DHAVE_FUNOPEN
 CFLAGS+= -I${LCRYPTO_SRC}
+CFLAGS+= -I${LCRYPTO_SRC}/aes
 CFLAGS+= -I${LCRYPTO_SRC}/arch/${MACHINE_CPU}
 CFLAGS+= -I${LCRYPTO_SRC}/asn1
 CFLAGS+= -I${LCRYPTO_SRC}/bio
@@ -67,7 +68,6 @@ SRCS+= crypto_memory.c
 # aes/
 SRCS+= aes.c
 SRCS+= aes_core.c
-SRCS+= aes_ige.c
 # asn1/
 SRCS+= a_bitstr.c
@@ -119,10 +119,8 @@ SRCS+= x_attrib.c
 SRCS+= x_bignum.c
 SRCS+= x_crl.c
 SRCS+= x_exten.c
-SRCS+= x_info.c
 SRCS+= x_long.c
 SRCS+= x_name.c
-SRCS+= x_pkey.c
 SRCS+= x_pubkey.c
 SRCS+= x_req.c
 SRCS+= x_sig.c
@@ -152,13 +150,13 @@ SRCS+= bss_conn.c
 SRCS+= bss_dgram.c
 SRCS+= bss_fd.c
 SRCS+= bss_file.c
-SRCS+= bss_log.c
 SRCS+= bss_mem.c
 SRCS+= bss_null.c
 SRCS+= bss_sock.c
 # bn/
 SRCS+= bn_add.c
+SRCS+= bn_add_sub.c
 SRCS+= bn_bpsw.c
 SRCS+= bn_const.c
 SRCS+= bn_convert.c
@@ -172,6 +170,7 @@ SRCS+= bn_kron.c
 SRCS+= bn_lib.c
 SRCS+= bn_mod.c
 SRCS+= bn_mod_sqrt.c
+SRCS+= bn_mod_words.c
 SRCS+= bn_mont.c
 SRCS+= bn_mul.c
 SRCS+= bn_prime.c
@@ -281,11 +280,13 @@ SRCS+= ec_asn1.c
 SRCS+= ec_convert.c
 SRCS+= ec_curve.c
 SRCS+= ec_err.c
+SRCS+= ec_field.c
 SRCS+= ec_key.c
 SRCS+= ec_lib.c
 SRCS+= ec_mult.c
 SRCS+= ec_pmeth.c
 SRCS+= eck_prn.c
+SRCS+= ecp_hp_methods.c
 SRCS+= ecp_methods.c
 SRCS+= ecx_methods.c
@@ -373,8 +374,9 @@ SRCS+= md4.c
 SRCS+= md5.c
 # mlkem/
-SRCS+= mlkem768.c
+SRCS+= mlkem.c
-SRCS+= mlkem1024.c
+SRCS+= mlkem_internal.c
+SRCS+= mlkem_key.c
 # modes/
 SRCS+= cbc128.c
@@ -450,11 +452,7 @@ SRCS+= rand_lib.c
 SRCS+= randfile.c
 # rc2/
-SRCS+= rc2_cbc.c
+SRCS+= rc2.c
-SRCS+= rc2_ecb.c
-SRCS+= rc2_skey.c
-SRCS+= rc2cfb64.c
-SRCS+= rc2ofb64.c
 # rc4/
 SRCS+= rc4.c
@@ -671,9 +669,11 @@ HDRS=\
        ${LCRYPTO_SRC}/lhash/lhash.h \
        ${LCRYPTO_SRC}/md4/md4.h \
        ${LCRYPTO_SRC}/md5/md5.h \
+        ${LCRYPTO_SRC}/mlkem/mlkem.h \
        ${LCRYPTO_SRC}/modes/modes.h \
        ${LCRYPTO_SRC}/objects/objects.h \
        ${LCRYPTO_SRC}/ocsp/ocsp.h \
+        ${LCRYPTO_SRC}/opensslconf.h \
        ${LCRYPTO_SRC}/opensslfeatures.h \
        ${LCRYPTO_SRC}/opensslv.h \
        ${LCRYPTO_SRC}/ossl_typ.h \
@@ -699,7 +699,6 @@ HDRS=\
        ${LCRYPTO_SRC}/x509/x509v3.h
 HDRS_GEN=\
-        ${.CURDIR}/arch/${MACHINE_CPU}/opensslconf.h \
        ${.OBJDIR}/obj_mac.h
 prereq: obj_mac.h
diff --git a/src/lib/libcrypto/Symbols.list b/src/lib/libcrypto/Symbols.list
index e259430bbf..d85922e12e 100644
--- a/src/lib/libcrypto/Symbols.list
+++ b/src/lib/libcrypto/Symbols.list
@@ -34,6 +34,7 @@ ASN1_BIT_STRING_set_bit
 ASN1_BMPSTRING_free
 ASN1_BMPSTRING_it
 ASN1_BMPSTRING_new
+ASN1_BOOLEAN_it
 ASN1_ENUMERATED_free
 ASN1_ENUMERATED_get
 ASN1_ENUMERATED_get_int64
@@ -42,6 +43,7 @@ ASN1_ENUMERATED_new
 ASN1_ENUMERATED_set
 ASN1_ENUMERATED_set_int64
 ASN1_ENUMERATED_to_BN
+ASN1_FBOOLEAN_it
 ASN1_GENERALIZEDTIME_adj
 ASN1_GENERALIZEDTIME_check
 ASN1_GENERALIZEDTIME_free
@@ -116,6 +118,7 @@ ASN1_STRING_type_new
 ASN1_T61STRING_free
 ASN1_T61STRING_it
 ASN1_T61STRING_new
+ASN1_TBOOLEAN_it
 ASN1_TIME_adj
 ASN1_TIME_check
 ASN1_TIME_cmp_time_t
@@ -308,7 +311,6 @@ BIO_s_connect
 BIO_s_datagram
 BIO_s_fd
 BIO_s_file
-BIO_s_log
 BIO_s_mem
 BIO_s_null
 BIO_s_socket
@@ -1447,6 +1449,23 @@ MD5_Final
 MD5_Init
 MD5_Transform
 MD5_Update
+MLKEM_decap
+MLKEM_encap
+MLKEM_generate_key
+MLKEM_marshal_private_key
+MLKEM_marshal_public_key
+MLKEM_parse_private_key
+MLKEM_parse_public_key
+MLKEM_private_key_ciphertext_length
+MLKEM_private_key_encoded_length
+MLKEM_private_key_free
+MLKEM_private_key_from_seed
+MLKEM_private_key_new
+MLKEM_public_from_private
+MLKEM_public_key_ciphertext_length
+MLKEM_public_key_encoded_length
+MLKEM_public_key_free
+MLKEM_public_key_new
 NAME_CONSTRAINTS_check
 NAME_CONSTRAINTS_free
 NAME_CONSTRAINTS_it
@@ -1664,9 +1683,7 @@ PEM_ASN1_write_bio
 PEM_SignFinal
 PEM_SignInit
 PEM_SignUpdate
-PEM_X509_INFO_read
 PEM_X509_INFO_read_bio
-PEM_X509_INFO_write_bio
 PEM_bytes_read_bio
 PEM_def_callback
 PEM_dek_info
@@ -2474,8 +2491,6 @@ X509_OBJECT_idx_by_subject
 X509_OBJECT_new
 X509_OBJECT_retrieve_by_subject
 X509_OBJECT_retrieve_match
-X509_PKEY_free
-X509_PKEY_new
 X509_PUBKEY_free
 X509_PUBKEY_get
 X509_PUBKEY_get0
@@ -2639,6 +2654,7 @@ X509_VERIFY_PARAM_get0_peername
 X509_VERIFY_PARAM_get_count
 X509_VERIFY_PARAM_get_depth
 X509_VERIFY_PARAM_get_flags
+X509_VERIFY_PARAM_get_hostflags
 X509_VERIFY_PARAM_get_time
 X509_VERIFY_PARAM_inherit
 X509_VERIFY_PARAM_lookup
diff --git a/src/lib/libcrypto/aes/aes.c b/src/lib/libcrypto/aes/aes.c
index d36a006360..9cffe6b7cd 100644
--- a/src/lib/libcrypto/aes/aes.c
+++ b/src/lib/libcrypto/aes/aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes.c,v 1.4 2024/08/11 13:02:39 jsing Exp $ */
+/* $OpenBSD: aes.c,v 1.17 2025/09/15 07:36:12 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 2002-2006 The OpenSSL Project.  All rights reserved.
 *
@@ -46,21 +46,101 @@
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
- *
 */
 #include <string.h>
 #include <openssl/aes.h>
 #include <openssl/bio.h>
+#include <openssl/crypto.h>
 #include <openssl/modes.h>
 #include "crypto_arch.h"
+#include "crypto_internal.h"
+#include "modes_local.h"
 static const unsigned char aes_wrap_default_iv[] = {
        0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
 };
+int aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
+    AES_KEY *key);
+int aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
+    AES_KEY *key);
+void aes_encrypt_internal(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+void aes_decrypt_internal(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+static int
+aes_rounds_for_key_length(int bits)
+{
+        if (bits == 128)
+                return 10;
+        if (bits == 192)
+                return 12;
+        if (bits == 256)
+                return 14;
+        return 0;
+}
+int
+AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
+{
+        if (userKey == NULL || key == NULL)
+                return -1;
+        explicit_bzero(key->rd_key, sizeof(key->rd_key));
+        if ((key->rounds = aes_rounds_for_key_length(bits)) <= 0)
+                return -2;
+        return aes_set_encrypt_key_internal(userKey, bits, key);
+}
+LCRYPTO_ALIAS(AES_set_encrypt_key);
+int
+AES_set_decrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
+{
+        if (userKey == NULL || key == NULL)
+                return -1;
+        explicit_bzero(key->rd_key, sizeof(key->rd_key));
+        if ((key->rounds = aes_rounds_for_key_length(bits)) <= 0)
+                return -2;
+        return aes_set_decrypt_key_internal(userKey, bits, key);
+}
+LCRYPTO_ALIAS(AES_set_decrypt_key);
+void
+AES_encrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key)
+{
+        aes_encrypt_internal(in, out, key);
+}
+LCRYPTO_ALIAS(AES_encrypt);
+void
+AES_decrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key)
+{
+        aes_decrypt_internal(in, out, key);
+}
+LCRYPTO_ALIAS(AES_decrypt);
+void
+aes_encrypt_block128(const unsigned char *in, unsigned char *out, const void *key)
+{
+        aes_encrypt_internal(in, out, key);
+}
+void
+aes_decrypt_block128(const unsigned char *in, unsigned char *out, const void *key)
+{
+        aes_decrypt_internal(in, out, key);
+}
 #ifdef HAVE_AES_CBC_ENCRYPT_INTERNAL
 void aes_cbc_encrypt_internal(const unsigned char *in, unsigned char *out,
    size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
@@ -72,10 +152,10 @@ aes_cbc_encrypt_internal(const unsigned char *in, unsigned char *out,
 {
        if (enc)
                CRYPTO_cbc128_encrypt(in, out, len, key, ivec,
-                    (block128_f)AES_encrypt);
+                    aes_encrypt_block128);
        else
                CRYPTO_cbc128_decrypt(in, out, len, key, ivec,
-                    (block128_f)AES_decrypt);
+                    aes_decrypt_block128);
 }
 #endif
@@ -98,7 +178,7 @@ AES_cfb128_encrypt(const unsigned char *in, unsigned char *out, size_t length,
    const AES_KEY *key, unsigned char *ivec, int *num, const int enc)
 {
        CRYPTO_cfb128_encrypt(in, out, length, key, ivec, num, enc,
-            (block128_f)AES_encrypt);
+            aes_encrypt_block128);
 }
 LCRYPTO_ALIAS(AES_cfb128_encrypt);
@@ -108,7 +188,7 @@ AES_cfb1_encrypt(const unsigned char *in, unsigned char *out, size_t length,
    const AES_KEY *key, unsigned char *ivec, int *num, const int enc)
 {
        CRYPTO_cfb128_1_encrypt(in, out, length, key, ivec, num, enc,
-            (block128_f)AES_encrypt);
+            aes_encrypt_block128);
 }
 LCRYPTO_ALIAS(AES_cfb1_encrypt);
@@ -117,17 +197,134 @@ AES_cfb8_encrypt(const unsigned char *in, unsigned char *out, size_t length,
    const AES_KEY *key, unsigned char *ivec, int *num, const int enc)
 {
        CRYPTO_cfb128_8_encrypt(in, out, length, key, ivec, num, enc,
-            (block128_f)AES_encrypt);
+            aes_encrypt_block128);
 }
 LCRYPTO_ALIAS(AES_cfb8_encrypt);
 void
+aes_ccm64_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt)
+{
+        uint8_t iv[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+        uint8_t in_mask;
+        uint64_t ctr;
+        int i;
+        in_mask = 0 - (encrypt != 0);
+        memcpy(iv, ivec, sizeof(iv));
+        ctr = crypto_load_be64toh(&iv[8]);
+        while (blocks > 0) {
+                crypto_store_htobe64(&iv[8], ctr);
+                aes_encrypt_internal(iv, buf, key);
+                ctr++;
+                for (i = 0; i < 16; i++) {
+                        out[i] = in[i] ^ buf[i];
+                        cmac[i] ^= (in[i] & in_mask) | (out[i] & ~in_mask);
+                }
+                aes_encrypt_internal(cmac, cmac, key);
+                in += 16;
+                out += 16;
+                blocks--;
+        }
+        explicit_bzero(buf, sizeof(buf));
+        explicit_bzero(iv, sizeof(iv));
+}
+#ifdef HAVE_AES_CCM64_ENCRYPT_INTERNAL
+void aes_ccm64_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt);
+#else
+static inline void
+aes_ccm64_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt)
+{
+        aes_ccm64_encrypt_generic(in, out, blocks, key, ivec, cmac, encrypt);
+}
+#endif
+void
+aes_ccm64_encrypt_ccm128f(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16])
+{
+        aes_ccm64_encrypt_internal(in, out, blocks, key, ivec, cmac, 1);
+}
+void
+aes_ccm64_decrypt_ccm128f(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16])
+{
+        aes_ccm64_encrypt_internal(in, out, blocks, key, ivec, cmac, 0);
+}
+void
+aes_ctr32_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+        uint8_t iv[AES_BLOCK_SIZE], buf[AES_BLOCK_SIZE];
+        uint32_t ctr;
+        int i;
+        memcpy(iv, ivec, sizeof(iv));
+        ctr = crypto_load_be32toh(&iv[12]);
+        while (blocks > 0) {
+                crypto_store_htobe32(&iv[12], ctr);
+                aes_encrypt_internal(iv, buf, key);
+                ctr++;
+                for (i = 0; i < AES_BLOCK_SIZE; i++)
+                        out[i] = in[i] ^ buf[i];
+                in += 16;
+                out += 16;
+                blocks--;
+        }
+        explicit_bzero(buf, sizeof(buf));
+        explicit_bzero(iv, sizeof(iv));
+}
+#ifdef HAVE_AES_CTR32_ENCRYPT_INTERNAL
+void aes_ctr32_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE]);
+#else
+static inline void
+aes_ctr32_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+        aes_ctr32_encrypt_generic(in, out, blocks, key, ivec);
+}
+#endif
+void
+aes_ctr32_encrypt_ctr128f(const unsigned char *in, unsigned char *out, size_t blocks,
+    const void *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+        aes_ctr32_encrypt_internal(in, out, blocks, key, ivec);
+}
+void
 AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
    size_t length, const AES_KEY *key, unsigned char ivec[AES_BLOCK_SIZE],
    unsigned char ecount_buf[AES_BLOCK_SIZE], unsigned int *num)
 {
-        CRYPTO_ctr128_encrypt(in, out, length, key, ivec, ecount_buf, num,
+        CRYPTO_ctr128_encrypt_ctr32(in, out, length, key, ivec, ecount_buf,
-            (block128_f)AES_encrypt);
+            num, aes_ctr32_encrypt_ctr128f);
 }
 LCRYPTO_ALIAS(AES_ctr128_encrypt);
@@ -142,15 +339,121 @@ AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
 }
 LCRYPTO_ALIAS(AES_ecb_encrypt);
+#ifndef HAVE_AES_ECB_ENCRYPT_INTERNAL
+void
+aes_ecb_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, int encrypt)
+{
+        while (len >= AES_BLOCK_SIZE) {
+                AES_ecb_encrypt(in, out, key, encrypt);
+                in += AES_BLOCK_SIZE;
+                out += AES_BLOCK_SIZE;
+                len -= AES_BLOCK_SIZE;
+        }
+}
+#endif
+#define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))
+typedef struct {
+        unsigned long data[N_WORDS];
+} aes_block_t;
+void
+AES_ige_encrypt(const unsigned char *in, unsigned char *out, size_t length,
+    const AES_KEY *key, unsigned char *ivec, const int enc)
+{
+        aes_block_t tmp, tmp2;
+        aes_block_t iv;
+        aes_block_t iv2;
+        size_t n;
+        size_t len;
+        /* N.B. The IV for this mode is _twice_ the block size */
+        OPENSSL_assert((length % AES_BLOCK_SIZE) == 0);
+        len = length / AES_BLOCK_SIZE;
+        memcpy(iv.data, ivec, AES_BLOCK_SIZE);
+        memcpy(iv2.data, ivec + AES_BLOCK_SIZE, AES_BLOCK_SIZE);
+        if (AES_ENCRYPT == enc) {
+                while (len) {
+                        memcpy(tmp.data, in, AES_BLOCK_SIZE);
+                        for (n = 0; n < N_WORDS; ++n)
+                                tmp2.data[n] = tmp.data[n] ^ iv.data[n];
+                        AES_encrypt((unsigned char *)tmp2.data,
+                            (unsigned char *)tmp2.data, key);
+                        for (n = 0; n < N_WORDS; ++n)
+                                tmp2.data[n] ^= iv2.data[n];
+                        memcpy(out, tmp2.data, AES_BLOCK_SIZE);
+                        iv = tmp2;
+                        iv2 = tmp;
+                        --len;
+                        in += AES_BLOCK_SIZE;
+                        out += AES_BLOCK_SIZE;
+                }
+        } else {
+                while (len) {
+                        memcpy(tmp.data, in, AES_BLOCK_SIZE);
+                        tmp2 = tmp;
+                        for (n = 0; n < N_WORDS; ++n)
+                                tmp.data[n] ^= iv2.data[n];
+                        AES_decrypt((unsigned char *)tmp.data,
+                            (unsigned char *)tmp.data, key);
+                        for (n = 0; n < N_WORDS; ++n)
+                                tmp.data[n] ^= iv.data[n];
+                        memcpy(out, tmp.data, AES_BLOCK_SIZE);
+                        iv = tmp2;
+                        iv2 = tmp;
+                        --len;
+                        in += AES_BLOCK_SIZE;
+                        out += AES_BLOCK_SIZE;
+                }
+        }
+        memcpy(ivec, iv.data, AES_BLOCK_SIZE);
+        memcpy(ivec + AES_BLOCK_SIZE, iv2.data, AES_BLOCK_SIZE);
+}
+LCRYPTO_ALIAS(AES_ige_encrypt);
 void
 AES_ofb128_encrypt(const unsigned char *in, unsigned char *out, size_t length,
    const AES_KEY *key, unsigned char *ivec, int *num)
 {
        CRYPTO_ofb128_encrypt(in, out, length, key, ivec, num,
-            (block128_f)AES_encrypt);
+            aes_encrypt_block128);
 }
 LCRYPTO_ALIAS(AES_ofb128_encrypt);
+void
+aes_xts_encrypt_generic(const unsigned char *in, unsigned char *out, size_t len,
+    const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16],
+    int encrypt)
+{
+        XTS128_CONTEXT xctx;
+        if (encrypt)
+                xctx.block1 = aes_encrypt_block128;
+        else 
+                xctx.block1 = aes_decrypt_block128;
+        xctx.block2 = aes_encrypt_block128;
+        xctx.key1 = key1;
+        xctx.key2 = key2;
+        CRYPTO_xts128_encrypt(&xctx, iv, in, out, len, encrypt);
+}
+#ifndef HAVE_AES_XTS_ENCRYPT_INTERNAL
+void
+aes_xts_encrypt_internal(const unsigned char *in, unsigned char *out, size_t len,
+    const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16],
+    int encrypt)
+{
+        aes_xts_encrypt_generic(in, out, len, key1, key2, iv, encrypt);
+}
+#endif
 int
 AES_wrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out,
    const unsigned char *in, unsigned int inlen)
@@ -217,7 +520,7 @@ AES_unwrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out,
        }
        if (!iv)
                iv = aes_wrap_default_iv;
-        if (memcmp(A, iv, 8)) {
+        if (timingsafe_memcmp(A, iv, 8) != 0) {
                explicit_bzero(out, inlen);
                return 0;
        }
diff --git a/src/lib/libcrypto/aes/aes_amd64.c b/src/lib/libcrypto/aes/aes_amd64.c
new file mode 100644
index 0000000000..183a5cce14
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_amd64.c
@@ -0,0 +1,201 @@
+/* $OpenBSD: aes_amd64.c,v 1.5 2025/07/22 09:13:49 jsing Exp $ */
+/*
+ * Copyright (c) 2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <openssl/aes.h>
+#include "crypto_arch.h"
+#include "modes_local.h"
+int aes_set_encrypt_key_generic(const unsigned char *userKey, const int bits,
+    AES_KEY *key);
+int aes_set_decrypt_key_generic(const unsigned char *userKey, const int bits,
+    AES_KEY *key);
+void aes_encrypt_generic(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+void aes_decrypt_generic(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+void aes_cbc_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
+void aes_ccm64_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt);
+void aes_ctr32_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE]);
+void aes_xts_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16], int encrypt);
+int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
+    AES_KEY *key);
+int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
+    AES_KEY *key);
+void aesni_encrypt(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+void aesni_decrypt(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
+void aesni_ccm64_encrypt_blocks(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16]);
+void aesni_ccm64_decrypt_blocks(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16]);
+void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char *ivec);
+void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
+    size_t length, const AES_KEY *key, int enc);
+void aesni_xts_encrypt(const unsigned char *in, unsigned char *out,
+    size_t length, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16]);
+void aesni_xts_decrypt(const unsigned char *in, unsigned char *out,
+    size_t length, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16]);
+int
+aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
+    AES_KEY *key)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0)
+                return aesni_set_encrypt_key(userKey, bits, key);
+        return aes_set_encrypt_key_generic(userKey, bits, key);
+}
+int
+aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
+    AES_KEY *key)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0)
+                return aesni_set_decrypt_key(userKey, bits, key);
+        return aes_set_decrypt_key_generic(userKey, bits, key);
+}
+void
+aes_encrypt_internal(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+                aesni_encrypt(in, out, key);
+                return;
+        }
+        aes_encrypt_generic(in, out, key);
+}
+void
+aes_decrypt_internal(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+                aesni_decrypt(in, out, key);
+                return;
+        }
+        aes_decrypt_generic(in, out, key);
+}
+void
+aes_cbc_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, unsigned char *ivec, const int enc)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+                aesni_cbc_encrypt(in, out, len, key, ivec, enc);
+                return;
+        }
+        aes_cbc_encrypt_generic(in, out, len, key, ivec, enc);
+}
+void
+aes_ccm64_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+                if (encrypt)
+                        aesni_ccm64_encrypt_blocks(in, out, blocks, key, ivec, cmac);
+                else
+                        aesni_ccm64_decrypt_blocks(in, out, blocks, key, ivec, cmac);
+                return;
+        }
+        aes_ccm64_encrypt_generic(in, out, blocks, key, ivec, cmac, encrypt);
+}
+void
+aes_ctr32_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+                aesni_ctr32_encrypt_blocks(in, out, blocks, key, ivec);
+                return;
+        }
+        aes_ctr32_encrypt_generic(in, out, blocks, key, ivec);
+}
+void
+aes_ecb_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, int encrypt)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+                aesni_ecb_encrypt(in, out, len, key, encrypt);
+                return;
+        }
+        while (len >= AES_BLOCK_SIZE) {
+                if (encrypt)
+                        aes_encrypt_generic(in, out, key);
+                else
+                        aes_decrypt_generic(in, out, key);
+                in += AES_BLOCK_SIZE;
+                out += AES_BLOCK_SIZE;
+                len -= AES_BLOCK_SIZE;
+        }
+}
+void
+aes_xts_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16], int encrypt)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_AES) != 0) {
+                if (encrypt)
+                        aesni_xts_encrypt(in, out, len, key1, key2, iv);
+                else
+                        aesni_xts_decrypt(in, out, len, key1, key2, iv);
+                return;
+        }
+        aes_xts_encrypt_generic(in, out, len, key1, key2, iv, encrypt);
+}
diff --git a/src/lib/libcrypto/aes/aes_core.c b/src/lib/libcrypto/aes/aes_core.c
index 4383d74903..c4ca58a979 100644
--- a/src/lib/libcrypto/aes/aes_core.c
+++ b/src/lib/libcrypto/aes/aes_core.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_core.c,v 1.25 2024/11/13 21:00:57 tb Exp $ */
+/* $OpenBSD: aes_core.c,v 1.30 2025/09/08 13:37:39 jsing Exp $ */
 /**
 * rijndael-alg-fst.c
 *
@@ -30,7 +30,7 @@
 * compatible API.
 */
-#include <stdlib.h>
+#include <stdint.h>
 #include <openssl/aes.h>
@@ -51,11 +51,11 @@ Td3[x] = Si[x].[09, 0d, 0b, 0e];
 Td4[x] = Si[x].[01];
 */
-#if !defined(HAVE_AES_SET_ENCRYPT_KEY_INTERNAL) || \
+#if !defined(HAVE_AES_SET_ENCRYPT_KEY_GENERIC) || \
-    !defined(HAVE_AES_SET_DECRYPT_KEY_INTERNAL) || \
+    !defined(HAVE_AES_SET_DECRYPT_KEY_GENERIC) || \
-    !defined(HAVE_AES_ENCRYPT_INTERNAL) || \
+    !defined(HAVE_AES_ENCRYPT_GENERIC) || \
-    !defined(HAVE_AES_DECRYPT_INTERNAL)
+    !defined(HAVE_AES_DECRYPT_GENERIC)
-static const u32 Te0[256] = {
+static const uint32_t Te0[256] = {
        0xc66363a5U, 0xf87c7c84U, 0xee777799U, 0xf67b7b8dU,
        0xfff2f20dU, 0xd66b6bbdU, 0xde6f6fb1U, 0x91c5c554U,
        0x60303050U, 0x02010103U, 0xce6767a9U, 0x562b2b7dU,
@@ -121,7 +121,7 @@ static const u32 Te0[256] = {
        0x824141c3U, 0x299999b0U, 0x5a2d2d77U, 0x1e0f0f11U,
        0x7bb0b0cbU, 0xa85454fcU, 0x6dbbbbd6U, 0x2c16163aU,
 };
-static const u32 Te1[256] = {
+static const uint32_t Te1[256] = {
        0xa5c66363U, 0x84f87c7cU, 0x99ee7777U, 0x8df67b7bU,
        0x0dfff2f2U, 0xbdd66b6bU, 0xb1de6f6fU, 0x5491c5c5U,
        0x50603030U, 0x03020101U, 0xa9ce6767U, 0x7d562b2bU,
@@ -187,7 +187,7 @@ static const u32 Te1[256] = {
        0xc3824141U, 0xb0299999U, 0x775a2d2dU, 0x111e0f0fU,
        0xcb7bb0b0U, 0xfca85454U, 0xd66dbbbbU, 0x3a2c1616U,
 };
-static const u32 Te2[256] = {
+static const uint32_t Te2[256] = {
        0x63a5c663U, 0x7c84f87cU, 0x7799ee77U, 0x7b8df67bU,
        0xf20dfff2U, 0x6bbdd66bU, 0x6fb1de6fU, 0xc55491c5U,
        0x30506030U, 0x01030201U, 0x67a9ce67U, 0x2b7d562bU,
@@ -253,7 +253,7 @@ static const u32 Te2[256] = {
        0x41c38241U, 0x99b02999U, 0x2d775a2dU, 0x0f111e0fU,
        0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
 };
-static const u32 Te3[256] = {
+static const uint32_t Te3[256] = {
        0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
        0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
        0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
@@ -320,7 +320,7 @@ static const u32 Te3[256] = {
        0xb0b0cb7bU, 0x5454fca8U, 0xbbbbd66dU, 0x16163a2cU,
 };
-static const u32 Td0[256] = {
+static const uint32_t Td0[256] = {
        0x51f4a750U, 0x7e416553U, 0x1a17a4c3U, 0x3a275e96U,
        0x3bab6bcbU, 0x1f9d45f1U, 0xacfa58abU, 0x4be30393U,
        0x2030fa55U, 0xad766df6U, 0x88cc7691U, 0xf5024c25U,
@@ -386,7 +386,7 @@ static const u32 Td0[256] = {
        0x39a80171U, 0x080cb3deU, 0xd8b4e49cU, 0x6456c190U,
        0x7bcb8461U, 0xd532b670U, 0x486c5c74U, 0xd0b85742U,
 };
-static const u32 Td1[256] = {
+static const uint32_t Td1[256] = {
        0x5051f4a7U, 0x537e4165U, 0xc31a17a4U, 0x963a275eU,
        0xcb3bab6bU, 0xf11f9d45U, 0xabacfa58U, 0x934be303U,
        0x552030faU, 0xf6ad766dU, 0x9188cc76U, 0x25f5024cU,
@@ -452,7 +452,7 @@ static const u32 Td1[256] = {
        0x7139a801U, 0xde080cb3U, 0x9cd8b4e4U, 0x906456c1U,
        0x617bcb84U, 0x70d532b6U, 0x74486c5cU, 0x42d0b857U,
 };
-static const u32 Td2[256] = {
+static const uint32_t Td2[256] = {
        0xa75051f4U, 0x65537e41U, 0xa4c31a17U, 0x5e963a27U,
        0x6bcb3babU, 0x45f11f9dU, 0x58abacfaU, 0x03934be3U,
        0xfa552030U, 0x6df6ad76U, 0x769188ccU, 0x4c25f502U,
@@ -518,7 +518,7 @@ static const u32 Td2[256] = {
        0x017139a8U, 0xb3de080cU, 0xe49cd8b4U, 0xc1906456U,
        0x84617bcbU, 0xb670d532U, 0x5c74486cU, 0x5742d0b8U,
 };
-static const u32 Td3[256] = {
+static const uint32_t Td3[256] = {
        0xf4a75051U, 0x4165537eU, 0x17a4c31aU, 0x275e963aU,
        0xab6bcb3bU, 0x9d45f11fU, 0xfa58abacU, 0xe303934bU,
        0x30fa5520U, 0x766df6adU, 0xcc769188U, 0x024c25f5U,
@@ -586,9 +586,9 @@ static const u32 Td3[256] = {
 };
 #endif
-#if !defined(HAVE_AES_ENCRYPT_INTERNAL) || \
+#if !defined(HAVE_AES_ENCRYPT_GENERIC) || \
-    !defined(HAVE_AES_DECRYPT_INTERNAL)
+    !defined(HAVE_AES_DECRYPT_GENERIC)
-static const u8 Td4[256] = {
+static const uint8_t Td4[256] = {
        0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U,
        0xbfU, 0x40U, 0xa3U, 0x9eU, 0x81U, 0xf3U, 0xd7U, 0xfbU,
        0x7cU, 0xe3U, 0x39U, 0x82U, 0x9bU, 0x2fU, 0xffU, 0x87U,
@@ -624,46 +624,29 @@ static const u8 Td4[256] = {
 };
 #endif
-#if !defined(HAVE_AES_SET_ENCRYPT_KEY_INTERNAL) || \
+#if !defined(HAVE_AES_SET_ENCRYPT_KEY_GENERIC) || \
-    !defined(HAVE_AES_SET_DECRYPT_KEY_INTERNAL)
+    !defined(HAVE_AES_SET_DECRYPT_KEY_GENERIC)
-static const u32 rcon[] = {
+static const uint32_t rcon[] = {
        0x01000000, 0x02000000, 0x04000000, 0x08000000,
        0x10000000, 0x20000000, 0x40000000, 0x80000000,
        0x1B000000, 0x36000000, /* for 128-bit blocks, Rijndael never uses more than 10 rcon values */
 };
 #endif
-#ifdef HAVE_AES_SET_ENCRYPT_KEY_INTERNAL
+#ifndef HAVE_AES_SET_ENCRYPT_KEY_GENERIC
-int aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
-    AES_KEY *key);
-#else
 /*
 * Expand the cipher key into the encryption key schedule.
 */
-static inline int
+int
-aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
+aes_set_encrypt_key_generic(const unsigned char *userKey, const int bits,
    AES_KEY *key)
 {
-        u32 *rk;
+        uint32_t *rk;
        int i = 0;
-        u32 temp;
+        uint32_t temp;
-        if (!userKey || !key)
-                return -1;
-        if (bits != 128 && bits != 192 && bits != 256)
-                return -2;
        rk = key->rd_key;
-        if (bits == 128)
-                key->rounds = 10;
-        else if (bits == 192)
-                key->rounds = 12;
-        else
-                key->rounds = 14;
        rk[0] = crypto_load_be32toh(&userKey[0 * 4]);
        rk[1] = crypto_load_be32toh(&userKey[1 * 4]);
        rk[2] = crypto_load_be32toh(&userKey[2 * 4]);
@@ -742,33 +725,30 @@ aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
 }
 #endif
+#ifndef HAVE_AES_SET_ENCRYPT_KEY_INTERNAL
 int
-AES_set_encrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
+aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
+    AES_KEY *key)
 {
-        return aes_set_encrypt_key_internal(userKey, bits, key);
+        return aes_set_encrypt_key_generic(userKey, bits, key);
 }
-LCRYPTO_ALIAS(AES_set_encrypt_key);
+#endif
-#ifdef HAVE_AES_SET_DECRYPT_KEY_INTERNAL
-int aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
-    AES_KEY *key);
-#else
+#ifndef HAVE_AES_SET_DECRYPT_KEY_GENERIC
 /*
 * Expand the cipher key into the decryption key schedule.
 */
-static inline int
+int
-aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
+aes_set_decrypt_key_generic(const unsigned char *userKey, const int bits,
    AES_KEY *key)
 {
-        u32 *rk;
+        uint32_t *rk;
-        int i, j, status;
+        uint32_t temp;
-        u32 temp;
+        int i, j, ret;
        /* first, start with an encryption schedule */
-        status = AES_set_encrypt_key(userKey, bits, key);
+        if ((ret = aes_set_encrypt_key_generic(userKey, bits, key)) < 0)
-        if (status < 0)
+                return ret;
-                return status;
        rk = key->rd_key;
@@ -815,27 +795,25 @@ aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
 }
 #endif
+#ifndef HAVE_AES_SET_DECRYPT_KEY_INTERNAL
 int
-AES_set_decrypt_key(const unsigned char *userKey, const int bits, AES_KEY *key)
+aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
+    AES_KEY *key)
 {
-        return aes_set_decrypt_key_internal(userKey, bits, key);
+        return aes_set_decrypt_key_generic(userKey, bits, key);
 }
-LCRYPTO_ALIAS(AES_set_decrypt_key);
+#endif
-#ifdef HAVE_AES_ENCRYPT_INTERNAL
-void aes_encrypt_internal(const unsigned char *in, unsigned char *out,
-    const AES_KEY *key);
-#else
+#ifndef HAVE_AES_ENCRYPT_GENERIC
 /*
 * Encrypt a single block - in and out can overlap.
 */
-static inline void
+void
-aes_encrypt_internal(const unsigned char *in, unsigned char *out,
+aes_encrypt_generic(const unsigned char *in, unsigned char *out,
    const AES_KEY *key)
 {
-        const u32 *rk;
+        const uint32_t *rk;
-        u32 s0, s1, s2, s3, t0, t1, t2, t3;
+        uint32_t s0, s1, s2, s3, t0, t1, t2, t3;
 #ifndef FULL_UNROLL
        int r;
 #endif /* ?FULL_UNROLL */
@@ -1018,27 +996,25 @@ aes_encrypt_internal(const unsigned char *in, unsigned char *out,
 }
 #endif
+#ifndef HAVE_AES_ENCRYPT_INTERNAL
 void
-AES_encrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key)
+aes_encrypt_internal(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key)
 {
-        aes_encrypt_internal(in, out, key);
+        aes_encrypt_generic(in, out, key);
 }
-LCRYPTO_ALIAS(AES_encrypt);
+#endif
-#ifdef HAVE_AES_DECRYPT_INTERNAL
-void aes_decrypt_internal(const unsigned char *in, unsigned char *out,
-    const AES_KEY *key);
-#else
+#ifndef HAVE_AES_DECRYPT_GENERIC
 /*
 * Decrypt a single block - in and out can overlap.
 */
-static inline void
+void
-aes_decrypt_internal(const unsigned char *in, unsigned char *out,
+aes_decrypt_generic(const unsigned char *in, unsigned char *out,
    const AES_KEY *key)
 {
-        const u32 *rk;
+        const uint32_t *rk;
-        u32 s0, s1, s2, s3, t0, t1, t2, t3;
+        uint32_t s0, s1, s2, s3, t0, t1, t2, t3;
 #ifndef FULL_UNROLL
        int r;
 #endif /* ?FULL_UNROLL */
@@ -1221,9 +1197,11 @@ aes_decrypt_internal(const unsigned char *in, unsigned char *out,
 }
 #endif
+#ifndef HAVE_AES_DECRYPT_INTERNAL
 void
-AES_decrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key)
+aes_decrypt_internal(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key)
 {
-        aes_decrypt_internal(in, out, key);
+        aes_decrypt_generic(in, out, key);
 }
-LCRYPTO_ALIAS(AES_decrypt);
+#endif
diff --git a/src/lib/libcrypto/aes/aes_i386.c b/src/lib/libcrypto/aes/aes_i386.c
new file mode 100644
index 0000000000..85a14454da
--- /dev/null
+++ b/src/lib/libcrypto/aes/aes_i386.c
@@ -0,0 +1,201 @@
+/* $OpenBSD: aes_i386.c,v 1.5 2025/07/22 09:13:49 jsing Exp $ */
+/*
+ * Copyright (c) 2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <openssl/aes.h>
+#include "crypto_arch.h"
+#include "modes_local.h"
+int aes_set_encrypt_key_generic(const unsigned char *userKey, const int bits,
+    AES_KEY *key);
+int aes_set_decrypt_key_generic(const unsigned char *userKey, const int bits,
+    AES_KEY *key);
+void aes_encrypt_generic(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+void aes_decrypt_generic(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+void aes_cbc_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
+void aes_ccm64_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt);
+void aes_ctr32_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE]);
+void aes_xts_encrypt_generic(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16], int encrypt);
+int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
+    AES_KEY *key);
+int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
+    AES_KEY *key);
+void aesni_encrypt(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+void aesni_decrypt(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key);
+void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, unsigned char *ivec, const int enc);
+void aesni_ccm64_encrypt_blocks(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16]);
+void aesni_ccm64_decrypt_blocks(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16]);
+void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char *ivec);
+void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
+    size_t length, const AES_KEY *key, int enc);
+void aesni_xts_encrypt(const unsigned char *in, unsigned char *out,
+    size_t length, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16]);
+void aesni_xts_decrypt(const unsigned char *in, unsigned char *out,
+    size_t length, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16]);
+int
+aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
+    AES_KEY *key)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0)
+                return aesni_set_encrypt_key(userKey, bits, key);
+        return aes_set_encrypt_key_generic(userKey, bits, key);
+}
+int
+aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
+    AES_KEY *key)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0)
+                return aesni_set_decrypt_key(userKey, bits, key);
+        return aes_set_decrypt_key_generic(userKey, bits, key);
+}
+void
+aes_encrypt_internal(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+                aesni_encrypt(in, out, key);
+                return;
+        }
+        aes_encrypt_generic(in, out, key);
+}
+void
+aes_decrypt_internal(const unsigned char *in, unsigned char *out,
+    const AES_KEY *key)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+                aesni_decrypt(in, out, key);
+                return;
+        }
+        aes_decrypt_generic(in, out, key);
+}
+void
+aes_cbc_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, unsigned char *ivec, const int enc)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+                aesni_cbc_encrypt(in, out, len, key, ivec, enc);
+                return;
+        }
+        aes_cbc_encrypt_generic(in, out, len, key, ivec, enc);
+}
+void
+aes_ccm64_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16], int encrypt)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+                if (encrypt)
+                        aesni_ccm64_encrypt_blocks(in, out, blocks, key, ivec, cmac);
+                else
+                        aesni_ccm64_decrypt_blocks(in, out, blocks, key, ivec, cmac);
+                return;
+        }
+        aes_ccm64_encrypt_generic(in, out, blocks, key, ivec, cmac, encrypt);
+}
+void
+aes_ctr32_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t blocks, const AES_KEY *key, const unsigned char ivec[AES_BLOCK_SIZE])
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+                aesni_ctr32_encrypt_blocks(in, out, blocks, key, ivec);
+                return;
+        }
+        aes_ctr32_encrypt_generic(in, out, blocks, key, ivec);
+}
+void
+aes_ecb_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, int encrypt)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+                aesni_ecb_encrypt(in, out, len, key, encrypt);
+                return;
+        }
+        while (len >= AES_BLOCK_SIZE) {
+                if (encrypt)
+                        aes_encrypt_generic(in, out, key);
+                else
+                        aes_decrypt_generic(in, out, key);
+                in += AES_BLOCK_SIZE;
+                out += AES_BLOCK_SIZE;
+                len -= AES_BLOCK_SIZE;
+        }
+}
+void
+aes_xts_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16], int encrypt)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_AES) != 0) {
+                if (encrypt)
+                        aesni_xts_encrypt(in, out, len, key1, key2, iv);
+                else
+                        aesni_xts_decrypt(in, out, len, key1, key2, iv);
+                return;
+        }
+        aes_xts_encrypt_generic(in, out, len, key1, key2, iv, encrypt);
+}
diff --git a/src/lib/libcrypto/aes/aes_ige.c b/src/lib/libcrypto/aes/aes_ige.c
deleted file mode 100644
index 1a6fcfcfbf..0000000000
--- a/src/lib/libcrypto/aes/aes_ige.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/* $OpenBSD: aes_ige.c,v 1.10 2024/03/30 05:14:12 joshua Exp $ */
-/* ====================================================================
- * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- */
-#include <openssl/aes.h>
-#include <openssl/crypto.h>
-#include "aes_local.h"
-#define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))
-typedef struct {
-        unsigned long data[N_WORDS];
-} aes_block_t;
-/* XXX: probably some better way to do this */
-#if defined(__i386__) || defined(__x86_64__)
-#define UNALIGNED_MEMOPS_ARE_FAST 1
-#else
-#define UNALIGNED_MEMOPS_ARE_FAST 0
-#endif
-#if UNALIGNED_MEMOPS_ARE_FAST
-#define load_block(d, s)        (d) = *(const aes_block_t *)(s)
-#define store_block(d, s)       *(aes_block_t *)(d) = (s)
-#else
-#define load_block(d, s)        memcpy((d).data, (s), AES_BLOCK_SIZE)
-#define store_block(d, s)       memcpy((d), (s).data, AES_BLOCK_SIZE)
-#endif
-/* N.B. The IV for this mode is _twice_ the block size */
-void
-AES_ige_encrypt(const unsigned char *in, unsigned char *out, size_t length,
-    const AES_KEY *key, unsigned char *ivec, const int enc)
-{
-        size_t n;
-        size_t len;
-        OPENSSL_assert((length % AES_BLOCK_SIZE) == 0);
-        len = length / AES_BLOCK_SIZE;
-        if (AES_ENCRYPT == enc) {
-                if (in != out && (UNALIGNED_MEMOPS_ARE_FAST ||
-                    ((size_t)in|(size_t)out|(size_t)ivec) %
-                    sizeof(long) == 0)) {
-                        aes_block_t *ivp = (aes_block_t *)ivec;
-                        aes_block_t *iv2p = (aes_block_t *)(ivec + AES_BLOCK_SIZE);
-                        while (len) {
-                                aes_block_t *inp = (aes_block_t *)in;
-                                aes_block_t *outp = (aes_block_t *)out;
-                                for (n = 0; n < N_WORDS; ++n)
-                                        outp->data[n] = inp->data[n] ^ ivp->data[n];
-                                AES_encrypt((unsigned char *)outp->data, (unsigned char *)outp->data, key);
-                                for (n = 0; n < N_WORDS; ++n)
-                                        outp->data[n] ^= iv2p->data[n];
-                                ivp = outp;
-                                iv2p = inp;
-                                --len;
-                                in += AES_BLOCK_SIZE;
-                                out += AES_BLOCK_SIZE;
-                        }
-                        memmove(ivec, ivp->data, AES_BLOCK_SIZE);
-                        memmove(ivec + AES_BLOCK_SIZE, iv2p->data, AES_BLOCK_SIZE);
-                } else {
-                        aes_block_t tmp, tmp2;
-                        aes_block_t iv;
-                        aes_block_t iv2;
-                        load_block(iv, ivec);
-                        load_block(iv2, ivec + AES_BLOCK_SIZE);
-                        while (len) {
-                                load_block(tmp, in);
-                                for (n = 0; n < N_WORDS; ++n)
-                                        tmp2.data[n] = tmp.data[n] ^ iv.data[n];
-                                AES_encrypt((unsigned char *)tmp2.data,
-                                    (unsigned char *)tmp2.data, key);
-                                for (n = 0; n < N_WORDS; ++n)
-                                        tmp2.data[n] ^= iv2.data[n];
-                                store_block(out, tmp2);
-                                iv = tmp2;
-                                iv2 = tmp;
-                                --len;
-                                in += AES_BLOCK_SIZE;
-                                out += AES_BLOCK_SIZE;
-                        }
-                        memcpy(ivec, iv.data, AES_BLOCK_SIZE);
-                        memcpy(ivec + AES_BLOCK_SIZE, iv2.data, AES_BLOCK_SIZE);
-                }
-        } else {
-                if (in != out && (UNALIGNED_MEMOPS_ARE_FAST ||
-                    ((size_t)in|(size_t)out|(size_t)ivec) %
-                    sizeof(long) == 0)) {
-                        aes_block_t *ivp = (aes_block_t *)ivec;
-                        aes_block_t *iv2p = (aes_block_t *)(ivec + AES_BLOCK_SIZE);
-                        while (len) {
-                                aes_block_t tmp;
-                                aes_block_t *inp = (aes_block_t *)in;
-                                aes_block_t *outp = (aes_block_t *)out;
-                                for (n = 0; n < N_WORDS; ++n)
-                                        tmp.data[n] = inp->data[n] ^ iv2p->data[n];
-                                AES_decrypt((unsigned char *)tmp.data,
-                                    (unsigned char *)outp->data, key);
-                                for (n = 0; n < N_WORDS; ++n)
-                                        outp->data[n] ^= ivp->data[n];
-                                ivp = inp;
-                                iv2p = outp;
-                                --len;
-                                in += AES_BLOCK_SIZE;
-                                out += AES_BLOCK_SIZE;
-                        }
-                        memmove(ivec, ivp->data, AES_BLOCK_SIZE);
-                        memmove(ivec + AES_BLOCK_SIZE, iv2p->data, AES_BLOCK_SIZE);
-                } else {
-                        aes_block_t tmp, tmp2;
-                        aes_block_t iv;
-                        aes_block_t iv2;
-                        load_block(iv, ivec);
-                        load_block(iv2, ivec + AES_BLOCK_SIZE);
-                        while (len) {
-                                load_block(tmp, in);
-                                tmp2 = tmp;
-                                for (n = 0; n < N_WORDS; ++n)
-                                        tmp.data[n] ^= iv2.data[n];
-                                AES_decrypt((unsigned char *)tmp.data,
-                                    (unsigned char *)tmp.data, key);
-                                for (n = 0; n < N_WORDS; ++n)
-                                        tmp.data[n] ^= iv.data[n];
-                                store_block(out, tmp);
-                                iv = tmp2;
-                                iv2 = tmp;
-                                --len;
-                                in += AES_BLOCK_SIZE;
-                                out += AES_BLOCK_SIZE;
-                        }
-                        memcpy(ivec, iv.data, AES_BLOCK_SIZE);
-                        memcpy(ivec + AES_BLOCK_SIZE, iv2.data, AES_BLOCK_SIZE);
-                }
-        }
-}
-LCRYPTO_ALIAS(AES_ige_encrypt);
diff --git a/src/lib/libcrypto/aes/aes_local.h b/src/lib/libcrypto/aes/aes_local.h
index e0714df409..a265eaac1d 100644
--- a/src/lib/libcrypto/aes/aes_local.h
+++ b/src/lib/libcrypto/aes/aes_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_local.h,v 1.4 2025/01/25 17:59:44 tb Exp $ */
+/* $OpenBSD: aes_local.h,v 1.11 2025/07/22 09:29:31 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
@@ -60,17 +60,30 @@
 __BEGIN_HIDDEN_DECLS
-typedef unsigned int u32;
-typedef unsigned short u16;
-typedef unsigned char u8;
-#define MAXKC   (256/32)
-#define MAXKB   (256/8)
-#define MAXNR   14
 /* This controls loop-unrolling in aes_core.c */
 #undef FULL_UNROLL
+void aes_encrypt_block128(const unsigned char *in, unsigned char *out,
+   const void *key);
+void aes_ctr32_encrypt_ctr128f(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[AES_BLOCK_SIZE]);
+void aes_ccm64_encrypt_ccm128f(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16]);
+void aes_ccm64_decrypt_ccm128f(const unsigned char *in, unsigned char *out,
+    size_t blocks, const void *key, const unsigned char ivec[16],
+    unsigned char cmac[16]);
+void aes_ecb_encrypt_internal(const unsigned char *in, unsigned char *out,
+    size_t len, const AES_KEY *key, int encrypt);
+void aes_xts_encrypt_internal(const char unsigned *in, char unsigned *out,
+    size_t len, const AES_KEY *key1, const AES_KEY *key2,
+    const unsigned char iv[16], int encrypt);
 __END_HIDDEN_DECLS
 #endif /* !HEADER_AES_LOCAL_H */
diff --git a/src/lib/libcrypto/aes/asm/aes-586.pl b/src/lib/libcrypto/aes/asm/aes-586.pl
index 364099d4d3..402a1a3c46 100644
--- a/src/lib/libcrypto/aes/asm/aes-586.pl
+++ b/src/lib/libcrypto/aes/asm/aes-586.pl
@@ -1158,8 +1158,8 @@ sub enclast()
        &data_word(0x00000000, 0x00000000, 0x00000000, 0x00000000);
        &previous();
-# void aes_encrypt_internal(const void *inp, void *out, const AES_KEY *key);
+# void aes_encrypt_generic(const void *inp, void *out, const AES_KEY *key);
-&function_begin("aes_encrypt_internal");
+&function_begin("aes_encrypt_generic");
        &mov    ($acc,&wparam(0));              # load inp
        &mov    ($key,&wparam(2));              # load key
@@ -1213,7 +1213,7 @@ sub enclast()
        &mov    (&DWP(4,$acc),$s1);
        &mov    (&DWP(8,$acc),$s2);
        &mov    (&DWP(12,$acc),$s3);
-&function_end("aes_encrypt_internal");
+&function_end("aes_encrypt_generic");
 #--------------------------------------------------------------------#
@@ -1947,8 +1947,8 @@ sub declast()
        &data_byte(0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d);
        &previous();
-# void aes_decrypt_internal(const void *inp, void *out, const AES_KEY *key);
+# void aes_decrypt_generic(const void *inp, void *out, const AES_KEY *key);
-&function_begin("aes_decrypt_internal");
+&function_begin("aes_decrypt_generic");
        &mov    ($acc,&wparam(0));              # load inp
        &mov    ($key,&wparam(2));              # load key
@@ -2002,9 +2002,9 @@ sub declast()
        &mov    (&DWP(4,$acc),$s1);
        &mov    (&DWP(8,$acc),$s2);
        &mov    (&DWP(12,$acc),$s3);
-&function_end("aes_decrypt_internal");
+&function_end("aes_decrypt_generic");
-# void aes_cbc_encrypt_internal(const void char *inp, unsigned char *out,
+# void aes_cbc_encrypt_generic(const void char *inp, unsigned char *out,
 #     size_t length, const AES_KEY *key, unsigned char *ivp,const int enc);
 {
 # stack frame layout
@@ -2028,7 +2028,7 @@ my $ivec=&DWP(60,"esp");	# ivec[16]
 my $aes_key=&DWP(76,"esp");     # copy of aes_key
 my $mark=&DWP(76+240,"esp");    # copy of aes_key->rounds
-&function_begin("aes_cbc_encrypt_internal");
+&function_begin("aes_cbc_encrypt_generic");
        &mov    ($s2 eq "ecx"? $s2 : "",&wparam(2));    # load len
        &cmp    ($s2,0);
        &je     (&label("drop_out"));
@@ -2616,7 +2616,7 @@ my $mark=&DWP(76+240,"esp");	# copy of aes_key->rounds
        &mov    ("esp",$_esp);
        &popf   ();
-&function_end("aes_cbc_encrypt_internal");
+&function_end("aes_cbc_encrypt_generic");
 }
 #------------------------------------------------------------------#
@@ -2849,12 +2849,12 @@ sub enckey()
    &set_label("exit");
 &function_end("_x86_AES_set_encrypt_key");
-# int aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
+# int aes_set_encrypt_key_generic(const unsigned char *userKey, const int bits,
 #      AES_KEY *key)
-&function_begin_B("aes_set_encrypt_key_internal");
+&function_begin_B("aes_set_encrypt_key_generic");
        &call   ("_x86_AES_set_encrypt_key");
        &ret    ();
-&function_end_B("aes_set_encrypt_key_internal");
+&function_end_B("aes_set_encrypt_key_generic");
 sub deckey()
 { my ($i,$key,$tp1,$tp2,$tp4,$tp8) = @_;
@@ -2911,9 +2911,9 @@ sub deckey()
        &mov    (&DWP(4*$i,$key),$tp1);
 }
-# int aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
+# int aes_set_decrypt_key_generic(const unsigned char *userKey, const int bits,
 #     AES_KEY *key)
-&function_begin_B("aes_set_decrypt_key_internal");
+&function_begin_B("aes_set_decrypt_key_generic");
        &call   ("_x86_AES_set_encrypt_key");
        &cmp    ("eax",0);
        &je     (&label("proceed"));
@@ -2969,6 +2969,6 @@ sub deckey()
        &jb     (&label("permute"));
        &xor    ("eax","eax");                  # return success
-&function_end("aes_set_decrypt_key_internal");
+&function_end("aes_set_decrypt_key_generic");
 &asm_finish();
diff --git a/src/lib/libcrypto/aes/asm/aes-x86_64.pl b/src/lib/libcrypto/aes/asm/aes-x86_64.pl
index 324c4a2be2..2c73627546 100755
--- a/src/lib/libcrypto/aes/asm/aes-x86_64.pl
+++ b/src/lib/libcrypto/aes/asm/aes-x86_64.pl
@@ -586,15 +586,15 @@ $code.=<<___;
 .size   _x86_64_AES_encrypt_compact,.-_x86_64_AES_encrypt_compact
 ___
-# void aes_encrypt_internal(const void *inp, void *out, const AES_KEY *key);
+# void aes_encrypt_generic(const void *inp, void *out, const AES_KEY *key);
 $code.=<<___;
-.globl  aes_encrypt_internal
+.globl  aes_encrypt_generic
-.type   aes_encrypt_internal,\@function,3
+.type   aes_encrypt_generic,\@function,3
 .align  16
 .globl  asm_AES_encrypt
 .hidden asm_AES_encrypt
 asm_AES_encrypt:
-aes_encrypt_internal:
+aes_encrypt_generic:
        _CET_ENDBR
        push    %rbx
        push    %rbp
@@ -655,7 +655,7 @@ aes_encrypt_internal:
        lea     48(%rsi),%rsp
 .Lenc_epilogue:
        ret
-.size   aes_encrypt_internal,.-aes_encrypt_internal
+.size   aes_encrypt_generic,.-aes_encrypt_generic
 ___
 #------------------------------------------------------------------#
@@ -1188,15 +1188,15 @@ $code.=<<___;
 .size   _x86_64_AES_decrypt_compact,.-_x86_64_AES_decrypt_compact
 ___
-# void aes_decrypt_internal(const void *inp, void *out, const AES_KEY *key);
+# void aes_decrypt_generic(const void *inp, void *out, const AES_KEY *key);
 $code.=<<___;
-.globl  aes_decrypt_internal
+.globl  aes_decrypt_generic
-.type   aes_decrypt_internal,\@function,3
+.type   aes_decrypt_generic,\@function,3
 .align  16
 .globl  asm_AES_decrypt
 .hidden asm_AES_decrypt
 asm_AES_decrypt:
-aes_decrypt_internal:
+aes_decrypt_generic:
        _CET_ENDBR
        push    %rbx
        push    %rbp
@@ -1259,7 +1259,7 @@ aes_decrypt_internal:
        lea     48(%rsi),%rsp
 .Ldec_epilogue:
        ret
-.size   aes_decrypt_internal,.-aes_decrypt_internal
+.size   aes_decrypt_generic,.-aes_decrypt_generic
 ___
 #------------------------------------------------------------------#
@@ -1290,13 +1290,13 @@ $code.=<<___;
 ___
 }
-# int aes_set_encrypt_key_internal(const unsigned char *userKey, const int bits,
+# int aes_set_encrypt_key_generic(const unsigned char *userKey, const int bits,
 #     AES_KEY *key)
 $code.=<<___;
-.globl  aes_set_encrypt_key_internal
+.globl  aes_set_encrypt_key_generic
-.type   aes_set_encrypt_key_internal,\@function,3
+.type   aes_set_encrypt_key_generic,\@function,3
 .align  16
-aes_set_encrypt_key_internal:
+aes_set_encrypt_key_generic:
        _CET_ENDBR
        push    %rbx
        push    %rbp
@@ -1318,7 +1318,7 @@ aes_set_encrypt_key_internal:
        add     \$56,%rsp
 .Lenc_key_epilogue:
        ret
-.size   aes_set_encrypt_key_internal,.-aes_set_encrypt_key_internal
+.size   aes_set_encrypt_key_generic,.-aes_set_encrypt_key_generic
 .type   _x86_64_AES_set_encrypt_key,\@abi-omnipotent
 .align  16
@@ -1562,13 +1562,13 @@ $code.=<<___;
 ___
 }
-# int aes_set_decrypt_key_internal(const unsigned char *userKey, const int bits,
+# int aes_set_decrypt_key_generic(const unsigned char *userKey, const int bits,
 #     AES_KEY *key)
 $code.=<<___;
-.globl  aes_set_decrypt_key_internal
+.globl  aes_set_decrypt_key_generic
-.type   aes_set_decrypt_key_internal,\@function,3
+.type   aes_set_decrypt_key_generic,\@function,3
 .align  16
-aes_set_decrypt_key_internal:
+aes_set_decrypt_key_generic:
        _CET_ENDBR
        push    %rbx
        push    %rbp
@@ -1638,10 +1638,10 @@ $code.=<<___;
        add     \$56,%rsp
 .Ldec_key_epilogue:
        ret
-.size   aes_set_decrypt_key_internal,.-aes_set_decrypt_key_internal
+.size   aes_set_decrypt_key_generic,.-aes_set_decrypt_key_generic
 ___
-# void aes_cbc_encrypt_internal(const void char *inp, unsigned char *out,
+# void aes_cbc_encrypt_generic(const void char *inp, unsigned char *out,
 #     size_t length, const AES_KEY *key, unsigned char *ivp,const int enc);
 {
 # stack frame layout
@@ -1659,15 +1659,15 @@ my $aes_key="80(%rsp)";		# copy of aes_key
 my $mark="80+240(%rsp)";        # copy of aes_key->rounds
 $code.=<<___;
-.globl  aes_cbc_encrypt_internal
+.globl  aes_cbc_encrypt_generic
-.type   aes_cbc_encrypt_internal,\@function,6
+.type   aes_cbc_encrypt_generic,\@function,6
 .align  16
 .extern OPENSSL_ia32cap_P
 .hidden OPENSSL_ia32cap_P
 .globl  asm_AES_cbc_encrypt
 .hidden asm_AES_cbc_encrypt
 asm_AES_cbc_encrypt:
-aes_cbc_encrypt_internal:
+aes_cbc_encrypt_generic:
        _CET_ENDBR
        cmp     \$0,%rdx        # check length
        je      .Lcbc_epilogue
@@ -2117,7 +2117,7 @@ aes_cbc_encrypt_internal:
        popfq
 .Lcbc_epilogue:
        ret
-.size   aes_cbc_encrypt_internal,.-aes_cbc_encrypt_internal
+.size   aes_cbc_encrypt_generic,.-aes_cbc_encrypt_generic
 ___
 }
@@ -2782,45 +2782,45 @@ cbc_se_handler:
 .section        .pdata
 .align  4
-        .rva    .LSEH_begin_aes_encrypt_internal
+        .rva    .LSEH_begin_aes_encrypt_generic
-        .rva    .LSEH_end_aes_encrypt_internal
+        .rva    .LSEH_end_aes_encrypt_generic
-        .rva    .LSEH_info_aes_encrypt_internal
+        .rva    .LSEH_info_aes_encrypt_generic
-        .rva    .LSEH_begin_aes_decrypt_internal
+        .rva    .LSEH_begin_aes_decrypt_generic
-        .rva    .LSEH_end_aes_decrypt_internal
+        .rva    .LSEH_end_aes_decrypt_generic
-        .rva    .LSEH_info_aes_decrypt_internal
+        .rva    .LSEH_info_aes_decrypt_generic
-        .rva    .LSEH_begin_aes_set_encrypt_key_internal
+        .rva    .LSEH_begin_aes_set_encrypt_key_generic
-        .rva    .LSEH_end_aes_set_encrypt_key_internal
+        .rva    .LSEH_end_aes_set_encrypt_key_generic
-        .rva    .LSEH_info_aes_set_encrypt_key_internal
+        .rva    .LSEH_info_aes_set_encrypt_key_generic
-        .rva    .LSEH_begin_aes_set_decrypt_key_internal
+        .rva    .LSEH_begin_aes_set_decrypt_key_generic
-        .rva    .LSEH_end_aes_set_decrypt_key_internal
+        .rva    .LSEH_end_aes_set_decrypt_key_generic
-        .rva    .LSEH_info_aes_set_decrypt_key_internal
+        .rva    .LSEH_info_aes_set_decrypt_key_generic
-        .rva    .LSEH_begin_aes_cbc_encrypt_internal
+        .rva    .LSEH_begin_aes_cbc_encrypt_generic
-        .rva    .LSEH_end_aes_cbc_encrypt_internal
+        .rva    .LSEH_end_aes_cbc_encrypt_generic
-        .rva    .LSEH_info_aes_cbc_encrypt_internal
+        .rva    .LSEH_info_aes_cbc_encrypt_generic
 .section        .xdata
 .align  8
-.LSEH_info_aes_encrypt_internal:
+.LSEH_info_aes_encrypt_generic:
        .byte   9,0,0,0
        .rva    block_se_handler
        .rva    .Lenc_prologue,.Lenc_epilogue   # HandlerData[]
-.LSEH_info_aes_decrypt_internal:
+.LSEH_info_aes_decrypt_generic:
        .byte   9,0,0,0
        .rva    block_se_handler
        .rva    .Ldec_prologue,.Ldec_epilogue   # HandlerData[]
-.LSEH_info_aes_set_encrypt_key_internal:
+.LSEH_info_aes_set_encrypt_key_generic:
        .byte   9,0,0,0
        .rva    key_se_handler
        .rva    .Lenc_key_prologue,.Lenc_key_epilogue   # HandlerData[]
-.LSEH_info_aes_set_decrypt_key_internal:
+.LSEH_info_aes_set_decrypt_key_generic:
        .byte   9,0,0,0
        .rva    key_se_handler
        .rva    .Ldec_key_prologue,.Ldec_key_epilogue   # HandlerData[]
-.LSEH_info_aes_cbc_encrypt_internal:
+.LSEH_info_aes_cbc_encrypt_generic:
        .byte   9,0,0,0
        .rva    cbc_se_handler
 ___
diff --git a/src/lib/libcrypto/aes/asm/bsaes-x86_64.pl b/src/lib/libcrypto/aes/asm/bsaes-x86_64.pl
deleted file mode 100644
index c44a338114..0000000000
--- a/src/lib/libcrypto/aes/asm/bsaes-x86_64.pl
+++ /dev/null
@@ -1,3123 +0,0 @@
-#!/usr/bin/env perl
-###################################################################
-### AES-128 [originally in CTR mode]                            ###
-### bitsliced implementation for Intel Core 2 processors        ###
-### requires support of SSE extensions up to SSSE3              ###
-### Author: Emilia Käsper and Peter Schwabe                    ###
-### Date: 2009-03-19                                            ###
-### Public domain                                               ###
-###                                                             ###
-### See http://homes.esat.kuleuven.be/~ekasper/#software for    ###
-### further information.                                        ###
-###################################################################
-#
-# September 2011.
-#
-# Started as transliteration to "perlasm" the original code has
-# undergone following changes:
-#
-# - code was made position-independent;
-# - rounds were folded into a loop resulting in >5x size reduction
-#   from 12.5KB to 2.2KB;
-# - above was possible thanks to mixcolumns() modification that
-#   allowed to feed its output back to aesenc[last], this was
-#   achieved at cost of two additional inter-registers moves;
-# - some instruction reordering and interleaving;
-# - this module doesn't implement key setup subroutine, instead it
-#   relies on conversion of "conventional" key schedule as returned
-#   by AES_set_encrypt_key (see discussion below);
-# - first and last round keys are treated differently, which allowed
-#   to skip one shiftrows(), reduce bit-sliced key schedule and
-#   speed-up conversion by 22%;
-# - support for 192- and 256-bit keys was added;
-#
-# Resulting performance in CPU cycles spent to encrypt one byte out
-# of 4096-byte buffer with 128-bit key is:
-#
-#               Emilia's        this(*)         difference
-#
-# Core 2        9.30            8.69            +7%
-# Nehalem(**)   7.63            6.98            +9%
-# Atom          17.1            17.4            -2%(***)
-#
-# (*)   Comparison is not completely fair, because "this" is ECB,
-#       i.e. no extra processing such as counter values calculation
-#       and xor-ing input as in Emilia's CTR implementation is
-#       performed. However, the CTR calculations stand for not more
-#       than 1% of total time, so comparison is *rather* fair.
-#
-# (**)  Results were collected on Westmere, which is considered to
-#       be equivalent to Nehalem for this code.
-#
-# (***) Slowdown on Atom is rather strange per se, because original
-#       implementation has a number of 9+-bytes instructions, which
-#       are bad for Atom front-end, and which I eliminated completely.
-#       In attempt to address deterioration sbox() was tested in FP
-#       SIMD "domain" (movaps instead of movdqa, xorps instead of
-#       pxor, etc.). While it resulted in nominal 4% improvement on
-#       Atom, it hurted Westmere by more than 2x factor.
-#
-# As for key schedule conversion subroutine. Interface to OpenSSL
-# relies on per-invocation on-the-fly conversion. This naturally
-# has impact on performance, especially for short inputs. Conversion
-# time in CPU cycles and its ratio to CPU cycles spent in 8x block
-# function is:
-#
-#               conversion      conversion/8x block
-# Core 2        240             0.22
-# Nehalem       180             0.20
-# Atom          430             0.19
-#
-# The ratio values mean that 128-byte blocks will be processed
-# 16-18% slower, 256-byte blocks - 9-10%, 384-byte blocks - 6-7%,
-# etc. Then keep in mind that input sizes not divisible by 128 are
-# *effectively* slower, especially shortest ones, e.g. consecutive
-# 144-byte blocks are processed 44% slower than one would expect,
-# 272 - 29%, 400 - 22%, etc. Yet, despite all these "shortcomings"
-# it's still faster than ["hyper-threading-safe" code path in]
-# aes-x86_64.pl on all lengths above 64 bytes...
-#
-# October 2011.
-#
-# Add decryption procedure. Performance in CPU cycles spent to decrypt
-# one byte out of 4096-byte buffer with 128-bit key is:
-#
-# Core 2        9.83
-# Nehalem       7.74
-# Atom          19.0
-#
-# November 2011.
-#
-# Add bsaes_xts_[en|de]crypt. Less-than-80-bytes-block performance is
-# suboptimal, but XTS is meant to be used with larger blocks...
-#
-#                                               <appro@openssl.org>
-$flavour = shift;
-$output  = shift;
-if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
-$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
-die "can't locate x86_64-xlate.pl";
-open OUT,"| \"$^X\" $xlate $flavour $output";
-*STDOUT=*OUT;
-my ($inp,$out,$len,$key,$ivp)=("%rdi","%rsi","%rdx","%rcx");
-my @XMM=map("%xmm$_",(15,0..14));       # best on Atom, +10% over (0..15)
-my $ecb=0;      # suppress unreferenced ECB subroutines, spare some space...
-{
-my ($key,$rounds,$const)=("%rax","%r10d","%r11");
-sub Sbox {
-# input in  lsb > [b0, b1, b2, b3, b4, b5, b6, b7] < msb
-# output in lsb > [b0, b1, b4, b6, b3, b7, b2, b5] < msb
-my @b=@_[0..7];
-my @t=@_[8..11];
-my @s=@_[12..15];
-        &InBasisChange  (@b);
-        &Inv_GF256      (@b[6,5,0,3,7,1,4,2],@t,@s);
-        &OutBasisChange (@b[7,1,4,2,6,5,0,3]);
-}
-sub InBasisChange {
-# input in  lsb > [b0, b1, b2, b3, b4, b5, b6, b7] < msb
-# output in lsb > [b6, b5, b0, b3, b7, b1, b4, b2] < msb 
-my @b=@_[0..7];
-$code.=<<___;
-        pxor    @b[6], @b[5]
-        pxor    @b[1], @b[2]
-        pxor    @b[0], @b[3]
-        pxor    @b[2], @b[6]
-        pxor    @b[0], @b[5]
-        pxor    @b[3], @b[6]
-        pxor    @b[7], @b[3]
-        pxor    @b[5], @b[7]
-        pxor    @b[4], @b[3]
-        pxor    @b[5], @b[4]
-        pxor    @b[1], @b[3]
-        pxor    @b[7], @b[2]
-        pxor    @b[5], @b[1]
-___
-}
-sub OutBasisChange {
-# input in  lsb > [b0, b1, b2, b3, b4, b5, b6, b7] < msb
-# output in lsb > [b6, b1, b2, b4, b7, b0, b3, b5] < msb
-my @b=@_[0..7];
-$code.=<<___;
-        pxor    @b[6], @b[0]
-        pxor    @b[4], @b[1]
-        pxor    @b[0], @b[2]
-        pxor    @b[6], @b[4]
-        pxor    @b[1], @b[6]
-        pxor    @b[5], @b[1]
-        pxor    @b[3], @b[5]
-        pxor    @b[7], @b[3]
-        pxor    @b[5], @b[7]
-        pxor    @b[5], @b[2]
-        pxor    @b[7], @b[4]
-___
-}
-sub InvSbox {
-# input in lsb  > [b0, b1, b2, b3, b4, b5, b6, b7] < msb
-# output in lsb > [b0, b1, b6, b4, b2, b7, b3, b5] < msb
-my @b=@_[0..7];
-my @t=@_[8..11];
-my @s=@_[12..15];
-        &InvInBasisChange       (@b);
-        &Inv_GF256              (@b[5,1,2,6,3,7,0,4],@t,@s);
-        &InvOutBasisChange      (@b[3,7,0,4,5,1,2,6]);
-}
-sub InvInBasisChange {          # OutBasisChange in reverse
-my @b=@_[5,1,2,6,3,7,0,4];
-$code.=<<___
-        pxor    @b[7], @b[4]
-        pxor    @b[5], @b[7]
-        pxor    @b[5], @b[2]
-        pxor    @b[7], @b[3]
-        pxor    @b[3], @b[5]
-        pxor    @b[5], @b[1]
-        pxor    @b[1], @b[6]
-        pxor    @b[0], @b[2]
-        pxor    @b[6], @b[4]
-        pxor    @b[6], @b[0]
-        pxor    @b[4], @b[1]
-___
-}
-sub InvOutBasisChange {         # InBasisChange in reverse
-my @b=@_[2,5,7,3,6,1,0,4];
-$code.=<<___;
-        pxor    @b[5], @b[1]
-        pxor    @b[7], @b[2]
-        pxor    @b[1], @b[3]
-        pxor    @b[5], @b[4]
-        pxor    @b[5], @b[7]
-        pxor    @b[4], @b[3]
-         pxor   @b[0], @b[5]
-        pxor    @b[7], @b[3]
-         pxor   @b[2], @b[6]
-         pxor   @b[1], @b[2]
-        pxor    @b[3], @b[6]
-        pxor    @b[0], @b[3]
-        pxor    @b[6], @b[5]
-___
-}
-sub Mul_GF4 {
-#;*************************************************************
-#;* Mul_GF4: Input x0-x1,y0-y1 Output x0-x1 Temp t0 (8) *
-#;*************************************************************
-my ($x0,$x1,$y0,$y1,$t0)=@_;
-$code.=<<___;
-        movdqa  $y0, $t0
-        pxor    $y1, $t0
-        pand    $x0, $t0
-        pxor    $x1, $x0
-        pand    $y0, $x1
-        pand    $y1, $x0
-        pxor    $x1, $x0
-        pxor    $t0, $x1
-___
-}
-sub Mul_GF4_N {                         # not used, see next subroutine
-# multiply and scale by N
-my ($x0,$x1,$y0,$y1,$t0)=@_;
-$code.=<<___;
-        movdqa  $y0, $t0
-        pxor    $y1, $t0
-        pand    $x0, $t0
-        pxor    $x1, $x0
-        pand    $y0, $x1
-        pand    $y1, $x0
-        pxor    $x0, $x1
-        pxor    $t0, $x0
-___
-}
-sub Mul_GF4_N_GF4 {
-# interleaved Mul_GF4_N and Mul_GF4
-my ($x0,$x1,$y0,$y1,$t0,
-    $x2,$x3,$y2,$y3,$t1)=@_;
-$code.=<<___;
-        movdqa  $y0, $t0
-         movdqa $y2, $t1
-        pxor    $y1, $t0
-         pxor   $y3, $t1
-        pand    $x0, $t0
-         pand   $x2, $t1
-        pxor    $x1, $x0
-         pxor   $x3, $x2
-        pand    $y0, $x1
-         pand   $y2, $x3
-        pand    $y1, $x0
-         pand   $y3, $x2
-        pxor    $x0, $x1
-         pxor   $x3, $x2
-        pxor    $t0, $x0
-         pxor   $t1, $x3
-___
-}
-sub Mul_GF16_2 {
-my @x=@_[0..7];
-my @y=@_[8..11];
-my @t=@_[12..15];
-$code.=<<___;
-        movdqa  @x[0], @t[0]
-        movdqa  @x[1], @t[1]
-___
-        &Mul_GF4        (@x[0], @x[1], @y[0], @y[1], @t[2]);
-$code.=<<___;
-        pxor    @x[2], @t[0]
-        pxor    @x[3], @t[1]
-        pxor    @y[2], @y[0]
-        pxor    @y[3], @y[1]
-___
-        Mul_GF4_N_GF4   (@t[0], @t[1], @y[0], @y[1], @t[3],
-                         @x[2], @x[3], @y[2], @y[3], @t[2]);
-$code.=<<___;
-        pxor    @t[0], @x[0]
-        pxor    @t[0], @x[2]
-        pxor    @t[1], @x[1]
-        pxor    @t[1], @x[3]
-        movdqa  @x[4], @t[0]
-        movdqa  @x[5], @t[1]
-        pxor    @x[6], @t[0]
-        pxor    @x[7], @t[1]
-___
-        &Mul_GF4_N_GF4  (@t[0], @t[1], @y[0], @y[1], @t[3],
-                         @x[6], @x[7], @y[2], @y[3], @t[2]);
-$code.=<<___;
-        pxor    @y[2], @y[0]
-        pxor    @y[3], @y[1]
-___
-        &Mul_GF4        (@x[4], @x[5], @y[0], @y[1], @t[3]);
-$code.=<<___;
-        pxor    @t[0], @x[4]
-        pxor    @t[0], @x[6]
-        pxor    @t[1], @x[5]
-        pxor    @t[1], @x[7]
-___
-}
-sub Inv_GF256 {
-#;********************************************************************
-#;* Inv_GF256: Input x0-x7 Output x0-x7 Temp t0-t3,s0-s3 (144)       *
-#;********************************************************************
-my @x=@_[0..7];
-my @t=@_[8..11];
-my @s=@_[12..15];
-# direct optimizations from hardware
-$code.=<<___;
-        movdqa  @x[4], @t[3]
-        movdqa  @x[5], @t[2]
-        movdqa  @x[1], @t[1]
-        movdqa  @x[7], @s[1]
-        movdqa  @x[0], @s[0]
-        pxor    @x[6], @t[3]
-        pxor    @x[7], @t[2]
-        pxor    @x[3], @t[1]
-         movdqa @t[3], @s[2]
-        pxor    @x[6], @s[1]
-         movdqa @t[2], @t[0]
-        pxor    @x[2], @s[0]
-         movdqa @t[3], @s[3]
-        por     @t[1], @t[2]
-        por     @s[0], @t[3]
-        pxor    @t[0], @s[3]
-        pand    @s[0], @s[2]
-        pxor    @t[1], @s[0]
-        pand    @t[1], @t[0]
-        pand    @s[0], @s[3]
-        movdqa  @x[3], @s[0]
-        pxor    @x[2], @s[0]
-        pand    @s[0], @s[1]
-        pxor    @s[1], @t[3]
-        pxor    @s[1], @t[2]
-        movdqa  @x[4], @s[1]
-        movdqa  @x[1], @s[0]
-        pxor    @x[5], @s[1]
-        pxor    @x[0], @s[0]
-        movdqa  @s[1], @t[1]
-        pand    @s[0], @s[1]
-        por     @s[0], @t[1]
-        pxor    @s[1], @t[0]
-        pxor    @s[3], @t[3]
-        pxor    @s[2], @t[2]
-        pxor    @s[3], @t[1]
-        movdqa  @x[7], @s[0]
-        pxor    @s[2], @t[0]
-        movdqa  @x[6], @s[1]
-        pxor    @s[2], @t[1]
-        movdqa  @x[5], @s[2]
-        pand    @x[3], @s[0]
-        movdqa  @x[4], @s[3]
-        pand    @x[2], @s[1]
-        pand    @x[1], @s[2]
-        por     @x[0], @s[3]
-        pxor    @s[0], @t[3]
-        pxor    @s[1], @t[2]
-        pxor    @s[2], @t[1]
-        pxor    @s[3], @t[0] 
-        #Inv_GF16 \t0, \t1, \t2, \t3, \s0, \s1, \s2, \s3
-        # new smaller inversion
-        movdqa  @t[3], @s[0]
-        pand    @t[1], @t[3]
-        pxor    @t[2], @s[0]
-        movdqa  @t[0], @s[2]
-        movdqa  @s[0], @s[3]
-        pxor    @t[3], @s[2]
-        pand    @s[2], @s[3]
-        movdqa  @t[1], @s[1]
-        pxor    @t[2], @s[3]
-        pxor    @t[0], @s[1]
-        pxor    @t[2], @t[3]
-        pand    @t[3], @s[1]
-        movdqa  @s[2], @t[2]
-        pxor    @t[0], @s[1]
-        pxor    @s[1], @t[2]
-        pxor    @s[1], @t[1]
-        pand    @t[0], @t[2]
-        pxor    @t[2], @s[2]
-        pxor    @t[2], @t[1]
-        pand    @s[3], @s[2]
-        pxor    @s[0], @s[2]
-___
-# output in s3, s2, s1, t1
-# Mul_GF16_2 \x0, \x1, \x2, \x3, \x4, \x5, \x6, \x7, \t2, \t3, \t0, \t1, \s0, \s1, \s2, \s3
-# Mul_GF16_2 \x0, \x1, \x2, \x3, \x4, \x5, \x6, \x7, \s3, \s2, \s1, \t1, \s0, \t0, \t2, \t3
-        &Mul_GF16_2(@x,@s[3,2,1],@t[1],@s[0],@t[0,2,3]);
-### output msb > [x3,x2,x1,x0,x7,x6,x5,x4] < lsb
-}
-# AES linear components
-sub ShiftRows {
-my @x=@_[0..7];
-my $mask=pop;
-$code.=<<___;
-        pxor    0x00($key),@x[0]
-        pxor    0x10($key),@x[1]
-        pshufb  $mask,@x[0]
-        pxor    0x20($key),@x[2]
-        pshufb  $mask,@x[1]
-        pxor    0x30($key),@x[3]
-        pshufb  $mask,@x[2]
-        pxor    0x40($key),@x[4]
-        pshufb  $mask,@x[3]
-        pxor    0x50($key),@x[5]
-        pshufb  $mask,@x[4]
-        pxor    0x60($key),@x[6]
-        pshufb  $mask,@x[5]
-        pxor    0x70($key),@x[7]
-        pshufb  $mask,@x[6]
-        lea     0x80($key),$key
-        pshufb  $mask,@x[7]
-___
-}
-sub MixColumns {
-# modified to emit output in order suitable for feeding back to aesenc[last]
-my @x=@_[0..7];
-my @t=@_[8..15];
-my $inv=@_[16]; # optional
-$code.=<<___;
-        pshufd  \$0x93, @x[0], @t[0]    # x0 <<< 32
-        pshufd  \$0x93, @x[1], @t[1]
-         pxor   @t[0], @x[0]            # x0 ^ (x0 <<< 32)
-        pshufd  \$0x93, @x[2], @t[2]
-         pxor   @t[1], @x[1]
-        pshufd  \$0x93, @x[3], @t[3]
-         pxor   @t[2], @x[2]
-        pshufd  \$0x93, @x[4], @t[4]
-         pxor   @t[3], @x[3]
-        pshufd  \$0x93, @x[5], @t[5]
-         pxor   @t[4], @x[4]
-        pshufd  \$0x93, @x[6], @t[6]
-         pxor   @t[5], @x[5]
-        pshufd  \$0x93, @x[7], @t[7]
-         pxor   @t[6], @x[6]
-         pxor   @t[7], @x[7]
-        pxor    @x[0], @t[1]
-        pxor    @x[7], @t[0]
-        pxor    @x[7], @t[1]
-         pshufd \$0x4E, @x[0], @x[0]    # (x0 ^ (x0 <<< 32)) <<< 64)
-        pxor    @x[1], @t[2]
-         pshufd \$0x4E, @x[1], @x[1]
-        pxor    @x[4], @t[5]
-         pxor   @t[0], @x[0]
-        pxor    @x[5], @t[6]
-         pxor   @t[1], @x[1]
-        pxor    @x[3], @t[4]
-         pshufd \$0x4E, @x[4], @t[0]
-        pxor    @x[6], @t[7]
-         pshufd \$0x4E, @x[5], @t[1]
-        pxor    @x[2], @t[3]
-         pshufd \$0x4E, @x[3], @x[4]
-        pxor    @x[7], @t[3]
-         pshufd \$0x4E, @x[7], @x[5]
-        pxor    @x[7], @t[4]
-         pshufd \$0x4E, @x[6], @x[3]
-        pxor    @t[4], @t[0]
-         pshufd \$0x4E, @x[2], @x[6]
-        pxor    @t[5], @t[1]
-___
-$code.=<<___ if (!$inv);
-        pxor    @t[3], @x[4]
-        pxor    @t[7], @x[5]
-        pxor    @t[6], @x[3]
-         movdqa @t[0], @x[2]
-        pxor    @t[2], @x[6]
-         movdqa @t[1], @x[7]
-___
-$code.=<<___ if ($inv);
-        pxor    @x[4], @t[3]
-        pxor    @t[7], @x[5]
-        pxor    @x[3], @t[6]
-         movdqa @t[0], @x[3]
-        pxor    @t[2], @x[6]
-         movdqa @t[6], @x[2]
-         movdqa @t[1], @x[7]
-         movdqa @x[6], @x[4]
-         movdqa @t[3], @x[6]
-___
-}
-sub InvMixColumns_orig {
-my @x=@_[0..7];
-my @t=@_[8..15];
-$code.=<<___;
-        # multiplication by 0x0e
-        pshufd  \$0x93, @x[7], @t[7]
-        movdqa  @x[2], @t[2]
-        pxor    @x[5], @x[7]            # 7 5
-        pxor    @x[5], @x[2]            # 2 5
-        pshufd  \$0x93, @x[0], @t[0]
-        movdqa  @x[5], @t[5]
-        pxor    @x[0], @x[5]            # 5 0           [1]
-        pxor    @x[1], @x[0]            # 0 1
-        pshufd  \$0x93, @x[1], @t[1]
-        pxor    @x[2], @x[1]            # 1 25
-        pxor    @x[6], @x[0]            # 01 6          [2]
-        pxor    @x[3], @x[1]            # 125 3         [4]
-        pshufd  \$0x93, @x[3], @t[3]
-        pxor    @x[0], @x[2]            # 25 016        [3]
-        pxor    @x[7], @x[3]            # 3 75
-        pxor    @x[6], @x[7]            # 75 6          [0]
-        pshufd  \$0x93, @x[6], @t[6]
-        movdqa  @x[4], @t[4]
-        pxor    @x[4], @x[6]            # 6 4
-        pxor    @x[3], @x[4]            # 4 375         [6]
-        pxor    @x[7], @x[3]            # 375 756=36
-        pxor    @t[5], @x[6]            # 64 5          [7]
-        pxor    @t[2], @x[3]            # 36 2
-        pxor    @t[4], @x[3]            # 362 4         [5]
-        pshufd  \$0x93, @t[5], @t[5]
-___
-                                        my @y = @x[7,5,0,2,1,3,4,6];
-$code.=<<___;
-        # multiplication by 0x0b
-        pxor    @y[0], @y[1]
-        pxor    @t[0], @y[0]
-        pxor    @t[1], @y[1]
-        pshufd  \$0x93, @t[2], @t[2]
-        pxor    @t[5], @y[0]
-        pxor    @t[6], @y[1]
-        pxor    @t[7], @y[0]
-        pshufd  \$0x93, @t[4], @t[4]
-        pxor    @t[6], @t[7]            # clobber t[7]
-        pxor    @y[0], @y[1]
-        pxor    @t[0], @y[3]
-        pshufd  \$0x93, @t[0], @t[0]
-        pxor    @t[1], @y[2]
-        pxor    @t[1], @y[4]
-        pxor    @t[2], @y[2]
-        pshufd  \$0x93, @t[1], @t[1]
-        pxor    @t[2], @y[3]
-        pxor    @t[2], @y[5]
-        pxor    @t[7], @y[2]
-        pshufd  \$0x93, @t[2], @t[2]
-        pxor    @t[3], @y[3]
-        pxor    @t[3], @y[6]
-        pxor    @t[3], @y[4]
-        pshufd  \$0x93, @t[3], @t[3]
-        pxor    @t[4], @y[7]
-        pxor    @t[4], @y[5]
-        pxor    @t[7], @y[7]
-        pxor    @t[5], @y[3]
-        pxor    @t[4], @y[4]
-        pxor    @t[5], @t[7]            # clobber t[7] even more
-        pxor    @t[7], @y[5]
-        pshufd  \$0x93, @t[4], @t[4]
-        pxor    @t[7], @y[6]
-        pxor    @t[7], @y[4]
-        pxor    @t[5], @t[7]
-        pshufd  \$0x93, @t[5], @t[5]
-        pxor    @t[6], @t[7]            # restore t[7]
-        # multiplication by 0x0d
-        pxor    @y[7], @y[4]
-        pxor    @t[4], @y[7]
-        pshufd  \$0x93, @t[6], @t[6]
-        pxor    @t[0], @y[2]
-        pxor    @t[5], @y[7]
-        pxor    @t[2], @y[2]
-        pshufd  \$0x93, @t[7], @t[7]
-        pxor    @y[1], @y[3]
-        pxor    @t[1], @y[1]
-        pxor    @t[0], @y[0]
-        pxor    @t[0], @y[3]
-        pxor    @t[5], @y[1]
-        pxor    @t[5], @y[0]
-        pxor    @t[7], @y[1]
-        pshufd  \$0x93, @t[0], @t[0]
-        pxor    @t[6], @y[0]
-        pxor    @y[1], @y[3]
-        pxor    @t[1], @y[4]
-        pshufd  \$0x93, @t[1], @t[1]
-        pxor    @t[7], @y[7]
-        pxor    @t[2], @y[4]
-        pxor    @t[2], @y[5]
-        pshufd  \$0x93, @t[2], @t[2]
-        pxor    @t[6], @y[2]
-        pxor    @t[3], @t[6]            # clobber t[6]
-        pxor    @y[7], @y[4]
-        pxor    @t[6], @y[3]
-        pxor    @t[6], @y[6]
-        pxor    @t[5], @y[5]
-        pxor    @t[4], @y[6]
-        pshufd  \$0x93, @t[4], @t[4]
-        pxor    @t[6], @y[5]
-        pxor    @t[7], @y[6]
-        pxor    @t[3], @t[6]            # restore t[6]
-        pshufd  \$0x93, @t[5], @t[5]
-        pshufd  \$0x93, @t[6], @t[6]
-        pshufd  \$0x93, @t[7], @t[7]
-        pshufd  \$0x93, @t[3], @t[3]
-        # multiplication by 0x09
-        pxor    @y[1], @y[4]
-        pxor    @y[1], @t[1]            # t[1]=y[1]
-        pxor    @t[5], @t[0]            # clobber t[0]
-        pxor    @t[5], @t[1]
-        pxor    @t[0], @y[3]
-        pxor    @y[0], @t[0]            # t[0]=y[0]
-        pxor    @t[6], @t[1]
-        pxor    @t[7], @t[6]            # clobber t[6]
-        pxor    @t[1], @y[4]
-        pxor    @t[4], @y[7]
-        pxor    @y[4], @t[4]            # t[4]=y[4]
-        pxor    @t[3], @y[6]
-        pxor    @y[3], @t[3]            # t[3]=y[3]
-        pxor    @t[2], @y[5]
-        pxor    @y[2], @t[2]            # t[2]=y[2]
-        pxor    @t[7], @t[3]
-        pxor    @y[5], @t[5]            # t[5]=y[5]
-        pxor    @t[6], @t[2]
-        pxor    @t[6], @t[5]
-        pxor    @y[6], @t[6]            # t[6]=y[6]
-        pxor    @y[7], @t[7]            # t[7]=y[7]
-        movdqa  @t[0],@XMM[0]
-        movdqa  @t[1],@XMM[1]
-        movdqa  @t[2],@XMM[2]
-        movdqa  @t[3],@XMM[3]
-        movdqa  @t[4],@XMM[4]
-        movdqa  @t[5],@XMM[5]
-        movdqa  @t[6],@XMM[6]
-        movdqa  @t[7],@XMM[7]
-___
-}
-sub InvMixColumns {
-my @x=@_[0..7];
-my @t=@_[8..15];
-# Thanks to Jussi Kivilinna for providing pointer to
-#
-# | 0e 0b 0d 09 |   | 02 03 01 01 |   | 05 00 04 00 |
-# | 09 0e 0b 0d | = | 01 02 03 01 | x | 00 05 00 04 |
-# | 0d 09 0e 0b |   | 01 01 02 03 |   | 04 00 05 00 |
-# | 0b 0d 09 0e |   | 03 01 01 02 |   | 00 04 00 05 |
-$code.=<<___;
-        # multiplication by 0x05-0x00-0x04-0x00
-        pshufd  \$0x4E, @x[0], @t[0]
-        pshufd  \$0x4E, @x[6], @t[6]
-        pxor    @x[0], @t[0]
-        pshufd  \$0x4E, @x[7], @t[7]
-        pxor    @x[6], @t[6]
-        pshufd  \$0x4E, @x[1], @t[1]
-        pxor    @x[7], @t[7]
-        pshufd  \$0x4E, @x[2], @t[2]
-        pxor    @x[1], @t[1]
-        pshufd  \$0x4E, @x[3], @t[3]
-        pxor    @x[2], @t[2]
-         pxor   @t[6], @x[0]
-         pxor   @t[6], @x[1]
-        pshufd  \$0x4E, @x[4], @t[4]
-        pxor    @x[3], @t[3]
-         pxor   @t[0], @x[2]
-         pxor   @t[1], @x[3]
-        pshufd  \$0x4E, @x[5], @t[5]
-        pxor    @x[4], @t[4]
-         pxor   @t[7], @x[1]
-         pxor   @t[2], @x[4]
-        pxor    @x[5], @t[5]
-         pxor   @t[7], @x[2]
-         pxor   @t[6], @x[3]
-         pxor   @t[6], @x[4]
-         pxor   @t[3], @x[5]
-         pxor   @t[4], @x[6]
-         pxor   @t[7], @x[4]
-         pxor   @t[7], @x[5]
-         pxor   @t[5], @x[7]
-___
-        &MixColumns     (@x,@t,1);      # flipped 2<->3 and 4<->6
-}
-sub aesenc {                            # not used
-my @b=@_[0..7];
-my @t=@_[8..15];
-$code.=<<___;
-        movdqa  0x30($const),@t[0]      # .LSR
-___
-        &ShiftRows      (@b,@t[0]);
-        &Sbox           (@b,@t);
-        &MixColumns     (@b[0,1,4,6,3,7,2,5],@t);
-}
-sub aesenclast {                        # not used
-my @b=@_[0..7];
-my @t=@_[8..15];
-$code.=<<___;
-        movdqa  0x40($const),@t[0]      # .LSRM0
-___
-        &ShiftRows      (@b,@t[0]);
-        &Sbox           (@b,@t);
-$code.=<<___
-        pxor    0x00($key),@b[0]
-        pxor    0x10($key),@b[1]
-        pxor    0x20($key),@b[4]
-        pxor    0x30($key),@b[6]
-        pxor    0x40($key),@b[3]
-        pxor    0x50($key),@b[7]
-        pxor    0x60($key),@b[2]
-        pxor    0x70($key),@b[5]
-___
-}
-sub swapmove {
-my ($a,$b,$n,$mask,$t)=@_;
-$code.=<<___;
-        movdqa  $b,$t
-        psrlq   \$$n,$b
-        pxor    $a,$b
-        pand    $mask,$b
-        pxor    $b,$a
-        psllq   \$$n,$b
-        pxor    $t,$b
-___
-}
-sub swapmove2x {
-my ($a0,$b0,$a1,$b1,$n,$mask,$t0,$t1)=@_;
-$code.=<<___;
-        movdqa  $b0,$t0
-        psrlq   \$$n,$b0
-         movdqa $b1,$t1
-         psrlq  \$$n,$b1
-        pxor    $a0,$b0
-         pxor   $a1,$b1
-        pand    $mask,$b0
-         pand   $mask,$b1
-        pxor    $b0,$a0
-        psllq   \$$n,$b0
-         pxor   $b1,$a1
-         psllq  \$$n,$b1
-        pxor    $t0,$b0
-         pxor   $t1,$b1
-___
-}
-sub bitslice {
-my @x=reverse(@_[0..7]);
-my ($t0,$t1,$t2,$t3)=@_[8..11];
-$code.=<<___;
-        movdqa  0x00($const),$t0        # .LBS0
-        movdqa  0x10($const),$t1        # .LBS1
-___
-        &swapmove2x(@x[0,1,2,3],1,$t0,$t2,$t3);
-        &swapmove2x(@x[4,5,6,7],1,$t0,$t2,$t3);
-$code.=<<___;
-        movdqa  0x20($const),$t0        # .LBS2
-___
-        &swapmove2x(@x[0,2,1,3],2,$t1,$t2,$t3);
-        &swapmove2x(@x[4,6,5,7],2,$t1,$t2,$t3);
-        &swapmove2x(@x[0,4,1,5],4,$t0,$t2,$t3);
-        &swapmove2x(@x[2,6,3,7],4,$t0,$t2,$t3);
-}
-$code.=<<___;
-.text
-.extern asm_AES_encrypt
-.extern asm_AES_decrypt
-.type   _bsaes_encrypt8,\@abi-omnipotent
-.align  64
-_bsaes_encrypt8:
-        _CET_ENDBR
-        lea     .LBS0(%rip), $const     # constants table
-        movdqa  ($key), @XMM[9]         # round 0 key
-        lea     0x10($key), $key
-        movdqa  0x50($const), @XMM[8]   # .LM0SR
-        pxor    @XMM[9], @XMM[0]        # xor with round0 key
-        pxor    @XMM[9], @XMM[1]
-         pshufb @XMM[8], @XMM[0]
-        pxor    @XMM[9], @XMM[2]
-         pshufb @XMM[8], @XMM[1]
-        pxor    @XMM[9], @XMM[3]
-         pshufb @XMM[8], @XMM[2]
-        pxor    @XMM[9], @XMM[4]
-         pshufb @XMM[8], @XMM[3]
-        pxor    @XMM[9], @XMM[5]
-         pshufb @XMM[8], @XMM[4]
-        pxor    @XMM[9], @XMM[6]
-         pshufb @XMM[8], @XMM[5]
-        pxor    @XMM[9], @XMM[7]
-         pshufb @XMM[8], @XMM[6]
-         pshufb @XMM[8], @XMM[7]
-_bsaes_encrypt8_bitslice:
-___
-        &bitslice       (@XMM[0..7, 8..11]);
-$code.=<<___;
-        dec     $rounds
-        jmp     .Lenc_sbox
-.align  16
-.Lenc_loop:
-___
-        &ShiftRows      (@XMM[0..7, 8]);
-$code.=".Lenc_sbox:\n";
-        &Sbox           (@XMM[0..7, 8..15]);
-$code.=<<___;
-        dec     $rounds
-        jl      .Lenc_done
-___
-        &MixColumns     (@XMM[0,1,4,6,3,7,2,5, 8..15]);
-$code.=<<___;
-        movdqa  0x30($const), @XMM[8]   # .LSR
-        jnz     .Lenc_loop
-        movdqa  0x40($const), @XMM[8]   # .LSRM0
-        jmp     .Lenc_loop
-.align  16
-.Lenc_done:
-___
-        # output in lsb > [t0, t1, t4, t6, t3, t7, t2, t5] < msb
-        &bitslice       (@XMM[0,1,4,6,3,7,2,5, 8..11]);
-$code.=<<___;
-        movdqa  ($key), @XMM[8]         # last round key
-        pxor    @XMM[8], @XMM[4]
-        pxor    @XMM[8], @XMM[6]
-        pxor    @XMM[8], @XMM[3]
-        pxor    @XMM[8], @XMM[7]
-        pxor    @XMM[8], @XMM[2]
-        pxor    @XMM[8], @XMM[5]
-        pxor    @XMM[8], @XMM[0]
-        pxor    @XMM[8], @XMM[1]
-        ret
-.size   _bsaes_encrypt8,.-_bsaes_encrypt8
-.type   _bsaes_decrypt8,\@abi-omnipotent
-.align  64
-_bsaes_decrypt8:
-        _CET_ENDBR
-        lea     .LBS0(%rip), $const     # constants table
-        movdqa  ($key), @XMM[9]         # round 0 key
-        lea     0x10($key), $key
-        movdqa  -0x30($const), @XMM[8]  # .LM0ISR
-        pxor    @XMM[9], @XMM[0]        # xor with round0 key
-        pxor    @XMM[9], @XMM[1]
-         pshufb @XMM[8], @XMM[0]
-        pxor    @XMM[9], @XMM[2]
-         pshufb @XMM[8], @XMM[1]
-        pxor    @XMM[9], @XMM[3]
-         pshufb @XMM[8], @XMM[2]
-        pxor    @XMM[9], @XMM[4]
-         pshufb @XMM[8], @XMM[3]
-        pxor    @XMM[9], @XMM[5]
-         pshufb @XMM[8], @XMM[4]
-        pxor    @XMM[9], @XMM[6]
-         pshufb @XMM[8], @XMM[5]
-        pxor    @XMM[9], @XMM[7]
-         pshufb @XMM[8], @XMM[6]
-         pshufb @XMM[8], @XMM[7]
-___
-        &bitslice       (@XMM[0..7, 8..11]);
-$code.=<<___;
-        dec     $rounds
-        jmp     .Ldec_sbox
-.align  16
-.Ldec_loop:
-___
-        &ShiftRows      (@XMM[0..7, 8]);
-$code.=".Ldec_sbox:\n";
-        &InvSbox        (@XMM[0..7, 8..15]);
-$code.=<<___;
-        dec     $rounds
-        jl      .Ldec_done
-___
-        &InvMixColumns  (@XMM[0,1,6,4,2,7,3,5, 8..15]);
-$code.=<<___;
-        movdqa  -0x10($const), @XMM[8]  # .LISR
-        jnz     .Ldec_loop
-        movdqa  -0x20($const), @XMM[8]  # .LISRM0
-        jmp     .Ldec_loop
-.align  16
-.Ldec_done:
-___
-        &bitslice       (@XMM[0,1,6,4,2,7,3,5, 8..11]);
-$code.=<<___;
-        movdqa  ($key), @XMM[8]         # last round key
-        pxor    @XMM[8], @XMM[6]
-        pxor    @XMM[8], @XMM[4]
-        pxor    @XMM[8], @XMM[2]
-        pxor    @XMM[8], @XMM[7]
-        pxor    @XMM[8], @XMM[3]
-        pxor    @XMM[8], @XMM[5]
-        pxor    @XMM[8], @XMM[0]
-        pxor    @XMM[8], @XMM[1]
-        ret
-.size   _bsaes_decrypt8,.-_bsaes_decrypt8
-___
-}
-{
-my ($out,$inp,$rounds,$const)=("%rax","%rcx","%r10d","%r11");
-sub bitslice_key {
-my @x=reverse(@_[0..7]);
-my ($bs0,$bs1,$bs2,$t2,$t3)=@_[8..12];
-        &swapmove       (@x[0,1],1,$bs0,$t2,$t3);
-$code.=<<___;
-        #&swapmove(@x[2,3],1,$t0,$t2,$t3);
-        movdqa  @x[0], @x[2]
-        movdqa  @x[1], @x[3]
-___
-        #&swapmove2x(@x[4,5,6,7],1,$t0,$t2,$t3);
-        &swapmove2x     (@x[0,2,1,3],2,$bs1,$t2,$t3);
-$code.=<<___;
-        #&swapmove2x(@x[4,6,5,7],2,$t1,$t2,$t3);
-        movdqa  @x[0], @x[4]
-        movdqa  @x[2], @x[6]
-        movdqa  @x[1], @x[5]
-        movdqa  @x[3], @x[7]
-___
-        &swapmove2x     (@x[0,4,1,5],4,$bs2,$t2,$t3);
-        &swapmove2x     (@x[2,6,3,7],4,$bs2,$t2,$t3);
-}
-$code.=<<___;
-.type   _bsaes_key_convert,\@abi-omnipotent
-.align  16
-_bsaes_key_convert:
-        _CET_ENDBR
-        lea     .Lmasks(%rip), $const
-        movdqu  ($inp), %xmm7           # load round 0 key
-        lea     0x10($inp), $inp
-        movdqa  0x00($const), %xmm0     # 0x01...
-        movdqa  0x10($const), %xmm1     # 0x02...
-        movdqa  0x20($const), %xmm2     # 0x04...
-        movdqa  0x30($const), %xmm3     # 0x08...
-        movdqa  0x40($const), %xmm4     # .LM0
-        pcmpeqd %xmm5, %xmm5            # .LNOT
-        movdqu  ($inp), %xmm6           # load round 1 key
-        movdqa  %xmm7, ($out)           # save round 0 key
-        lea     0x10($out), $out
-        dec     $rounds
-        jmp     .Lkey_loop
-.align  16
-.Lkey_loop:
-        pshufb  %xmm4, %xmm6            # .LM0
-        movdqa  %xmm0,  %xmm8
-        movdqa  %xmm1,  %xmm9
-        pand    %xmm6,  %xmm8
-        pand    %xmm6,  %xmm9
-        movdqa  %xmm2,  %xmm10
-        pcmpeqb %xmm0,  %xmm8
-        psllq   \$4,    %xmm0           # 0x10...
-        movdqa  %xmm3,  %xmm11
-        pcmpeqb %xmm1,  %xmm9
-        psllq   \$4,    %xmm1           # 0x20...
-        pand    %xmm6,  %xmm10
-        pand    %xmm6,  %xmm11
-        movdqa  %xmm0,  %xmm12
-        pcmpeqb %xmm2,  %xmm10
-        psllq   \$4,    %xmm2           # 0x40...
-        movdqa  %xmm1,  %xmm13
-        pcmpeqb %xmm3,  %xmm11
-        psllq   \$4,    %xmm3           # 0x80...
-        movdqa  %xmm2,  %xmm14
-        movdqa  %xmm3,  %xmm15
-         pxor   %xmm5,  %xmm8           # "pnot"
-         pxor   %xmm5,  %xmm9
-        pand    %xmm6,  %xmm12
-        pand    %xmm6,  %xmm13
-         movdqa %xmm8, 0x00($out)       # write bit-sliced round key
-        pcmpeqb %xmm0,  %xmm12
-        psrlq   \$4,    %xmm0           # 0x01...
-         movdqa %xmm9, 0x10($out)
-        pcmpeqb %xmm1,  %xmm13
-        psrlq   \$4,    %xmm1           # 0x02...
-         lea    0x10($inp), $inp
-        pand    %xmm6,  %xmm14
-        pand    %xmm6,  %xmm15
-         movdqa %xmm10, 0x20($out)
-        pcmpeqb %xmm2,  %xmm14
-        psrlq   \$4,    %xmm2           # 0x04...
-         movdqa %xmm11, 0x30($out)
-        pcmpeqb %xmm3,  %xmm15
-        psrlq   \$4,    %xmm3           # 0x08...
-         movdqu ($inp), %xmm6           # load next round key
-        pxor    %xmm5, %xmm13           # "pnot"
-        pxor    %xmm5, %xmm14
-        movdqa  %xmm12, 0x40($out)
-        movdqa  %xmm13, 0x50($out)
-        movdqa  %xmm14, 0x60($out)
-        movdqa  %xmm15, 0x70($out)
-        lea     0x80($out),$out
-        dec     $rounds
-        jnz     .Lkey_loop
-        movdqa  0x50($const), %xmm7     # .L63
-        #movdqa %xmm6, ($out)           # don't save last round key
-        ret
-.size   _bsaes_key_convert,.-_bsaes_key_convert
-___
-}
-if (0 && !$win64) {     # following four functions are unsupported interface
-                        # used for benchmarking...
-$code.=<<___;
-.globl  bsaes_enc_key_convert
-.type   bsaes_enc_key_convert,\@function,2
-.align  16
-bsaes_enc_key_convert:
-        _CET_ENDBR
-        mov     240($inp),%r10d         # pass rounds
-        mov     $inp,%rcx               # pass key
-        mov     $out,%rax               # pass key schedule
-        call    _bsaes_key_convert
-        pxor    %xmm6,%xmm7             # fix up last round key
-        movdqa  %xmm7,(%rax)            # save last round key
-        ret
-.size   bsaes_enc_key_convert,.-bsaes_enc_key_convert
-.globl  bsaes_encrypt_128
-.type   bsaes_encrypt_128,\@function,4
-.align  16
-bsaes_encrypt_128:
-.Lenc128_loop:
-        _CET_ENDBR
-        movdqu  0x00($inp), @XMM[0]     # load input
-        movdqu  0x10($inp), @XMM[1]
-        movdqu  0x20($inp), @XMM[2]
-        movdqu  0x30($inp), @XMM[3]
-        movdqu  0x40($inp), @XMM[4]
-        movdqu  0x50($inp), @XMM[5]
-        movdqu  0x60($inp), @XMM[6]
-        movdqu  0x70($inp), @XMM[7]
-        mov     $key, %rax              # pass the $key
-        lea     0x80($inp), $inp
-        mov     \$10,%r10d
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        movdqu  @XMM[6], 0x30($out)
-        movdqu  @XMM[3], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[2], 0x60($out)
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-        sub     \$0x80,$len
-        ja      .Lenc128_loop
-        ret
-.size   bsaes_encrypt_128,.-bsaes_encrypt_128
-.globl  bsaes_dec_key_convert
-.type   bsaes_dec_key_convert,\@function,2
-.align  16
-bsaes_dec_key_convert:
-        _CET_ENDBR
-        mov     240($inp),%r10d         # pass rounds
-        mov     $inp,%rcx               # pass key
-        mov     $out,%rax               # pass key schedule
-        call    _bsaes_key_convert
-        pxor    ($out),%xmm7            # fix up round 0 key
-        movdqa  %xmm6,(%rax)            # save last round key
-        movdqa  %xmm7,($out)
-        ret
-.size   bsaes_dec_key_convert,.-bsaes_dec_key_convert
-.globl  bsaes_decrypt_128
-.type   bsaes_decrypt_128,\@function,4
-.align  16
-bsaes_decrypt_128:
-        _CET_ENDBR
-.Ldec128_loop:
-        movdqu  0x00($inp), @XMM[0]     # load input
-        movdqu  0x10($inp), @XMM[1]
-        movdqu  0x20($inp), @XMM[2]
-        movdqu  0x30($inp), @XMM[3]
-        movdqu  0x40($inp), @XMM[4]
-        movdqu  0x50($inp), @XMM[5]
-        movdqu  0x60($inp), @XMM[6]
-        movdqu  0x70($inp), @XMM[7]
-        mov     $key, %rax              # pass the $key
-        lea     0x80($inp), $inp
-        mov     \$10,%r10d
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[3], 0x60($out)
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-        sub     \$0x80,$len
-        ja      .Ldec128_loop
-        ret
-.size   bsaes_decrypt_128,.-bsaes_decrypt_128
-___
-}
-{
-######################################################################
-#
-# OpenSSL interface
-#
-my ($arg1,$arg2,$arg3,$arg4,$arg5,$arg6)=$win64 ? ("%rcx","%rdx","%r8","%r9","%r10","%r11d")
-                                                : ("%rdi","%rsi","%rdx","%rcx","%r8","%r9d");
-my ($inp,$out,$len,$key)=("%r12","%r13","%r14","%r15");
-if ($ecb) {
-$code.=<<___;
-.globl  bsaes_ecb_encrypt_blocks
-.type   bsaes_ecb_encrypt_blocks,\@abi-omnipotent
-.align  16
-bsaes_ecb_encrypt_blocks:
-        _CET_ENDBR
-        mov     %rsp, %rax
-.Lecb_enc_prologue:
-        push    %rbp
-        push    %rbx
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        lea     -0x48(%rsp),%rsp
-___
-$code.=<<___ if ($win64);
-        lea     -0xa0(%rsp), %rsp
-        movaps  %xmm6, 0x40(%rsp)
-        movaps  %xmm7, 0x50(%rsp)
-        movaps  %xmm8, 0x60(%rsp)
-        movaps  %xmm9, 0x70(%rsp)
-        movaps  %xmm10, 0x80(%rsp)
-        movaps  %xmm11, 0x90(%rsp)
-        movaps  %xmm12, 0xa0(%rsp)
-        movaps  %xmm13, 0xb0(%rsp)
-        movaps  %xmm14, 0xc0(%rsp)
-        movaps  %xmm15, 0xd0(%rsp)
-.Lecb_enc_body:
-___
-$code.=<<___;
-        mov     %rsp,%rbp               # backup %rsp
-        mov     240($arg4),%eax         # rounds
-        mov     $arg1,$inp              # backup arguments
-        mov     $arg2,$out
-        mov     $arg3,$len
-        mov     $arg4,$key
-        cmp     \$8,$arg3
-        jb      .Lecb_enc_short
-        mov     %eax,%ebx               # backup rounds
-        shl     \$7,%rax                # 128 bytes per inner round key
-        sub     \$`128-32`,%rax         # size of bit-sliced key schedule
-        sub     %rax,%rsp
-        mov     %rsp,%rax               # pass key schedule
-        mov     $key,%rcx               # pass key
-        mov     %ebx,%r10d              # pass rounds
-        call    _bsaes_key_convert
-        pxor    %xmm6,%xmm7             # fix up last round key
-        movdqa  %xmm7,(%rax)            # save last round key
-        sub     \$8,$len
-.Lecb_enc_loop:
-        movdqu  0x00($inp), @XMM[0]     # load input
-        movdqu  0x10($inp), @XMM[1]
-        movdqu  0x20($inp), @XMM[2]
-        movdqu  0x30($inp), @XMM[3]
-        movdqu  0x40($inp), @XMM[4]
-        movdqu  0x50($inp), @XMM[5]
-        mov     %rsp, %rax              # pass key schedule
-        movdqu  0x60($inp), @XMM[6]
-        mov     %ebx,%r10d              # pass rounds
-        movdqu  0x70($inp), @XMM[7]
-        lea     0x80($inp), $inp
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        movdqu  @XMM[6], 0x30($out)
-        movdqu  @XMM[3], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[2], 0x60($out)
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-        sub     \$8,$len
-        jnc     .Lecb_enc_loop
-        add     \$8,$len
-        jz      .Lecb_enc_done
-        movdqu  0x00($inp), @XMM[0]     # load input
-        mov     %rsp, %rax              # pass key schedule
-        mov     %ebx,%r10d              # pass rounds
-        cmp     \$2,$len
-        jb      .Lecb_enc_one
-        movdqu  0x10($inp), @XMM[1]
-        je      .Lecb_enc_two
-        movdqu  0x20($inp), @XMM[2]
-        cmp     \$4,$len
-        jb      .Lecb_enc_three
-        movdqu  0x30($inp), @XMM[3]
-        je      .Lecb_enc_four
-        movdqu  0x40($inp), @XMM[4]
-        cmp     \$6,$len
-        jb      .Lecb_enc_five
-        movdqu  0x50($inp), @XMM[5]
-        je      .Lecb_enc_six
-        movdqu  0x60($inp), @XMM[6]
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        movdqu  @XMM[6], 0x30($out)
-        movdqu  @XMM[3], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[2], 0x60($out)
-        jmp     .Lecb_enc_done
-.align  16
-.Lecb_enc_six:
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        movdqu  @XMM[6], 0x30($out)
-        movdqu  @XMM[3], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        jmp     .Lecb_enc_done
-.align  16
-.Lecb_enc_five:
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        movdqu  @XMM[6], 0x30($out)
-        movdqu  @XMM[3], 0x40($out)
-        jmp     .Lecb_enc_done
-.align  16
-.Lecb_enc_four:
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        movdqu  @XMM[6], 0x30($out)
-        jmp     .Lecb_enc_done
-.align  16
-.Lecb_enc_three:
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        jmp     .Lecb_enc_done
-.align  16
-.Lecb_enc_two:
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        jmp     .Lecb_enc_done
-.align  16
-.Lecb_enc_one:
-        call    _bsaes_encrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        jmp     .Lecb_enc_done
-.align  16
-.Lecb_enc_short:
-        lea     ($inp), $arg1
-        lea     ($out), $arg2
-        lea     ($key), $arg3
-        call    asm_AES_encrypt
-        lea     16($inp), $inp
-        lea     16($out), $out
-        dec     $len
-        jnz     .Lecb_enc_short
-.Lecb_enc_done:
-        lea     (%rsp),%rax
-        pxor    %xmm0, %xmm0
-.Lecb_enc_bzero:                        # wipe key schedule [if any]
-        movdqa  %xmm0, 0x00(%rax)
-        movdqa  %xmm0, 0x10(%rax)
-        lea     0x20(%rax), %rax
-        cmp     %rax, %rbp
-        jb      .Lecb_enc_bzero
-        lea     (%rbp),%rsp             # restore %rsp
-___
-$code.=<<___ if ($win64);
-        movaps  0x40(%rbp), %xmm6
-        movaps  0x50(%rbp), %xmm7
-        movaps  0x60(%rbp), %xmm8
-        movaps  0x70(%rbp), %xmm9
-        movaps  0x80(%rbp), %xmm10
-        movaps  0x90(%rbp), %xmm11
-        movaps  0xa0(%rbp), %xmm12
-        movaps  0xb0(%rbp), %xmm13
-        movaps  0xc0(%rbp), %xmm14
-        movaps  0xd0(%rbp), %xmm15
-        lea     0xa0(%rbp), %rsp
-___
-$code.=<<___;
-        mov     0x48(%rsp), %r15
-        mov     0x50(%rsp), %r14
-        mov     0x58(%rsp), %r13
-        mov     0x60(%rsp), %r12
-        mov     0x68(%rsp), %rbx
-        mov     0x70(%rsp), %rax
-        lea     0x78(%rsp), %rsp
-        mov     %rax, %rbp
-.Lecb_enc_epilogue:
-        ret
-.size   bsaes_ecb_encrypt_blocks,.-bsaes_ecb_encrypt_blocks
-.globl  bsaes_ecb_decrypt_blocks
-.type   bsaes_ecb_decrypt_blocks,\@abi-omnipotent
-.align  16
-bsaes_ecb_decrypt_blocks:
-        _CET_ENDBR
-        mov     %rsp, %rax
-.Lecb_dec_prologue:
-        push    %rbp
-        push    %rbx
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        lea     -0x48(%rsp),%rsp
-___
-$code.=<<___ if ($win64);
-        lea     -0xa0(%rsp), %rsp
-        movaps  %xmm6, 0x40(%rsp)
-        movaps  %xmm7, 0x50(%rsp)
-        movaps  %xmm8, 0x60(%rsp)
-        movaps  %xmm9, 0x70(%rsp)
-        movaps  %xmm10, 0x80(%rsp)
-        movaps  %xmm11, 0x90(%rsp)
-        movaps  %xmm12, 0xa0(%rsp)
-        movaps  %xmm13, 0xb0(%rsp)
-        movaps  %xmm14, 0xc0(%rsp)
-        movaps  %xmm15, 0xd0(%rsp)
-.Lecb_dec_body:
-___
-$code.=<<___;
-        mov     %rsp,%rbp               # backup %rsp
-        mov     240($arg4),%eax         # rounds
-        mov     $arg1,$inp              # backup arguments
-        mov     $arg2,$out
-        mov     $arg3,$len
-        mov     $arg4,$key
-        cmp     \$8,$arg3
-        jb      .Lecb_dec_short
-        mov     %eax,%ebx               # backup rounds
-        shl     \$7,%rax                # 128 bytes per inner round key
-        sub     \$`128-32`,%rax         # size of bit-sliced key schedule
-        sub     %rax,%rsp
-        mov     %rsp,%rax               # pass key schedule
-        mov     $key,%rcx               # pass key
-        mov     %ebx,%r10d              # pass rounds
-        call    _bsaes_key_convert
-        pxor    (%rsp),%xmm7            # fix up 0 round key
-        movdqa  %xmm6,(%rax)            # save last round key
-        movdqa  %xmm7,(%rsp)
-        sub     \$8,$len
-.Lecb_dec_loop:
-        movdqu  0x00($inp), @XMM[0]     # load input
-        movdqu  0x10($inp), @XMM[1]
-        movdqu  0x20($inp), @XMM[2]
-        movdqu  0x30($inp), @XMM[3]
-        movdqu  0x40($inp), @XMM[4]
-        movdqu  0x50($inp), @XMM[5]
-        mov     %rsp, %rax              # pass key schedule
-        movdqu  0x60($inp), @XMM[6]
-        mov     %ebx,%r10d              # pass rounds
-        movdqu  0x70($inp), @XMM[7]
-        lea     0x80($inp), $inp
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[3], 0x60($out)
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-        sub     \$8,$len
-        jnc     .Lecb_dec_loop
-        add     \$8,$len
-        jz      .Lecb_dec_done
-        movdqu  0x00($inp), @XMM[0]     # load input
-        mov     %rsp, %rax              # pass key schedule
-        mov     %ebx,%r10d              # pass rounds
-        cmp     \$2,$len
-        jb      .Lecb_dec_one
-        movdqu  0x10($inp), @XMM[1]
-        je      .Lecb_dec_two
-        movdqu  0x20($inp), @XMM[2]
-        cmp     \$4,$len
-        jb      .Lecb_dec_three
-        movdqu  0x30($inp), @XMM[3]
-        je      .Lecb_dec_four
-        movdqu  0x40($inp), @XMM[4]
-        cmp     \$6,$len
-        jb      .Lecb_dec_five
-        movdqu  0x50($inp), @XMM[5]
-        je      .Lecb_dec_six
-        movdqu  0x60($inp), @XMM[6]
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[3], 0x60($out)
-        jmp     .Lecb_dec_done
-.align  16
-.Lecb_dec_six:
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        jmp     .Lecb_dec_done
-.align  16
-.Lecb_dec_five:
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        jmp     .Lecb_dec_done
-.align  16
-.Lecb_dec_four:
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        jmp     .Lecb_dec_done
-.align  16
-.Lecb_dec_three:
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        jmp     .Lecb_dec_done
-.align  16
-.Lecb_dec_two:
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        jmp     .Lecb_dec_done
-.align  16
-.Lecb_dec_one:
-        call    _bsaes_decrypt8
-        movdqu  @XMM[0], 0x00($out)     # write output
-        jmp     .Lecb_dec_done
-.align  16
-.Lecb_dec_short:
-        lea     ($inp), $arg1
-        lea     ($out), $arg2
-        lea     ($key), $arg3
-        call    asm_AES_decrypt
-        lea     16($inp), $inp
-        lea     16($out), $out
-        dec     $len
-        jnz     .Lecb_dec_short
-.Lecb_dec_done:
-        lea     (%rsp),%rax
-        pxor    %xmm0, %xmm0
-.Lecb_dec_bzero:                        # wipe key schedule [if any]
-        movdqa  %xmm0, 0x00(%rax)
-        movdqa  %xmm0, 0x10(%rax)
-        lea     0x20(%rax), %rax
-        cmp     %rax, %rbp
-        jb      .Lecb_dec_bzero
-        lea     (%rbp),%rsp             # restore %rsp
-___
-$code.=<<___ if ($win64);
-        movaps  0x40(%rbp), %xmm6
-        movaps  0x50(%rbp), %xmm7
-        movaps  0x60(%rbp), %xmm8
-        movaps  0x70(%rbp), %xmm9
-        movaps  0x80(%rbp), %xmm10
-        movaps  0x90(%rbp), %xmm11
-        movaps  0xa0(%rbp), %xmm12
-        movaps  0xb0(%rbp), %xmm13
-        movaps  0xc0(%rbp), %xmm14
-        movaps  0xd0(%rbp), %xmm15
-        lea     0xa0(%rbp), %rsp
-___
-$code.=<<___;
-        mov     0x48(%rsp), %r15
-        mov     0x50(%rsp), %r14
-        mov     0x58(%rsp), %r13
-        mov     0x60(%rsp), %r12
-        mov     0x68(%rsp), %rbx
-        mov     0x70(%rsp), %rax
-        lea     0x78(%rsp), %rsp
-        mov     %rax, %rbp
-.Lecb_dec_epilogue:
-        ret
-.size   bsaes_ecb_decrypt_blocks,.-bsaes_ecb_decrypt_blocks
-___
-}
-$code.=<<___;
-.extern asm_AES_cbc_encrypt
-.globl  bsaes_cbc_encrypt
-.type   bsaes_cbc_encrypt,\@abi-omnipotent
-.align  16
-bsaes_cbc_encrypt:
-        _CET_ENDBR
-___
-$code.=<<___ if ($win64);
-        mov     48(%rsp),$arg6          # pull direction flag
-___
-$code.=<<___;
-        cmp     \$0,$arg6
-        jne     asm_AES_cbc_encrypt
-        cmp     \$128,$arg3
-        jb      asm_AES_cbc_encrypt
-        mov     %rsp, %rax
-.Lcbc_dec_prologue:
-        push    %rbp
-        push    %rbx
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        lea     -0x48(%rsp), %rsp
-___
-$code.=<<___ if ($win64);
-        mov     0xa0(%rsp),$arg5        # pull ivp
-        lea     -0xa0(%rsp), %rsp
-        movaps  %xmm6, 0x40(%rsp)
-        movaps  %xmm7, 0x50(%rsp)
-        movaps  %xmm8, 0x60(%rsp)
-        movaps  %xmm9, 0x70(%rsp)
-        movaps  %xmm10, 0x80(%rsp)
-        movaps  %xmm11, 0x90(%rsp)
-        movaps  %xmm12, 0xa0(%rsp)
-        movaps  %xmm13, 0xb0(%rsp)
-        movaps  %xmm14, 0xc0(%rsp)
-        movaps  %xmm15, 0xd0(%rsp)
-.Lcbc_dec_body:
-___
-$code.=<<___;
-        mov     %rsp, %rbp              # backup %rsp
-        mov     240($arg4), %eax        # rounds
-        mov     $arg1, $inp             # backup arguments
-        mov     $arg2, $out
-        mov     $arg3, $len
-        mov     $arg4, $key
-        mov     $arg5, %rbx
-        shr     \$4, $len               # bytes to blocks
-        mov     %eax, %edx              # rounds
-        shl     \$7, %rax               # 128 bytes per inner round key
-        sub     \$`128-32`, %rax        # size of bit-sliced key schedule
-        sub     %rax, %rsp
-        mov     %rsp, %rax              # pass key schedule
-        mov     $key, %rcx              # pass key
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_key_convert
-        pxor    (%rsp),%xmm7            # fix up 0 round key
-        movdqa  %xmm6,(%rax)            # save last round key
-        movdqa  %xmm7,(%rsp)
-        movdqu  (%rbx), @XMM[15]        # load IV
-        sub     \$8,$len
-.Lcbc_dec_loop:
-        movdqu  0x00($inp), @XMM[0]     # load input
-        movdqu  0x10($inp), @XMM[1]
-        movdqu  0x20($inp), @XMM[2]
-        movdqu  0x30($inp), @XMM[3]
-        movdqu  0x40($inp), @XMM[4]
-        movdqu  0x50($inp), @XMM[5]
-        mov     %rsp, %rax              # pass key schedule
-        movdqu  0x60($inp), @XMM[6]
-        mov     %edx,%r10d              # pass rounds
-        movdqu  0x70($inp), @XMM[7]
-        movdqa  @XMM[15], 0x20(%rbp)    # put aside IV
-        call    _bsaes_decrypt8
-        pxor    0x20(%rbp), @XMM[0]     # ^= IV
-        movdqu  0x00($inp), @XMM[8]     # re-load input
-        movdqu  0x10($inp), @XMM[9]
-        pxor    @XMM[8], @XMM[1]
-        movdqu  0x20($inp), @XMM[10]
-        pxor    @XMM[9], @XMM[6]
-        movdqu  0x30($inp), @XMM[11]
-        pxor    @XMM[10], @XMM[4]
-        movdqu  0x40($inp), @XMM[12]
-        pxor    @XMM[11], @XMM[2]
-        movdqu  0x50($inp), @XMM[13]
-        pxor    @XMM[12], @XMM[7]
-        movdqu  0x60($inp), @XMM[14]
-        pxor    @XMM[13], @XMM[3]
-        movdqu  0x70($inp), @XMM[15]    # IV
-        pxor    @XMM[14], @XMM[5]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        lea     0x80($inp), $inp
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[3], 0x60($out)
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-        sub     \$8,$len
-        jnc     .Lcbc_dec_loop
-        add     \$8,$len
-        jz      .Lcbc_dec_done
-        movdqu  0x00($inp), @XMM[0]     # load input
-        mov     %rsp, %rax              # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-        cmp     \$2,$len
-        jb      .Lcbc_dec_one
-        movdqu  0x10($inp), @XMM[1]
-        je      .Lcbc_dec_two
-        movdqu  0x20($inp), @XMM[2]
-        cmp     \$4,$len
-        jb      .Lcbc_dec_three
-        movdqu  0x30($inp), @XMM[3]
-        je      .Lcbc_dec_four
-        movdqu  0x40($inp), @XMM[4]
-        cmp     \$6,$len
-        jb      .Lcbc_dec_five
-        movdqu  0x50($inp), @XMM[5]
-        je      .Lcbc_dec_six
-        movdqu  0x60($inp), @XMM[6]
-        movdqa  @XMM[15], 0x20(%rbp)    # put aside IV
-        call    _bsaes_decrypt8
-        pxor    0x20(%rbp), @XMM[0]     # ^= IV
-        movdqu  0x00($inp), @XMM[8]     # re-load input
-        movdqu  0x10($inp), @XMM[9]
-        pxor    @XMM[8], @XMM[1]
-        movdqu  0x20($inp), @XMM[10]
-        pxor    @XMM[9], @XMM[6]
-        movdqu  0x30($inp), @XMM[11]
-        pxor    @XMM[10], @XMM[4]
-        movdqu  0x40($inp), @XMM[12]
-        pxor    @XMM[11], @XMM[2]
-        movdqu  0x50($inp), @XMM[13]
-        pxor    @XMM[12], @XMM[7]
-        movdqu  0x60($inp), @XMM[15]    # IV
-        pxor    @XMM[13], @XMM[3]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[3], 0x60($out)
-        jmp     .Lcbc_dec_done
-.align  16
-.Lcbc_dec_six:
-        movdqa  @XMM[15], 0x20(%rbp)    # put aside IV
-        call    _bsaes_decrypt8
-        pxor    0x20(%rbp), @XMM[0]     # ^= IV
-        movdqu  0x00($inp), @XMM[8]     # re-load input
-        movdqu  0x10($inp), @XMM[9]
-        pxor    @XMM[8], @XMM[1]
-        movdqu  0x20($inp), @XMM[10]
-        pxor    @XMM[9], @XMM[6]
-        movdqu  0x30($inp), @XMM[11]
-        pxor    @XMM[10], @XMM[4]
-        movdqu  0x40($inp), @XMM[12]
-        pxor    @XMM[11], @XMM[2]
-        movdqu  0x50($inp), @XMM[15]    # IV
-        pxor    @XMM[12], @XMM[7]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        jmp     .Lcbc_dec_done
-.align  16
-.Lcbc_dec_five:
-        movdqa  @XMM[15], 0x20(%rbp)    # put aside IV
-        call    _bsaes_decrypt8
-        pxor    0x20(%rbp), @XMM[0]     # ^= IV
-        movdqu  0x00($inp), @XMM[8]     # re-load input
-        movdqu  0x10($inp), @XMM[9]
-        pxor    @XMM[8], @XMM[1]
-        movdqu  0x20($inp), @XMM[10]
-        pxor    @XMM[9], @XMM[6]
-        movdqu  0x30($inp), @XMM[11]
-        pxor    @XMM[10], @XMM[4]
-        movdqu  0x40($inp), @XMM[15]    # IV
-        pxor    @XMM[11], @XMM[2]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        jmp     .Lcbc_dec_done
-.align  16
-.Lcbc_dec_four:
-        movdqa  @XMM[15], 0x20(%rbp)    # put aside IV
-        call    _bsaes_decrypt8
-        pxor    0x20(%rbp), @XMM[0]     # ^= IV
-        movdqu  0x00($inp), @XMM[8]     # re-load input
-        movdqu  0x10($inp), @XMM[9]
-        pxor    @XMM[8], @XMM[1]
-        movdqu  0x20($inp), @XMM[10]
-        pxor    @XMM[9], @XMM[6]
-        movdqu  0x30($inp), @XMM[15]    # IV
-        pxor    @XMM[10], @XMM[4]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        jmp     .Lcbc_dec_done
-.align  16
-.Lcbc_dec_three:
-        movdqa  @XMM[15], 0x20(%rbp)    # put aside IV
-        call    _bsaes_decrypt8
-        pxor    0x20(%rbp), @XMM[0]     # ^= IV
-        movdqu  0x00($inp), @XMM[8]     # re-load input
-        movdqu  0x10($inp), @XMM[9]
-        pxor    @XMM[8], @XMM[1]
-        movdqu  0x20($inp), @XMM[15]    # IV
-        pxor    @XMM[9], @XMM[6]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        jmp     .Lcbc_dec_done
-.align  16
-.Lcbc_dec_two:
-        movdqa  @XMM[15], 0x20(%rbp)    # put aside IV
-        call    _bsaes_decrypt8
-        pxor    0x20(%rbp), @XMM[0]     # ^= IV
-        movdqu  0x00($inp), @XMM[8]     # re-load input
-        movdqu  0x10($inp), @XMM[15]    # IV
-        pxor    @XMM[8], @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        jmp     .Lcbc_dec_done
-.align  16
-.Lcbc_dec_one:
-        lea     ($inp), $arg1
-        lea     0x20(%rbp), $arg2       # buffer output
-        lea     ($key), $arg3
-        call    asm_AES_decrypt         # doesn't touch %xmm
-        pxor    0x20(%rbp), @XMM[15]    # ^= IV
-        movdqu  @XMM[15], ($out)        # write output
-        movdqa  @XMM[0], @XMM[15]       # IV
-.Lcbc_dec_done:
-        movdqu  @XMM[15], (%rbx)        # return IV
-        lea     (%rsp), %rax
-        pxor    %xmm0, %xmm0
-.Lcbc_dec_bzero:                        # wipe key schedule [if any]
-        movdqa  %xmm0, 0x00(%rax)
-        movdqa  %xmm0, 0x10(%rax)
-        lea     0x20(%rax), %rax
-        cmp     %rax, %rbp
-        ja      .Lcbc_dec_bzero
-        lea     (%rbp),%rsp             # restore %rsp
-___
-$code.=<<___ if ($win64);
-        movaps  0x40(%rbp), %xmm6
-        movaps  0x50(%rbp), %xmm7
-        movaps  0x60(%rbp), %xmm8
-        movaps  0x70(%rbp), %xmm9
-        movaps  0x80(%rbp), %xmm10
-        movaps  0x90(%rbp), %xmm11
-        movaps  0xa0(%rbp), %xmm12
-        movaps  0xb0(%rbp), %xmm13
-        movaps  0xc0(%rbp), %xmm14
-        movaps  0xd0(%rbp), %xmm15
-        lea     0xa0(%rbp), %rsp
-___
-$code.=<<___;
-        mov     0x48(%rsp), %r15
-        mov     0x50(%rsp), %r14
-        mov     0x58(%rsp), %r13
-        mov     0x60(%rsp), %r12
-        mov     0x68(%rsp), %rbx
-        mov     0x70(%rsp), %rax
-        lea     0x78(%rsp), %rsp
-        mov     %rax, %rbp
-.Lcbc_dec_epilogue:
-        ret
-.size   bsaes_cbc_encrypt,.-bsaes_cbc_encrypt
-.globl  bsaes_ctr32_encrypt_blocks
-.type   bsaes_ctr32_encrypt_blocks,\@abi-omnipotent
-.align  16
-bsaes_ctr32_encrypt_blocks:
-        _CET_ENDBR
-        mov     %rsp, %rax
-.Lctr_enc_prologue:
-        push    %rbp
-        push    %rbx
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        lea     -0x48(%rsp), %rsp
-___
-$code.=<<___ if ($win64);
-        mov     0xa0(%rsp),$arg5        # pull ivp
-        lea     -0xa0(%rsp), %rsp
-        movaps  %xmm6, 0x40(%rsp)
-        movaps  %xmm7, 0x50(%rsp)
-        movaps  %xmm8, 0x60(%rsp)
-        movaps  %xmm9, 0x70(%rsp)
-        movaps  %xmm10, 0x80(%rsp)
-        movaps  %xmm11, 0x90(%rsp)
-        movaps  %xmm12, 0xa0(%rsp)
-        movaps  %xmm13, 0xb0(%rsp)
-        movaps  %xmm14, 0xc0(%rsp)
-        movaps  %xmm15, 0xd0(%rsp)
-.Lctr_enc_body:
-___
-$code.=<<___;
-        mov     %rsp, %rbp              # backup %rsp
-        movdqu  ($arg5), %xmm0          # load counter
-        mov     240($arg4), %eax        # rounds
-        mov     $arg1, $inp             # backup arguments
-        mov     $arg2, $out
-        mov     $arg3, $len
-        mov     $arg4, $key
-        movdqa  %xmm0, 0x20(%rbp)       # copy counter
-        cmp     \$8, $arg3
-        jb      .Lctr_enc_short
-        mov     %eax, %ebx              # rounds
-        shl     \$7, %rax               # 128 bytes per inner round key
-        sub     \$`128-32`, %rax        # size of bit-sliced key schedule
-        sub     %rax, %rsp
-        mov     %rsp, %rax              # pass key schedule
-        mov     $key, %rcx              # pass key
-        mov     %ebx, %r10d             # pass rounds
-        call    _bsaes_key_convert
-        pxor    %xmm6,%xmm7             # fix up last round key
-        movdqa  %xmm7,(%rax)            # save last round key
-        movdqa  (%rsp), @XMM[9]         # load round0 key
-        lea     .LADD1(%rip), %r11
-        movdqa  0x20(%rbp), @XMM[0]     # counter copy
-        movdqa  -0x20(%r11), @XMM[8]    # .LSWPUP
-        pshufb  @XMM[8], @XMM[9]        # byte swap upper part
-        pshufb  @XMM[8], @XMM[0]
-        movdqa  @XMM[9], (%rsp)         # save adjusted round0 key
-        jmp     .Lctr_enc_loop
-.align  16
-.Lctr_enc_loop:
-        movdqa  @XMM[0], 0x20(%rbp)     # save counter
-        movdqa  @XMM[0], @XMM[1]        # prepare 8 counter values
-        movdqa  @XMM[0], @XMM[2]
-        paddd   0x00(%r11), @XMM[1]     # .LADD1
-        movdqa  @XMM[0], @XMM[3]
-        paddd   0x10(%r11), @XMM[2]     # .LADD2
-        movdqa  @XMM[0], @XMM[4]
-        paddd   0x20(%r11), @XMM[3]     # .LADD3
-        movdqa  @XMM[0], @XMM[5]
-        paddd   0x30(%r11), @XMM[4]     # .LADD4
-        movdqa  @XMM[0], @XMM[6]
-        paddd   0x40(%r11), @XMM[5]     # .LADD5
-        movdqa  @XMM[0], @XMM[7]
-        paddd   0x50(%r11), @XMM[6]     # .LADD6
-        paddd   0x60(%r11), @XMM[7]     # .LADD7
-        # Borrow prologue from _bsaes_encrypt8 to use the opportunity
-        # to flip byte order in 32-bit counter
-        movdqa  (%rsp), @XMM[9]         # round 0 key
-        lea     0x10(%rsp), %rax        # pass key schedule
-        movdqa  -0x10(%r11), @XMM[8]    # .LSWPUPM0SR
-        pxor    @XMM[9], @XMM[0]        # xor with round0 key
-        pxor    @XMM[9], @XMM[1]
-         pshufb @XMM[8], @XMM[0]
-        pxor    @XMM[9], @XMM[2]
-         pshufb @XMM[8], @XMM[1]
-        pxor    @XMM[9], @XMM[3]
-         pshufb @XMM[8], @XMM[2]
-        pxor    @XMM[9], @XMM[4]
-         pshufb @XMM[8], @XMM[3]
-        pxor    @XMM[9], @XMM[5]
-         pshufb @XMM[8], @XMM[4]
-        pxor    @XMM[9], @XMM[6]
-         pshufb @XMM[8], @XMM[5]
-        pxor    @XMM[9], @XMM[7]
-         pshufb @XMM[8], @XMM[6]
-        lea     .LBS0(%rip), %r11       # constants table
-         pshufb @XMM[8], @XMM[7]
-        mov     %ebx,%r10d              # pass rounds
-        call    _bsaes_encrypt8_bitslice
-        sub     \$8,$len
-        jc      .Lctr_enc_loop_done
-        movdqu  0x00($inp), @XMM[8]     # load input
-        movdqu  0x10($inp), @XMM[9]
-        movdqu  0x20($inp), @XMM[10]
-        movdqu  0x30($inp), @XMM[11]
-        movdqu  0x40($inp), @XMM[12]
-        movdqu  0x50($inp), @XMM[13]
-        movdqu  0x60($inp), @XMM[14]
-        movdqu  0x70($inp), @XMM[15]
-        lea     0x80($inp),$inp
-        pxor    @XMM[0], @XMM[8]
-        movdqa  0x20(%rbp), @XMM[0]     # load counter
-        pxor    @XMM[9], @XMM[1]
-        movdqu  @XMM[8], 0x00($out)     # write output
-        pxor    @XMM[10], @XMM[4]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    @XMM[11], @XMM[6]
-        movdqu  @XMM[4], 0x20($out)
-        pxor    @XMM[12], @XMM[3]
-        movdqu  @XMM[6], 0x30($out)
-        pxor    @XMM[13], @XMM[7]
-        movdqu  @XMM[3], 0x40($out)
-        pxor    @XMM[14], @XMM[2]
-        movdqu  @XMM[7], 0x50($out)
-        pxor    @XMM[15], @XMM[5]
-        movdqu  @XMM[2], 0x60($out)
-        lea     .LADD1(%rip), %r11
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-        paddd   0x70(%r11), @XMM[0]     # .LADD8
-        jnz     .Lctr_enc_loop
-        jmp     .Lctr_enc_done
-.align  16
-.Lctr_enc_loop_done:
-        add     \$8, $len
-        movdqu  0x00($inp), @XMM[8]     # load input
-        pxor    @XMM[8], @XMM[0]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        cmp     \$2,$len
-        jb      .Lctr_enc_done
-        movdqu  0x10($inp), @XMM[9]
-        pxor    @XMM[9], @XMM[1]
-        movdqu  @XMM[1], 0x10($out)
-        je      .Lctr_enc_done
-        movdqu  0x20($inp), @XMM[10]
-        pxor    @XMM[10], @XMM[4]
-        movdqu  @XMM[4], 0x20($out)
-        cmp     \$4,$len
-        jb      .Lctr_enc_done
-        movdqu  0x30($inp), @XMM[11]
-        pxor    @XMM[11], @XMM[6]
-        movdqu  @XMM[6], 0x30($out)
-        je      .Lctr_enc_done
-        movdqu  0x40($inp), @XMM[12]
-        pxor    @XMM[12], @XMM[3]
-        movdqu  @XMM[3], 0x40($out)
-        cmp     \$6,$len
-        jb      .Lctr_enc_done
-        movdqu  0x50($inp), @XMM[13]
-        pxor    @XMM[13], @XMM[7]
-        movdqu  @XMM[7], 0x50($out)
-        je      .Lctr_enc_done
-        movdqu  0x60($inp), @XMM[14]
-        pxor    @XMM[14], @XMM[2]
-        movdqu  @XMM[2], 0x60($out)
-        jmp     .Lctr_enc_done
-.align  16
-.Lctr_enc_short:
-        lea     0x20(%rbp), $arg1
-        lea     0x30(%rbp), $arg2
-        lea     ($key), $arg3
-        call    asm_AES_encrypt
-        movdqu  ($inp), @XMM[1]
-        lea     16($inp), $inp
-        mov     0x2c(%rbp), %eax        # load 32-bit counter
-        bswap   %eax
-        pxor    0x30(%rbp), @XMM[1]
-        inc     %eax                    # increment
-        movdqu  @XMM[1], ($out)
-        bswap   %eax
-        lea     16($out), $out
-        mov     %eax, 0x2c(%rsp)        # save 32-bit counter
-        dec     $len
-        jnz     .Lctr_enc_short
-.Lctr_enc_done:
-        lea     (%rsp), %rax
-        pxor    %xmm0, %xmm0
-.Lctr_enc_bzero:                        # wipe key schedule [if any]
-        movdqa  %xmm0, 0x00(%rax)
-        movdqa  %xmm0, 0x10(%rax)
-        lea     0x20(%rax), %rax
-        cmp     %rax, %rbp
-        ja      .Lctr_enc_bzero
-        lea     (%rbp),%rsp             # restore %rsp
-___
-$code.=<<___ if ($win64);
-        movaps  0x40(%rbp), %xmm6
-        movaps  0x50(%rbp), %xmm7
-        movaps  0x60(%rbp), %xmm8
-        movaps  0x70(%rbp), %xmm9
-        movaps  0x80(%rbp), %xmm10
-        movaps  0x90(%rbp), %xmm11
-        movaps  0xa0(%rbp), %xmm12
-        movaps  0xb0(%rbp), %xmm13
-        movaps  0xc0(%rbp), %xmm14
-        movaps  0xd0(%rbp), %xmm15
-        lea     0xa0(%rbp), %rsp
-___
-$code.=<<___;
-        mov     0x48(%rsp), %r15
-        mov     0x50(%rsp), %r14
-        mov     0x58(%rsp), %r13
-        mov     0x60(%rsp), %r12
-        mov     0x68(%rsp), %rbx
-        mov     0x70(%rsp), %rax
-        lea     0x78(%rsp), %rsp
-        mov     %rax, %rbp
-.Lctr_enc_epilogue:
-        ret
-.size   bsaes_ctr32_encrypt_blocks,.-bsaes_ctr32_encrypt_blocks
-___
-######################################################################
-# void bsaes_xts_[en|de]crypt(const char *inp,char *out,size_t len,
-#       const AES_KEY *key1, const AES_KEY *key2,
-#       const unsigned char iv[16]);
-#
-my ($twmask,$twres,$twtmp)=@XMM[13..15];
-$arg6=~s/d$//;
-$code.=<<___;
-.globl  bsaes_xts_encrypt
-.type   bsaes_xts_encrypt,\@abi-omnipotent
-.align  16
-bsaes_xts_encrypt:
-        _CET_ENDBR
-        mov     %rsp, %rax
-.Lxts_enc_prologue:
-        push    %rbp
-        push    %rbx
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        lea     -0x48(%rsp), %rsp
-___
-$code.=<<___ if ($win64);
-        mov     0xa0(%rsp),$arg5        # pull key2
-        mov     0xa8(%rsp),$arg6        # pull ivp
-        lea     -0xa0(%rsp), %rsp
-        movaps  %xmm6, 0x40(%rsp)
-        movaps  %xmm7, 0x50(%rsp)
-        movaps  %xmm8, 0x60(%rsp)
-        movaps  %xmm9, 0x70(%rsp)
-        movaps  %xmm10, 0x80(%rsp)
-        movaps  %xmm11, 0x90(%rsp)
-        movaps  %xmm12, 0xa0(%rsp)
-        movaps  %xmm13, 0xb0(%rsp)
-        movaps  %xmm14, 0xc0(%rsp)
-        movaps  %xmm15, 0xd0(%rsp)
-.Lxts_enc_body:
-___
-$code.=<<___;
-        mov     %rsp, %rbp              # backup %rsp
-        mov     $arg1, $inp             # backup arguments
-        mov     $arg2, $out
-        mov     $arg3, $len
-        mov     $arg4, $key
-        lea     ($arg6), $arg1
-        lea     0x20(%rbp), $arg2
-        lea     ($arg5), $arg3
-        call    asm_AES_encrypt         # generate initial tweak
-        mov     240($key), %eax         # rounds
-        mov     $len, %rbx              # backup $len
-        mov     %eax, %edx              # rounds
-        shl     \$7, %rax               # 128 bytes per inner round key
-        sub     \$`128-32`, %rax        # size of bit-sliced key schedule
-        sub     %rax, %rsp
-        mov     %rsp, %rax              # pass key schedule
-        mov     $key, %rcx              # pass key
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_key_convert
-        pxor    %xmm6, %xmm7            # fix up last round key
-        movdqa  %xmm7, (%rax)           # save last round key
-        and     \$-16, $len
-        sub     \$0x80, %rsp            # place for tweak[8]
-        movdqa  0x20(%rbp), @XMM[7]     # initial tweak
-        pxor    $twtmp, $twtmp
-        movdqa  .Lxts_magic(%rip), $twmask
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-        sub     \$0x80, $len
-        jc      .Lxts_enc_short
-        jmp     .Lxts_enc_loop
-.align  16
-.Lxts_enc_loop:
-___
-    for ($i=0;$i<7;$i++) {
-    $code.=<<___;
-        pshufd  \$0x13, $twtmp, $twres
-        pxor    $twtmp, $twtmp
-        movdqa  @XMM[7], @XMM[$i]
-        movdqa  @XMM[7], `0x10*$i`(%rsp)# save tweak[$i]
-        paddq   @XMM[7], @XMM[7]        # psllq 1,$tweak
-        pand    $twmask, $twres         # isolate carry and residue
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-        pxor    $twres, @XMM[7]
-___
-    $code.=<<___ if ($i>=1);
-        movdqu  `0x10*($i-1)`($inp), @XMM[8+$i-1]
-___
-    $code.=<<___ if ($i>=2);
-        pxor    @XMM[8+$i-2], @XMM[$i-2]# input[] ^ tweak[]
-___
-    }
-$code.=<<___;
-        movdqu  0x60($inp), @XMM[8+6]
-        pxor    @XMM[8+5], @XMM[5]
-        movdqu  0x70($inp), @XMM[8+7]
-        lea     0x80($inp), $inp
-        movdqa  @XMM[7], 0x70(%rsp)
-        pxor    @XMM[8+6], @XMM[6]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        pxor    @XMM[8+7], @XMM[7]
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_encrypt8
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[4]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[6]
-        movdqu  @XMM[4], 0x20($out)
-        pxor    0x40(%rsp), @XMM[3]
-        movdqu  @XMM[6], 0x30($out)
-        pxor    0x50(%rsp), @XMM[7]
-        movdqu  @XMM[3], 0x40($out)
-        pxor    0x60(%rsp), @XMM[2]
-        movdqu  @XMM[7], 0x50($out)
-        pxor    0x70(%rsp), @XMM[5]
-        movdqu  @XMM[2], 0x60($out)
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-        movdqa  0x70(%rsp), @XMM[7]     # prepare next iteration tweak
-        pxor    $twtmp, $twtmp
-        movdqa  .Lxts_magic(%rip), $twmask
-        pcmpgtd @XMM[7], $twtmp
-        pshufd  \$0x13, $twtmp, $twres
-        pxor    $twtmp, $twtmp
-        paddq   @XMM[7], @XMM[7]        # psllq 1,$tweak
-        pand    $twmask, $twres         # isolate carry and residue
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-        pxor    $twres, @XMM[7]
-        sub     \$0x80,$len
-        jnc     .Lxts_enc_loop
-.Lxts_enc_short:
-        add     \$0x80, $len
-        jz      .Lxts_enc_done
-___
-    for ($i=0;$i<7;$i++) {
-    $code.=<<___;
-        pshufd  \$0x13, $twtmp, $twres
-        pxor    $twtmp, $twtmp
-        movdqa  @XMM[7], @XMM[$i]
-        movdqa  @XMM[7], `0x10*$i`(%rsp)# save tweak[$i]
-        paddq   @XMM[7], @XMM[7]        # psllq 1,$tweak
-        pand    $twmask, $twres         # isolate carry and residue
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-        pxor    $twres, @XMM[7]
-___
-    $code.=<<___ if ($i>=1);
-        movdqu  `0x10*($i-1)`($inp), @XMM[8+$i-1]
-        cmp     \$`0x10*$i`,$len
-        je      .Lxts_enc_$i
-___
-    $code.=<<___ if ($i>=2);
-        pxor    @XMM[8+$i-2], @XMM[$i-2]# input[] ^ tweak[]
-___
-    }
-$code.=<<___;
-        movdqu  0x60($inp), @XMM[8+6]
-        pxor    @XMM[8+5], @XMM[5]
-        movdqa  @XMM[7], 0x70(%rsp)
-        lea     0x70($inp), $inp
-        pxor    @XMM[8+6], @XMM[6]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_encrypt8
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[4]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[6]
-        movdqu  @XMM[4], 0x20($out)
-        pxor    0x40(%rsp), @XMM[3]
-        movdqu  @XMM[6], 0x30($out)
-        pxor    0x50(%rsp), @XMM[7]
-        movdqu  @XMM[3], 0x40($out)
-        pxor    0x60(%rsp), @XMM[2]
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[2], 0x60($out)
-        lea     0x70($out), $out
-        movdqa  0x70(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_enc_done
-.align  16
-.Lxts_enc_6:
-        pxor    @XMM[8+4], @XMM[4]
-        lea     0x60($inp), $inp
-        pxor    @XMM[8+5], @XMM[5]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_encrypt8
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[4]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[6]
-        movdqu  @XMM[4], 0x20($out)
-        pxor    0x40(%rsp), @XMM[3]
-        movdqu  @XMM[6], 0x30($out)
-        pxor    0x50(%rsp), @XMM[7]
-        movdqu  @XMM[3], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        lea     0x60($out), $out
-        movdqa  0x60(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_enc_done
-.align  16
-.Lxts_enc_5:
-        pxor    @XMM[8+3], @XMM[3]
-        lea     0x50($inp), $inp
-        pxor    @XMM[8+4], @XMM[4]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_encrypt8
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[4]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[6]
-        movdqu  @XMM[4], 0x20($out)
-        pxor    0x40(%rsp), @XMM[3]
-        movdqu  @XMM[6], 0x30($out)
-        movdqu  @XMM[3], 0x40($out)
-        lea     0x50($out), $out
-        movdqa  0x50(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_enc_done
-.align  16
-.Lxts_enc_4:
-        pxor    @XMM[8+2], @XMM[2]
-        lea     0x40($inp), $inp
-        pxor    @XMM[8+3], @XMM[3]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_encrypt8
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[4]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[6]
-        movdqu  @XMM[4], 0x20($out)
-        movdqu  @XMM[6], 0x30($out)
-        lea     0x40($out), $out
-        movdqa  0x40(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_enc_done
-.align  16
-.Lxts_enc_3:
-        pxor    @XMM[8+1], @XMM[1]
-        lea     0x30($inp), $inp
-        pxor    @XMM[8+2], @XMM[2]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_encrypt8
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[4]
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[4], 0x20($out)
-        lea     0x30($out), $out
-        movdqa  0x30(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_enc_done
-.align  16
-.Lxts_enc_2:
-        pxor    @XMM[8+0], @XMM[0]
-        lea     0x20($inp), $inp
-        pxor    @XMM[8+1], @XMM[1]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_encrypt8
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        lea     0x20($out), $out
-        movdqa  0x20(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_enc_done
-.align  16
-.Lxts_enc_1:
-        pxor    @XMM[0], @XMM[8]
-        lea     0x10($inp), $inp
-        movdqa  @XMM[8], 0x20(%rbp)
-        lea     0x20(%rbp), $arg1
-        lea     0x20(%rbp), $arg2
-        lea     ($key), $arg3
-        call    asm_AES_encrypt         # doesn't touch %xmm
-        pxor    0x20(%rbp), @XMM[0]     # ^= tweak[]
-        #pxor   @XMM[8], @XMM[0]
-        #lea    0x80(%rsp), %rax        # pass key schedule
-        #mov    %edx, %r10d             # pass rounds
-        #call   _bsaes_encrypt8
-        #pxor   0x00(%rsp), @XMM[0]     # ^= tweak[]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        lea     0x10($out), $out
-        movdqa  0x10(%rsp), @XMM[7]     # next iteration tweak
-.Lxts_enc_done:
-        and     \$15, %ebx
-        jz      .Lxts_enc_ret
-        mov     $out, %rdx
-.Lxts_enc_steal:
-        movzb   ($inp), %eax
-        movzb   -16(%rdx), %ecx
-        lea     1($inp), $inp
-        mov     %al, -16(%rdx)
-        mov     %cl, 0(%rdx)
-        lea     1(%rdx), %rdx
-        sub     \$1,%ebx
-        jnz     .Lxts_enc_steal
-        movdqu  -16($out), @XMM[0]
-        lea     0x20(%rbp), $arg1
-        pxor    @XMM[7], @XMM[0]
-        lea     0x20(%rbp), $arg2
-        movdqa  @XMM[0], 0x20(%rbp)
-        lea     ($key), $arg3
-        call    asm_AES_encrypt         # doesn't touch %xmm
-        pxor    0x20(%rbp), @XMM[7]
-        movdqu  @XMM[7], -16($out)
-.Lxts_enc_ret:
-        lea     (%rsp), %rax
-        pxor    %xmm0, %xmm0
-.Lxts_enc_bzero:                        # wipe key schedule [if any]
-        movdqa  %xmm0, 0x00(%rax)
-        movdqa  %xmm0, 0x10(%rax)
-        lea     0x20(%rax), %rax
-        cmp     %rax, %rbp
-        ja      .Lxts_enc_bzero
-        lea     (%rbp),%rsp             # restore %rsp
-___
-$code.=<<___ if ($win64);
-        movaps  0x40(%rbp), %xmm6
-        movaps  0x50(%rbp), %xmm7
-        movaps  0x60(%rbp), %xmm8
-        movaps  0x70(%rbp), %xmm9
-        movaps  0x80(%rbp), %xmm10
-        movaps  0x90(%rbp), %xmm11
-        movaps  0xa0(%rbp), %xmm12
-        movaps  0xb0(%rbp), %xmm13
-        movaps  0xc0(%rbp), %xmm14
-        movaps  0xd0(%rbp), %xmm15
-        lea     0xa0(%rbp), %rsp
-___
-$code.=<<___;
-        mov     0x48(%rsp), %r15
-        mov     0x50(%rsp), %r14
-        mov     0x58(%rsp), %r13
-        mov     0x60(%rsp), %r12
-        mov     0x68(%rsp), %rbx
-        mov     0x70(%rsp), %rax
-        lea     0x78(%rsp), %rsp
-        mov     %rax, %rbp
-.Lxts_enc_epilogue:
-        ret
-.size   bsaes_xts_encrypt,.-bsaes_xts_encrypt
-.globl  bsaes_xts_decrypt
-.type   bsaes_xts_decrypt,\@abi-omnipotent
-.align  16
-bsaes_xts_decrypt:
-        _CET_ENDBR
-        mov     %rsp, %rax
-.Lxts_dec_prologue:
-        push    %rbp
-        push    %rbx
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        lea     -0x48(%rsp), %rsp
-___
-$code.=<<___ if ($win64);
-        mov     0xa0(%rsp),$arg5        # pull key2
-        mov     0xa8(%rsp),$arg6        # pull ivp
-        lea     -0xa0(%rsp), %rsp
-        movaps  %xmm6, 0x40(%rsp)
-        movaps  %xmm7, 0x50(%rsp)
-        movaps  %xmm8, 0x60(%rsp)
-        movaps  %xmm9, 0x70(%rsp)
-        movaps  %xmm10, 0x80(%rsp)
-        movaps  %xmm11, 0x90(%rsp)
-        movaps  %xmm12, 0xa0(%rsp)
-        movaps  %xmm13, 0xb0(%rsp)
-        movaps  %xmm14, 0xc0(%rsp)
-        movaps  %xmm15, 0xd0(%rsp)
-.Lxts_dec_body:
-___
-$code.=<<___;
-        mov     %rsp, %rbp              # backup %rsp
-        mov     $arg1, $inp             # backup arguments
-        mov     $arg2, $out
-        mov     $arg3, $len
-        mov     $arg4, $key
-        lea     ($arg6), $arg1
-        lea     0x20(%rbp), $arg2
-        lea     ($arg5), $arg3
-        call    asm_AES_encrypt         # generate initial tweak
-        mov     240($key), %eax         # rounds
-        mov     $len, %rbx              # backup $len
-        mov     %eax, %edx              # rounds
-        shl     \$7, %rax               # 128 bytes per inner round key
-        sub     \$`128-32`, %rax        # size of bit-sliced key schedule
-        sub     %rax, %rsp
-        mov     %rsp, %rax              # pass key schedule
-        mov     $key, %rcx              # pass key
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_key_convert
-        pxor    (%rsp), %xmm7           # fix up round 0 key
-        movdqa  %xmm6, (%rax)           # save last round key
-        movdqa  %xmm7, (%rsp)
-        xor     %eax, %eax              # if ($len%16) len-=16;
-        and     \$-16, $len
-        test    \$15, %ebx
-        setnz   %al
-        shl     \$4, %rax
-        sub     %rax, $len
-        sub     \$0x80, %rsp            # place for tweak[8]
-        movdqa  0x20(%rbp), @XMM[7]     # initial tweak
-        pxor    $twtmp, $twtmp
-        movdqa  .Lxts_magic(%rip), $twmask
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-        sub     \$0x80, $len
-        jc      .Lxts_dec_short
-        jmp     .Lxts_dec_loop
-.align  16
-.Lxts_dec_loop:
-___
-    for ($i=0;$i<7;$i++) {
-    $code.=<<___;
-        pshufd  \$0x13, $twtmp, $twres
-        pxor    $twtmp, $twtmp
-        movdqa  @XMM[7], @XMM[$i]
-        movdqa  @XMM[7], `0x10*$i`(%rsp)# save tweak[$i]
-        paddq   @XMM[7], @XMM[7]        # psllq 1,$tweak
-        pand    $twmask, $twres         # isolate carry and residue
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-        pxor    $twres, @XMM[7]
-___
-    $code.=<<___ if ($i>=1);
-        movdqu  `0x10*($i-1)`($inp), @XMM[8+$i-1]
-___
-    $code.=<<___ if ($i>=2);
-        pxor    @XMM[8+$i-2], @XMM[$i-2]# input[] ^ tweak[]
-___
-    }
-$code.=<<___;
-        movdqu  0x60($inp), @XMM[8+6]
-        pxor    @XMM[8+5], @XMM[5]
-        movdqu  0x70($inp), @XMM[8+7]
-        lea     0x80($inp), $inp
-        movdqa  @XMM[7], 0x70(%rsp)
-        pxor    @XMM[8+6], @XMM[6]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        pxor    @XMM[8+7], @XMM[7]
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_decrypt8
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[6]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[4]
-        movdqu  @XMM[6], 0x20($out)
-        pxor    0x40(%rsp), @XMM[2]
-        movdqu  @XMM[4], 0x30($out)
-        pxor    0x50(%rsp), @XMM[7]
-        movdqu  @XMM[2], 0x40($out)
-        pxor    0x60(%rsp), @XMM[3]
-        movdqu  @XMM[7], 0x50($out)
-        pxor    0x70(%rsp), @XMM[5]
-        movdqu  @XMM[3], 0x60($out)
-        movdqu  @XMM[5], 0x70($out)
-        lea     0x80($out), $out
-        movdqa  0x70(%rsp), @XMM[7]     # prepare next iteration tweak
-        pxor    $twtmp, $twtmp
-        movdqa  .Lxts_magic(%rip), $twmask
-        pcmpgtd @XMM[7], $twtmp
-        pshufd  \$0x13, $twtmp, $twres
-        pxor    $twtmp, $twtmp
-        paddq   @XMM[7], @XMM[7]        # psllq 1,$tweak
-        pand    $twmask, $twres         # isolate carry and residue
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-        pxor    $twres, @XMM[7]
-        sub     \$0x80,$len
-        jnc     .Lxts_dec_loop
-.Lxts_dec_short:
-        add     \$0x80, $len
-        jz      .Lxts_dec_done
-___
-    for ($i=0;$i<7;$i++) {
-    $code.=<<___;
-        pshufd  \$0x13, $twtmp, $twres
-        pxor    $twtmp, $twtmp
-        movdqa  @XMM[7], @XMM[$i]
-        movdqa  @XMM[7], `0x10*$i`(%rsp)# save tweak[$i]
-        paddq   @XMM[7], @XMM[7]        # psllq 1,$tweak
-        pand    $twmask, $twres         # isolate carry and residue
-        pcmpgtd @XMM[7], $twtmp         # broadcast upper bits
-        pxor    $twres, @XMM[7]
-___
-    $code.=<<___ if ($i>=1);
-        movdqu  `0x10*($i-1)`($inp), @XMM[8+$i-1]
-        cmp     \$`0x10*$i`,$len
-        je      .Lxts_dec_$i
-___
-    $code.=<<___ if ($i>=2);
-        pxor    @XMM[8+$i-2], @XMM[$i-2]# input[] ^ tweak[]
-___
-    }
-$code.=<<___;
-        movdqu  0x60($inp), @XMM[8+6]
-        pxor    @XMM[8+5], @XMM[5]
-        movdqa  @XMM[7], 0x70(%rsp)
-        lea     0x70($inp), $inp
-        pxor    @XMM[8+6], @XMM[6]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_decrypt8
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[6]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[4]
-        movdqu  @XMM[6], 0x20($out)
-        pxor    0x40(%rsp), @XMM[2]
-        movdqu  @XMM[4], 0x30($out)
-        pxor    0x50(%rsp), @XMM[7]
-        movdqu  @XMM[2], 0x40($out)
-        pxor    0x60(%rsp), @XMM[3]
-        movdqu  @XMM[7], 0x50($out)
-        movdqu  @XMM[3], 0x60($out)
-        lea     0x70($out), $out
-        movdqa  0x70(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_dec_done
-.align  16
-.Lxts_dec_6:
-        pxor    @XMM[8+4], @XMM[4]
-        lea     0x60($inp), $inp
-        pxor    @XMM[8+5], @XMM[5]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_decrypt8
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[6]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[4]
-        movdqu  @XMM[6], 0x20($out)
-        pxor    0x40(%rsp), @XMM[2]
-        movdqu  @XMM[4], 0x30($out)
-        pxor    0x50(%rsp), @XMM[7]
-        movdqu  @XMM[2], 0x40($out)
-        movdqu  @XMM[7], 0x50($out)
-        lea     0x60($out), $out
-        movdqa  0x60(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_dec_done
-.align  16
-.Lxts_dec_5:
-        pxor    @XMM[8+3], @XMM[3]
-        lea     0x50($inp), $inp
-        pxor    @XMM[8+4], @XMM[4]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_decrypt8
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[6]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[4]
-        movdqu  @XMM[6], 0x20($out)
-        pxor    0x40(%rsp), @XMM[2]
-        movdqu  @XMM[4], 0x30($out)
-        movdqu  @XMM[2], 0x40($out)
-        lea     0x50($out), $out
-        movdqa  0x50(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_dec_done
-.align  16
-.Lxts_dec_4:
-        pxor    @XMM[8+2], @XMM[2]
-        lea     0x40($inp), $inp
-        pxor    @XMM[8+3], @XMM[3]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_decrypt8
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[6]
-        movdqu  @XMM[1], 0x10($out)
-        pxor    0x30(%rsp), @XMM[4]
-        movdqu  @XMM[6], 0x20($out)
-        movdqu  @XMM[4], 0x30($out)
-        lea     0x40($out), $out
-        movdqa  0x40(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_dec_done
-.align  16
-.Lxts_dec_3:
-        pxor    @XMM[8+1], @XMM[1]
-        lea     0x30($inp), $inp
-        pxor    @XMM[8+2], @XMM[2]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_decrypt8
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        pxor    0x20(%rsp), @XMM[6]
-        movdqu  @XMM[1], 0x10($out)
-        movdqu  @XMM[6], 0x20($out)
-        lea     0x30($out), $out
-        movdqa  0x30(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_dec_done
-.align  16
-.Lxts_dec_2:
-        pxor    @XMM[8+0], @XMM[0]
-        lea     0x20($inp), $inp
-        pxor    @XMM[8+1], @XMM[1]
-        lea     0x80(%rsp), %rax        # pass key schedule
-        mov     %edx, %r10d             # pass rounds
-        call    _bsaes_decrypt8
-        pxor    0x00(%rsp), @XMM[0]     # ^= tweak[]
-        pxor    0x10(%rsp), @XMM[1]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        movdqu  @XMM[1], 0x10($out)
-        lea     0x20($out), $out
-        movdqa  0x20(%rsp), @XMM[7]     # next iteration tweak
-        jmp     .Lxts_dec_done
-.align  16
-.Lxts_dec_1:
-        pxor    @XMM[0], @XMM[8]
-        lea     0x10($inp), $inp
-        movdqa  @XMM[8], 0x20(%rbp)
-        lea     0x20(%rbp), $arg1
-        lea     0x20(%rbp), $arg2
-        lea     ($key), $arg3
-        call    asm_AES_decrypt         # doesn't touch %xmm
-        pxor    0x20(%rbp), @XMM[0]     # ^= tweak[]
-        #pxor   @XMM[8], @XMM[0]
-        #lea    0x80(%rsp), %rax        # pass key schedule
-        #mov    %edx, %r10d             # pass rounds
-        #call   _bsaes_decrypt8
-        #pxor   0x00(%rsp), @XMM[0]     # ^= tweak[]
-        movdqu  @XMM[0], 0x00($out)     # write output
-        lea     0x10($out), $out
-        movdqa  0x10(%rsp), @XMM[7]     # next iteration tweak
-.Lxts_dec_done:
-        and     \$15, %ebx
-        jz      .Lxts_dec_ret
-        pxor    $twtmp, $twtmp
-        movdqa  .Lxts_magic(%rip), $twmask
-        pcmpgtd @XMM[7], $twtmp
-        pshufd  \$0x13, $twtmp, $twres
-        movdqa  @XMM[7], @XMM[6]
-        paddq   @XMM[7], @XMM[7]        # psllq 1,$tweak
-        pand    $twmask, $twres         # isolate carry and residue
-        movdqu  ($inp), @XMM[0]
-        pxor    $twres, @XMM[7]
-        lea     0x20(%rbp), $arg1
-        pxor    @XMM[7], @XMM[0]
-        lea     0x20(%rbp), $arg2
-        movdqa  @XMM[0], 0x20(%rbp)
-        lea     ($key), $arg3
-        call    asm_AES_decrypt         # doesn't touch %xmm
-        pxor    0x20(%rbp), @XMM[7]
-        mov     $out, %rdx
-        movdqu  @XMM[7], ($out)
-.Lxts_dec_steal:
-        movzb   16($inp), %eax
-        movzb   (%rdx), %ecx
-        lea     1($inp), $inp
-        mov     %al, (%rdx)
-        mov     %cl, 16(%rdx)
-        lea     1(%rdx), %rdx
-        sub     \$1,%ebx
-        jnz     .Lxts_dec_steal
-        movdqu  ($out), @XMM[0]
-        lea     0x20(%rbp), $arg1
-        pxor    @XMM[6], @XMM[0]
-        lea     0x20(%rbp), $arg2
-        movdqa  @XMM[0], 0x20(%rbp)
-        lea     ($key), $arg3
-        call    asm_AES_decrypt         # doesn't touch %xmm
-        pxor    0x20(%rbp), @XMM[6]
-        movdqu  @XMM[6], ($out)
-.Lxts_dec_ret:
-        lea     (%rsp), %rax
-        pxor    %xmm0, %xmm0
-.Lxts_dec_bzero:                        # wipe key schedule [if any]
-        movdqa  %xmm0, 0x00(%rax)
-        movdqa  %xmm0, 0x10(%rax)
-        lea     0x20(%rax), %rax
-        cmp     %rax, %rbp
-        ja      .Lxts_dec_bzero
-        lea     (%rbp),%rsp             # restore %rsp
-___
-$code.=<<___ if ($win64);
-        movaps  0x40(%rbp), %xmm6
-        movaps  0x50(%rbp), %xmm7
-        movaps  0x60(%rbp), %xmm8
-        movaps  0x70(%rbp), %xmm9
-        movaps  0x80(%rbp), %xmm10
-        movaps  0x90(%rbp), %xmm11
-        movaps  0xa0(%rbp), %xmm12
-        movaps  0xb0(%rbp), %xmm13
-        movaps  0xc0(%rbp), %xmm14
-        movaps  0xd0(%rbp), %xmm15
-        lea     0xa0(%rbp), %rsp
-___
-$code.=<<___;
-        mov     0x48(%rsp), %r15
-        mov     0x50(%rsp), %r14
-        mov     0x58(%rsp), %r13
-        mov     0x60(%rsp), %r12
-        mov     0x68(%rsp), %rbx
-        mov     0x70(%rsp), %rax
-        lea     0x78(%rsp), %rsp
-        mov     %rax, %rbp
-.Lxts_dec_epilogue:
-        ret
-.size   bsaes_xts_decrypt,.-bsaes_xts_decrypt
-___
-}
-$code.=<<___;
-.section .rodata
-.type   _bsaes_const,\@object
-.align  64
-_bsaes_const:
-.LM0ISR:        # InvShiftRows constants
-        .quad   0x0a0e0206070b0f03, 0x0004080c0d010509
-.LISRM0:
-        .quad   0x01040b0e0205080f, 0x0306090c00070a0d
-.LISR:
-        .quad   0x0504070602010003, 0x0f0e0d0c080b0a09
-.LBS0:          # bit-slice constants
-        .quad   0x5555555555555555, 0x5555555555555555
-.LBS1:
-        .quad   0x3333333333333333, 0x3333333333333333
-.LBS2:
-        .quad   0x0f0f0f0f0f0f0f0f, 0x0f0f0f0f0f0f0f0f
-.LSR:           # shiftrows constants
-        .quad   0x0504070600030201, 0x0f0e0d0c0a09080b
-.LSRM0:
-        .quad   0x0304090e00050a0f, 0x01060b0c0207080d
-.LM0SR:
-        .quad   0x0a0e02060f03070b, 0x0004080c05090d01
-.LSWPUP:        # byte-swap upper dword
-        .quad   0x0706050403020100, 0x0c0d0e0f0b0a0908
-.LSWPUPM0SR:
-        .quad   0x0a0d02060c03070b, 0x0004080f05090e01
-.LADD1:         # counter increment constants
-        .quad   0x0000000000000000, 0x0000000100000000
-.LADD2:
-        .quad   0x0000000000000000, 0x0000000200000000
-.LADD3:
-        .quad   0x0000000000000000, 0x0000000300000000
-.LADD4:
-        .quad   0x0000000000000000, 0x0000000400000000
-.LADD5:
-        .quad   0x0000000000000000, 0x0000000500000000
-.LADD6:
-        .quad   0x0000000000000000, 0x0000000600000000
-.LADD7:
-        .quad   0x0000000000000000, 0x0000000700000000
-.LADD8:
-        .quad   0x0000000000000000, 0x0000000800000000
-.Lxts_magic:
-        .long   0x87,0,1,0
-.Lmasks:
-        .quad   0x0101010101010101, 0x0101010101010101
-        .quad   0x0202020202020202, 0x0202020202020202
-        .quad   0x0404040404040404, 0x0404040404040404
-        .quad   0x0808080808080808, 0x0808080808080808
-.LM0:
-        .quad   0x02060a0e03070b0f, 0x0004080c0105090d
-.L63:
-        .quad   0x6363636363636363, 0x6363636363636363
-.align  64
-.size   _bsaes_const,.-_bsaes_const
-.text
-___
-# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
-#               CONTEXT *context,DISPATCHER_CONTEXT *disp)
-if ($win64) {
-$rec="%rcx";
-$frame="%rdx";
-$context="%r8";
-$disp="%r9";
-$code.=<<___;
-.extern __imp_RtlVirtualUnwind
-.type   se_handler,\@abi-omnipotent
-.align  16
-se_handler:
-        _CET_ENDBR
-        push    %rsi
-        push    %rdi
-        push    %rbx
-        push    %rbp
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        pushfq
-        sub     \$64,%rsp
-        mov     120($context),%rax      # pull context->Rax
-        mov     248($context),%rbx      # pull context->Rip
-        mov     8($disp),%rsi           # disp->ImageBase
-        mov     56($disp),%r11          # disp->HandlerData
-        mov     0(%r11),%r10d           # HandlerData[0]
-        lea     (%rsi,%r10),%r10        # prologue label
-        cmp     %r10,%rbx               # context->Rip<prologue label
-        jb      .Lin_prologue
-        mov     152($context),%rax      # pull context->Rsp
-        mov     4(%r11),%r10d           # HandlerData[1]
-        lea     (%rsi,%r10),%r10        # epilogue label
-        cmp     %r10,%rbx               # context->Rip>=epilogue label
-        jae     .Lin_prologue
-        mov     160($context),%rax      # pull context->Rbp
-        lea     0x40(%rax),%rsi         # %xmm save area
-        lea     512($context),%rdi      # &context.Xmm6
-        mov     \$20,%ecx               # 10*sizeof(%xmm0)/sizeof(%rax)
-        .long   0xa548f3fc              # cld; rep movsq
-        lea     0xa0(%rax),%rax         # adjust stack pointer
-        mov     0x70(%rax),%rbp
-        mov     0x68(%rax),%rbx
-        mov     0x60(%rax),%r12
-        mov     0x58(%rax),%r13
-        mov     0x50(%rax),%r14
-        mov     0x48(%rax),%r15
-        lea     0x78(%rax),%rax         # adjust stack pointer
-        mov     %rbx,144($context)      # restore context->Rbx
-        mov     %rbp,160($context)      # restore context->Rbp
-        mov     %r12,216($context)      # restore context->R12
-        mov     %r13,224($context)      # restore context->R13
-        mov     %r14,232($context)      # restore context->R14
-        mov     %r15,240($context)      # restore context->R15
-.Lin_prologue:
-        mov     %rax,152($context)      # restore context->Rsp
-        mov     40($disp),%rdi          # disp->ContextRecord
-        mov     $context,%rsi           # context
-        mov     \$`1232/8`,%ecx         # sizeof(CONTEXT)
-        .long   0xa548f3fc              # cld; rep movsq
-        mov     $disp,%rsi
-        xor     %rcx,%rcx               # arg1, UNW_FLAG_NHANDLER
-        mov     8(%rsi),%rdx            # arg2, disp->ImageBase
-        mov     0(%rsi),%r8             # arg3, disp->ControlPc
-        mov     16(%rsi),%r9            # arg4, disp->FunctionEntry
-        mov     40(%rsi),%r10           # disp->ContextRecord
-        lea     56(%rsi),%r11           # &disp->HandlerData
-        lea     24(%rsi),%r12           # &disp->EstablisherFrame
-        mov     %r10,32(%rsp)           # arg5
-        mov     %r11,40(%rsp)           # arg6
-        mov     %r12,48(%rsp)           # arg7
-        mov     %rcx,56(%rsp)           # arg8, (NULL)
-        call    *__imp_RtlVirtualUnwind(%rip)
-        mov     \$1,%eax                # ExceptionContinueSearch
-        add     \$64,%rsp
-        popfq
-        pop     %r15
-        pop     %r14
-        pop     %r13
-        pop     %r12
-        pop     %rbp
-        pop     %rbx
-        pop     %rdi
-        pop     %rsi
-        ret
-.size   se_handler,.-se_handler
-.section        .pdata
-.align  4
-___
-$code.=<<___ if ($ecb);
-        .rva    .Lecb_enc_prologue
-        .rva    .Lecb_enc_epilogue
-        .rva    .Lecb_enc_info
-        .rva    .Lecb_dec_prologue
-        .rva    .Lecb_dec_epilogue
-        .rva    .Lecb_dec_info
-___
-$code.=<<___;
-        .rva    .Lcbc_dec_prologue
-        .rva    .Lcbc_dec_epilogue
-        .rva    .Lcbc_dec_info
-        .rva    .Lctr_enc_prologue
-        .rva    .Lctr_enc_epilogue
-        .rva    .Lctr_enc_info
-        .rva    .Lxts_enc_prologue
-        .rva    .Lxts_enc_epilogue
-        .rva    .Lxts_enc_info
-        .rva    .Lxts_dec_prologue
-        .rva    .Lxts_dec_epilogue
-        .rva    .Lxts_dec_info
-.section        .xdata
-.align  8
-___
-$code.=<<___ if ($ecb);
-.Lecb_enc_info:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lecb_enc_body,.Lecb_enc_epilogue       # HandlerData[]
-.Lecb_dec_info:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lecb_dec_body,.Lecb_dec_epilogue       # HandlerData[]
-___
-$code.=<<___;
-.Lcbc_dec_info:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lcbc_dec_body,.Lcbc_dec_epilogue       # HandlerData[]
-.Lctr_enc_info:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lctr_enc_body,.Lctr_enc_epilogue       # HandlerData[]
-.Lxts_enc_info:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lxts_enc_body,.Lxts_enc_epilogue       # HandlerData[]
-.Lxts_dec_info:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lxts_dec_body,.Lxts_dec_epilogue       # HandlerData[]
-___
-}
-$code =~ s/\`([^\`]*)\`/eval($1)/gem;
-print $code;
-close STDOUT;
diff --git a/src/lib/libcrypto/aes/asm/vpaes-x86.pl b/src/lib/libcrypto/aes/asm/vpaes-x86.pl
deleted file mode 100644
index 6e7bd36d05..0000000000
--- a/src/lib/libcrypto/aes/asm/vpaes-x86.pl
+++ /dev/null
@@ -1,911 +0,0 @@
-#!/usr/bin/env perl
-######################################################################
-## Constant-time SSSE3 AES core implementation.
-## version 0.1
-##
-## By Mike Hamburg (Stanford University), 2009
-## Public domain.
-##
-## For details see http://shiftleft.org/papers/vector_aes/ and
-## http://crypto.stanford.edu/vpaes/.
-######################################################################
-# September 2011.
-#
-# Port vpaes-x86_64.pl as 32-bit "almost" drop-in replacement for
-# aes-586.pl. "Almost" refers to the fact that AES_cbc_encrypt
-# doesn't handle partial vectors (doesn't have to if called from
-# EVP only). "Drop-in" implies that this module doesn't share key
-# schedule structure with the original nor does it make assumption
-# about its alignment...
-#
-# Performance summary. aes-586.pl column lists large-block CBC
-# encrypt/decrypt/with-hyper-threading-off(*) results in cycles per
-# byte processed with 128-bit key, and vpaes-x86.pl column - [also
-# large-block CBC] encrypt/decrypt.
-#
-#               aes-586.pl              vpaes-x86.pl
-#
-# Core 2(**)    29.1/42.3/18.3          22.0/25.6(***)
-# Nehalem       27.9/40.4/18.1          10.3/12.0
-# Atom          102./119./60.1          64.5/85.3(***)
-#
-# (*)   "Hyper-threading" in the context refers rather to cache shared
-#       among multiple cores, than to specifically Intel HTT. As vast
-#       majority of contemporary cores share cache, slower code path
-#       is common place. In other words "with-hyper-threading-off"
-#       results are presented mostly for reference purposes.
-#
-# (**)  "Core 2" refers to initial 65nm design, a.k.a. Conroe.
-#
-# (***) Less impressive improvement on Core 2 and Atom is due to slow
-#       pshufb, yet it's respectable +32%/65%  improvement on Core 2
-#       and +58%/40% on Atom (as implied, over "hyper-threading-safe"
-#       code path).
-#
-#                                               <appro@openssl.org>
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-push(@INC,"${dir}","${dir}../../perlasm");
-require "x86asm.pl";
-&asm_init($ARGV[0],"vpaes-x86.pl",$x86only = $ARGV[$#ARGV] eq "386");
-$PREFIX="vpaes";
-my  ($round, $base, $magic, $key, $const, $inp, $out)=
-    ("eax",  "ebx", "ecx",  "edx","ebp",  "esi","edi");
-        &rodataseg();
-&static_label("_vpaes_consts");
-&static_label("_vpaes_schedule_low_round");
-&set_label("_vpaes_consts",64);
-$k_inv=-0x30;           # inv, inva
-        &data_word(0x0D080180,0x0E05060F,0x0A0B0C02,0x04070309);
-        &data_word(0x0F0B0780,0x01040A06,0x02050809,0x030D0E0C);
-$k_s0F=-0x10;           # s0F
-        &data_word(0x0F0F0F0F,0x0F0F0F0F,0x0F0F0F0F,0x0F0F0F0F);
-$k_ipt=0x00;            # input transform (lo, hi)
-        &data_word(0x5A2A7000,0xC2B2E898,0x52227808,0xCABAE090);
-        &data_word(0x317C4D00,0x4C01307D,0xB0FDCC81,0xCD80B1FC);
-$k_sb1=0x20;            # sb1u, sb1t
-        &data_word(0xCB503E00,0xB19BE18F,0x142AF544,0xA5DF7A6E);
-        &data_word(0xFAE22300,0x3618D415,0x0D2ED9EF,0x3BF7CCC1);
-$k_sb2=0x40;            # sb2u, sb2t
-        &data_word(0x0B712400,0xE27A93C6,0xBC982FCD,0x5EB7E955);
-        &data_word(0x0AE12900,0x69EB8840,0xAB82234A,0xC2A163C8);
-$k_sbo=0x60;            # sbou, sbot
-        &data_word(0x6FBDC700,0xD0D26D17,0xC502A878,0x15AABF7A);
-        &data_word(0x5FBB6A00,0xCFE474A5,0x412B35FA,0x8E1E90D1);
-$k_mc_forward=0x80;     # mc_forward
-        &data_word(0x00030201,0x04070605,0x080B0A09,0x0C0F0E0D);
-        &data_word(0x04070605,0x080B0A09,0x0C0F0E0D,0x00030201);
-        &data_word(0x080B0A09,0x0C0F0E0D,0x00030201,0x04070605);
-        &data_word(0x0C0F0E0D,0x00030201,0x04070605,0x080B0A09);
-$k_mc_backward=0xc0;    # mc_backward
-        &data_word(0x02010003,0x06050407,0x0A09080B,0x0E0D0C0F);
-        &data_word(0x0E0D0C0F,0x02010003,0x06050407,0x0A09080B);
-        &data_word(0x0A09080B,0x0E0D0C0F,0x02010003,0x06050407);
-        &data_word(0x06050407,0x0A09080B,0x0E0D0C0F,0x02010003);
-$k_sr=0x100;            # sr
-        &data_word(0x03020100,0x07060504,0x0B0A0908,0x0F0E0D0C);
-        &data_word(0x0F0A0500,0x030E0904,0x07020D08,0x0B06010C);
-        &data_word(0x0B020900,0x0F060D04,0x030A0108,0x070E050C);
-        &data_word(0x070A0D00,0x0B0E0104,0x0F020508,0x0306090C);
-$k_rcon=0x140;          # rcon
-        &data_word(0xAF9DEEB6,0x1F8391B9,0x4D7C7D81,0x702A9808);
-$k_s63=0x150;           # s63: all equal to 0x63 transformed
-        &data_word(0x5B5B5B5B,0x5B5B5B5B,0x5B5B5B5B,0x5B5B5B5B);
-$k_opt=0x160;           # output transform
-        &data_word(0xD6B66000,0xFF9F4929,0xDEBE6808,0xF7974121);
-        &data_word(0x50BCEC00,0x01EDBD51,0xB05C0CE0,0xE10D5DB1);
-$k_deskew=0x180;        # deskew tables: inverts the sbox's "skew"
-        &data_word(0x47A4E300,0x07E4A340,0x5DBEF91A,0x1DFEB95A);
-        &data_word(0x83EA6900,0x5F36B5DC,0xF49D1E77,0x2841C2AB);
-##
-##  Decryption stuff
-##  Key schedule constants
-##
-$k_dksd=0x1a0;          # decryption key schedule: invskew x*D
-        &data_word(0xA3E44700,0xFEB91A5D,0x5A1DBEF9,0x0740E3A4);
-        &data_word(0xB5368300,0x41C277F4,0xAB289D1E,0x5FDC69EA);
-$k_dksb=0x1c0;          # decryption key schedule: invskew x*B
-        &data_word(0x8550D500,0x9A4FCA1F,0x1CC94C99,0x03D65386);
-        &data_word(0xB6FC4A00,0x115BEDA7,0x7E3482C8,0xD993256F);
-$k_dkse=0x1e0;          # decryption key schedule: invskew x*E + 0x63
-        &data_word(0x1FC9D600,0xD5031CCA,0x994F5086,0x53859A4C);
-        &data_word(0x4FDC7BE8,0xA2319605,0x20B31487,0xCD5EF96A);
-$k_dks9=0x200;          # decryption key schedule: invskew x*9
-        &data_word(0x7ED9A700,0xB6116FC8,0x82255BFC,0x4AED9334);
-        &data_word(0x27143300,0x45765162,0xE9DAFDCE,0x8BB89FAC);
-##
-##  Decryption stuff
-##  Round function constants
-##
-$k_dipt=0x220;          # decryption input transform
-        &data_word(0x0B545F00,0x0F505B04,0x114E451A,0x154A411E);
-        &data_word(0x60056500,0x86E383E6,0xF491F194,0x12771772);
-$k_dsb9=0x240;          # decryption sbox output *9*u, *9*t
-        &data_word(0x9A86D600,0x851C0353,0x4F994CC9,0xCAD51F50);
-        &data_word(0xECD74900,0xC03B1789,0xB2FBA565,0x725E2C9E);
-$k_dsbd=0x260;          # decryption sbox output *D*u, *D*t
-        &data_word(0xE6B1A200,0x7D57CCDF,0x882A4439,0xF56E9B13);
-        &data_word(0x24C6CB00,0x3CE2FAF7,0x15DEEFD3,0x2931180D);
-$k_dsbb=0x280;          # decryption sbox output *B*u, *B*t
-        &data_word(0x96B44200,0xD0226492,0xB0F2D404,0x602646F6);
-        &data_word(0xCD596700,0xC19498A6,0x3255AA6B,0xF3FF0C3E);
-$k_dsbe=0x2a0;          # decryption sbox output *E*u, *E*t
-        &data_word(0x26D4D000,0x46F29296,0x64B4F6B0,0x22426004);
-        &data_word(0xFFAAC100,0x0C55A6CD,0x98593E32,0x9467F36B);
-$k_dsbo=0x2c0;          # decryption sbox final output
-        &data_word(0x7EF94000,0x1387EA53,0xD4943E2D,0xC7AA6DB9);
-        &data_word(0x93441D00,0x12D7560F,0xD8C58E9C,0xCA4B8159);
-        &previous();
-&function_begin_B("_vpaes_preheat");
-        &movdqa ("xmm7",&QWP($k_inv,$const));
-        &movdqa ("xmm6",&QWP($k_s0F,$const));
-        &ret    ();
-&function_end_B("_vpaes_preheat");
-##
-##  _aes_encrypt_core
-##
-##  AES-encrypt %xmm0.
-##
-##  Inputs:
-##     %xmm0 = input
-##     %xmm6-%xmm7 as in _vpaes_preheat
-##    (%edx) = scheduled keys
-##
-##  Output in %xmm0
-##  Clobbers  %xmm1-%xmm5, %eax, %ebx, %ecx, %edx
-##
-##
-&function_begin_B("_vpaes_encrypt_core");
-        &mov    ($magic,16);
-        &mov    ($round,&DWP(240,$key));
-        &movdqa ("xmm1","xmm6")
-        &movdqa ("xmm2",&QWP($k_ipt,$const));
-        &pandn  ("xmm1","xmm0");
-        &movdqu ("xmm5",&QWP(0,$key));
-        &psrld  ("xmm1",4);
-        &pand   ("xmm0","xmm6");
-        &pshufb ("xmm2","xmm0");
-        &movdqa ("xmm0",&QWP($k_ipt+16,$const));
-        &pshufb ("xmm0","xmm1");
-        &pxor   ("xmm2","xmm5");
-        &pxor   ("xmm0","xmm2");
-        &add    ($key,16);
-        &lea    ($base,&DWP($k_mc_backward,$const));
-        &jmp    (&label("enc_entry"));
-&set_label("enc_loop",16);
-        # middle of middle round
-        &movdqa ("xmm4",&QWP($k_sb1,$const));   # 4 : sb1u
-        &pshufb ("xmm4","xmm2");                # 4 = sb1u
-        &pxor   ("xmm4","xmm5");                # 4 = sb1u + k
-        &movdqa ("xmm0",&QWP($k_sb1+16,$const));# 0 : sb1t
-        &pshufb ("xmm0","xmm3");                # 0 = sb1t
-        &pxor   ("xmm0","xmm4");                # 0 = A
-        &movdqa ("xmm5",&QWP($k_sb2,$const));   # 4 : sb2u
-        &pshufb ("xmm5","xmm2");                # 4 = sb2u
-        &movdqa ("xmm1",&QWP(-0x40,$base,$magic));# .Lk_mc_forward[]
-        &movdqa ("xmm2",&QWP($k_sb2+16,$const));# 2 : sb2t
-        &pshufb ("xmm2","xmm3");                # 2 = sb2t
-        &pxor   ("xmm2","xmm5");                # 2 = 2A
-        &movdqa ("xmm4",&QWP(0,$base,$magic));  # .Lk_mc_backward[]
-        &movdqa ("xmm3","xmm0");                # 3 = A
-        &pshufb ("xmm0","xmm1");                # 0 = B
-        &add    ($key,16);                      # next key
-        &pxor   ("xmm0","xmm2");                # 0 = 2A+B
-        &pshufb ("xmm3","xmm4");                # 3 = D
-        &add    ($magic,16);                    # next mc
-        &pxor   ("xmm3","xmm0");                # 3 = 2A+B+D
-        &pshufb ("xmm0","xmm1");                # 0 = 2B+C
-        &and    ($magic,0x30);                  # ... mod 4
-        &pxor   ("xmm0","xmm3");                # 0 = 2A+3B+C+D
-        &sub    ($round,1);                     # nr--
-&set_label("enc_entry");
-        # top of round
-        &movdqa ("xmm1","xmm6");                # 1 : i
-        &pandn  ("xmm1","xmm0");                # 1 = i<<4
-        &psrld  ("xmm1",4);                     # 1 = i
-        &pand   ("xmm0","xmm6");                # 0 = k
-        &movdqa ("xmm5",&QWP($k_inv+16,$const));# 2 : a/k
-        &pshufb ("xmm5","xmm0");                # 2 = a/k
-        &pxor   ("xmm0","xmm1");                # 0 = j
-        &movdqa ("xmm3","xmm7");                # 3 : 1/i
-        &pshufb ("xmm3","xmm1");                # 3 = 1/i
-        &pxor   ("xmm3","xmm5");                # 3 = iak = 1/i + a/k
-        &movdqa ("xmm4","xmm7");                # 4 : 1/j
-        &pshufb ("xmm4","xmm0");                # 4 = 1/j
-        &pxor   ("xmm4","xmm5");                # 4 = jak = 1/j + a/k
-        &movdqa ("xmm2","xmm7");                # 2 : 1/iak
-        &pshufb ("xmm2","xmm3");                # 2 = 1/iak
-        &pxor   ("xmm2","xmm0");                # 2 = io
-        &movdqa ("xmm3","xmm7");                # 3 : 1/jak
-        &movdqu ("xmm5",&QWP(0,$key));
-        &pshufb ("xmm3","xmm4");                # 3 = 1/jak
-        &pxor   ("xmm3","xmm1");                # 3 = jo
-        &jnz    (&label("enc_loop"));
-        # middle of last round
-        &movdqa ("xmm4",&QWP($k_sbo,$const));   # 3 : sbou      .Lk_sbo
-        &movdqa ("xmm0",&QWP($k_sbo+16,$const));# 3 : sbot      .Lk_sbo+16
-        &pshufb ("xmm4","xmm2");                # 4 = sbou
-        &pxor   ("xmm4","xmm5");                # 4 = sb1u + k
-        &pshufb ("xmm0","xmm3");                # 0 = sb1t
-        &movdqa ("xmm1",&QWP(0x40,$base,$magic));# .Lk_sr[]
-        &pxor   ("xmm0","xmm4");                # 0 = A
-        &pshufb ("xmm0","xmm1");
-        &ret    ();
-&function_end_B("_vpaes_encrypt_core");
-##
-##  Decryption core
-##
-##  Same API as encryption core.
-##
-&function_begin_B("_vpaes_decrypt_core");
-        &mov    ($round,&DWP(240,$key));
-        &lea    ($base,&DWP($k_dsbd,$const));
-        &movdqa ("xmm1","xmm6");
-        &movdqa ("xmm2",&QWP($k_dipt-$k_dsbd,$base));
-        &pandn  ("xmm1","xmm0");
-        &mov    ($magic,$round);
-        &psrld  ("xmm1",4)
-        &movdqu ("xmm5",&QWP(0,$key));
-        &shl    ($magic,4);
-        &pand   ("xmm0","xmm6");
-        &pshufb ("xmm2","xmm0");
-        &movdqa ("xmm0",&QWP($k_dipt-$k_dsbd+16,$base));
-        &xor    ($magic,0x30);
-        &pshufb ("xmm0","xmm1");
-        &and    ($magic,0x30);
-        &pxor   ("xmm2","xmm5");
-        &movdqa ("xmm5",&QWP($k_mc_forward+48,$const));
-        &pxor   ("xmm0","xmm2");
-        &add    ($key,16);
-        &lea    ($magic,&DWP($k_sr-$k_dsbd,$base,$magic));
-        &jmp    (&label("dec_entry"));
-&set_label("dec_loop",16);
-##
-##  Inverse mix columns
-##
-        &movdqa ("xmm4",&QWP(-0x20,$base));     # 4 : sb9u
-        &pshufb ("xmm4","xmm2");                # 4 = sb9u
-        &pxor   ("xmm4","xmm0");
-        &movdqa ("xmm0",&QWP(-0x10,$base));     # 0 : sb9t
-        &pshufb ("xmm0","xmm3");                # 0 = sb9t
-        &pxor   ("xmm0","xmm4");                # 0 = ch
-        &add    ($key,16);                      # next round key
-        &pshufb ("xmm0","xmm5");                # MC ch
-        &movdqa ("xmm4",&QWP(0,$base));         # 4 : sbdu
-        &pshufb ("xmm4","xmm2");                # 4 = sbdu
-        &pxor   ("xmm4","xmm0");                # 4 = ch
-        &movdqa ("xmm0",&QWP(0x10,$base));      # 0 : sbdt
-        &pshufb ("xmm0","xmm3");                # 0 = sbdt
-        &pxor   ("xmm0","xmm4");                # 0 = ch
-        &sub    ($round,1);                     # nr--
-        &pshufb ("xmm0","xmm5");                # MC ch
-        &movdqa ("xmm4",&QWP(0x20,$base));      # 4 : sbbu
-        &pshufb ("xmm4","xmm2");                # 4 = sbbu
-        &pxor   ("xmm4","xmm0");                # 4 = ch
-        &movdqa ("xmm0",&QWP(0x30,$base));      # 0 : sbbt
-        &pshufb ("xmm0","xmm3");                # 0 = sbbt
-        &pxor   ("xmm0","xmm4");                # 0 = ch
-        &pshufb ("xmm0","xmm5");                # MC ch
-        &movdqa ("xmm4",&QWP(0x40,$base));      # 4 : sbeu
-        &pshufb ("xmm4","xmm2");                # 4 = sbeu
-        &pxor   ("xmm4","xmm0");                # 4 = ch
-        &movdqa ("xmm0",&QWP(0x50,$base));      # 0 : sbet
-        &pshufb ("xmm0","xmm3");                # 0 = sbet
-        &pxor   ("xmm0","xmm4");                # 0 = ch
-        &palignr("xmm5","xmm5",12);
-&set_label("dec_entry");
-        # top of round
-        &movdqa ("xmm1","xmm6");                # 1 : i
-        &pandn  ("xmm1","xmm0");                # 1 = i<<4
-        &psrld  ("xmm1",4);                     # 1 = i
-        &pand   ("xmm0","xmm6");                # 0 = k
-        &movdqa ("xmm2",&QWP($k_inv+16,$const));# 2 : a/k
-        &pshufb ("xmm2","xmm0");                # 2 = a/k
-        &pxor   ("xmm0","xmm1");                # 0 = j
-        &movdqa ("xmm3","xmm7");                # 3 : 1/i
-        &pshufb ("xmm3","xmm1");                # 3 = 1/i
-        &pxor   ("xmm3","xmm2");                # 3 = iak = 1/i + a/k
-        &movdqa ("xmm4","xmm7");                # 4 : 1/j
-        &pshufb ("xmm4","xmm0");                # 4 = 1/j
-        &pxor   ("xmm4","xmm2");                # 4 = jak = 1/j + a/k
-        &movdqa ("xmm2","xmm7");                # 2 : 1/iak
-        &pshufb ("xmm2","xmm3");                # 2 = 1/iak
-        &pxor   ("xmm2","xmm0");                # 2 = io
-        &movdqa ("xmm3","xmm7");                # 3 : 1/jak
-        &pshufb ("xmm3","xmm4");                # 3 = 1/jak
-        &pxor   ("xmm3","xmm1");                # 3 = jo
-        &movdqu ("xmm0",&QWP(0,$key));
-        &jnz    (&label("dec_loop"));
-        # middle of last round
-        &movdqa ("xmm4",&QWP(0x60,$base));      # 3 : sbou
-        &pshufb ("xmm4","xmm2");                # 4 = sbou
-        &pxor   ("xmm4","xmm0");                # 4 = sb1u + k
-        &movdqa ("xmm0",&QWP(0x70,$base));      # 0 : sbot
-        &movdqa ("xmm2",&QWP(0,$magic));
-        &pshufb ("xmm0","xmm3");                # 0 = sb1t
-        &pxor   ("xmm0","xmm4");                # 0 = A
-        &pshufb ("xmm0","xmm2");
-        &ret    ();
-&function_end_B("_vpaes_decrypt_core");
-########################################################
-##                                                    ##
-##                  AES key schedule                  ##
-##                                                    ##
-########################################################
-&function_begin_B("_vpaes_schedule_core");
-        &movdqu ("xmm0",&QWP(0,$inp));          # load key (unaligned)
-        &movdqa ("xmm2",&QWP($k_rcon,$const));  # load rcon
-        # input transform
-        &movdqa ("xmm3","xmm0");
-        &lea    ($base,&DWP($k_ipt,$const));
-        &movdqa (&QWP(4,"esp"),"xmm2");         # xmm8
-        &call   ("_vpaes_schedule_transform");
-        &movdqa ("xmm7","xmm0");
-        &test   ($out,$out);
-        &jnz    (&label("schedule_am_decrypting"));
-        # encrypting, output zeroth round key after transform
-        &movdqu (&QWP(0,$key),"xmm0");
-        &jmp    (&label("schedule_go"));
-&set_label("schedule_am_decrypting");
-        # decrypting, output zeroth round key after shiftrows
-        &movdqa ("xmm1",&QWP($k_sr,$const,$magic));
-        &pshufb ("xmm3","xmm1");
-        &movdqu (&QWP(0,$key),"xmm3");
-        &xor    ($magic,0x30);
-&set_label("schedule_go");
-        &cmp    ($round,192);
-        &ja     (&label("schedule_256"));
-        &je     (&label("schedule_192"));
-        # 128: fall though
-##
-##  .schedule_128
-##
-##  128-bit specific part of key schedule.
-##
-##  This schedule is really simple, because all its parts
-##  are accomplished by the subroutines.
-##
-&set_label("schedule_128");
-        &mov    ($round,10);
-&set_label("loop_schedule_128");
-        &call   ("_vpaes_schedule_round");
-        &dec    ($round);
-        &jz     (&label("schedule_mangle_last"));
-        &call   ("_vpaes_schedule_mangle");     # write output
-        &jmp    (&label("loop_schedule_128"));
-##
-##  .aes_schedule_192
-##
-##  192-bit specific part of key schedule.
-##
-##  The main body of this schedule is the same as the 128-bit
-##  schedule, but with more smearing.  The long, high side is
-##  stored in %xmm7 as before, and the short, low side is in
-##  the high bits of %xmm6.
-##
-##  This schedule is somewhat nastier, however, because each
-##  round produces 192 bits of key material, or 1.5 round keys.
-##  Therefore, on each cycle we do 2 rounds and produce 3 round
-##  keys.
-##
-&set_label("schedule_192",16);
-        &movdqu ("xmm0",&QWP(8,$inp));          # load key part 2 (very unaligned)
-        &call   ("_vpaes_schedule_transform");  # input transform       
-        &movdqa ("xmm6","xmm0");                # save short part
-        &pxor   ("xmm4","xmm4");                # clear 4
-        &movhlps("xmm6","xmm4");                # clobber low side with zeros
-        &mov    ($round,4);
-&set_label("loop_schedule_192");
-        &call   ("_vpaes_schedule_round");
-        &palignr("xmm0","xmm6",8);
-        &call   ("_vpaes_schedule_mangle");     # save key n
-        &call   ("_vpaes_schedule_192_smear");
-        &call   ("_vpaes_schedule_mangle");     # save key n+1
-        &call   ("_vpaes_schedule_round");
-        &dec    ($round);
-        &jz     (&label("schedule_mangle_last"));
-        &call   ("_vpaes_schedule_mangle");     # save key n+2
-        &call   ("_vpaes_schedule_192_smear");
-        &jmp    (&label("loop_schedule_192"));
-##
-##  .aes_schedule_256
-##
-##  256-bit specific part of key schedule.
-##
-##  The structure here is very similar to the 128-bit
-##  schedule, but with an additional "low side" in
-##  %xmm6.  The low side's rounds are the same as the
-##  high side's, except no rcon and no rotation.
-##
-&set_label("schedule_256",16);
-        &movdqu ("xmm0",&QWP(16,$inp));         # load key part 2 (unaligned)
-        &call   ("_vpaes_schedule_transform");  # input transform       
-        &mov    ($round,7);
-&set_label("loop_schedule_256");
-        &call   ("_vpaes_schedule_mangle");     # output low result
-        &movdqa ("xmm6","xmm0");                # save cur_lo in xmm6
-        # high round
-        &call   ("_vpaes_schedule_round");
-        &dec    ($round);
-        &jz     (&label("schedule_mangle_last"));
-        &call   ("_vpaes_schedule_mangle");     
-        # low round. swap xmm7 and xmm6
-        &pshufd ("xmm0","xmm0",0xFF);
-        &movdqa (&QWP(20,"esp"),"xmm7");
-        &movdqa ("xmm7","xmm6");
-        &call   ("_vpaes_schedule_low_round");
-        &movdqa ("xmm7",&QWP(20,"esp"));
-        &jmp    (&label("loop_schedule_256"));
-##
-##  .aes_schedule_mangle_last
-##
-##  Mangler for last round of key schedule
-##  Mangles %xmm0
-##    when encrypting, outputs out(%xmm0) ^ 63
-##    when decrypting, outputs unskew(%xmm0)
-##
-##  Always called right before return... jumps to cleanup and exits
-##
-&set_label("schedule_mangle_last",16);
-        # schedule last round key from xmm0
-        &lea    ($base,&DWP($k_deskew,$const));
-        &test   ($out,$out);
-        &jnz    (&label("schedule_mangle_last_dec"));
-        # encrypting
-        &movdqa ("xmm1",&QWP($k_sr,$const,$magic));
-        &pshufb ("xmm0","xmm1");                # output permute
-        &lea    ($base,&DWP($k_opt,$const));    # prepare to output transform
-        &add    ($key,32);
-&set_label("schedule_mangle_last_dec");
-        &add    ($key,-16);
-        &pxor   ("xmm0",&QWP($k_s63,$const));
-        &call   ("_vpaes_schedule_transform");  # output transform
-        &movdqu (&QWP(0,$key),"xmm0");          # save last key
-        # cleanup
-        &pxor   ("xmm0","xmm0");
-        &pxor   ("xmm1","xmm1");
-        &pxor   ("xmm2","xmm2");
-        &pxor   ("xmm3","xmm3");
-        &pxor   ("xmm4","xmm4");
-        &pxor   ("xmm5","xmm5");
-        &pxor   ("xmm6","xmm6");
-        &pxor   ("xmm7","xmm7");
-        &ret    ();
-&function_end_B("_vpaes_schedule_core");
-##
-##  .aes_schedule_192_smear
-##
-##  Smear the short, low side in the 192-bit key schedule.
-##
-##  Inputs:
-##    %xmm7: high side, b  a  x  y
-##    %xmm6:  low side, d  c  0  0
-##    %xmm13: 0
-##
-##  Outputs:
-##    %xmm6: b+c+d  b+c  0  0
-##    %xmm0: b+c+d  b+c  b  a
-##
-&function_begin_B("_vpaes_schedule_192_smear");
-        &pshufd ("xmm0","xmm6",0x80);           # d c 0 0 -> c 0 0 0
-        &pxor   ("xmm6","xmm0");                # -> c+d c 0 0
-        &pshufd ("xmm0","xmm7",0xFE);           # b a _ _ -> b b b a
-        &pxor   ("xmm6","xmm0");                # -> b+c+d b+c b a
-        &movdqa ("xmm0","xmm6");
-        &pxor   ("xmm1","xmm1");
-        &movhlps("xmm6","xmm1");                # clobber low side with zeros
-        &ret    ();
-&function_end_B("_vpaes_schedule_192_smear");
-##
-##  .aes_schedule_round
-##
-##  Runs one main round of the key schedule on %xmm0, %xmm7
-##
-##  Specifically, runs subbytes on the high dword of %xmm0
-##  then rotates it by one byte and xors into the low dword of
-##  %xmm7.
-##
-##  Adds rcon from low byte of %xmm8, then rotates %xmm8 for
-##  next rcon.
-##
-##  Smears the dwords of %xmm7 by xoring the low into the
-##  second low, result into third, result into highest.
-##
-##  Returns results in %xmm7 = %xmm0.
-##  Clobbers %xmm1-%xmm5.
-##
-&function_begin_B("_vpaes_schedule_round");
-        # extract rcon from xmm8
-        &movdqa ("xmm2",&QWP(8,"esp"));         # xmm8
-        &pxor   ("xmm1","xmm1");
-        &palignr("xmm1","xmm2",15);
-        &palignr("xmm2","xmm2",15);
-        &pxor   ("xmm7","xmm1");
-        # rotate
-        &pshufd ("xmm0","xmm0",0xFF);
-        &palignr("xmm0","xmm0",1);
-        # fall through...
-        &movdqa (&QWP(8,"esp"),"xmm2");         # xmm8
-        # low round: same as high round, but no rotation and no rcon.
-&set_label("_vpaes_schedule_low_round");
-        # smear xmm7
-        &movdqa ("xmm1","xmm7");
-        &pslldq ("xmm7",4);
-        &pxor   ("xmm7","xmm1");
-        &movdqa ("xmm1","xmm7");
-        &pslldq ("xmm7",8);
-        &pxor   ("xmm7","xmm1");
-        &pxor   ("xmm7",&QWP($k_s63,$const));
-        # subbyte
-        &movdqa ("xmm4",&QWP($k_s0F,$const));
-        &movdqa ("xmm5",&QWP($k_inv,$const));   # 4 : 1/j
-        &movdqa ("xmm1","xmm4");        
-        &pandn  ("xmm1","xmm0");
-        &psrld  ("xmm1",4);                     # 1 = i
-        &pand   ("xmm0","xmm4");                # 0 = k
-        &movdqa ("xmm2",&QWP($k_inv+16,$const));# 2 : a/k
-        &pshufb ("xmm2","xmm0");                # 2 = a/k
-        &pxor   ("xmm0","xmm1");                # 0 = j
-        &movdqa ("xmm3","xmm5");                # 3 : 1/i
-        &pshufb ("xmm3","xmm1");                # 3 = 1/i
-        &pxor   ("xmm3","xmm2");                # 3 = iak = 1/i + a/k
-        &movdqa ("xmm4","xmm5");                # 4 : 1/j
-        &pshufb ("xmm4","xmm0");                # 4 = 1/j
-        &pxor   ("xmm4","xmm2");                # 4 = jak = 1/j + a/k
-        &movdqa ("xmm2","xmm5");                # 2 : 1/iak
-        &pshufb ("xmm2","xmm3");                # 2 = 1/iak
-        &pxor   ("xmm2","xmm0");                # 2 = io
-        &movdqa ("xmm3","xmm5");                # 3 : 1/jak
-        &pshufb ("xmm3","xmm4");                # 3 = 1/jak
-        &pxor   ("xmm3","xmm1");                # 3 = jo
-        &movdqa ("xmm4",&QWP($k_sb1,$const));   # 4 : sbou
-        &pshufb ("xmm4","xmm2");                # 4 = sbou
-        &movdqa ("xmm0",&QWP($k_sb1+16,$const));# 0 : sbot
-        &pshufb ("xmm0","xmm3");                # 0 = sb1t
-        &pxor   ("xmm0","xmm4");                # 0 = sbox output
-        # add in smeared stuff
-        &pxor   ("xmm0","xmm7");
-        &movdqa ("xmm7","xmm0");
-        &ret    ();
-&function_end_B("_vpaes_schedule_round");
-##
-##  .aes_schedule_transform
-##
-##  Linear-transform %xmm0 according to tables at (%ebx)
-##
-##  Output in %xmm0
-##  Clobbers %xmm1, %xmm2
-##
-&function_begin_B("_vpaes_schedule_transform");
-        &movdqa ("xmm2",&QWP($k_s0F,$const));
-        &movdqa ("xmm1","xmm2");
-        &pandn  ("xmm1","xmm0");
-        &psrld  ("xmm1",4);
-        &pand   ("xmm0","xmm2");
-        &movdqa ("xmm2",&QWP(0,$base));
-        &pshufb ("xmm2","xmm0");
-        &movdqa ("xmm0",&QWP(16,$base));
-        &pshufb ("xmm0","xmm1");
-        &pxor   ("xmm0","xmm2");
-        &ret    ();
-&function_end_B("_vpaes_schedule_transform");
-##
-##  .aes_schedule_mangle
-##
-##  Mangle xmm0 from (basis-transformed) standard version
-##  to our version.
-##
-##  On encrypt,
-##    xor with 0x63
-##    multiply by circulant 0,1,1,1
-##    apply shiftrows transform
-##
-##  On decrypt,
-##    xor with 0x63
-##    multiply by "inverse mixcolumns" circulant E,B,D,9
-##    deskew
-##    apply shiftrows transform
-##
-##
-##  Writes out to (%edx), and increments or decrements it
-##  Keeps track of round number mod 4 in %ecx
-##  Preserves xmm0
-##  Clobbers xmm1-xmm5
-##
-&function_begin_B("_vpaes_schedule_mangle");
-        &movdqa ("xmm4","xmm0");        # save xmm0 for later
-        &movdqa ("xmm5",&QWP($k_mc_forward,$const));
-        &test   ($out,$out);
-        &jnz    (&label("schedule_mangle_dec"));
-        # encrypting
-        &add    ($key,16);
-        &pxor   ("xmm4",&QWP($k_s63,$const));
-        &pshufb ("xmm4","xmm5");
-        &movdqa ("xmm3","xmm4");
-        &pshufb ("xmm4","xmm5");
-        &pxor   ("xmm3","xmm4");
-        &pshufb ("xmm4","xmm5");
-        &pxor   ("xmm3","xmm4");
-        &jmp    (&label("schedule_mangle_both"));
-&set_label("schedule_mangle_dec",16);
-        # inverse mix columns
-        &movdqa ("xmm2",&QWP($k_s0F,$const));
-        &lea    ($inp,&DWP($k_dksd,$const));
-        &movdqa ("xmm1","xmm2");
-        &pandn  ("xmm1","xmm4");
-        &psrld  ("xmm1",4);                     # 1 = hi
-        &pand   ("xmm4","xmm2");                # 4 = lo
-        &movdqa ("xmm2",&QWP(0,$inp));
-        &pshufb ("xmm2","xmm4");
-        &movdqa ("xmm3",&QWP(0x10,$inp));
-        &pshufb ("xmm3","xmm1");
-        &pxor   ("xmm3","xmm2");
-        &pshufb ("xmm3","xmm5");
-        &movdqa ("xmm2",&QWP(0x20,$inp));
-        &pshufb ("xmm2","xmm4");
-        &pxor   ("xmm2","xmm3");
-        &movdqa ("xmm3",&QWP(0x30,$inp));
-        &pshufb ("xmm3","xmm1");
-        &pxor   ("xmm3","xmm2");
-        &pshufb ("xmm3","xmm5");
-        &movdqa ("xmm2",&QWP(0x40,$inp));
-        &pshufb ("xmm2","xmm4");
-        &pxor   ("xmm2","xmm3");
-        &movdqa ("xmm3",&QWP(0x50,$inp));
-        &pshufb ("xmm3","xmm1");
-        &pxor   ("xmm3","xmm2");
-        &pshufb ("xmm3","xmm5");
-        &movdqa ("xmm2",&QWP(0x60,$inp));
-        &pshufb ("xmm2","xmm4");
-        &pxor   ("xmm2","xmm3");
-        &movdqa ("xmm3",&QWP(0x70,$inp));
-        &pshufb ("xmm3","xmm1");
-        &pxor   ("xmm3","xmm2");
-        &add    ($key,-16);
-&set_label("schedule_mangle_both");
-        &movdqa ("xmm1",&QWP($k_sr,$const,$magic));
-        &pshufb ("xmm3","xmm1");
-        &add    ($magic,-16);
-        &and    ($magic,0x30);
-        &movdqu (&QWP(0,$key),"xmm3");
-        &ret    ();
-&function_end_B("_vpaes_schedule_mangle");
-#
-# Interface to OpenSSL
-#
-&function_begin("${PREFIX}_set_encrypt_key");
-        &mov    ($inp,&wparam(0));              # inp
-        &lea    ($base,&DWP(-56,"esp"));
-        &mov    ($round,&wparam(1));            # bits
-        &and    ($base,-16);
-        &mov    ($key,&wparam(2));              # key
-        &xchg   ($base,"esp");                  # alloca
-        &mov    (&DWP(48,"esp"),$base);
-        &mov    ($base,$round);
-        &shr    ($base,5);
-        &add    ($base,5);
-        &mov    (&DWP(240,$key),$base);         # AES_KEY->rounds = nbits/32+5;
-        &mov    ($magic,0x30);
-        &mov    ($out,0);
-        &picsetup($const);
-        &picsymbol($const, &label("_vpaes_consts"), $const);
-        &lea    ($const,&DWP(0x30,$const))
-        &call   ("_vpaes_schedule_core");
-        &mov    ("esp",&DWP(48,"esp"));
-        &xor    ("eax","eax");
-&function_end("${PREFIX}_set_encrypt_key");
-&function_begin("${PREFIX}_set_decrypt_key");
-        &mov    ($inp,&wparam(0));              # inp
-        &lea    ($base,&DWP(-56,"esp"));
-        &mov    ($round,&wparam(1));            # bits
-        &and    ($base,-16);
-        &mov    ($key,&wparam(2));              # key
-        &xchg   ($base,"esp");                  # alloca
-        &mov    (&DWP(48,"esp"),$base);
-        &mov    ($base,$round);
-        &shr    ($base,5);
-        &add    ($base,5);
-        &mov    (&DWP(240,$key),$base); # AES_KEY->rounds = nbits/32+5;
-        &shl    ($base,4);
-        &lea    ($key,&DWP(16,$key,$base));
-        &mov    ($out,1);
-        &mov    ($magic,$round);
-        &shr    ($magic,1);
-        &and    ($magic,32);
-        &xor    ($magic,32);                    # nbist==192?0:32;
-        &picsetup($const);
-        &picsymbol($const, &label("_vpaes_consts"), $const);
-        &lea    ($const,&DWP(0x30,$const))
-        &call   ("_vpaes_schedule_core");
-        &mov    ("esp",&DWP(48,"esp"));
-        &xor    ("eax","eax");
-&function_end("${PREFIX}_set_decrypt_key");
-&function_begin("${PREFIX}_encrypt");
-        &picsetup($const);
-        &picsymbol($const, &label("_vpaes_consts"), $const);
-        &lea    ($const,&DWP(0x30,$const))
-        &call   ("_vpaes_preheat");
-        &mov    ($inp,&wparam(0));              # inp
-        &lea    ($base,&DWP(-56,"esp"));
-        &mov    ($out,&wparam(1));              # out
-        &and    ($base,-16);
-        &mov    ($key,&wparam(2));              # key
-        &xchg   ($base,"esp");                  # alloca
-        &mov    (&DWP(48,"esp"),$base);
-        &movdqu ("xmm0",&QWP(0,$inp));
-        &call   ("_vpaes_encrypt_core");
-        &movdqu (&QWP(0,$out),"xmm0");
-        &mov    ("esp",&DWP(48,"esp"));
-&function_end("${PREFIX}_encrypt");
-&function_begin("${PREFIX}_decrypt");
-        &picsetup($const);
-        &picsymbol($const, &label("_vpaes_consts"), $const);
-        &lea    ($const,&DWP(0x30,$const))
-        &call   ("_vpaes_preheat");
-        &mov    ($inp,&wparam(0));              # inp
-        &lea    ($base,&DWP(-56,"esp"));
-        &mov    ($out,&wparam(1));              # out
-        &and    ($base,-16);
-        &mov    ($key,&wparam(2));              # key
-        &xchg   ($base,"esp");                  # alloca
-        &mov    (&DWP(48,"esp"),$base);
-        &movdqu ("xmm0",&QWP(0,$inp));
-        &call   ("_vpaes_decrypt_core");
-        &movdqu (&QWP(0,$out),"xmm0");
-        &mov    ("esp",&DWP(48,"esp"));
-&function_end("${PREFIX}_decrypt");
-&function_begin("${PREFIX}_cbc_encrypt");
-        &mov    ($inp,&wparam(0));              # inp
-        &mov    ($out,&wparam(1));              # out
-        &mov    ($round,&wparam(2));            # len
-        &mov    ($key,&wparam(3));              # key
-        &sub    ($round,16);
-        &jc     (&label("cbc_abort"));
-        &lea    ($base,&DWP(-56,"esp"));
-        &mov    ($const,&wparam(4));            # ivp
-        &and    ($base,-16);
-        &mov    ($magic,&wparam(5));            # enc
-        &xchg   ($base,"esp");                  # alloca
-        &movdqu ("xmm1",&QWP(0,$const));        # load IV
-        &sub    ($out,$inp);
-        &mov    (&DWP(48,"esp"),$base);
-        &mov    (&DWP(0,"esp"),$out);           # save out
-        &mov    (&DWP(4,"esp"),$key)            # save key
-        &mov    (&DWP(8,"esp"),$const);         # save ivp
-        &mov    ($out,$round);                  # $out works as $len
-        &picsetup($const);
-        &picsymbol($const, &label("_vpaes_consts"), $const);
-        &lea    ($const,&DWP(0x30,$const))
-        &call   ("_vpaes_preheat");
-        &cmp    ($magic,0);
-        &je     (&label("cbc_dec_loop"));
-        &jmp    (&label("cbc_enc_loop"));
-&set_label("cbc_enc_loop",16);
-        &movdqu ("xmm0",&QWP(0,$inp));          # load input
-        &pxor   ("xmm0","xmm1");                # inp^=iv
-        &call   ("_vpaes_encrypt_core");
-        &mov    ($base,&DWP(0,"esp"));          # restore out
-        &mov    ($key,&DWP(4,"esp"));           # restore key
-        &movdqa ("xmm1","xmm0");
-        &movdqu (&QWP(0,$base,$inp),"xmm0");    # write output
-        &lea    ($inp,&DWP(16,$inp));
-        &sub    ($out,16);
-        &jnc    (&label("cbc_enc_loop"));
-        &jmp    (&label("cbc_done"));
-&set_label("cbc_dec_loop",16);
-        &movdqu ("xmm0",&QWP(0,$inp));          # load input
-        &movdqa (&QWP(16,"esp"),"xmm1");        # save IV
-        &movdqa (&QWP(32,"esp"),"xmm0");        # save future IV
-        &call   ("_vpaes_decrypt_core");
-        &mov    ($base,&DWP(0,"esp"));          # restore out
-        &mov    ($key,&DWP(4,"esp"));           # restore key
-        &pxor   ("xmm0",&QWP(16,"esp"));        # out^=iv
-        &movdqa ("xmm1",&QWP(32,"esp"));        # load next IV
-        &movdqu (&QWP(0,$base,$inp),"xmm0");    # write output
-        &lea    ($inp,&DWP(16,$inp));
-        &sub    ($out,16);
-        &jnc    (&label("cbc_dec_loop"));
-&set_label("cbc_done");
-        &mov    ($base,&DWP(8,"esp"));          # restore ivp
-        &mov    ("esp",&DWP(48,"esp"));
-        &movdqu (&QWP(0,$base),"xmm1");         # write IV
-&set_label("cbc_abort");
-&function_end("${PREFIX}_cbc_encrypt");
-&asm_finish();
diff --git a/src/lib/libcrypto/aes/asm/vpaes-x86_64.pl b/src/lib/libcrypto/aes/asm/vpaes-x86_64.pl
deleted file mode 100644
index 7d92e8d8ca..0000000000
--- a/src/lib/libcrypto/aes/asm/vpaes-x86_64.pl
+++ /dev/null
@@ -1,1222 +0,0 @@
-#!/usr/bin/env perl
-######################################################################
-## Constant-time SSSE3 AES core implementation.
-## version 0.1
-##
-## By Mike Hamburg (Stanford University), 2009
-## Public domain.
-##
-## For details see http://shiftleft.org/papers/vector_aes/ and
-## http://crypto.stanford.edu/vpaes/.
-######################################################################
-# September 2011.
-#
-# Interface to OpenSSL as "almost" drop-in replacement for
-# aes-x86_64.pl. "Almost" refers to the fact that AES_cbc_encrypt
-# doesn't handle partial vectors (doesn't have to if called from
-# EVP only). "Drop-in" implies that this module doesn't share key
-# schedule structure with the original nor does it make assumption
-# about its alignment...
-#
-# Performance summary. aes-x86_64.pl column lists large-block CBC
-# encrypt/decrypt/with-hyper-threading-off(*) results in cycles per
-# byte processed with 128-bit key, and vpaes-x86_64.pl column -
-# [also large-block CBC] encrypt/decrypt.
-#
-#               aes-x86_64.pl           vpaes-x86_64.pl
-#
-# Core 2(**)    30.5/43.7/14.3          21.8/25.7(***)
-# Nehalem       30.5/42.2/14.6           9.8/11.8
-# Atom          63.9/79.0/32.1          64.0/84.8(***)
-#
-# (*)   "Hyper-threading" in the context refers rather to cache shared
-#       among multiple cores, than to specifically Intel HTT. As vast
-#       majority of contemporary cores share cache, slower code path
-#       is common place. In other words "with-hyper-threading-off"
-#       results are presented mostly for reference purposes.
-#
-# (**)  "Core 2" refers to initial 65nm design, a.k.a. Conroe.
-#
-# (***) Less impressive improvement on Core 2 and Atom is due to slow
-#       pshufb, yet it's respectable +40%/78% improvement on Core 2
-#       (as implied, over "hyper-threading-safe" code path).
-#
-#                                               <appro@openssl.org>
-$flavour = shift;
-$output  = shift;
-if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
-$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
-die "can't locate x86_64-xlate.pl";
-open OUT,"| \"$^X\" $xlate $flavour $output";
-*STDOUT=*OUT;
-$PREFIX="vpaes";
-$code.=<<___;
-.text
-##
-##  _aes_encrypt_core
-##
-##  AES-encrypt %xmm0.
-##
-##  Inputs:
-##     %xmm0 = input
-##     %xmm9-%xmm15 as in _vpaes_preheat
-##    (%rdx) = scheduled keys
-##
-##  Output in %xmm0
-##  Clobbers  %xmm1-%xmm5, %r9, %r10, %r11, %rax
-##  Preserves %xmm6 - %xmm8 so you get some local vectors
-##
-##
-.type   _vpaes_encrypt_core,\@abi-omnipotent
-.align 16
-_vpaes_encrypt_core:
-        _CET_ENDBR
-        mov     %rdx,   %r9
-        mov     \$16,   %r11
-        mov     240(%rdx),%eax
-        movdqa  %xmm9,  %xmm1
-        movdqa  .Lk_ipt(%rip), %xmm2    # iptlo
-        pandn   %xmm0,  %xmm1
-        movdqu  (%r9),  %xmm5           # round0 key
-        psrld   \$4,    %xmm1
-        pand    %xmm9,  %xmm0
-        pshufb  %xmm0,  %xmm2
-        movdqa  .Lk_ipt+16(%rip), %xmm0 # ipthi
-        pshufb  %xmm1,  %xmm0
-        pxor    %xmm5,  %xmm2
-        pxor    %xmm2,  %xmm0
-        add     \$16,   %r9
-        lea     .Lk_mc_backward(%rip),%r10
-        jmp     .Lenc_entry
-.align 16
-.Lenc_loop:
-        # middle of middle round
-        movdqa  %xmm13, %xmm4   # 4 : sb1u
-        pshufb  %xmm2,  %xmm4   # 4 = sb1u
-        pxor    %xmm5,  %xmm4   # 4 = sb1u + k
-        movdqa  %xmm12, %xmm0   # 0 : sb1t
-        pshufb  %xmm3,  %xmm0   # 0 = sb1t
-        pxor    %xmm4,  %xmm0   # 0 = A
-        movdqa  %xmm15, %xmm5   # 4 : sb2u
-        pshufb  %xmm2,  %xmm5   # 4 = sb2u
-        movdqa  -0x40(%r11,%r10), %xmm1         # .Lk_mc_forward[]
-        movdqa  %xmm14, %xmm2   # 2 : sb2t
-        pshufb  %xmm3,  %xmm2   # 2 = sb2t
-        pxor    %xmm5,  %xmm2   # 2 = 2A
-        movdqa  (%r11,%r10), %xmm4              # .Lk_mc_backward[]
-        movdqa  %xmm0,  %xmm3   # 3 = A
-        pshufb  %xmm1,  %xmm0   # 0 = B
-        add     \$16,   %r9     # next key
-        pxor    %xmm2,  %xmm0   # 0 = 2A+B
-        pshufb  %xmm4,  %xmm3   # 3 = D
-        add     \$16,   %r11    # next mc
-        pxor    %xmm0,  %xmm3   # 3 = 2A+B+D
-        pshufb  %xmm1,  %xmm0   # 0 = 2B+C
-        and     \$0x30, %r11    # ... mod 4
-        pxor    %xmm3,  %xmm0   # 0 = 2A+3B+C+D
-        sub     \$1,%rax        # nr--
-.Lenc_entry:
-        # top of round
-        movdqa  %xmm9,  %xmm1   # 1 : i
-        pandn   %xmm0,  %xmm1   # 1 = i<<4
-        psrld   \$4,    %xmm1   # 1 = i
-        pand    %xmm9,  %xmm0   # 0 = k
-        movdqa  %xmm11, %xmm5   # 2 : a/k
-        pshufb  %xmm0,  %xmm5   # 2 = a/k
-        pxor    %xmm1,  %xmm0   # 0 = j
-        movdqa  %xmm10, %xmm3   # 3 : 1/i
-        pshufb  %xmm1,  %xmm3   # 3 = 1/i
-        pxor    %xmm5,  %xmm3   # 3 = iak = 1/i + a/k
-        movdqa  %xmm10, %xmm4   # 4 : 1/j
-        pshufb  %xmm0,  %xmm4   # 4 = 1/j
-        pxor    %xmm5,  %xmm4   # 4 = jak = 1/j + a/k
-        movdqa  %xmm10, %xmm2   # 2 : 1/iak
-        pshufb  %xmm3,  %xmm2   # 2 = 1/iak
-        pxor    %xmm0,  %xmm2   # 2 = io
-        movdqa  %xmm10, %xmm3   # 3 : 1/jak
-        movdqu  (%r9),  %xmm5
-        pshufb  %xmm4,  %xmm3   # 3 = 1/jak
-        pxor    %xmm1,  %xmm3   # 3 = jo
-        jnz     .Lenc_loop
-        # middle of last round
-        movdqa  -0x60(%r10), %xmm4      # 3 : sbou      .Lk_sbo
-        movdqa  -0x50(%r10), %xmm0      # 0 : sbot      .Lk_sbo+16
-        pshufb  %xmm2,  %xmm4   # 4 = sbou
-        pxor    %xmm5,  %xmm4   # 4 = sb1u + k
-        pshufb  %xmm3,  %xmm0   # 0 = sb1t
-        movdqa  0x40(%r11,%r10), %xmm1          # .Lk_sr[]
-        pxor    %xmm4,  %xmm0   # 0 = A
-        pshufb  %xmm1,  %xmm0
-        ret
-.size   _vpaes_encrypt_core,.-_vpaes_encrypt_core
-        
-##
-##  Decryption core
-##
-##  Same API as encryption core.
-##
-.type   _vpaes_decrypt_core,\@abi-omnipotent
-.align  16
-_vpaes_decrypt_core:
-        _CET_ENDBR
-        mov     %rdx,   %r9             # load key
-        mov     240(%rdx),%eax
-        movdqa  %xmm9,  %xmm1
-        movdqa  .Lk_dipt(%rip), %xmm2   # iptlo
-        pandn   %xmm0,  %xmm1
-        mov     %rax,   %r11
-        psrld   \$4,    %xmm1
-        movdqu  (%r9),  %xmm5           # round0 key
-        shl     \$4,    %r11
-        pand    %xmm9,  %xmm0
-        pshufb  %xmm0,  %xmm2
-        movdqa  .Lk_dipt+16(%rip), %xmm0 # ipthi
-        xor     \$0x30, %r11
-        lea     .Lk_dsbd(%rip),%r10
-        pshufb  %xmm1,  %xmm0
-        and     \$0x30, %r11
-        pxor    %xmm5,  %xmm2
-        movdqa  .Lk_mc_forward+48(%rip), %xmm5
-        pxor    %xmm2,  %xmm0
-        add     \$16,   %r9
-        add     %r10,   %r11
-        jmp     .Ldec_entry
-.align 16
-.Ldec_loop:
-##
-##  Inverse mix columns
-##
-        movdqa  -0x20(%r10),%xmm4       # 4 : sb9u
-        pshufb  %xmm2,  %xmm4           # 4 = sb9u
-        pxor    %xmm0,  %xmm4
-        movdqa  -0x10(%r10),%xmm0       # 0 : sb9t
-        pshufb  %xmm3,  %xmm0           # 0 = sb9t
-        pxor    %xmm4,  %xmm0           # 0 = ch
-        add     \$16, %r9               # next round key
-        pshufb  %xmm5,  %xmm0           # MC ch
-        movdqa  0x00(%r10),%xmm4        # 4 : sbdu
-        pshufb  %xmm2,  %xmm4           # 4 = sbdu
-        pxor    %xmm0,  %xmm4           # 4 = ch
-        movdqa  0x10(%r10),%xmm0        # 0 : sbdt
-        pshufb  %xmm3,  %xmm0           # 0 = sbdt
-        pxor    %xmm4,  %xmm0           # 0 = ch
-        sub     \$1,%rax                # nr--
-        
-        pshufb  %xmm5,  %xmm0           # MC ch
-        movdqa  0x20(%r10),%xmm4        # 4 : sbbu
-        pshufb  %xmm2,  %xmm4           # 4 = sbbu
-        pxor    %xmm0,  %xmm4           # 4 = ch
-        movdqa  0x30(%r10),%xmm0        # 0 : sbbt
-        pshufb  %xmm3,  %xmm0           # 0 = sbbt
-        pxor    %xmm4,  %xmm0           # 0 = ch
-        
-        pshufb  %xmm5,  %xmm0           # MC ch
-        movdqa  0x40(%r10),%xmm4        # 4 : sbeu
-        pshufb  %xmm2,  %xmm4           # 4 = sbeu
-        pxor    %xmm0,  %xmm4           # 4 = ch
-        movdqa  0x50(%r10),%xmm0        # 0 : sbet
-        pshufb  %xmm3,  %xmm0           # 0 = sbet
-        pxor    %xmm4,  %xmm0           # 0 = ch
-        palignr \$12,   %xmm5,  %xmm5
-        
-.Ldec_entry:
-        # top of round
-        movdqa  %xmm9,  %xmm1   # 1 : i
-        pandn   %xmm0,  %xmm1   # 1 = i<<4
-        psrld   \$4,    %xmm1   # 1 = i
-        pand    %xmm9,  %xmm0   # 0 = k
-        movdqa  %xmm11, %xmm2   # 2 : a/k
-        pshufb  %xmm0,  %xmm2   # 2 = a/k
-        pxor    %xmm1,  %xmm0   # 0 = j
-        movdqa  %xmm10, %xmm3   # 3 : 1/i
-        pshufb  %xmm1,  %xmm3   # 3 = 1/i
-        pxor    %xmm2,  %xmm3   # 3 = iak = 1/i + a/k
-        movdqa  %xmm10, %xmm4   # 4 : 1/j
-        pshufb  %xmm0,  %xmm4   # 4 = 1/j
-        pxor    %xmm2,  %xmm4   # 4 = jak = 1/j + a/k
-        movdqa  %xmm10, %xmm2   # 2 : 1/iak
-        pshufb  %xmm3,  %xmm2   # 2 = 1/iak
-        pxor    %xmm0,  %xmm2   # 2 = io
-        movdqa  %xmm10, %xmm3   # 3 : 1/jak
-        pshufb  %xmm4,  %xmm3   # 3 = 1/jak
-        pxor    %xmm1,  %xmm3   # 3 = jo
-        movdqu  (%r9),  %xmm0
-        jnz     .Ldec_loop
-        # middle of last round
-        movdqa  0x60(%r10), %xmm4       # 3 : sbou
-        pshufb  %xmm2,  %xmm4   # 4 = sbou
-        pxor    %xmm0,  %xmm4   # 4 = sb1u + k
-        movdqa  0x70(%r10), %xmm0       # 0 : sbot
-        movdqa  -0x160(%r11), %xmm2     # .Lk_sr-.Lk_dsbd=-0x160
-        pshufb  %xmm3,  %xmm0   # 0 = sb1t
-        pxor    %xmm4,  %xmm0   # 0 = A
-        pshufb  %xmm2,  %xmm0
-        ret
-.size   _vpaes_decrypt_core,.-_vpaes_decrypt_core
-########################################################
-##                                                    ##
-##                  AES key schedule                  ##
-##                                                    ##
-########################################################
-.type   _vpaes_schedule_core,\@abi-omnipotent
-.align  16
-_vpaes_schedule_core:
-        _CET_ENDBR
-        # rdi = key
-        # rsi = size in bits
-        # rdx = buffer
-        # rcx = direction.  0=encrypt, 1=decrypt
-        call    _vpaes_preheat          # load the tables
-        movdqa  .Lk_rcon(%rip), %xmm8   # load rcon
-        movdqu  (%rdi), %xmm0           # load key (unaligned)
-        # input transform
-        movdqa  %xmm0,  %xmm3
-        lea     .Lk_ipt(%rip), %r11
-        call    _vpaes_schedule_transform
-        movdqa  %xmm0,  %xmm7
-        lea     .Lk_sr(%rip),%r10
-        test    %rcx,   %rcx
-        jnz     .Lschedule_am_decrypting
-        # encrypting, output zeroth round key after transform
-        movdqu  %xmm0,  (%rdx)
-        jmp     .Lschedule_go
-.Lschedule_am_decrypting:
-        # decrypting, output zeroth round key after shiftrows
-        movdqa  (%r8,%r10),%xmm1
-        pshufb  %xmm1,  %xmm3
-        movdqu  %xmm3,  (%rdx)
-        xor     \$0x30, %r8
-.Lschedule_go:
-        cmp     \$192,  %esi
-        ja      .Lschedule_256
-        je      .Lschedule_192
-        # 128: fall though
-##
-##  .schedule_128
-##
-##  128-bit specific part of key schedule.
-##
-##  This schedule is really simple, because all its parts
-##  are accomplished by the subroutines.
-##
-.Lschedule_128:
-        mov     \$10, %esi
-        
-.Loop_schedule_128:
-        call    _vpaes_schedule_round
-        dec     %rsi
-        jz      .Lschedule_mangle_last
-        call    _vpaes_schedule_mangle  # write output
-        jmp     .Loop_schedule_128
-##
-##  .aes_schedule_192
-##
-##  192-bit specific part of key schedule.
-##
-##  The main body of this schedule is the same as the 128-bit
-##  schedule, but with more smearing.  The long, high side is
-##  stored in %xmm7 as before, and the short, low side is in
-##  the high bits of %xmm6.
-##
-##  This schedule is somewhat nastier, however, because each
-##  round produces 192 bits of key material, or 1.5 round keys.
-##  Therefore, on each cycle we do 2 rounds and produce 3 round
-##  keys.
-##
-.align  16
-.Lschedule_192:
-        movdqu  8(%rdi),%xmm0           # load key part 2 (very unaligned)
-        call    _vpaes_schedule_transform       # input transform
-        movdqa  %xmm0,  %xmm6           # save short part
-        pxor    %xmm4,  %xmm4           # clear 4
-        movhlps %xmm4,  %xmm6           # clobber low side with zeros
-        mov     \$4,    %esi
-.Loop_schedule_192:
-        call    _vpaes_schedule_round
-        palignr \$8,%xmm6,%xmm0 
-        call    _vpaes_schedule_mangle  # save key n
-        call    _vpaes_schedule_192_smear
-        call    _vpaes_schedule_mangle  # save key n+1
-        call    _vpaes_schedule_round
-        dec     %rsi
-        jz      .Lschedule_mangle_last
-        call    _vpaes_schedule_mangle  # save key n+2
-        call    _vpaes_schedule_192_smear
-        jmp     .Loop_schedule_192
-##
-##  .aes_schedule_256
-##
-##  256-bit specific part of key schedule.
-##
-##  The structure here is very similar to the 128-bit
-##  schedule, but with an additional "low side" in
-##  %xmm6.  The low side's rounds are the same as the
-##  high side's, except no rcon and no rotation.
-##
-.align  16
-.Lschedule_256:
-        movdqu  16(%rdi),%xmm0          # load key part 2 (unaligned)
-        call    _vpaes_schedule_transform       # input transform
-        mov     \$7, %esi
-        
-.Loop_schedule_256:
-        call    _vpaes_schedule_mangle  # output low result
-        movdqa  %xmm0,  %xmm6           # save cur_lo in xmm6
-        # high round
-        call    _vpaes_schedule_round
-        dec     %rsi
-        jz      .Lschedule_mangle_last
-        call    _vpaes_schedule_mangle  
-        # low round. swap xmm7 and xmm6
-        pshufd  \$0xFF, %xmm0,  %xmm0
-        movdqa  %xmm7,  %xmm5
-        movdqa  %xmm6,  %xmm7
-        call    _vpaes_schedule_low_round
-        movdqa  %xmm5,  %xmm7
-        
-        jmp     .Loop_schedule_256
-        
-##
-##  .aes_schedule_mangle_last
-##
-##  Mangler for last round of key schedule
-##  Mangles %xmm0
-##    when encrypting, outputs out(%xmm0) ^ 63
-##    when decrypting, outputs unskew(%xmm0)
-##
-##  Always called right before return... jumps to cleanup and exits
-##
-.align  16
-.Lschedule_mangle_last:
-        # schedule last round key from xmm0
-        lea     .Lk_deskew(%rip),%r11   # prepare to deskew
-        test    %rcx,   %rcx
-        jnz     .Lschedule_mangle_last_dec
-        # encrypting
-        movdqa  (%r8,%r10),%xmm1
-        pshufb  %xmm1,  %xmm0           # output permute
-        lea     .Lk_opt(%rip),  %r11    # prepare to output transform
-        add     \$32,   %rdx
-.Lschedule_mangle_last_dec:
-        add     \$-16,  %rdx
-        pxor    .Lk_s63(%rip),  %xmm0
-        call    _vpaes_schedule_transform # output transform
-        movdqu  %xmm0,  (%rdx)          # save last key
-        # cleanup
-        pxor    %xmm0,  %xmm0
-        pxor    %xmm1,  %xmm1
-        pxor    %xmm2,  %xmm2
-        pxor    %xmm3,  %xmm3
-        pxor    %xmm4,  %xmm4
-        pxor    %xmm5,  %xmm5
-        pxor    %xmm6,  %xmm6
-        pxor    %xmm7,  %xmm7
-        ret
-.size   _vpaes_schedule_core,.-_vpaes_schedule_core
-##
-##  .aes_schedule_192_smear
-##
-##  Smear the short, low side in the 192-bit key schedule.
-##
-##  Inputs:
-##    %xmm7: high side, b  a  x  y
-##    %xmm6:  low side, d  c  0  0
-##    %xmm13: 0
-##
-##  Outputs:
-##    %xmm6: b+c+d  b+c  0  0
-##    %xmm0: b+c+d  b+c  b  a
-##
-.type   _vpaes_schedule_192_smear,\@abi-omnipotent
-.align  16
-_vpaes_schedule_192_smear:
-        _CET_ENDBR
-        pshufd  \$0x80, %xmm6,  %xmm0   # d c 0 0 -> c 0 0 0
-        pxor    %xmm0,  %xmm6           # -> c+d c 0 0
-        pshufd  \$0xFE, %xmm7,  %xmm0   # b a _ _ -> b b b a
-        pxor    %xmm0,  %xmm6           # -> b+c+d b+c b a
-        movdqa  %xmm6,  %xmm0
-        pxor    %xmm1,  %xmm1
-        movhlps %xmm1,  %xmm6           # clobber low side with zeros
-        ret
-.size   _vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear
-##
-##  .aes_schedule_round
-##
-##  Runs one main round of the key schedule on %xmm0, %xmm7
-##
-##  Specifically, runs subbytes on the high dword of %xmm0
-##  then rotates it by one byte and xors into the low dword of
-##  %xmm7.
-##
-##  Adds rcon from low byte of %xmm8, then rotates %xmm8 for
-##  next rcon.
-##
-##  Smears the dwords of %xmm7 by xoring the low into the
-##  second low, result into third, result into highest.
-##
-##  Returns results in %xmm7 = %xmm0.
-##  Clobbers %xmm1-%xmm4, %r11.
-##
-.type   _vpaes_schedule_round,\@abi-omnipotent
-.align  16
-_vpaes_schedule_round:
-        _CET_ENDBR
-        # extract rcon from xmm8
-        pxor    %xmm1,  %xmm1
-        palignr \$15,   %xmm8,  %xmm1
-        palignr \$15,   %xmm8,  %xmm8
-        pxor    %xmm1,  %xmm7
-        # rotate
-        pshufd  \$0xFF, %xmm0,  %xmm0
-        palignr \$1,    %xmm0,  %xmm0
-        
-        # fall through...
-        
-        # low round: same as high round, but no rotation and no rcon.
-_vpaes_schedule_low_round:
-        # smear xmm7
-        movdqa  %xmm7,  %xmm1
-        pslldq  \$4,    %xmm7
-        pxor    %xmm1,  %xmm7
-        movdqa  %xmm7,  %xmm1
-        pslldq  \$8,    %xmm7
-        pxor    %xmm1,  %xmm7
-        pxor    .Lk_s63(%rip), %xmm7
-        # subbytes
-        movdqa  %xmm9,  %xmm1
-        pandn   %xmm0,  %xmm1
-        psrld   \$4,    %xmm1           # 1 = i
-        pand    %xmm9,  %xmm0           # 0 = k
-        movdqa  %xmm11, %xmm2           # 2 : a/k
-        pshufb  %xmm0,  %xmm2           # 2 = a/k
-        pxor    %xmm1,  %xmm0           # 0 = j
-        movdqa  %xmm10, %xmm3           # 3 : 1/i
-        pshufb  %xmm1,  %xmm3           # 3 = 1/i
-        pxor    %xmm2,  %xmm3           # 3 = iak = 1/i + a/k
-        movdqa  %xmm10, %xmm4           # 4 : 1/j
-        pshufb  %xmm0,  %xmm4           # 4 = 1/j
-        pxor    %xmm2,  %xmm4           # 4 = jak = 1/j + a/k
-        movdqa  %xmm10, %xmm2           # 2 : 1/iak
-        pshufb  %xmm3,  %xmm2           # 2 = 1/iak
-        pxor    %xmm0,  %xmm2           # 2 = io
-        movdqa  %xmm10, %xmm3           # 3 : 1/jak
-        pshufb  %xmm4,  %xmm3           # 3 = 1/jak
-        pxor    %xmm1,  %xmm3           # 3 = jo
-        movdqa  %xmm13, %xmm4           # 4 : sbou
-        pshufb  %xmm2,  %xmm4           # 4 = sbou
-        movdqa  %xmm12, %xmm0           # 0 : sbot
-        pshufb  %xmm3,  %xmm0           # 0 = sb1t
-        pxor    %xmm4,  %xmm0           # 0 = sbox output
-        # add in smeared stuff
-        pxor    %xmm7,  %xmm0   
-        movdqa  %xmm0,  %xmm7
-        ret
-.size   _vpaes_schedule_round,.-_vpaes_schedule_round
-##
-##  .aes_schedule_transform
-##
-##  Linear-transform %xmm0 according to tables at (%r11)
-##
-##  Requires that %xmm9 = 0x0F0F... as in preheat
-##  Output in %xmm0
-##  Clobbers %xmm1, %xmm2
-##
-.type   _vpaes_schedule_transform,\@abi-omnipotent
-.align  16
-_vpaes_schedule_transform:
-        _CET_ENDBR
-        movdqa  %xmm9,  %xmm1
-        pandn   %xmm0,  %xmm1
-        psrld   \$4,    %xmm1
-        pand    %xmm9,  %xmm0
-        movdqa  (%r11), %xmm2   # lo
-        pshufb  %xmm0,  %xmm2
-        movdqa  16(%r11), %xmm0 # hi
-        pshufb  %xmm1,  %xmm0
-        pxor    %xmm2,  %xmm0
-        ret
-.size   _vpaes_schedule_transform,.-_vpaes_schedule_transform
-##
-##  .aes_schedule_mangle
-##
-##  Mangle xmm0 from (basis-transformed) standard version
-##  to our version.
-##
-##  On encrypt,
-##    xor with 0x63
-##    multiply by circulant 0,1,1,1
-##    apply shiftrows transform
-##
-##  On decrypt,
-##    xor with 0x63
-##    multiply by "inverse mixcolumns" circulant E,B,D,9
-##    deskew
-##    apply shiftrows transform
-##
-##
-##  Writes out to (%rdx), and increments or decrements it
-##  Keeps track of round number mod 4 in %r8
-##  Preserves xmm0
-##  Clobbers xmm1-xmm5
-##
-.type   _vpaes_schedule_mangle,\@abi-omnipotent
-.align  16
-_vpaes_schedule_mangle:
-        _CET_ENDBR
-        movdqa  %xmm0,  %xmm4   # save xmm0 for later
-        movdqa  .Lk_mc_forward(%rip),%xmm5
-        test    %rcx,   %rcx
-        jnz     .Lschedule_mangle_dec
-        # encrypting
-        add     \$16,   %rdx
-        pxor    .Lk_s63(%rip),%xmm4
-        pshufb  %xmm5,  %xmm4
-        movdqa  %xmm4,  %xmm3
-        pshufb  %xmm5,  %xmm4
-        pxor    %xmm4,  %xmm3
-        pshufb  %xmm5,  %xmm4
-        pxor    %xmm4,  %xmm3
-        jmp     .Lschedule_mangle_both
-.align  16
-.Lschedule_mangle_dec:
-        # inverse mix columns
-        lea     .Lk_dksd(%rip),%r11
-        movdqa  %xmm9,  %xmm1
-        pandn   %xmm4,  %xmm1
-        psrld   \$4,    %xmm1   # 1 = hi
-        pand    %xmm9,  %xmm4   # 4 = lo
-        movdqa  0x00(%r11), %xmm2
-        pshufb  %xmm4,  %xmm2
-        movdqa  0x10(%r11), %xmm3
-        pshufb  %xmm1,  %xmm3
-        pxor    %xmm2,  %xmm3
-        pshufb  %xmm5,  %xmm3
-        movdqa  0x20(%r11), %xmm2
-        pshufb  %xmm4,  %xmm2
-        pxor    %xmm3,  %xmm2
-        movdqa  0x30(%r11), %xmm3
-        pshufb  %xmm1,  %xmm3
-        pxor    %xmm2,  %xmm3
-        pshufb  %xmm5,  %xmm3
-        movdqa  0x40(%r11), %xmm2
-        pshufb  %xmm4,  %xmm2
-        pxor    %xmm3,  %xmm2
-        movdqa  0x50(%r11), %xmm3
-        pshufb  %xmm1,  %xmm3
-        pxor    %xmm2,  %xmm3
-        pshufb  %xmm5,  %xmm3
-        movdqa  0x60(%r11), %xmm2
-        pshufb  %xmm4,  %xmm2
-        pxor    %xmm3,  %xmm2
-        movdqa  0x70(%r11), %xmm3
-        pshufb  %xmm1,  %xmm3
-        pxor    %xmm2,  %xmm3
-        add     \$-16,  %rdx
-.Lschedule_mangle_both:
-        movdqa  (%r8,%r10),%xmm1
-        pshufb  %xmm1,%xmm3
-        add     \$-16,  %r8
-        and     \$0x30, %r8
-        movdqu  %xmm3,  (%rdx)
-        ret
-.size   _vpaes_schedule_mangle,.-_vpaes_schedule_mangle
-#
-# Interface to OpenSSL
-#
-.globl  ${PREFIX}_set_encrypt_key
-.type   ${PREFIX}_set_encrypt_key,\@function,3
-.align  16
-${PREFIX}_set_encrypt_key:
-        _CET_ENDBR
-___
-$code.=<<___ if ($win64);
-        lea     -0xb8(%rsp),%rsp
-        movaps  %xmm6,0x10(%rsp)
-        movaps  %xmm7,0x20(%rsp)
-        movaps  %xmm8,0x30(%rsp)
-        movaps  %xmm9,0x40(%rsp)
-        movaps  %xmm10,0x50(%rsp)
-        movaps  %xmm11,0x60(%rsp)
-        movaps  %xmm12,0x70(%rsp)
-        movaps  %xmm13,0x80(%rsp)
-        movaps  %xmm14,0x90(%rsp)
-        movaps  %xmm15,0xa0(%rsp)
-.Lenc_key_body:
-___
-$code.=<<___;
-        mov     %esi,%eax
-        shr     \$5,%eax
-        add     \$5,%eax
-        mov     %eax,240(%rdx)  # AES_KEY->rounds = nbits/32+5;
-        mov     \$0,%ecx
-        mov     \$0x30,%r8d
-        call    _vpaes_schedule_core
-___
-$code.=<<___ if ($win64);
-        movaps  0x10(%rsp),%xmm6
-        movaps  0x20(%rsp),%xmm7
-        movaps  0x30(%rsp),%xmm8
-        movaps  0x40(%rsp),%xmm9
-        movaps  0x50(%rsp),%xmm10
-        movaps  0x60(%rsp),%xmm11
-        movaps  0x70(%rsp),%xmm12
-        movaps  0x80(%rsp),%xmm13
-        movaps  0x90(%rsp),%xmm14
-        movaps  0xa0(%rsp),%xmm15
-        lea     0xb8(%rsp),%rsp
-.Lenc_key_epilogue:
-___
-$code.=<<___;
-        xor     %eax,%eax
-        ret
-.size   ${PREFIX}_set_encrypt_key,.-${PREFIX}_set_encrypt_key
-.globl  ${PREFIX}_set_decrypt_key
-.type   ${PREFIX}_set_decrypt_key,\@function,3
-.align  16
-${PREFIX}_set_decrypt_key:
-        _CET_ENDBR
-___
-$code.=<<___ if ($win64);
-        lea     -0xb8(%rsp),%rsp
-        movaps  %xmm6,0x10(%rsp)
-        movaps  %xmm7,0x20(%rsp)
-        movaps  %xmm8,0x30(%rsp)
-        movaps  %xmm9,0x40(%rsp)
-        movaps  %xmm10,0x50(%rsp)
-        movaps  %xmm11,0x60(%rsp)
-        movaps  %xmm12,0x70(%rsp)
-        movaps  %xmm13,0x80(%rsp)
-        movaps  %xmm14,0x90(%rsp)
-        movaps  %xmm15,0xa0(%rsp)
-.Ldec_key_body:
-___
-$code.=<<___;
-        mov     %esi,%eax
-        shr     \$5,%eax
-        add     \$5,%eax
-        mov     %eax,240(%rdx)  # AES_KEY->rounds = nbits/32+5;
-        shl     \$4,%eax
-        lea     16(%rdx,%rax),%rdx
-        mov     \$1,%ecx
-        mov     %esi,%r8d
-        shr     \$1,%r8d
-        and     \$32,%r8d
-        xor     \$32,%r8d       # nbits==192?0:32
-        call    _vpaes_schedule_core
-___
-$code.=<<___ if ($win64);
-        movaps  0x10(%rsp),%xmm6
-        movaps  0x20(%rsp),%xmm7
-        movaps  0x30(%rsp),%xmm8
-        movaps  0x40(%rsp),%xmm9
-        movaps  0x50(%rsp),%xmm10
-        movaps  0x60(%rsp),%xmm11
-        movaps  0x70(%rsp),%xmm12
-        movaps  0x80(%rsp),%xmm13
-        movaps  0x90(%rsp),%xmm14
-        movaps  0xa0(%rsp),%xmm15
-        lea     0xb8(%rsp),%rsp
-.Ldec_key_epilogue:
-___
-$code.=<<___;
-        xor     %eax,%eax
-        ret
-.size   ${PREFIX}_set_decrypt_key,.-${PREFIX}_set_decrypt_key
-.globl  ${PREFIX}_encrypt
-.type   ${PREFIX}_encrypt,\@function,3
-.align  16
-${PREFIX}_encrypt:
-        _CET_ENDBR
-___
-$code.=<<___ if ($win64);
-        lea     -0xb8(%rsp),%rsp
-        movaps  %xmm6,0x10(%rsp)
-        movaps  %xmm7,0x20(%rsp)
-        movaps  %xmm8,0x30(%rsp)
-        movaps  %xmm9,0x40(%rsp)
-        movaps  %xmm10,0x50(%rsp)
-        movaps  %xmm11,0x60(%rsp)
-        movaps  %xmm12,0x70(%rsp)
-        movaps  %xmm13,0x80(%rsp)
-        movaps  %xmm14,0x90(%rsp)
-        movaps  %xmm15,0xa0(%rsp)
-.Lenc_body:
-___
-$code.=<<___;
-        movdqu  (%rdi),%xmm0
-        call    _vpaes_preheat
-        call    _vpaes_encrypt_core
-        movdqu  %xmm0,(%rsi)
-___
-$code.=<<___ if ($win64);
-        movaps  0x10(%rsp),%xmm6
-        movaps  0x20(%rsp),%xmm7
-        movaps  0x30(%rsp),%xmm8
-        movaps  0x40(%rsp),%xmm9
-        movaps  0x50(%rsp),%xmm10
-        movaps  0x60(%rsp),%xmm11
-        movaps  0x70(%rsp),%xmm12
-        movaps  0x80(%rsp),%xmm13
-        movaps  0x90(%rsp),%xmm14
-        movaps  0xa0(%rsp),%xmm15
-        lea     0xb8(%rsp),%rsp
-.Lenc_epilogue:
-___
-$code.=<<___;
-        ret
-.size   ${PREFIX}_encrypt,.-${PREFIX}_encrypt
-.globl  ${PREFIX}_decrypt
-.type   ${PREFIX}_decrypt,\@function,3
-.align  16
-${PREFIX}_decrypt:
-        _CET_ENDBR
-___
-$code.=<<___ if ($win64);
-        lea     -0xb8(%rsp),%rsp
-        movaps  %xmm6,0x10(%rsp)
-        movaps  %xmm7,0x20(%rsp)
-        movaps  %xmm8,0x30(%rsp)
-        movaps  %xmm9,0x40(%rsp)
-        movaps  %xmm10,0x50(%rsp)
-        movaps  %xmm11,0x60(%rsp)
-        movaps  %xmm12,0x70(%rsp)
-        movaps  %xmm13,0x80(%rsp)
-        movaps  %xmm14,0x90(%rsp)
-        movaps  %xmm15,0xa0(%rsp)
-.Ldec_body:
-___
-$code.=<<___;
-        movdqu  (%rdi),%xmm0
-        call    _vpaes_preheat
-        call    _vpaes_decrypt_core
-        movdqu  %xmm0,(%rsi)
-___
-$code.=<<___ if ($win64);
-        movaps  0x10(%rsp),%xmm6
-        movaps  0x20(%rsp),%xmm7
-        movaps  0x30(%rsp),%xmm8
-        movaps  0x40(%rsp),%xmm9
-        movaps  0x50(%rsp),%xmm10
-        movaps  0x60(%rsp),%xmm11
-        movaps  0x70(%rsp),%xmm12
-        movaps  0x80(%rsp),%xmm13
-        movaps  0x90(%rsp),%xmm14
-        movaps  0xa0(%rsp),%xmm15
-        lea     0xb8(%rsp),%rsp
-.Ldec_epilogue:
-___
-$code.=<<___;
-        ret
-.size   ${PREFIX}_decrypt,.-${PREFIX}_decrypt
-___
-{
-my ($inp,$out,$len,$key,$ivp,$enc)=("%rdi","%rsi","%rdx","%rcx","%r8","%r9");
-# void AES_cbc_encrypt (const void char *inp, unsigned char *out,
-#                       size_t length, const AES_KEY *key,
-#                       unsigned char *ivp,const int enc);
-$code.=<<___;
-.globl  ${PREFIX}_cbc_encrypt
-.type   ${PREFIX}_cbc_encrypt,\@function,6
-.align  16
-${PREFIX}_cbc_encrypt:
-        _CET_ENDBR
-        xchg    $key,$len
-___
-($len,$key)=($key,$len);
-$code.=<<___;
-        sub     \$16,$len
-        jc      .Lcbc_abort
-___
-$code.=<<___ if ($win64);
-        lea     -0xb8(%rsp),%rsp
-        movaps  %xmm6,0x10(%rsp)
-        movaps  %xmm7,0x20(%rsp)
-        movaps  %xmm8,0x30(%rsp)
-        movaps  %xmm9,0x40(%rsp)
-        movaps  %xmm10,0x50(%rsp)
-        movaps  %xmm11,0x60(%rsp)
-        movaps  %xmm12,0x70(%rsp)
-        movaps  %xmm13,0x80(%rsp)
-        movaps  %xmm14,0x90(%rsp)
-        movaps  %xmm15,0xa0(%rsp)
-.Lcbc_body:
-___
-$code.=<<___;
-        movdqu  ($ivp),%xmm6            # load IV
-        sub     $inp,$out
-        call    _vpaes_preheat
-        cmp     \$0,${enc}d
-        je      .Lcbc_dec_loop
-        jmp     .Lcbc_enc_loop
-.align  16
-.Lcbc_enc_loop:
-        movdqu  ($inp),%xmm0
-        pxor    %xmm6,%xmm0
-        call    _vpaes_encrypt_core
-        movdqa  %xmm0,%xmm6
-        movdqu  %xmm0,($out,$inp)
-        lea     16($inp),$inp
-        sub     \$16,$len
-        jnc     .Lcbc_enc_loop
-        jmp     .Lcbc_done
-.align  16
-.Lcbc_dec_loop:
-        movdqu  ($inp),%xmm0
-        movdqa  %xmm0,%xmm7
-        call    _vpaes_decrypt_core
-        pxor    %xmm6,%xmm0
-        movdqa  %xmm7,%xmm6
-        movdqu  %xmm0,($out,$inp)
-        lea     16($inp),$inp
-        sub     \$16,$len
-        jnc     .Lcbc_dec_loop
-.Lcbc_done:
-        movdqu  %xmm6,($ivp)            # save IV
-___
-$code.=<<___ if ($win64);
-        movaps  0x10(%rsp),%xmm6
-        movaps  0x20(%rsp),%xmm7
-        movaps  0x30(%rsp),%xmm8
-        movaps  0x40(%rsp),%xmm9
-        movaps  0x50(%rsp),%xmm10
-        movaps  0x60(%rsp),%xmm11
-        movaps  0x70(%rsp),%xmm12
-        movaps  0x80(%rsp),%xmm13
-        movaps  0x90(%rsp),%xmm14
-        movaps  0xa0(%rsp),%xmm15
-        lea     0xb8(%rsp),%rsp
-.Lcbc_epilogue:
-___
-$code.=<<___;
-.Lcbc_abort:
-        ret
-.size   ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
-___
-}
-$code.=<<___;
-##
-##  _aes_preheat
-##
-##  Fills register %r10 -> .aes_consts (so you can -fPIC)
-##  and %xmm9-%xmm15 as specified below.
-##
-.type   _vpaes_preheat,\@abi-omnipotent
-.align  16
-_vpaes_preheat:
-        _CET_ENDBR
-        lea     .Lk_s0F(%rip), %r10
-        movdqa  -0x20(%r10), %xmm10     # .Lk_inv
-        movdqa  -0x10(%r10), %xmm11     # .Lk_inv+16
-        movdqa  0x00(%r10), %xmm9       # .Lk_s0F
-        movdqa  0x30(%r10), %xmm13      # .Lk_sb1
-        movdqa  0x40(%r10), %xmm12      # .Lk_sb1+16
-        movdqa  0x50(%r10), %xmm15      # .Lk_sb2
-        movdqa  0x60(%r10), %xmm14      # .Lk_sb2+16
-        ret
-.size   _vpaes_preheat,.-_vpaes_preheat
-########################################################
-##                                                    ##
-##                     Constants                      ##
-##                                                    ##
-########################################################
-.section .rodata
-.type   _vpaes_consts,\@object
-.align  64
-_vpaes_consts:
-.Lk_inv:        # inv, inva
-        .quad   0x0E05060F0D080180, 0x040703090A0B0C02
-        .quad   0x01040A060F0B0780, 0x030D0E0C02050809
-.Lk_s0F:        # s0F
-        .quad   0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F
-.Lk_ipt:        # input transform (lo, hi)
-        .quad   0xC2B2E8985A2A7000, 0xCABAE09052227808
-        .quad   0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81
-.Lk_sb1:        # sb1u, sb1t
-        .quad   0xB19BE18FCB503E00, 0xA5DF7A6E142AF544
-        .quad   0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF
-.Lk_sb2:        # sb2u, sb2t
-        .quad   0xE27A93C60B712400, 0x5EB7E955BC982FCD
-        .quad   0x69EB88400AE12900, 0xC2A163C8AB82234A
-.Lk_sbo:        # sbou, sbot
-        .quad   0xD0D26D176FBDC700, 0x15AABF7AC502A878
-        .quad   0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA
-.Lk_mc_forward: # mc_forward
-        .quad   0x0407060500030201, 0x0C0F0E0D080B0A09
-        .quad   0x080B0A0904070605, 0x000302010C0F0E0D
-        .quad   0x0C0F0E0D080B0A09, 0x0407060500030201
-        .quad   0x000302010C0F0E0D, 0x080B0A0904070605
-.Lk_mc_backward:# mc_backward
-        .quad   0x0605040702010003, 0x0E0D0C0F0A09080B
-        .quad   0x020100030E0D0C0F, 0x0A09080B06050407
-        .quad   0x0E0D0C0F0A09080B, 0x0605040702010003
-        .quad   0x0A09080B06050407, 0x020100030E0D0C0F
-.Lk_sr:         # sr
-        .quad   0x0706050403020100, 0x0F0E0D0C0B0A0908
-        .quad   0x030E09040F0A0500, 0x0B06010C07020D08
-        .quad   0x0F060D040B020900, 0x070E050C030A0108
-        .quad   0x0B0E0104070A0D00, 0x0306090C0F020508
-.Lk_rcon:       # rcon
-        .quad   0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81
-.Lk_s63:        # s63: all equal to 0x63 transformed
-        .quad   0x5B5B5B5B5B5B5B5B, 0x5B5B5B5B5B5B5B5B
-.Lk_opt:        # output transform
-        .quad   0xFF9F4929D6B66000, 0xF7974121DEBE6808
-        .quad   0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0
-.Lk_deskew:     # deskew tables: inverts the sbox's "skew"
-        .quad   0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A
-        .quad   0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77
-##
-##  Decryption stuff
-##  Key schedule constants
-##
-.Lk_dksd:       # decryption key schedule: invskew x*D
-        .quad   0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9
-        .quad   0x41C277F4B5368300, 0x5FDC69EAAB289D1E
-.Lk_dksb:       # decryption key schedule: invskew x*B
-        .quad   0x9A4FCA1F8550D500, 0x03D653861CC94C99
-        .quad   0x115BEDA7B6FC4A00, 0xD993256F7E3482C8
-.Lk_dkse:       # decryption key schedule: invskew x*E + 0x63
-        .quad   0xD5031CCA1FC9D600, 0x53859A4C994F5086
-        .quad   0xA23196054FDC7BE8, 0xCD5EF96A20B31487
-.Lk_dks9:       # decryption key schedule: invskew x*9
-        .quad   0xB6116FC87ED9A700, 0x4AED933482255BFC
-        .quad   0x4576516227143300, 0x8BB89FACE9DAFDCE
-##
-##  Decryption stuff
-##  Round function constants
-##
-.Lk_dipt:       # decryption input transform
-        .quad   0x0F505B040B545F00, 0x154A411E114E451A
-        .quad   0x86E383E660056500, 0x12771772F491F194
-.Lk_dsb9:       # decryption sbox output *9*u, *9*t
-        .quad   0x851C03539A86D600, 0xCAD51F504F994CC9
-        .quad   0xC03B1789ECD74900, 0x725E2C9EB2FBA565
-.Lk_dsbd:       # decryption sbox output *D*u, *D*t
-        .quad   0x7D57CCDFE6B1A200, 0xF56E9B13882A4439
-        .quad   0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3
-.Lk_dsbb:       # decryption sbox output *B*u, *B*t
-        .quad   0xD022649296B44200, 0x602646F6B0F2D404
-        .quad   0xC19498A6CD596700, 0xF3FF0C3E3255AA6B
-.Lk_dsbe:       # decryption sbox output *E*u, *E*t
-        .quad   0x46F2929626D4D000, 0x2242600464B4F6B0
-        .quad   0x0C55A6CDFFAAC100, 0x9467F36B98593E32
-.Lk_dsbo:       # decryption sbox final output
-        .quad   0x1387EA537EF94000, 0xC7AA6DB9D4943E2D
-        .quad   0x12D7560F93441D00, 0xCA4B8159D8C58E9C
-.align  64
-.size   _vpaes_consts,.-_vpaes_consts
-.text
-___
-if ($win64) {
-# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame,
-#               CONTEXT *context,DISPATCHER_CONTEXT *disp)
-$rec="%rcx";
-$frame="%rdx";
-$context="%r8";
-$disp="%r9";
-$code.=<<___;
-.extern __imp_RtlVirtualUnwind
-.type   se_handler,\@abi-omnipotent
-.align  16
-se_handler:
-        _CET_ENDBR
-        push    %rsi
-        push    %rdi
-        push    %rbx
-        push    %rbp
-        push    %r12
-        push    %r13
-        push    %r14
-        push    %r15
-        pushfq
-        sub     \$64,%rsp
-        mov     120($context),%rax      # pull context->Rax
-        mov     248($context),%rbx      # pull context->Rip
-        mov     8($disp),%rsi           # disp->ImageBase
-        mov     56($disp),%r11          # disp->HandlerData
-        mov     0(%r11),%r10d           # HandlerData[0]
-        lea     (%rsi,%r10),%r10        # prologue label
-        cmp     %r10,%rbx               # context->Rip<prologue label
-        jb      .Lin_prologue
-        mov     152($context),%rax      # pull context->Rsp
-        mov     4(%r11),%r10d           # HandlerData[1]
-        lea     (%rsi,%r10),%r10        # epilogue label
-        cmp     %r10,%rbx               # context->Rip>=epilogue label
-        jae     .Lin_prologue
-        lea     16(%rax),%rsi           # %xmm save area
-        lea     512($context),%rdi      # &context.Xmm6
-        mov     \$20,%ecx               # 10*sizeof(%xmm0)/sizeof(%rax)
-        .long   0xa548f3fc              # cld; rep movsq
-        lea     0xb8(%rax),%rax         # adjust stack pointer
-.Lin_prologue:
-        mov     8(%rax),%rdi
-        mov     16(%rax),%rsi
-        mov     %rax,152($context)      # restore context->Rsp
-        mov     %rsi,168($context)      # restore context->Rsi
-        mov     %rdi,176($context)      # restore context->Rdi
-        mov     40($disp),%rdi          # disp->ContextRecord
-        mov     $context,%rsi           # context
-        mov     \$`1232/8`,%ecx         # sizeof(CONTEXT)
-        .long   0xa548f3fc              # cld; rep movsq
-        mov     $disp,%rsi
-        xor     %rcx,%rcx               # arg1, UNW_FLAG_NHANDLER
-        mov     8(%rsi),%rdx            # arg2, disp->ImageBase
-        mov     0(%rsi),%r8             # arg3, disp->ControlPc
-        mov     16(%rsi),%r9            # arg4, disp->FunctionEntry
-        mov     40(%rsi),%r10           # disp->ContextRecord
-        lea     56(%rsi),%r11           # &disp->HandlerData
-        lea     24(%rsi),%r12           # &disp->EstablisherFrame
-        mov     %r10,32(%rsp)           # arg5
-        mov     %r11,40(%rsp)           # arg6
-        mov     %r12,48(%rsp)           # arg7
-        mov     %rcx,56(%rsp)           # arg8, (NULL)
-        call    *__imp_RtlVirtualUnwind(%rip)
-        mov     \$1,%eax                # ExceptionContinueSearch
-        add     \$64,%rsp
-        popfq
-        pop     %r15
-        pop     %r14
-        pop     %r13
-        pop     %r12
-        pop     %rbp
-        pop     %rbx
-        pop     %rdi
-        pop     %rsi
-        ret
-.size   se_handler,.-se_handler
-.section        .pdata
-.align  4
-        .rva    .LSEH_begin_${PREFIX}_set_encrypt_key
-        .rva    .LSEH_end_${PREFIX}_set_encrypt_key
-        .rva    .LSEH_info_${PREFIX}_set_encrypt_key
-        .rva    .LSEH_begin_${PREFIX}_set_decrypt_key
-        .rva    .LSEH_end_${PREFIX}_set_decrypt_key
-        .rva    .LSEH_info_${PREFIX}_set_decrypt_key
-        .rva    .LSEH_begin_${PREFIX}_encrypt
-        .rva    .LSEH_end_${PREFIX}_encrypt
-        .rva    .LSEH_info_${PREFIX}_encrypt
-        .rva    .LSEH_begin_${PREFIX}_decrypt
-        .rva    .LSEH_end_${PREFIX}_decrypt
-        .rva    .LSEH_info_${PREFIX}_decrypt
-        .rva    .LSEH_begin_${PREFIX}_cbc_encrypt
-        .rva    .LSEH_end_${PREFIX}_cbc_encrypt
-        .rva    .LSEH_info_${PREFIX}_cbc_encrypt
-.section        .xdata
-.align  8
-.LSEH_info_${PREFIX}_set_encrypt_key:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lenc_key_body,.Lenc_key_epilogue       # HandlerData[]
-.LSEH_info_${PREFIX}_set_decrypt_key:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Ldec_key_body,.Ldec_key_epilogue       # HandlerData[]
-.LSEH_info_${PREFIX}_encrypt:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lenc_body,.Lenc_epilogue               # HandlerData[]
-.LSEH_info_${PREFIX}_decrypt:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Ldec_body,.Ldec_epilogue               # HandlerData[]
-.LSEH_info_${PREFIX}_cbc_encrypt:
-        .byte   9,0,0,0
-        .rva    se_handler
-        .rva    .Lcbc_body,.Lcbc_epilogue               # HandlerData[]
-___
-}
-$code =~ s/\`([^\`]*)\`/eval($1)/gem;
-print $code;
-close STDOUT;
diff --git a/src/lib/libcrypto/arch/aarch64/Makefile.inc b/src/lib/libcrypto/arch/aarch64/Makefile.inc
index d93cb815ef..596e98fe69 100644
--- a/src/lib/libcrypto/arch/aarch64/Makefile.inc
+++ b/src/lib/libcrypto/arch/aarch64/Makefile.inc
@@ -1,9 +1,12 @@
-# $OpenBSD: Makefile.inc,v 1.16 2025/03/12 14:13:41 jsing Exp $
+# $OpenBSD: Makefile.inc,v 1.18 2026/01/17 16:18:31 jsing Exp $
 # aarch64-specific libcrypto build rules
 SRCS += crypto_cpu_caps.c
+CFLAGS+= -DLIBRESSL_USE_SHA_ASSEMBLY
+SRCS += sha1_aarch64.c
+SRCS += sha1_aarch64_ce.S
 SRCS += sha256_aarch64.c
 SRCS += sha256_aarch64_ce.S
 SRCS += sha512_aarch64.c
diff --git a/src/lib/libcrypto/arch/aarch64/crypto_arch.h b/src/lib/libcrypto/arch/aarch64/crypto_arch.h
index 35ecba9394..8b5d83311e 100644
--- a/src/lib/libcrypto/arch/aarch64/crypto_arch.h
+++ b/src/lib/libcrypto/arch/aarch64/crypto_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_arch.h,v 1.4 2025/03/12 14:13:41 jsing Exp $ */
+/*      $OpenBSD: crypto_arch.h,v 1.6 2026/01/17 16:18:31 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -35,8 +35,11 @@ extern uint64_t crypto_cpu_caps_aarch64;
 #ifndef OPENSSL_NO_ASM
+#ifdef LIBRESSL_USE_SHA_ASSEMBLY
+#define HAVE_SHA1_BLOCK_DATA_ORDER
 #define HAVE_SHA256_BLOCK_DATA_ORDER
 #define HAVE_SHA512_BLOCK_DATA_ORDER
+#endif
 #endif
diff --git a/src/lib/libcrypto/arch/aarch64/opensslconf.h b/src/lib/libcrypto/arch/aarch64/opensslconf.h
deleted file mode 100644
index 731b06aecc..0000000000
--- a/src/lib/libcrypto/arch/aarch64/opensslconf.h
+++ /dev/null
@@ -1,154 +0,0 @@
-#include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
-#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
-#ifndef OPENSSL_FILE
-#ifdef OPENSSL_NO_FILENAMES
-#define OPENSSL_FILE ""
-#define OPENSSL_LINE 0
-#else
-#define OPENSSL_FILE __FILE__
-#define OPENSSL_LINE __LINE__
-#endif
-#endif
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
-/* Should we define BN_DIV2W here? */
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#define SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#undef THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/alpha/Makefile.inc b/src/lib/libcrypto/arch/alpha/Makefile.inc
index 1073ac3c1e..b2358a8494 100644
--- a/src/lib/libcrypto/arch/alpha/Makefile.inc
+++ b/src/lib/libcrypto/arch/alpha/Makefile.inc
@@ -1,14 +1,18 @@
-# $OpenBSD: Makefile.inc,v 1.15 2025/02/14 12:01:58 jsing Exp $
+# $OpenBSD: Makefile.inc,v 1.17 2026/01/17 16:18:31 jsing Exp $
 # alpha-specific libcrypto build rules
 # bn
+CFLAGS+= -DLIBRESSL_USE_BN_ASSEMBLY
 SSLASM+= bn alpha-mont
 CFLAGS+= -DOPENSSL_BN_ASM_MONT
 # modes
-CFLAGS+= -DGHASH_ASM
+CFLAGS+= -DLIBRESSL_USE_GCM_ASSEMBLY
 SSLASM+= modes ghash-alpha
 # sha
+CFLAGS+= -DLIBRESSL_USE_SHA_ASSEMBLY
 SSLASM+= sha sha1-alpha
 .for dir f in ${SSLASM}
diff --git a/src/lib/libcrypto/arch/alpha/crypto_arch.h b/src/lib/libcrypto/arch/alpha/crypto_arch.h
index 1d553b7e07..ba1803ddf8 100644
--- a/src/lib/libcrypto/arch/alpha/crypto_arch.h
+++ b/src/lib/libcrypto/arch/alpha/crypto_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_arch.h,v 1.2 2025/02/14 12:01:58 jsing Exp $ */
+/*      $OpenBSD: crypto_arch.h,v 1.4 2026/01/17 16:18:32 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -18,7 +18,18 @@
 #ifndef HEADER_CRYPTO_ARCH_H
 #define HEADER_CRYPTO_ARCH_H
+#ifndef OPENSSL_NO_ASM
+#ifdef LIBRESSL_USE_GCM_ASSEMBLY
+#define HAVE_GCM_GHASH_4BIT
+#define HAVE_GCM_GMULT_4BIT
+#endif
+#ifdef LIBRESSL_USE_SHA_ASSEMBLY
 #define HAVE_SHA1_BLOCK_DATA_ORDER
 #define HAVE_SHA1_BLOCK_GENERIC
+#endif
+#endif
 #endif
diff --git a/src/lib/libcrypto/arch/alpha/opensslconf.h b/src/lib/libcrypto/arch/alpha/opensslconf.h
deleted file mode 100644
index 0ec9c25891..0000000000
--- a/src/lib/libcrypto/arch/alpha/opensslconf.h
+++ /dev/null
@@ -1,152 +0,0 @@
-#include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
-#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
-#ifndef OPENSSL_FILE
-#ifdef OPENSSL_NO_FILENAMES
-#define OPENSSL_FILE ""
-#define OPENSSL_LINE 0
-#else
-#define OPENSSL_FILE __FILE__
-#define OPENSSL_LINE __LINE__
-#endif
-#endif
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
-/* Should we define BN_DIV2W here? */
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#define SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#undef THIRTY_TWO_BIT
-#endif
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#define BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#define DES_PTR
-#endif
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-#ifndef DES_RISC2
-#define DES_RISC2
-#endif
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#undef DES_UNROLL
-#endif
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/amd64/Makefile.inc b/src/lib/libcrypto/arch/amd64/Makefile.inc
index b1a6563931..ea03944273 100644
--- a/src/lib/libcrypto/arch/amd64/Makefile.inc
+++ b/src/lib/libcrypto/arch/amd64/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.37 2025/02/14 12:01:58 jsing Exp $
+# $OpenBSD: Makefile.inc,v 1.46 2026/01/17 16:18:32 jsing Exp $
 # amd64-specific libcrypto build rules
@@ -8,16 +8,12 @@ EXTRA_PL =	${LCRYPTO_SRC}/perlasm/x86_64-xlate.pl
 SRCS += crypto_cpu_caps.c
 # aes
-CFLAGS+= -DAES_ASM
+CFLAGS+= -DLIBRESSL_USE_AES_ASSEMBLY
 SSLASM+= aes aes-x86_64
-CFLAGS+= -DBSAES_ASM
-SSLASM+= aes bsaes-x86_64
-CFLAGS+= -DVPAES_ASM
-SSLASM+= aes vpaes-x86_64
 SSLASM+= aes aesni-x86_64
+SRCS += aes_amd64.c
 # bn
-CFLAGS+= -DOPENSSL_IA32_SSE2
-CFLAGS+= -DRSA_ASM
 SSLASM+= bn modexp512-x86_64
 CFLAGS+= -DOPENSSL_BN_ASM_MONT
 SSLASM+= bn x86_64-mont
@@ -25,29 +21,45 @@ CFLAGS+= -DOPENSSL_BN_ASM_MONT5
 SSLASM+= bn x86_64-mont5
 # bn s2n-bignum
+CFLAGS+= -DLIBRESSL_USE_BN_ASSEMBLY
 SRCS += bn_arch.c
 SRCS += bignum_add.S
 SRCS += bignum_cmadd.S
 SRCS += bignum_cmul.S
+SRCS += bignum_modadd.S
+SRCS += bignum_modsub.S
 SRCS += bignum_mul.S
+SRCS += bignum_mul_4_8.S
 SRCS += bignum_mul_4_8_alt.S
+SRCS += bignum_mul_6_12.S
+SRCS += bignum_mul_6_12_alt.S
+SRCS += bignum_mul_8_16.S
 SRCS += bignum_mul_8_16_alt.S
 SRCS += bignum_sqr.S
+SRCS += bignum_sqr_4_8.S
 SRCS += bignum_sqr_4_8_alt.S
+SRCS += bignum_sqr_6_12.S
+SRCS += bignum_sqr_6_12_alt.S
+SRCS += bignum_sqr_8_16.S
 SRCS += bignum_sqr_8_16_alt.S
 SRCS += bignum_sub.S
 SRCS += word_clz.S
 # md5
-CFLAGS+= -DMD5_ASM
+CFLAGS+= -DLIBRESSL_USE_MD5_ASSEMBLY
 SRCS+= md5_amd64_generic.S
 # modes
-CFLAGS+= -DGHASH_ASM
+CFLAGS+= -DLIBRESSL_USE_GCM_ASSEMBLY
 SSLASM+= modes ghash-x86_64
+SRCS += gcm128_amd64.c
 # rc4
+CFLAGS+= -DLIBRESSL_USE_RC4_ASSEMBLY
 SSLASM+= rc4 rc4-x86_64
-# ripemd
 # sha
+CFLAGS+= -DLIBRESSL_USE_SHA_ASSEMBLY
 SRCS+= sha1_amd64.c
 SRCS+= sha1_amd64_generic.S
 SRCS+= sha1_amd64_shani.S
diff --git a/src/lib/libcrypto/arch/amd64/crypto_arch.h b/src/lib/libcrypto/arch/amd64/crypto_arch.h
index 951374250d..09f771b6c6 100644
--- a/src/lib/libcrypto/arch/amd64/crypto_arch.h
+++ b/src/lib/libcrypto/arch/amd64/crypto_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_arch.h,v 1.5 2025/02/14 12:01:58 jsing Exp $ */
+/*      $OpenBSD: crypto_arch.h,v 1.18 2026/01/17 16:18:32 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -21,33 +21,57 @@
 #define HEADER_CRYPTO_ARCH_H
 #define HAVE_CRYPTO_CPU_CAPS_INIT
-#define HAVE_CRYPTO_CPU_CAPS_IA32
 #ifndef __ASSEMBLER__
 extern uint64_t crypto_cpu_caps_amd64;
 #endif
-#define CRYPTO_CPU_CAPS_AMD64_SHA       (1ULL << 0)
+#define CRYPTO_CPU_CAPS_AMD64_ADX       (1ULL << 0)
+#define CRYPTO_CPU_CAPS_AMD64_AES       (1ULL << 1)
+#define CRYPTO_CPU_CAPS_AMD64_CLMUL     (1ULL << 2)
+#define CRYPTO_CPU_CAPS_AMD64_SHA       (1ULL << 3)
 #ifndef OPENSSL_NO_ASM
-#define HAVE_AES_CBC_ENCRYPT_INTERNAL
+#ifdef LIBRESSL_USE_AES_ASSEMBLY
+#define HAVE_AES_SET_ENCRYPT_KEY_GENERIC
+#define HAVE_AES_SET_DECRYPT_KEY_GENERIC
+#define HAVE_AES_ENCRYPT_GENERIC
+#define HAVE_AES_DECRYPT_GENERIC
 #define HAVE_AES_SET_ENCRYPT_KEY_INTERNAL
 #define HAVE_AES_SET_DECRYPT_KEY_INTERNAL
 #define HAVE_AES_ENCRYPT_INTERNAL
 #define HAVE_AES_DECRYPT_INTERNAL
+#define HAVE_AES_CBC_ENCRYPT_INTERNAL
+#define HAVE_AES_CCM64_ENCRYPT_INTERNAL
+#define HAVE_AES_CTR32_ENCRYPT_INTERNAL
+#define HAVE_AES_ECB_ENCRYPT_INTERNAL
+#define HAVE_AES_XTS_ENCRYPT_INTERNAL
+#endif
+#ifdef LIBRESSL_USE_GCM_ASSEMBLY
+#define HAVE_GCM128_INIT
+#define HAVE_GCM_GHASH_4BIT
+#define HAVE_GCM_GMULT_4BIT
+#endif
+#ifdef LIBRESSL_USE_MD5_ASSEMBLY
+#define HAVE_MD5_BLOCK_DATA_ORDER
+#endif
+#ifdef LIBRESSL_USE_RC4_ASSEMBLY
 #define HAVE_RC4_INTERNAL
 #define HAVE_RC4_SET_KEY_INTERNAL
+#endif
+#ifdef LIBRESSL_USE_SHA_ASSEMBLY
 #define HAVE_SHA1_BLOCK_DATA_ORDER
 #define HAVE_SHA1_BLOCK_GENERIC
 #define HAVE_SHA256_BLOCK_DATA_ORDER
 #define HAVE_SHA256_BLOCK_GENERIC
 #define HAVE_SHA512_BLOCK_DATA_ORDER
 #define HAVE_SHA512_BLOCK_GENERIC
+#endif
 #endif
diff --git a/src/lib/libcrypto/arch/amd64/crypto_cpu_caps.c b/src/lib/libcrypto/arch/amd64/crypto_cpu_caps.c
index 63b7b64cda..51a2da4616 100644
--- a/src/lib/libcrypto/arch/amd64/crypto_cpu_caps.c
+++ b/src/lib/libcrypto/arch/amd64/crypto_cpu_caps.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_cpu_caps.c,v 1.4 2024/11/16 13:05:35 jsing Exp $ */
+/*      $OpenBSD: crypto_cpu_caps.c,v 1.8 2025/08/14 15:11:01 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -98,10 +98,14 @@ crypto_cpu_caps_init(void)
        if ((edx & IA32CAP_MASK0_SSE2) != 0)
                caps |= CPUCAP_MASK_SSE2;
-        if ((ecx & IA32CAP_MASK1_AESNI) != 0)
+        if ((ecx & IA32CAP_MASK1_AESNI) != 0) {
                caps |= CPUCAP_MASK_AESNI;
-        if ((ecx & IA32CAP_MASK1_PCLMUL) != 0)
+                crypto_cpu_caps_amd64 |= CRYPTO_CPU_CAPS_AMD64_AES;
+        }
+        if ((ecx & IA32CAP_MASK1_PCLMUL) != 0) {
                caps |= CPUCAP_MASK_PCLMUL;
+                crypto_cpu_caps_amd64 |= CRYPTO_CPU_CAPS_AMD64_CLMUL;
+        }
        if ((ecx & IA32CAP_MASK1_SSSE3) != 0)
                caps |= CPUCAP_MASK_SSSE3;
@@ -115,6 +119,10 @@ crypto_cpu_caps_init(void)
        if (max_cpuid >= 7) {
                cpuid(7, NULL, &ebx, NULL, NULL);
+                /* Intel ADX feature bit - ebx[19]. */
+                if (((ebx >> 19) & 1) != 0)
+                        crypto_cpu_caps_amd64 |= CRYPTO_CPU_CAPS_AMD64_ADX;
                /* Intel SHA extensions feature bit - ebx[29]. */
                if (((ebx >> 29) & 1) != 0)
                        crypto_cpu_caps_amd64 |= CRYPTO_CPU_CAPS_AMD64_SHA;
@@ -126,9 +134,3 @@ crypto_cpu_caps_init(void)
        OPENSSL_ia32cap_P = caps;
 }
-uint64_t
-crypto_cpu_caps_ia32(void)
-{
-        return OPENSSL_ia32cap_P;
-}
diff --git a/src/lib/libcrypto/arch/amd64/opensslconf.h b/src/lib/libcrypto/arch/amd64/opensslconf.h
deleted file mode 100644
index cc193762f1..0000000000
--- a/src/lib/libcrypto/arch/amd64/opensslconf.h
+++ /dev/null
@@ -1,149 +0,0 @@
-#include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
-#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
-#ifndef OPENSSL_FILE
-#ifdef OPENSSL_NO_FILENAMES
-#define OPENSSL_FILE ""
-#define OPENSSL_LINE 0
-#else
-#define OPENSSL_FILE __FILE__
-#define OPENSSL_LINE __LINE__
-#endif
-#endif
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
-/* Should we define BN_DIV2W here? */
-/* Only one for the following should be defined */
-#define SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#undef THIRTY_TWO_BIT
-#endif
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/arm/Makefile.inc b/src/lib/libcrypto/arch/arm/Makefile.inc
index e078c51d98..271dff04f6 100644
--- a/src/lib/libcrypto/arch/arm/Makefile.inc
+++ b/src/lib/libcrypto/arch/arm/Makefile.inc
@@ -1,28 +1,3 @@
-# $oPenBSD: Makefile.inc,v 1.2 2014/05/02 18:21:39 miod Exp $
+# $OpenBSD: Makefile.inc,v 1.20 2025/05/24 07:07:18 jsing Exp $
 # arm-specific libcrypto build rules
-# aes
-CFLAGS+= -DAES_ASM
-SSLASM+= aes aes-armv4
-# bn
-CFLAGS+= -DOPENSSL_BN_ASM_MONT
-SSLASM+= bn armv4-mont
-# modes
-CFLAGS+= -DGHASH_ASM
-SSLASM+= modes ghash-armv4
-# sha
-SSLASM+= sha sha1-armv4-large
-SSLASM+= sha sha256-armv4
-SSLASM+= sha sha512-armv4
-.for dir f in ${SSLASM}
-SRCS+=  ${f}.S
-GENERATED+=${f}.S
-${f}.S: ${LCRYPTO_SRC}/${dir}/asm/${f}.pl
-        /usr/bin/perl \
-                ${LCRYPTO_SRC}/${dir}/asm/${f}.pl void ${.TARGET} > ${.TARGET}
-.endfor
-CFLAGS+= -DOPENSSL_CPUID_OBJ
-SRCS+=  armv4cpuid.S armcap.c
diff --git a/src/lib/libcrypto/arch/arm/arm_arch.h b/src/lib/libcrypto/arch/arm/arm_arch.h
deleted file mode 100644
index 5ac3b935f1..0000000000
--- a/src/lib/libcrypto/arch/arm/arm_arch.h
+++ /dev/null
@@ -1,59 +0,0 @@
-/* $OpenBSD: arm_arch.h,v 1.1 2022/03/23 15:13:31 tb Exp $ */
-#ifndef __ARM_ARCH_H__
-#define __ARM_ARCH_H__
-#if !defined(__ARM_ARCH__)
-# if defined(__CC_ARM)
-#  define __ARM_ARCH__ __TARGET_ARCH_ARM
-#  if defined(__BIG_ENDIAN)
-#   define __ARMEB__
-#  else
-#   define __ARMEL__
-#  endif
-# elif defined(__GNUC__)
-  /*
-   * Why doesn't gcc define __ARM_ARCH__? Instead it defines
-   * bunch of below macros. See all_architectures[] table in
-   * gcc/config/arm/arm.c. On a side note it defines
-   * __ARMEL__/__ARMEB__ for little-/big-endian.
-   */
-#  if   defined(__ARM_ARCH)
-#   define __ARM_ARCH__ __ARM_ARCH
-#  elif defined(__ARM_ARCH_8A__)
-#   define __ARM_ARCH__ 8
-#  elif defined(__ARM_ARCH_7__) || defined(__ARM_ARCH_7A__)     || \
-        defined(__ARM_ARCH_7R__)|| defined(__ARM_ARCH_7M__)     || \
-        defined(__ARM_ARCH_7EM__)
-#   define __ARM_ARCH__ 7
-#  elif defined(__ARM_ARCH_6__) || defined(__ARM_ARCH_6J__)     || \
-        defined(__ARM_ARCH_6K__)|| defined(__ARM_ARCH_6M__)     || \
-        defined(__ARM_ARCH_6Z__)|| defined(__ARM_ARCH_6ZK__)    || \
-        defined(__ARM_ARCH_6T2__)
-#   define __ARM_ARCH__ 6
-#  elif defined(__ARM_ARCH_5__) || defined(__ARM_ARCH_5T__)     || \
-        defined(__ARM_ARCH_5E__)|| defined(__ARM_ARCH_5TE__)    || \
-        defined(__ARM_ARCH_5TEJ__)
-#   define __ARM_ARCH__ 5
-#  elif defined(__ARM_ARCH_4__) || defined(__ARM_ARCH_4T__)
-#   define __ARM_ARCH__ 4
-#  else
-#   error "unsupported ARM architecture"
-#  endif
-# endif
-#endif
-#if !defined(__ASSEMBLER__)
-extern unsigned int OPENSSL_armcap_P;
-#define ARMV7_NEON      (1<<0)
-#define ARMV8_AES       (1<<1)
-#define ARMV8_SHA1      (1<<2)
-#define ARMV8_SHA256    (1<<3)
-#define ARMV8_PMULL     (1<<4)
-#endif
-#if defined(__OpenBSD__)
-#define __STRICT_ALIGNMENT
-#endif
-#endif
diff --git a/src/lib/libcrypto/arch/arm/armcap.c b/src/lib/libcrypto/arch/arm/armcap.c
deleted file mode 100644
index 0238195397..0000000000
--- a/src/lib/libcrypto/arch/arm/armcap.c
+++ /dev/null
@@ -1,88 +0,0 @@
-/* $OpenBSD: armcap.c,v 1.3 2024/08/29 03:30:05 deraadt Exp $ */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <setjmp.h>
-#include <signal.h>
-#include <openssl/crypto.h>
-#include "arm_arch.h"
-unsigned int OPENSSL_armcap_P;
-#if __ARM_ARCH__ >= 7
-static sigset_t all_masked;
-static sigjmp_buf ill_jmp;
-static void
-ill_handler(int sig)
-{
-        siglongjmp(ill_jmp, sig);
-}
-/*
- * Following subroutines could have been inlined, but it's not all
- * ARM compilers support inline assembler...
- */
-void _armv7_neon_probe(void);
-void _armv8_aes_probe(void);
-void _armv8_sha1_probe(void);
-void _armv8_sha256_probe(void);
-void _armv8_pmull_probe(void);
-#endif
-void
-OPENSSL_cpuid_setup(void)
-{
-#if __ARM_ARCH__ >= 7
-        struct sigaction        ill_oact, ill_act;
-        sigset_t                oset;
-#endif
-        static int trigger = 0;
-        if (trigger)
-                return;
-        trigger = 1;
-        OPENSSL_armcap_P = 0;
-#if __ARM_ARCH__ >= 7
-        sigfillset(&all_masked);
-        sigdelset(&all_masked, SIGILL);
-        sigdelset(&all_masked, SIGTRAP);
-        sigdelset(&all_masked, SIGFPE);
-        sigdelset(&all_masked, SIGBUS);
-        sigdelset(&all_masked, SIGSEGV);
-        memset(&ill_act, 0, sizeof(ill_act));
-        ill_act.sa_handler = ill_handler;
-        ill_act.sa_mask = all_masked;
-        sigprocmask(SIG_SETMASK, &ill_act.sa_mask, &oset);
-        sigaction(SIGILL, &ill_act, &ill_oact);
-        if (sigsetjmp(ill_jmp, 1) == 0) {
-                _armv7_neon_probe();
-                OPENSSL_armcap_P |= ARMV7_NEON;
-                if (sigsetjmp(ill_jmp, 1) == 0) {
-                        _armv8_pmull_probe();
-                        OPENSSL_armcap_P |= ARMV8_PMULL | ARMV8_AES;
-                } else if (sigsetjmp(ill_jmp, 1) == 0) {
-                        _armv8_aes_probe();
-                        OPENSSL_armcap_P |= ARMV8_AES;
-                }
-                if (sigsetjmp(ill_jmp, 1) == 0) {
-                        _armv8_sha1_probe();
-                        OPENSSL_armcap_P |= ARMV8_SHA1;
-                }
-                if (sigsetjmp(ill_jmp, 1) == 0) {
-                        _armv8_sha256_probe();
-                        OPENSSL_armcap_P |= ARMV8_SHA256;
-                }
-        }
-        sigaction (SIGILL, &ill_oact, NULL);
-        sigprocmask(SIG_SETMASK, &oset, NULL);
-#endif
-}
diff --git a/src/lib/libcrypto/arch/arm/armv4cpuid.S b/src/lib/libcrypto/arch/arm/armv4cpuid.S
deleted file mode 100644
index db0b54e496..0000000000
--- a/src/lib/libcrypto/arch/arm/armv4cpuid.S
+++ /dev/null
@@ -1,69 +0,0 @@
-#include "arm_arch.h"
-.text
-#if defined(__thumb2__) && !defined(__APPLE__)
-.syntax unified
-.thumb
-#else
-.code   32
-#undef  __thumb2__
-#endif
-#if __ARM_ARCH__>=7
-.arch   armv7-a
-.fpu    neon
-.align  5
-.globl  _armv7_neon_probe
-.type   _armv7_neon_probe,%function
-_armv7_neon_probe:
-        vorr    q0,q0,q0
-        bx      lr
-.size   _armv7_neon_probe,.-_armv7_neon_probe
-.globl  _armv8_aes_probe
-.type   _armv8_aes_probe,%function
-_armv8_aes_probe:
-#if defined(__thumb2__) && !defined(__APPLE__)
-.byte   0xb0,0xff,0x00,0x03     @ aese.8        q0,q0
-#else
-.byte   0x00,0x03,0xb0,0xf3     @ aese.8        q0,q0
-#endif
-        bx      lr
-.size   _armv8_aes_probe,.-_armv8_aes_probe
-.globl  _armv8_sha1_probe
-.type   _armv8_sha1_probe,%function
-_armv8_sha1_probe:
-#if defined(__thumb2__) && !defined(__APPLE__)
-.byte   0x00,0xef,0x40,0x0c     @ sha1c.32      q0,q0,q0
-#else
-.byte   0x40,0x0c,0x00,0xf2     @ sha1c.32      q0,q0,q0
-#endif
-        bx      lr
-.size   _armv8_sha1_probe,.-_armv8_sha1_probe
-.globl  _armv8_sha256_probe
-.type   _armv8_sha256_probe,%function
-_armv8_sha256_probe:
-#if defined(__thumb2__) && !defined(__APPLE__)
-.byte   0x00,0xff,0x40,0x0c     @ sha256h.32    q0,q0,q0
-#else
-.byte   0x40,0x0c,0x00,0xf3     @ sha256h.32    q0,q0,q0
-#endif
-        bx      lr
-.size   _armv8_sha256_probe,.-_armv8_sha256_probe
-.globl  _armv8_pmull_probe
-.type   _armv8_pmull_probe,%function
-_armv8_pmull_probe:
-#if defined(__thumb2__) && !defined(__APPLE__)
-.byte   0xa0,0xef,0x00,0x0e     @ vmull.p64     q0,d0,d0
-#else
-.byte   0x00,0x0e,0xa0,0xf2     @ vmull.p64     q0,d0,d0
-#endif
-        bx      lr
-.size   _armv8_pmull_probe,.-_armv8_pmull_probe
-#endif
-.comm   OPENSSL_armcap_P,4,4
-.hidden OPENSSL_armcap_P
diff --git a/src/lib/libcrypto/arch/arm/crypto_arch.h b/src/lib/libcrypto/arch/arm/crypto_arch.h
index 07d7829fe3..732a59cf72 100644
--- a/src/lib/libcrypto/arch/arm/crypto_arch.h
+++ b/src/lib/libcrypto/arch/arm/crypto_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_arch.h,v 1.2 2025/02/14 12:01:58 jsing Exp $ */
+/*      $OpenBSD: crypto_arch.h,v 1.3 2025/05/24 07:07:18 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -20,20 +20,6 @@
 #ifndef OPENSSL_NO_ASM
-#define HAVE_AES_SET_ENCRYPT_KEY_INTERNAL
-#define HAVE_AES_SET_DECRYPT_KEY_INTERNAL
-#define HAVE_AES_ENCRYPT_INTERNAL
-#define HAVE_AES_DECRYPT_INTERNAL
-#define HAVE_SHA1_BLOCK_DATA_ORDER
-#define HAVE_SHA1_BLOCK_GENERIC
-#define HAVE_SHA256_BLOCK_DATA_ORDER
-#define HAVE_SHA256_BLOCK_GENERIC
-#define HAVE_SHA512_BLOCK_DATA_ORDER
-#define HAVE_SHA512_BLOCK_GENERIC
 #endif
 #endif
diff --git a/src/lib/libcrypto/arch/arm/opensslconf.h b/src/lib/libcrypto/arch/arm/opensslconf.h
deleted file mode 100644
index a5d26b6fdc..0000000000
--- a/src/lib/libcrypto/arch/arm/opensslconf.h
+++ /dev/null
@@ -1,154 +0,0 @@
-#include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
-#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
-#ifndef OPENSSL_FILE
-#ifdef OPENSSL_NO_FILENAMES
-#define OPENSSL_FILE ""
-#define OPENSSL_LINE 0
-#else
-#define OPENSSL_FILE __FILE__
-#define OPENSSL_LINE __LINE__
-#endif
-#endif
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#undef RC4_CHUNK
-#endif
-#endif
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#define BN_LLONG
-/* Should we define BN_DIV2W here? */
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#undef SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/hppa/Makefile.inc b/src/lib/libcrypto/arch/hppa/Makefile.inc
index 11bfa4a5d3..c18e68d21c 100644
--- a/src/lib/libcrypto/arch/hppa/Makefile.inc
+++ b/src/lib/libcrypto/arch/hppa/Makefile.inc
@@ -1,17 +1,22 @@
-# $OpenBSD: Makefile.inc,v 1.26 2025/02/14 12:01:58 jsing Exp $
+# $OpenBSD: Makefile.inc,v 1.30 2026/01/17 16:18:32 jsing Exp $
 # hppa-specific libcrypto build rules
 # aes
-CFLAGS+= -DAES_ASM
+CFLAGS+= -DLIBRESSL_USE_AES_ASSEMBLY
 SSLASM+= aes aes-parisc aes-parisc
 # bn
+CFLAGS+= -DLIBRESSL_USE_BN_ASSEMBLY
 SSLASM+= bn parisc-mont parisc-mont
-CFLAGS+= -DOPENSSL_BN_ASM_MONT -DBN_DIV2W
+CFLAGS+= -DOPENSSL_BN_ASM_MONT
 # modes
-CFLAGS+= -DGHASH_ASM
+CFLAGS+= -DLIBRESSL_USE_GCM_ASSEMBLY
 SSLASM+= modes ghash-parisc ghash-parisc
 # sha
+CFLAGS+= -DLIBRESSL_USE_SHA_ASSEMBLY
 SSLASM+= sha sha1-parisc sha1-parisc
 SSLASM+= sha sha512-parisc sha256-parisc
diff --git a/src/lib/libcrypto/arch/hppa/crypto_arch.h b/src/lib/libcrypto/arch/hppa/crypto_arch.h
index 08fcaca045..f1e7d2dcbf 100644
--- a/src/lib/libcrypto/arch/hppa/crypto_arch.h
+++ b/src/lib/libcrypto/arch/hppa/crypto_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_arch.h,v 1.2 2025/02/14 12:01:58 jsing Exp $ */
+/*      $OpenBSD: crypto_arch.h,v 1.4 2026/01/17 16:18:32 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -20,14 +20,22 @@
 #ifndef OPENSSL_NO_ASM
+#ifdef LIBRESSL_USE_AES_ASSEMBLY
 #define HAVE_AES_ENCRYPT_INTERNAL
 #define HAVE_AES_DECRYPT_INTERNAL
+#endif
+#ifdef LIBRESSL_USE_GCM_ASSEMBLY
+#define HAVE_GCM_GHASH_4BIT
+#define HAVE_GCM_GMULT_4BIT
+#endif
+#ifdef LIBRESSL_USE_SHA_ASSEMBLY
 #define HAVE_SHA1_BLOCK_DATA_ORDER
 #define HAVE_SHA1_BLOCK_GENERIC
 #define HAVE_SHA256_BLOCK_DATA_ORDER
 #define HAVE_SHA256_BLOCK_GENERIC
+#endif
 #endif
diff --git a/src/lib/libcrypto/arch/hppa/opensslconf.h b/src/lib/libcrypto/arch/hppa/opensslconf.h
deleted file mode 100644
index a5d26b6fdc..0000000000
--- a/src/lib/libcrypto/arch/hppa/opensslconf.h
+++ /dev/null
@@ -1,154 +0,0 @@
-#include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
-#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
-#ifndef OPENSSL_FILE
-#ifdef OPENSSL_NO_FILENAMES
-#define OPENSSL_FILE ""
-#define OPENSSL_LINE 0
-#else
-#define OPENSSL_FILE __FILE__
-#define OPENSSL_LINE __LINE__
-#endif
-#endif
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#undef RC4_CHUNK
-#endif
-#endif
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#define BN_LLONG
-/* Should we define BN_DIV2W here? */
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#undef SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/i386/Makefile.inc b/src/lib/libcrypto/arch/i386/Makefile.inc
index 6989b35686..a81b18880d 100644
--- a/src/lib/libcrypto/arch/i386/Makefile.inc
+++ b/src/lib/libcrypto/arch/i386/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.27 2025/02/14 12:01:58 jsing Exp $
+# $OpenBSD: Makefile.inc,v 1.35 2026/01/17 16:18:32 jsing Exp $
 # i386-specific libcrypto build rules
@@ -8,26 +8,33 @@ EXTRA_PL =  ${LCRYPTO_SRC}/perlasm/x86gas.pl ${LCRYPTO_SRC}/perlasm/x86asm.pl
 SRCS += crypto_cpu_caps.c
 # aes
-CFLAGS+= -DAES_ASM
+CFLAGS+= -DLIBRESSL_USE_AES_ASSEMBLY
 SSLASM+= aes aes-586
-CFLAGS+= -DVPAES_ASM
-SSLASM+= aes vpaes-x86
 SSLASM+= aes aesni-x86
+SRCS += aes_i386.c
 # bn
-CFLAGS+= -DOPENSSL_IA32_SSE2
+CFLAGS+= -DLIBRESSL_USE_BN_ASSEMBLY
 SSLASM+= bn bn-586
 SSLASM+= bn co-586
 CFLAGS+= -DOPENSSL_BN_ASM_MONT
 SSLASM+= bn x86-mont
 # md5
-CFLAGS+= -DMD5_ASM
+CFLAGS+= -DLIBRESSL_USE_MD5_ASSEMBLY
 SSLASM+= md5 md5-586
 # modes
-CFLAGS+= -DGHASH_ASM
+CFLAGS+= -DLIBRESSL_USE_GCM_ASSEMBLY
 SSLASM+= modes ghash-x86
+SRCS += gcm128_i386.c
 # rc4
+CFLAGS+= -DLIBRESSL_USE_RC4_ASSEMBLY
 SSLASM+= rc4 rc4-586
 # sha
+CFLAGS+= -DLIBRESSL_USE_SHA_ASSEMBLY
 SSLASM+= sha sha1-586
 SSLASM+= sha sha256-586
 SSLASM+= sha sha512-586
diff --git a/src/lib/libcrypto/arch/i386/crypto_arch.h b/src/lib/libcrypto/arch/i386/crypto_arch.h
index 3df3963d0b..dc3c591b0d 100644
--- a/src/lib/libcrypto/arch/i386/crypto_arch.h
+++ b/src/lib/libcrypto/arch/i386/crypto_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_arch.h,v 1.4 2025/02/14 12:01:58 jsing Exp $ */
+/*      $OpenBSD: crypto_arch.h,v 1.17 2026/01/17 16:18:32 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -15,31 +15,63 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+#include <stdint.h>
 #ifndef HEADER_CRYPTO_ARCH_H
 #define HEADER_CRYPTO_ARCH_H
 #define HAVE_CRYPTO_CPU_CAPS_INIT
-#define HAVE_CRYPTO_CPU_CAPS_IA32
+#ifndef __ASSEMBLER__
+extern uint64_t crypto_cpu_caps_i386;
+#endif
+#define CRYPTO_CPU_CAPS_I386_AES        (1ULL << 0)
+#define CRYPTO_CPU_CAPS_I386_CLMUL      (1ULL << 1)
+#define CRYPTO_CPU_CAPS_I386_MMX        (1ULL << 2)
+#define CRYPTO_CPU_CAPS_I386_SSE        (1ULL << 3)
 #ifndef OPENSSL_NO_ASM
-#define HAVE_AES_CBC_ENCRYPT_INTERNAL
+#ifdef LIBRESSL_USE_AES_ASSEMBLY
+#define HAVE_AES_SET_ENCRYPT_KEY_GENERIC
+#define HAVE_AES_SET_DECRYPT_KEY_GENERIC
+#define HAVE_AES_ENCRYPT_GENERIC
+#define HAVE_AES_DECRYPT_GENERIC
 #define HAVE_AES_SET_ENCRYPT_KEY_INTERNAL
 #define HAVE_AES_SET_DECRYPT_KEY_INTERNAL
 #define HAVE_AES_ENCRYPT_INTERNAL
 #define HAVE_AES_DECRYPT_INTERNAL
+#define HAVE_AES_CBC_ENCRYPT_INTERNAL
+#define HAVE_AES_CCM64_ENCRYPT_INTERNAL
+#define HAVE_AES_CTR32_ENCRYPT_INTERNAL
+#define HAVE_AES_ECB_ENCRYPT_INTERNAL
+#define HAVE_AES_XTS_ENCRYPT_INTERNAL
+#endif
+#ifdef LIBRESSL_USE_GCM_ASSEMBLY
+#define HAVE_GCM128_INIT
+#define HAVE_GCM_GHASH_4BIT
+#define HAVE_GCM_GMULT_4BIT
+#endif
+#ifdef LIBRESSL_USE_MD5_ASSEMBLY
+#define HAVE_MD5_BLOCK_DATA_ORDER
+#endif
+#ifdef LIBRESSL_USE_RC4_ASSEMBLY
 #define HAVE_RC4_INTERNAL
 #define HAVE_RC4_SET_KEY_INTERNAL
+#endif
+#ifdef LIBRESSL_USE_SHA_ASSEMBLY
 #define HAVE_SHA1_BLOCK_DATA_ORDER
 #define HAVE_SHA1_BLOCK_GENERIC
 #define HAVE_SHA256_BLOCK_DATA_ORDER
 #define HAVE_SHA256_BLOCK_GENERIC
 #define HAVE_SHA512_BLOCK_DATA_ORDER
 #define HAVE_SHA512_BLOCK_GENERIC
+#endif
 #endif
diff --git a/src/lib/libcrypto/arch/i386/crypto_cpu_caps.c b/src/lib/libcrypto/arch/i386/crypto_cpu_caps.c
index 6bb77411af..b136f39478 100644
--- a/src/lib/libcrypto/arch/i386/crypto_cpu_caps.c
+++ b/src/lib/libcrypto/arch/i386/crypto_cpu_caps.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_cpu_caps.c,v 1.3 2024/11/12 13:14:57 jsing Exp $ */
+/*      $OpenBSD: crypto_cpu_caps.c,v 1.7 2025/12/31 10:06:41 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -19,11 +19,15 @@
 #include <openssl/crypto.h>
+#include "crypto_arch.h"
 #include "x86_arch.h"
 /* Legacy architecture specific capabilities, used by perlasm. */
 uint64_t OPENSSL_ia32cap_P;
+/* Machine dependent CPU capabilities. */
+uint64_t crypto_cpu_caps_i386;
 /* Machine independent CPU capabilities. */
 extern uint64_t crypto_cpu_caps;
@@ -85,17 +89,25 @@ crypto_cpu_caps_init(void)
                caps |= CPUCAP_MASK_FXSR;
        if ((edx & IA32CAP_MASK0_HT) != 0)
                caps |= CPUCAP_MASK_HT;
-        if ((edx & IA32CAP_MASK0_MMX) != 0)
+        if ((edx & IA32CAP_MASK0_MMX) != 0) {
                caps |= CPUCAP_MASK_MMX;
-        if ((edx & IA32CAP_MASK0_SSE) != 0)
+                crypto_cpu_caps_i386 |= CRYPTO_CPU_CAPS_I386_MMX;
+        }
+        if ((edx & IA32CAP_MASK0_SSE) != 0) {
                caps |= CPUCAP_MASK_SSE;
+                crypto_cpu_caps_i386 |= CRYPTO_CPU_CAPS_I386_SSE;
+        }
        if ((edx & IA32CAP_MASK0_SSE2) != 0)
                caps |= CPUCAP_MASK_SSE2;
-        if ((ecx & IA32CAP_MASK1_AESNI) != 0)
+        if ((ecx & IA32CAP_MASK1_AESNI) != 0) {
                caps |= CPUCAP_MASK_AESNI;
-        if ((ecx & IA32CAP_MASK1_PCLMUL) != 0)
+                crypto_cpu_caps_i386 |= CRYPTO_CPU_CAPS_I386_AES;
+        }
+        if ((ecx & IA32CAP_MASK1_PCLMUL) != 0) {
                caps |= CPUCAP_MASK_PCLMUL;
+                crypto_cpu_caps_i386 |= CRYPTO_CPU_CAPS_I386_CLMUL;
+        }
        if ((ecx & IA32CAP_MASK1_SSSE3) != 0)
                caps |= CPUCAP_MASK_SSSE3;
@@ -112,9 +124,3 @@ crypto_cpu_caps_init(void)
        OPENSSL_ia32cap_P = caps;
 }
-uint64_t
-crypto_cpu_caps_ia32(void)
-{
-        return OPENSSL_ia32cap_P;
-}
diff --git a/src/lib/libcrypto/arch/i386/opensslconf.h b/src/lib/libcrypto/arch/i386/opensslconf.h
deleted file mode 100644
index 03cf31b940..0000000000
--- a/src/lib/libcrypto/arch/i386/opensslconf.h
+++ /dev/null
@@ -1,154 +0,0 @@
-#include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
-#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
-#ifndef OPENSSL_FILE
-#ifdef OPENSSL_NO_FILENAMES
-#define OPENSSL_FILE ""
-#define OPENSSL_LINE 0
-#else
-#define OPENSSL_FILE __FILE__
-#define OPENSSL_LINE __LINE__
-#endif
-#endif
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#undef RC4_CHUNK
-#endif
-#endif
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned long
-#endif
-#endif
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#define BN_LLONG
-/* Should we define BN_DIV2W here? */
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#undef SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#define DES_PTR
-#endif
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#define DES_RISC1
-#endif
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/m88k/opensslconf.h b/src/lib/libcrypto/arch/m88k/opensslconf.h
deleted file mode 100644
index a5d26b6fdc..0000000000
--- a/src/lib/libcrypto/arch/m88k/opensslconf.h
+++ /dev/null
@@ -1,154 +0,0 @@
-#include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
-#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
-#ifndef OPENSSL_FILE
-#ifdef OPENSSL_NO_FILENAMES
-#define OPENSSL_FILE ""
-#define OPENSSL_LINE 0
-#else
-#define OPENSSL_FILE __FILE__
-#define OPENSSL_LINE __LINE__
-#endif
-#endif
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#undef RC4_CHUNK
-#endif
-#endif
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#define BN_LLONG
-/* Should we define BN_DIV2W here? */
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#undef SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/mips64/Makefile.inc b/src/lib/libcrypto/arch/mips64/Makefile.inc
index 64e806289d..f82d0dc59a 100644
--- a/src/lib/libcrypto/arch/mips64/Makefile.inc
+++ b/src/lib/libcrypto/arch/mips64/Makefile.inc
@@ -1,15 +1,19 @@
-# $OpenBSD: Makefile.inc,v 1.19 2025/02/14 12:01:58 jsing Exp $
+# $OpenBSD: Makefile.inc,v 1.21 2026/01/17 16:18:32 jsing Exp $
 # mips64-specific libcrypto build rules
 # aes
-CFLAGS+= -DAES_ASM
+CFLAGS+= -DLIBRESSL_USE_AES_ASSEMBLY
 SSLASM+= aes aes-mips aes-mips
 # bn
+CFLAGS+= -DLIBRESSL_USE_BN_ASSEMBLY
 SSLASM+= bn mips bn-mips
 SSLASM+= bn mips-mont mips-mont
 CFLAGS+= -DOPENSSL_BN_ASM_MONT
 # sha
+CFLAGS+= -DLIBRESSL_USE_SHA_ASSEMBLY
 SSLASM+= sha sha1-mips sha1-mips
 SSLASM+= sha sha512-mips sha256-mips
 SSLASM+= sha sha512-mips sha512-mips
diff --git a/src/lib/libcrypto/arch/mips64/crypto_arch.h b/src/lib/libcrypto/arch/mips64/crypto_arch.h
index 07d7829fe3..156311837f 100644
--- a/src/lib/libcrypto/arch/mips64/crypto_arch.h
+++ b/src/lib/libcrypto/arch/mips64/crypto_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_arch.h,v 1.2 2025/02/14 12:01:58 jsing Exp $ */
+/*      $OpenBSD: crypto_arch.h,v 1.3 2026/01/17 16:18:32 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -20,19 +20,21 @@
 #ifndef OPENSSL_NO_ASM
+#ifdef LIBRESSL_USE_AES_ASSEMBLY
 #define HAVE_AES_SET_ENCRYPT_KEY_INTERNAL
 #define HAVE_AES_SET_DECRYPT_KEY_INTERNAL
 #define HAVE_AES_ENCRYPT_INTERNAL
 #define HAVE_AES_DECRYPT_INTERNAL
+#endif
+#ifdef LIBRESSL_USE_SHA_ASSEMBLY
 #define HAVE_SHA1_BLOCK_DATA_ORDER
 #define HAVE_SHA1_BLOCK_GENERIC
 #define HAVE_SHA256_BLOCK_DATA_ORDER
 #define HAVE_SHA256_BLOCK_GENERIC
 #define HAVE_SHA512_BLOCK_DATA_ORDER
 #define HAVE_SHA512_BLOCK_GENERIC
+#endif
 #endif
diff --git a/src/lib/libcrypto/arch/mips64/opensslconf.h b/src/lib/libcrypto/arch/mips64/opensslconf.h
deleted file mode 100644
index 36cdd2840b..0000000000
--- a/src/lib/libcrypto/arch/mips64/opensslconf.h
+++ /dev/null
@@ -1,154 +0,0 @@
-#include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
-#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
-#ifndef OPENSSL_FILE
-#ifdef OPENSSL_NO_FILENAMES
-#define OPENSSL_FILE ""
-#define OPENSSL_LINE 0
-#else
-#define OPENSSL_FILE __FILE__
-#define OPENSSL_LINE __LINE__
-#endif
-#endif
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
-/* Should we define BN_DIV2W here? */
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#define SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#undef THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#define BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#define DES_PTR
-#endif
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-#ifndef DES_RISC2
-#define DES_RISC2
-#endif
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#undef DES_UNROLL
-#endif
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/powerpc/Makefile.inc b/src/lib/libcrypto/arch/powerpc/Makefile.inc
index c5218e53f4..c62c90f753 100644
--- a/src/lib/libcrypto/arch/powerpc/Makefile.inc
+++ b/src/lib/libcrypto/arch/powerpc/Makefile.inc
@@ -1,15 +1,19 @@
-# $OpenBSD: Makefile.inc,v 1.14 2025/02/14 12:01:58 jsing Exp $
+# $OpenBSD: Makefile.inc,v 1.16 2026/01/17 16:18:32 jsing Exp $
 # powerpc-specific libcrypto build rules
+# aes
 # slower than C code
-#CFLAGS+= -DAES_ASM
 #SSLASM+= aes aes-ppc aes-ppc
 # bn
+CFLAGS+= -DLIBRESSL_USE_BN_ASSEMBLY
 SSLASM+= bn ppc bn-ppc
 SSLASM+= bn ppc-mont ppc-mont
 CFLAGS+= -DOPENSSL_BN_ASM_MONT
 # sha
+CFLAGS+= -DLIBRESSL_USE_SHA_ASSEMBLY
 SSLASM+= sha sha1-ppc sha1-ppc
 SSLASM+= sha sha512-ppc sha256-ppc
diff --git a/src/lib/libcrypto/arch/powerpc/crypto_arch.h b/src/lib/libcrypto/arch/powerpc/crypto_arch.h
index d2730af0fb..63aa840ae8 100644
--- a/src/lib/libcrypto/arch/powerpc/crypto_arch.h
+++ b/src/lib/libcrypto/arch/powerpc/crypto_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_arch.h,v 1.2 2025/02/14 12:01:58 jsing Exp $ */
+/*      $OpenBSD: crypto_arch.h,v 1.3 2026/01/17 16:18:32 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -20,11 +20,12 @@
 #ifndef OPENSSL_NO_ASM
+#ifdef LIBRESSL_USE_SHA_ASSEMBLY
 #define HAVE_SHA1_BLOCK_DATA_ORDER
 #define HAVE_SHA1_BLOCK_GENERIC
 #define HAVE_SHA256_BLOCK_DATA_ORDER
 #define HAVE_SHA256_BLOCK_GENERIC
+#endif
 #endif
diff --git a/src/lib/libcrypto/arch/powerpc/opensslconf.h b/src/lib/libcrypto/arch/powerpc/opensslconf.h
deleted file mode 100644
index a5d26b6fdc..0000000000
--- a/src/lib/libcrypto/arch/powerpc/opensslconf.h
+++ /dev/null
@@ -1,154 +0,0 @@
-#include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
-#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
-#ifndef OPENSSL_FILE
-#ifdef OPENSSL_NO_FILENAMES
-#define OPENSSL_FILE ""
-#define OPENSSL_LINE 0
-#else
-#define OPENSSL_FILE __FILE__
-#define OPENSSL_LINE __LINE__
-#endif
-#endif
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#undef RC4_CHUNK
-#endif
-#endif
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#define BN_LLONG
-/* Should we define BN_DIV2W here? */
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#undef SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/powerpc64/Makefile.inc b/src/lib/libcrypto/arch/powerpc64/Makefile.inc
index c309ab8b40..4a72726eab 100644
--- a/src/lib/libcrypto/arch/powerpc64/Makefile.inc
+++ b/src/lib/libcrypto/arch/powerpc64/Makefile.inc
@@ -1,14 +1,16 @@
-# $OpenBSD: Makefile.inc,v 1.16 2025/02/14 12:01:58 jsing Exp $
+# $OpenBSD: Makefile.inc,v 1.18 2026/01/17 16:18:32 jsing Exp $
 # powerpc-specific libcrypto build rules
+# aes
 # slower than C code
-#CFLAGS+= -DAES_ASM
 #SSLASM+= aes aes-ppc aes-ppc
 # bn
 #SSLASM+= bn ppc bn-ppc
 #SSLASM+= bn ppc-mont ppc-mont
 #CFLAGS+= -DOPENSSL_BN_ASM_MONT
 # sha
 #SSLASM+= sha sha1-ppc sha1-ppc
 #SSLASM+= sha sha512-ppc sha256-ppc
diff --git a/src/lib/libcrypto/arch/powerpc64/opensslconf.h b/src/lib/libcrypto/arch/powerpc64/opensslconf.h
deleted file mode 100644
index cc193762f1..0000000000
--- a/src/lib/libcrypto/arch/powerpc64/opensslconf.h
+++ /dev/null
@@ -1,149 +0,0 @@
-#include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
-#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
-#ifndef OPENSSL_FILE
-#ifdef OPENSSL_NO_FILENAMES
-#define OPENSSL_FILE ""
-#define OPENSSL_LINE 0
-#else
-#define OPENSSL_FILE __FILE__
-#define OPENSSL_LINE __LINE__
-#endif
-#endif
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
-/* Should we define BN_DIV2W here? */
-/* Only one for the following should be defined */
-#define SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#undef THIRTY_TWO_BIT
-#endif
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/riscv64/opensslconf.h b/src/lib/libcrypto/arch/riscv64/opensslconf.h
deleted file mode 100644
index 731b06aecc..0000000000
--- a/src/lib/libcrypto/arch/riscv64/opensslconf.h
+++ /dev/null
@@ -1,154 +0,0 @@
-#include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
-#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
-#ifndef OPENSSL_FILE
-#ifdef OPENSSL_NO_FILENAMES
-#define OPENSSL_FILE ""
-#define OPENSSL_LINE 0
-#else
-#define OPENSSL_FILE __FILE__
-#define OPENSSL_LINE __LINE__
-#endif
-#endif
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
-/* Should we define BN_DIV2W here? */
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#define SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#undef THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/sh/opensslconf.h b/src/lib/libcrypto/arch/sh/opensslconf.h
deleted file mode 100644
index a5d26b6fdc..0000000000
--- a/src/lib/libcrypto/arch/sh/opensslconf.h
+++ /dev/null
@@ -1,154 +0,0 @@
-#include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
-#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
-#ifndef OPENSSL_FILE
-#ifdef OPENSSL_NO_FILENAMES
-#define OPENSSL_FILE ""
-#define OPENSSL_LINE 0
-#else
-#define OPENSSL_FILE __FILE__
-#define OPENSSL_LINE __LINE__
-#endif
-#endif
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#undef RC4_CHUNK
-#endif
-#endif
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#define BN_LLONG
-/* Should we define BN_DIV2W here? */
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#undef SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#define THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#undef BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#undef DES_PTR
-#endif
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-#ifndef DES_RISC2
-#undef DES_RISC2
-#endif
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#define DES_UNROLL
-#endif
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/arch/sparc64/Makefile.inc b/src/lib/libcrypto/arch/sparc64/Makefile.inc
index cbf63e033e..3a83ac6282 100644
--- a/src/lib/libcrypto/arch/sparc64/Makefile.inc
+++ b/src/lib/libcrypto/arch/sparc64/Makefile.inc
@@ -1,15 +1,17 @@
-# $OpenBSD: Makefile.inc,v 1.21 2025/02/14 12:01:58 jsing Exp $
+# $OpenBSD: Makefile.inc,v 1.24 2026/01/17 16:18:32 jsing Exp $
 # sparc64-specific libcrypto build rules
 # aes
-CFLAGS+= -DAES_ASM
+CFLAGS+= -DLIBRESSL_USE_AES_ASSEMBLY
 SSLASM+= aes aes-sparcv9 aes-sparcv9
-# bn
 # modes
-CFLAGS+= -DGHASH_ASM
+CFLAGS+= -DLIBRESSL_USE_GCM_ASSEMBLY
 SSLASM+= modes ghash-sparcv9 ghash-sparcv9
 # sha
+CFLAGS+= -DLIBRESSL_USE_SHA_ASSEMBLY
 SSLASM+= sha sha1-sparcv9 sha1-sparcv9
 SSLASM+= sha sha512-sparcv9 sha256-sparcv9
 SSLASM+= sha sha512-sparcv9 sha512-sparcv9
diff --git a/src/lib/libcrypto/arch/sparc64/crypto_arch.h b/src/lib/libcrypto/arch/sparc64/crypto_arch.h
index 251957a5bc..1f160b625c 100644
--- a/src/lib/libcrypto/arch/sparc64/crypto_arch.h
+++ b/src/lib/libcrypto/arch/sparc64/crypto_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_arch.h,v 1.2 2025/02/14 12:01:58 jsing Exp $ */
+/*      $OpenBSD: crypto_arch.h,v 1.4 2026/01/17 16:18:32 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -20,17 +20,24 @@
 #ifndef OPENSSL_NO_ASM
+#ifdef LIBRESSL_USE_AES_ASSEMBLY
 #define HAVE_AES_ENCRYPT_INTERNAL
 #define HAVE_AES_DECRYPT_INTERNAL
+#endif
+#ifdef LIBRESSL_USE_GCM_ASSEMBLY
+#define HAVE_GCM_GHASH_4BIT
+#define HAVE_GCM_GMULT_4BIT
+#endif
+#ifdef LIBRESSL_USE_SHA_ASSEMBLY
 #define HAVE_SHA1_BLOCK_DATA_ORDER
 #define HAVE_SHA1_BLOCK_GENERIC
 #define HAVE_SHA256_BLOCK_DATA_ORDER
 #define HAVE_SHA256_BLOCK_GENERIC
 #define HAVE_SHA512_BLOCK_DATA_ORDER
 #define HAVE_SHA512_BLOCK_GENERIC
+#endif
 #endif
diff --git a/src/lib/libcrypto/arch/sparc64/opensslconf.h b/src/lib/libcrypto/arch/sparc64/opensslconf.h
deleted file mode 100644
index 36cdd2840b..0000000000
--- a/src/lib/libcrypto/arch/sparc64/opensslconf.h
+++ /dev/null
@@ -1,154 +0,0 @@
-#include <openssl/opensslfeatures.h>
-/* crypto/opensslconf.h.in */
-#if defined(HEADER_CRYPTO_LOCAL_H) && !defined(OPENSSLDIR)
-#define OPENSSLDIR "/etc/ssl"
-#endif
-#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
-#ifndef OPENSSL_FILE
-#ifdef OPENSSL_NO_FILENAMES
-#define OPENSSL_FILE ""
-#define OPENSSL_LINE 0
-#else
-#define OPENSSL_FILE __FILE__
-#define OPENSSL_LINE __LINE__
-#endif
-#endif
-#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
-#define IDEA_INT unsigned int
-#endif
-#if defined(HEADER_MD2_H) && !defined(MD2_INT)
-#define MD2_INT unsigned int
-#endif
-#if defined(HEADER_RC2_H) && !defined(RC2_INT)
-/* I need to put in a mod for the alpha - eay */
-#define RC2_INT unsigned int
-#endif
-#if defined(HEADER_RC4_H)
-#if !defined(RC4_INT)
-/* using int types make the structure larger but make the code faster
- * on most boxes I have tested - up to %20 faster. */
-/*
- * I don't know what does "most" mean, but declaring "int" is a must on:
- * - Intel P6 because partial register stalls are very expensive;
- * - elder Alpha because it lacks byte load/store instructions;
- */
-#define RC4_INT unsigned int
-#endif
-#if !defined(RC4_CHUNK)
-/*
- * This enables code handling data aligned at natural CPU word
- * boundary. See crypto/rc4/rc4_enc.c for further details.
- */
-#define RC4_CHUNK unsigned long
-#endif
-#endif
-#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
-/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
- * %20 speed up (longs are 8 bytes, int's are 4). */
-#ifndef DES_LONG
-#define DES_LONG unsigned int
-#endif
-#endif
-#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
-#define CONFIG_HEADER_BN_H
-#undef BN_LLONG
-/* Should we define BN_DIV2W here? */
-/* Only one for the following should be defined */
-/* The prime number generation stuff may not work when
- * EIGHT_BIT but I don't care since I've only used this mode
- * for debugging the bignum libraries */
-#define SIXTY_FOUR_BIT_LONG
-#undef SIXTY_FOUR_BIT
-#undef THIRTY_TWO_BIT
-#undef SIXTEEN_BIT
-#undef EIGHT_BIT
-#endif
-#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
-#define CONFIG_HEADER_BF_LOCL_H
-#define BF_PTR
-#endif /* HEADER_BF_LOCL_H */
-#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
-#define CONFIG_HEADER_DES_LOCL_H
-#ifndef DES_DEFAULT_OPTIONS
-/* the following is tweaked from a config script, that is why it is a
- * protected undef/define */
-#ifndef DES_PTR
-#define DES_PTR
-#endif
-/* This helps C compiler generate the correct code for multiple functional
- * units.  It reduces register dependencies at the expense of 2 more
- * registers */
-#ifndef DES_RISC1
-#undef DES_RISC1
-#endif
-#ifndef DES_RISC2
-#define DES_RISC2
-#endif
-#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
-#endif
-/* Unroll the inner loop, this sometimes helps, sometimes hinders.
- * Very much CPU dependent */
-#ifndef DES_UNROLL
-#undef DES_UNROLL
-#endif
-/* These default values were supplied by
- * Peter Gutman <pgut001@cs.auckland.ac.nz>
- * They are only used if nothing else has been defined */
-#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
-/* Special defines which change the way the code is built depending on the
-   CPU and OS.  For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
-   even newer MIPS CPU's, but at the moment one size fits all for
-   optimization options.  Older Sparc's work better with only UNROLL, but
-   there's no way to tell at compile time what it is you're running on */
- 
-#if defined( sun )              /* Newer Sparc's */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#elif defined( __ultrix )       /* Older MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined( __osf1__ )       /* Alpha */
-#  define DES_PTR
-#  define DES_RISC2
-#elif defined ( _AIX )          /* RS6000 */
-  /* Unknown */
-#elif defined( __hpux )         /* HP-PA */
-  /* Unknown */
-#elif defined( __aux )          /* 68K */
-  /* Unknown */
-#elif defined( __dgux )         /* 88K (but P6 in latest boxes) */
-#  define DES_UNROLL
-#elif defined( __sgi )          /* Newer MIPS */
-#  define DES_PTR
-#  define DES_RISC2
-#  define DES_UNROLL
-#elif defined(i386) || defined(__i386__)        /* x86 boxes, should be gcc */
-#  define DES_PTR
-#  define DES_RISC1
-#  define DES_UNROLL
-#endif /* Systems-specific speed defines */
-#endif
-#endif /* DES_DEFAULT_OPTIONS */
-#endif /* HEADER_DES_LOCL_H */
diff --git a/src/lib/libcrypto/asn1/a_bitstr.c b/src/lib/libcrypto/asn1/a_bitstr.c
index d5d00c4d44..e656c43f0c 100644
--- a/src/lib/libcrypto/asn1/a_bitstr.c
+++ b/src/lib/libcrypto/asn1/a_bitstr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_bitstr.c,v 1.43 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_bitstr.c,v 1.48 2026/01/04 09:54:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,10 +63,10 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 #include "bytestring.h"
+#include "err_local.h"
 const ASN1_ITEM ASN1_BIT_STRING_it = {
        .itype = ASN1_ITYPE_PRIMITIVE,
@@ -182,18 +182,9 @@ i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
        unsigned char *p, *d;
        if (a == NULL)
-                return (0);
+                return 0;
-        if (a->length == INT_MAX)
-                return (0);
-        ret = a->length + 1;
-        if (pp == NULL)
-                return (ret);
        len = a->length;
        if (len > 0) {
                if (a->flags & ASN1_STRING_FLAG_BITS_LEFT) {
                        bits = (int)a->flags & 0x07;
@@ -222,12 +213,20 @@ i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
                        else if (j & 0x80)
                                bits = 7;
                        else
-                                bits = 0; /* should not happen */
+                                bits = 0;
                }
        } else
                bits = 0;
-        p= *pp;
+        if (len > INT_MAX - 1)
+                return 0;
+        ret = len + 1;
+        if (pp == NULL)
+                return ret;
+        p = *pp;
        *(p++) = (unsigned char)bits;
        d = a->data;
@@ -237,7 +236,7 @@ i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
                p[-1] &= 0xff << bits;
        }
        *pp = p;
-        return (ret);
+        return ret;
 }
 int
diff --git a/src/lib/libcrypto/asn1/a_enum.c b/src/lib/libcrypto/asn1/a_enum.c
index 5d3a3dd0c7..ac5033ea8a 100644
--- a/src/lib/libcrypto/asn1/a_enum.c
+++ b/src/lib/libcrypto/asn1/a_enum.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_enum.c,v 1.30 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_enum.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,10 +63,10 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
 #include "bytestring.h"
+#include "err_local.h"
 /*
 * Code for ENUMERATED type: identical to INTEGER apart from a different tag.
diff --git a/src/lib/libcrypto/asn1/a_int.c b/src/lib/libcrypto/asn1/a_int.c
index 0d9b6577d7..f171e330f6 100644
--- a/src/lib/libcrypto/asn1/a_int.c
+++ b/src/lib/libcrypto/asn1/a_int.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_int.c,v 1.48 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_int.c,v 1.49 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -64,9 +64,9 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include "bytestring.h"
+#include "err_local.h"
 const ASN1_ITEM ASN1_INTEGER_it = {
        .itype = ASN1_ITYPE_PRIMITIVE,
diff --git a/src/lib/libcrypto/asn1/a_mbstr.c b/src/lib/libcrypto/asn1/a_mbstr.c
index f050f97539..38398ad1d1 100644
--- a/src/lib/libcrypto/asn1/a_mbstr.c
+++ b/src/lib/libcrypto/asn1/a_mbstr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_mbstr.c,v 1.27 2023/07/05 21:23:36 beck Exp $ */
+/* $OpenBSD: a_mbstr.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -61,9 +61,9 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
+#include "err_local.h"
 static int traverse_string(const unsigned char *p, int len, int inform,
    int (*rfunc)(unsigned long value, void *in), void *arg);
diff --git a/src/lib/libcrypto/asn1/a_object.c b/src/lib/libcrypto/asn1/a_object.c
index 2f3ca1398f..333ac60348 100644
--- a/src/lib/libcrypto/asn1/a_object.c
+++ b/src/lib/libcrypto/asn1/a_object.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_object.c,v 1.55 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_object.c,v 1.56 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,11 +62,11 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include "asn1_local.h"
+#include "err_local.h"
 const ASN1_ITEM ASN1_OBJECT_it = {
        .itype = ASN1_ITYPE_PRIMITIVE,
diff --git a/src/lib/libcrypto/asn1/a_pkey.c b/src/lib/libcrypto/asn1/a_pkey.c
index a730728076..636b602377 100644
--- a/src/lib/libcrypto/asn1/a_pkey.c
+++ b/src/lib/libcrypto/asn1/a_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_pkey.c,v 1.8 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: a_pkey.c,v 1.9 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,12 +62,12 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 EVP_PKEY *
diff --git a/src/lib/libcrypto/asn1/a_pubkey.c b/src/lib/libcrypto/asn1/a_pubkey.c
index 544f3d2cf0..f846b6cda5 100644
--- a/src/lib/libcrypto/asn1/a_pubkey.c
+++ b/src/lib/libcrypto/asn1/a_pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_pubkey.c,v 1.7 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: a_pubkey.c,v 1.8 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,7 +62,6 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
@@ -76,6 +75,7 @@
 #include <openssl/rsa.h>
 #endif
+#include "err_local.h"
 #include "evp_local.h"
 EVP_PKEY *
diff --git a/src/lib/libcrypto/asn1/a_string.c b/src/lib/libcrypto/asn1/a_string.c
index ec492e71f0..70e9c95f22 100644
--- a/src/lib/libcrypto/asn1/a_string.c
+++ b/src/lib/libcrypto/asn1/a_string.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_string.c,v 1.17 2023/08/15 18:05:15 tb Exp $ */
+/* $OpenBSD: a_string.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,9 +61,9 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
+#include "err_local.h"
 ASN1_STRING *
 ASN1_STRING_new(void)
diff --git a/src/lib/libcrypto/asn1/a_strnid.c b/src/lib/libcrypto/asn1/a_strnid.c
index 5fa60b9ce7..3519d6725d 100644
--- a/src/lib/libcrypto/asn1/a_strnid.c
+++ b/src/lib/libcrypto/asn1/a_strnid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_strnid.c,v 1.31 2024/03/02 08:54:02 tb Exp $ */
+/* $OpenBSD: a_strnid.c,v 1.32 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -62,7 +62,6 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 /*
diff --git a/src/lib/libcrypto/asn1/a_time.c b/src/lib/libcrypto/asn1/a_time.c
index 15ac1af5c4..3deff56eda 100644
--- a/src/lib/libcrypto/asn1/a_time.c
+++ b/src/lib/libcrypto/asn1/a_time.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time.c,v 1.38 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_time.c,v 1.39 2025/05/10 05:54:38 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
@@ -65,7 +65,6 @@
 #include <time.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
diff --git a/src/lib/libcrypto/asn1/a_time_tm.c b/src/lib/libcrypto/asn1/a_time_tm.c
index a1f329be96..dd2893167f 100644
--- a/src/lib/libcrypto/asn1/a_time_tm.c
+++ b/src/lib/libcrypto/asn1/a_time_tm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time_tm.c,v 1.42 2024/05/03 18:33:27 tb Exp $ */
+/* $OpenBSD: a_time_tm.c,v 1.43 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
 *
@@ -22,10 +22,10 @@
 #include <time.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
-#include "bytestring.h"
 #include "asn1_local.h"
+#include "bytestring.h"
+#include "err_local.h"
 #define RFC5280 0
 #define GENTIME_LENGTH 15
diff --git a/src/lib/libcrypto/asn1/a_type.c b/src/lib/libcrypto/asn1/a_type.c
index ef0a76e810..0615de1ccb 100644
--- a/src/lib/libcrypto/asn1/a_type.c
+++ b/src/lib/libcrypto/asn1/a_type.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_type.c,v 1.27 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: a_type.c,v 1.29 2025/12/05 14:19:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,10 +59,10 @@
 #include <string.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include "asn1_local.h"
+#include "err_local.h"
 typedef struct {
        ASN1_INTEGER *num;
@@ -227,14 +227,14 @@ int
 ASN1_TYPE_get_octetstring(const ASN1_TYPE *a, unsigned char *data, int max_len)
 {
        int ret, num;
-        unsigned char *p;
+        const unsigned char *p;
        if ((a->type != V_ASN1_OCTET_STRING) ||
            (a->value.octet_string == NULL)) {
                ASN1error(ASN1_R_DATA_IS_WRONG);
                return (-1);
        }
-        p = ASN1_STRING_data(a->value.octet_string);
+        p = ASN1_STRING_get0_data(a->value.octet_string);
        ret = ASN1_STRING_length(a->value.octet_string);
        if (ret < max_len)
                num = ret;
@@ -298,7 +298,7 @@ ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *at, long *num, unsigned char *dat
                len = ASN1_STRING_length(ios->value);
                if (len > max_len)
                        len = max_len;
-                memcpy(data, ASN1_STRING_data(ios->value), len);
+                memcpy(data, ASN1_STRING_get0_data(ios->value), len);
        }
        ret = ASN1_STRING_length(ios->value);
diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h
index aeabbc0a28..2b19f58717 100644
--- a/src/lib/libcrypto/asn1/asn1.h
+++ b/src/lib/libcrypto/asn1/asn1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1.h,v 1.92 2024/04/10 14:55:12 beck Exp $ */
+/* $OpenBSD: asn1.h,v 1.95 2026/01/02 08:03:02 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -85,7 +85,6 @@ extern "C" {
 #define V_ASN1_PRIMITIVE_TAG            0x1f
 #define V_ASN1_PRIMATIVE_TAG            0x1f
-#define V_ASN1_APP_CHOOSE               -2      /* let the recipient choose */
 #define V_ASN1_OTHER                    -3      /* used in ASN1_TYPE */
 #define V_ASN1_ANY                      -4      /* used in ASN1 template code */
@@ -200,11 +199,9 @@ typedef struct ASN1_ENCODING_st {
        int modified;            /* set to 1 if 'enc' is invalid */
 } ASN1_ENCODING;
-/* Used with ASN1 LONG type: if a long is set to this it is omitted */
+/* Used by security/xca */
-#define ASN1_LONG_UNDEF 0x7fffffffL
-#define STABLE_FLAGS_MALLOC     0x01
 #define STABLE_NO_MASK          0x02
 #define DIRSTRING_TYPE  \
 (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_BMPSTRING|B_ASN1_UTF8STRING)
 #define PKCS9STRING_TYPE (DIRSTRING_TYPE|B_ASN1_IA5STRING)
diff --git a/src/lib/libcrypto/asn1/asn1_gen.c b/src/lib/libcrypto/asn1/asn1_gen.c
index edd6743993..b409e83c7d 100644
--- a/src/lib/libcrypto/asn1/asn1_gen.c
+++ b/src/lib/libcrypto/asn1/asn1_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_gen.c,v 1.27 2025/03/06 07:25:01 tb Exp $ */
+/* $OpenBSD: asn1_gen.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2002.
 */
@@ -59,11 +59,11 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 #include "asn1_local.h"
 #include "conf_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 #define ASN1_GEN_FLAG           0x10000
diff --git a/src/lib/libcrypto/asn1/asn1_item.c b/src/lib/libcrypto/asn1/asn1_item.c
index 86c800e3ad..621d65711b 100644
--- a/src/lib/libcrypto/asn1/asn1_item.c
+++ b/src/lib/libcrypto/asn1/asn1_item.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_item.c,v 1.21 2024/04/09 13:55:02 beck Exp $ */
+/* $OpenBSD: asn1_item.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -112,11 +112,11 @@
 #include <limits.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/asn1/asn1_local.h b/src/lib/libcrypto/asn1/asn1_local.h
index 19de978772..d61cfaa7b9 100644
--- a/src/lib/libcrypto/asn1/asn1_local.h
+++ b/src/lib/libcrypto/asn1/asn1_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_local.h,v 1.10 2024/03/02 09:10:42 tb Exp $ */
+/* $OpenBSD: asn1_local.h,v 1.11 2025/11/26 10:19:57 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -56,6 +56,9 @@
 *
 */
+#ifndef HEADER_ASN1_LOCAL_H
+#define HEADER_ASN1_LOCAL_H
 #include "bytestring.h"
 __BEGIN_HIDDEN_DECLS
@@ -191,3 +194,5 @@ int ASN1_time_parse(const char *_bytes, size_t _len, struct tm *_tm, int _mode);
 int ASN1_time_tm_cmp(struct tm *_tm1, struct tm *_tm2);
 __END_HIDDEN_DECLS
+#endif /* HEADER_ASN1_LOCAL_H */
diff --git a/src/lib/libcrypto/asn1/asn1_old.c b/src/lib/libcrypto/asn1/asn1_old.c
index 7992fccdef..c47ea8e74a 100644
--- a/src/lib/libcrypto/asn1/asn1_old.c
+++ b/src/lib/libcrypto/asn1/asn1_old.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_old.c,v 1.6 2024/04/10 14:55:12 beck Exp $ */
+/* $OpenBSD: asn1_old.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,9 +61,9 @@
 #include <openssl/asn1.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #ifndef NO_OLD_ASN1
diff --git a/src/lib/libcrypto/asn1/asn1_old_lib.c b/src/lib/libcrypto/asn1/asn1_old_lib.c
index 80362ae689..541ac7b615 100644
--- a/src/lib/libcrypto/asn1/asn1_old_lib.c
+++ b/src/lib/libcrypto/asn1/asn1_old_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_old_lib.c,v 1.6 2023/07/05 21:23:36 beck Exp $ */
+/* $OpenBSD: asn1_old_lib.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,9 +61,9 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
+#include "err_local.h"
 static void asn1_put_length(unsigned char **pp, int length);
diff --git a/src/lib/libcrypto/asn1/asn1t.h b/src/lib/libcrypto/asn1/asn1t.h
index 22cde48669..b3fb1cf838 100644
--- a/src/lib/libcrypto/asn1/asn1t.h
+++ b/src/lib/libcrypto/asn1/asn1t.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1t.h,v 1.24 2024/07/08 16:24:22 beck Exp $ */
+/* $OpenBSD: asn1t.h,v 1.31 2026/01/16 09:25:15 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -78,44 +78,43 @@ extern "C" {
 /* Macros for start and end of ASN1_ITEM definition */
-#define ASN1_ITEM_start(itname) \
+#define ASN1_ITEM_start(itname)                                         \
        const ASN1_ITEM itname##_it = {
-#define static_ASN1_ITEM_start(itname) \
+#define static_ASN1_ITEM_start(itname)                                  \
        static const ASN1_ITEM itname##_it = {
-#define ASN1_ITEM_end(itname) \
+#define ASN1_ITEM_end(itname)                                           \
-                };
+        };
 /* Macros to aid ASN1 template writing */
-#define ASN1_ITEM_TEMPLATE(tname) \
+#define ASN1_ITEM_TEMPLATE(tname)                                       \
        static const ASN1_TEMPLATE tname##_item_tt
-#define ASN1_ITEM_TEMPLATE_END(tname) \
+#define ASN1_ITEM_TEMPLATE_END(tname)                                   \
-        ;\
+        ;                                                               \
-        ASN1_ITEM_start(tname) \
+        ASN1_ITEM_start(tname)                                          \
-                ASN1_ITYPE_PRIMITIVE,\
+                .itype = ASN1_ITYPE_PRIMITIVE,                          \
-                -1,\
+                .utype = -1,                                            \
-                &tname##_item_tt,\
+                .templates = &tname##_item_tt,                          \
-                0,\
+                .tcount = 0,                                            \
-                NULL,\
+                .funcs = NULL,                                          \
-                0,\
+                .size = 0,                                              \
-                #tname \
+                .sname = #tname,                                        \
        ASN1_ITEM_end(tname)
-#define static_ASN1_ITEM_TEMPLATE_END(tname) \
+#define static_ASN1_ITEM_TEMPLATE_END(tname)                            \
-        ;\
+        ;                                                               \
-        static_ASN1_ITEM_start(tname) \
+        static_ASN1_ITEM_start(tname)                                   \
-                ASN1_ITYPE_PRIMITIVE,\
+                .itype = ASN1_ITYPE_PRIMITIVE,                          \
-                -1,\
+                .utype = -1,                                            \
-                &tname##_item_tt,\
+                .templates = &tname##_item_tt,                          \
-                0,\
+                .tcount = 0,                                            \
-                NULL,\
+                .funcs = NULL,                                          \
-                0,\
+                .size = 0,                                              \
-                #tname \
+                .sname = #tname,                                        \
        ASN1_ITEM_end(tname)
@@ -142,119 +141,145 @@ extern "C" {
 *      a structure called stname.
 */
-#define ASN1_SEQUENCE(tname) \
+#define ASN1_SEQUENCE(tname)                                            \
        static const ASN1_TEMPLATE tname##_seq_tt[]
-#define ASN1_SEQUENCE_END(stname) ASN1_SEQUENCE_END_name(stname, stname)
+#define ASN1_SEQUENCE_END(stname)                                       \
+        ASN1_SEQUENCE_END_name(stname, stname)
-#define static_ASN1_SEQUENCE_END(stname) static_ASN1_SEQUENCE_END_name(stname, stname)
+#define static_ASN1_SEQUENCE_END(stname)                                \
-#define ASN1_SEQUENCE_END_name(stname, tname) \
+        static_ASN1_SEQUENCE_END_name(stname, stname)
-        ;\
-        ASN1_ITEM_start(tname) \
+#define ASN1_SEQUENCE_END_name(stname, tname)                           \
-                ASN1_ITYPE_SEQUENCE,\
+        ;                                                               \
-                V_ASN1_SEQUENCE,\
+        ASN1_ITEM_start(tname)                                          \
-                tname##_seq_tt,\
+                .itype = ASN1_ITYPE_SEQUENCE,                           \
-                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .utype = V_ASN1_SEQUENCE,                               \
-                NULL,\
+                .templates = tname##_seq_tt,                            \
-                sizeof(stname),\
+                .tcount = sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-                #stname \
+                .funcs = NULL,                                          \
+                .size = sizeof(stname),                                 \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
-#define static_ASN1_SEQUENCE_END_name(stname, tname) \
+#define static_ASN1_SEQUENCE_END_name(stname, tname)                    \
-        ;\
+        ;                                                               \
-        static_ASN1_ITEM_start(tname) \
+        static_ASN1_ITEM_start(tname)                                   \
-                ASN1_ITYPE_SEQUENCE,\
+                .itype = ASN1_ITYPE_SEQUENCE,                           \
-                V_ASN1_SEQUENCE,\
+                .utype = V_ASN1_SEQUENCE,                               \
-                tname##_seq_tt,\
+                .templates = tname##_seq_tt,                            \
-                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-                NULL,\
+                .funcs = NULL,                                          \
-                sizeof(stname),\
+                .size = sizeof(stname),                                 \
-                #stname \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
-#define ASN1_NDEF_SEQUENCE(tname) \
+#define ASN1_NDEF_SEQUENCE(tname)                                       \
        ASN1_SEQUENCE(tname)
-#define ASN1_NDEF_SEQUENCE_cb(tname, cb) \
+#define ASN1_NDEF_SEQUENCE_cb(tname, cb)                                \
        ASN1_SEQUENCE_cb(tname, cb)
-#define ASN1_SEQUENCE_cb(tname, cb) \
+#define ASN1_SEQUENCE_cb(tname, cb)                                     \
-        static const ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \
+        static const ASN1_AUX tname##_aux = {                           \
+                .app_data = NULL,                                       \
+                .flags = 0,                                             \
+                .ref_offset = 0,                                        \
+                .ref_lock = 0,                                          \
+                .asn1_cb = cb,                                          \
+                .enc_offset = 0,                                        \
+        };                                                              \
        ASN1_SEQUENCE(tname)
-#define ASN1_SEQUENCE_ref(tname, cb, lck) \
+#define ASN1_SEQUENCE_ref(tname, cb, lck)                               \
-        static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), lck, cb, 0}; \
+        static const ASN1_AUX tname##_aux = {                           \
+                .app_data = NULL,                                       \
+                .flags = ASN1_AFLG_REFCOUNT,                            \
+                .ref_offset = offsetof(tname, references),              \
+                .ref_lock = lck,                                        \
+                .asn1_cb = cb,                                          \
+                .enc_offset = 0,                                        \
+        };                                                              \
        ASN1_SEQUENCE(tname)
-#define ASN1_SEQUENCE_enc(tname, enc, cb) \
+#define ASN1_SEQUENCE_enc(tname, enc, cb)                               \
-        static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, 0, cb, offsetof(tname, enc)}; \
+        static const ASN1_AUX tname##_aux = {                           \
+                .app_data = NULL,                                       \
+                .flags = ASN1_AFLG_ENCODING,                            \
+                .ref_offset = 0,                                        \
+                .ref_lock = 0,                                          \
+                .asn1_cb = cb,                                          \
+                .enc_offset = offsetof(tname, enc),                     \
+        };                                                              \
        ASN1_SEQUENCE(tname)
-#define ASN1_NDEF_SEQUENCE_END(tname) \
+#define ASN1_NDEF_SEQUENCE_END(tname)                                   \
-        ;\
+        ;                                                               \
-        ASN1_ITEM_start(tname) \
+        ASN1_ITEM_start(tname)                                          \
-                ASN1_ITYPE_NDEF_SEQUENCE,\
+                .itype = ASN1_ITYPE_NDEF_SEQUENCE,                      \
-                V_ASN1_SEQUENCE,\
+                .utype = V_ASN1_SEQUENCE,                               \
-                tname##_seq_tt,\
+                .templates = tname##_seq_tt,                            \
-                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-                NULL,\
+                .funcs = NULL,                                          \
-                sizeof(tname),\
+                .size = sizeof(tname),                                  \
-                #tname \
+                .sname = #tname,                                        \
        ASN1_ITEM_end(tname)
-#define static_ASN1_NDEF_SEQUENCE_END(tname) \
+#define static_ASN1_NDEF_SEQUENCE_END(tname)                            \
-        ;\
+        ;                                                               \
-        static_ASN1_ITEM_start(tname) \
+        static_ASN1_ITEM_start(tname)                                   \
-                ASN1_ITYPE_NDEF_SEQUENCE,\
+                .itype = ASN1_ITYPE_NDEF_SEQUENCE,                      \
-                V_ASN1_SEQUENCE,\
+                .utype = V_ASN1_SEQUENCE,                               \
-                tname##_seq_tt,\
+                .templates = tname##_seq_tt,                            \
-                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-                NULL,\
+                .funcs = NULL,                                          \
-                sizeof(tname),\
+                .size = sizeof(tname),                                  \
-                #tname \
+                .sname = #tname,                                        \
        ASN1_ITEM_end(tname)
-#define ASN1_SEQUENCE_END_enc(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname)
+#define ASN1_SEQUENCE_END_enc(stname, tname)                            \
+        ASN1_SEQUENCE_END_ref(stname, tname)
-#define ASN1_SEQUENCE_END_cb(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname)
+#define ASN1_SEQUENCE_END_cb(stname, tname)                             \
-#define static_ASN1_SEQUENCE_END_cb(stname, tname) static_ASN1_SEQUENCE_END_ref(stname, tname)
+        ASN1_SEQUENCE_END_ref(stname, tname)
-#define ASN1_SEQUENCE_END_ref(stname, tname) \
+#define static_ASN1_SEQUENCE_END_cb(stname, tname)                      \
-        ;\
+        static_ASN1_SEQUENCE_END_ref(stname, tname)
-        ASN1_ITEM_start(tname) \
-                ASN1_ITYPE_SEQUENCE,\
+#define ASN1_SEQUENCE_END_ref(stname, tname)                            \
-                V_ASN1_SEQUENCE,\
+        ;                                                               \
-                tname##_seq_tt,\
+        ASN1_ITEM_start(tname)                                          \
-                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .itype = ASN1_ITYPE_SEQUENCE,                           \
-                &tname##_aux,\
+                .utype = V_ASN1_SEQUENCE,                               \
-                sizeof(stname),\
+                .templates = tname##_seq_tt,                            \
-                #stname \
+                .tcount = sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .funcs = &tname##_aux,                                  \
+                .size = sizeof(stname),                                 \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
-#define static_ASN1_SEQUENCE_END_ref(stname, tname) \
+#define static_ASN1_SEQUENCE_END_ref(stname, tname)                     \
-        ;\
+        ;                                                               \
-        static_ASN1_ITEM_start(tname) \
+        static_ASN1_ITEM_start(tname)                                   \
-                ASN1_ITYPE_SEQUENCE,\
+                .itype = ASN1_ITYPE_SEQUENCE,                           \
-                V_ASN1_SEQUENCE,\
+                .utype = V_ASN1_SEQUENCE,                               \
-                tname##_seq_tt,\
+                .templates = tname##_seq_tt,                            \
-                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-                &tname##_aux,\
+                .funcs = &tname##_aux,                                  \
-                sizeof(stname),\
+                .size = sizeof(stname),                                 \
-                #stname \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
-#define ASN1_NDEF_SEQUENCE_END_cb(stname, tname) \
+#define ASN1_NDEF_SEQUENCE_END_cb(stname, tname)                        \
-        ;\
+        ;                                                               \
-        ASN1_ITEM_start(tname) \
+        ASN1_ITEM_start(tname)                                          \
-                ASN1_ITYPE_NDEF_SEQUENCE,\
+                .itype = ASN1_ITYPE_NDEF_SEQUENCE,                      \
-                V_ASN1_SEQUENCE,\
+                .utype = V_ASN1_SEQUENCE,                               \
-                tname##_seq_tt,\
+                .templates = tname##_seq_tt,                            \
-                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-                &tname##_aux,\
+                .funcs = &tname##_aux,                                  \
-                sizeof(stname),\
+                .size = sizeof(stname),                                 \
-                #stname \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
@@ -281,170 +306,214 @@ extern "C" {
 *      ASN1_CHOICE_END_selector() version.
 */
-#define ASN1_CHOICE(tname) \
+#define ASN1_CHOICE(tname)                                              \
        static const ASN1_TEMPLATE tname##_ch_tt[]
-#define ASN1_CHOICE_cb(tname, cb) \
+#define ASN1_CHOICE_cb(tname, cb)                                       \
-        static const ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \
+        static const ASN1_AUX tname##_aux = {                           \
+                .app_data = NULL,                                       \
+                .flags = 0,                                             \
+                .ref_offset = 0,                                        \
+                .ref_lock = 0,                                          \
+                .asn1_cb = cb,                                          \
+                .enc_offset = 0,                                        \
+        };                                                              \
        ASN1_CHOICE(tname)
-#define ASN1_CHOICE_END(stname) ASN1_CHOICE_END_name(stname, stname)
+#define ASN1_CHOICE_END(stname)                                         \
+        ASN1_CHOICE_END_name(stname, stname)
-#define static_ASN1_CHOICE_END(stname) static_ASN1_CHOICE_END_name(stname, stname)
+#define static_ASN1_CHOICE_END(stname)                                  \
+        static_ASN1_CHOICE_END_name(stname, stname)
-#define ASN1_CHOICE_END_name(stname, tname) ASN1_CHOICE_END_selector(stname, tname, type)
+#define ASN1_CHOICE_END_name(stname, tname)                             \
+        ASN1_CHOICE_END_selector(stname, tname, type)
-#define static_ASN1_CHOICE_END_name(stname, tname) static_ASN1_CHOICE_END_selector(stname, tname, type)
+#define static_ASN1_CHOICE_END_name(stname, tname)                      \
+        static_ASN1_CHOICE_END_selector(stname, tname, type)
-#define ASN1_CHOICE_END_selector(stname, tname, selname) \
+#define ASN1_CHOICE_END_selector(stname, tname, selname)                \
-        ;\
+        ;                                                               \
-        ASN1_ITEM_start(tname) \
+        ASN1_ITEM_start(tname)                                          \
-                ASN1_ITYPE_CHOICE,\
+                .itype = ASN1_ITYPE_CHOICE,                             \
-                offsetof(stname,selname) ,\
+                .utype = offsetof(stname, selname),                     \
-                tname##_ch_tt,\
+                .templates = tname##_ch_tt,                             \
-                sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
-                NULL,\
+                .funcs = NULL,                                          \
-                sizeof(stname),\
+                .size = sizeof(stname),                                 \
-                #stname \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
-#define static_ASN1_CHOICE_END_selector(stname, tname, selname) \
+#define static_ASN1_CHOICE_END_selector(stname, tname, selname)         \
-        ;\
+        ;                                                               \
-        static_ASN1_ITEM_start(tname) \
+        static_ASN1_ITEM_start(tname)                                   \
-                ASN1_ITYPE_CHOICE,\
+                .itype = ASN1_ITYPE_CHOICE,                             \
-                offsetof(stname,selname) ,\
+                .utype = offsetof(stname, selname),                     \
-                tname##_ch_tt,\
+                .templates = tname##_ch_tt,                             \
-                sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
-                NULL,\
+                .funcs = NULL,                                          \
-                sizeof(stname),\
+                .size = sizeof(stname),                                 \
-                #stname \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
-#define ASN1_CHOICE_END_cb(stname, tname, selname) \
+#define ASN1_CHOICE_END_cb(stname, tname, selname)                      \
-        ;\
+        ;                                                               \
-        ASN1_ITEM_start(tname) \
+        ASN1_ITEM_start(tname)                                          \
-                ASN1_ITYPE_CHOICE,\
+                .itype = ASN1_ITYPE_CHOICE,                             \
-                offsetof(stname,selname) ,\
+                .utype = offsetof(stname, selname),                     \
-                tname##_ch_tt,\
+                .templates = tname##_ch_tt,                             \
-                sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
-                &tname##_aux,\
+                .funcs = &tname##_aux,                                  \
-                sizeof(stname),\
+                .size = sizeof(stname),                                 \
-                #stname \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
 /* This helps with the template wrapper form of ASN1_ITEM */
-#define ASN1_EX_TEMPLATE_TYPE(flags, tag, name, type) { \
+#define ASN1_EX_TEMPLATE_TYPE(flagsval, tagval, name, type)             \
-        (flags), (tag), 0,\
+        {                                                               \
-        #name, ASN1_ITEM_ref(type) }
+                .flags = (flagsval),                                    \
+                .tag = (tagval),                                        \
+                .offset = 0,                                            \
+                .field_name = #name,                                    \
+                .item = ASN1_ITEM_ref(type),                            \
+        }
 /* These help with SEQUENCE or CHOICE components */
 /* used to declare other types */
-#define ASN1_EX_TYPE(flags, tag, stname, field, type) { \
+#define ASN1_EX_TYPE(flagsval, tagval, stname, field, type)             \
-        (flags), (tag), offsetof(stname, field),\
+        {                                                               \
-        #field, ASN1_ITEM_ref(type) }
+                .flags = (flagsval),                                    \
+                .tag = (tagval),                                        \
+                .offset = offsetof(stname, field),                      \
+                .field_name = #field,                                   \
+                .item = ASN1_ITEM_ref(type),                            \
+        }
 /* implicit and explicit helper macros */
-#define ASN1_IMP_EX(stname, field, type, tag, ex) \
+#define ASN1_IMP_EX(stname, field, type, tag, ex)                       \
-                ASN1_EX_TYPE(ASN1_TFLG_IMPLICIT | ex, tag, stname, field, type)
+        ASN1_EX_TYPE(ASN1_TFLG_IMPLICIT | ex, tag, stname, field, type)
-#define ASN1_EXP_EX(stname, field, type, tag, ex) \
+#define ASN1_EXP_EX(stname, field, type, tag, ex)                       \
-                ASN1_EX_TYPE(ASN1_TFLG_EXPLICIT | ex, tag, stname, field, type)
+        ASN1_EX_TYPE(ASN1_TFLG_EXPLICIT | ex, tag, stname, field, type)
 /* Any defined by macros: the field used is in the table itself */
-#define ASN1_ADB_OBJECT(tblname) { ASN1_TFLG_ADB_OID, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) }
+#define ASN1_ADB_OBJECT(tblname)                                        \
-#define ASN1_ADB_INTEGER(tblname) { ASN1_TFLG_ADB_INT, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) }
+        {                                                               \
+                .flags = ASN1_TFLG_ADB_OID,                             \
+                .tag = -1,                                              \
+                .offset = 0,                                            \
+                .field_name = #tblname,                                 \
+                .item = (const ASN1_ITEM *)&(tblname##_adb),            \
+        }
+#define ASN1_ADB_INTEGER(tblname)                                       \
+        {                                                               \
+                .flags = ASN1_TFLG_ADB_INT,                             \
+                .tag = -1,                                              \
+                .offset = 0,                                            \
+                .field_name = #tblname,                                 \
+                .item = (const ASN1_ITEM *)&(tblname##_adb),            \
+        }
 /* Plain simple type */
-#define ASN1_SIMPLE(stname, field, type) ASN1_EX_TYPE(0,0, stname, field, type)
+#define ASN1_SIMPLE(stname, field, type)                                \
+        ASN1_EX_TYPE(0, 0, stname, field, type)
 /* OPTIONAL simple type */
-#define ASN1_OPT(stname, field, type) ASN1_EX_TYPE(ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+#define ASN1_OPT(stname, field, type)                                   \
+        ASN1_EX_TYPE(ASN1_TFLG_OPTIONAL, 0, stname, field, type)
 /* IMPLICIT tagged simple type */
-#define ASN1_IMP(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, 0)
+#define ASN1_IMP(stname, field, type, tag)                              \
+        ASN1_IMP_EX(stname, field, type, tag, 0)
 /* IMPLICIT tagged OPTIONAL simple type */
-#define ASN1_IMP_OPT(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)
+#define ASN1_IMP_OPT(stname, field, type, tag)                          \
+        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)
 /* Same as above but EXPLICIT */
-#define ASN1_EXP(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, 0)
+#define ASN1_EXP(stname, field, type, tag)                              \
-#define ASN1_EXP_OPT(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)
+        ASN1_EXP_EX(stname, field, type, tag, 0)
+#define ASN1_EXP_OPT(stname, field, type, tag)                          \
+        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)
 /* SEQUENCE OF type */
-#define ASN1_SEQUENCE_OF(stname, field, type) \
+#define ASN1_SEQUENCE_OF(stname, field, type)                           \
-                ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, stname, field, type)
+        ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, stname, field, type)
 /* OPTIONAL SEQUENCE OF */
-#define ASN1_SEQUENCE_OF_OPT(stname, field, type) \
+#define ASN1_SEQUENCE_OF_OPT(stname, field, type)                       \
-                ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+        ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type)
 /* Same as above but for SET OF */
-#define ASN1_SET_OF(stname, field, type) \
+#define ASN1_SET_OF(stname, field, type)                                \
-                ASN1_EX_TYPE(ASN1_TFLG_SET_OF, 0, stname, field, type)
+        ASN1_EX_TYPE(ASN1_TFLG_SET_OF, 0, stname, field, type)
-#define ASN1_SET_OF_OPT(stname, field, type) \
+#define ASN1_SET_OF_OPT(stname, field, type)                            \
-                ASN1_EX_TYPE(ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+        ASN1_EX_TYPE(ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type)
 /* Finally compound types of SEQUENCE, SET, IMPLICIT, EXPLICIT and OPTIONAL */
-#define ASN1_IMP_SET_OF(stname, field, type, tag) \
+#define ASN1_IMP_SET_OF(stname, field, type, tag)                       \
-                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)
+        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)
-#define ASN1_EXP_SET_OF(stname, field, type, tag) \
+#define ASN1_EXP_SET_OF(stname, field, type, tag)                       \
-                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)
+        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)
-#define ASN1_IMP_SET_OF_OPT(stname, field, type, tag) \
+#define ASN1_IMP_SET_OF_OPT(stname, field, type, tag)                   \
-                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL)
+        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL)
-#define ASN1_EXP_SET_OF_OPT(stname, field, type, tag) \
+#define ASN1_EXP_SET_OF_OPT(stname, field, type, tag)                   \
-                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL)
+        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL)
-#define ASN1_IMP_SEQUENCE_OF(stname, field, type, tag) \
+#define ASN1_IMP_SEQUENCE_OF(stname, field, type, tag)                  \
-                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)
+        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)
-#define ASN1_IMP_SEQUENCE_OF_OPT(stname, field, type, tag) \
+#define ASN1_IMP_SEQUENCE_OF_OPT(stname, field, type, tag)              \
-                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
+        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
-#define ASN1_EXP_SEQUENCE_OF(stname, field, type, tag) \
+#define ASN1_EXP_SEQUENCE_OF(stname, field, type, tag)                  \
-                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)
+        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)
-#define ASN1_EXP_SEQUENCE_OF_OPT(stname, field, type, tag) \
+#define ASN1_EXP_SEQUENCE_OF_OPT(stname, field, type, tag)              \
-                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
+        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
 /* EXPLICIT using indefinite length constructed form */
-#define ASN1_NDEF_EXP(stname, field, type, tag) \
+#define ASN1_NDEF_EXP(stname, field, type, tag)                         \
-                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_NDEF)
+        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_NDEF)
 /* EXPLICIT OPTIONAL using indefinite length constructed form */
-#define ASN1_NDEF_EXP_OPT(stname, field, type, tag) \
+#define ASN1_NDEF_EXP_OPT(stname, field, type, tag)                     \
-                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL|ASN1_TFLG_NDEF)
+        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL|ASN1_TFLG_NDEF)
 /* Macros for the ASN1_ADB structure */
-#define ASN1_ADB(name) \
+#define ASN1_ADB(name)                                                  \
        static const ASN1_ADB_TABLE name##_adbtbl[]
+/* In 5b70372d OpenSSL added adb_cb. Ignore this until someone complains. */
-#define ASN1_ADB_END(name, flags, field, app_table, def, none) \
+#define ASN1_ADB_END(name, flagsval, field, adb_cb, def, none)          \
-        ;\
+        ;                                                               \
-        static const ASN1_ADB name##_adb = {\
+        static const ASN1_ADB name##_adb = {                            \
-                flags,\
+                .flags = flagsval,                                      \
-                offsetof(name, field),\
+                .offset = offsetof(name, field),                        \
-                app_table,\
+                .tbl = name##_adbtbl,                                   \
-                name##_adbtbl,\
+                .tblcount = sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE),\
-                sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE),\
+                .default_tt = def,                                      \
-                def,\
+                .null_tt = none,                                        \
-                none\
        }
+#define ADB_ENTRY(val, template)                                        \
-#define ADB_ENTRY(val, template) {val, template}
+        {                                                               \
+                .value = val,                                           \
+                .tt = template,                                         \
+        }
 #define ASN1_ADB_TEMPLATE(name) \
        static const ASN1_TEMPLATE name##_tt
@@ -474,16 +543,16 @@ typedef struct ASN1_ADB_TABLE_st ASN1_ADB_TABLE;
 typedef struct ASN1_ADB_st ASN1_ADB;
 struct ASN1_ADB_st {
-        unsigned long flags;    /* Various flags */
+        unsigned long flags;            /* Various flags */
-        unsigned long offset;   /* Offset of selector field */
+        unsigned long offset;           /* Offset of selector field */
        const ASN1_ADB_TABLE *tbl;      /* Table of possible types */
-        long tblcount;          /* Number of entries in tbl */
+        long tblcount;                  /* Number of entries in tbl */
        const ASN1_TEMPLATE *default_tt;  /* Type to use if no match */
-        const ASN1_TEMPLATE *null_tt;  /* Type to use if selector is NULL */
+        const ASN1_TEMPLATE *null_tt;   /* Type to use if selector is NULL */
 };
 struct ASN1_ADB_TABLE_st {
-        long value;             /* NID for an object or value for an int */
+        long value;                     /* NID for an object or value for an int */
        const ASN1_TEMPLATE tt;         /* item for this value */
 };
@@ -498,9 +567,9 @@ struct ASN1_ADB_TABLE_st {
 /* Field is a SEQUENCE OF */
 #define ASN1_TFLG_SEQUENCE_OF   (0x2 << 1)
-/* Special case: this refers to a SET OF that
+/*
- * will be sorted into DER order when encoded *and*
+ * Special case: this refers to a SET OF that will be sorted into DER order
- * the corresponding STACK will be modified to match
+ * when encoded *and* the corresponding STACK will be modified to match
 * the new order.
 */
 #define ASN1_TFLG_SET_ORDER     (0x3 << 1)
@@ -508,9 +577,9 @@ struct ASN1_ADB_TABLE_st {
 /* Mask for SET OF or SEQUENCE OF */
 #define ASN1_TFLG_SK_MASK       (0x3 << 1)
-/* These flags mean the tag should be taken from the
+/*
- * tag field. If EXPLICIT then the underlying type
+ * These flags mean the tag should be taken from the tag field. If EXPLICIT
- * is used for the inner tag.
+ * then the underlying type is used for the inner tag.
 */
 /* IMPLICIT tagging */
@@ -529,7 +598,7 @@ struct ASN1_ADB_TABLE_st {
 #define ASN1_TFLG_EXPLICIT      ASN1_TFLG_EXPTAG|ASN1_TFLG_CONTEXT
 /*
- * If tagging is in force these determine the type of tag to use. Otherwiser
+ * If tagging is in force these determine the type of tag to use. Otherwise
 * the tag is determined by the underlying type. These values reflect the
 * actual octet format.
 */
@@ -546,10 +615,9 @@ struct ASN1_ADB_TABLE_st {
 #define ASN1_TFLG_TAG_CLASS     (0x3<<6)
 /*
- * These are for ANY DEFINED BY type. In this case
+ * These are for ANY DEFINED BY type. In this case the 'item' field points
- * the 'item' field points to an ASN1_ADB structure
+ * to an ASN1_ADB structure which contains a table of values to decode the
- * which contains a table of values to decode the
+ * relevant type.
- * relevant type
 */
 #define ASN1_TFLG_ADB_MASK      (0x3<<8)
@@ -559,9 +627,8 @@ struct ASN1_ADB_TABLE_st {
 #define ASN1_TFLG_ADB_INT       (0x1<<9)
 /*
- * This flag when present in a SEQUENCE OF, SET OF
+ * This flag when present in a SEQUENCE OF, SET OF or EXPLICIT causes
- * or EXPLICIT causes indefinite length constructed
+ * indefinite length constructed encoding to be used if required.
- * encoding to be used if required.
 */
 #define ASN1_TFLG_NDEF          (0x1<<11)
@@ -569,52 +636,43 @@ struct ASN1_ADB_TABLE_st {
 /* This is the actual ASN1 item itself */
 struct ASN1_ITEM_st {
-        char itype;                     /* The item type, primitive, SEQUENCE, CHOICE or extern */
+        char itype; /* The item type, primitive, SEQUENCE, CHOICE or extern */
        long utype;                     /* underlying type */
-        const ASN1_TEMPLATE *templates; /* If SEQUENCE or CHOICE this contains the contents */
+        const ASN1_TEMPLATE *templates; /* contents for SEQUENCE or CHOICE */
        long tcount;                    /* Number of templates if SEQUENCE or CHOICE */
        const void *funcs;              /* functions that handle this type */
-        long size;                      /* Structure size (usually)*/
+        long size;                      /* Structure size (usually) */
        const char *sname;              /* Structure name */
 };
-/* These are values for the itype field and
+/*
- * determine how the type is interpreted.
+ * These are values for the itype field and determine how the type is
+ * interpreted.
 *
- * For PRIMITIVE types the underlying type
+ * For PRIMITIVE types the underlying type determines the behaviour if
- * determines the behaviour if items is NULL.
+ * items is NULL.
 *
- * Otherwise templates must contain a single
+ * Otherwise templates must contain a single template and the type is
- * template and the type is treated in the
+ * treated in the same way as the type specified in the template.
- * same way as the type specified in the template.
 *
- * For SEQUENCE types the templates field points
+ * For SEQUENCE types the templates field points to the members, the
- * to the members, the size field is the
+ * size field is the structure size.
- * structure size.
 *
- * For CHOICE types the templates field points
+ * For CHOICE types the templates field points to each possible member
- * to each possible member (typically a union)
+ * (typically a union) and the 'size' field is the offset of the selector.
- * and the 'size' field is the offset of the
- * selector.
 *
- * The 'funcs' field is used for application
+ * The 'funcs' field is used for application specific functions.
- * specific functions.
 *
- * The EXTERN type uses a new style d2i/i2d.
+ * The EXTERN type uses a new style d2i/i2d.  The new style should be used
- * The new style should be used where possible
+ * where possible because it avoids things like the d2i IMPLICIT hack.
- * because it avoids things like the d2i IMPLICIT
- * hack.
 *
- * MSTRING is a multiple string type, it is used
+ * MSTRING is a multiple string type, it is used for a CHOICE of character
- * for a CHOICE of character strings where the
+ * strings where the actual strings all occupy an ASN1_STRING structure.
- * actual strings all occupy an ASN1_STRING
+ * In this case the 'utype' field has a special meaning, it is used as a
- * structure. In this case the 'utype' field
+ * mask of acceptable types using the B_ASN1 constants.
- * has a special meaning, it is used as a mask
- * of acceptable types using the B_ASN1 constants.
 *
- * NDEF_SEQUENCE is the same as SEQUENCE except
+ * NDEF_SEQUENCE is the same as SEQUENCE except that it will use
- * that it will use indefinite length constructed
+ * indefinite length constructed encoding if requested.
- * encoding if requested.
 *
 */
@@ -648,23 +706,27 @@ struct ASN1_TLC_st {
 typedef ASN1_VALUE * ASN1_new_func(void);
 typedef void ASN1_free_func(ASN1_VALUE *a);
-typedef ASN1_VALUE * ASN1_d2i_func(ASN1_VALUE **a, const unsigned char ** in, long length);
+typedef ASN1_VALUE * ASN1_d2i_func(ASN1_VALUE **a, const unsigned char ** in,
+    long length);
 typedef int ASN1_i2d_func(ASN1_VALUE * a, unsigned char **in);
-typedef int ASN1_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it,
+typedef int ASN1_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
-                                        int tag, int aclass, char opt, ASN1_TLC *ctx);
+    const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx);
-typedef int ASN1_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
+typedef int ASN1_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
+    const ASN1_ITEM *it, int tag, int aclass);
 typedef int ASN1_ex_new_func(ASN1_VALUE **pval, const ASN1_ITEM *it);
 typedef void ASN1_ex_free_func(ASN1_VALUE **pval, const ASN1_ITEM *it);
-typedef int ASN1_ex_print_func(BIO *out, ASN1_VALUE **pval,
+typedef int ASN1_ex_print_func(BIO *out, ASN1_VALUE **pval, int indent,
-                                                int indent, const char *fname,
+    const char *fname, const ASN1_PCTX *pctx);
-                                                const ASN1_PCTX *pctx);
-typedef int ASN1_primitive_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
+typedef int ASN1_primitive_i2c(ASN1_VALUE **pval, unsigned char *cont,
-typedef int ASN1_primitive_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+    int *putype, const ASN1_ITEM *it);
-typedef int ASN1_primitive_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it, int indent, const ASN1_PCTX *pctx);
+typedef int ASN1_primitive_c2i(ASN1_VALUE **pval, const unsigned char *cont,
+    int len, int utype, char *free_cont, const ASN1_ITEM *it);
+typedef int ASN1_primitive_print(BIO *out, ASN1_VALUE **pval,
+    const ASN1_ITEM *it, int indent, const ASN1_PCTX *pctx);
 typedef struct ASN1_EXTERN_FUNCS_st {
        void *app_data;
@@ -687,25 +749,25 @@ typedef struct ASN1_PRIMITIVE_FUNCS_st {
        ASN1_primitive_print *prim_print;
 } ASN1_PRIMITIVE_FUNCS;
-/* This is the ASN1_AUX structure: it handles various
+/*
- * miscellaneous requirements. For example the use of
+ * This is the ASN1_AUX structure: it handles various miscellaneous
- * reference counts and an informational callback.
+ * requirements. For example the use of reference counts and an
+ * informational callback.
 *
- * The "informational callback" is called at various
+ * The "informational callback" is called at various points during
- * points during the ASN1 encoding and decoding. It can
+ * the ASN1 encoding and decoding. It can be used to provide minor
- * be used to provide minor customisation of the structures
+ * customisation of the structures used. This is most useful where
- * used. This is most useful where the supplied routines
+ * the supplied routines *almost* do the right thing but need some
- * *almost* do the right thing but need some extra help
+ * extra help at a few points. If the callback returns zero then it
- * at a few points. If the callback returns zero then
+ * is assumed a fatal error has occurred and the main operation
- * it is assumed a fatal error has occurred and the
+ * should be abandoned.
- * main operation should be abandoned.
 *
- * If major changes in the default behaviour are required
+ * If major changes in the default behaviour are required then an
- * then an external type is more appropriate.
+ * external type is more appropriate.
 */
 typedef int ASN1_aux_cb(int operation, ASN1_VALUE **in, const ASN1_ITEM *it,
-                                void *exarg);
+    void *exarg);
 typedef struct ASN1_AUX_st {
        void *app_data;
@@ -761,116 +823,146 @@ typedef struct ASN1_STREAM_ARG_st {
 /* Macro to implement a primitive type */
 #define IMPLEMENT_ASN1_TYPE(stname) IMPLEMENT_ASN1_TYPE_ex(stname, stname, 0)
-#define IMPLEMENT_ASN1_TYPE_ex(itname, vname, ex) \
+#define IMPLEMENT_ASN1_TYPE_ex(itname, vname, ex)                       \
-                                ASN1_ITEM_start(itname) \
+        ASN1_ITEM_start(itname)                                         \
-                                        ASN1_ITYPE_PRIMITIVE, V_##vname, NULL, 0, NULL, ex, #itname \
+                .itype = ASN1_ITYPE_PRIMITIVE,                          \
-                                ASN1_ITEM_end(itname)
+                .utype = V_##vname,                                     \
+                .templates = NULL,                                      \
+                .tcount = 0,                                            \
+                .funcs = NULL,                                          \
+                .size = ex,                                             \
+                .sname = #itname,                                       \
+        ASN1_ITEM_end(itname)
 /* Macro to implement a multi string type */
-#define IMPLEMENT_ASN1_MSTRING(itname, mask) \
+#define IMPLEMENT_ASN1_MSTRING(itname, mask)                            \
-                                ASN1_ITEM_start(itname) \
+        ASN1_ITEM_start(itname)                                         \
-                                        ASN1_ITYPE_MSTRING, mask, NULL, 0, NULL, sizeof(ASN1_STRING), #itname \
+                .itype = ASN1_ITYPE_MSTRING,                            \
-                                ASN1_ITEM_end(itname)
+                .utype = mask,                                          \
-#define IMPLEMENT_EXTERN_ASN1(sname, tag, fptrs) \
+                .templates = NULL,                                      \
-        ASN1_ITEM_start(sname) \
+                .tcount = 0,                                            \
-                ASN1_ITYPE_EXTERN, \
+                .funcs = NULL,                                          \
-                tag, \
+                .size = sizeof(ASN1_STRING),                            \
-                NULL, \
+                .sname = #itname,                                       \
-                0, \
+        ASN1_ITEM_end(itname)
-                &fptrs, \
+#define IMPLEMENT_EXTERN_ASN1(sname, tag, fptrs)                        \
-                0, \
+        ASN1_ITEM_start(sname)                                          \
-                #sname \
+                .itype = ASN1_ITYPE_EXTERN,                             \
+                .utype = tag,                                           \
+                .templates = NULL,                                      \
+                .tcount = 0,                                            \
+                .funcs = &fptrs,                                        \
+                .size = 0,                                              \
+                .sname = #sname,                                        \
        ASN1_ITEM_end(sname)
 /* Macro to implement standard functions in terms of ASN1_ITEM structures */
-#define IMPLEMENT_ASN1_FUNCTIONS(stname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, stname, stname)
+#define IMPLEMENT_ASN1_FUNCTIONS(stname)                                \
+        IMPLEMENT_ASN1_FUNCTIONS_fname(stname, stname, stname)
-#define IMPLEMENT_ASN1_FUNCTIONS_name(stname, itname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, itname)
+#define IMPLEMENT_ASN1_FUNCTIONS_name(stname, itname)                   \
+        IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, itname)
-#define IMPLEMENT_ASN1_FUNCTIONS_ENCODE_name(stname, itname) \
+#define IMPLEMENT_ASN1_FUNCTIONS_ENCODE_name(stname, itname)            \
-                        IMPLEMENT_ASN1_FUNCTIONS_ENCODE_fname(stname, itname, itname)
+        IMPLEMENT_ASN1_FUNCTIONS_ENCODE_fname(stname, itname, itname)
-#define IMPLEMENT_STATIC_ASN1_ALLOC_FUNCTIONS(stname) \
+#define IMPLEMENT_STATIC_ASN1_ALLOC_FUNCTIONS(stname)                   \
-                IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(static, stname, stname, stname)
+        IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(static, stname, stname, stname)
-#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS(stname) \
+#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS(stname)                          \
-                IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, stname, stname)
+        IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, stname, stname)
 #define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(pre, stname, itname, fname) \
-        pre stname *fname##_new(void) \
+        pre stname *                                                    \
-        { \
+        fname##_new(void)                                               \
-                return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \
+        {                                                               \
-        } \
+                return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \
-        pre void fname##_free(stname *a) \
+        }                                                               \
-        { \
+        pre void                                                        \
+        fname##_free(stname *a)                                         \
+        {                                                               \
                ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \
        }
-#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) \
+#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)     \
-        stname *fname##_new(void) \
+        stname *                                                        \
-        { \
+        fname##_new(void)                                               \
-                return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \
+        {                                                               \
-        } \
+                return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \
-        void fname##_free(stname *a) \
+        }                                                               \
-        { \
+        void                                                            \
+        fname##_free(stname *a)                                         \
+        {                                                               \
                ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \
        }
-#define IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, fname) \
+#define IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, fname)           \
-        IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \
+        IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname)    \
        IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)
-#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \
+#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname)    \
-        stname *d2i_##fname(stname **a, const unsigned char **in, long len) \
+        stname *                                                        \
-        { \
+        d2i_##fname(stname **a, const unsigned char **in, long len)     \
-                return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname));\
+        {                                                               \
-        } \
+                return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in,    \
-        int i2d_##fname(stname *a, unsigned char **out) \
+                    len, ASN1_ITEM_rptr(itname));                       \
-        { \
+        }                                                               \
-                return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\
+        int                                                             \
+        i2d_##fname(stname *a, unsigned char **out)                     \
+        {                                                               \
+                return ASN1_item_i2d((ASN1_VALUE *)a, out,              \
+                    ASN1_ITEM_rptr(itname));                            \
        }
-#define IMPLEMENT_ASN1_NDEF_FUNCTION(stname) \
+#define IMPLEMENT_ASN1_NDEF_FUNCTION(stname)                            \
-        int i2d_##stname##_NDEF(stname *a, unsigned char **out) \
+        int                                                             \
-        { \
+        i2d_##stname##_NDEF(stname *a, unsigned char **out)             \
-                return ASN1_item_ndef_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(stname));\
+        {                                                               \
+                return ASN1_item_ndef_i2d((ASN1_VALUE *)a, out,         \
+                    ASN1_ITEM_rptr(stname));                            \
        }
 /* This includes evil casts to remove const: they will go away when full
 * ASN1 constification is done.
 */
 #define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \
-        stname *d2i_##fname(stname **a, const unsigned char **in, long len) \
+        stname *                                                        \
-        { \
+        d2i_##fname(stname **a, const unsigned char **in, long len)     \
-                return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname));\
+        {                                                               \
-        } \
+                return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in,    \
-        int i2d_##fname(const stname *a, unsigned char **out) \
+                    len, ASN1_ITEM_rptr(itname));                       \
-        { \
+        }                                                               \
-                return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\
+        int                                                             \
+        i2d_##fname(const stname *a, unsigned char **out)               \
+        {                                                               \
+                return ASN1_item_i2d((ASN1_VALUE *)a, out,              \
+                    ASN1_ITEM_rptr(itname));                            \
        }
-#define IMPLEMENT_ASN1_DUP_FUNCTION(stname) \
+#define IMPLEMENT_ASN1_DUP_FUNCTION(stname)                             \
-        stname * stname##_dup(stname *x) \
+        stname *                                                        \
-        { \
+        stname##_dup(stname *x)                                         \
-        return ASN1_item_dup(ASN1_ITEM_rptr(stname), x); \
+        {                                                               \
-        }
+                return ASN1_item_dup(ASN1_ITEM_rptr(stname), x);        \
+        }
-#define IMPLEMENT_ASN1_PRINT_FUNCTION(stname) \
+#define IMPLEMENT_ASN1_PRINT_FUNCTION(stname)                           \
        IMPLEMENT_ASN1_PRINT_FUNCTION_fname(stname, stname, stname)
-#define IMPLEMENT_ASN1_PRINT_FUNCTION_fname(stname, itname, fname) \
+#define IMPLEMENT_ASN1_PRINT_FUNCTION_fname(stname, itname, fname)      \
-        int fname##_print_ctx(BIO *out, stname *x, int indent, \
+        int                                                             \
-                                                const ASN1_PCTX *pctx) \
+        fname##_print_ctx(BIO *out, stname *x, int indent,              \
-        { \
+            const ASN1_PCTX *pctx)                                      \
-                return ASN1_item_print(out, (ASN1_VALUE *)x, indent, \
+        {                                                               \
-                        ASN1_ITEM_rptr(itname), pctx); \
+                return ASN1_item_print(out, (ASN1_VALUE *)x, indent,    \
+                    ASN1_ITEM_rptr(itname), pctx);                      \
        }
-#define IMPLEMENT_ASN1_FUNCTIONS_const(name) \
+#define IMPLEMENT_ASN1_FUNCTIONS_const(name)                            \
-                IMPLEMENT_ASN1_FUNCTIONS_const_fname(name, name, name)
+        IMPLEMENT_ASN1_FUNCTIONS_const_fname(name, name, name)
-#define IMPLEMENT_ASN1_FUNCTIONS_const_fname(stname, itname, fname) \
+#define IMPLEMENT_ASN1_FUNCTIONS_const_fname(stname, itname, fname)     \
        IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \
        IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)
@@ -893,10 +985,10 @@ DECLARE_STACK_OF(ASN1_VALUE)
 int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
 void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
-int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it,
+int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
-                                int tag, int aclass, char opt, ASN1_TLC *ctx);
+    const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx);
+int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
-int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
+    const ASN1_ITEM *it, int tag, int aclass);
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/asn1/asn_mime.c b/src/lib/libcrypto/asn1/asn_mime.c
index 3995fc547c..d42dd8663e 100644
--- a/src/lib/libcrypto/asn1/asn_mime.c
+++ b/src/lib/libcrypto/asn1/asn_mime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn_mime.c,v 1.35 2025/01/17 05:02:18 tb Exp $ */
+/* $OpenBSD: asn_mime.c,v 1.37 2025/06/02 12:18:21 jsg Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -59,10 +59,10 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 /* Generalised MIME like utilities for streaming ASN1. Although many
@@ -507,8 +507,9 @@ SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it)
                        *bcont = sk_BIO_value(parts, 0);
                        BIO_free(asnin);
                        sk_BIO_free(parts);
-                } else sk_BIO_pop_free(parts, BIO_vfree);
+                } else
-                        return val;
+                        sk_BIO_pop_free(parts, BIO_vfree);
+                return val;
        }
        /* OK, if not multipart/signed try opaque signature */
diff --git a/src/lib/libcrypto/asn1/asn_moid.c b/src/lib/libcrypto/asn1/asn_moid.c
index e3c7d09446..a9a752cc38 100644
--- a/src/lib/libcrypto/asn1/asn_moid.c
+++ b/src/lib/libcrypto/asn1/asn_moid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn_moid.c,v 1.18 2024/08/31 09:26:18 tb Exp $ */
+/* $OpenBSD: asn_moid.c,v 1.20 2025/05/10 11:51:01 tb Exp $ */
 /* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -60,13 +60,13 @@
 #include <stdio.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/conf.h>
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
 #include "conf_local.h"
+#include "err_local.h"
 /* Simple ASN1 OID module: add all objects in a given section */
diff --git a/src/lib/libcrypto/asn1/bio_ndef.c b/src/lib/libcrypto/asn1/bio_ndef.c
index 98bb1cd197..d001ffb0ae 100644
--- a/src/lib/libcrypto/asn1/bio_ndef.c
+++ b/src/lib/libcrypto/asn1/bio_ndef.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_ndef.c,v 1.24 2023/07/28 09:58:30 tb Exp $ */
+/* $OpenBSD: bio_ndef.c,v 1.25 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -57,9 +57,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
+#include "err_local.h"
 int BIO_asn1_set_prefix(BIO *b, asn1_ps_func *prefix, asn1_ps_func *prefix_free);
 int BIO_asn1_set_suffix(BIO *b, asn1_ps_func *suffix, asn1_ps_func *suffix_free);
diff --git a/src/lib/libcrypto/asn1/p5_pbe.c b/src/lib/libcrypto/asn1/p5_pbe.c
index 582d2d9a9b..feccf8af58 100644
--- a/src/lib/libcrypto/asn1/p5_pbe.c
+++ b/src/lib/libcrypto/asn1/p5_pbe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_pbe.c,v 1.28 2024/07/08 14:48:49 beck Exp $ */
+/* $OpenBSD: p5_pbe.c,v 1.31 2025/12/07 09:27:02 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -61,11 +61,14 @@
 #include <string.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 #include "x509_local.h"
+/* RFC 8018, section 6.1 specifies an eight-octet salt for PBES1. */
+#define PKCS5_PBE1_SALT_LEN     8
 /* PKCS#5 password based encryption structure */
 static const ASN1_TEMPLATE PBEPARAM_seq_tt[] = {
@@ -126,7 +129,6 @@ PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
 {
        PBEPARAM *pbe = NULL;
        ASN1_STRING *pbe_str = NULL;
-        unsigned char *sstr;
        if ((pbe = PBEPARAM_new()) == NULL) {
                ASN1error(ERR_R_MALLOC_FAILURE);
@@ -138,17 +140,24 @@ PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
                ASN1error(ERR_R_MALLOC_FAILURE);
                goto err;
        }
-        if (!saltlen)
+        if (saltlen < 0)
-                saltlen = PKCS5_SALT_LEN;
-        if (!ASN1_STRING_set(pbe->salt, NULL, saltlen)) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
                goto err;
-        }
+        if (saltlen == 0)
-        sstr = ASN1_STRING_data(pbe->salt);
+                saltlen = PKCS5_PBE1_SALT_LEN;
-        if (salt)
+        if (salt != NULL) {
-                memcpy(sstr, salt, saltlen);
+                if (!ASN1_STRING_set(pbe->salt, salt, saltlen))
-        else
+                        goto err;
+        } else {
+                unsigned char *sstr = NULL;
+                if ((sstr = malloc(saltlen)) == NULL) {
+                        ASN1error(ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
                arc4random_buf(sstr, saltlen);
+                ASN1_STRING_set0(pbe->salt, sstr, saltlen);
+                sstr = NULL;
+        }
        if (!ASN1_item_pack(pbe, &PBEPARAM_it, &pbe_str)) {
                ASN1error(ERR_R_MALLOC_FAILURE);
@@ -162,9 +171,9 @@ PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
                return 1;
 err:
-        if (pbe != NULL)
+        PBEPARAM_free(pbe);
-                PBEPARAM_free(pbe);
        ASN1_STRING_free(pbe_str);
        return 0;
 }
diff --git a/src/lib/libcrypto/asn1/p5_pbev2.c b/src/lib/libcrypto/asn1/p5_pbev2.c
index 76872a8dec..64924d9b38 100644
--- a/src/lib/libcrypto/asn1/p5_pbev2.c
+++ b/src/lib/libcrypto/asn1/p5_pbev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_pbev2.c,v 1.35 2024/03/26 07:03:10 tb Exp $ */
+/* $OpenBSD: p5_pbev2.c,v 1.38 2025/05/24 02:57:14 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999-2004.
 */
@@ -61,12 +61,18 @@
 #include <string.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
+/*
+ * RFC 8018, sections 6.2 and 4 specify at least 64 bits for PBES2, apparently
+ * FIPS will require at least 128 bits in the future, OpenSSL does that.
+ */
+#define PKCS5_PBE2_SALT_LEN     16
 /* PKCS#5 v2.0 password based encryption structures */
 static const ASN1_TEMPLATE PBE2PARAM_seq_tt[] = {
@@ -187,7 +193,7 @@ PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, unsigned char *salt,
    int saltlen)
 {
        X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
-        int prf_nid = NID_hmacWithSHA1;
+        int prf_nid = NID_hmacWithSHA256;
        int alg_nid, keylen;
        EVP_CIPHER_CTX ctx;
        unsigned char iv[EVP_MAX_IV_LENGTH];
@@ -292,7 +298,7 @@ PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, int prf_nid,
        kdf->salt->type = V_ASN1_OCTET_STRING;
        if (!saltlen)
-                saltlen = PKCS5_SALT_LEN;
+                saltlen = PKCS5_PBE2_SALT_LEN;
        if (!(osalt->data = malloc (saltlen)))
                goto merr;
diff --git a/src/lib/libcrypto/asn1/p8_pkey.c b/src/lib/libcrypto/asn1/p8_pkey.c
index bdb0c39ad5..a5e82ef7ff 100644
--- a/src/lib/libcrypto/asn1/p8_pkey.c
+++ b/src/lib/libcrypto/asn1/p8_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p8_pkey.c,v 1.25 2024/07/08 14:48:49 beck Exp $ */
+/* $OpenBSD: p8_pkey.c,v 1.26 2025/12/05 14:19:27 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -168,7 +168,7 @@ PKCS8_pkey_get0(const ASN1_OBJECT **ppkalg, const unsigned char **pk,
        if (ppkalg != NULL)
                *ppkalg = p8->pkeyalg->algorithm;
        if (pk != NULL) {
-                *pk = ASN1_STRING_data(p8->pkey);
+                *pk = ASN1_STRING_get0_data(p8->pkey);
                *ppklen = ASN1_STRING_length(p8->pkey);
        }
        if (pa != NULL)
diff --git a/src/lib/libcrypto/asn1/t_crl.c b/src/lib/libcrypto/asn1/t_crl.c
index 6449e7f199..295ab6c050 100644
--- a/src/lib/libcrypto/asn1/t_crl.c
+++ b/src/lib/libcrypto/asn1/t_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_crl.c,v 1.26 2024/05/03 02:52:00 tb Exp $ */
+/* $OpenBSD: t_crl.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -61,11 +61,11 @@
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 int
diff --git a/src/lib/libcrypto/asn1/t_req.c b/src/lib/libcrypto/asn1/t_req.c
index 1d4be9865d..51e4b4f651 100644
--- a/src/lib/libcrypto/asn1/t_req.c
+++ b/src/lib/libcrypto/asn1/t_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_req.c,v 1.28 2024/05/03 02:52:00 tb Exp $ */
+/* $OpenBSD: t_req.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,7 +62,6 @@
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -74,6 +73,7 @@
 #include <openssl/rsa.h>
 #endif
+#include "err_local.h"
 #include "x509_local.h"
 int
diff --git a/src/lib/libcrypto/asn1/t_x509.c b/src/lib/libcrypto/asn1/t_x509.c
index 7cf4557314..71f97a8214 100644
--- a/src/lib/libcrypto/asn1/t_x509.c
+++ b/src/lib/libcrypto/asn1/t_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_x509.c,v 1.51 2025/02/08 03:41:36 tb Exp $ */
+/* $OpenBSD: t_x509.c,v 1.54 2025/07/01 06:46:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -65,13 +65,13 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/sha.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
@@ -106,6 +106,28 @@ X509_print(BIO *bp, X509 *x)
 }
 LCRYPTO_ALIAS(X509_print);
+static int
+x509_print_uids(BIO *bp, const X509 *x, int indent)
+{
+        const ASN1_BIT_STRING *issuerUID = NULL, *subjectUID = NULL;
+        X509_get0_uids(x, &issuerUID, &subjectUID);
+        if (issuerUID != NULL) {
+                if (BIO_printf(bp, "%*sIssuer Unique ID: ", indent, "") <= 0)
+                        return 0;
+                if (!X509_signature_dump(bp, issuerUID, indent + 4))
+                        return 0;
+        }
+        if (subjectUID != NULL) {
+                if (BIO_printf(bp, "%*sSubject Unique ID: ", indent, "") <= 0)
+                        return 0;
+                if (!X509_signature_dump(bp, subjectUID, indent + 4))
+                        return 0;
+        }
+        return 1;
+}
 int
 X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 {
@@ -127,9 +149,9 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
        ci = x->cert_info;
        if (!(cflag & X509_FLAG_NO_HEADER)) {
-                if (BIO_write(bp, "Certificate:\n", 13) <= 0)
+                if (BIO_printf(bp, "Certificate:\n") <= 0)
                        goto err;
-                if (BIO_write(bp, "    Data:\n", 10) <= 0)
+                if (BIO_printf(bp, "    Data:\n") <= 0)
                        goto err;
        }
        if (!(cflag & X509_FLAG_NO_VERSION)) {
@@ -145,7 +167,7 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                }
        }
        if (!(cflag & X509_FLAG_NO_SERIAL)) {
-                if (BIO_write(bp, "        Serial Number:", 22) <= 0)
+                if (BIO_printf(bp, "        Serial Number:") <= 0)
                        goto err;
                bs = X509_get_serialNumber(x);
@@ -196,21 +218,21 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                if (X509_NAME_print_ex(bp, X509_get_issuer_name(x),
                    nmindent, nmflags) < (nmflags == X509_FLAG_COMPAT ? 1 : 0))
                        goto err;
-                if (BIO_write(bp, "\n", 1) <= 0)
+                if (BIO_printf(bp, "\n") <= 0)
                        goto err;
        }
        if (!(cflag & X509_FLAG_NO_VALIDITY)) {
-                if (BIO_write(bp, "        Validity\n", 17) <= 0)
+                if (BIO_printf(bp, "        Validity\n") <= 0)
                        goto err;
-                if (BIO_write(bp, "            Not Before: ", 24) <= 0)
+                if (BIO_printf(bp, "            Not Before: ") <= 0)
                        goto err;
                if (!ASN1_TIME_print(bp, X509_get_notBefore(x)))
                        goto err;
-                if (BIO_write(bp, "\n            Not After : ", 25) <= 0)
+                if (BIO_printf(bp, "\n            Not After : ") <= 0)
                        goto err;
                if (!ASN1_TIME_print(bp, X509_get_notAfter(x)))
                        goto err;
-                if (BIO_write(bp, "\n", 1) <= 0)
+                if (BIO_printf(bp, "\n") <= 0)
                        goto err;
        }
        if (!(cflag & X509_FLAG_NO_SUBJECT)) {
@@ -219,12 +241,11 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                if (X509_NAME_print_ex(bp, X509_get_subject_name(x),
                    nmindent, nmflags) < (nmflags == X509_FLAG_COMPAT ? 1 : 0))
                        goto err;
-                if (BIO_write(bp, "\n", 1) <= 0)
+                if (BIO_printf(bp, "\n") <= 0)
                        goto err;
        }
        if (!(cflag & X509_FLAG_NO_PUBKEY)) {
-                if (BIO_write(bp, "        Subject Public Key Info:\n",
+                if (BIO_printf(bp, "        Subject Public Key Info:\n") <= 0)
-                    33) <= 0)
                        goto err;
                if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)
                        goto err;
@@ -243,6 +264,11 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                }
        }
+        if (!(cflag & X509_FLAG_NO_IDS)) {
+                if (!x509_print_uids(bp, x, 8))
+                        goto err;
+        }
        if (!(cflag & X509_FLAG_NO_EXTENSIONS))
                X509V3_extensions_print(bp, "X509v3 extensions",
                    ci->extensions, cflag, 8);
@@ -325,7 +351,7 @@ X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
        s = sig->data;
        for (i = 0; i < n; i++) {
                if ((i % 18) == 0) {
-                        if (BIO_write(bp, "\n", 1) <= 0)
+                        if (BIO_printf(bp, "\n") <= 0)
                                return 0;
                        if (BIO_indent(bp, indent, indent) <= 0)
                                return 0;
@@ -334,7 +360,7 @@ X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
                    ((i + 1) == n) ? "" : ":") <= 0)
                        return 0;
        }
-        if (BIO_write(bp, "\n", 1) != 1)
+        if (BIO_printf(bp, "\n") != 1)
                return 0;
        return 1;
@@ -375,7 +401,7 @@ ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
                return ASN1_UTCTIME_print(bp, tm);
        if (tm->type == V_ASN1_GENERALIZEDTIME)
                return ASN1_GENERALIZEDTIME_print(bp, tm);
-        BIO_write(bp, "Bad time value", 14);
+        BIO_printf(bp, "Bad time value");
        return (0);
 }
 LCRYPTO_ALIAS(ASN1_TIME_print);
@@ -435,7 +461,7 @@ ASN1_GENERALIZEDTIME_print(BIO *bp, const ASN1_GENERALIZEDTIME *tm)
                return (1);
 err:
-        BIO_write(bp, "Bad time value", 14);
+        BIO_printf(bp, "Bad time value");
        return (0);
 }
 LCRYPTO_ALIAS(ASN1_GENERALIZEDTIME_print);
@@ -479,7 +505,7 @@ ASN1_UTCTIME_print(BIO *bp, const ASN1_UTCTIME *tm)
                return (1);
 err:
-        BIO_write(bp, "Bad time value", 14);
+        BIO_printf(bp, "Bad time value");
        return (0);
 }
 LCRYPTO_ALIAS(ASN1_UTCTIME_print);
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
index 31b9efee54..1bffae8a94 100644
--- a/src/lib/libcrypto/asn1/tasn_dec.c
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_dec.c,v 1.88 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: tasn_dec.c,v 1.89 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -63,11 +63,11 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include "asn1_local.h"
 #include "bytestring.h"
+#include "err_local.h"
 /*
 * Constructed types with a recursive definition (such as can be found in PKCS7)
diff --git a/src/lib/libcrypto/asn1/tasn_enc.c b/src/lib/libcrypto/asn1/tasn_enc.c
index b71993a139..a65fb5b7e7 100644
--- a/src/lib/libcrypto/asn1/tasn_enc.c
+++ b/src/lib/libcrypto/asn1/tasn_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_enc.c,v 1.33 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: tasn_enc.c,v 1.34 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -61,10 +61,10 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include "asn1_local.h"
+#include "err_local.h"
 static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,
    const ASN1_ITEM *it, int tag, int aclass);
diff --git a/src/lib/libcrypto/asn1/tasn_fre.c b/src/lib/libcrypto/asn1/tasn_fre.c
index 0e259a13ab..c3de668483 100644
--- a/src/lib/libcrypto/asn1/tasn_fre.c
+++ b/src/lib/libcrypto/asn1/tasn_fre.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_fre.c,v 1.24 2024/12/11 11:22:06 tb Exp $ */
+/* $OpenBSD: tasn_fre.c,v 1.25 2025/08/14 19:02:17 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -147,8 +147,9 @@ asn1_item_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
                                return;
                }
                asn1_enc_cleanup(pval, it);
-                /* If we free up as normal we will invalidate any
+                /*
-                 * ANY DEFINED BY field and we wont be able to
+                 * If we free up as normal, we will invalidate any
+                 * ANY DEFINED BY field and we won't be able to
                 * determine the type of the field it defines. So
                 * free up in reverse order.
                 */
diff --git a/src/lib/libcrypto/asn1/tasn_new.c b/src/lib/libcrypto/asn1/tasn_new.c
index 10c1137dbf..e17810b832 100644
--- a/src/lib/libcrypto/asn1/tasn_new.c
+++ b/src/lib/libcrypto/asn1/tasn_new.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_new.c,v 1.25 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: tasn_new.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -60,11 +60,11 @@
 #include <stddef.h>
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
-#include <openssl/err.h>
 #include <openssl/asn1t.h>
 #include <string.h>
 #include "asn1_local.h"
+#include "err_local.h"
 static int asn1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
 static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
diff --git a/src/lib/libcrypto/asn1/tasn_prn.c b/src/lib/libcrypto/asn1/tasn_prn.c
index 07764fc091..4db6d61111 100644
--- a/src/lib/libcrypto/asn1/tasn_prn.c
+++ b/src/lib/libcrypto/asn1/tasn_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_prn.c,v 1.27 2024/03/02 09:04:07 tb Exp $ */
+/* $OpenBSD: tasn_prn.c,v 1.29 2025/06/07 09:28:00 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -61,7 +61,6 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509v3.h>
@@ -411,7 +410,7 @@ asn1_primitive_print(BIO *out, ASN1_VALUE **fld, const ASN1_ITEM *it,
        if (!asn1_print_fsname(out, indent, fname, sname, pctx))
                return 0;
-        if (it != NULL && it->funcs != NULL) {
+        if (it->funcs != NULL) {
                const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
                if (pf->prim_print == NULL)
diff --git a/src/lib/libcrypto/asn1/tasn_typ.c b/src/lib/libcrypto/asn1/tasn_typ.c
index 0f7fcb0e03..64faad7240 100644
--- a/src/lib/libcrypto/asn1/tasn_typ.c
+++ b/src/lib/libcrypto/asn1/tasn_typ.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_typ.c,v 1.20 2024/07/08 16:24:22 beck Exp $ */
+/* $OpenBSD: tasn_typ.c,v 1.21 2025/08/22 14:07:34 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -623,6 +623,7 @@ const ASN1_ITEM ASN1_BOOLEAN_it = {
        .size = -1,
        .sname = "ASN1_BOOLEAN",
 };
+LCRYPTO_ALIAS(ASN1_BOOLEAN_it);
 int
 i2d_ASN1_BOOLEAN(int a, unsigned char **out)
@@ -652,6 +653,7 @@ const ASN1_ITEM ASN1_TBOOLEAN_it = {
        .size = 1,
        .sname = "ASN1_TBOOLEAN",
 };
+LCRYPTO_ALIAS(ASN1_TBOOLEAN_it);
 const ASN1_ITEM ASN1_FBOOLEAN_it = {
        .itype = ASN1_ITYPE_PRIMITIVE,
@@ -659,6 +661,7 @@ const ASN1_ITEM ASN1_FBOOLEAN_it = {
        .size = 0,
        .sname = "ASN1_FBOOLEAN",
 };
+LCRYPTO_ALIAS(ASN1_FBOOLEAN_it);
 /* Special, OCTET STRING with indefinite length constructed support */
diff --git a/src/lib/libcrypto/asn1/tasn_utl.c b/src/lib/libcrypto/asn1/tasn_utl.c
index ae546edd4b..178a364c89 100644
--- a/src/lib/libcrypto/asn1/tasn_utl.c
+++ b/src/lib/libcrypto/asn1/tasn_utl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_utl.c,v 1.18 2022/12/26 07:18:51 jmc Exp $ */
+/* $OpenBSD: tasn_utl.c,v 1.19 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -63,9 +63,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/objects.h>
-#include <openssl/err.h>
 #include "bytestring.h"
+#include "err_local.h"
 /* Utility functions for manipulating fields and offsets */
diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c
index 7ad8350f3d..59f867bc12 100644
--- a/src/lib/libcrypto/asn1/x_crl.c
+++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_crl.c,v 1.48 2025/02/27 20:13:41 tb Exp $ */
+/* $OpenBSD: x_crl.c,v 1.51 2025/08/19 21:54:11 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,11 +61,11 @@
 #include <openssl/opensslconf.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp);
@@ -105,8 +105,9 @@ X509_REVOKED_cmp(const X509_REVOKED * const *a, const X509_REVOKED * const *b)
        return ASN1_INTEGER_cmp((*a)->serialNumber, (*b)->serialNumber);
 }
-/* The X509_CRL_INFO structure needs a bit of customisation.
+/*
- * Since we cache the original encoding the signature wont be affected by
+ * The X509_CRL_INFO structure needs a bit of customisation.
+ * Since we cache the original encoding, the signature won't be affected by
 * reordering of the revoked field.
 */
 static int
@@ -540,6 +541,12 @@ LCRYPTO_ALIAS(X509_CRL_add0_revoked);
 int
 X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey)
 {
+        /*
+         * The CertificateList's signature AlgorithmIdentifier must match
+         * the one inside the TBSCertList, see RFC 5280, 5.1.1.2, 5.1.2.2.
+         */
+        if (X509_ALGOR_cmp(crl->sig_alg, crl->crl->sig_alg) != 0)
+                return 0;
        return ASN1_item_verify(&X509_CRL_INFO_it, crl->sig_alg, crl->signature,
            crl->crl, pkey);
 }
diff --git a/src/lib/libcrypto/asn1/x_info.c b/src/lib/libcrypto/asn1/x_info.c
deleted file mode 100644
index d2c4bcfe7a..0000000000
--- a/src/lib/libcrypto/asn1/x_info.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/* $OpenBSD: x_info.c,v 1.22 2024/12/11 10:28:03 tb Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <openssl/asn1.h>
-#include <openssl/err.h>
-#include <openssl/x509.h>
-X509_INFO *
-X509_INFO_new(void)
-{
-        X509_INFO *ret;
-        if ((ret = calloc(1, sizeof(X509_INFO))) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                return NULL;
-        }
-        ret->references = 1;
-        return ret;
-}
-LCRYPTO_ALIAS(X509_INFO_new);
-void
-X509_INFO_free(X509_INFO *x)
-{
-        if (x == NULL)
-                return;
-        if (CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO) > 0)
-                return;
-        X509_free(x->x509);
-        X509_CRL_free(x->crl);
-        X509_PKEY_free(x->x_pkey);
-        free(x->enc_data);
-        free(x);
-}
-LCRYPTO_ALIAS(X509_INFO_free);
diff --git a/src/lib/libcrypto/asn1/x_long.c b/src/lib/libcrypto/asn1/x_long.c
index 5e673f4521..ed463bf7c5 100644
--- a/src/lib/libcrypto/asn1/x_long.c
+++ b/src/lib/libcrypto/asn1/x_long.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_long.c,v 1.21 2024/07/08 16:24:22 beck Exp $ */
+/* $OpenBSD: x_long.c,v 1.23 2026/01/02 08:03:02 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -61,15 +61,18 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
+#include "err_local.h"
 /*
 * Custom primitive type for long handling. This converts between an
 * ASN1_INTEGER and a long directly.
 */
+/* Used with ASN1 LONG type: if a long is set to this it is omitted */
+#define ASN1_LONG_UNDEF 0x7fffffffL
 static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
 static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
 static void long_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
@@ -159,8 +162,9 @@ long_i2c(ASN1_VALUE **pval, unsigned char *content, int *putype,
        long_get(pval, &val);
        /*
-         * The zero value for this type (stored in the overloaded it->size
+         * Omit this field if it has the zero value for this type (stored
-         * field) is considered to be invalid.
+         * in the overloaded it->size field) - asn1_i2d_ex_primitive()
+         * specifically checks for a -1 return value.
         */
        if (val == it->size)
                return -1;
diff --git a/src/lib/libcrypto/asn1/x_name.c b/src/lib/libcrypto/asn1/x_name.c
index c60714b74f..eab14ad503 100644
--- a/src/lib/libcrypto/asn1/x_name.c
+++ b/src/lib/libcrypto/asn1/x_name.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_name.c,v 1.45 2025/03/20 09:41:47 tb Exp $ */
+/* $OpenBSD: x_name.c,v 1.47 2026/01/05 05:22:09 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,10 +61,10 @@
 #include <string.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
@@ -194,7 +194,7 @@ static const ASN1_ITEM X509_NAME_INTERNAL_it = {
 * to the external form.
 */
-const ASN1_EXTERN_FUNCS x509_name_ff = {
+static const ASN1_EXTERN_FUNCS x509_name_ff = {
        .app_data = NULL,
        .asn1_ex_new = x509_name_ex_new,
        .asn1_ex_free = x509_name_ex_free,
diff --git a/src/lib/libcrypto/asn1/x_pkey.c b/src/lib/libcrypto/asn1/x_pkey.c
deleted file mode 100644
index 5c96c13ab9..0000000000
--- a/src/lib/libcrypto/asn1/x_pkey.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/* $OpenBSD: x_pkey.c,v 1.24 2024/04/09 13:55:02 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <string.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-X509_PKEY *
-X509_PKEY_new(void)
-{
-        X509_PKEY *ret = NULL;
-        if ((ret = malloc(sizeof(X509_PKEY))) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        ret->version = 0;
-        if ((ret->enc_algor = X509_ALGOR_new()) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if ((ret->enc_pkey = ASN1_OCTET_STRING_new()) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        ret->dec_pkey = NULL;
-        ret->key_length = 0;
-        ret->key_data = NULL;
-        ret->key_free = 0;
-        ret->cipher.cipher = NULL;
-        memset(ret->cipher.iv, 0, EVP_MAX_IV_LENGTH);
-        ret->references = 1;
-        return (ret);
- err:
-        if (ret) {
-                X509_ALGOR_free(ret->enc_algor);
-                free(ret);
-        }
-        return NULL;
-}
-LCRYPTO_ALIAS(X509_PKEY_new);
-void
-X509_PKEY_free(X509_PKEY *x)
-{
-        int i;
-        if (x == NULL)
-                return;
-        i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_PKEY);
-        if (i > 0)
-                return;
-        if (x->enc_algor != NULL)
-                X509_ALGOR_free(x->enc_algor);
-        ASN1_OCTET_STRING_free(x->enc_pkey);
-        EVP_PKEY_free(x->dec_pkey);
-        if ((x->key_data != NULL) && (x->key_free))
-                free(x->key_data);
-        free(x);
-}
-LCRYPTO_ALIAS(X509_PKEY_free);
diff --git a/src/lib/libcrypto/asn1/x_pubkey.c b/src/lib/libcrypto/asn1/x_pubkey.c
index 1e772a3458..895b4da4d0 100644
--- a/src/lib/libcrypto/asn1/x_pubkey.c
+++ b/src/lib/libcrypto/asn1/x_pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_pubkey.c,v 1.37 2024/07/08 14:48:49 beck Exp $ */
+/* $OpenBSD: x_pubkey.c,v 1.40 2026/01/05 05:23:56 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,7 +61,6 @@
 #include <openssl/opensslconf.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #ifndef OPENSSL_NO_DSA
@@ -72,6 +71,7 @@
 #endif
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
@@ -385,7 +385,7 @@ pkey_pubkey_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it,
        return pubkey_ex_i2d(EVP_PKEY_NONE, pval, out, it);
 }
-const ASN1_EXTERN_FUNCS pkey_pubkey_asn1_ff = {
+static const ASN1_EXTERN_FUNCS pkey_pubkey_asn1_ff = {
        .app_data = NULL,
        .asn1_ex_new = pkey_pubkey_ex_new,
        .asn1_ex_free = pkey_pubkey_ex_free,
@@ -395,7 +395,7 @@ const ASN1_EXTERN_FUNCS pkey_pubkey_asn1_ff = {
        .asn1_ex_print = NULL,
 };
-const ASN1_ITEM EVP_PKEY_PUBKEY_it = {
+static const ASN1_ITEM EVP_PKEY_PUBKEY_it = {
        .itype = ASN1_ITYPE_EXTERN,
        .utype = 0,
        .templates = NULL,
@@ -485,7 +485,7 @@ rsa_pubkey_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it,
        return pubkey_ex_i2d(EVP_PKEY_RSA, pval, out, it);
 }
-const ASN1_EXTERN_FUNCS rsa_pubkey_asn1_ff = {
+static const ASN1_EXTERN_FUNCS rsa_pubkey_asn1_ff = {
        .app_data = NULL,
        .asn1_ex_new = rsa_pubkey_ex_new,
        .asn1_ex_free = rsa_pubkey_ex_free,
@@ -495,7 +495,7 @@ const ASN1_EXTERN_FUNCS rsa_pubkey_asn1_ff = {
        .asn1_ex_print = NULL,
 };
-const ASN1_ITEM RSA_PUBKEY_it = {
+static const ASN1_ITEM RSA_PUBKEY_it = {
        .itype = ASN1_ITYPE_EXTERN,
        .utype = 0,
        .templates = NULL,
@@ -581,7 +581,7 @@ dsa_pubkey_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it,
        return pubkey_ex_i2d(EVP_PKEY_DSA, pval, out, it);
 }
-const ASN1_EXTERN_FUNCS dsa_pubkey_asn1_ff = {
+static const ASN1_EXTERN_FUNCS dsa_pubkey_asn1_ff = {
        .app_data = NULL,
        .asn1_ex_new = dsa_pubkey_ex_new,
        .asn1_ex_free = dsa_pubkey_ex_free,
@@ -591,7 +591,7 @@ const ASN1_EXTERN_FUNCS dsa_pubkey_asn1_ff = {
        .asn1_ex_print = NULL,
 };
-const ASN1_ITEM DSA_PUBKEY_it = {
+static const ASN1_ITEM DSA_PUBKEY_it = {
        .itype = ASN1_ITYPE_EXTERN,
        .utype = 0,
        .templates = NULL,
@@ -678,7 +678,7 @@ ec_pubkey_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it,
        return pubkey_ex_i2d(EVP_PKEY_EC, pval, out, it);
 }
-const ASN1_EXTERN_FUNCS ec_pubkey_asn1_ff = {
+static const ASN1_EXTERN_FUNCS ec_pubkey_asn1_ff = {
        .app_data = NULL,
        .asn1_ex_new = ec_pubkey_ex_new,
        .asn1_ex_free = ec_pubkey_ex_free,
@@ -688,7 +688,7 @@ const ASN1_EXTERN_FUNCS ec_pubkey_asn1_ff = {
        .asn1_ex_print = NULL,
 };
-const ASN1_ITEM EC_PUBKEY_it = {
+static const ASN1_ITEM EC_PUBKEY_it = {
        .itype = ASN1_ITYPE_EXTERN,
        .utype = 0,
        .templates = NULL,
diff --git a/src/lib/libcrypto/bf/bf_local.h b/src/lib/libcrypto/bf/bf_local.h
index 8fc5a5dbd8..2fe65eb85c 100644
--- a/src/lib/libcrypto/bf/bf_local.h
+++ b/src/lib/libcrypto/bf/bf_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bf_local.h,v 1.3 2024/03/27 11:54:29 jsing Exp $ */
+/* $OpenBSD: bf_local.h,v 1.4 2025/06/11 04:08:16 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -56,11 +56,11 @@
 * [including the GNU Public Licence.]
 */
-#include <openssl/opensslconf.h> /* BF_PTR */
 #ifndef HEADER_BF_LOCL_H
 #define HEADER_BF_LOCL_H
+#include <openssl/opensslconf.h>
 /* NOTE - c is not incremented as per n2l */
 #define n2ln(c,l1,l2,n) { \
                        c+=n; \
@@ -104,46 +104,6 @@
                         *((c)++)=(unsigned char)(((l)>> 8L)&0xff), \
                         *((c)++)=(unsigned char)(((l)     )&0xff))
-/* This is actually a big endian algorithm, the most significant byte
- * is used to lookup array 0 */
-#if defined(BF_PTR)
-#ifndef BF_LONG_LOG2
-#define BF_LONG_LOG2  2       /* default to BF_LONG being 32 bits */
-#endif
-#define BF_M  (0xFF<<BF_LONG_LOG2)
-#define BF_0  (24-BF_LONG_LOG2)
-#define BF_1  (16-BF_LONG_LOG2)
-#define BF_2  ( 8-BF_LONG_LOG2)
-#define BF_3  BF_LONG_LOG2 /* left shift */
-/*
- * This is normally very good on RISC platforms where normally you
- * have to explicitly "multiply" array index by sizeof(BF_LONG)
- * in order to calculate the effective address. This implementation
- * excuses CPU from this extra work. Power[PC] uses should have most
- * fun as (R>>BF_i)&BF_M gets folded into a single instruction, namely
- * rlwinm. So let'em double-check if their compiler does it.
- */
-#define BF_ENC(LL,R,S,P) ( \
-        LL^=P, \
-        LL^= (((*(BF_LONG *)((unsigned char *)&(S[  0])+((R>>BF_0)&BF_M))+ \
-                *(BF_LONG *)((unsigned char *)&(S[256])+((R>>BF_1)&BF_M)))^ \
-                *(BF_LONG *)((unsigned char *)&(S[512])+((R>>BF_2)&BF_M)))+ \
-                *(BF_LONG *)((unsigned char *)&(S[768])+((R<<BF_3)&BF_M))) \
-        )
-#else
-/*
- * This is a *generic* version. Seem to perform best on platforms that
- * offer explicit support for extraction of 8-bit nibbles preferably
- * complemented with "multiplying" of array index by sizeof(BF_LONG).
- * For the moment of this writing the list comprises Alpha CPU featuring
- * extbl and s[48]addq instructions.
- */
 #define BF_ENC(LL,R,S,P) ( \
        LL^=P, \
        LL^=((( S[       ((int)(R>>24)&0xff)] + \
@@ -151,6 +111,5 @@
                S[0x0200+((int)(R>> 8)&0xff)])+ \
                S[0x0300+((int)(R    )&0xff)])&0xffffffffL \
        )
-#endif
 #endif
diff --git a/src/lib/libcrypto/bio/b_dump.c b/src/lib/libcrypto/bio/b_dump.c
index 4dcf710bbe..3f673205c1 100644
--- a/src/lib/libcrypto/bio/b_dump.c
+++ b/src/lib/libcrypto/bio/b_dump.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: b_dump.c,v 1.30 2024/03/02 09:21:24 tb Exp $ */
+/* $OpenBSD: b_dump.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,7 +62,6 @@
 #include <string.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include "bytestring.h"
diff --git a/src/lib/libcrypto/bio/b_sock.c b/src/lib/libcrypto/bio/b_sock.c
index 00bbe9c37e..9ef9953b95 100644
--- a/src/lib/libcrypto/bio/b_sock.c
+++ b/src/lib/libcrypto/bio/b_sock.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: b_sock.c,v 1.71 2023/07/05 21:23:37 beck Exp $ */
+/* $OpenBSD: b_sock.c,v 1.72 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2017 Bob Beck <beck@openbsd.org>
 *
@@ -32,7 +32,8 @@
 #include <openssl/bio.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
+#include "err_local.h"
 int
 BIO_get_host_ip(const char *str, unsigned char *ip)
diff --git a/src/lib/libcrypto/bio/bf_buff.c b/src/lib/libcrypto/bio/bf_buff.c
index 226c16835a..36b6fabde3 100644
--- a/src/lib/libcrypto/bio/bf_buff.c
+++ b/src/lib/libcrypto/bio/bf_buff.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bf_buff.c,v 1.28 2023/07/05 21:23:37 beck Exp $ */
+/* $OpenBSD: bf_buff.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,9 +61,9 @@
 #include <string.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include "bio_local.h"
+#include "err_local.h"
 static int buffer_write(BIO *h, const char *buf, int num);
 static int buffer_read(BIO *h, char *buf, int size);
diff --git a/src/lib/libcrypto/bio/bio.h b/src/lib/libcrypto/bio/bio.h
index 8327ffc071..a8108054e7 100644
--- a/src/lib/libcrypto/bio/bio.h
+++ b/src/lib/libcrypto/bio/bio.h
@@ -1,25 +1,25 @@
-/* $OpenBSD: bio.h,v 1.64 2024/05/19 07:12:50 jsg Exp $ */
+/* $OpenBSD: bio.h,v 1.65 2025/07/16 18:12:54 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- * 
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -34,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- * 
+ *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
@@ -96,8 +96,8 @@ extern "C" {
 #define BIO_TYPE_BIO            (19|0x0400)             /* (half a) BIO pair */
 #define BIO_TYPE_LINEBUFFER     (20|0x0200)             /* filter */
 #define BIO_TYPE_DGRAM          (21|0x0400|0x0100)
-#define BIO_TYPE_ASN1           (22|0x0200)             /* filter */
+#define BIO_TYPE_ASN1           (22|0x0200)             /* filter */
-#define BIO_TYPE_COMP           (23|0x0200)             /* filter */
+#define BIO_TYPE_COMP           (23|0x0200)             /* filter */
 #define BIO_TYPE_DESCRIPTOR     0x0100  /* socket, fd, connect or accept */
 #define BIO_TYPE_FILTER         0x0200
@@ -139,14 +139,14 @@ extern "C" {
 #define BIO_CTRL_DGRAM_CONNECT       31  /* BIO dgram special */
 #define BIO_CTRL_DGRAM_SET_CONNECTED 32  /* allow for an externally
                                          * connected socket to be
-                                          * passed in */ 
+                                          * passed in */
 #define BIO_CTRL_DGRAM_SET_RECV_TIMEOUT 33 /* setsockopt, essentially */
 #define BIO_CTRL_DGRAM_GET_RECV_TIMEOUT 34 /* getsockopt, essentially */
 #define BIO_CTRL_DGRAM_SET_SEND_TIMEOUT 35 /* setsockopt, essentially */
 #define BIO_CTRL_DGRAM_GET_SEND_TIMEOUT 36 /* getsockopt, essentially */
 #define BIO_CTRL_DGRAM_GET_RECV_TIMER_EXP 37 /* flag whether the last */
-#define BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP 38 /* I/O operation tiemd out */
+#define BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP 38 /* I/O operation timed out */
 /* #ifdef IP_MTU_DISCOVER */
 #define BIO_CTRL_DGRAM_MTU_DISCOVER       39 /* set DF bit on egress packets */
@@ -232,7 +232,7 @@ void BIO_clear_flags(BIO *b, int flags);
 /* The next three are used in conjunction with the
 * BIO_should_io_special() condition.  After this returns true,
- * BIO *BIO_get_retry_BIO(BIO *bio, int *reason); will walk the BIO 
+ * BIO *BIO_get_retry_BIO(BIO *bio, int *reason); will walk the BIO
 * stack and return the 'reason' for the special and the offending BIO.
 * Given a BIO, BIO_get_retry_reason(bio) will return the code. */
 /* Returned from the SSL bio when the certificate retrieval code had an error */
@@ -380,7 +380,7 @@ int BIO_meth_set_callback_ctrl(BIO_METHOD *biom,
 #define BIO_set_conn_int_port(b,port) BIO_ctrl(b,BIO_C_SET_CONNECT,3,(char *)port)
 #define BIO_get_conn_hostname(b)  BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0)
 #define BIO_get_conn_port(b)      BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1)
-#define BIO_get_conn_ip(b)               BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2)
+#define BIO_get_conn_ip(b)               BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2)
 #define BIO_get_conn_int_port(b) BIO_int_ctrl(b,BIO_C_GET_CONNECT,3,0)
@@ -571,7 +571,6 @@ const BIO_METHOD *BIO_s_socket(void);
 const BIO_METHOD *BIO_s_connect(void);
 const BIO_METHOD *BIO_s_accept(void);
 const BIO_METHOD *BIO_s_fd(void);
-const BIO_METHOD *BIO_s_log(void);
 const BIO_METHOD *BIO_s_bio(void);
 const BIO_METHOD *BIO_s_null(void);
 const BIO_METHOD *BIO_f_null(void);
diff --git a/src/lib/libcrypto/bio/bio_cb.c b/src/lib/libcrypto/bio/bio_cb.c
index 18e9be8d68..990cb20708 100644
--- a/src/lib/libcrypto/bio/bio_cb.c
+++ b/src/lib/libcrypto/bio/bio_cb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_cb.c,v 1.19 2023/07/05 21:23:37 beck Exp $ */
+/* $OpenBSD: bio_cb.c,v 1.20 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,7 +60,6 @@
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/bio.h>
 #include "bio_local.h"
diff --git a/src/lib/libcrypto/bio/bio_lib.c b/src/lib/libcrypto/bio/bio_lib.c
index 463d2ad23a..04e8f4c295 100644
--- a/src/lib/libcrypto/bio/bio_lib.c
+++ b/src/lib/libcrypto/bio/bio_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_lib.c,v 1.54 2024/07/09 06:14:59 beck Exp $ */
+/* $OpenBSD: bio_lib.c,v 1.55 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,10 +62,10 @@
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/stack.h>
 #include "bio_local.h"
+#include "err_local.h"
 /*
 * Helper function to work out whether to call the new style callback or the old
diff --git a/src/lib/libcrypto/bio/bss_acpt.c b/src/lib/libcrypto/bio/bss_acpt.c
index d74c710a7f..60e61100b1 100644
--- a/src/lib/libcrypto/bio/bss_acpt.c
+++ b/src/lib/libcrypto/bio/bss_acpt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bss_acpt.c,v 1.31 2023/07/05 21:23:37 beck Exp $ */
+/* $OpenBSD: bss_acpt.c,v 1.33 2025/06/02 12:18:21 jsg Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -65,9 +65,9 @@
 #include <openssl/bio.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include "bio_local.h"
+#include "err_local.h"
 #define SOCKET_PROTOCOL IPPROTO_TCP
@@ -261,11 +261,12 @@ again:
                if (c->bio_chain != NULL) {
                        if ((dbio = BIO_dup_chain(c->bio_chain)) == NULL)
                                goto err;
-                        if (!BIO_push(dbio, bio)) goto err;
+                        if (!BIO_push(dbio, bio))
-                                bio = dbio;
+                                goto err;
+                        bio = dbio;
                }
-                if (BIO_push(b, bio)
+                if (BIO_push(b, bio) == NULL)
-                        == NULL) goto err;
+                        goto err;
                c->state = ACPT_S_OK;
                return (1);
diff --git a/src/lib/libcrypto/bio/bss_bio.c b/src/lib/libcrypto/bio/bss_bio.c
index 39d8d1e46c..f1d1bbeecd 100644
--- a/src/lib/libcrypto/bio/bss_bio.c
+++ b/src/lib/libcrypto/bio/bss_bio.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bss_bio.c,v 1.29 2024/07/09 06:14:59 beck Exp $ */
+/* $OpenBSD: bss_bio.c,v 1.30 2025/05/10 05:54:38 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
 *
@@ -81,10 +81,10 @@
 #include <sys/types.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include <openssl/crypto.h>
 #include "bio_local.h"
+#include "err_local.h"
 static int bio_new(BIO *bio);
 static int bio_free(BIO *bio);
diff --git a/src/lib/libcrypto/bio/bss_conn.c b/src/lib/libcrypto/bio/bss_conn.c
index 3b0e3d3bdd..14f410f59d 100644
--- a/src/lib/libcrypto/bio/bss_conn.c
+++ b/src/lib/libcrypto/bio/bss_conn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bss_conn.c,v 1.41 2024/04/19 09:54:36 tb Exp $ */
+/* $OpenBSD: bss_conn.c,v 1.43 2025/06/02 12:18:21 jsg Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -68,9 +68,9 @@
 #include <openssl/bio.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include "bio_local.h"
+#include "err_local.h"
 #define SOCKET_PROTOCOL IPPROTO_TCP
@@ -141,7 +141,7 @@ conn_state(BIO *b, BIO_CONNECT *c)
                        }
                        for (; *p != '\0'; p++) {
                                if ((*p == ':') || (*p == '/'))
-                                break;
+                                        break;
                        }
                        i= *p;
diff --git a/src/lib/libcrypto/bio/bss_file.c b/src/lib/libcrypto/bio/bss_file.c
index 9b6ca2bdd8..21f71718bb 100644
--- a/src/lib/libcrypto/bio/bss_file.c
+++ b/src/lib/libcrypto/bio/bss_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bss_file.c,v 1.35 2023/07/05 21:23:37 beck Exp $ */
+/* $OpenBSD: bss_file.c,v 1.36 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -88,9 +88,9 @@
 #include <string.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include "bio_local.h"
+#include "err_local.h"
 static int file_write(BIO *h, const char *buf, int num);
 static int file_read(BIO *h, char *buf, int size);
diff --git a/src/lib/libcrypto/bio/bss_log.c b/src/lib/libcrypto/bio/bss_log.c
deleted file mode 100644
index 9e2e882646..0000000000
--- a/src/lib/libcrypto/bio/bss_log.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/* $OpenBSD: bss_log.c,v 1.24 2023/07/05 21:23:37 beck Exp $ */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/*
-        Why BIO_s_log?
-        BIO_s_log is useful for system daemons (or services under NT).
-        It is one-way BIO, it sends all stuff to syslogd (on system that
-        commonly use that), or event log (on NT), or OPCOM (on OpenVMS).
-*/
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-#include <syslog.h>
-#include <openssl/buffer.h>
-#include <openssl/err.h>
-#include "bio_local.h"
-#ifndef NO_SYSLOG
-static int slg_write(BIO *h, const char *buf, int num);
-static int slg_puts(BIO *h, const char *str);
-static long slg_ctrl(BIO *h, int cmd, long arg1, void *arg2);
-static int slg_new(BIO *h);
-static int slg_free(BIO *data);
-static void xopenlog(BIO* bp, char* name, int level);
-static void xsyslog(BIO* bp, int priority, const char* string);
-static void xcloselog(BIO* bp);
-static const BIO_METHOD methods_slg = {
-        .type = BIO_TYPE_MEM,
-        .name = "syslog",
-        .bwrite = slg_write,
-        .bputs = slg_puts,
-        .ctrl = slg_ctrl,
-        .create = slg_new,
-        .destroy = slg_free
-};
-const BIO_METHOD *
-BIO_s_log(void)
-{
-        return (&methods_slg);
-}
-LCRYPTO_ALIAS(BIO_s_log);
-static int
-slg_new(BIO *bi)
-{
-        bi->init = 1;
-        bi->num = 0;
-        bi->ptr = NULL;
-        xopenlog(bi, "application", LOG_DAEMON);
-        return (1);
-}
-static int
-slg_free(BIO *a)
-{
-        if (a == NULL)
-                return (0);
-        xcloselog(a);
-        return (1);
-}
-static int
-slg_write(BIO *b, const char *in, int inl)
-{
-        int ret = inl;
-        char* buf;
-        char* pp;
-        int priority, i;
-        static const struct {
-                int strl;
-                char str[10];
-                int log_level;
-        }
-        mapping[] = {
-                { 6, "PANIC ", LOG_EMERG },
-                { 6, "EMERG ", LOG_EMERG },
-                { 4, "EMR ", LOG_EMERG },
-                { 6, "ALERT ", LOG_ALERT },
-                { 4, "ALR ", LOG_ALERT },
-                { 5, "CRIT ", LOG_CRIT },
-                { 4, "CRI ", LOG_CRIT },
-                { 6, "ERROR ", LOG_ERR },
-                { 4, "ERR ", LOG_ERR },
-                { 8, "WARNING ", LOG_WARNING },
-                { 5, "WARN ", LOG_WARNING },
-                { 4, "WAR ", LOG_WARNING },
-                { 7, "NOTICE ", LOG_NOTICE },
-                { 5, "NOTE ", LOG_NOTICE },
-                { 4, "NOT ", LOG_NOTICE },
-                { 5, "INFO ", LOG_INFO },
-                { 4, "INF ", LOG_INFO },
-                { 6, "DEBUG ", LOG_DEBUG },
-                { 4, "DBG ", LOG_DEBUG },
-                { 0, "", LOG_ERR } /* The default */
-        };
-        if ((buf = malloc(inl + 1)) == NULL) {
-                return (0);
-        }
-        strlcpy(buf, in, inl + 1);
-        i = 0;
-        while (strncmp(buf, mapping[i].str, mapping[i].strl) != 0)
-                i++;
-        priority = mapping[i].log_level;
-        pp = buf + mapping[i].strl;
-        xsyslog(b, priority, pp);
-        free(buf);
-        return (ret);
-}
-static long
-slg_ctrl(BIO *b, int cmd, long num, void *ptr)
-{
-        switch (cmd) {
-        case BIO_CTRL_SET:
-                xcloselog(b);
-                xopenlog(b, ptr, num);
-                break;
-        default:
-                break;
-        }
-        return (0);
-}
-static int
-slg_puts(BIO *bp, const char *str)
-{
-        int n, ret;
-        n = strlen(str);
-        ret = slg_write(bp, str, n);
-        return (ret);
-}
-static void
-xopenlog(BIO* bp, char* name, int level)
-{
-        openlog(name, LOG_PID|LOG_CONS, level);
-}
-static void
-xsyslog(BIO *bp, int priority, const char *string)
-{
-        syslog(priority, "%s", string);
-}
-static void
-xcloselog(BIO* bp)
-{
-        closelog();
-}
-#endif /* NO_SYSLOG */
diff --git a/src/lib/libcrypto/bio/bss_mem.c b/src/lib/libcrypto/bio/bss_mem.c
index 6d0d54db84..0fa6317a2b 100644
--- a/src/lib/libcrypto/bio/bss_mem.c
+++ b/src/lib/libcrypto/bio/bss_mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bss_mem.c,v 1.22 2023/07/05 21:23:37 beck Exp $ */
+/* $OpenBSD: bss_mem.c,v 1.27 2025/05/31 11:31:16 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,10 +62,10 @@
 #include <string.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include <openssl/buffer.h>
 #include "bio_local.h"
+#include "err_local.h"
 struct bio_mem {
        BUF_MEM *buf;
@@ -140,6 +140,7 @@ BIO_new_mem_buf(const void *buf, int buf_len)
                return NULL;
        bm = bio->ptr;
+        free(bm->buf->data);
        bm->buf->data = (void *)buf; /* Trust in the BIO_FLAGS_MEM_RDONLY flag. */
        bm->buf->length = buf_len;
        bm->buf->max = buf_len;
@@ -162,6 +163,12 @@ mem_new(BIO *bio)
                free(bm);
                return 0;
        }
+        if (BUF_MEM_grow_clean(bm->buf, 64) != 64) {
+                BUF_MEM_free(bm->buf);
+                free(bm);
+                return 0;
+        }
+        bm->buf->length = 0;
        bio->shutdown = 1;
        bio->init = 1;
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_add.S b/src/lib/libcrypto/bn/arch/amd64/bignum_add.S
index 5fe4aae7a1..1d4e6d08ef 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_add.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_add.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_add.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,9 +18,8 @@
 // Add, z := x + y
 // Inputs x[m], y[n]; outputs function return (carry-out) and z[p]
 //
-//    extern uint64_t bignum_add
+//    extern uint64_t bignum_add(uint64_t p, uint64_t *z, uint64_t m,
-//     (uint64_t p, uint64_t *z,
+//                               const uint64_t *x, uint64_t n, const uint64_t *y);
-//      uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
 //
 // Does the z := x + y operation, truncating modulo p words in general and
 // returning a top carry (0 or 1) in the p'th place, only adding the input
@@ -49,7 +50,7 @@
 S2N_BN_SYMBOL(bignum_add):
-        _CET_ENDBR
+        _CET_ENDBR
 #if WINDOWS_ABI
        push    rdi
@@ -75,7 +76,7 @@ S2N_BN_SYMBOL(bignum_add):
        cmp     p, n
        cmovc   n, p
        cmp     m, n
-        jc      ylonger
+        jc      bignum_add_ylonger
 // The case where x is longer or of the same size (p >= m >= n)
@@ -83,27 +84,27 @@ S2N_BN_SYMBOL(bignum_add):
        sub     m, n
        inc     m
        test    n, n
-        jz      xtest
+        jz      bignum_add_xtest
-xmainloop:
+bignum_add_xmainloop:
        mov     a, [x+8*i]
        adc     a, [y+8*i]
        mov     [z+8*i],a
        inc     i
        dec     n
-        jnz     xmainloop
+        jnz     bignum_add_xmainloop
-        jmp     xtest
+        jmp     bignum_add_xtest
-xtoploop:
+bignum_add_xtoploop:
        mov     a, [x+8*i]
        adc     a, 0
        mov     [z+8*i],a
        inc     i
-xtest:
+bignum_add_xtest:
        dec     m
-        jnz     xtoploop
+        jnz     bignum_add_xtoploop
        mov     ashort, 0
        adc     a, 0
        test    p, p
-        jnz     tails
+        jnz     bignum_add_tails
 #if WINDOWS_ABI
        pop    rsi
        pop    rdi
@@ -112,30 +113,30 @@ xtest:
 // The case where y is longer (p >= n > m)
-ylonger:
+bignum_add_ylonger:
        sub     p, n
        sub     n, m
        test    m, m
-        jz      ytoploop
+        jz      bignum_add_ytoploop
-ymainloop:
+bignum_add_ymainloop:
        mov     a, [x+8*i]
        adc     a, [y+8*i]
        mov     [z+8*i],a
        inc     i
        dec     m
-        jnz     ymainloop
+        jnz     bignum_add_ymainloop
-ytoploop:
+bignum_add_ytoploop:
        mov     a, [y+8*i]
        adc     a, 0
        mov     [z+8*i],a
        inc     i
        dec     n
-        jnz     ytoploop
+        jnz     bignum_add_ytoploop
        mov     ashort, 0
        adc     a, 0
        test    p, p
-        jnz     tails
+        jnz     bignum_add_tails
 #if WINDOWS_ABI
        pop    rsi
        pop    rdi
@@ -144,16 +145,16 @@ ytoploop:
 // Adding a non-trivial tail, when p > max(m,n)
-tails:
+bignum_add_tails:
        mov     [z+8*i],a
        xor     a, a
-        jmp     tail
+        jmp     bignum_add_tail
-tailloop:
+bignum_add_tailloop:
        mov     [z+8*i],a
-tail:
+bignum_add_tail:
        inc     i
        dec     p
-        jnz     tailloop
+        jnz     bignum_add_tailloop
 #if WINDOWS_ABI
        pop    rsi
        pop    rdi
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_cmadd.S b/src/lib/libcrypto/bn/arch/amd64/bignum_cmadd.S
index 25ba17bce2..a611919603 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_cmadd.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_cmadd.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_cmadd.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,8 +18,8 @@
 // Multiply-add with single-word multiplier, z := z + c * y
 // Inputs c, y[n]; outputs function return (carry-out) and z[k]
 //
-//    extern uint64_t bignum_cmadd
+//    extern uint64_t bignum_cmadd(uint64_t k, uint64_t *z, uint64_t c, uint64_t n,
-//     (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y);
+//                                 const uint64_t *y);
 //
 // Does the "z := z + c * y" operation where y is n digits, result z is p.
 // Truncates the result in general.
@@ -54,7 +56,7 @@
 S2N_BN_SYMBOL(bignum_cmadd):
-        _CET_ENDBR
+        _CET_ENDBR
 #if WINDOWS_ABI
        push    rdi
@@ -82,7 +84,7 @@ S2N_BN_SYMBOL(bignum_cmadd):
        xor     h, h
        test    n, n
-        jz      end
+        jz      bignum_cmadd_end
 // Move c into a safer register as multiplies overwrite rdx
@@ -96,11 +98,11 @@ S2N_BN_SYMBOL(bignum_cmadd):
        mov     h, rdx
        mov     ishort, 1
        dec     n
-        jz      hightail
+        jz      bignum_cmadd_hightail
 // Main loop, where we always have CF + previous high part h to add in
-loop:
+bignum_cmadd_loop:
        adc     h, [z+8*i]
        sbb     r, r
        mov     rax, [x+8*i]
@@ -111,36 +113,36 @@ loop:
        mov     h, rdx
        inc     i
        dec     n
-        jnz     loop
+        jnz     bignum_cmadd_loop
-hightail:
+bignum_cmadd_hightail:
        adc     h, 0
 // Propagate the carry all the way to the end with h as extra carry word
-tail:
+bignum_cmadd_tail:
        test    p, p
-        jz      end
+        jz      bignum_cmadd_end
        add     [z+8*i], h
        mov     hshort, 0
        inc     i
        dec     p
-        jz      highend
+        jz      bignum_cmadd_highend
-tloop:
+bignum_cmadd_tloop:
        adc     [z+8*i], h
        inc     i
        dec     p
-        jnz     tloop
+        jnz     bignum_cmadd_tloop
-highend:
+bignum_cmadd_highend:
        adc     h, 0
 // Return the high/carry word
-end:
+bignum_cmadd_end:
        mov     rax, h
        pop     rbx
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_cmul.S b/src/lib/libcrypto/bn/arch/amd64/bignum_cmul.S
index 12f785d63a..eb71d9da44 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_cmul.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_cmul.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_cmul.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,8 +18,8 @@
 // Multiply by a single word, z := c * y
 // Inputs c, y[n]; outputs function return (carry-out) and z[k]
 //
-//    extern uint64_t bignum_cmul
+//    extern uint64_t bignum_cmul(uint64_t k, uint64_t *z, uint64_t c, uint64_t n,
-//     (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y);
+//                                const uint64_t *y);
 //
 // Does the "z := c * y" operation where y is n digits, result z is p.
 // Truncates the result in general unless p >= n + 1.
@@ -51,7 +53,7 @@
 S2N_BN_SYMBOL(bignum_cmul):
-        _CET_ENDBR
+        _CET_ENDBR
 #if WINDOWS_ABI
        push    rdi
@@ -76,7 +78,7 @@ S2N_BN_SYMBOL(bignum_cmul):
        xor     h, h
        xor     i, i
        test    n, n
-        jz      tail
+        jz      bignum_cmul_tail
 // Move c into a safer register as multiplies overwrite rdx
@@ -90,11 +92,11 @@ S2N_BN_SYMBOL(bignum_cmul):
        mov     h, rdx
        inc     i
        cmp     i, n
-        jz      tail
+        jz      bignum_cmul_tail
 // Main loop doing the multiplications
-loop:
+bignum_cmul_loop:
        mov     rax, [x+8*i]
        mul     c
        add     rax, h
@@ -103,28 +105,28 @@ loop:
        mov     h, rdx
        inc     i
        cmp     i, n
-        jc      loop
+        jc      bignum_cmul_loop
 // Add a tail when the destination is longer
-tail:
+bignum_cmul_tail:
        cmp     i, p
-        jnc     end
+        jnc     bignum_cmul_end
        mov     [z+8*i], h
        xor     h, h
        inc     i
        cmp     i, p
-        jnc     end
+        jnc     bignum_cmul_end
-tloop:
+bignum_cmul_tloop:
        mov     [z+8*i], h
        inc     i
        cmp     i, p
-        jc      tloop
+        jc      bignum_cmul_tloop
 // Return the high/carry word
-end:
+bignum_cmul_end:
        mov     rax, h
 #if WINDOWS_ABI
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_modadd.S b/src/lib/libcrypto/bn/arch/amd64/bignum_modadd.S
new file mode 100644
index 0000000000..baf27fdc7f
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_modadd.S
@@ -0,0 +1,112 @@
+// $OpenBSD: bignum_modadd.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+// ----------------------------------------------------------------------------
+// Add modulo m, z := (x + y) mod m, assuming x and y reduced
+// Inputs x[k], y[k], m[k]; output z[k]
+//
+//    extern void bignum_modadd(uint64_t k, uint64_t *z, const uint64_t *x,
+//                              const uint64_t *y, const uint64_t *m);
+//
+// Standard x86-64 ABI: RDI = k, RSI = z, RDX = x, RCX = y, R8 = m
+// Microsoft x64 ABI:   RCX = k, RDX = z, R8 = x, R9 = y, [RSP+40] = m
+// ----------------------------------------------------------------------------
+#include "s2n_bignum_internal.h"
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_modadd)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_modadd)
+        .text
+#define k rdi
+#define z rsi
+#define x rdx
+#define y rcx
+#define m r8
+#define i r9
+#define j r10
+#define a rax
+#define c r11
+S2N_BN_SYMBOL(bignum_modadd):
+        _CET_ENDBR
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+        mov     rdx, r8
+        mov     rcx, r9
+        mov     r8, [rsp+56]
+#endif
+// If k = 0 do nothing
+        test    k, k
+        jz      bignum_modadd_end
+// First just add (c::z) := x + y
+        xor     c, c
+        mov     j, k
+        xor     i, i
+bignum_modadd_addloop:
+        mov     a, [x+8*i]
+        adc     a, [y+8*i]
+        mov     [z+8*i], a
+        inc     i
+        dec     j
+        jnz     bignum_modadd_addloop
+        adc     c, 0
+// Now do a comparison subtraction (c::z) - m, recording mask for (c::z) >= m
+        mov     j, k
+        xor     i, i
+bignum_modadd_cmploop:
+        mov     a, [z+8*i]
+        sbb     a, [m+8*i]
+        inc     i
+        dec     j
+        jnz     bignum_modadd_cmploop
+        sbb     c, 0
+        not     c
+// Now do a masked subtraction z := z - [c] * m
+        xor     i, i
+bignum_modadd_subloop:
+        mov     a, [m+8*i]
+        and     a, c
+        neg     j
+        sbb     [z+8*i], a
+        sbb     j, j
+        inc     i
+        cmp     i, k
+        jc      bignum_modadd_subloop
+bignum_modadd_end:
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_modsub.S b/src/lib/libcrypto/bn/arch/amd64/bignum_modsub.S
new file mode 100644
index 0000000000..63b3230e35
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_modsub.S
@@ -0,0 +1,99 @@
+// $OpenBSD: bignum_modsub.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+// ----------------------------------------------------------------------------
+// Subtract modulo m, z := (x - y) mod m, assuming x and y reduced
+// Inputs x[k], y[k], m[k]; output z[k]
+//
+//    extern void bignum_modsub(uint64_t k, uint64_t *z, const uint64_t *x,
+//                              const uint64_t *y, const uint64_t *m);
+//
+// Standard x86-64 ABI: RDI = k, RSI = z, RDX = x, RCX = y, R8 = m
+// Microsoft x64 ABI:   RCX = k, RDX = z, R8 = x, R9 = y, [RSP+40] = m
+// ----------------------------------------------------------------------------
+#include "s2n_bignum_internal.h"
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_modsub)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_modsub)
+        .text
+#define k rdi
+#define z rsi
+#define x rdx
+#define y rcx
+#define m r8
+#define i r9
+#define j r10
+#define a rax
+#define c r11
+S2N_BN_SYMBOL(bignum_modsub):
+        _CET_ENDBR
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+        mov     rdx, r8
+        mov     rcx, r9
+        mov     r8, [rsp+56]
+#endif
+// If k = 0 do nothing
+        test    k, k
+        jz      bignum_modsub_end
+// Subtract z := x - y and record a mask for the carry x - y < 0
+        xor     c, c
+        mov     j, k
+        xor     i, i
+bignum_modsub_subloop:
+        mov     a, [x+8*i]
+        sbb     a, [y+8*i]
+        mov     [z+8*i], a
+        inc     i
+        dec     j
+        jnz     bignum_modsub_subloop
+        sbb     c, c
+// Now do a masked addition z := z + [c] * m
+        xor     i, i
+bignum_modsub_addloop:
+        mov     a, [m+8*i]
+        and     a, c
+        neg     j
+        adc     [z+8*i], a
+        sbb     j, j
+        inc     i
+        cmp     i, k
+        jc      bignum_modsub_addloop
+bignum_modsub_end:
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul.S
index a3552679a2..538cce9af7 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_mul.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_mul.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_mul.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,9 +18,8 @@
 // Multiply z := x * y
 // Inputs x[m], y[n]; output z[k]
 //
-//    extern void bignum_mul
+//    extern void bignum_mul(uint64_t k, uint64_t *z, uint64_t m, const uint64_t *x,
-//     (uint64_t k, uint64_t *z,
+//                           uint64_t n, const uint64_t *y);
-//      uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
 //
 // Does the "z := x * y" operation where x is m digits, y is n, result z is k.
 // Truncates the result in general unless k >= m + n
@@ -59,7 +60,7 @@
 S2N_BN_SYMBOL(bignum_mul):
-        _CET_ENDBR
+        _CET_ENDBR
 #if WINDOWS_ABI
        push    rdi
@@ -88,7 +89,7 @@ S2N_BN_SYMBOL(bignum_mul):
 // If we did a multiply-add variant, however, then we could
        test    p, p
-        jz      end
+        jz      bignum_mul_end
 // Set initial 2-part sum to zero (we zero c inside the body)
@@ -99,7 +100,7 @@ S2N_BN_SYMBOL(bignum_mul):
        xor     k, k
-outerloop:
+bignum_mul_outerloop:
 // Zero our carry term first; we eventually want it and a zero is useful now
 // Set a =  max 0 (k + 1 - n), i = min (k + 1) m
@@ -125,11 +126,11 @@ outerloop:
        mov     d, k
        sub     d, i
        sub     i, a
-        jbe     innerend
+        jbe     bignum_mul_innerend
        lea     x,[rcx+8*a]
        lea     y,[r9+8*d-8]
-innerloop:
+bignum_mul_innerloop:
        mov     rax, [y+8*i]
        mul     QWORD PTR  [x]
        add     x, 8
@@ -137,9 +138,9 @@ innerloop:
        adc     h, rdx
        adc     c, 0
        dec     i
-        jnz     innerloop
+        jnz     bignum_mul_innerloop
-innerend:
+bignum_mul_innerend:
        mov     [z], l
        mov     l, h
@@ -147,9 +148,9 @@ innerend:
        add     z, 8
        cmp     k, p
-        jc      outerloop
+        jc      bignum_mul_outerloop
-end:
+bignum_mul_end:
        pop     r15
        pop     r14
        pop     r13
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8.S
new file mode 100644
index 0000000000..d6ad514020
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8.S
@@ -0,0 +1,187 @@
+// $OpenBSD: bignum_mul_4_8.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+// ----------------------------------------------------------------------------
+// Multiply z := x * y
+// Inputs x[4], y[4]; output z[8]
+//
+//    extern void bignum_mul_4_8(uint64_t z[static 8], const uint64_t x[static 4],
+//                               const uint64_t y[static 4]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x, RDX = y
+// Microsoft x64 ABI:   RCX = z, RDX = x, R8 = y
+// ----------------------------------------------------------------------------
+#include "s2n_bignum_internal.h"
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_mul_4_8)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_mul_4_8)
+        .text
+// These are actually right
+#define z rdi
+#define x rsi
+// Copied in or set up
+#define y rcx
+// A zero register
+#define zero rbp
+#define zeroe ebp
+// Add in x[i] * rdx to the (i,i+1) position with the register window
+// Would be nice to have conditional expressions reg[i], reg[i+1] ...
+.macro mulpadd arg1,arg2
+        mulx    rbx, rax, [x+8*\arg2]
+.if ((\arg1 + \arg2) % 4 == 0)
+        adcx    r8, rax
+        adox    r9, rbx
+.elseif ((\arg1 + \arg2) % 4 == 1)
+        adcx    r9, rax
+        adox    r10, rbx
+.elseif ((\arg1 + \arg2) % 4 == 2)
+        adcx    r10, rax
+        adox    r11, rbx
+.elseif ((\arg1 + \arg2) % 4 == 3)
+        adcx    r11, rax
+        adox    r8, rbx
+.endif
+.endm
+// Add in the whole j'th row
+.macro addrow arg1
+        mov     rdx, [y+8*\arg1]
+        xor     zeroe, zeroe
+        mulpadd \arg1, 0
+.if (\arg1 % 4 == 0)
+        mov     [z+8*\arg1],r8
+.elseif (\arg1 % 4 == 1)
+        mov     [z+8*\arg1],r9
+.elseif (\arg1 % 4 == 2)
+        mov     [z+8*\arg1],r10
+.elseif (\arg1 % 4 == 3)
+        mov     [z+8*\arg1],r11
+.endif
+        mulpadd \arg1, 1
+        mulpadd \arg1, 2
+.if (\arg1 % 4 == 0)
+        mulx    r8, rax, [x+24]
+        adcx    r11, rax
+        adox    r8, zero
+        adcx    r8, zero
+.elseif (\arg1 % 4 == 1)
+        mulx    r9, rax, [x+24]
+        adcx    r8, rax
+        adox    r9, zero
+        adcx    r9, zero
+.elseif (\arg1 % 4 == 2)
+        mulx    r10, rax, [x+24]
+        adcx    r9, rax
+        adox    r10, zero
+        adcx    r10, zero
+.elseif (\arg1 % 4 == 3)
+        mulx    r11, rax, [x+24]
+        adcx    r10, rax
+        adox    r11, zero
+        adcx    r11, zero
+.endif
+.endm
+S2N_BN_SYMBOL(bignum_mul_4_8):
+        _CET_ENDBR
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+        mov     rdx, r8
+#endif
+// Save more registers to play with
+        push    rbp
+        push    rbx
+// Copy y into a safe register to start with
+        mov     y, rdx
+// Zero a register, which also makes sure we don't get a fake carry-in
+        xor     zeroe, zeroe
+// Do the zeroth row, which is a bit different
+// Write back the zero-zero product and then accumulate
+// r8,r11,r10,r9 as y[0] * x from 1..4
+        mov     rdx, [y]
+        mulx    r9, r8, [x]
+        mov     [z], r8
+        mulx    r10, rbx, [x+8]
+        adcx    r9, rbx
+        mulx    r11, rbx, [x+16]
+        adcx    r10, rbx
+        mulx    r8, rbx, [x+24]
+        adcx    r11, rbx
+        adcx    r8, zero
+// Now all the other rows in a uniform pattern
+        addrow  1
+        addrow  2
+        addrow  3
+// Now write back the additional columns
+        mov     [z+32], r8
+        mov     [z+40], r9
+        mov     [z+48], r10
+        mov     [z+56], r11
+// Restore registers and return
+        pop     rbx
+        pop     rbp
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8_alt.S
index 70ff69e372..2592d1d658 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8_alt.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_4_8_alt.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_mul_4_8_alt.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,8 +18,8 @@
 // Multiply z := x * y
 // Inputs x[4], y[4]; output z[8]
 //
-//    extern void bignum_mul_4_8_alt
+//    extern void bignum_mul_4_8_alt(uint64_t z[static 8], const uint64_t x[static 4],
-//      (uint64_t z[static 8], uint64_t x[static 4], uint64_t y[static 4]);
+//                                   const uint64_t y[static 4]);
 //
 // Standard x86-64 ABI: RDI = z, RSI = x, RDX = y
 // Microsoft x64 ABI:   RCX = z, RDX = x, R8 = y
@@ -72,7 +74,7 @@
        adc     h, rdx
 S2N_BN_SYMBOL(bignum_mul_4_8_alt):
-        _CET_ENDBR
+        _CET_ENDBR
 #if WINDOWS_ABI
        push    rdi
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_6_12.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_6_12.S
new file mode 100644
index 0000000000..56cbdf06e0
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_6_12.S
@@ -0,0 +1,223 @@
+// $OpenBSD: bignum_mul_6_12.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+// ----------------------------------------------------------------------------
+// Multiply z := x * y
+// Inputs x[6], y[6]; output z[12]
+//
+//    extern void bignum_mul_6_12(uint64_t z[static 12], const uint64_t x[static 6],
+//                                const uint64_t y[static 6]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x, RDX = y
+// Microsoft x64 ABI:   RCX = z, RDX = x, R8 = y
+// ----------------------------------------------------------------------------
+#include "s2n_bignum_internal.h"
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_mul_6_12)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_mul_6_12)
+        .text
+// These are actually right
+#define z rdi
+#define x rsi
+// Copied in or set up
+#define y rcx
+// A zero register
+#define zero rbp
+#define zeroe ebp
+// Add in x[i] * rdx to the (i,i+1) position with the register window
+// Would be nice to have conditional expressions reg[i], reg[i+1] ...
+.macro mulpadd arg1,arg2
+        mulx    rbx, rax, [x+8*\arg2]
+.if ((\arg1 + \arg2) % 6 == 0)
+        adcx    r8, rax
+        adox    r9, rbx
+.elseif ((\arg1 + \arg2) % 6 == 1)
+        adcx    r9, rax
+        adox    r10, rbx
+.elseif ((\arg1 + \arg2) % 6 == 2)
+        adcx    r10, rax
+        adox    r11, rbx
+.elseif ((\arg1 + \arg2) % 6 == 3)
+        adcx    r11, rax
+        adox    r12, rbx
+.elseif ((\arg1 + \arg2) % 6 == 4)
+        adcx    r12, rax
+        adox    r13, rbx
+.elseif ((\arg1 + \arg2) % 6 == 5)
+        adcx    r13, rax
+        adox    r8, rbx
+.endif
+.endm
+// Add in the whole j'th row
+.macro addrow arg1
+        mov     rdx, [y+8*\arg1]
+        xor     zeroe, zeroe
+        mulpadd \arg1, 0
+.if (\arg1 % 6 == 0)
+        mov     [z+8*\arg1],r8
+.elseif (\arg1 % 6 == 1)
+        mov     [z+8*\arg1],r9
+.elseif (\arg1 % 6 == 2)
+        mov     [z+8*\arg1],r10
+.elseif (\arg1 % 6 == 3)
+        mov     [z+8*\arg1],r11
+.elseif (\arg1 % 6 == 4)
+        mov     [z+8*\arg1],r12
+.elseif (\arg1 % 6 == 5)
+        mov     [z+8*\arg1],r13
+.endif
+        mulpadd \arg1, 1
+        mulpadd \arg1, 2
+        mulpadd \arg1, 3
+        mulpadd \arg1, 4
+.if (\arg1 % 6 == 0)
+        mulx    r8, rax, [x+40]
+        adcx    r13, rax
+        adox    r8, zero
+        adcx    r8, zero
+.elseif (\arg1 % 6 == 1)
+        mulx    r9, rax, [x+40]
+        adcx    r8, rax
+        adox    r9, zero
+        adcx    r9, zero
+.elseif (\arg1 % 6 == 2)
+        mulx    r10, rax, [x+40]
+        adcx    r9, rax
+        adox    r10, zero
+        adcx    r10, zero
+.elseif (\arg1 % 6 == 3)
+        mulx    r11, rax, [x+40]
+        adcx    r10, rax
+        adox    r11, zero
+        adcx    r11, zero
+.elseif (\arg1 % 6 == 4)
+        mulx    r12, rax, [x+40]
+        adcx    r11, rax
+        adox    r12, zero
+        adcx    r12, zero
+.elseif (\arg1 % 6 == 5)
+        mulx    r13, rax, [x+40]
+        adcx    r12, rax
+        adox    r13, zero
+        adcx    r13, zero
+.endif
+.endm
+S2N_BN_SYMBOL(bignum_mul_6_12):
+        _CET_ENDBR
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+        mov     rdx, r8
+#endif
+// Save more registers to play with
+        push    rbp
+        push    rbx
+        push    r12
+        push    r13
+// Copy y into a safe register to start with
+        mov     y, rdx
+// Zero a register, which also makes sure we don't get a fake carry-in
+        xor     zeroe, zeroe
+// Do the zeroth row, which is a bit different
+// Write back the zero-zero product and then accumulate
+// r8,r13,r12,r11,r10,r9 as y[0] * x from 1..6
+        mov     rdx, [y]
+        mulx    r9, r8, [x]
+        mov     [z], r8
+        mulx    r10, rbx, [x+8]
+        adcx    r9, rbx
+        mulx    r11, rbx, [x+16]
+        adcx    r10, rbx
+        mulx    r12, rbx, [x+24]
+        adcx    r11, rbx
+        mulx    r13, rbx, [x+32]
+        adcx    r12, rbx
+        mulx    r8, rbx, [x+40]
+        adcx    r13, rbx
+        adcx    r8, zero
+// Now all the other rows in a uniform pattern
+        addrow  1
+        addrow  2
+        addrow  3
+        addrow  4
+        addrow  5
+// Now write back the additional columns
+        mov     [z+48], r8
+        mov     [z+56], r9
+        mov     [z+64], r10
+        mov     [z+72], r11
+        mov     [z+80], r12
+        mov     [z+88], r13
+// Restore registers and return
+        pop     r13
+        pop     r12
+        pop     rbx
+        pop     rbp
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_6_12_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_6_12_alt.S
new file mode 100644
index 0000000000..077c52b38e
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_6_12_alt.S
@@ -0,0 +1,199 @@
+// $OpenBSD: bignum_mul_6_12_alt.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+// ----------------------------------------------------------------------------
+// Multiply z := x * y
+// Inputs x[6], y[6]; output z[12]
+//
+//    extern void bignum_mul_6_12_alt(uint64_t z[static 12],
+//                                    const uint64_t x[static 6],
+//                                    const uint64_t y[static 6]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x, RDX = y
+// Microsoft x64 ABI:   RCX = z, RDX = x, R8 = y
+// ----------------------------------------------------------------------------
+#include "s2n_bignum_internal.h"
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_mul_6_12_alt)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_mul_6_12_alt)
+        .text
+// These are actually right
+#define z rdi
+#define x rsi
+// This is moved from rdx to free it for muls
+#define y rcx
+// Other variables used as a rotating 3-word window to add terms to
+#define t0 r8
+#define t1 r9
+#define t2 r10
+// Macro for the key "multiply and add to (c,h,l)" step
+#define combadd(c,h,l,numa,numb)                \
+        mov     rax, numa;                      \
+        mul     QWORD PTR numb;                 \
+        add     l, rax;                         \
+        adc     h, rdx;                         \
+        adc     c, 0
+// A minutely shorter form for when c = 0 initially
+#define combadz(c,h,l,numa,numb)                \
+        mov     rax, numa;                      \
+        mul     QWORD PTR numb;                 \
+        add     l, rax;                         \
+        adc     h, rdx;                         \
+        adc     c, c
+// A short form where we don't expect a top carry
+#define combads(h,l,numa,numb)                  \
+        mov     rax, numa;                      \
+        mul     QWORD PTR numb;                 \
+        add     l, rax;                         \
+        adc     h, rdx
+S2N_BN_SYMBOL(bignum_mul_6_12_alt):
+        _CET_ENDBR
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+        mov     rdx, r8
+#endif
+// Copy y into a safe register to start with
+        mov     y, rdx
+// Result term 0
+        mov     rax, [x]
+        mul     QWORD PTR [y]
+        mov     [z], rax
+        mov     t0, rdx
+        xor     t1, t1
+// Result term 1
+        xor     t2, t2
+        combads(t1,t0,[x],[y+8])
+        combadz(t2,t1,t0,[x+8],[y])
+        mov     [z+8], t0
+// Result term 2
+        xor     t0, t0
+        combadz(t0,t2,t1,[x],[y+16])
+        combadd(t0,t2,t1,[x+8],[y+8])
+        combadd(t0,t2,t1,[x+16],[y])
+        mov     [z+16], t1
+// Result term 3
+        xor     t1, t1
+        combadz(t1,t0,t2,[x],[y+24])
+        combadd(t1,t0,t2,[x+8],[y+16])
+        combadd(t1,t0,t2,[x+16],[y+8])
+        combadd(t1,t0,t2,[x+24],[y])
+        mov     [z+24], t2
+// Result term 4
+        xor     t2, t2
+        combadz(t2,t1,t0,[x],[y+32])
+        combadd(t2,t1,t0,[x+8],[y+24])
+        combadd(t2,t1,t0,[x+16],[y+16])
+        combadd(t2,t1,t0,[x+24],[y+8])
+        combadd(t2,t1,t0,[x+32],[y])
+        mov     [z+32], t0
+// Result term 5
+        xor     t0, t0
+        combadz(t0,t2,t1,[x],[y+40])
+        combadd(t0,t2,t1,[x+8],[y+32])
+        combadd(t0,t2,t1,[x+16],[y+24])
+        combadd(t0,t2,t1,[x+24],[y+16])
+        combadd(t0,t2,t1,[x+32],[y+8])
+        combadd(t0,t2,t1,[x+40],[y])
+        mov     [z+40], t1
+// Result term 6
+        xor     t1, t1
+        combadz(t1,t0,t2,[x+8],[y+40])
+        combadd(t1,t0,t2,[x+16],[y+32])
+        combadd(t1,t0,t2,[x+24],[y+24])
+        combadd(t1,t0,t2,[x+32],[y+16])
+        combadd(t1,t0,t2,[x+40],[y+8])
+        mov     [z+48], t2
+// Result term 7
+        xor     t2, t2
+        combadz(t2,t1,t0,[x+16],[y+40])
+        combadd(t2,t1,t0,[x+24],[y+32])
+        combadd(t2,t1,t0,[x+32],[y+24])
+        combadd(t2,t1,t0,[x+40],[y+16])
+        mov     [z+56], t0
+// Result term 8
+        xor     t0, t0
+        combadz(t0,t2,t1,[x+24],[y+40])
+        combadd(t0,t2,t1,[x+32],[y+32])
+        combadd(t0,t2,t1,[x+40],[y+24])
+        mov     [z+64], t1
+// Result term 9
+        xor     t1, t1
+        combadz(t1,t0,t2,[x+32],[y+40])
+        combadd(t1,t0,t2,[x+40],[y+32])
+        mov     [z+72], t2
+// Result term 10
+        combads(t1,t0,[x+40],[y+40])
+        mov     [z+80], t0
+// Result term 11
+        mov     [z+88], t1
+// Return
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16.S
new file mode 100644
index 0000000000..faa0196d8e
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16.S
@@ -0,0 +1,273 @@
+// $OpenBSD: bignum_mul_8_16.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+// ----------------------------------------------------------------------------
+// Multiply z := x * y
+// Inputs x[8], y[8]; output z[16]
+//
+//    extern void bignum_mul_8_16(uint64_t z[static 16], const uint64_t x[static 8],
+//                                const uint64_t y[static 8]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x, RDX = y
+// Microsoft x64 ABI:   RCX = z, RDX = x, R8 = y
+// ----------------------------------------------------------------------------
+#include "s2n_bignum_internal.h"
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_mul_8_16)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_mul_8_16)
+        .text
+// These are actually right
+#define z rdi
+#define x rsi
+// Copied in or set up
+#define y rcx
+// A zero register
+#define zero rbp
+#define zeroe ebp
+// mulpadd i, j adds x[i] * rdx (now assumed = y[j]) into the window at i+j
+.macro mulpadd arg1,arg2
+        mulx    rbx, rax, [x+8*\arg1]
+.if ((\arg1 + \arg2) % 8 == 0)
+        adcx    r8, rax
+        adox    r9, rbx
+.elseif ((\arg1 + \arg2) % 8 == 1)
+        adcx    r9, rax
+        adox    r10, rbx
+.elseif ((\arg1 + \arg2) % 8 == 2)
+        adcx    r10, rax
+        adox    r11, rbx
+.elseif ((\arg1 + \arg2) % 8 == 3)
+        adcx    r11, rax
+        adox    r12, rbx
+.elseif ((\arg1 + \arg2) % 8 == 4)
+        adcx    r12, rax
+        adox    r13, rbx
+.elseif ((\arg1 + \arg2) % 8 == 5)
+        adcx    r13, rax
+        adox    r14, rbx
+.elseif ((\arg1 + \arg2) % 8 == 6)
+        adcx    r14, rax
+        adox    r15, rbx
+.elseif ((\arg1 + \arg2) % 8 == 7)
+        adcx    r15, rax
+        adox    r8, rbx
+.endif
+.endm
+// mulpade i, j adds x[i] * rdx (now assumed = y[j]) into the window at i+j
+// but re-creates the top word assuming nothing to add there
+.macro mulpade arg1,arg2
+.if ((\arg1 + \arg2) % 8 == 0)
+        mulx    r9, rax, [x+8*\arg1]
+        adcx    r8, rax
+        adox    r9, zero
+.elseif ((\arg1 + \arg2) % 8 == 1)
+        mulx    r10, rax, [x+8*\arg1]
+        adcx    r9, rax
+        adox    r10, zero
+.elseif ((\arg1 + \arg2) % 8 == 2)
+        mulx    r11, rax, [x+8*\arg1]
+        adcx    r10, rax
+        adox    r11, zero
+.elseif ((\arg1 + \arg2) % 8 == 3)
+        mulx    r12, rax, [x+8*\arg1]
+        adcx    r11, rax
+        adox    r12, zero
+.elseif ((\arg1 + \arg2) % 8 == 4)
+        mulx    r13, rax, [x+8*\arg1]
+        adcx    r12, rax
+        adox    r13, zero
+.elseif ((\arg1 + \arg2) % 8 == 5)
+        mulx    r14, rax, [x+8*\arg1]
+        adcx    r13, rax
+        adox    r14, zero
+.elseif ((\arg1 + \arg2) % 8 == 6)
+        mulx    r15, rax, [x+8*\arg1]
+        adcx    r14, rax
+        adox    r15, zero
+.elseif ((\arg1 + \arg2) % 8 == 7)
+        mulx    r8, rax, [x+8*\arg1]
+        adcx    r15, rax
+        adox    r8, zero
+.endif
+.endm
+// Add in the whole j'th row
+.macro addrow arg1
+        mov     rdx, [y+8*\arg1]
+        xor     zeroe, zeroe
+        mulpadd 0, \arg1
+.if (\arg1 % 8 == 0)
+        mov     [z+8*\arg1],r8
+.elseif (\arg1 % 8 == 1)
+        mov     [z+8*\arg1],r9
+.elseif (\arg1 % 8 == 2)
+        mov     [z+8*\arg1],r10
+.elseif (\arg1 % 8 == 3)
+        mov     [z+8*\arg1],r11
+.elseif (\arg1 % 8 == 4)
+        mov     [z+8*\arg1],r12
+.elseif (\arg1 % 8 == 5)
+        mov     [z+8*\arg1],r13
+.elseif (\arg1 % 8 == 6)
+        mov     [z+8*\arg1],r14
+.elseif (\arg1 % 8 == 7)
+        mov     [z+8*\arg1],r15
+.endif
+        mulpadd 1, \arg1
+        mulpadd 2, \arg1
+        mulpadd 3, \arg1
+        mulpadd 4, \arg1
+        mulpadd 5, \arg1
+        mulpadd 6, \arg1
+        mulpade 7, \arg1
+.if (\arg1 % 8 == 0)
+        adc     r8, zero
+.elseif (\arg1 % 8 == 1)
+        adc     r9, zero
+.elseif (\arg1 % 8 == 2)
+        adc     r10, zero
+.elseif (\arg1 % 8 == 3)
+        adc     r11, zero
+.elseif (\arg1 % 8 == 4)
+        adc     r12, zero
+.elseif (\arg1 % 8 == 5)
+        adc     r13, zero
+.elseif (\arg1 % 8 == 6)
+        adc     r14, zero
+.elseif (\arg1 % 8 == 7)
+        adc     r15, zero
+.endif
+.endm
+S2N_BN_SYMBOL(bignum_mul_8_16):
+        _CET_ENDBR
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+        mov     rdx, r8
+#endif
+// Save more registers to play with
+        push    rbp
+        push    rbx
+        push    r12
+        push    r13
+        push    r14
+        push    r15
+// Copy y into a safe register to start with
+        mov     y, rdx
+// Zero a register, which also makes sure we don't get a fake carry-in
+        xor     zeroe, zeroe
+// Do the zeroth row, which is a bit different
+// Write back the zero-zero product and then accumulate
+// r8,r15,r14,r13,r12,r11,r10,r9 as y[0] * x from 1..8
+        mov     rdx, [y]
+        mulx    r9, r8, [x]
+        mov     [z], r8
+        mulx    r10, rbx, [x+8]
+        adc     r9, rbx
+        mulx    r11, rbx, [x+16]
+        adc     r10, rbx
+        mulx    r12, rbx, [x+24]
+        adc     r11, rbx
+        mulx    r13, rbx, [x+32]
+        adc     r12, rbx
+        mulx    r14, rbx, [x+40]
+        adc     r13, rbx
+        mulx    r15, rbx, [x+48]
+        adc     r14, rbx
+        mulx    r8, rbx, [x+56]
+        adc     r15, rbx
+        adc     r8, zero
+// Now all the other rows in a uniform pattern
+        addrow  1
+        addrow  2
+        addrow  3
+        addrow  4
+        addrow  5
+        addrow  6
+        addrow  7
+// Now write back the additional columns
+        mov     [z+64], r8
+        mov     [z+72], r9
+        mov     [z+80], r10
+        mov     [z+88], r11
+        mov     [z+96], r12
+        mov     [z+104], r13
+        mov     [z+112], r14
+        mov     [z+120], r15
+// Real epilog
+        pop     r15
+        pop     r14
+        pop     r13
+        pop     r12
+        pop     rbx
+        pop     rbp
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16_alt.S
index 066403b074..0e30b9170f 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16_alt.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_mul_8_16_alt.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_mul_8_16_alt.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,8 +18,9 @@
 // Multiply z := x * y
 // Inputs x[8], y[8]; output z[16]
 //
-//    extern void bignum_mul_8_16_alt
+//    extern void bignum_mul_8_16_alt(uint64_t z[static 16],
-//     (uint64_t z[static 16], uint64_t x[static 8], uint64_t y[static 8]);
+//                                    const uint64_t x[static 8],
+//                                    const uint64_t y[static 8]);
 //
 // Standard x86-64 ABI: RDI = z, RSI = x, RDX = y
 // Microsoft x64 ABI:   RCX = z, RDX = x, R8 = y
@@ -72,7 +75,7 @@
        adc     h, rdx
 S2N_BN_SYMBOL(bignum_mul_8_16_alt):
-        _CET_ENDBR
+        _CET_ENDBR
 #if WINDOWS_ABI
        push    rdi
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr.S
index 54e3f59442..86f1af2ac4 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_sqr.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,8 +18,7 @@
 // Square z := x^2
 // Input x[n]; output z[k]
 //
-//    extern void bignum_sqr
+//    extern void bignum_sqr(uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x);
-//     (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x);
 //
 // Does the "z := x^2" operation where x is n digits and result z is k.
 // Truncates the result in general unless k >= 2 * n
@@ -62,7 +63,7 @@
 #define llshort ebp
 S2N_BN_SYMBOL(bignum_sqr):
-        _CET_ENDBR
+        _CET_ENDBR
 #if WINDOWS_ABI
        push    rdi
@@ -86,7 +87,7 @@ S2N_BN_SYMBOL(bignum_sqr):
 // If p = 0 the result is trivial and nothing needs doing
        test    p, p
-        jz      end
+        jz      bignum_sqr_end
 // initialize (hh,ll) = 0
@@ -97,7 +98,7 @@ S2N_BN_SYMBOL(bignum_sqr):
        xor     k, k
-outerloop:
+bignum_sqr_outerloop:
 // First let bot = MAX 0 (k + 1 - n) and top = MIN (k + 1) n
 // We want to accumulate all x[i] * x[k - i] for bot <= i < top
@@ -122,7 +123,7 @@ outerloop:
 // If htop <= bot then main doubled part of the sum is empty
        cmp     i, htop
-        jnc     nosumming
+        jnc     bignum_sqr_nosumming
 // Use a moving pointer for [y] = x[k-i] for the cofactor
@@ -132,7 +133,7 @@ outerloop:
 // Do the main part of the sum x[i] * x[k - i] for 2 * i < k
-innerloop:
+bignum_sqr_innerloop:
        mov     a, [x+8*i]
        mul     QWORD PTR [y]
        add     l, a
@@ -141,7 +142,7 @@ innerloop:
        sub     y, 8
        inc     i
        cmp     i, htop
-        jc      innerloop
+        jc      bignum_sqr_innerloop
 // Now double it
@@ -151,11 +152,11 @@ innerloop:
 // If k is even (which means 2 * i = k) and i < n add the extra x[i]^2 term
-nosumming:
+bignum_sqr_nosumming:
        test    k, 1
-        jnz     innerend
+        jnz     bignum_sqr_innerend
        cmp     i, n
-        jnc     innerend
+        jnc     bignum_sqr_innerend
        mov     a, [x+8*i]
        mul     a
@@ -165,7 +166,7 @@ nosumming:
 // Now add the local sum into the global sum, store and shift
-innerend:
+bignum_sqr_innerend:
        add     l, ll
        mov     [z+8*k], l
        adc     h, hh
@@ -175,11 +176,11 @@ innerend:
        inc     k
        cmp     k, p
-        jc      outerloop
+        jc      bignum_sqr_outerloop
 // Restore registers and return
-end:
+bignum_sqr_end:
        pop     r15
        pop     r14
        pop     r13
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8.S
new file mode 100644
index 0000000000..25664782f7
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8.S
@@ -0,0 +1,158 @@
+// $OpenBSD: bignum_sqr_4_8.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+// ----------------------------------------------------------------------------
+// Square, z := x^2
+// Input x[4]; output z[8]
+//
+//    extern void bignum_sqr_4_8(uint64_t z[static 8], const uint64_t x[static 4]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x
+// Microsoft x64 ABI:   RCX = z, RDX = x
+// ----------------------------------------------------------------------------
+#include "s2n_bignum_internal.h"
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sqr_4_8)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sqr_4_8)
+        .text
+// These are actually right
+#define z rdi
+#define x rsi
+// A zero register
+#define zero rbp
+#define zeroe ebp
+// Other registers
+#define d1 r8
+#define d2 r9
+#define d3 r10
+#define d4 r11
+#define d5 r12
+#define d6 r13
+S2N_BN_SYMBOL(bignum_sqr_4_8):
+        _CET_ENDBR
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+#endif
+// Save more registers to play with
+        push    rbp
+        push    r12
+        push    r13
+// Set up an initial window [d6;...d1] = [23;03;01]
+        mov     rdx, [x]
+        mulx    d2, d1, [x+8]
+        mulx    d4, d3, [x+24]
+        mov     rdx, [x+16]
+        mulx    d6, d5, [x+24]
+// Clear our zero register, and also initialize the flags for the carry chain
+        xor     zeroe, zeroe
+// Chain in the addition of 02 + 12 + 13 to that window (no carry-out possible)
+// This gives all the "heterogeneous" terms of the squaring ready to double
+        mulx    rcx, rax, [x]
+        adcx    d2, rax
+        adox    d3, rcx
+        mulx    rcx, rax, [x+8]
+        adcx    d3, rax
+        adox    d4, rcx
+        mov     rdx, [x+24]
+        mulx    rcx, rax, [x+8]
+        adcx    d4, rax
+        adox    d5, rcx
+        adcx    d5, zero
+        adox    d6, zero
+        adcx    d6, zero
+// In principle this is otiose as CF and OF carries are absorbed at this point
+// However it seems helpful for the OOO engine to be told it's a fresh start
+        xor     zeroe, zeroe
+// Double and add to the 00 + 11 + 22 + 33 terms
+//
+// We could use shift-double but this seems tidier and in larger squarings
+// it was actually more efficient. I haven't experimented with this small
+// case to see how much that matters. Note: the writeback here is sprinkled
+// into the sequence in such a way that things still work if z = x, i.e. if
+// the output overwrites the input buffer and beyond.
+        mov     rdx, [x]
+        mulx    rdx, rax, rdx
+        mov     [z], rax
+        adcx    d1, d1
+        adox    d1, rdx
+        mov     rdx, [x+8]
+        mov     [z+8], d1
+        mulx    rdx, rax, rdx
+        adcx    d2, d2
+        adox    d2, rax
+        adcx    d3, d3
+        adox    d3, rdx
+        mov     rdx, [x+16]
+        mov     [z+16], d2
+        mulx    rdx, rax, rdx
+        adcx    d4, d4
+        adox    d4, rax
+        adcx    d5, d5
+        adox    d5, rdx
+        mov     rdx, [x+24]
+        mov     [z+24], d3
+        mulx    rdx, rax, rdx
+        mov     [z+32], d4
+        adcx    d6, d6
+        mov     [z+40], d5
+        adox    d6, rax
+        mov     [z+48], d6
+        adcx    rdx, zero
+        adox    rdx, zero
+        mov     [z+56], rdx
+// Restore saved registers and return
+        pop     r13
+        pop     r12
+        pop     rbp
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8_alt.S
index 7c534ae907..7eafac3284 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8_alt.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_4_8_alt.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_sqr_4_8_alt.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,8 +18,8 @@
 // Square, z := x^2
 // Input x[4]; output z[8]
 //
-//    extern void bignum_sqr_4_8_alt
+//    extern void bignum_sqr_4_8_alt(uint64_t z[static 8],
-//      (uint64_t z[static 8], uint64_t x[static 4]);
+//                                   const uint64_t x[static 4]);
 //
 // Standard x86-64 ABI: RDI = z, RSI = x
 // Microsoft x64 ABI:   RCX = z, RDX = x
@@ -71,7 +73,7 @@
        adc     c, 0
 S2N_BN_SYMBOL(bignum_sqr_4_8_alt):
-        _CET_ENDBR
+        _CET_ENDBR
 #if WINDOWS_ABI
        push    rdi
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_6_12.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_6_12.S
new file mode 100644
index 0000000000..3f055e8b75
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_6_12.S
@@ -0,0 +1,227 @@
+// $OpenBSD: bignum_sqr_6_12.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+// ----------------------------------------------------------------------------
+// Square, z := x^2
+// Input x[6]; output z[12]
+//
+//    extern void bignum_sqr_6_12(uint64_t z[static 12], const uint64_t x[static 6]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x
+// Microsoft x64 ABI:   RCX = z, RDX = x
+// ----------------------------------------------------------------------------
+#include "s2n_bignum_internal.h"
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sqr_6_12)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sqr_6_12)
+        .text
+// These are actually right
+#define z rdi
+#define x rsi
+// A zero register
+#define zero rbp
+#define zeroe ebp
+// Other registers
+#define d1 r8
+#define d2 r9
+#define d3 r10
+#define d4 r11
+#define d5 r12
+#define d6 r13
+#define d7 r14
+#define d8 r15
+#define d9 rbx
+// Care is needed: re-using the zero register
+#define d10 rbp
+S2N_BN_SYMBOL(bignum_sqr_6_12):
+        _CET_ENDBR
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+#endif
+// Save more registers to play with
+        push    rbp
+        push    rbx
+        push    r12
+        push    r13
+        push    r14
+        push    r15
+// Set up an initial window [d8;...d1] = [34;05;03;01]
+        mov     rdx, [x]
+        mulx    d2, d1, [x+8]
+        mulx    d4, d3, [x+24]
+        mulx    d6, d5, [x+40]
+        mov     rdx, [x+24]
+        mulx    d8, d7, [x+32]
+// Clear our zero register, and also initialize the flags for the carry chain
+        xor     zeroe, zeroe
+// Chain in the addition of 02 + 12 + 13 + 14 + 15 to that window
+// (no carry-out possible since we add it to the top of a product)
+        mov     rdx, [x+16]
+        mulx    rcx, rax, [x]
+        adcx    d2, rax
+        adox    d3, rcx
+        mulx    rcx, rax, [x+8]
+        adcx    d3, rax
+        adox    d4, rcx
+        mov     rdx, [x+8]
+        mulx    rcx, rax, [x+24]
+        adcx    d4, rax
+        adox    d5, rcx
+        mulx    rcx, rax, [x+32]
+        adcx    d5, rax
+        adox    d6, rcx
+        mulx    rcx, rax, [x+40]
+        adcx    d6, rax
+        adox    d7, rcx
+        adcx    d7, zero
+        adox    d8, zero
+        adcx    d8, zero
+// Again zero out the flags. Actually they are already cleared but it may
+// help decouple these in the OOO engine not to wait for the chain above
+        xor     zeroe, zeroe
+// Now chain in the 04 + 23 + 24 + 25 + 35 + 45 terms
+// We are running out of registers and here our zero register is not zero!
+        mov     rdx, [x+32]
+        mulx    rcx, rax, [x]
+        adcx    d4, rax
+        adox    d5, rcx
+        mov     rdx, [x+16]
+        mulx    rcx, rax, [x+24]
+        adcx    d5, rax
+        adox    d6, rcx
+        mulx    rcx, rax, [x+32]
+        adcx    d6, rax
+        adox    d7, rcx
+        mulx    rcx, rax, [x+40]
+        adcx    d7, rax
+        adox    d8, rcx
+        mov     rdx, [x+24]
+        mulx    d9, rax, [x+40]
+        adcx    d8, rax
+        adox    d9, zero
+        mov     rdx, [x+32]
+        mulx    d10, rax, [x+40]
+        adcx    d9, rax
+        mov     eax, 0
+        adox    d10, rax
+        adcx    d10, rax
+// Again, just for a clear fresh start for the flags
+        xor     eax, eax
+// Double and add to the 00 + 11 + 22 + 33 + 44 + 55 terms
+//
+// We could use shift-double but this seems tidier and in larger squarings
+// it was actually more efficient. I haven't experimented with this small
+// case to see how much that matters. Note: the writeback here is sprinkled
+// into the sequence in such a way that things still work if z = x, i.e. if
+// the output overwrites the input buffer and beyond.
+        mov     rdx, [x]
+        mulx    rdx, rax, rdx
+        mov     [z], rax
+        adcx    d1, d1
+        adox    d1, rdx
+        mov     rdx, [x+8]
+        mov     [z+8], d1
+        mulx    rdx, rax, rdx
+        adcx    d2, d2
+        adox    d2, rax
+        adcx    d3, d3
+        adox    d3, rdx
+        mov     rdx, [x+16]
+        mov     [z+16], d2
+        mulx    rdx, rax, rdx
+        adcx    d4, d4
+        adox    d4, rax
+        adcx    d5, d5
+        adox    d5, rdx
+        mov     rdx, [x+24]
+        mov     [z+24], d3
+        mulx    rdx, rax, rdx
+        adcx    d6, d6
+        adox    d6, rax
+        adcx    d7, d7
+        adox    d7, rdx
+        mov     rdx, [x+32]
+        mov     [z+32], d4
+        mulx    rdx, rax, rdx
+        adcx    d8, d8
+        adox    d8, rax
+        adcx    d9, d9
+        adox    d9, rdx
+        mov     rdx, [x+40]
+        mov     [z+40], d5
+        mulx    rdx, rax, rdx
+        mov     [z+48], d6
+        adcx    d10, d10
+        mov     [z+56], d7
+        adox    d10, rax
+        mov     [z+64], d8
+        mov     eax, 0
+        mov     [z+72], d9
+        adcx    rdx, rax
+        mov     [z+80], d10
+        adox    rdx, rax
+        mov     [z+88], rdx
+// Restore saved registers and return
+        pop     r15
+        pop     r14
+        pop     r13
+        pop     r12
+        pop     rbx
+        pop     rbp
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_6_12_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_6_12_alt.S
new file mode 100644
index 0000000000..eb43b0a15b
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_6_12_alt.S
@@ -0,0 +1,210 @@
+// $OpenBSD: bignum_sqr_6_12_alt.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+// ----------------------------------------------------------------------------
+// Square, z := x^2
+// Input x[6]; output z[12]
+//
+//    extern void bignum_sqr_6_12_alt(uint64_t z[static 12],
+//                                    const uint64_t x[static 6]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x
+// Microsoft x64 ABI:   RCX = z, RDX = x
+// ----------------------------------------------------------------------------
+#include "s2n_bignum_internal.h"
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sqr_6_12_alt)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sqr_6_12_alt)
+        .text
+// Input arguments
+#define z rdi
+#define x rsi
+// Other variables used as a rotating 3-word window to add terms to
+#define t0 r8
+#define t1 r9
+#define t2 r10
+// Additional temporaries for local windows to share doublings
+#define u0 rcx
+#define u1 r11
+// Macro for the key "multiply and add to (c,h,l)" step
+#define combadd(c,h,l,numa,numb)                \
+        mov     rax, numa;                      \
+        mul     QWORD PTR numb;                 \
+        add     l, rax;                         \
+        adc     h, rdx;                         \
+        adc     c, 0
+// Set up initial window (c,h,l) = numa * numb
+#define combaddz(c,h,l,numa,numb)               \
+        mov     rax, numa;                      \
+        mul     QWORD PTR numb;                 \
+        xor     c, c;                           \
+        mov     l, rax;                         \
+        mov     h, rdx
+// Doubling step (c,h,l) = 2 * (c,hh,ll) + (0,h,l)
+#define doubladd(c,h,l,hh,ll)                   \
+        add     ll, ll;                         \
+        adc     hh, hh;                         \
+        adc     c, c;                           \
+        add     l, ll;                          \
+        adc     h, hh;                          \
+        adc     c, 0
+// Square term incorporation (c,h,l) += numba^2
+#define combadd1(c,h,l,numa)                    \
+        mov     rax, numa;                      \
+        mul     rax;                            \
+        add     l, rax;                         \
+        adc     h, rdx;                         \
+        adc     c, 0
+// A short form where we don't expect a top carry
+#define combads(h,l,numa)                       \
+        mov     rax, numa;                      \
+        mul     rax;                            \
+        add     l, rax;                         \
+        adc     h, rdx
+// A version doubling directly before adding, for single non-square terms
+#define combadd2(c,h,l,numa,numb)               \
+        mov     rax, numa;                      \
+        mul     QWORD PTR numb;                 \
+        add     rax, rax;                       \
+        adc     rdx, rdx;                       \
+        adc     c, 0;                           \
+        add     l, rax;                         \
+        adc     h, rdx;                         \
+        adc     c, 0
+S2N_BN_SYMBOL(bignum_sqr_6_12_alt):
+        _CET_ENDBR
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+#endif
+// Result term 0
+        mov     rax, [x]
+        mul     rax
+        mov     [z], rax
+        mov     t0, rdx
+        xor     t1, t1
+// Result term 1
+        xor     t2, t2
+        combadd2(t2,t1,t0,[x],[x+8])
+        mov     [z+8], t0
+// Result term 2
+        xor     t0, t0
+        combadd1(t0,t2,t1,[x+8])
+        combadd2(t0,t2,t1,[x],[x+16])
+        mov     [z+16], t1
+// Result term 3
+        combaddz(t1,u1,u0,[x],[x+24])
+        combadd(t1,u1,u0,[x+8],[x+16])
+        doubladd(t1,t0,t2,u1,u0)
+        mov     [z+24], t2
+// Result term 4
+        combaddz(t2,u1,u0,[x],[x+32])
+        combadd(t2,u1,u0,[x+8],[x+24])
+        doubladd(t2,t1,t0,u1,u0)
+        combadd1(t2,t1,t0,[x+16])
+        mov     [z+32], t0
+// Result term 5
+        combaddz(t0,u1,u0,[x],[x+40])
+        combadd(t0,u1,u0,[x+8],[x+32])
+        combadd(t0,u1,u0,[x+16],[x+24])
+        doubladd(t0,t2,t1,u1,u0)
+        mov     [z+40], t1
+// Result term 6
+        combaddz(t1,u1,u0,[x+8],[x+40])
+        combadd(t1,u1,u0,[x+16],[x+32])
+        doubladd(t1,t0,t2,u1,u0)
+        combadd1(t1,t0,t2,[x+24])
+        mov     [z+48], t2
+// Result term 7
+        combaddz(t2,u1,u0,[x+16],[x+40])
+        combadd(t2,u1,u0,[x+24],[x+32])
+        doubladd(t2,t1,t0,u1,u0)
+        mov     [z+56], t0
+// Result term 8
+        xor     t0, t0
+        combadd2(t0,t2,t1,[x+24],[x+40])
+        combadd1(t0,t2,t1,[x+32])
+        mov     [z+64], t1
+// Result term 9
+        xor     t1, t1
+        combadd2(t1,t0,t2,[x+32],[x+40])
+        mov     [z+72], t2
+// Result term 10
+        combads(t1,t0,[x+40])
+        mov     [z+80], t0
+// Result term 11
+        mov     [z+88], t1
+// Return
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16.S
new file mode 100644
index 0000000000..41277b5b6a
--- /dev/null
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16.S
@@ -0,0 +1,311 @@
+// $OpenBSD: bignum_sqr_8_16.S,v 1.4 2025/08/12 10:23:40 jsing Exp $
+//
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+// ----------------------------------------------------------------------------
+// Square, z := x^2
+// Input x[8]; output z[16]
+//
+//    extern void bignum_sqr_8_16(uint64_t z[static 16], const uint64_t x[static 8]);
+//
+// Standard x86-64 ABI: RDI = z, RSI = x
+// Microsoft x64 ABI:   RCX = z, RDX = x
+// ----------------------------------------------------------------------------
+#include "s2n_bignum_internal.h"
+        .intel_syntax noprefix
+        S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sqr_8_16)
+        S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sqr_8_16)
+        .text
+// These are actually right
+#define z rdi
+#define x rsi
+// A zero register
+#define zero rbp
+#define zeroe ebp
+// mulpadd i, j adds rdx * x[i] into the window  at the i+j point
+.macro mulpadd arg1,arg2
+        mulx    rcx, rax, [x+8*\arg1]
+.if ((\arg1 + \arg2) % 8 == 0)
+        adcx    r8, rax
+        adox    r9, rcx
+.elseif ((\arg1 + \arg2) % 8 == 1)
+        adcx    r9, rax
+        adox    r10, rcx
+.elseif ((\arg1 + \arg2) % 8 == 2)
+        adcx    r10, rax
+        adox    r11, rcx
+.elseif ((\arg1 + \arg2) % 8 == 3)
+        adcx    r11, rax
+        adox    r12, rcx
+.elseif ((\arg1 + \arg2) % 8 == 4)
+        adcx    r12, rax
+        adox    r13, rcx
+.elseif ((\arg1 + \arg2) % 8 == 5)
+        adcx    r13, rax
+        adox    r14, rcx
+.elseif ((\arg1 + \arg2) % 8 == 6)
+        adcx    r14, rax
+        adox    r15, rcx
+.elseif ((\arg1 + \arg2) % 8 == 7)
+        adcx    r15, rax
+        adox    r8, rcx
+.endif
+.endm
+// mulpade i, j adds rdx * x[i] into the window at i+j
+// but re-creates the top word assuming nothing to add there
+.macro mulpade arg1,arg2
+.if ((\arg1 + \arg2) % 8 == 0)
+        mulx    r9, rax, [x+8*\arg1]
+        adcx    r8, rax
+        adox    r9, zero
+.elseif ((\arg1 + \arg2) % 8 == 1)
+        mulx    r10, rax, [x+8*\arg1]
+        adcx    r9, rax
+        adox    r10, zero
+.elseif ((\arg1 + \arg2) % 8 == 2)
+        mulx    r11, rax, [x+8*\arg1]
+        adcx    r10, rax
+        adox    r11, zero
+.elseif ((\arg1 + \arg2) % 8 == 3)
+        mulx    r12, rax, [x+8*\arg1]
+        adcx    r11, rax
+        adox    r12, zero
+.elseif ((\arg1 + \arg2) % 8 == 4)
+        mulx    r13, rax, [x+8*\arg1]
+        adcx    r12, rax
+        adox    r13, zero
+.elseif ((\arg1 + \arg2) % 8 == 5)
+        mulx    r14, rax, [x+8*\arg1]
+        adcx    r13, rax
+        adox    r14, zero
+.elseif ((\arg1 + \arg2) % 8 == 6)
+        mulx    r15, rax, [x+8*\arg1]
+        adcx    r14, rax
+        adox    r15, zero
+.elseif ((\arg1 + \arg2) % 8 == 7)
+        mulx    r8, rax, [x+8*\arg1]
+        adcx    r15, rax
+        adox    r8, zero
+.endif
+.endm
+.macro diagonals
+        xor     zeroe, zeroe
+// Set initial window [r8..r10] + 2 wb = 10 + 20 + 30 + 40 + 50 + 60 + 70
+        mov     rdx, [x]
+        mulx    rax, r9, [x+8]
+        mov     [z+8], r9
+        mulx    rcx, r10, [x+16]
+        adcx    r10, rax
+        mov     [z+16], r10
+        mulx    rax, r11, [x+24]
+        adcx    r11, rcx
+        mulx    rcx, r12, [x+32]
+        adcx    r12, rax
+        mulx    rax, r13, [x+40]
+        adcx    r13, rcx
+        mulx    rcx, r14, [x+48]
+        adcx    r14, rax
+        mulx    r8, r15, [x+56]
+        adcx    r15, rcx
+        adcx    r8, zero
+// Add in the next diagonal = 21 + 31 + 41 + 51 + 61 + 71 + 54
+        xor     zeroe, zeroe
+        mov     rdx, [x+8]
+        mulpadd 2, 1
+        mov     [z+24], r11
+        mulpadd 3, 1
+        mov     [z+32], r12
+        mulpadd 4, 1
+        mulpadd 5, 1
+        mulpadd 6, 1
+        mulpade 7, 1
+        mov     rdx, [x+32]
+        mulpade 5, 4
+        adcx    r10, zero
+// And the next one = 32 + 42 + 52 + 62 + 72 + 64 + 65
+        xor     zeroe, zeroe
+        mov     rdx, [x+16]
+        mulpadd 3, 2
+        mov     [z+40], r13
+        mulpadd 4, 2
+        mov     [z+48], r14
+        mulpadd 5, 2
+        mulpadd 6, 2
+        mulpadd 7, 2
+        mov     rdx, [x+48]
+        mulpade 4, 6
+        mulpade 5, 6
+        adcx    r12, zero
+// And the final one = 43 + 53 + 63 + 73 + 74 + 75 + 76
+        xor     zeroe, zeroe
+        mov     rdx, [x+24]
+        mulpadd 4, 3
+        mov     [z+56], r15
+        mulpadd 5, 3
+        mov     [z+64], r8
+        mulpadd 6, 3
+        mulpadd 7, 3
+        mov     rdx, [x+56]
+        mulpadd 4, 7
+        mulpade 5, 7
+        mulpade 6, 7
+        adcx    r14, zero
+// Double and add things; use z[1]..z[8] and thereafter the registers
+// r9..r15 which haven't been written back yet
+        xor     zeroe, zeroe
+        mov     rdx, [x]
+        mulx    rcx, rax, rdx
+        mov     [z], rax
+        mov     rax, [z+8]
+        adcx    rax, rax
+        adox    rax, rcx
+        mov     [z+8], rax
+        mov     rax, [z+16]
+        mov     rdx, [x+8]
+        mulx    rcx, rdx, rdx
+        adcx    rax, rax
+        adox    rax, rdx
+        mov     [z+16], rax
+        mov     rax, [z+24]
+        adcx    rax, rax
+        adox    rax, rcx
+        mov     [z+24], rax
+        mov     rax, [z+32]
+        mov     rdx, [x+16]
+        mulx    rcx, rdx, rdx
+        adcx    rax, rax
+        adox    rax, rdx
+        mov     [z+32], rax
+        mov     rax, [z+40]
+        adcx    rax, rax
+        adox    rax, rcx
+        mov     [z+40], rax
+        mov     rax, [z+48]
+        mov     rdx, [x+24]
+        mulx    rcx, rdx, rdx
+        adcx    rax, rax
+        adox    rax, rdx
+        mov     [z+48], rax
+        mov     rax, [z+56]
+        adcx    rax, rax
+        adox    rax, rcx
+        mov     [z+56], rax
+        mov     rax, [z+64]
+        mov     rdx, [x+32]
+        mulx    rcx, rdx, rdx
+        adcx    rax, rax
+        adox    rax, rdx
+        mov     [z+64], rax
+        adcx    r9, r9
+        adox    r9, rcx
+        mov     [z+72], r9
+        mov     rdx, [x+40]
+        mulx    rcx, rdx, rdx
+        adcx    r10, r10
+        adox    r10, rdx
+        mov     [z+80], r10
+        adcx    r11, r11
+        adox    r11, rcx
+        mov     [z+88], r11
+        mov     rdx, [x+48]
+        mulx    rcx, rdx, rdx
+        adcx    r12, r12
+        adox    r12, rdx
+        mov     [z+96], r12
+        adcx    r13, r13
+        adox    r13, rcx
+        mov     [z+104], r13
+        mov     rdx, [x+56]
+        mulx    r15, rdx, rdx
+        adcx    r14, r14
+        adox    r14, rdx
+        mov     [z+112], r14
+        adcx    r15, zero
+        adox    r15, zero
+        mov     [z+120], r15
+.endm
+S2N_BN_SYMBOL(bignum_sqr_8_16):
+        _CET_ENDBR
+#if WINDOWS_ABI
+        push    rdi
+        push    rsi
+        mov     rdi, rcx
+        mov     rsi, rdx
+#endif
+// Save more registers to play with
+        push    rbp
+        push    r12
+        push    r13
+        push    r14
+        push    r15
+// Do the multiplication
+        diagonals
+// Real epilog
+        pop     r15
+        pop     r14
+        pop     r13
+        pop     r12
+        pop     rbp
+#if WINDOWS_ABI
+        pop    rsi
+        pop    rdi
+#endif
+        ret
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16_alt.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16_alt.S
index ac0b6f96c2..cb10ba2a12 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16_alt.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sqr_8_16_alt.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_sqr_8_16_alt.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +18,8 @@
 // Square, z := x^2
 // Input x[8]; output z[16]
 //
-//    extern void bignum_sqr_8_16_alt (uint64_t z[static 16], uint64_t x[static 8]);
+//    extern void bignum_sqr_8_16_alt(uint64_t z[static 16],
+//                                    const uint64_t x[static 8]);
 //
 // Standard x86-64 ABI: RDI = z, RSI = x
 // Microsoft x64 ABI:   RCX = z, RDX = x
@@ -103,7 +106,7 @@
        adc     c, 0
 S2N_BN_SYMBOL(bignum_sqr_8_16_alt):
-        _CET_ENDBR
+        _CET_ENDBR
 #if WINDOWS_ABI
        push    rdi
diff --git a/src/lib/libcrypto/bn/arch/amd64/bignum_sub.S b/src/lib/libcrypto/bn/arch/amd64/bignum_sub.S
index 3ff8a30510..7324d3a71e 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bignum_sub.S
+++ b/src/lib/libcrypto/bn/arch/amd64/bignum_sub.S
@@ -1,3 +1,5 @@
+// $OpenBSD: bignum_sub.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,9 +18,8 @@
 // Subtract, z := x - y
 // Inputs x[m], y[n]; outputs function return (carry-out) and z[p]
 //
-//    extern uint64_t bignum_sub
+//    extern uint64_t bignum_sub(uint64_t p, uint64_t *z, uint64_t m,
-//     (uint64_t p, uint64_t *z,
+//                               const uint64_t *x, uint64_t n, const uint64_t *y);
-//      uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
 //
 // Does the z := x - y operation, truncating modulo p words in general and
 // returning a top borrow (0 or 1) in the p'th place, only subtracting input
@@ -49,7 +50,7 @@
 S2N_BN_SYMBOL(bignum_sub):
-        _CET_ENDBR
+        _CET_ENDBR
 #if WINDOWS_ABI
        push    rdi
@@ -75,7 +76,7 @@ S2N_BN_SYMBOL(bignum_sub):
        cmp     p, n
        cmovc   n, p
        cmp     m, n
-        jc      ylonger
+        jc      bignum_sub_ylonger
 // The case where x is longer or of the same size (p >= m >= n)
@@ -83,32 +84,32 @@ S2N_BN_SYMBOL(bignum_sub):
        sub     m, n
        inc     m
        test    n, n
-        jz      xtest
+        jz      bignum_sub_xtest
-xmainloop:
+bignum_sub_xmainloop:
        mov     a, [x+8*i]
        sbb     a, [y+8*i]
        mov     [z+8*i],a
        inc     i
        dec     n
-        jnz     xmainloop
+        jnz     bignum_sub_xmainloop
-        jmp     xtest
+        jmp     bignum_sub_xtest
-xtoploop:
+bignum_sub_xtoploop:
        mov     a, [x+8*i]
        sbb     a, 0
        mov     [z+8*i],a
        inc     i
-xtest:
+bignum_sub_xtest:
        dec     m
-        jnz     xtoploop
+        jnz     bignum_sub_xtoploop
        sbb     a, a
        test    p, p
-        jz      tailskip
+        jz      bignum_sub_tailskip
-tailloop:
+bignum_sub_tailloop:
        mov     [z+8*i],a
        inc     i
        dec     p
-        jnz     tailloop
+        jnz     bignum_sub_tailloop
-tailskip:
+bignum_sub_tailskip:
        neg     a
 #if WINDOWS_ABI
        pop    rsi
@@ -118,29 +119,29 @@ tailskip:
 // The case where y is longer (p >= n > m)
-ylonger:
+bignum_sub_ylonger:
        sub     p, n
        sub     n, m
        test    m, m
-        jz      ytoploop
+        jz      bignum_sub_ytoploop
-ymainloop:
+bignum_sub_ymainloop:
        mov     a, [x+8*i]
        sbb     a, [y+8*i]
        mov     [z+8*i],a
        inc     i
        dec     m
-        jnz     ymainloop
+        jnz     bignum_sub_ymainloop
-ytoploop:
+bignum_sub_ytoploop:
        mov     ashort, 0
        sbb     a, [y+8*i]
        mov     [z+8*i],a
        inc     i
        dec     n
-        jnz     ytoploop
+        jnz     bignum_sub_ytoploop
        sbb     a, a
        test    p, p
-        jnz     tailloop
+        jnz     bignum_sub_tailloop
        neg     a
 #if WINDOWS_ABI
        pop    rsi
diff --git a/src/lib/libcrypto/bn/arch/amd64/bn_arch.c b/src/lib/libcrypto/bn/arch/amd64/bn_arch.c
index a377a05681..6c3888687b 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bn_arch.c
+++ b/src/lib/libcrypto/bn/arch/amd64/bn_arch.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_arch.c,v 1.7 2023/06/24 16:01:44 jsing Exp $ */
+/*      $OpenBSD: bn_arch.c,v 1.17 2025/09/01 15:33:23 jsing Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -19,6 +19,7 @@
 #include "bn_arch.h"
 #include "bn_local.h"
+#include "crypto_arch.h"
 #include "s2n_bignum.h"
 #ifdef HAVE_BN_ADD
@@ -26,8 +27,8 @@ BN_ULONG
 bn_add(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
    int b_len)
 {
-        return bignum_add(r_len, (uint64_t *)r, a_len, (uint64_t *)a,
+        return bignum_add(r_len, (uint64_t *)r, a_len, (const uint64_t *)a,
-            b_len, (uint64_t *)b);
+            b_len, (const uint64_t *)b);
 }
 #endif
@@ -36,8 +37,8 @@ bn_add(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
 BN_ULONG
 bn_add_words(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd, int n)
 {
-        return bignum_add(n, (uint64_t *)rd, n, (uint64_t *)ad, n,
+        return bignum_add(n, (uint64_t *)rd, n, (const uint64_t *)ad, n,
-            (uint64_t *)bd);
+            (const uint64_t *)bd);
 }
 #endif
@@ -46,8 +47,8 @@ BN_ULONG
 bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
    int b_len)
 {
-        return bignum_sub(r_len, (uint64_t *)r, a_len, (uint64_t *)a,
+        return bignum_sub(r_len, (uint64_t *)r, a_len, (const uint64_t *)a,
-            b_len, (uint64_t *)b);
+            b_len, (const uint64_t *)b);
 }
 #endif
@@ -55,52 +56,99 @@ bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
 BN_ULONG
 bn_sub_words(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd, int n)
 {
-        return bignum_sub(n, (uint64_t *)rd, n, (uint64_t *)ad, n,
+        return bignum_sub(n, (uint64_t *)rd, n, (const uint64_t *)ad, n,
-            (uint64_t *)bd);
+            (const uint64_t *)bd);
 }
 #endif
-#ifdef HAVE_BN_MUL_ADD_WORDS
+#ifdef HAVE_BN_MOD_ADD_WORDS
-BN_ULONG
+void
-bn_mul_add_words(BN_ULONG *rd, const BN_ULONG *ad, int num, BN_ULONG w)
+bn_mod_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n)
 {
-        return bignum_cmadd(num, (uint64_t *)rd, w, num, (uint64_t *)ad);
+        bignum_modadd(n, (uint64_t *)r, (const uint64_t *)a,
+            (const uint64_t *)b, (const uint64_t *)m);
 }
 #endif
-#ifdef HAVE_BN_MUL_WORDS
+#ifdef HAVE_BN_MOD_SUB_WORDS
-BN_ULONG
+void
-bn_mul_words(BN_ULONG *rd, const BN_ULONG *ad, int num, BN_ULONG w)
+bn_mod_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n)
 {
-        return bignum_cmul(num, (uint64_t *)rd, w, num, (uint64_t *)ad);
+        bignum_modsub(n, (uint64_t *)r, (const uint64_t *)a,
+            (const uint64_t *)b, (const uint64_t *)m);
 }
 #endif
 #ifdef HAVE_BN_MUL_COMBA4
 void
-bn_mul_comba4(BN_ULONG *rd, BN_ULONG *ad, BN_ULONG *bd)
+bn_mul_comba4(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_ADX) != 0) {
+                bignum_mul_4_8((uint64_t *)rd, (const uint64_t *)ad,
+                    (const uint64_t *)bd);
+                return;
+        }
+        bignum_mul_4_8_alt((uint64_t *)rd, (const uint64_t *)ad,
+            (const uint64_t *)bd);
+}
+#endif
+#ifdef HAVE_BN_MUL_COMBA6
+void
+bn_mul_comba6(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd)
 {
-        /* XXX - consider using non-alt on CPUs that have the ADX extension. */
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_ADX) != 0) {
-        bignum_mul_4_8_alt((uint64_t *)rd, (uint64_t *)ad, (uint64_t *)bd);
+                bignum_mul_6_12((uint64_t *)rd, (const uint64_t *)ad,
+                    (const uint64_t *)bd);
+                return;
+        }
+        bignum_mul_6_12_alt((uint64_t *)rd, (const uint64_t *)ad,
+            (const uint64_t *)bd);
 }
 #endif
 #ifdef HAVE_BN_MUL_COMBA8
 void
-bn_mul_comba8(BN_ULONG *rd, BN_ULONG *ad, BN_ULONG *bd)
+bn_mul_comba8(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd)
 {
-        /* XXX - consider using non-alt on CPUs that have the ADX extension. */
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_ADX) != 0) {
-        bignum_mul_8_16_alt((uint64_t *)rd, (uint64_t *)ad, (uint64_t *)bd);
+                bignum_mul_8_16((uint64_t *)rd, (const uint64_t *)ad,
+                    (const uint64_t *)bd);
+                return;
+        }
+        bignum_mul_8_16_alt((uint64_t *)rd, (const uint64_t *)ad,
+            (const uint64_t *)bd);
 }
 #endif
-#ifdef HAVE_BN_SQR
+#ifdef HAVE_BN_MUL_WORDS
-int
+void
-bn_sqr(BIGNUM *r, const BIGNUM *a, int r_len, BN_CTX *ctx)
+bn_mul_words(BN_ULONG *r, const BN_ULONG *a, int a_len, const BN_ULONG *b,
+    int b_len)
+{
+        bignum_mul(a_len + b_len, (uint64_t *)r, a_len, (const uint64_t *)a,
+            b_len, (const uint64_t *)b);
+}
+#endif
+#ifdef HAVE_BN_MULW_ADD_WORDS
+BN_ULONG
+bn_mulw_add_words(BN_ULONG *rd, const BN_ULONG *ad, int num, BN_ULONG w)
 {
-        bignum_sqr(r_len, (uint64_t *)r->d, a->top, (uint64_t *)a->d);
+        return bignum_cmadd(num, (uint64_t *)rd, w, num, (const uint64_t *)ad);
+}
+#endif
-        return 1;
+#ifdef HAVE_BN_MULW_WORDS
+BN_ULONG
+bn_mulw_words(BN_ULONG *rd, const BN_ULONG *ad, int num, BN_ULONG w)
+{
+        return bignum_cmul(num, (uint64_t *)rd, w, num, (const uint64_t *)ad);
 }
 #endif
@@ -108,8 +156,25 @@ bn_sqr(BIGNUM *r, const BIGNUM *a, int r_len, BN_CTX *ctx)
 void
 bn_sqr_comba4(BN_ULONG *rd, const BN_ULONG *ad)
 {
-        /* XXX - consider using non-alt on CPUs that have the ADX extension. */
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_ADX) != 0) {
-        bignum_sqr_4_8_alt((uint64_t *)rd, (uint64_t *)ad);
+                bignum_sqr_4_8((uint64_t *)rd, (const uint64_t *)ad);
+                return;
+        }
+        bignum_sqr_4_8_alt((uint64_t *)rd, (const uint64_t *)ad);
+}
+#endif
+#ifdef HAVE_BN_SQR_COMBA6
+void
+bn_sqr_comba6(BN_ULONG *rd, const BN_ULONG *ad)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_ADX) != 0) {
+                bignum_sqr_6_12((uint64_t *)rd, (const uint64_t *)ad);
+                return;
+        }
+        bignum_sqr_6_12_alt((uint64_t *)rd, (const uint64_t *)ad);
 }
 #endif
@@ -117,8 +182,20 @@ bn_sqr_comba4(BN_ULONG *rd, const BN_ULONG *ad)
 void
 bn_sqr_comba8(BN_ULONG *rd, const BN_ULONG *ad)
 {
-        /* XXX - consider using non-alt on CPUs that have the ADX extension. */
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_ADX) != 0) {
-        bignum_sqr_8_16_alt((uint64_t *)rd, (uint64_t *)ad);
+                bignum_sqr_8_16((uint64_t *)rd, (const uint64_t *)ad);
+                return;
+        }
+        bignum_sqr_8_16_alt((uint64_t *)rd, (const uint64_t *)ad);
+}
+#endif
+#ifdef HAVE_BN_SQR_WORDS
+void
+bn_sqr_words(BN_ULONG *rd, const BN_ULONG *ad, int a_len)
+{
+        bignum_sqr(a_len * 2, (uint64_t *)rd, a_len, (const uint64_t *)ad);
 }
 #endif
diff --git a/src/lib/libcrypto/bn/arch/amd64/bn_arch.h b/src/lib/libcrypto/bn/arch/amd64/bn_arch.h
index 927cd75208..3cb1d1d274 100644
--- a/src/lib/libcrypto/bn/arch/amd64/bn_arch.h
+++ b/src/lib/libcrypto/bn/arch/amd64/bn_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_arch.h,v 1.14 2024/03/26 06:09:25 jsing Exp $ */
+/*      $OpenBSD: bn_arch.h,v 1.19 2025/09/01 15:15:44 jsing Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -27,14 +27,20 @@
 #define HAVE_BN_DIV_WORDS
-#define HAVE_BN_MUL_ADD_WORDS
+#define HAVE_BN_MOD_ADD_WORDS
+#define HAVE_BN_MOD_SUB_WORDS
 #define HAVE_BN_MUL_COMBA4
+#define HAVE_BN_MUL_COMBA6
 #define HAVE_BN_MUL_COMBA8
 #define HAVE_BN_MUL_WORDS
+#define HAVE_BN_MULW_ADD_WORDS
+#define HAVE_BN_MULW_WORDS
-#define HAVE_BN_SQR
 #define HAVE_BN_SQR_COMBA4
+#define HAVE_BN_SQR_COMBA6
 #define HAVE_BN_SQR_COMBA8
+#define HAVE_BN_SQR_WORDS
 #define HAVE_BN_SUB
 #define HAVE_BN_SUB_WORDS
diff --git a/src/lib/libcrypto/bn/arch/amd64/word_clz.S b/src/lib/libcrypto/bn/arch/amd64/word_clz.S
index 3926fcd4b0..705fbdbbda 100644
--- a/src/lib/libcrypto/bn/arch/amd64/word_clz.S
+++ b/src/lib/libcrypto/bn/arch/amd64/word_clz.S
@@ -1,3 +1,5 @@
+// $OpenBSD: word_clz.S,v 1.7 2025/08/11 14:13:56 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +18,7 @@
 // Count leading zero bits in a single word
 // Input a; output function return
 //
-//    extern uint64_t word_clz (uint64_t a);
+//    extern uint64_t word_clz(uint64_t a);
 //
 // Standard x86-64 ABI: RDI = a, returns RAX
 // Microsoft x64 ABI:   RCX = a, returns RAX
@@ -30,7 +32,7 @@
        .text
 S2N_BN_SYMBOL(word_clz):
-        _CET_ENDBR
+        _CET_ENDBR
 #if WINDOWS_ABI
        push    rdi
diff --git a/src/lib/libcrypto/bn/arch/i386/bn_arch.h b/src/lib/libcrypto/bn/arch/i386/bn_arch.h
index eef519fcc7..288cbdeaa9 100644
--- a/src/lib/libcrypto/bn/arch/i386/bn_arch.h
+++ b/src/lib/libcrypto/bn/arch/i386/bn_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_arch.h,v 1.9 2023/02/16 10:41:03 jsing Exp $ */
+/*      $OpenBSD: bn_arch.h,v 1.11 2025/09/07 03:56:37 jsing Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -26,14 +26,13 @@
 #define HAVE_BN_DIV_WORDS
-#define HAVE_BN_MUL_ADD_WORDS
 #define HAVE_BN_MUL_COMBA4
 #define HAVE_BN_MUL_COMBA8
-#define HAVE_BN_MUL_WORDS
+#define HAVE_BN_MULW_ADD_WORDS
+#define HAVE_BN_MULW_WORDS
 #define HAVE_BN_SQR_COMBA4
 #define HAVE_BN_SQR_COMBA8
-#define HAVE_BN_SQR_WORDS
 #define HAVE_BN_SUB_WORDS
diff --git a/src/lib/libcrypto/bn/arch/mips64/bn_arch.h b/src/lib/libcrypto/bn/arch/mips64/bn_arch.h
index 53771bce1e..562a398f33 100644
--- a/src/lib/libcrypto/bn/arch/mips64/bn_arch.h
+++ b/src/lib/libcrypto/bn/arch/mips64/bn_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_arch.h,v 1.7 2023/01/23 12:17:58 jsing Exp $ */
+/*      $OpenBSD: bn_arch.h,v 1.9 2025/09/07 03:56:37 jsing Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -25,14 +25,13 @@
 #define HAVE_BN_DIV_WORDS
 #define HAVE_BN_DIV_3_WORDS
-#define HAVE_BN_MUL_ADD_WORDS
 #define HAVE_BN_MUL_COMBA4
 #define HAVE_BN_MUL_COMBA8
-#define HAVE_BN_MUL_WORDS
+#define HAVE_BN_MULW_ADD_WORDS
+#define HAVE_BN_MULW_WORDS
 #define HAVE_BN_SQR_COMBA4
 #define HAVE_BN_SQR_COMBA8
-#define HAVE_BN_SQR_WORDS
 #define HAVE_BN_SUB_WORDS
diff --git a/src/lib/libcrypto/bn/arch/powerpc/bn_arch.h b/src/lib/libcrypto/bn/arch/powerpc/bn_arch.h
index 46e932a2d5..21bcdf48d3 100644
--- a/src/lib/libcrypto/bn/arch/powerpc/bn_arch.h
+++ b/src/lib/libcrypto/bn/arch/powerpc/bn_arch.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_arch.h,v 1.6 2023/01/23 12:17:58 jsing Exp $ */
+/*      $OpenBSD: bn_arch.h,v 1.8 2025/09/07 03:56:37 jsing Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -24,14 +24,13 @@
 #define HAVE_BN_DIV_WORDS
-#define HAVE_BN_MUL_ADD_WORDS
 #define HAVE_BN_MUL_COMBA4
 #define HAVE_BN_MUL_COMBA8
-#define HAVE_BN_MUL_WORDS
+#define HAVE_BN_MULW_ADD_WORDS
+#define HAVE_BN_MULW_WORDS
 #define HAVE_BN_SQR_COMBA4
 #define HAVE_BN_SQR_COMBA8
-#define HAVE_BN_SQR_WORDS
 #define HAVE_BN_SUB_WORDS
diff --git a/src/lib/libcrypto/bn/asm/bn-586.pl b/src/lib/libcrypto/bn/asm/bn-586.pl
index 71b775af8d..9b4b11ad5b 100644
--- a/src/lib/libcrypto/bn/asm/bn-586.pl
+++ b/src/lib/libcrypto/bn/asm/bn-586.pl
@@ -6,21 +6,20 @@ require "x86asm.pl";
 &asm_init($ARGV[0],$0);
-$sse2=0;
+$sse2=1;
-for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 &external_label("OPENSSL_ia32cap_P") if ($sse2);
-&bn_mul_add_words("bn_mul_add_words");
+&bn_mulw_add_words("bn_mulw_add_words");
-&bn_mul_words("bn_mul_words");
+&bn_mulw_words("bn_mulw_words");
-&bn_sqr_words("bn_sqr_words");
+&bn_sqr_word_wise("bn_sqr_word_wise");
 &bn_div_words("bn_div_words");
 &bn_add_words("bn_add_words");
 &bn_sub_words("bn_sub_words");
 &asm_finish();
-sub bn_mul_add_words
+sub bn_mulw_add_words
        {
        local($name)=@_;
@@ -207,7 +206,7 @@ sub bn_mul_add_words
        &function_end($name);
        }
-sub bn_mul_words
+sub bn_mulw_words
        {
        local($name)=@_;
@@ -319,7 +318,7 @@ sub bn_mul_words
        &function_end($name);
        }
-sub bn_sqr_words
+sub bn_sqr_word_wise
        {
        local($name)=@_;
diff --git a/src/lib/libcrypto/bn/asm/mips.pl b/src/lib/libcrypto/bn/asm/mips.pl
index 02d43e15b0..aaa0c5d8b0 100644
--- a/src/lib/libcrypto/bn/asm/mips.pl
+++ b/src/lib/libcrypto/bn/asm/mips.pl
@@ -110,19 +110,19 @@ $code.=<<___;
 .set    noat
 .align  5
-.globl  bn_mul_add_words
+.globl  bn_mulw_add_words
-.ent    bn_mul_add_words
+.ent    bn_mulw_add_words
-bn_mul_add_words:
+bn_mulw_add_words:
        .set    noreorder
-        bgtz    $a2,bn_mul_add_words_internal
+        bgtz    $a2,bn_mulw_add_words_internal
        move    $v0,$zero
        jr      $ra
        move    $a0,$v0
-.end    bn_mul_add_words
+.end    bn_mulw_add_words
 .align  5
-.ent    bn_mul_add_words_internal
+.ent    bn_mulw_add_words_internal
-bn_mul_add_words_internal:
+bn_mulw_add_words_internal:
 ___
 $code.=<<___ if ($flavour =~ /nubi/i);
        .frame  $sp,6*$SZREG,$ra
@@ -140,9 +140,9 @@ $code.=<<___;
        .set    reorder
        li      $minus4,-4
        and     $ta0,$a2,$minus4
-        beqz    $ta0,.L_bn_mul_add_words_tail
+        beqz    $ta0,.L_bn_mulw_add_words_tail
-.L_bn_mul_add_words_loop:
+.L_bn_mulw_add_words_loop:
        $LD     $t0,0($a1)
        $MULTU  $t0,$a3
        $LD     $t1,0($a0)
@@ -201,13 +201,13 @@ $code.=<<___;
        sltu    $at,$ta3,$at
        $ST     $ta3,-$BNSZ($a0)
        .set    noreorder
-        bgtz    $ta0,.L_bn_mul_add_words_loop
+        bgtz    $ta0,.L_bn_mulw_add_words_loop
        $ADDU   $v0,$at
-        beqz    $a2,.L_bn_mul_add_words_return
+        beqz    $a2,.L_bn_mulw_add_words_return
        nop
-.L_bn_mul_add_words_tail:
+.L_bn_mulw_add_words_tail:
        .set    reorder
        $LD     $t0,0($a1)
        $MULTU  $t0,$a3
@@ -222,7 +222,7 @@ $code.=<<___;
        sltu    $at,$t1,$at
        $ST     $t1,0($a0)
        $ADDU   $v0,$at
-        beqz    $a2,.L_bn_mul_add_words_return
+        beqz    $a2,.L_bn_mulw_add_words_return
        $LD     $t0,$BNSZ($a1)
        $MULTU  $t0,$a3
@@ -237,7 +237,7 @@ $code.=<<___;
        sltu    $at,$t1,$at
        $ST     $t1,$BNSZ($a0)
        $ADDU   $v0,$at
-        beqz    $a2,.L_bn_mul_add_words_return
+        beqz    $a2,.L_bn_mulw_add_words_return
        $LD     $t0,2*$BNSZ($a1)
        $MULTU  $t0,$a3
@@ -252,7 +252,7 @@ $code.=<<___;
        $ST     $t1,2*$BNSZ($a0)
        $ADDU   $v0,$at
-.L_bn_mul_add_words_return:
+.L_bn_mulw_add_words_return:
        .set    noreorder
 ___
 $code.=<<___ if ($flavour =~ /nubi/i);
@@ -266,22 +266,22 @@ ___
 $code.=<<___;
        jr      $ra
        move    $a0,$v0
-.end    bn_mul_add_words_internal
+.end    bn_mulw_add_words_internal
 .align  5
-.globl  bn_mul_words
+.globl  bn_mulw_words
-.ent    bn_mul_words
+.ent    bn_mulw_words
-bn_mul_words:
+bn_mulw_words:
        .set    noreorder
-        bgtz    $a2,bn_mul_words_internal
+        bgtz    $a2,bn_mulw_words_internal
        move    $v0,$zero
        jr      $ra
        move    $a0,$v0
-.end    bn_mul_words
+.end    bn_mulw_words
 .align  5
-.ent    bn_mul_words_internal
+.ent    bn_mulw_words_internal
-bn_mul_words_internal:
+bn_mulw_words_internal:
 ___
 $code.=<<___ if ($flavour =~ /nubi/i);
        .frame  $sp,6*$SZREG,$ra
@@ -299,9 +299,9 @@ $code.=<<___;
        .set    reorder
        li      $minus4,-4
        and     $ta0,$a2,$minus4
-        beqz    $ta0,.L_bn_mul_words_tail
+        beqz    $ta0,.L_bn_mulw_words_tail
-.L_bn_mul_words_loop:
+.L_bn_mulw_words_loop:
        $LD     $t0,0($a1)
        $MULTU  $t0,$a3
        $LD     $t2,$BNSZ($a1)
@@ -341,13 +341,13 @@ $code.=<<___;
        sltu    $ta3,$v0,$at
        $ST     $v0,-$BNSZ($a0)
        .set    noreorder
-        bgtz    $ta0,.L_bn_mul_words_loop
+        bgtz    $ta0,.L_bn_mulw_words_loop
        $ADDU   $v0,$ta3,$ta2
-        beqz    $a2,.L_bn_mul_words_return
+        beqz    $a2,.L_bn_mulw_words_return
        nop
-.L_bn_mul_words_tail:
+.L_bn_mulw_words_tail:
        .set    reorder
        $LD     $t0,0($a1)
        $MULTU  $t0,$a3
@@ -358,7 +358,7 @@ $code.=<<___;
        sltu    $t1,$v0,$at
        $ST     $v0,0($a0)
        $ADDU   $v0,$t1,$t0
-        beqz    $a2,.L_bn_mul_words_return
+        beqz    $a2,.L_bn_mulw_words_return
        $LD     $t0,$BNSZ($a1)
        $MULTU  $t0,$a3
@@ -369,7 +369,7 @@ $code.=<<___;
        sltu    $t1,$v0,$at
        $ST     $v0,$BNSZ($a0)
        $ADDU   $v0,$t1,$t0
-        beqz    $a2,.L_bn_mul_words_return
+        beqz    $a2,.L_bn_mulw_words_return
        $LD     $t0,2*$BNSZ($a1)
        $MULTU  $t0,$a3
@@ -380,7 +380,7 @@ $code.=<<___;
        $ST     $v0,2*$BNSZ($a0)
        $ADDU   $v0,$t1,$t0
-.L_bn_mul_words_return:
+.L_bn_mulw_words_return:
        .set    noreorder
 ___
 $code.=<<___ if ($flavour =~ /nubi/i);
@@ -394,22 +394,22 @@ ___
 $code.=<<___;
        jr      $ra
        move    $a0,$v0
-.end    bn_mul_words_internal
+.end    bn_mulw_words_internal
 .align  5
-.globl  bn_sqr_words
+.globl  bn_sqr_word_wise
-.ent    bn_sqr_words
+.ent    bn_sqr_word_wise
-bn_sqr_words:
+bn_sqr_word_wise:
        .set    noreorder
-        bgtz    $a2,bn_sqr_words_internal
+        bgtz    $a2,bn_sqr_word_wise_internal
        move    $v0,$zero
        jr      $ra
        move    $a0,$v0
-.end    bn_sqr_words
+.end    bn_sqr_word_wise
 .align  5
-.ent    bn_sqr_words_internal
+.ent    bn_sqr_word_wise_internal
-bn_sqr_words_internal:
+bn_sqr_word_wise_internal:
 ___
 $code.=<<___ if ($flavour =~ /nubi/i);
        .frame  $sp,6*$SZREG,$ra
@@ -427,9 +427,9 @@ $code.=<<___;
        .set    reorder
        li      $minus4,-4
        and     $ta0,$a2,$minus4
-        beqz    $ta0,.L_bn_sqr_words_tail
+        beqz    $ta0,.L_bn_sqr_word_wise_tail
-.L_bn_sqr_words_loop:
+.L_bn_sqr_word_wise_loop:
        $LD     $t0,0($a1)
        $MULTU  $t0,$t0
        $LD     $t2,$BNSZ($a1)
@@ -463,13 +463,13 @@ $code.=<<___;
        $ST     $ta3,-2*$BNSZ($a0)
        .set    noreorder
-        bgtz    $ta0,.L_bn_sqr_words_loop
+        bgtz    $ta0,.L_bn_sqr_word_wise_loop
        $ST     $ta2,-$BNSZ($a0)
-        beqz    $a2,.L_bn_sqr_words_return
+        beqz    $a2,.L_bn_sqr_word_wise_return
        nop
-.L_bn_sqr_words_tail:
+.L_bn_sqr_word_wise_tail:
        .set    reorder
        $LD     $t0,0($a1)
        $MULTU  $t0,$t0
@@ -478,7 +478,7 @@ $code.=<<___;
        mfhi    $t0
        $ST     $t1,0($a0)
        $ST     $t0,$BNSZ($a0)
-        beqz    $a2,.L_bn_sqr_words_return
+        beqz    $a2,.L_bn_sqr_word_wise_return
        $LD     $t0,$BNSZ($a1)
        $MULTU  $t0,$t0
@@ -487,7 +487,7 @@ $code.=<<___;
        mfhi    $t0
        $ST     $t1,2*$BNSZ($a0)
        $ST     $t0,3*$BNSZ($a0)
-        beqz    $a2,.L_bn_sqr_words_return
+        beqz    $a2,.L_bn_sqr_word_wise_return
        $LD     $t0,2*$BNSZ($a1)
        $MULTU  $t0,$t0
@@ -496,7 +496,7 @@ $code.=<<___;
        $ST     $t1,4*$BNSZ($a0)
        $ST     $t0,5*$BNSZ($a0)
-.L_bn_sqr_words_return:
+.L_bn_sqr_word_wise_return:
        .set    noreorder
 ___
 $code.=<<___ if ($flavour =~ /nubi/i);
@@ -511,7 +511,7 @@ $code.=<<___;
        jr      $ra
        move    $a0,$v0
-.end    bn_sqr_words_internal
+.end    bn_sqr_word_wise_internal
 .align  5
 .globl  bn_add_words
diff --git a/src/lib/libcrypto/bn/asm/ppc.pl b/src/lib/libcrypto/bn/asm/ppc.pl
index c9b7f9477d..9b8dc55bff 100644
--- a/src/lib/libcrypto/bn/asm/ppc.pl
+++ b/src/lib/libcrypto/bn/asm/ppc.pl
@@ -204,9 +204,9 @@ $data=<<EOF;
 #       bn_sub_words
 #       bn_add_words
 #       bn_div_words
-#       bn_sqr_words
+#       bn_sqr_word_wise
-#       bn_mul_words
+#       bn_mulw_words
-#       bn_mul_add_words
+#       bn_mulw_add_words
 #
 #       NOTE:   It is possible to optimize this code more for
 #       specific PowerPC or Power architectures. On the Northstar
@@ -248,9 +248,9 @@ $data=<<EOF;
        .globl  .bn_sub_words
        .globl  .bn_add_words
        .globl  .bn_div_words
-        .globl  .bn_sqr_words
+        .globl  .bn_sqr_word_wise
-        .globl  .bn_mul_words
+        .globl  .bn_mulw_words
-        .globl  .bn_mul_add_words
+        .globl  .bn_mulw_add_words
        
 # .text section
        
@@ -1702,16 +1702,16 @@ Lppcasm_div9:
 #
 #       NOTE:   The following label name should be changed to
-#               "bn_sqr_words" i.e. remove the first dot
+#               "bn_sqr_word_wise" i.e. remove the first dot
 #               for the gcc compiler. This should be automatically
 #               done in the build
 #
 .align  4
-.bn_sqr_words:
+.bn_sqr_word_wise:
 #
-#       Optimized version of bn_sqr_words
+#       Optimized version of bn_sqr_word_wise
 #
-#       void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
+#       void bn_sqr_word_wise(BN_ULONG *r, BN_ULONG *a, int n)
 #
 #       r3 = r
 #       r4 = a
@@ -1740,15 +1740,15 @@ Lppcasm_sqr_adios:
 #
 #       NOTE:   The following label name should be changed to
-#               "bn_mul_words" i.e. remove the first dot
+#               "bn_mulw_words" i.e. remove the first dot
 #               for the gcc compiler. This should be automatically
 #               done in the build
 #
 .align  4       
-.bn_mul_words:
+.bn_mulw_words:
 #
-# BN_ULONG bn_mul_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+# BN_ULONG bn_mulw_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
 #
 # r3 = rp
 # r4 = ap
@@ -1842,15 +1842,15 @@ Lppcasm_mw_OVER:
 #
 #       NOTE:   The following label name should be changed to
-#               "bn_mul_add_words" i.e. remove the first dot
+#               "bn_mulw_add_words" i.e. remove the first dot
 #               for the gcc compiler. This should be automatically
 #               done in the build
 #
 .align  4
-.bn_mul_add_words:
+.bn_mulw_add_words:
 #
-# BN_ULONG bn_mul_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
+# BN_ULONG bn_mulw_add_words(BN_ULONG *rp, BN_ULONG *ap, int num, BN_ULONG w)
 #
 # r3 = rp
 # r4 = ap
diff --git a/src/lib/libcrypto/bn/asm/x86-mont.pl b/src/lib/libcrypto/bn/asm/x86-mont.pl
index 6524651748..3be440f11f 100755
--- a/src/lib/libcrypto/bn/asm/x86-mont.pl
+++ b/src/lib/libcrypto/bn/asm/x86-mont.pl
@@ -32,8 +32,7 @@ require "x86asm.pl";
 &asm_init($ARGV[0],$0);
-$sse2=0;
+$sse2=1;
-for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 &external_label("OPENSSL_ia32cap_P") if ($sse2);
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index 7c3c0b142f..3f9e24a868 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn.h,v 1.80 2025/03/09 15:22:40 tb Exp $ */
+/* $OpenBSD: bn.h,v 1.85 2025/12/05 17:25:55 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -125,6 +125,8 @@
 #ifndef HEADER_BN_H
 #define HEADER_BN_H
+#include <inttypes.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -138,59 +140,17 @@
 extern "C" {
 #endif
-/* This next option uses the C libraries (2 word)/(1 word) function.
+#if defined(_LP64) || defined(_WIN64)
- * If it is not defined, I use my C version (which is slower).
- * The reason for this flag is that when the particular C compiler
- * library routine is used, and the library is linked with a different
- * compiler, the library is missing.  This mostly happens when the
- * library is built with gcc and then linked using normal cc.  This would
- * be a common occurrence because gcc normally produces code that is
- * 2 times faster than system compilers for the big number stuff.
- * For machines with only one compiler (or shared libraries), this should
- * be on.  Again this in only really a problem on machines
- * using "long long's", are 32bit, and are not using my assembler code. */
-/* #define BN_DIV2W */
-#ifdef _LP64
 #undef  BN_LLONG
-#define BN_ULONG        unsigned long
+#define BN_ULONG        uint64_t
-#define BN_LONG         long
-#define BN_BITS         128
 #define BN_BYTES        8
 #define BN_BITS2        64
-#define BN_BITS4        32
-#define BN_MASK2        (0xffffffffffffffffL)
-#define BN_MASK2l       (0xffffffffL)
-#define BN_MASK2h       (0xffffffff00000000L)
-#define BN_MASK2h1      (0xffffffff80000000L)
-#define BN_TBIT         (0x8000000000000000L)
-#define BN_DEC_CONV     (10000000000000000000UL)
-#define BN_DEC_FMT1     "%lu"
-#define BN_DEC_FMT2     "%019lu"
-#define BN_DEC_NUM      19
-#define BN_HEX_FMT1     "%lX"
-#define BN_HEX_FMT2     "%016lX"
 #else
-#define BN_ULLONG       unsigned long long
+#define BN_ULLONG       uint64_t
 #define BN_LLONG
-#define BN_ULONG        unsigned int
+#define BN_ULONG        uint32_t
-#define BN_LONG         int
-#define BN_BITS         64
 #define BN_BYTES        4
 #define BN_BITS2        32
-#define BN_BITS4        16
-#define BN_MASK         (0xffffffffffffffffLL)
-#define BN_MASK2        (0xffffffffL)
-#define BN_MASK2l       (0xffff)
-#define BN_MASK2h1      (0xffff8000L)
-#define BN_MASK2h       (0xffff0000L)
-#define BN_TBIT         (0x80000000L)
-#define BN_DEC_CONV     (1000000000L)
-#define BN_DEC_FMT1     "%u"
-#define BN_DEC_FMT2     "%09u"
-#define BN_DEC_NUM      9
-#define BN_HEX_FMT1     "%X"
-#define BN_HEX_FMT2     "%08X"
 #endif
 #define BN_FLG_MALLOCED         0x01
diff --git a/src/lib/libcrypto/bn/bn_add.c b/src/lib/libcrypto/bn/bn_add.c
index 86768a312a..81fa60e429 100644
--- a/src/lib/libcrypto/bn/bn_add.c
+++ b/src/lib/libcrypto/bn/bn_add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_add.c,v 1.26 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_add.c,v 1.29 2025/05/25 04:53:05 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,44 +60,10 @@
 #include <limits.h>
 #include <stdio.h>
-#include <openssl/err.h>
 #include "bn_arch.h"
 #include "bn_local.h"
 #include "bn_internal.h"
+#include "err_local.h"
-/*
- * bn_add_words() computes (carry:r[i]) = a[i] + b[i] + carry, where a and b
- * are both arrays of words. Any carry resulting from the addition is returned.
- */
-#ifndef HAVE_BN_ADD_WORDS
-BN_ULONG
-bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
-{
-        BN_ULONG carry = 0;
-        assert(n >= 0);
-        if (n <= 0)
-                return 0;
-        while (n & ~3) {
-                bn_qwaddqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
-                    carry, &carry, &r[3], &r[2], &r[1], &r[0]);
-                a += 4;
-                b += 4;
-                r += 4;
-                n -= 4;
-        }
-        while (n) {
-                bn_addw_addw(a[0], b[0], carry, &carry, &r[0]);
-                a++;
-                b++;
-                r++;
-                n--;
-        }
-        return carry;
-}
-#endif
 /*
 * bn_add() computes (carry:r[i]) = a[i] + b[i] + carry, where a and b are both
@@ -147,40 +113,6 @@ bn_add(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
 #endif
 /*
- * bn_sub_words() computes (borrow:r[i]) = a[i] - b[i] - borrow, where a and b
- * are both arrays of words. Any borrow resulting from the subtraction is
- * returned.
- */
-#ifndef HAVE_BN_SUB_WORDS
-BN_ULONG
-bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
-{
-        BN_ULONG borrow = 0;
-        assert(n >= 0);
-        if (n <= 0)
-                return 0;
-        while (n & ~3) {
-                bn_qwsubqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
-                    borrow, &borrow, &r[3], &r[2], &r[1], &r[0]);
-                a += 4;
-                b += 4;
-                r += 4;
-                n -= 4;
-        }
-        while (n) {
-                bn_subw_subw(a[0], b[0], borrow, &borrow, &r[0]);
-                a++;
-                b++;
-                r++;
-                n--;
-        }
-        return borrow;
-}
-#endif
-/*
 * bn_sub() computes (borrow:r[i]) = a[i] - b[i] - borrow, where a and b are both
 * arrays of words (r may be the same as a or b). The length of a and b may
 * differ, while r must be at least max(a_len, b_len) in length. Any borrow
@@ -208,7 +140,7 @@ bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
        /* XXX - consider doing four at a time to match bn_sub_words. */
        while (diff_len < 0) {
                /* Compute r[0] = 0 - b[0] - borrow. */
-                bn_subw(0 - b[0], borrow, &borrow, &r[0]);
+                bn_subw_subw(0, b[0], borrow, &borrow, &r[0]);
                diff_len++;
                b++;
                r++;
@@ -217,7 +149,7 @@ bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
        /* XXX - consider doing four at a time to match bn_sub_words. */
        while (diff_len > 0) {
                /* Compute r[0] = a[0] - 0 - borrow. */
-                bn_subw(a[0], borrow, &borrow, &r[0]);
+                bn_subw_subw(a[0], 0, borrow, &borrow, &r[0]);
                diff_len--;
                a++;
                r++;
diff --git a/src/lib/libcrypto/bn/bn_add_sub.c b/src/lib/libcrypto/bn/bn_add_sub.c
new file mode 100644
index 0000000000..5c9d5a2b1a
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_add_sub.c
@@ -0,0 +1,178 @@
+/* $OpenBSD: bn_add_sub.c,v 1.1 2025/05/25 04:30:55 jsing Exp $ */
+/*
+ * Copyright (c) 2023,2024,2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <openssl/bn.h>
+#include "bn_internal.h"
+/*
+ * bn_add_words() computes (carry:r[i]) = a[i] + b[i] + carry, where a and b
+ * are both arrays of words. Any carry resulting from the addition is returned.
+ */
+#ifndef HAVE_BN_ADD_WORDS
+BN_ULONG
+bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
+{
+        BN_ULONG carry = 0;
+        while (n >= 4) {
+                bn_qwaddqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
+                    carry, &carry, &r[3], &r[2], &r[1], &r[0]);
+                a += 4;
+                b += 4;
+                r += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_addw_addw(a[0], b[0], carry, &carry, &r[0]);
+                a++;
+                b++;
+                r++;
+                n--;
+        }
+        return carry;
+}
+#endif
+/*
+ * bn_sub_words() computes (borrow:r[i]) = a[i] - b[i] - borrow, where a and b
+ * are both arrays of words. Any borrow resulting from the subtraction is
+ * returned.
+ */
+#ifndef HAVE_BN_SUB_WORDS
+BN_ULONG
+bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
+{
+        BN_ULONG borrow = 0;
+        while (n >= 4) {
+                bn_qwsubqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
+                    borrow, &borrow, &r[3], &r[2], &r[1], &r[0]);
+                a += 4;
+                b += 4;
+                r += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_subw_subw(a[0], b[0], borrow, &borrow, &r[0]);
+                a++;
+                b++;
+                r++;
+                n--;
+        }
+        return borrow;
+}
+#endif
+/*
+ * bn_sub_borrow() computes a[i] - b[i], returning the resulting borrow only.
+ */
+#ifndef HAVE_BN_SUB_WORDS_BORROW
+BN_ULONG
+bn_sub_words_borrow(const BN_ULONG *a, const BN_ULONG *b, size_t n)
+{
+        BN_ULONG borrow = 0;
+        BN_ULONG r;
+        while (n >= 4) {
+                bn_qwsubqw(a[3], a[2], a[1], a[0], b[3], b[2], b[1], b[0],
+                    borrow, &borrow, &r, &r, &r, &r);
+                a += 4;
+                b += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_subw_subw(a[0], b[0], borrow, &borrow, &r);
+                a++;
+                b++;
+                n--;
+        }
+        return borrow;
+}
+#endif
+/*
+ * bn_add_words_masked() computes r[] = a[] + (b[] & mask), where a, b and r are
+ * arrays of words with length n (r may be the same as a or b).
+ */
+#ifndef HAVE_BN_ADD_WORDS_MASKED
+BN_ULONG
+bn_add_words_masked(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    BN_ULONG mask, size_t n)
+{
+        BN_ULONG carry = 0;
+        /* XXX - consider conditional/masked versions of bn_addw_addw/bn_qwaddqw. */
+        while (n >= 4) {
+                bn_qwaddqw(a[3], a[2], a[1], a[0], b[3] & mask, b[2] & mask,
+                    b[1] & mask, b[0] & mask, carry, &carry, &r[3], &r[2],
+                    &r[1], &r[0]);
+                a += 4;
+                b += 4;
+                r += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_addw_addw(a[0], b[0] & mask, carry, &carry, &r[0]);
+                a++;
+                b++;
+                r++;
+                n--;
+        }
+        return carry;
+}
+#endif
+/*
+ * bn_sub_words_masked() computes r[] = a[] - (b[] & mask), where a, b and r are
+ * arrays of words with length n (r may be the same as a or b).
+ */
+#ifndef HAVE_BN_SUB_WORDS_MASKED
+BN_ULONG
+bn_sub_words_masked(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    BN_ULONG mask, size_t n)
+{
+        BN_ULONG borrow = 0;
+        /* XXX - consider conditional/masked versions of bn_subw_subw/bn_qwsubqw. */
+        /* Compute conditional r[i] = a[i] - b[i]. */
+        while (n >= 4) {
+                bn_qwsubqw(a[3], a[2], a[1], a[0], b[3] & mask, b[2] & mask,
+                    b[1] & mask, b[0] & mask, borrow, &borrow, &r[3], &r[2],
+                    &r[1], &r[0]);
+                a += 4;
+                b += 4;
+                r += 4;
+                n -= 4;
+        }
+        while (n > 0) {
+                bn_subw_subw(a[0], b[0] & mask, borrow, &borrow, &r[0]);
+                a++;
+                b++;
+                r++;
+                n--;
+        }
+        return borrow;
+}
+#endif
diff --git a/src/lib/libcrypto/bn/bn_convert.c b/src/lib/libcrypto/bn/bn_convert.c
index 6a6354f44e..ab5bc519c8 100644
--- a/src/lib/libcrypto/bn/bn_convert.c
+++ b/src/lib/libcrypto/bn/bn_convert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_convert.c,v 1.23 2024/11/08 14:18:44 jsing Exp $ */
+/* $OpenBSD: bn_convert.c,v 1.25 2025/12/05 14:12:32 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -65,11 +65,19 @@
 #include <openssl/bio.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include "bn_local.h"
 #include "bytestring.h"
 #include "crypto_internal.h"
+#include "err_local.h"
+#if BN_BYTES == 8
+#define BN_DEC_CONV     UINT64_C(10000000000000000000)
+#define BN_DEC_NUM      19
+#else
+#define BN_DEC_CONV     UINT32_C(1000000000)
+#define BN_DEC_NUM      9
+#endif
 static int bn_dec2bn_cbs(BIGNUM **bnp, CBS *cbs);
 static int bn_hex2bn_cbs(BIGNUM **bnp, CBS *cbs);
diff --git a/src/lib/libcrypto/bn/bn_ctx.c b/src/lib/libcrypto/bn/bn_ctx.c
index 129b9c9781..eda93dcaa4 100644
--- a/src/lib/libcrypto/bn/bn_ctx.c
+++ b/src/lib/libcrypto/bn/bn_ctx.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_ctx.c,v 1.22 2023/07/08 12:21:58 beck Exp $ */
+/*      $OpenBSD: bn_ctx.c,v 1.23 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -19,9 +19,9 @@
 #include <string.h>
 #include <openssl/opensslconf.h>
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 #define BN_CTX_INITIAL_LEN      8
diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c
index 09a8a364df..0a914db752 100644
--- a/src/lib/libcrypto/bn/bn_div.c
+++ b/src/lib/libcrypto/bn/bn_div.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_div.c,v 1.41 2024/04/10 14:58:06 beck Exp $ */
+/* $OpenBSD: bn_div.c,v 1.44 2025/09/07 06:28:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,25 +62,15 @@
 #include <openssl/opensslconf.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include "bn_arch.h"
 #include "bn_local.h"
 #include "bn_internal.h"
+#include "err_local.h"
 BN_ULONG bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0);
 #ifndef HAVE_BN_DIV_WORDS
-#if defined(BN_LLONG) && defined(BN_DIV2W)
-BN_ULONG
-bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
-{
-        return ((BN_ULONG)(((((BN_ULLONG)h) << BN_BITS2)|l)/(BN_ULLONG)d));
-}
-#else
 /* Divide h,l by d and return the result. */
 /* I need to test this some more :-( */
 BN_ULONG
@@ -148,7 +138,6 @@ bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
        ret |= q;
        return (ret);
 }
-#endif /* !defined(BN_LLONG) && defined(BN_DIV2W) */
 #endif
 /*
@@ -375,7 +364,7 @@ BN_div_internal(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator,
                 *  | wnum - sdiv * q | < sdiv
                 */
                q = bn_div_3_words(wnump, d1, d0);
-                l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q);
+                l0 = bn_mulw_words(tmp->d, sdiv->d, div_n, q);
                tmp->d[div_n] = l0;
                wnum.d--;
diff --git a/src/lib/libcrypto/bn/bn_exp.c b/src/lib/libcrypto/bn/bn_exp.c
index e925d325d2..6a5c1c857a 100644
--- a/src/lib/libcrypto/bn/bn_exp.c
+++ b/src/lib/libcrypto/bn/bn_exp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_exp.c,v 1.58 2025/02/13 11:15:09 tb Exp $ */
+/* $OpenBSD: bn_exp.c,v 1.59 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -112,10 +112,9 @@
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/err.h>
 #include "bn_local.h"
 #include "constant_time.h"
+#include "err_local.h"
 /* maximum precomputation table size for *variable* sliding windows */
 #define TABLE_SIZE      32
diff --git a/src/lib/libcrypto/bn/bn_gcd.c b/src/lib/libcrypto/bn/bn_gcd.c
index fa5d71a7f3..319d9ca390 100644
--- a/src/lib/libcrypto/bn/bn_gcd.c
+++ b/src/lib/libcrypto/bn/bn_gcd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_gcd.c,v 1.29 2024/04/10 14:58:06 beck Exp $ */
+/* $OpenBSD: bn_gcd.c,v 1.31 2025/06/02 12:40:10 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -109,9 +109,8 @@
 *
 */
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 static BIGNUM *
 euclid(BIGNUM *a, BIGNUM *b)
@@ -681,8 +680,10 @@ BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ct
                                        /* A >= 2*B, so D=2 or D=3 */
                                        if (!BN_sub(M, A, T))
                                                goto err;
-                                        if (!BN_add(D,T,B)) goto err; /* use D (:= 3*B) as temp */
+                                        /* use D (:= 3*B) as temp */
-                                                if (BN_ucmp(A, D) < 0) {
+                                        if (!BN_add(D, T, B))
+                                                goto err;
+                                        if (BN_ucmp(A, D) < 0) {
                                                /* A < 3*B, so D=2 */
                                                if (!BN_set_word(D, 2))
                                                        goto err;
diff --git a/src/lib/libcrypto/bn/bn_internal.h b/src/lib/libcrypto/bn/bn_internal.h
index fd04bc9f8a..efe8202aa0 100644
--- a/src/lib/libcrypto/bn/bn_internal.h
+++ b/src/lib/libcrypto/bn/bn_internal.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_internal.h,v 1.15 2023/06/25 11:42:26 jsing Exp $ */
+/*      $OpenBSD: bn_internal.h,v 1.21 2025/12/05 14:12:32 tb Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -18,6 +18,7 @@
 #include <openssl/bn.h>
 #include "bn_arch.h"
+#include "bn_local.h"
 #ifndef HEADER_BN_INTERNAL_H
 #define HEADER_BN_INTERNAL_H
@@ -26,6 +27,30 @@ int bn_word_clz(BN_ULONG w);
 int bn_bitsize(const BIGNUM *bn);
+BN_ULONG bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    int num);
+BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    int num);
+BN_ULONG bn_sub_words_borrow(const BN_ULONG *a, const BN_ULONG *b, size_t n);
+BN_ULONG bn_add_words_masked(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    BN_ULONG mask, size_t n);
+BN_ULONG bn_sub_words_masked(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    BN_ULONG mask, size_t n);
+void bn_mod_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n);
+void bn_mod_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n);
+void bn_mod_mul_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, BN_ULONG *t, BN_ULONG m0, size_t n);
+void bn_mod_sqr_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *m,
+    BN_ULONG *t, BN_ULONG m0, size_t n);
+void bn_montgomery_multiply_words(BN_ULONG *rp, const BN_ULONG *ap,
+    const BN_ULONG *bp, const BN_ULONG *np, BN_ULONG *tp, BN_ULONG n0,
+    int n_len);
+void bn_montgomery_reduce_words(BN_ULONG *r, BN_ULONG *a, const BN_ULONG *n,
+    BN_ULONG n0, int n_len);
 #ifndef HAVE_BN_CT_NE_ZERO
 static inline int
 bn_ct_ne_zero(BN_ULONG w)
diff --git a/src/lib/libcrypto/bn/bn_isqrt.c b/src/lib/libcrypto/bn/bn_isqrt.c
index 018d5f34bd..b725519e1a 100644
--- a/src/lib/libcrypto/bn/bn_isqrt.c
+++ b/src/lib/libcrypto/bn/bn_isqrt.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_isqrt.c,v 1.10 2023/06/04 17:28:35 tb Exp $ */
+/*      $OpenBSD: bn_isqrt.c,v 1.11 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
 *
@@ -19,10 +19,10 @@
 #include <stdint.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include "bn_local.h"
 #include "crypto_internal.h"
+#include "err_local.h"
 /*
 * Calculate integer square root of |n| using a variant of Newton's method.
diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c
index 72b988650c..0326e72c4d 100644
--- a/src/lib/libcrypto/bn/bn_lib.c
+++ b/src/lib/libcrypto/bn/bn_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_lib.c,v 1.93 2024/04/16 13:07:14 jsing Exp $ */
+/* $OpenBSD: bn_lib.c,v 1.95 2025/12/15 12:09:46 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,10 +63,9 @@
 #include <openssl/opensslconf.h>
-#include <openssl/err.h>
 #include "bn_local.h"
 #include "bn_internal.h"
+#include "err_local.h"
 BIGNUM *
 BN_new(void)
@@ -350,7 +349,7 @@ BN_ULONG
 BN_get_word(const BIGNUM *a)
 {
        if (a->top > 1)
-                return BN_MASK2;
+                return (BN_ULONG)-1;
        else if (a->top == 1)
                return a->d[0];
        /* a->top == 0 */
diff --git a/src/lib/libcrypto/bn/bn_local.h b/src/lib/libcrypto/bn/bn_local.h
index 067ffab3d9..106a2cdf2d 100644
--- a/src/lib/libcrypto/bn/bn_local.h
+++ b/src/lib/libcrypto/bn/bn_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_local.h,v 1.50 2025/02/13 11:04:20 tb Exp $ */
+/* $OpenBSD: bn_local.h,v 1.61 2025/12/05 14:12:32 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -116,6 +116,20 @@
 #include <openssl/bn.h>
+#if BN_BYTES == 8
+#define BN_MASK2        UINT64_C(0xffffffffffffffff)
+#define BN_MASK2l       UINT64_C(0xffffffff)
+#define BN_MASK2h       UINT64_C(0xffffffff00000000)
+#define BN_BITS         128
+#define BN_BITS4        32
+#else
+#define BN_MASK2        UINT32_C(0xffffffff)
+#define BN_MASK2l       UINT32_C(0xffff)
+#define BN_MASK2h       UINT32_C(0xffff0000)
+#define BN_BITS         64
+#define BN_BITS4        16
+#endif
 __BEGIN_HIDDEN_DECLS
 struct bignum_st {
@@ -239,12 +253,16 @@ BN_ULONG bn_add(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len,
 BN_ULONG bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len,
    const BN_ULONG *b, int b_len);
-void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb);
+void bn_mul_comba4(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b);
-void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
+void bn_mul_comba6(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b);
-void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
+void bn_mul_comba8(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b);
+void bn_mul_words(BN_ULONG *r, const BN_ULONG *a, int a_len, const BN_ULONG *b,
+    int b_len);
 void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a);
+void bn_sqr_comba6(BN_ULONG *r, const BN_ULONG *a);
 void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a);
+void bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int a_len);
 int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
    const BN_ULONG *np, const BN_ULONG *n0, int num);
@@ -254,13 +272,8 @@ int bn_expand_bits(BIGNUM *a, size_t bits);
 int bn_expand_bytes(BIGNUM *a, size_t bytes);
 int bn_wexpand(BIGNUM *a, int words);
-BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+BN_ULONG bn_mulw_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
-    int num);
+BN_ULONG bn_mulw_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
-BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
-    int num);
-BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
-BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
-void     bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
 BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
 void bn_div_rem_words(BN_ULONG h, BN_ULONG l, BN_ULONG d, BN_ULONG *out_q,
    BN_ULONG *out_r);
diff --git a/src/lib/libcrypto/bn/bn_mod.c b/src/lib/libcrypto/bn/bn_mod.c
index 365f6fcf03..7198c02e3b 100644
--- a/src/lib/libcrypto/bn/bn_mod.c
+++ b/src/lib/libcrypto/bn/bn_mod.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mod.c,v 1.22 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_mod.c,v 1.23 2025/05/10 05:54:38 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
 * for the OpenSSL project. */
 /* ====================================================================
@@ -111,9 +111,8 @@
 * [including the GNU Public Licence.]
 */
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 int
 BN_mod_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx)
diff --git a/src/lib/libcrypto/bn/bn_mod_sqrt.c b/src/lib/libcrypto/bn/bn_mod_sqrt.c
index 280002cc48..fc55f84317 100644
--- a/src/lib/libcrypto/bn/bn_mod_sqrt.c
+++ b/src/lib/libcrypto/bn/bn_mod_sqrt.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_mod_sqrt.c,v 1.3 2023/08/03 18:53:55 tb Exp $ */
+/*      $OpenBSD: bn_mod_sqrt.c,v 1.4 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@@ -16,9 +16,8 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 /*
 * Tonelli-Shanks according to H. Cohen "A Course in Computational Algebraic
diff --git a/src/lib/libcrypto/bn/bn_mod_words.c b/src/lib/libcrypto/bn/bn_mod_words.c
new file mode 100644
index 0000000000..f368e074db
--- /dev/null
+++ b/src/lib/libcrypto/bn/bn_mod_words.c
@@ -0,0 +1,110 @@
+/*      $OpenBSD: bn_mod_words.c,v 1.7 2025/09/07 05:21:29 jsing Exp $  */
+/*
+ * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include "bn_local.h"
+#include "bn_internal.h"
+/*
+ * bn_mod_add_words() computes r[] = (a[] + b[]) mod m[], where a, b, r and
+ * m are arrays of words with length n (r may be the same as a or b).
+ */
+#ifndef HAVE_BN_MOD_ADD_WORDS
+void
+bn_mod_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n)
+{
+        BN_ULONG carry, mask;
+        /*
+         * Compute a + b, then compute r - m to determine if r >= m, considering
+         * any carry that resulted from the addition. Finally complete a
+         * conditional subtraction of r - m.
+         */
+        /* XXX - change bn_add_words to use size_t. */
+        carry = bn_add_words(r, a, b, n);
+        mask = ~(carry - bn_sub_words_borrow(r, m, n));
+        bn_sub_words_masked(r, r, m, mask, n);
+}
+#endif
+/*
+ * bn_mod_sub_words() computes r[] = (a[] - b[]) mod m[], where a, b, r and
+ * m are arrays of words with length n (r may be the same as a or b).
+ */
+#ifndef HAVE_BN_MOD_SUB_WORDS
+void
+bn_mod_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, size_t n)
+{
+        BN_ULONG borrow, mask;
+        /*
+         * Compute a - b, then complete a conditional addition of r + m
+         * based on the resulting borrow.
+         */
+        /* XXX - change bn_sub_words to use size_t. */
+        borrow = bn_sub_words(r, a, b, n);
+        mask = (0 - borrow);
+        bn_add_words_masked(r, r, m, mask, n);
+}
+#endif
+/*
+ * bn_mod_mul_words() computes r[] = (a[] * b[]) mod m[], where a, b, r and
+ * m are arrays of words with length n (r may be the same as a or b) in the
+ * Montgomery domain. The result remains in the Montgomery domain.
+ */
+#ifndef HAVE_BN_MOD_MUL_WORDS
+void
+bn_mod_mul_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b,
+    const BN_ULONG *m, BN_ULONG *t, BN_ULONG m0, size_t n)
+{
+        if (n == 4) {
+                bn_mul_comba4(t, a, b);
+        } else if (n == 6) {
+                bn_mul_comba6(t, a, b);
+        } else if (n == 8) {
+                bn_mul_comba8(t, a, b);
+        } else {
+                bn_mul_words(t, a, n, b, n);
+        }
+        bn_montgomery_reduce_words(r, t, m, m0, n);
+}
+#endif
+/*
+ * bn_mod_sqr_words() computes r[] = (a[] * a[]) mod m[], where a, r and
+ * m are arrays of words with length n (r may be the same as a) in the
+ * Montgomery domain. The result remains in the Montgomery domain.
+ */
+#ifndef HAVE_BN_MOD_SQR_WORDS
+void
+bn_mod_sqr_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *m,
+    BN_ULONG *t, BN_ULONG m0, size_t n)
+{
+        if (n == 4) {
+                bn_sqr_comba4(t, a);
+        } else if (n == 6) {
+                bn_sqr_comba6(t, a);
+        } else if (n == 8) {
+                bn_sqr_comba8(t, a);
+        } else {
+                bn_sqr_words(t, a, n);
+        }
+        bn_montgomery_reduce_words(r, t, m, m0, n);
+}
+#endif
diff --git a/src/lib/libcrypto/bn/bn_mont.c b/src/lib/libcrypto/bn/bn_mont.c
index edd7bcd0c8..c9e95fb08b 100644
--- a/src/lib/libcrypto/bn/bn_mont.c
+++ b/src/lib/libcrypto/bn/bn_mont.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mont.c,v 1.66 2025/03/09 15:22:40 tb Exp $ */
+/* $OpenBSD: bn_mont.c,v 1.70 2025/08/30 07:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -116,6 +116,7 @@
 * sections 3.8 and 4.2 in http://security.ece.orst.edu/koc/papers/r01rsasw.pdf
 */
+#include <limits.h>
 #include <stdio.h>
 #include <stdint.h>
 #include <string.h>
@@ -214,7 +215,7 @@ BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx)
                 goto err;
        mont->N.neg = 0;
        mont->ri = ((BN_num_bits(mod) + BN_BITS2 - 1) / BN_BITS2) * BN_BITS2;
-        if (mont->ri * 2 < mont->ri)
+        if (mont->ri > INT_MAX / 2)
                goto err;
        /*
@@ -316,6 +317,44 @@ BN_MONT_CTX_set_locked(BN_MONT_CTX **pmctx, int lock, const BIGNUM *mod,
 LCRYPTO_ALIAS(BN_MONT_CTX_set_locked);
 /*
+ * bn_montgomery_reduce_words() performs Montgomery reduction, reducing the input
+ * from its Montgomery form aR to a, returning the result in r. a must be twice
+ * the length of the modulus. Note that the input is mutated in the process of
+ * performing the reduction.
+ */
+void
+bn_montgomery_reduce_words(BN_ULONG *r, BN_ULONG *a, const BN_ULONG *n,
+    BN_ULONG n0, int n_len)
+{
+        BN_ULONG v, mask;
+        BN_ULONG carry = 0;
+        int i;
+        /* Add multiples of the modulus, so that it becomes divisible by R. */
+        for (i = 0; i < n_len; i++) {
+                v = bn_mulw_add_words(&a[i], n, n_len, a[i] * n0);
+                bn_addw_addw(v, a[i + n_len], carry, &carry, &a[i + n_len]);
+        }
+        /* Divide by R (this is the equivalent of right shifting by n_len). */
+        a = &a[n_len];
+        /*
+         * The output is now in the range of [0, 2N). Attempt to reduce once by
+         * subtracting the modulus. If the reduction was necessary then the
+         * result is already in r, otherwise copy the value prior to reduction
+         * from the top half of a.
+         */
+        mask = carry - bn_sub_words(r, a, n, n_len);
+        for (i = 0; i < n_len; i++) {
+                *r = (*r & ~mask) | (*a & mask);
+                r++;
+                a++;
+        }
+}
+/*
 * bn_montgomery_reduce() performs Montgomery reduction, reducing the input
 * from its Montgomery form aR to a, returning the result in r. Note that the
 * input is mutated in the process of performing the reduction, destroying its
@@ -325,7 +364,6 @@ static int
 bn_montgomery_reduce(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mctx)
 {
        BIGNUM *n;
-        BN_ULONG *ap, *rp, n0, v, carry, mask;
        int i, max, n_len;
        n = &mctx->N;
@@ -341,7 +379,8 @@ bn_montgomery_reduce(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mctx)
        /*
         * Expand a to twice the length of the modulus, zero if necessary.
-         * XXX - make this a requirement of the caller.
+         * XXX - make this a requirement of the caller or use a temporary
+         * allocation.
         */
        if ((max = 2 * n_len) < n_len)
                return 0;
@@ -350,33 +389,8 @@ bn_montgomery_reduce(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mctx)
        for (i = a->top; i < max; i++)
                a->d[i] = 0;
-        carry = 0;
+        bn_montgomery_reduce_words(r->d, a->d, n->d, mctx->n0[0], n_len);
-        n0 = mctx->n0[0];
-        /* Add multiples of the modulus, so that it becomes divisible by R. */
-        for (i = 0; i < n_len; i++) {
-                v = bn_mul_add_words(&a->d[i], n->d, n_len, a->d[i] * n0);
-                bn_addw_addw(v, a->d[i + n_len], carry, &carry,
-                    &a->d[i + n_len]);
-        }
-        /* Divide by R (this is the equivalent of right shifting by n_len). */
-        ap = &a->d[n_len];
-        /*
-         * The output is now in the range of [0, 2N). Attempt to reduce once by
-         * subtracting the modulus. If the reduction was necessary then the
-         * result is already in r, otherwise copy the value prior to reduction
-         * from the top half of a.
-         */
-        mask = carry - bn_sub_words(r->d, ap, n->d, n_len);
-        rp = r->d;
-        for (i = 0; i < n_len; i++) {
-                *rp = (*rp & ~mask) | (*ap & mask);
-                rp++;
-                ap++;
-        }
        r->top = n_len;
        bn_correct_top(r);
@@ -417,7 +431,7 @@ bn_mod_mul_montgomery_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
        return ret;
 }
-static void
+static inline void
 bn_montgomery_multiply_word(const BN_ULONG *ap, BN_ULONG b, const BN_ULONG *np,
    BN_ULONG *tp, BN_ULONG w, BN_ULONG *carry_a, BN_ULONG *carry_n, int n_len)
 {
@@ -452,7 +466,7 @@ bn_montgomery_multiply_word(const BN_ULONG *ap, BN_ULONG b, const BN_ULONG *np,
 * given word arrays. The caller must ensure that rp, ap, bp and np are all
 * n_len words in length, while tp must be n_len * 2 + 2 words in length.
 */
-static void
+void
 bn_montgomery_multiply_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
    const BN_ULONG *np, BN_ULONG *tp, BN_ULONG n0, int n_len)
 {
diff --git a/src/lib/libcrypto/bn/bn_mul.c b/src/lib/libcrypto/bn/bn_mul.c
index bdeb9b0fe8..7db0f61849 100644
--- a/src/lib/libcrypto/bn/bn_mul.c
+++ b/src/lib/libcrypto/bn/bn_mul.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_mul.c,v 1.39 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_mul.c,v 1.46 2025/09/01 15:39:59 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -57,6 +57,7 @@
 */
 #include <assert.h>
+#include <limits.h>
 #include <stdio.h>
 #include <string.h>
@@ -73,7 +74,7 @@
 */
 #ifndef HAVE_BN_MUL_COMBA4
 void
-bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+bn_mul_comba4(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b)
 {
        BN_ULONG c0, c1, c2;
@@ -103,13 +104,73 @@ bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
 #endif
 /*
+ * bn_mul_comba6() computes r[] = a[] * b[] using Comba multiplication
+ * (https://everything2.com/title/Comba+multiplication), where a and b are both
+ * six word arrays, producing a 12 word array result.
+ */
+#ifndef HAVE_BN_MUL_COMBA6
+void
+bn_mul_comba6(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b)
+{
+        BN_ULONG c0, c1, c2;
+        bn_mulw_addtw(a[0], b[0],  0,  0,  0, &c2, &c1, &r[0]);
+        bn_mulw_addtw(a[0], b[1],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[0], c2, c1, c0, &c2, &c1, &r[1]);
+        bn_mulw_addtw(a[2], b[0],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[0], b[2], c2, c1, c0, &c2, &c1, &r[2]);
+        bn_mulw_addtw(a[0], b[3],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[2], b[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[0], c2, c1, c0, &c2, &c1, &r[3]);
+        bn_mulw_addtw(a[4], b[0],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[2], b[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[3], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[0], b[4], c2, c1, c0, &c2, &c1, &r[4]);
+        bn_mulw_addtw(a[0], b[5],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[4], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[2], b[3], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[4], b[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[5], b[0], c2, c1, c0, &c2, &c1, &r[5]);
+        bn_mulw_addtw(a[5], b[1],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[4], b[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[3], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[2], b[4], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[1], b[5], c2, c1, c0, &c2, &c1, &r[6]);
+        bn_mulw_addtw(a[2], b[5],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[4], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[4], b[3], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[5], b[2], c2, c1, c0, &c2, &c1, &r[7]);
+        bn_mulw_addtw(a[5], b[3],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[4], b[4], c2, c1, c0, &c2, &c1, &c0);
+        bn_mulw_addtw(a[3], b[5], c2, c1, c0, &c2, &c1, &r[8]);
+        bn_mulw_addtw(a[4], b[5],  0, c2, c1, &c2, &c1, &c0);
+        bn_mulw_addtw(a[5], b[4], c2, c1, c0, &c2, &c1, &r[9]);
+        bn_mulw_addtw(a[5], b[5],  0, c2, c1, &c2, &r[11], &r[10]);
+}
+#endif
+/*
 * bn_mul_comba8() computes r[] = a[] * b[] using Comba multiplication
 * (https://everything2.com/title/Comba+multiplication), where a and b are both
 * eight word arrays, producing a 16 word array result.
 */
 #ifndef HAVE_BN_MUL_COMBA8
 void
-bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
+bn_mul_comba8(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b)
 {
        BN_ULONG c0, c1, c2;
@@ -195,14 +256,13 @@ bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b)
 #endif
 /*
- * bn_mul_words() computes (carry:r[i]) = a[i] * w + carry, where a is an array
+ * bn_mulw_words() computes (carry:r[i]) = a[i] * w + carry, where a is an array
- * of words and w is a single word. This should really be called bn_mulw_words()
+ * of words and w is a single word. This is used as a step in the multiplication
- * since only one input is an array. This is used as a step in the multiplication
 * of word arrays.
 */
-#ifndef HAVE_BN_MUL_WORDS
+#ifndef HAVE_BN_MULW_WORDS
 BN_ULONG
-bn_mul_words(BN_ULONG *r, const BN_ULONG *a, int num, BN_ULONG w)
+bn_mulw_words(BN_ULONG *r, const BN_ULONG *a, int num, BN_ULONG w)
 {
        BN_ULONG carry = 0;
@@ -228,14 +288,13 @@ bn_mul_words(BN_ULONG *r, const BN_ULONG *a, int num, BN_ULONG w)
 #endif
 /*
- * bn_mul_add_words() computes (carry:r[i]) = a[i] * w + r[i] + carry, where
+ * bn_mulw_add_words() computes (carry:r[i]) = a[i] * w + r[i] + carry, where
- * a is an array of words and w is a single word. This should really be called
+ * a is an array of words and w is a single word. This is used as a step in the
- * bn_mulw_add_words() since only one input is an array. This is used as a step
+ * multiplication of word arrays.
- * in the multiplication of word arrays.
 */
-#ifndef HAVE_BN_MUL_ADD_WORDS
+#ifndef HAVE_BN_MULW_ADD_WORDS
 BN_ULONG
-bn_mul_add_words(BN_ULONG *r, const BN_ULONG *a, int num, BN_ULONG w)
+bn_mulw_add_words(BN_ULONG *r, const BN_ULONG *a, int num, BN_ULONG w)
 {
        BN_ULONG carry = 0;
@@ -262,62 +321,60 @@ bn_mul_add_words(BN_ULONG *r, const BN_ULONG *a, int num, BN_ULONG w)
 }
 #endif
+#ifndef HAVE_BN_MUL_WORDS
 void
-bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb)
+bn_mul_words(BN_ULONG *r, const BN_ULONG *a, int a_len, const BN_ULONG *b,
+    int b_len)
 {
        BN_ULONG *rr;
+        if (a_len < b_len) {
-        if (na < nb) {
                int itmp;
-                BN_ULONG *ltmp;
+                const BN_ULONG *ltmp;
-                itmp = na;
+                itmp = a_len;
-                na = nb;
+                a_len = b_len;
-                nb = itmp;
+                b_len = itmp;
                ltmp = a;
                a = b;
                b = ltmp;
        }
-        rr = &(r[na]);
+        rr = &(r[a_len]);
-        if (nb <= 0) {
+        if (b_len <= 0) {
-                (void)bn_mul_words(r, a, na, 0);
+                (void)bn_mulw_words(r, a, a_len, 0);
                return;
        } else
-                rr[0] = bn_mul_words(r, a, na, b[0]);
+                rr[0] = bn_mulw_words(r, a, a_len, b[0]);
        for (;;) {
-                if (--nb <= 0)
+                if (--b_len <= 0)
                        return;
-                rr[1] = bn_mul_add_words(&(r[1]), a, na, b[1]);
+                rr[1] = bn_mulw_add_words(&(r[1]), a, a_len, b[1]);
-                if (--nb <= 0)
+                if (--b_len <= 0)
                        return;
-                rr[2] = bn_mul_add_words(&(r[2]), a, na, b[2]);
+                rr[2] = bn_mulw_add_words(&(r[2]), a, a_len, b[2]);
-                if (--nb <= 0)
+                if (--b_len <= 0)
                        return;
-                rr[3] = bn_mul_add_words(&(r[3]), a, na, b[3]);
+                rr[3] = bn_mulw_add_words(&(r[3]), a, a_len, b[3]);
-                if (--nb <= 0)
+                if (--b_len <= 0)
                        return;
-                rr[4] = bn_mul_add_words(&(r[4]), a, na, b[4]);
+                rr[4] = bn_mulw_add_words(&(r[4]), a, a_len, b[4]);
                rr += 4;
                r += 4;
                b += 4;
        }
 }
+#endif
+static int
-#ifndef HAVE_BN_MUL
-int
 bn_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, int rn, BN_CTX *ctx)
 {
-        bn_mul_normal(r->d, a->d, a->top, b->d, b->top);
+        bn_mul_words(r->d, a->d, a->top, b->d, b->top);
        return 1;
 }
-#endif /* HAVE_BN_MUL */
 int
 BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
 {
@@ -338,14 +395,16 @@ BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
        if (rr == NULL)
                goto err;
-        rn = a->top + b->top;
+        if (a->top > INT_MAX - b->top)
-        if (rn < a->top)
                goto err;
+        rn = a->top + b->top;
        if (!bn_wexpand(rr, rn))
                goto err;
        if (a->top == 4 && b->top == 4) {
                bn_mul_comba4(rr->d, a->d, b->d);
+        } else if (a->top == 6 && b->top == 6) {
+                bn_mul_comba6(rr->d, a->d, b->d);
        } else if (a->top == 8 && b->top == 8) {
                bn_mul_comba8(rr->d, a->d, b->d);
        } else {
diff --git a/src/lib/libcrypto/bn/bn_prime.c b/src/lib/libcrypto/bn/bn_prime.c
index 5a4aa50bf1..3d7f18a8ea 100644
--- a/src/lib/libcrypto/bn/bn_prime.c
+++ b/src/lib/libcrypto/bn/bn_prime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_prime.c,v 1.34 2023/07/20 06:26:27 tb Exp $ */
+/* $OpenBSD: bn_prime.c,v 1.37 2025/11/08 16:27:33 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -109,12 +109,12 @@
 *
 */
-#include <stdio.h>
+#include <stddef.h>
-#include <time.h>
-#include <openssl/err.h>
+#include <openssl/bn.h>
 #include "bn_local.h"
+#include "err_local.h"
 /* The quick sieve algorithm approach to weeding out primes is
 * Philip Zimmermann's, as implemented in PGP.  I have had a read of
@@ -339,7 +339,7 @@ probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add, const BIGNUM *rem,
 loop:
        for (i = 1; i < NUMPRIMES; i++) {
                /* check that rnd is a prime */
-                BN_LONG mod = BN_mod_word(rnd, primes[i]);
+                BN_ULONG mod = BN_mod_word(rnd, primes[i]);
                if (mod == (BN_ULONG)-1)
                        goto err;
                if (mod <= 1) {
diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c
index 9cfcd8e2c0..d3b16f70a0 100644
--- a/src/lib/libcrypto/bn/bn_rand.c
+++ b/src/lib/libcrypto/bn/bn_rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_rand.c,v 1.30 2024/03/16 20:42:33 tb Exp $ */
+/* $OpenBSD: bn_rand.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -115,9 +115,8 @@
 #include <string.h>
 #include <time.h>
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 static int
 bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
diff --git a/src/lib/libcrypto/bn/bn_recp.c b/src/lib/libcrypto/bn/bn_recp.c
index e3f22c52a9..ed5049b772 100644
--- a/src/lib/libcrypto/bn/bn_recp.c
+++ b/src/lib/libcrypto/bn/bn_recp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_recp.c,v 1.33 2025/02/04 20:22:20 tb Exp $ */
+/* $OpenBSD: bn_recp.c,v 1.34 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -58,9 +58,8 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 struct bn_recp_ctx_st {
        BIGNUM *N;      /* the divisor */
diff --git a/src/lib/libcrypto/bn/bn_shift.c b/src/lib/libcrypto/bn/bn_shift.c
index 12edc7c0a0..b9f73cc322 100644
--- a/src/lib/libcrypto/bn/bn_shift.c
+++ b/src/lib/libcrypto/bn/bn_shift.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_shift.c,v 1.22 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_shift.c,v 1.23 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2022, 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -16,9 +16,9 @@
 */
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include "bn_local.h"
+#include "err_local.h"
 static inline int
 bn_lshift(BIGNUM *r, const BIGNUM *a, int n)
diff --git a/src/lib/libcrypto/bn/bn_sqr.c b/src/lib/libcrypto/bn/bn_sqr.c
index 0dbccbf85d..27e08bdf13 100644
--- a/src/lib/libcrypto/bn/bn_sqr.c
+++ b/src/lib/libcrypto/bn/bn_sqr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_sqr.c,v 1.36 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_sqr.c,v 1.42 2025/09/07 05:21:29 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -64,8 +64,6 @@
 #include "bn_local.h"
 #include "bn_internal.h"
-int bn_sqr(BIGNUM *r, const BIGNUM *a, int max, BN_CTX *ctx);
 /*
 * bn_sqr_comba4() computes r[] = a[] * a[] using Comba multiplication
 * (https://everything2.com/title/Comba+multiplication), where a is a
@@ -97,6 +95,51 @@ bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a)
 #endif
 /*
+ * bn_sqr_comba6() computes r[] = a[] * a[] using Comba multiplication
+ * (https://everything2.com/title/Comba+multiplication), where a is an
+ * six word array, producing an 12 word array result.
+ */
+#ifndef HAVE_BN_SQR_COMBA6
+void
+bn_sqr_comba6(BN_ULONG *r, const BN_ULONG *a)
+{
+        BN_ULONG c2, c1, c0;
+        bn_mulw_addtw(a[0], a[0], 0, 0, 0, &c2, &c1, &r[0]);
+        bn_mul2_mulw_addtw(a[1], a[0], 0, c2, c1, &c2, &c1, &r[1]);
+        bn_mulw_addtw(a[1], a[1], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[2], a[0], c2, c1, c0, &c2, &c1, &r[2]);
+        bn_mul2_mulw_addtw(a[3], a[0], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[2], a[1], c2, c1, c0, &c2, &c1, &r[3]);
+        bn_mulw_addtw(a[2], a[2], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[3], a[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[4], a[0], c2, c1, c0, &c2, &c1, &r[4]);
+        bn_mul2_mulw_addtw(a[5], a[0], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[4], a[1], c2, c1, c0, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[3], a[2], c2, c1, c0, &c2, &c1, &r[5]);
+        bn_mulw_addtw(a[3], a[3], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[4], a[2], c2, c1, c0, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[5], a[1], c2, c1, c0, &c2, &c1, &r[6]);
+        bn_mul2_mulw_addtw(a[5], a[2], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[4], a[3], c2, c1, c0, &c2, &c1, &r[7]);
+        bn_mulw_addtw(a[4], a[4], 0, c2, c1, &c2, &c1, &c0);
+        bn_mul2_mulw_addtw(a[5], a[3], c2, c1, c0, &c2, &c1, &r[8]);
+        bn_mul2_mulw_addtw(a[5], a[4], 0, c2, c1, &c2, &c1, &r[9]);
+        bn_mulw_addtw(a[5], a[5], 0, c2, c1, &c2, &r[11], &r[10]);
+}
+#endif
+/*
 * bn_sqr_comba8() computes r[] = a[] * a[] using Comba multiplication
 * (https://everything2.com/title/Comba+multiplication), where a is an
 * eight word array, producing an 16 word array result.
@@ -160,7 +203,7 @@ bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a)
 }
 #endif
-#ifndef HAVE_BN_SQR
+#ifndef HAVE_BN_SQR_WORDS
 /*
 * bn_sqr_add_words() computes (r[i*2+1]:r[i*2]) = (r[i*2+1]:r[i*2]) + a[i] * a[i].
 */
@@ -197,12 +240,16 @@ bn_sqr_add_words(BN_ULONG *r, const BN_ULONG *a, int n)
        }
 }
-static void
+/*
-bn_sqr_normal(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len)
+ * bn_sqr_words() computes r[] = a[] * a[].
+ */
+void
+bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int a_len)
 {
        const BN_ULONG *ap;
        BN_ULONG *rp;
        BN_ULONG w;
+        int r_len;
        int n;
        if (a_len <= 0)
@@ -213,13 +260,14 @@ bn_sqr_normal(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len)
        ap++;
        rp = r;
+        r_len = a_len * 2;
        rp[0] = rp[r_len - 1] = 0;
        rp++;
        /* Compute initial product - r[n:1] = a[n:1] * a[0] */
        n = a_len - 1;
        if (n > 0) {
-                rp[n] = bn_mul_words(rp, ap, n, w);
+                rp[n] = bn_mulw_words(rp, ap, n, w);
        }
        rp += 2;
        n--;
@@ -229,7 +277,7 @@ bn_sqr_normal(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len)
                w = ap[0];
                ap++;
-                rp[n] = bn_mul_add_words(rp, ap, n, w);
+                rp[n] = bn_mulw_add_words(rp, ap, n, w);
                rp += 2;
                n--;
        }
@@ -240,20 +288,20 @@ bn_sqr_normal(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len)
        /* Add squares. */
        bn_sqr_add_words(r, a, a_len);
 }
+#endif
 /*
 * bn_sqr() computes a * a, storing the result in r. The caller must ensure that
 * r is not the same BIGNUM as a and that r has been expanded to rn = a->top * 2
 * words.
 */
-int
+static int
-bn_sqr(BIGNUM *r, const BIGNUM *a, int r_len, BN_CTX *ctx)
+bn_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
 {
-        bn_sqr_normal(r->d, r_len, a->d, a->top);
+        bn_sqr_words(r->d, a->d, a->top);
        return 1;
 }
-#endif
 int
 BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
@@ -281,10 +329,12 @@ BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx)
        if (a->top == 4) {
                bn_sqr_comba4(rr->d, a->d);
+        } else if (a->top == 6) {
+                bn_sqr_comba6(rr->d, a->d);
        } else if (a->top == 8) {
                bn_sqr_comba8(rr->d, a->d);
        } else {
-                if (!bn_sqr(rr, a, r_len, ctx))
+                if (!bn_sqr(rr, a, ctx))
                        goto err;
        }
diff --git a/src/lib/libcrypto/bn/bn_word.c b/src/lib/libcrypto/bn/bn_word.c
index a82b911e67..e035878cb9 100644
--- a/src/lib/libcrypto/bn/bn_word.c
+++ b/src/lib/libcrypto/bn/bn_word.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_word.c,v 1.21 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_word.c,v 1.22 2025/08/30 07:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -232,7 +232,7 @@ BN_mul_word(BIGNUM *a, BN_ULONG w)
                if (w == 0)
                        BN_zero(a);
                else {
-                        ll = bn_mul_words(a->d, a->d, a->top, w);
+                        ll = bn_mulw_words(a->d, a->d, a->top, w);
                        if (ll) {
                                if (!bn_wexpand(a, a->top + 1))
                                        return (0);
diff --git a/src/lib/libcrypto/bn/s2n_bignum.h b/src/lib/libcrypto/bn/s2n_bignum.h
index ce6e8cdc94..7d77894cdc 100644
--- a/src/lib/libcrypto/bn/s2n_bignum.h
+++ b/src/lib/libcrypto/bn/s2n_bignum.h
@@ -1,3 +1,5 @@
+// $OpenBSD: s2n_bignum.h,v 1.4 2025/08/12 10:01:37 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -34,182 +36,240 @@
 //        throughput, generally offering higher performance there.
 // ----------------------------------------------------------------------------
+#if defined(_MSC_VER) || !defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L || defined(__STDC_NO_VLA__)
+#define S2N_BIGNUM_STATIC
+#else
+#define S2N_BIGNUM_STATIC static
+#endif
 // Add, z := x + y
 // Inputs x[m], y[n]; outputs function return (carry-out) and z[p]
-extern uint64_t bignum_add (uint64_t p, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_add (uint64_t p, uint64_t *z, uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 // Add modulo p_25519, z := (x + y) mod p_25519, assuming x and y reduced
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_add_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_add_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // Add modulo p_256, z := (x + y) mod p_256, assuming x and y reduced
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_add_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_add_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // Add modulo p_256k1, z := (x + y) mod p_256k1, assuming x and y reduced
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_add_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_add_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // Add modulo p_384, z := (x + y) mod p_384, assuming x and y reduced
 // Inputs x[6], y[6]; output z[6]
-extern void bignum_add_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
+extern void bignum_add_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6], const uint64_t y[S2N_BIGNUM_STATIC 6]);
 // Add modulo p_521, z := (x + y) mod p_521, assuming x and y reduced
 // Inputs x[9], y[9]; output z[9]
-extern void bignum_add_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+extern void bignum_add_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9], const uint64_t y[S2N_BIGNUM_STATIC 9]);
+// Add modulo p_sm2, z := (x + y) mod p_sm2, assuming x and y reduced
+// Inputs x[4], y[4]; output z[4]
+extern void bignum_add_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // Compute "amontification" constant z :== 2^{128k} (congruent mod m)
 // Input m[k]; output z[k]; temporary buffer t[>=k]
-extern void bignum_amontifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t);
+extern void bignum_amontifier (uint64_t k, uint64_t *z, const uint64_t *m, uint64_t *t);
 // Almost-Montgomery multiply, z :== (x * y / 2^{64k}) (congruent mod m)
 // Inputs x[k], y[k], m[k]; output z[k]
-extern void bignum_amontmul (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
+extern void bignum_amontmul (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *y, const uint64_t *m);
 // Almost-Montgomery reduce, z :== (x' / 2^{64p}) (congruent mod m)
 // Inputs x[n], m[k], p; output z[k]
-extern void bignum_amontredc (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t *m, uint64_t p);
+extern void bignum_amontredc (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x, const uint64_t *m, uint64_t p);
 // Almost-Montgomery square, z :== (x^2 / 2^{64k}) (congruent mod m)
 // Inputs x[k], m[k]; output z[k]
-extern void bignum_amontsqr (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
+extern void bignum_amontsqr (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *m);
 // Convert 4-digit (256-bit) bignum to/from big-endian form
 // Input x[4]; output z[4]
-extern void bignum_bigendian_4 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_bigendian_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Convert 6-digit (384-bit) bignum to/from big-endian form
 // Input x[6]; output z[6]
-extern void bignum_bigendian_6 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_bigendian_6 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Select bitfield starting at bit n with length l <= 64
 // Inputs x[k], n, l; output function return
-extern uint64_t bignum_bitfield (uint64_t k, uint64_t *x, uint64_t n, uint64_t l);
+extern uint64_t bignum_bitfield (uint64_t k, const uint64_t *x, uint64_t n, uint64_t l);
 // Return size of bignum in bits
 // Input x[k]; output function return
-extern uint64_t bignum_bitsize (uint64_t k, uint64_t *x);
+extern uint64_t bignum_bitsize (uint64_t k, const uint64_t *x);
 // Divide by a single (nonzero) word, z := x / m and return x mod m
 // Inputs x[n], m; outputs function return (remainder) and z[k]
-extern uint64_t bignum_cdiv (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t m);
+extern uint64_t bignum_cdiv (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x, uint64_t m);
 // Divide by a single word, z := x / m when known to be exact
 // Inputs x[n], m; output z[k]
-extern void bignum_cdiv_exact (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t m);
+extern void bignum_cdiv_exact (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x, uint64_t m);
 // Count leading zero digits (64-bit words)
 // Input x[k]; output function return
-extern uint64_t bignum_cld (uint64_t k, uint64_t *x);
+extern uint64_t bignum_cld (uint64_t k, const uint64_t *x);
 // Count leading zero bits
 // Input x[k]; output function return
-extern uint64_t bignum_clz (uint64_t k, uint64_t *x);
+extern uint64_t bignum_clz (uint64_t k, const uint64_t *x);
 // Multiply-add with single-word multiplier, z := z + c * y
 // Inputs c, y[n]; outputs function return (carry-out) and z[k]
-extern uint64_t bignum_cmadd (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y);
+extern uint64_t bignum_cmadd (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, const uint64_t *y);
 // Negated multiply-add with single-word multiplier, z := z - c * y
 // Inputs c, y[n]; outputs function return (negative carry-out) and z[k]
-extern uint64_t bignum_cmnegadd (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y);
+extern uint64_t bignum_cmnegadd (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, const uint64_t *y);
 // Find modulus of bignum w.r.t. single nonzero word m, returning x mod m
 // Input x[k], m; output function return
-extern uint64_t bignum_cmod (uint64_t k, uint64_t *x, uint64_t m);
+extern uint64_t bignum_cmod (uint64_t k, const uint64_t *x, uint64_t m);
 // Multiply by a single word, z := c * y
 // Inputs c, y[n]; outputs function return (carry-out) and z[k]
-extern uint64_t bignum_cmul (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y);
+extern uint64_t bignum_cmul (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, const uint64_t *y);
 // Multiply by a single word modulo p_25519, z := (c * x) mod p_25519, assuming x reduced
 // Inputs c, x[4]; output z[4]
-extern void bignum_cmul_p25519 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+extern void bignum_cmul_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
-extern void bignum_cmul_p25519_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+extern void bignum_cmul_p25519_alt (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Multiply by a single word modulo p_256, z := (c * x) mod p_256, assuming x reduced
 // Inputs c, x[4]; output z[4]
-extern void bignum_cmul_p256 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+extern void bignum_cmul_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
-extern void bignum_cmul_p256_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+extern void bignum_cmul_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Multiply by a single word modulo p_256k1, z := (c * x) mod p_256k1, assuming x reduced
 // Inputs c, x[4]; output z[4]
-extern void bignum_cmul_p256k1 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+extern void bignum_cmul_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
-extern void bignum_cmul_p256k1_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+extern void bignum_cmul_p256k1_alt (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Multiply by a single word modulo p_384, z := (c * x) mod p_384, assuming x reduced
 // Inputs c, x[6]; output z[6]
-extern void bignum_cmul_p384 (uint64_t z[static 6], uint64_t c, uint64_t x[static 6]);
+extern void bignum_cmul_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 6]);
-extern void bignum_cmul_p384_alt (uint64_t z[static 6], uint64_t c, uint64_t x[static 6]);
+extern void bignum_cmul_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Multiply by a single word modulo p_521, z := (c * x) mod p_521, assuming x reduced
 // Inputs c, x[9]; output z[9]
-extern void bignum_cmul_p521 (uint64_t z[static 9], uint64_t c, uint64_t x[static 9]);
+extern void bignum_cmul_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 9]);
-extern void bignum_cmul_p521_alt (uint64_t z[static 9], uint64_t c, uint64_t x[static 9]);
+extern void bignum_cmul_p521_alt (uint64_t z[S2N_BIGNUM_STATIC 9], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 9]);
+// Multiply by a single word modulo p_sm2, z := (c * x) mod p_sm2, assuming x reduced
+// Inputs c, x[4]; output z[4]
+extern void bignum_cmul_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_cmul_sm2_alt (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t c, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Test bignums for coprimality, gcd(x,y) = 1
 // Inputs x[m], y[n]; output function return; temporary buffer t[>=2*max(m,n)]
-extern uint64_t bignum_coprime (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y, uint64_t *t);
+extern uint64_t bignum_coprime (uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y, uint64_t *t);
 // Copy bignum with zero-extension or truncation, z := x
 // Input x[n]; output z[k]
-extern void bignum_copy (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x);
+extern void bignum_copy (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x);
+// Given table: uint64_t[height*width], copy table[idx*width...(idx+1)*width-1]
+// into z[0..width-1].
+// This function is constant-time with respect to the value of `idx`. This is
+// achieved by reading the whole table and using the bit-masking to get the
+// `idx`-th row.
+// Input table[height*width]; output z[width]
+extern void bignum_copy_row_from_table (uint64_t *z, const uint64_t *table, uint64_t height,
+        uint64_t width, uint64_t idx);
+// Given table: uint64_t[height*width], copy table[idx*width...(idx+1)*width-1]
+// into z[0..width-1]. width must be a multiple of 8.
+// This function is constant-time with respect to the value of `idx`. This is
+// achieved by reading the whole table and using the bit-masking to get the
+// `idx`-th row.
+// Input table[height*width]; output z[width]
+extern void bignum_copy_row_from_table_8n (uint64_t *z, const uint64_t *table,
+        uint64_t height, uint64_t width, uint64_t idx);
+// Given table: uint64_t[height*16], copy table[idx*16...(idx+1)*16-1] into z[0..row-1].
+// This function is constant-time with respect to the value of `idx`. This is
+// achieved by reading the whole table and using the bit-masking to get the
+// `idx`-th row.
+// Input table[height*16]; output z[16]
+extern void bignum_copy_row_from_table_16 (uint64_t *z, const uint64_t *table,
+        uint64_t height, uint64_t idx);
+// Given table: uint64_t[height*32], copy table[idx*32...(idx+1)*32-1] into z[0..row-1].
+// This function is constant-time with respect to the value of `idx`. This is
+// achieved by reading the whole table and using the bit-masking to get the
+// `idx`-th row.
+// Input table[height*32]; output z[32]
+extern void bignum_copy_row_from_table_32 (uint64_t *z, const uint64_t *table,
+        uint64_t height, uint64_t idx);
 // Count trailing zero digits (64-bit words)
 // Input x[k]; output function return
-extern uint64_t bignum_ctd (uint64_t k, uint64_t *x);
+extern uint64_t bignum_ctd (uint64_t k, const uint64_t *x);
 // Count trailing zero bits
 // Input x[k]; output function return
-extern uint64_t bignum_ctz (uint64_t k, uint64_t *x);
+extern uint64_t bignum_ctz (uint64_t k, const uint64_t *x);
 // Convert from almost-Montgomery form, z := (x / 2^256) mod p_256
 // Input x[4]; output z[4]
-extern void bignum_deamont_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_deamont_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
-extern void bignum_deamont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_deamont_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Convert from almost-Montgomery form, z := (x / 2^256) mod p_256k1
 // Input x[4]; output z[4]
-extern void bignum_deamont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_deamont_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Convert from almost-Montgomery form, z := (x / 2^384) mod p_384
 // Input x[6]; output z[6]
-extern void bignum_deamont_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_deamont_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
-extern void bignum_deamont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_deamont_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Convert from almost-Montgomery form z := (x / 2^576) mod p_521
 // Input x[9]; output z[9]
-extern void bignum_deamont_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_deamont_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+// Convert from almost-Montgomery form z := (x / 2^256) mod p_sm2
+// Input x[4]; output z[4]
+extern void bignum_deamont_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Convert from (almost-)Montgomery form z := (x / 2^{64k}) mod m
 // Inputs x[k], m[k]; output z[k]
-extern void bignum_demont (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
+extern void bignum_demont (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *m);
 // Convert from Montgomery form z := (x / 2^256) mod p_256, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_demont_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_demont_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
-extern void bignum_demont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_demont_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Convert from Montgomery form z := (x / 2^256) mod p_256k1, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_demont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_demont_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Convert from Montgomery form z := (x / 2^384) mod p_384, assuming x reduced
 // Input x[6]; output z[6]
-extern void bignum_demont_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_demont_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
-extern void bignum_demont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_demont_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Convert from Montgomery form z := (x / 2^576) mod p_521, assuming x reduced
 // Input x[9]; output z[9]
-extern void bignum_demont_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_demont_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+// Convert from Montgomery form z := (x / 2^256) mod p_sm2, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_demont_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Select digit x[n]
 // Inputs x[k], n; output function return
-extern uint64_t bignum_digit (uint64_t k, uint64_t *x, uint64_t n);
+extern uint64_t bignum_digit (uint64_t k, const uint64_t *x, uint64_t n);
 // Return size of bignum in digits (64-bit word)
 // Input x[k]; output function return
-extern uint64_t bignum_digitsize (uint64_t k, uint64_t *x);
+extern uint64_t bignum_digitsize (uint64_t k, const uint64_t *x);
 // Divide bignum by 10: z' := z div 10, returning remainder z mod 10
 // Inputs z[k]; outputs function return (remainder) and z[k]
@@ -217,294 +277,391 @@ extern uint64_t bignum_divmod10 (uint64_t k, uint64_t *z);
 // Double modulo p_25519, z := (2 * x) mod p_25519, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_double_p25519 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_double_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Double modulo p_256, z := (2 * x) mod p_256, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_double_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_double_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Double modulo p_256k1, z := (2 * x) mod p_256k1, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_double_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_double_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Double modulo p_384, z := (2 * x) mod p_384, assuming x reduced
 // Input x[6]; output z[6]
-extern void bignum_double_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_double_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Double modulo p_521, z := (2 * x) mod p_521, assuming x reduced
 // Input x[9]; output z[9]
-extern void bignum_double_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_double_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+// Double modulo p_sm2, z := (2 * x) mod p_sm2, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_double_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Extended Montgomery reduce, returning results in input-output buffer
 // Inputs z[2*k], m[k], w; outputs function return (extra result bit) and z[2*k]
-extern uint64_t bignum_emontredc (uint64_t k, uint64_t *z, uint64_t *m, uint64_t w);
+extern uint64_t bignum_emontredc (uint64_t k, uint64_t *z, const uint64_t *m, uint64_t w);
 // Extended Montgomery reduce in 8-digit blocks, results in input-output buffer
 // Inputs z[2*k], m[k], w; outputs function return (extra result bit) and z[2*k]
-extern uint64_t bignum_emontredc_8n (uint64_t k, uint64_t *z, uint64_t *m, uint64_t w);
+extern uint64_t bignum_emontredc_8n (uint64_t k, uint64_t *z, const uint64_t *m, uint64_t w);
+// Inputs z[2*k], m[k], w; outputs function return (extra result bit) and z[2*k]
+// Temporary buffer m_precalc[12*(k/4-1)]
+extern uint64_t bignum_emontredc_8n_cdiff (uint64_t k, uint64_t *z, const uint64_t *m,
+                                          uint64_t w, uint64_t *m_precalc);
 // Test bignums for equality, x = y
 // Inputs x[m], y[n]; output function return
-extern uint64_t bignum_eq (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_eq (uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 // Test bignum for even-ness
 // Input x[k]; output function return
-extern uint64_t bignum_even (uint64_t k, uint64_t *x);
+extern uint64_t bignum_even (uint64_t k, const uint64_t *x);
 // Convert 4-digit (256-bit) bignum from big-endian bytes
 // Input x[32] (bytes); output z[4]
-extern void bignum_frombebytes_4 (uint64_t z[static 4], uint8_t x[static 32]);
+extern void bignum_frombebytes_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint8_t x[S2N_BIGNUM_STATIC 32]);
 // Convert 6-digit (384-bit) bignum from big-endian bytes
 // Input x[48] (bytes); output z[6]
-extern void bignum_frombebytes_6 (uint64_t z[static 6], uint8_t x[static 48]);
+extern void bignum_frombebytes_6 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint8_t x[S2N_BIGNUM_STATIC 48]);
 // Convert 4-digit (256-bit) bignum from little-endian bytes
 // Input x[32] (bytes); output z[4]
-extern void bignum_fromlebytes_4 (uint64_t z[static 4], uint8_t x[static 32]);
+extern void bignum_fromlebytes_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint8_t x[S2N_BIGNUM_STATIC 32]);
 // Convert 6-digit (384-bit) bignum from little-endian bytes
 // Input x[48] (bytes); output z[6]
-extern void bignum_fromlebytes_6 (uint64_t z[static 6], uint8_t x[static 48]);
+extern void bignum_fromlebytes_6 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint8_t x[S2N_BIGNUM_STATIC 48]);
 // Convert little-endian bytes to 9-digit 528-bit bignum
 // Input x[66] (bytes); output z[9]
-extern void bignum_fromlebytes_p521 (uint64_t z[static 9],uint8_t x[static 66]);
+extern void bignum_fromlebytes_p521 (uint64_t z[S2N_BIGNUM_STATIC 9],const uint8_t x[S2N_BIGNUM_STATIC 66]);
 // Compare bignums, x >= y
 // Inputs x[m], y[n]; output function return
-extern uint64_t bignum_ge (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_ge (uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 // Compare bignums, x > y
 // Inputs x[m], y[n]; output function return
-extern uint64_t bignum_gt (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_gt (uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 // Halve modulo p_256, z := (x / 2) mod p_256, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_half_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_half_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Halve modulo p_256k1, z := (x / 2) mod p_256k1, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_half_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_half_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Halve modulo p_384, z := (x / 2) mod p_384, assuming x reduced
 // Input x[6]; output z[6]
-extern void bignum_half_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_half_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Halve modulo p_521, z := (x / 2) mod p_521, assuming x reduced
 // Input x[9]; output z[9]
-extern void bignum_half_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_half_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+// Halve modulo p_sm2, z := (x / 2) mod p_sm2, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_half_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+// Modular inverse modulo p_25519 = 2^255 - 19
+// Input x[4]; output z[4]
+extern void bignum_inv_p25519(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
+// Modular inverse modulo p_256 = 2^256 - 2^224 + 2^192 + 2^96 - 1
+// Input x[4]; output z[4]
+extern void bignum_inv_p256(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
+// Modular inverse modulo p_384 = 2^384 - 2^128 - 2^96 + 2^32 - 1
+// Input x[6]; output z[6]
+extern void bignum_inv_p384(uint64_t z[S2N_BIGNUM_STATIC 6],const uint64_t x[S2N_BIGNUM_STATIC 6]);
+// Modular inverse modulo p_521 = 2^521 - 1
+// Input x[9]; output z[9]
+extern void bignum_inv_p521(uint64_t z[S2N_BIGNUM_STATIC 9],const uint64_t x[S2N_BIGNUM_STATIC 9]);
+// Modular inverse modulo p_sm2 = 2^256 - 2^224 - 2^96 + 2^64 - 1
+// Input x[4]; output z[4]
+extern void bignum_inv_sm2(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
+// Inverse square root modulo p_25519
+// Input x[4]; output function return (Legendre symbol) and z[4]
+extern int64_t bignum_invsqrt_p25519(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern int64_t bignum_invsqrt_p25519_alt(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Test bignum for zero-ness, x = 0
 // Input x[k]; output function return
-extern uint64_t bignum_iszero (uint64_t k, uint64_t *x);
+extern uint64_t bignum_iszero (uint64_t k, const uint64_t *x);
 // Multiply z := x * y
 // Inputs x[16], y[16]; output z[32]; temporary buffer t[>=32]
-extern void bignum_kmul_16_32 (uint64_t z[static 32], uint64_t x[static 16], uint64_t y[static 16], uint64_t t[static 32]);
+extern void bignum_kmul_16_32 (uint64_t z[S2N_BIGNUM_STATIC 32], const uint64_t x[S2N_BIGNUM_STATIC 16], const uint64_t y[S2N_BIGNUM_STATIC 16], uint64_t t[S2N_BIGNUM_STATIC 32]);
 // Multiply z := x * y
 // Inputs x[32], y[32]; output z[64]; temporary buffer t[>=96]
-extern void bignum_kmul_32_64 (uint64_t z[static 64], uint64_t x[static 32], uint64_t y[static 32], uint64_t t[static 96]);
+extern void bignum_kmul_32_64 (uint64_t z[S2N_BIGNUM_STATIC 64], const uint64_t x[S2N_BIGNUM_STATIC 32], const uint64_t y[S2N_BIGNUM_STATIC 32], uint64_t t[S2N_BIGNUM_STATIC 96]);
 // Square, z := x^2
 // Input x[16]; output z[32]; temporary buffer t[>=24]
-extern void bignum_ksqr_16_32 (uint64_t z[static 32], uint64_t x[static 16], uint64_t t[static 24]);
+extern void bignum_ksqr_16_32 (uint64_t z[S2N_BIGNUM_STATIC 32], const uint64_t x[S2N_BIGNUM_STATIC 16], uint64_t t[S2N_BIGNUM_STATIC 24]);
 // Square, z := x^2
 // Input x[32]; output z[64]; temporary buffer t[>=72]
-extern void bignum_ksqr_32_64 (uint64_t z[static 64], uint64_t x[static 32], uint64_t t[static 72]);
+extern void bignum_ksqr_32_64 (uint64_t z[S2N_BIGNUM_STATIC 64], const uint64_t x[S2N_BIGNUM_STATIC 32], uint64_t t[S2N_BIGNUM_STATIC 72]);
 // Compare bignums, x <= y
 // Inputs x[m], y[n]; output function return
-extern uint64_t bignum_le (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_le (uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 // Convert 4-digit (256-bit) bignum to/from little-endian form
 // Input x[4]; output z[4]
-extern void bignum_littleendian_4 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_littleendian_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Convert 6-digit (384-bit) bignum to/from little-endian form
 // Input x[6]; output z[6]
-extern void bignum_littleendian_6 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_littleendian_6 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Compare bignums, x < y
 // Inputs x[m], y[n]; output function return
-extern uint64_t bignum_lt (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_lt (uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 // Multiply-add, z := z + x * y
 // Inputs x[m], y[n]; outputs function return (carry-out) and z[k]
-extern uint64_t bignum_madd (uint64_t k, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_madd (uint64_t k, uint64_t *z, uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
+// Multiply-add modulo the order of the curve25519/edwards25519 basepoint
+// Inputs x[4], y[4], c[4]; output z[4]
+extern void bignum_madd_n25519 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4], const uint64_t c[S2N_BIGNUM_STATIC 4]);
+extern void bignum_madd_n25519_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4], const uint64_t c[S2N_BIGNUM_STATIC 4]);
+// Reduce modulo group order, z := x mod m_25519
+// Input x[4]; output z[4]
+extern void bignum_mod_m25519_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+// Reduce modulo basepoint order, z := x mod n_25519
+// Input x[k]; output z[4]
+extern void bignum_mod_n25519 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
+// Reduce modulo basepoint order, z := x mod n_25519
+// Input x[4]; output z[4]
+extern void bignum_mod_n25519_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Reduce modulo group order, z := x mod n_256
 // Input x[k]; output z[4]
-extern void bignum_mod_n256 (uint64_t z[static 4], uint64_t k, uint64_t *x);
+extern void bignum_mod_n256 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
-extern void bignum_mod_n256_alt (uint64_t z[static 4], uint64_t k, uint64_t *x);
+extern void bignum_mod_n256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
 // Reduce modulo group order, z := x mod n_256
 // Input x[4]; output z[4]
-extern void bignum_mod_n256_4 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_mod_n256_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Reduce modulo group order, z := x mod n_256k1
 // Input x[4]; output z[4]
-extern void bignum_mod_n256k1_4 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_mod_n256k1_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Reduce modulo group order, z := x mod n_384
 // Input x[k]; output z[6]
-extern void bignum_mod_n384 (uint64_t z[static 6], uint64_t k, uint64_t *x);
+extern void bignum_mod_n384 (uint64_t z[S2N_BIGNUM_STATIC 6], uint64_t k, const uint64_t *x);
-extern void bignum_mod_n384_alt (uint64_t z[static 6], uint64_t k, uint64_t *x);
+extern void bignum_mod_n384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], uint64_t k, const uint64_t *x);
 // Reduce modulo group order, z := x mod n_384
 // Input x[6]; output z[6]
-extern void bignum_mod_n384_6 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_mod_n384_6 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Reduce modulo group order, z := x mod n_521
 // Input x[9]; output z[9]
-extern void bignum_mod_n521_9 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_mod_n521_9 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
-extern void bignum_mod_n521_9_alt (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_mod_n521_9_alt (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+// Reduce modulo group order, z := x mod n_sm2
+// Input x[k]; output z[4]
+extern void bignum_mod_nsm2 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
+extern void bignum_mod_nsm2_alt (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
+// Reduce modulo group order, z := x mod n_sm2
+// Input x[4]; output z[4]
+extern void bignum_mod_nsm2_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Reduce modulo field characteristic, z := x mod p_25519
 // Input x[4]; output z[4]
-extern void bignum_mod_p25519_4 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_mod_p25519_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Reduce modulo field characteristic, z := x mod p_256
 // Input x[k]; output z[4]
-extern void bignum_mod_p256 (uint64_t z[static 4], uint64_t k, uint64_t *x);
+extern void bignum_mod_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
-extern void bignum_mod_p256_alt (uint64_t z[static 4], uint64_t k, uint64_t *x);
+extern void bignum_mod_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
 // Reduce modulo field characteristic, z := x mod p_256
 // Input x[4]; output z[4]
-extern void bignum_mod_p256_4 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_mod_p256_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Reduce modulo field characteristic, z := x mod p_256k1
 // Input x[4]; output z[4]
-extern void bignum_mod_p256k1_4 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_mod_p256k1_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Reduce modulo field characteristic, z := x mod p_384
 // Input x[k]; output z[6]
-extern void bignum_mod_p384 (uint64_t z[static 6], uint64_t k, uint64_t *x);
+extern void bignum_mod_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], uint64_t k, const uint64_t *x);
-extern void bignum_mod_p384_alt (uint64_t z[static 6], uint64_t k, uint64_t *x);
+extern void bignum_mod_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], uint64_t k, const uint64_t *x);
 // Reduce modulo field characteristic, z := x mod p_384
 // Input x[6]; output z[6]
-extern void bignum_mod_p384_6 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_mod_p384_6 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Reduce modulo field characteristic, z := x mod p_521
 // Input x[9]; output z[9]
-extern void bignum_mod_p521_9 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_mod_p521_9 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+// Reduce modulo field characteristic, z := x mod p_sm2
+// Input x[k]; output z[4]
+extern void bignum_mod_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t k, const uint64_t *x);
+// Reduce modulo field characteristic, z := x mod p_sm2
+// Input x[4]; output z[4]
+extern void bignum_mod_sm2_4 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Add modulo m, z := (x + y) mod m, assuming x and y reduced
 // Inputs x[k], y[k], m[k]; output z[k]
-extern void bignum_modadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
+extern void bignum_modadd (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *y, const uint64_t *m);
 // Double modulo m, z := (2 * x) mod m, assuming x reduced
 // Inputs x[k], m[k]; output z[k]
-extern void bignum_moddouble (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
+extern void bignum_moddouble (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *m);
+// Modular exponentiation for arbitrary odd modulus, z := (a^p) mod m
+// Inputs a[k], p[k], m[k]; output z[k], temporary buffer t[>=3*k]
+extern void bignum_modexp(uint64_t k,uint64_t *z, const uint64_t *a,const uint64_t *p,const uint64_t *m,uint64_t *t);
 // Compute "modification" constant z := 2^{64k} mod m
 // Input m[k]; output z[k]; temporary buffer t[>=k]
-extern void bignum_modifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t);
+extern void bignum_modifier (uint64_t k, uint64_t *z, const uint64_t *m, uint64_t *t);
 // Invert modulo m, z = (1/a) mod b, assuming b is an odd number > 1, a coprime to b
 // Inputs a[k], b[k]; output z[k]; temporary buffer t[>=3*k]
-extern void bignum_modinv (uint64_t k, uint64_t *z, uint64_t *a, uint64_t *b, uint64_t *t);
+extern void bignum_modinv (uint64_t k, uint64_t *z, const uint64_t *a, const uint64_t *b, uint64_t *t);
 // Optionally negate modulo m, z := (-x) mod m (if p nonzero) or z := x (if p zero), assuming x reduced
 // Inputs p, x[k], m[k]; output z[k]
-extern void bignum_modoptneg (uint64_t k, uint64_t *z, uint64_t p, uint64_t *x, uint64_t *m);
+extern void bignum_modoptneg (uint64_t k, uint64_t *z, uint64_t p, const uint64_t *x, const uint64_t *m);
 // Subtract modulo m, z := (x - y) mod m, assuming x and y reduced
 // Inputs x[k], y[k], m[k]; output z[k]
-extern void bignum_modsub (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
+extern void bignum_modsub (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *y, const uint64_t *m);
 // Compute "montification" constant z := 2^{128k} mod m
 // Input m[k]; output z[k]; temporary buffer t[>=k]
-extern void bignum_montifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t);
+extern void bignum_montifier (uint64_t k, uint64_t *z, const uint64_t *m, uint64_t *t);
+// Montgomery inverse modulo p_256 = 2^256 - 2^224 + 2^192 + 2^96 - 1
+// Input x[4]; output z[4]
+extern void bignum_montinv_p256(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
+// Montgomery inverse modulo p_384 = 2^384 - 2^128 - 2^96 + 2^32 - 1
+// Input x[6]; output z[6]
+extern void bignum_montinv_p384(uint64_t z[S2N_BIGNUM_STATIC 6],const uint64_t x[S2N_BIGNUM_STATIC 6]);
+// Montgomery inverse modulo p_sm2 = 2^256 - 2^224 - 2^96 + 2^64 - 1
+// Input x[4]; output z[4]
+extern void bignum_montinv_sm2(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Montgomery multiply, z := (x * y / 2^{64k}) mod m
 // Inputs x[k], y[k], m[k]; output z[k]
-extern void bignum_montmul (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
+extern void bignum_montmul (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *y, const uint64_t *m);
 // Montgomery multiply, z := (x * y / 2^256) mod p_256
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_montmul_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_montmul_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
-extern void bignum_montmul_p256_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_montmul_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // Montgomery multiply, z := (x * y / 2^256) mod p_256k1
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_montmul_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_montmul_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
-extern void bignum_montmul_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_montmul_p256k1_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // Montgomery multiply, z := (x * y / 2^384) mod p_384
 // Inputs x[6], y[6]; output z[6]
-extern void bignum_montmul_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
+extern void bignum_montmul_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6], const uint64_t y[S2N_BIGNUM_STATIC 6]);
-extern void bignum_montmul_p384_alt (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
+extern void bignum_montmul_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6], const uint64_t y[S2N_BIGNUM_STATIC 6]);
 // Montgomery multiply, z := (x * y / 2^576) mod p_521
 // Inputs x[9], y[9]; output z[9]
-extern void bignum_montmul_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+extern void bignum_montmul_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9], const uint64_t y[S2N_BIGNUM_STATIC 9]);
-extern void bignum_montmul_p521_alt (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+extern void bignum_montmul_p521_alt (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9], const uint64_t y[S2N_BIGNUM_STATIC 9]);
+// Montgomery multiply, z := (x * y / 2^256) mod p_sm2
+// Inputs x[4], y[4]; output z[4]
+extern void bignum_montmul_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
+extern void bignum_montmul_sm2_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // Montgomery reduce, z := (x' / 2^{64p}) MOD m
 // Inputs x[n], m[k], p; output z[k]
-extern void bignum_montredc (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t *m, uint64_t p);
+extern void bignum_montredc (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x, const uint64_t *m, uint64_t p);
 // Montgomery square, z := (x^2 / 2^{64k}) mod m
 // Inputs x[k], m[k]; output z[k]
-extern void bignum_montsqr (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
+extern void bignum_montsqr (uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *m);
 // Montgomery square, z := (x^2 / 2^256) mod p_256
 // Input x[4]; output z[4]
-extern void bignum_montsqr_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_montsqr_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
-extern void bignum_montsqr_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_montsqr_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Montgomery square, z := (x^2 / 2^256) mod p_256k1
 // Input x[4]; output z[4]
-extern void bignum_montsqr_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_montsqr_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
-extern void bignum_montsqr_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_montsqr_p256k1_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Montgomery square, z := (x^2 / 2^384) mod p_384
 // Input x[6]; output z[6]
-extern void bignum_montsqr_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_montsqr_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
-extern void bignum_montsqr_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_montsqr_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Montgomery square, z := (x^2 / 2^576) mod p_521
 // Input x[9]; output z[9]
-extern void bignum_montsqr_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_montsqr_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
-extern void bignum_montsqr_p521_alt (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_montsqr_p521_alt (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+// Montgomery square, z := (x^2 / 2^256) mod p_sm2
+// Input x[4]; output z[4]
+extern void bignum_montsqr_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_montsqr_sm2_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Multiply z := x * y
 // Inputs x[m], y[n]; output z[k]
-extern void bignum_mul (uint64_t k, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern void bignum_mul (uint64_t k, uint64_t *z, uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 // Multiply z := x * y
 // Inputs x[4], y[4]; output z[8]
-extern void bignum_mul_4_8 (uint64_t z[static 8], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_mul_4_8 (uint64_t z[S2N_BIGNUM_STATIC 8], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
-extern void bignum_mul_4_8_alt (uint64_t z[static 8], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_mul_4_8_alt (uint64_t z[S2N_BIGNUM_STATIC 8], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // Multiply z := x * y
 // Inputs x[6], y[6]; output z[12]
-extern void bignum_mul_6_12 (uint64_t z[static 12], uint64_t x[static 6], uint64_t y[static 6]);
+extern void bignum_mul_6_12 (uint64_t z[S2N_BIGNUM_STATIC 12], const uint64_t x[S2N_BIGNUM_STATIC 6], const uint64_t y[S2N_BIGNUM_STATIC 6]);
-extern void bignum_mul_6_12_alt (uint64_t z[static 12], uint64_t x[static 6], uint64_t y[static 6]);
+extern void bignum_mul_6_12_alt (uint64_t z[S2N_BIGNUM_STATIC 12], const uint64_t x[S2N_BIGNUM_STATIC 6], const uint64_t y[S2N_BIGNUM_STATIC 6]);
 // Multiply z := x * y
 // Inputs x[8], y[8]; output z[16]
-extern void bignum_mul_8_16 (uint64_t z[static 16], uint64_t x[static 8], uint64_t y[static 8]);
+extern void bignum_mul_8_16 (uint64_t z[S2N_BIGNUM_STATIC 16], const uint64_t x[S2N_BIGNUM_STATIC 8], const uint64_t y[S2N_BIGNUM_STATIC 8]);
-extern void bignum_mul_8_16_alt (uint64_t z[static 16], uint64_t x[static 8], uint64_t y[static 8]);
+extern void bignum_mul_8_16_alt (uint64_t z[S2N_BIGNUM_STATIC 16], const uint64_t x[S2N_BIGNUM_STATIC 8], const uint64_t y[S2N_BIGNUM_STATIC 8]);
 // Multiply modulo p_25519, z := (x * y) mod p_25519
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_mul_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_mul_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
-extern void bignum_mul_p25519_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_mul_p25519_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // Multiply modulo p_256k1, z := (x * y) mod p_256k1
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_mul_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_mul_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
-extern void bignum_mul_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_mul_p256k1_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // Multiply modulo p_521, z := (x * y) mod p_521, assuming x and y reduced
 // Inputs x[9], y[9]; output z[9]
-extern void bignum_mul_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+extern void bignum_mul_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9], const uint64_t y[S2N_BIGNUM_STATIC 9]);
-extern void bignum_mul_p521_alt (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+extern void bignum_mul_p521_alt (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9], const uint64_t y[S2N_BIGNUM_STATIC 9]);
 // Multiply bignum by 10 and add word: z := 10 * z + d
 // Inputs z[k], d; outputs function return (carry) and z[k]
@@ -512,55 +669,59 @@ extern uint64_t bignum_muladd10 (uint64_t k, uint64_t *z, uint64_t d);
 // Multiplex/select z := x (if p nonzero) or z := y (if p zero)
 // Inputs p, x[k], y[k]; output z[k]
-extern void bignum_mux (uint64_t p, uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y);
+extern void bignum_mux (uint64_t p, uint64_t k, uint64_t *z, const uint64_t *x, const uint64_t *y);
 // 256-bit multiplex/select z := x (if p nonzero) or z := y (if p zero)
 // Inputs p, x[4], y[4]; output z[4]
-extern void bignum_mux_4 (uint64_t p, uint64_t z[static 4],uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_mux_4 (uint64_t p, uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // 384-bit multiplex/select z := x (if p nonzero) or z := y (if p zero)
 // Inputs p, x[6], y[6]; output z[6]
-extern void bignum_mux_6 (uint64_t p, uint64_t z[static 6],uint64_t x[static 6], uint64_t y[static 6]);
+extern void bignum_mux_6 (uint64_t p, uint64_t z[S2N_BIGNUM_STATIC 6],const uint64_t x[S2N_BIGNUM_STATIC 6], const uint64_t y[S2N_BIGNUM_STATIC 6]);
 // Select element from 16-element table, z := xs[k*i]
 // Inputs xs[16*k], i; output z[k]
-extern void bignum_mux16 (uint64_t k, uint64_t *z, uint64_t *xs, uint64_t i);
+extern void bignum_mux16 (uint64_t k, uint64_t *z, const uint64_t *xs, uint64_t i);
 // Negate modulo p_25519, z := (-x) mod p_25519, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_neg_p25519 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_neg_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Negate modulo p_256, z := (-x) mod p_256, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_neg_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_neg_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Negate modulo p_256k1, z := (-x) mod p_256k1, assuming x reduced
 // Input x[4]; output z[4]
-extern void bignum_neg_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_neg_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Negate modulo p_384, z := (-x) mod p_384, assuming x reduced
 // Input x[6]; output z[6]
-extern void bignum_neg_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_neg_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Negate modulo p_521, z := (-x) mod p_521, assuming x reduced
 // Input x[9]; output z[9]
-extern void bignum_neg_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_neg_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+// Negate modulo p_sm2, z := (-x) mod p_sm2, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_neg_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Negated modular inverse, z := (-1/x) mod 2^{64k}
 // Input x[k]; output z[k]
-extern void bignum_negmodinv (uint64_t k, uint64_t *z, uint64_t *x);
+extern void bignum_negmodinv (uint64_t k, uint64_t *z, const uint64_t *x);
 // Test bignum for nonzero-ness x =/= 0
 // Input x[k]; output function return
-extern uint64_t bignum_nonzero (uint64_t k, uint64_t *x);
+extern uint64_t bignum_nonzero (uint64_t k, const uint64_t *x);
 // Test 256-bit bignum for nonzero-ness x =/= 0
 // Input x[4]; output function return
-extern uint64_t bignum_nonzero_4(uint64_t x[static 4]);
+extern uint64_t bignum_nonzero_4(const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Test 384-bit bignum for nonzero-ness x =/= 0
 // Input x[6]; output function return
-extern uint64_t bignum_nonzero_6(uint64_t x[static 6]);
+extern uint64_t bignum_nonzero_6(const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Normalize bignum in-place by shifting left till top bit is 1
 // Input z[k]; outputs function return (bits shifted left) and z[k]
@@ -568,7 +729,7 @@ extern uint64_t bignum_normalize (uint64_t k, uint64_t *z);
 // Test bignum for odd-ness
 // Input x[k]; output function return
-extern uint64_t bignum_odd (uint64_t k, uint64_t *x);
+extern uint64_t bignum_odd (uint64_t k, const uint64_t *x);
 // Convert single digit to bignum, z := n
 // Input n; output z[k]
@@ -576,39 +737,43 @@ extern void bignum_of_word (uint64_t k, uint64_t *z, uint64_t n);
 // Optionally add, z := x + y (if p nonzero) or z := x (if p zero)
 // Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k]
-extern uint64_t bignum_optadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y);
+extern uint64_t bignum_optadd (uint64_t k, uint64_t *z, const uint64_t *x, uint64_t p, const uint64_t *y);
 // Optionally negate, z := -x (if p nonzero) or z := x (if p zero)
 // Inputs p, x[k]; outputs function return (nonzero input) and z[k]
-extern uint64_t bignum_optneg (uint64_t k, uint64_t *z, uint64_t p, uint64_t *x);
+extern uint64_t bignum_optneg (uint64_t k, uint64_t *z, uint64_t p, const uint64_t *x);
 // Optionally negate modulo p_25519, z := (-x) mod p_25519 (if p nonzero) or z := x (if p zero), assuming x reduced
 // Inputs p, x[4]; output z[4]
-extern void bignum_optneg_p25519 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]);
+extern void bignum_optneg_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t p, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Optionally negate modulo p_256, z := (-x) mod p_256 (if p nonzero) or z := x (if p zero), assuming x reduced
 // Inputs p, x[4]; output z[4]
-extern void bignum_optneg_p256 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]);
+extern void bignum_optneg_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t p, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Optionally negate modulo p_256k1, z := (-x) mod p_256k1 (if p nonzero) or z := x (if p zero), assuming x reduced
 // Inputs p, x[4]; output z[4]
-extern void bignum_optneg_p256k1 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]);
+extern void bignum_optneg_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t p, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Optionally negate modulo p_384, z := (-x) mod p_384 (if p nonzero) or z := x (if p zero), assuming x reduced
 // Inputs p, x[6]; output z[6]
-extern void bignum_optneg_p384 (uint64_t z[static 6], uint64_t p, uint64_t x[static 6]);
+extern void bignum_optneg_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], uint64_t p, const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Optionally negate modulo p_521, z := (-x) mod p_521 (if p nonzero) or z := x (if p zero), assuming x reduced
 // Inputs p, x[9]; output z[9]
-extern void bignum_optneg_p521 (uint64_t z[static 9], uint64_t p, uint64_t x[static 9]);
+extern void bignum_optneg_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], uint64_t p, const uint64_t x[S2N_BIGNUM_STATIC 9]);
+// Optionally negate modulo p_sm2, z := (-x) mod p_sm2 (if p nonzero) or z := x (if p zero), assuming x reduced
+// Inputs p, x[4]; output z[4]
+extern void bignum_optneg_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], uint64_t p, const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Optionally subtract, z := x - y (if p nonzero) or z := x (if p zero)
 // Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k]
-extern uint64_t bignum_optsub (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y);
+extern uint64_t bignum_optsub (uint64_t k, uint64_t *z, const uint64_t *x, uint64_t p, const uint64_t *y);
 // Optionally subtract or add, z := x + sgn(p) * y interpreting p as signed
 // Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k]
-extern uint64_t bignum_optsubadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y);
+extern uint64_t bignum_optsubadd (uint64_t k, uint64_t *z, const uint64_t *x, uint64_t p, const uint64_t *y);
 // Return bignum of power of 2, z := 2^n
 // Input n; output z[k]
@@ -616,216 +781,376 @@ extern void bignum_pow2 (uint64_t k, uint64_t *z, uint64_t n);
 // Shift bignum left by c < 64 bits z := x * 2^c
 // Inputs x[n], c; outputs function return (carry-out) and z[k]
-extern uint64_t bignum_shl_small (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t c);
+extern uint64_t bignum_shl_small (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x, uint64_t c);
 // Shift bignum right by c < 64 bits z := floor(x / 2^c)
 // Inputs x[n], c; outputs function return (bits shifted out) and z[k]
-extern uint64_t bignum_shr_small (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t c);
+extern uint64_t bignum_shr_small (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x, uint64_t c);
 // Square, z := x^2
 // Input x[n]; output z[k]
-extern void bignum_sqr (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x);
+extern void bignum_sqr (uint64_t k, uint64_t *z, uint64_t n, const uint64_t *x);
 // Square, z := x^2
 // Input x[4]; output z[8]
-extern void bignum_sqr_4_8 (uint64_t z[static 8], uint64_t x[static 4]);
+extern void bignum_sqr_4_8 (uint64_t z[S2N_BIGNUM_STATIC 8], const uint64_t x[S2N_BIGNUM_STATIC 4]);
-extern void bignum_sqr_4_8_alt (uint64_t z[static 8], uint64_t x[static 4]);
+extern void bignum_sqr_4_8_alt (uint64_t z[S2N_BIGNUM_STATIC 8], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Square, z := x^2
 // Input x[6]; output z[12]
-extern void bignum_sqr_6_12 (uint64_t z[static 12], uint64_t x[static 6]);
+extern void bignum_sqr_6_12 (uint64_t z[S2N_BIGNUM_STATIC 12], const uint64_t x[S2N_BIGNUM_STATIC 6]);
-extern void bignum_sqr_6_12_alt (uint64_t z[static 12], uint64_t x[static 6]);
+extern void bignum_sqr_6_12_alt (uint64_t z[S2N_BIGNUM_STATIC 12], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Square, z := x^2
 // Input x[8]; output z[16]
-extern void bignum_sqr_8_16 (uint64_t z[static 16], uint64_t x[static 8]);
+extern void bignum_sqr_8_16 (uint64_t z[S2N_BIGNUM_STATIC 16], const uint64_t x[S2N_BIGNUM_STATIC 8]);
-extern void bignum_sqr_8_16_alt (uint64_t z[static 16], uint64_t x[static 8]);
+extern void bignum_sqr_8_16_alt (uint64_t z[S2N_BIGNUM_STATIC 16], const uint64_t x[S2N_BIGNUM_STATIC 8]);
 // Square modulo p_25519, z := (x^2) mod p_25519
 // Input x[4]; output z[4]
-extern void bignum_sqr_p25519 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_sqr_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
-extern void bignum_sqr_p25519_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_sqr_p25519_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Square modulo p_256k1, z := (x^2) mod p_256k1
 // Input x[4]; output z[4]
-extern void bignum_sqr_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_sqr_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
-extern void bignum_sqr_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_sqr_p256k1_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Square modulo p_521, z := (x^2) mod p_521, assuming x reduced
 // Input x[9]; output z[9]
-extern void bignum_sqr_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_sqr_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
-extern void bignum_sqr_p521_alt (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_sqr_p521_alt (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+// Square root modulo p_25519
+// Input x[4]; output function return (Legendre symbol) and z[4]
+extern int64_t bignum_sqrt_p25519(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern int64_t bignum_sqrt_p25519_alt(uint64_t z[S2N_BIGNUM_STATIC 4],const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Subtract, z := x - y
 // Inputs x[m], y[n]; outputs function return (carry-out) and z[p]
-extern uint64_t bignum_sub (uint64_t p, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+extern uint64_t bignum_sub (uint64_t p, uint64_t *z, uint64_t m, const uint64_t *x, uint64_t n, const uint64_t *y);
 // Subtract modulo p_25519, z := (x - y) mod p_25519, assuming x and y reduced
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_sub_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_sub_p25519 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // Subtract modulo p_256, z := (x - y) mod p_256, assuming x and y reduced
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_sub_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_sub_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // Subtract modulo p_256k1, z := (x - y) mod p_256k1, assuming x and y reduced
 // Inputs x[4], y[4]; output z[4]
-extern void bignum_sub_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_sub_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // Subtract modulo p_384, z := (x - y) mod p_384, assuming x and y reduced
 // Inputs x[6], y[6]; output z[6]
-extern void bignum_sub_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
+extern void bignum_sub_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6], const uint64_t y[S2N_BIGNUM_STATIC 6]);
 // Subtract modulo p_521, z := (x - y) mod p_521, assuming x and y reduced
 // Inputs x[9], y[9]; output z[9]
-extern void bignum_sub_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+extern void bignum_sub_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9], const uint64_t y[S2N_BIGNUM_STATIC 9]);
+// Subtract modulo p_sm2, z := (x - y) mod p_sm2, assuming x and y reduced
+// Inputs x[4], y[4]; output z[4]
+extern void bignum_sub_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4], const uint64_t y[S2N_BIGNUM_STATIC 4]);
 // Convert 4-digit (256-bit) bignum to big-endian bytes
 // Input x[4]; output z[32] (bytes)
-extern void bignum_tobebytes_4 (uint8_t z[static 32], uint64_t x[static 4]);
+extern void bignum_tobebytes_4 (uint8_t z[S2N_BIGNUM_STATIC 32], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Convert 6-digit (384-bit) bignum to big-endian bytes
 // Input x[6]; output z[48] (bytes)
-extern void bignum_tobebytes_6 (uint8_t z[static 48], uint64_t x[static 6]);
+extern void bignum_tobebytes_6 (uint8_t z[S2N_BIGNUM_STATIC 48], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Convert 4-digit (256-bit) bignum to little-endian bytes
 // Input x[4]; output z[32] (bytes)
-extern void bignum_tolebytes_4 (uint8_t z[static 32], uint64_t x[static 4]);
+extern void bignum_tolebytes_4 (uint8_t z[S2N_BIGNUM_STATIC 32], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Convert 6-digit (384-bit) bignum to little-endian bytes
 // Input x[6]; output z[48] (bytes)
-extern void bignum_tolebytes_6 (uint8_t z[static 48], uint64_t x[static 6]);
+extern void bignum_tolebytes_6 (uint8_t z[S2N_BIGNUM_STATIC 48], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Convert 9-digit 528-bit bignum to little-endian bytes
 // Input x[6]; output z[66] (bytes)
-extern void bignum_tolebytes_p521 (uint8_t z[static 66], uint64_t x[static 9]);
+extern void bignum_tolebytes_p521 (uint8_t z[S2N_BIGNUM_STATIC 66], const uint64_t x[S2N_BIGNUM_STATIC 9]);
 // Convert to Montgomery form z := (2^256 * x) mod p_256
 // Input x[4]; output z[4]
-extern void bignum_tomont_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_tomont_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
-extern void bignum_tomont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_tomont_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Convert to Montgomery form z := (2^256 * x) mod p_256k1
 // Input x[4]; output z[4]
-extern void bignum_tomont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_tomont_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
-extern void bignum_tomont_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_tomont_p256k1_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Convert to Montgomery form z := (2^384 * x) mod p_384
 // Input x[6]; output z[6]
-extern void bignum_tomont_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_tomont_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
-extern void bignum_tomont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_tomont_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Convert to Montgomery form z := (2^576 * x) mod p_521
 // Input x[9]; output z[9]
-extern void bignum_tomont_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_tomont_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+// Convert to Montgomery form z := (2^256 * x) mod p_sm2
+// Input x[4]; output z[4]
+extern void bignum_tomont_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Triple modulo p_256, z := (3 * x) mod p_256
 // Input x[4]; output z[4]
-extern void bignum_triple_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_triple_p256 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
-extern void bignum_triple_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_triple_p256_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Triple modulo p_256k1, z := (3 * x) mod p_256k1
 // Input x[4]; output z[4]
-extern void bignum_triple_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_triple_p256k1 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
-extern void bignum_triple_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_triple_p256k1_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Triple modulo p_384, z := (3 * x) mod p_384
 // Input x[6]; output z[6]
-extern void bignum_triple_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_triple_p384 (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
-extern void bignum_triple_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_triple_p384_alt (uint64_t z[S2N_BIGNUM_STATIC 6], const uint64_t x[S2N_BIGNUM_STATIC 6]);
 // Triple modulo p_521, z := (3 * x) mod p_521, assuming x reduced
 // Input x[9]; output z[9]
-extern void bignum_triple_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_triple_p521 (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
-extern void bignum_triple_p521_alt (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_triple_p521_alt (uint64_t z[S2N_BIGNUM_STATIC 9], const uint64_t x[S2N_BIGNUM_STATIC 9]);
+// Triple modulo p_sm2, z := (3 * x) mod p_sm2
+// Input x[4]; output z[4]
+extern void bignum_triple_sm2 (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
+extern void bignum_triple_sm2_alt (uint64_t z[S2N_BIGNUM_STATIC 4], const uint64_t x[S2N_BIGNUM_STATIC 4]);
 // Montgomery ladder step for curve25519
 // Inputs point[8], pp[16], b; output rr[16]
-extern void curve25519_ladderstep(uint64_t rr[16],uint64_t point[8],uint64_t pp[16],uint64_t b);
+extern void curve25519_ladderstep(uint64_t rr[16],const uint64_t point[8],const uint64_t pp[16],uint64_t b);
-extern void curve25519_ladderstep_alt(uint64_t rr[16],uint64_t point[8],uint64_t pp[16],uint64_t b);
+extern void curve25519_ladderstep_alt(uint64_t rr[16],const uint64_t point[8],const uint64_t pp[16],uint64_t b);
 // Projective scalar multiplication, x coordinate only, for curve25519
 // Inputs scalar[4], point[4]; output res[8]
-extern void curve25519_pxscalarmul(uint64_t res[static 8],uint64_t scalar[static 4],uint64_t point[static 4]);
+extern void curve25519_pxscalarmul(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 4]);
-extern void curve25519_pxscalarmul_alt(uint64_t res[static 8],uint64_t scalar[static 4],uint64_t point[static 4]);
+extern void curve25519_pxscalarmul_alt(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 4]);
 // x25519 function for curve25519
 // Inputs scalar[4], point[4]; output res[4]
-extern void curve25519_x25519(uint64_t res[static 4],uint64_t scalar[static 4],uint64_t point[static 4]);
+extern void curve25519_x25519(uint64_t res[S2N_BIGNUM_STATIC 4],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 4]);
-extern void curve25519_x25519_alt(uint64_t res[static 4],uint64_t scalar[static 4],uint64_t point[static 4]);
+extern void curve25519_x25519_alt(uint64_t res[S2N_BIGNUM_STATIC 4],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 4]);
+// x25519 function for curve25519 (byte array arguments)
+// Inputs scalar[32] (bytes), point[32] (bytes); output res[32] (bytes)
+extern void curve25519_x25519_byte(uint8_t res[S2N_BIGNUM_STATIC 32],const uint8_t scalar[S2N_BIGNUM_STATIC 32],const uint8_t point[S2N_BIGNUM_STATIC 32]);
+extern void curve25519_x25519_byte_alt(uint8_t res[S2N_BIGNUM_STATIC 32],const uint8_t scalar[S2N_BIGNUM_STATIC 32],const uint8_t point[S2N_BIGNUM_STATIC 32]);
 // x25519 function for curve25519 on base element 9
 // Input scalar[4]; output res[4]
-extern void curve25519_x25519base(uint64_t res[static 4],uint64_t scalar[static 4]);
+extern void curve25519_x25519base(uint64_t res[S2N_BIGNUM_STATIC 4],const uint64_t scalar[S2N_BIGNUM_STATIC 4]);
-extern void curve25519_x25519base_alt(uint64_t res[static 4],uint64_t scalar[static 4]);
+extern void curve25519_x25519base_alt(uint64_t res[S2N_BIGNUM_STATIC 4],const uint64_t scalar[S2N_BIGNUM_STATIC 4]);
+// x25519 function for curve25519 on base element 9 (byte array arguments)
+// Input scalar[32] (bytes); output res[32] (bytes)
+extern void curve25519_x25519base_byte(uint8_t res[S2N_BIGNUM_STATIC 32],const uint8_t scalar[S2N_BIGNUM_STATIC 32]);
+extern void curve25519_x25519base_byte_alt(uint8_t res[S2N_BIGNUM_STATIC 32],const uint8_t scalar[S2N_BIGNUM_STATIC 32]);
+// Decode compressed 256-bit form of edwards25519 point
+// Input c[32] (bytes); output function return and z[8]
+extern uint64_t edwards25519_decode(uint64_t z[S2N_BIGNUM_STATIC 8], const uint8_t c[S2N_BIGNUM_STATIC 32]);
+extern uint64_t edwards25519_decode_alt(uint64_t z[S2N_BIGNUM_STATIC 8], const uint8_t c[S2N_BIGNUM_STATIC 32]);
+// Encode edwards25519 point into compressed form as 256-bit number
+// Input p[8]; output z[32] (bytes)
+extern void edwards25519_encode(uint8_t z[S2N_BIGNUM_STATIC 32], const uint64_t p[S2N_BIGNUM_STATIC 8]);
 // Extended projective addition for edwards25519
 // Inputs p1[16], p2[16]; output p3[16]
-extern void edwards25519_epadd(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 16]);
+extern void edwards25519_epadd(uint64_t p3[S2N_BIGNUM_STATIC 16],const uint64_t p1[S2N_BIGNUM_STATIC 16],const uint64_t p2[S2N_BIGNUM_STATIC 16]);
-extern void edwards25519_epadd_alt(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 16]);
+extern void edwards25519_epadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 16],const uint64_t p1[S2N_BIGNUM_STATIC 16],const uint64_t p2[S2N_BIGNUM_STATIC 16]);
 // Extended projective doubling for edwards25519
 // Inputs p1[12]; output p3[16]
-extern void edwards25519_epdouble(uint64_t p3[static 16],uint64_t p1[static 12]);
+extern void edwards25519_epdouble(uint64_t p3[S2N_BIGNUM_STATIC 16],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
-extern void edwards25519_epdouble_alt(uint64_t p3[static 16],uint64_t p1[static 12]);
+extern void edwards25519_epdouble_alt(uint64_t p3[S2N_BIGNUM_STATIC 16],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
 // Projective doubling for edwards25519
 // Inputs p1[12]; output p3[12]
-extern void edwards25519_pdouble(uint64_t p3[static 12],uint64_t p1[static 12]);
+extern void edwards25519_pdouble(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
-extern void edwards25519_pdouble_alt(uint64_t p3[static 12],uint64_t p1[static 12]);
+extern void edwards25519_pdouble_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
 // Extended projective + precomputed mixed addition for edwards25519
 // Inputs p1[16], p2[12]; output p3[16]
-extern void edwards25519_pepadd(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 12]);
+extern void edwards25519_pepadd(uint64_t p3[S2N_BIGNUM_STATIC 16],const uint64_t p1[S2N_BIGNUM_STATIC 16],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
-extern void edwards25519_pepadd_alt(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 12]);
+extern void edwards25519_pepadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 16],const uint64_t p1[S2N_BIGNUM_STATIC 16],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+// Scalar multiplication by standard basepoint for edwards25519 (Ed25519)
+// Input scalar[4]; output res[8]
+extern void edwards25519_scalarmulbase(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4]);
+extern void edwards25519_scalarmulbase_alt(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4]);
+// Double scalar multiplication for edwards25519, fresh and base point
+// Input scalar[4], point[8], bscalar[4]; output res[8]
+extern void edwards25519_scalarmuldouble(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4], const uint64_t point[S2N_BIGNUM_STATIC 8],const uint64_t bscalar[S2N_BIGNUM_STATIC 4]);
+extern void edwards25519_scalarmuldouble_alt(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4], const uint64_t point[S2N_BIGNUM_STATIC 8],const uint64_t bscalar[S2N_BIGNUM_STATIC 4]);
+// Scalar product of 2-element polynomial vectors in NTT domain, with mulcache
+// Inputs a[512], b[512], bt[256] (signed 16-bit words); output r[256] (signed 16-bit words)
+extern void mlkem_basemul_k2(int16_t r[S2N_BIGNUM_STATIC 256],const int16_t a[S2N_BIGNUM_STATIC 512],const int16_t b[S2N_BIGNUM_STATIC 512],const int16_t bt[S2N_BIGNUM_STATIC 256]);
+// Scalar product of 3-element polynomial vectors in NTT domain, with mulcache
+// Inputs a[768], b[768], bt[384] (signed 16-bit words); output r[256] (signed 16-bit words)
+extern void mlkem_basemul_k3(int16_t r[S2N_BIGNUM_STATIC 256],const int16_t a[S2N_BIGNUM_STATIC 768],const int16_t b[S2N_BIGNUM_STATIC 768],const int16_t bt[S2N_BIGNUM_STATIC 384]);
+// Scalar product of 4-element polynomial vectors in NTT domain, with mulcache
+// Inputs a[1024], b[1024], bt[512] (signed 16-bit words); output r[256] (signed 16-bit words)
+extern void mlkem_basemul_k4(int16_t r[S2N_BIGNUM_STATIC 256],const int16_t a[S2N_BIGNUM_STATIC 1024],const int16_t b[S2N_BIGNUM_STATIC 1024],const int16_t bt[S2N_BIGNUM_STATIC 512]);
+// Inverse number-theoretic transform from ML-KEM
+// Input a[256] (signed 16-bit words), z_01234[80] (signed 16-bit words), z_56[384] (signed 16-bit words); output a[256] (signed 16-bit words)
+extern void mlkem_intt(int16_t a[S2N_BIGNUM_STATIC 256],const int16_t z_01234[S2N_BIGNUM_STATIC 80],const int16_t z_56[S2N_BIGNUM_STATIC 384]);
+// Precompute the mulcache data for a polynomial in the NTT domain
+// Inputs a[256], z[128] and t[128] (signed 16-bit words); output x[128] (signed 16-bit words)
+extern void mlkem_mulcache_compute(int16_t x[S2N_BIGNUM_STATIC 128],const int16_t a[S2N_BIGNUM_STATIC 256],const int16_t z[S2N_BIGNUM_STATIC 128],const int16_t t[S2N_BIGNUM_STATIC 128]);
+// Forward number-theoretic transform from ML-KEM
+// Input a[256] (signed 16-bit words), z_01234[80] (signed 16-bit words), z_56[384] (signed 16-bit words); output a[256] (signed 16-bit words)
+extern void mlkem_ntt(int16_t a[S2N_BIGNUM_STATIC 256],const int16_t z_01234[S2N_BIGNUM_STATIC 80],const int16_t z_56[S2N_BIGNUM_STATIC 384]);
+// Canonical modular reduction of polynomial coefficients for ML-KEM
+// Input a[256] (signed 16-bit words); output a[256] (signed 16-bit words)
+extern void mlkem_reduce(int16_t a[S2N_BIGNUM_STATIC 256]);
+// Pack ML-KEM polynomial coefficients as 12-bit numbers
+// Input a[256] (signed 16-bit words); output r[384] (bytes)
+extern void mlkem_tobytes(uint8_t r[S2N_BIGNUM_STATIC 384],const int16_t a[S2N_BIGNUM_STATIC 256]);
+// Conversion of ML-KEM polynomial coefficients to Montgomery form
+// Input a[256] (signed 16-bit words); output a[256] (signed 16-bit words)
+extern void mlkem_tomont(int16_t a[S2N_BIGNUM_STATIC 256]);
+// Uniform rejection sampling for ML-KEM
+// Inputs *buf (unsigned bytes), buflen, table (unsigned bytes); output r[256] (signed 16-bit words), return
+extern uint64_t mlkem_rej_uniform_VARIABLE_TIME(int16_t r[S2N_BIGNUM_STATIC 256],const uint8_t *buf,uint64_t buflen,const uint8_t *table);
 // Point addition on NIST curve P-256 in Montgomery-Jacobian coordinates
 // Inputs p1[12], p2[12]; output p3[12]
-extern void p256_montjadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 12]);
+extern void p256_montjadd(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+extern void p256_montjadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
 // Point doubling on NIST curve P-256 in Montgomery-Jacobian coordinates
 // Inputs p1[12]; output p3[12]
-extern void p256_montjdouble(uint64_t p3[static 12],uint64_t p1[static 12]);
+extern void p256_montjdouble(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
+extern void p256_montjdouble_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
 // Point mixed addition on NIST curve P-256 in Montgomery-Jacobian coordinates
 // Inputs p1[12], p2[8]; output p3[12]
-extern void p256_montjmixadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 8]);
+extern void p256_montjmixadd(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 8]);
+extern void p256_montjmixadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 8]);
+// Montgomery-Jacobian form scalar multiplication for P-256
+// Input scalar[4], point[12]; output res[12]
+extern void p256_montjscalarmul(uint64_t res[S2N_BIGNUM_STATIC 12],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 12]);
+extern void p256_montjscalarmul_alt(uint64_t res[S2N_BIGNUM_STATIC 12],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 12]);
+// Scalar multiplication for NIST curve P-256
+// Input scalar[4], point[8]; output res[8]
+extern void p256_scalarmul(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 8]);
+extern void p256_scalarmul_alt(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 8]);
+// Scalar multiplication for precomputed point on NIST curve P-256
+// Input scalar[4], blocksize, table[]; output res[8]
+extern void p256_scalarmulbase(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4],uint64_t blocksize,const uint64_t *table);
+extern void p256_scalarmulbase_alt(uint64_t res[S2N_BIGNUM_STATIC 8],const uint64_t scalar[S2N_BIGNUM_STATIC 4],uint64_t blocksize,const uint64_t *table);
 // Point addition on NIST curve P-384 in Montgomery-Jacobian coordinates
 // Inputs p1[18], p2[18]; output p3[18]
-extern void p384_montjadd(uint64_t p3[static 18],uint64_t p1[static 18],uint64_t p2[static 18]);
+extern void p384_montjadd(uint64_t p3[S2N_BIGNUM_STATIC 18],const uint64_t p1[S2N_BIGNUM_STATIC 18],const uint64_t p2[S2N_BIGNUM_STATIC 18]);
+extern void p384_montjadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 18],const uint64_t p1[S2N_BIGNUM_STATIC 18],const uint64_t p2[S2N_BIGNUM_STATIC 18]);
 // Point doubling on NIST curve P-384 in Montgomery-Jacobian coordinates
 // Inputs p1[18]; output p3[18]
-extern void p384_montjdouble(uint64_t p3[static 18],uint64_t p1[static 18]);
+extern void p384_montjdouble(uint64_t p3[S2N_BIGNUM_STATIC 18],const uint64_t p1[S2N_BIGNUM_STATIC 18]);
+extern void p384_montjdouble_alt(uint64_t p3[S2N_BIGNUM_STATIC 18],const uint64_t p1[S2N_BIGNUM_STATIC 18]);
 // Point mixed addition on NIST curve P-384 in Montgomery-Jacobian coordinates
 // Inputs p1[18], p2[12]; output p3[18]
-extern void p384_montjmixadd(uint64_t p3[static 18],uint64_t p1[static 18],uint64_t p2[static 12]);
+extern void p384_montjmixadd(uint64_t p3[S2N_BIGNUM_STATIC 18],const uint64_t p1[S2N_BIGNUM_STATIC 18],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+extern void p384_montjmixadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 18],const uint64_t p1[S2N_BIGNUM_STATIC 18],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+// Montgomery-Jacobian form scalar multiplication for P-384
+// Input scalar[6], point[18]; output res[18]
+extern void p384_montjscalarmul(uint64_t res[S2N_BIGNUM_STATIC 18],const uint64_t scalar[S2N_BIGNUM_STATIC 6],const uint64_t point[S2N_BIGNUM_STATIC 18]);
+extern void p384_montjscalarmul_alt(uint64_t res[S2N_BIGNUM_STATIC 18],const uint64_t scalar[S2N_BIGNUM_STATIC 6],const uint64_t point[S2N_BIGNUM_STATIC 18]);
 // Point addition on NIST curve P-521 in Jacobian coordinates
 // Inputs p1[27], p2[27]; output p3[27]
-extern void p521_jadd(uint64_t p3[static 27],uint64_t p1[static 27],uint64_t p2[static 27]);
+extern void p521_jadd(uint64_t p3[S2N_BIGNUM_STATIC 27],const uint64_t p1[S2N_BIGNUM_STATIC 27],const uint64_t p2[S2N_BIGNUM_STATIC 27]);
+extern void p521_jadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 27],const uint64_t p1[S2N_BIGNUM_STATIC 27],const uint64_t p2[S2N_BIGNUM_STATIC 27]);
 // Point doubling on NIST curve P-521 in Jacobian coordinates
 // Input p1[27]; output p3[27]
-extern void p521_jdouble(uint64_t p3[static 27],uint64_t p1[static 27]);
+extern void p521_jdouble(uint64_t p3[S2N_BIGNUM_STATIC 27],const uint64_t p1[S2N_BIGNUM_STATIC 27]);
+extern void p521_jdouble_alt(uint64_t p3[S2N_BIGNUM_STATIC 27],const uint64_t p1[S2N_BIGNUM_STATIC 27]);
 // Point mixed addition on NIST curve P-521 in Jacobian coordinates
 // Inputs p1[27], p2[18]; output p3[27]
-extern void p521_jmixadd(uint64_t p3[static 27],uint64_t p1[static 27],uint64_t p2[static 18]);
+extern void p521_jmixadd(uint64_t p3[S2N_BIGNUM_STATIC 27],const uint64_t p1[S2N_BIGNUM_STATIC 27],const uint64_t p2[S2N_BIGNUM_STATIC 18]);
+extern void p521_jmixadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 27],const uint64_t p1[S2N_BIGNUM_STATIC 27],const uint64_t p2[S2N_BIGNUM_STATIC 18]);
+// Jacobian form scalar multiplication for P-521
+// Input scalar[9], point[27]; output res[27]
+extern void p521_jscalarmul(uint64_t res[S2N_BIGNUM_STATIC 27],const uint64_t scalar[S2N_BIGNUM_STATIC 9],const uint64_t point[S2N_BIGNUM_STATIC 27]);
+extern void p521_jscalarmul_alt(uint64_t res[S2N_BIGNUM_STATIC 27],const uint64_t scalar[S2N_BIGNUM_STATIC 9],const uint64_t point[S2N_BIGNUM_STATIC 27]);
 // Point addition on SECG curve secp256k1 in Jacobian coordinates
 // Inputs p1[12], p2[12]; output p3[12]
-extern void secp256k1_jadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 12]);
+extern void secp256k1_jadd(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+extern void secp256k1_jadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
 // Point doubling on SECG curve secp256k1 in Jacobian coordinates
 // Input p1[12]; output p3[12]
-extern void secp256k1_jdouble(uint64_t p3[static 12],uint64_t p1[static 12]);
+extern void secp256k1_jdouble(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
+extern void secp256k1_jdouble_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
 // Point mixed addition on SECG curve secp256k1 in Jacobian coordinates
 // Inputs p1[12], p2[8]; output p3[12]
-extern void secp256k1_jmixadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 8]);
+extern void secp256k1_jmixadd(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 8]);
+extern void secp256k1_jmixadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 8]);
+// Keccak-f1600 permutation for SHA3
+// Inputs a[25], rc[24]; output a[25]
+extern void sha3_keccak_f1600(uint64_t a[S2N_BIGNUM_STATIC 25],const uint64_t rc[S2N_BIGNUM_STATIC 24]);
+extern void sha3_keccak_f1600_alt(uint64_t a[S2N_BIGNUM_STATIC 25],const uint64_t rc[S2N_BIGNUM_STATIC 24]);
+// Batched 2-way Keccak-f1600 permutation for SHA3
+// Inputs a[50], rc[24]; output a[50]
+extern void sha3_keccak2_f1600(uint64_t a[S2N_BIGNUM_STATIC 50],const uint64_t rc[S2N_BIGNUM_STATIC 24]);
+extern void sha3_keccak2_f1600_alt(uint64_t a[S2N_BIGNUM_STATIC 50],const uint64_t rc[S2N_BIGNUM_STATIC 24]);
+// Batched 4-way Keccak-f1600 permutation for SHA3
+// Inputs a[100], rc[24]; output a[100]
+extern void sha3_keccak4_f1600(uint64_t a[S2N_BIGNUM_STATIC 100],const uint64_t rc[S2N_BIGNUM_STATIC 24]);
+extern void sha3_keccak4_f1600_alt(uint64_t a[S2N_BIGNUM_STATIC 100],const uint64_t rc[S2N_BIGNUM_STATIC 24]);
+extern void sha3_keccak4_f1600_alt2(uint64_t a[S2N_BIGNUM_STATIC 100],const uint64_t rc[S2N_BIGNUM_STATIC 24]);
+// Point addition on CC curve SM2 in Montgomery-Jacobian coordinates
+// Inputs p1[12], p2[12]; output p3[12]
+extern void sm2_montjadd(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+extern void sm2_montjadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 12]);
+// Point doubling on CC curve SM2 in Montgomery-Jacobian coordinates
+// Inputs p1[12]; output p3[12]
+extern void sm2_montjdouble(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
+extern void sm2_montjdouble_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12]);
+// Point mixed addition on CC curve SM2 in Montgomery-Jacobian coordinates
+// Inputs p1[12], p2[8]; output p3[12]
+extern void sm2_montjmixadd(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 8]);
+extern void sm2_montjmixadd_alt(uint64_t p3[S2N_BIGNUM_STATIC 12],const uint64_t p1[S2N_BIGNUM_STATIC 12],const uint64_t p2[S2N_BIGNUM_STATIC 8]);
+// Montgomery-Jacobian form scalar multiplication for CC curve SM2
+// Input scalar[4], point[12]; output res[12]
+extern void sm2_montjscalarmul(uint64_t res[S2N_BIGNUM_STATIC 12],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 12]);
+extern void sm2_montjscalarmul_alt(uint64_t res[S2N_BIGNUM_STATIC 12],const uint64_t scalar[S2N_BIGNUM_STATIC 4],const uint64_t point[S2N_BIGNUM_STATIC 12]);
 // Reverse the bytes in a single word
 // Input a; output function return
@@ -839,6 +1164,10 @@ extern uint64_t word_clz (uint64_t a);
 // Input a; output function return
 extern uint64_t word_ctz (uint64_t a);
+// Perform 59 "divstep" iterations and return signed matrix of updates
+// Inputs d, f, g; output m[2][2] and function return
+extern int64_t word_divstep59(int64_t m[2][2],int64_t d,uint64_t f,uint64_t g);
 // Return maximum of two unsigned 64-bit words
 // Inputs a, b; output function return
 extern uint64_t word_max (uint64_t a, uint64_t b);
@@ -851,6 +1180,10 @@ extern uint64_t word_min (uint64_t a, uint64_t b);
 // Input a; output function return
 extern uint64_t word_negmodinv (uint64_t a);
+// Count number of set bits in a single 64-bit word (population count)
+// Input a; output function return
+extern uint64_t word_popcount (uint64_t a);
 // Single-word reciprocal, 2^64 + ret = ceil(2^128/a) - 1 if MSB of "a" is set
 // Input a; output function return
 extern uint64_t word_recip (uint64_t a);
diff --git a/src/lib/libcrypto/bn/s2n_bignum_internal.h b/src/lib/libcrypto/bn/s2n_bignum_internal.h
index b82db7d019..37eebb4fd6 100644
--- a/src/lib/libcrypto/bn/s2n_bignum_internal.h
+++ b/src/lib/libcrypto/bn/s2n_bignum_internal.h
@@ -1,3 +1,5 @@
+// $OpenBSD: s2n_bignum_internal.h,v 1.5 2025/08/12 10:01:37 jsing Exp $
+//
 // Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
@@ -14,14 +16,14 @@
 #ifdef __APPLE__
 #   define S2N_BN_SYMBOL(NAME) _##NAME
+#   if defined(__AARCH64EL__) || defined(__ARMEL__)
+#     define __LF %%
+#   else
+#     define __LF ;
+#   endif
 #else
 #   define S2N_BN_SYMBOL(name) name
-#endif
+#   define __LF ;
-#ifdef __CET__
-#   include <cet.h>
-#else
-#   define _CET_ENDBR
 #endif
 #define S2N_BN_SYM_VISIBILITY_DIRECTIVE(name) .globl S2N_BN_SYMBOL(name)
@@ -34,3 +36,24 @@
 #else
 #   define S2N_BN_SYM_PRIVACY_DIRECTIVE(name)  /* NO-OP: S2N_BN_SYM_PRIVACY_DIRECTIVE */
 #endif
+// Enable indirect branch tracking support unless explicitly disabled
+// with -DNO_IBT. If the platform supports CET, simply inherit this from
+// the usual header. Otherwise manually define _CET_ENDBR, used at each
+// x86 entry point, to be the ENDBR64 instruction, with an explicit byte
+// sequence for compilers/assemblers that don't know about it. Note that
+// it is safe to use ENDBR64 on all platforms, since the encoding is by
+// design interpreted as a NOP on all pre-CET x86_64 processors. The only
+// downside is a small increase in code size and potentially a modest
+// slowdown from executing one more instruction.
+#if NO_IBT
+#   if defined(_CET_ENDBR)
+#     error "The s2n-bignum build option NO_IBT was configured, but _CET_ENDBR is defined in this compilation unit. That is weird, so failing the build."
+#   endif
+#   define _CET_ENDBR
+#elif defined(__CET__)
+#   include <cet.h>
+#elif !defined(_CET_ENDBR)
+#   define _CET_ENDBR .byte 0xf3,0x0f,0x1e,0xfa
+#endif
diff --git a/src/lib/libcrypto/buffer/buffer.c b/src/lib/libcrypto/buffer/buffer.c
index 51ce90ff80..4a0c17c598 100644
--- a/src/lib/libcrypto/buffer/buffer.c
+++ b/src/lib/libcrypto/buffer/buffer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: buffer.c,v 1.28 2023/07/08 08:26:26 beck Exp $ */
+/* $OpenBSD: buffer.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,7 +61,8 @@
 #include <string.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
+#include "err_local.h"
 /*
 * LIMIT_BEFORE_EXPANSION is the maximum n such that (n + 3) / 3 * 4 < 2**31.
diff --git a/src/lib/libcrypto/cast/cast_local.h b/src/lib/libcrypto/cast/cast_local.h
index 5fb9911105..c8b89071c5 100644
--- a/src/lib/libcrypto/cast/cast_local.h
+++ b/src/lib/libcrypto/cast/cast_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cast_local.h,v 1.2 2023/07/08 07:25:43 jsing Exp $ */
+/* $OpenBSD: cast_local.h,v 1.3 2025/11/26 10:19:57 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -56,6 +56,9 @@
 * [including the GNU Public Licence.]
 */
+#ifndef HEADER_CAST_LOCAL_H
+#define HEADER_CAST_LOCAL_H
 #undef c2l
 #define c2l(c,l)        (l =((unsigned long)(*((c)++)))    , \
                         l|=((unsigned long)(*((c)++)))<< 8L, \
@@ -214,3 +217,5 @@ extern const CAST_LONG CAST_S_table4[256];
 extern const CAST_LONG CAST_S_table5[256];
 extern const CAST_LONG CAST_S_table6[256];
 extern const CAST_LONG CAST_S_table7[256];
+#endif /* HEADER_CAST_LOCAL_H */
diff --git a/src/lib/libcrypto/cert.pem b/src/lib/libcrypto/cert.pem
index a7fd3519fb..7031ac8fe8 100644
--- a/src/lib/libcrypto/cert.pem
+++ b/src/lib/libcrypto/cert.pem
@@ -1,4 +1,4 @@
-# $OpenBSD: cert.pem,v 1.31 2025/03/16 07:44:35 tb Exp $
+# $OpenBSD: cert.pem,v 1.33 2025/11/17 20:15:35 sthen Exp $
 ### /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
 === /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068
@@ -960,49 +960,6 @@ AgEGMAoGCCqGSM49BAMDA2gAMGUCMBq8W9f+qdJUDkpd0m2xQNz0Q9XSSpkZElaA
 43j4ptZLvZuHjw/l1lOWqzzIQNph91Oj9w==
 -----END CERTIFICATE-----
-### Baltimore
-=== /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 33554617 (0x20000b9)
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: May 12 18:46:00 2000 GMT
-            Not After : May 12 23:59:00 2025 GMT
-        Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
-        X509v3 extensions:
-            X509v3 Subject Key Identifier:
-                E5:9D:59:30:82:47:58:CC:AC:FA:08:54:36:86:7B:3A:B5:04:4D:F0
-            X509v3 Basic Constraints: critical
-                CA:TRUE, pathlen:3
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-SHA1 Fingerprint=D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
-SHA256 Fingerprint=16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB
-----BEGIN CERTIFICATE-----
-MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
-RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
-VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
-DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
-ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
-VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
-mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
-IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
-mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
-XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
-dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
-jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
-BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
-DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
-9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
-jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
-Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
-ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
-R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----
 ### Buypass AS-983163327
 === /C=NO/O=Buypass AS-983163327/CN=Buypass Class 2 Root CA
@@ -1728,61 +1685,6 @@ v64fG9PiO/yzcnMcmyiQiRM9HcEARwmWmjgb3bHPDcK0RPOWlc4yOo80nOAXx17O
 rg3bhzjlP1v9mxnhMUF6cKojawHhRUzNlM47ni3niAIi9G7oyOzWPPO5std3eqx7
 -----END CERTIFICATE-----
-### Comodo CA Limited
-=== /C=GB/ST=Greater Manchester/L=Salford/O=Comodo CA Limited/CN=AAA Certificate Services
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 1 (0x1)
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Jan  1 00:00:00 2004 GMT
-            Not After : Dec 31 23:59:59 2028 GMT
-        Subject: C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
-        X509v3 extensions:
-            X509v3 Subject Key Identifier:
-                A0:11:0A:23:3E:96:F1:07:EC:E2:AF:29:EF:82:A5:7F:D0:30:A4:B4
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 CRL Distribution Points:
-                Full Name:
-                  URI:http://crl.comodoca.com/AAACertificateServices.crl
-                Full Name:
-                  URI:http://crl.comodo.net/AAACertificateServices.crl
-SHA1 Fingerprint=D1:EB:23:A4:6D:17:D6:8F:D9:25:64:C2:F1:F1:60:17:64:D8:E3:49
-SHA256 Fingerprint=D7:A7:A0:FB:5D:7E:27:31:D7:71:E9:48:4E:BC:DE:F7:1D:5F:0C:3E:0A:29:48:78:2B:C8:3E:E0:EA:69:9E:F4
-----BEGIN CERTIFICATE-----
-MIIEMjCCAxqgAwIBAgIBATANBgkqhkiG9w0BAQUFADB7MQswCQYDVQQGEwJHQjEb
-MBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHDAdTYWxmb3JkMRow
-GAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UEAwwYQUFBIENlcnRpZmlj
-YXRlIFNlcnZpY2VzMB4XDTA0MDEwMTAwMDAwMFoXDTI4MTIzMTIzNTk1OVowezEL
-MAkGA1UEBhMCR0IxGzAZBgNVBAgMEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UE
-BwwHU2FsZm9yZDEaMBgGA1UECgwRQ29tb2RvIENBIExpbWl0ZWQxITAfBgNVBAMM
-GEFBQSBDZXJ0aWZpY2F0ZSBTZXJ2aWNlczCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAL5AnfRu4ep2hxxNRUSOvkbIgwadwSr+GB+O5AL686tdUIoWMQua
-BtDFcCLNSS1UY8y2bmhGC1Pqy0wkwLxyTurxFa70VJoSCsN6sjNg4tqJVfMiWPPe
-3M/vg4aijJRPn2jymJBGhCfHdr/jzDUsi14HZGWCwEiwqJH5YZ92IFCokcdmtet4
-YgNW8IoaE+oxox6gmf049vYnMlhvB/VruPsUK6+3qszWY19zjNoFmag4qMsXeDZR
-rOme9Hg6jc8P2ULimAyrL58OAd7vn5lJ8S3frHRNG5i1R8XlKdH5kBjHYpy+g8cm
-ez6KJcfA3Z3mNWgQIJ2P2N7Sw4ScDV7oL8kCAwEAAaOBwDCBvTAdBgNVHQ4EFgQU
-oBEKIz6W8Qfs4q8p74Klf9AwpLQwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQF
-MAMBAf8wewYDVR0fBHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20v
-QUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29t
-b2RvLm5ldC9BQUFDZXJ0aWZpY2F0ZVNlcnZpY2VzLmNybDANBgkqhkiG9w0BAQUF
-AAOCAQEACFb8AvCb6P+k+tZ7xkSAzk/ExfYAWMymtrwUSWgEdujm7l3sAg9g1o1Q
-GE8mTgHj5rCl7r+8dFRBv/38ErjHT1r0iWAFf2C3BUrz9vHCv8S5dIa2LX1rzNLz
-Rt0vxuBqw8M0Ayx9lt1awg6nCpnBBYurDC/zXDrPbDdVCYfeU0BsWO/8tqtlbgT2
-G9w84FoVxp7Z8VlIMCFlA2zs6SFz7JsDoeA3raAVGI/6ugLOpyypEBMs1OUIJqsi
-l2D4kF501KKaU73yqWjgom7C12yxow+ev+to51byrvLjKzg6CYG1a4XXvi3tPxq3
-smPi9WIsgtRqAEFQ8TmDn5XpNpaYbg==
-----END CERTIFICATE-----
 ### Cybertrust Japan Co., Ltd.
 === /C=JP/O=Cybertrust Japan Co., Ltd./CN=SecureSign Root CA12
@@ -3070,53 +2972,6 @@ eu6FSqdQgPCnXEqULl8FmTxSQeDNtGPPAUO6nIPcj2A781q0tHuu2guQOHXvgR1m
 0vdXcDazv/wor3ElhVsT/h5/WrQ8
 -----END CERTIFICATE-----
-### Entrust.net
-=== /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 946069240 (0x3863def8)
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Dec 24 17:50:51 1999 GMT
-            Not After : Jul 24 14:15:12 2029 GMT
-        Subject: O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier:
-                55:E4:81:D1:11:80:BE:D8:89:B9:08:A3:31:F9:A1:24:09:16:B9:70
-SHA1 Fingerprint=50:30:06:09:1D:97:D4:F5:AE:39:F7:CB:E7:92:7D:7D:65:2D:34:31
-SHA256 Fingerprint=6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77
-----BEGIN CERTIFICATE-----
-MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
-RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp
-bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5
-IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp
-ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw05OTEyMjQxNzUwNTFaFw0yOTA3
-MjQxNDE1MTJaMIG0MRQwEgYDVQQKEwtFbnRydXN0Lm5ldDFAMD4GA1UECxQ3d3d3
-LmVudHJ1c3QubmV0L0NQU18yMDQ4IGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxp
-YWIuKTElMCMGA1UECxMcKGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDEzMDEG
-A1UEAxMqRW50cnVzdC5uZXQgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgKDIwNDgp
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArU1LqRKGsuqjIAcVFmQq
-K0vRvwtKTY7tgHalZ7d4QMBzQshowNtTK91euHaYNZOLGp18EzoOH1u3Hs/lJBQe
-sYGpjX24zGtLA/ECDNyrpUAkAH90lKGdCCmziAv1h3edVc3kw37XamSrhRSGlVuX
-MlBvPci6Zgzj/L24ScF2iUkZ/cCovYmjZy/Gn7xxGWC4LeksyZB2ZnuU4q941mVT
-XTzWnLLPKQP5L6RQstRIzgUyVYr9smRMDuSYB3Xbf9+5CFVghTAp+XtIpGmG4zU/
-HoZdenoVve8AjhUiVBcAkCaTvA5JaJG/+EfTnZVCwQ5N328mz8MYIWJmQ3DW1cAH
-4QIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
-HQ4EFgQUVeSB0RGAvtiJuQijMfmhJAkWuXAwDQYJKoZIhvcNAQEFBQADggEBADub
-j1abMOdTmXx6eadNl9cZlZD7Bh/KM3xGY4+WZiT6QBshJ8rmcnPyT/4xmf3IDExo
-U8aAghOY+rat2l098c5u9hURlIIM7j+VrxGrD9cv3h8Dj1csHsm7mhpElesYT6Yf
-zX1XEC+bBAlahLVu2B064dae0Wx5XnkcFMXj0EyTO2U87d89vqbllRrDtRnDvV5b
-u/8j72gZyxKTJ1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+
-bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
-fF6adulZkMV8gzURZVE=
-----END CERTIFICATE-----
 ### FNMT-RCM
 === /C=ES/O=FNMT-RCM/OU=AC RAIZ FNMT-RCM
@@ -3559,47 +3414,6 @@ u+YfjyW6hY0XHgL+XVAEV8/+LbzvXMAaq7afJMbfc2hIkCwU9D9SGuTSyxTDYWnP
 N3ec592kD3ZDZopD8p/7DEJ4Y9HiD2971KE9dJeFt0g5QdYg/NA6s/rob8SKunE3
 vouXsXgxT7PntgMTzlSdriVZzH81Xwj3QEUxeCp6
 -----END CERTIFICATE-----
-=== /C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            04:00:00:00:00:01:15:4b:5a:c3:94
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Sep  1 12:00:00 1998 GMT
-            Not After : Jan 28 12:00:00 2028 GMT
-        Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier:
-                60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B
-SHA1 Fingerprint=B1:BC:96:8B:D4:F4:9D:62:2A:A8:9A:81:F2:15:01:52:A4:1D:82:9C
-SHA256 Fingerprint=EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99
-----BEGIN CERTIFICATE-----
-MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
-A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
-b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
-MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
-YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
-aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
-jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
-xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
-1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
-snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
-U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
-9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
-BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
-AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
-yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
-38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
-AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
-DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
-HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----
 ### GoDaddy.com, Inc.
@@ -4644,6 +4458,101 @@ uLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2
 XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E=
 -----END CERTIFICATE-----
+### OISTE Foundation
+=== /C=CH/O=OISTE Foundation/CN=OISTE Server Root ECC G1
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            23:f9:c3:d6:35:af:8f:28:4b:1f:f0:54:ea:7e:97:9d
+    Signature Algorithm: ecdsa-with-SHA384
+        Validity
+            Not Before: May 31 14:42:28 2023 GMT
+            Not After : May 24 14:42:27 2048 GMT
+        Subject: C=CH, O=OISTE Foundation, CN=OISTE Server Root ECC G1
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Authority Key Identifier:
+                keyid:37:4D:88:65:CF:FC:3D:8A:D5:A3:F1:49:C0:4E:0C:10:6F:42:B4:9C
+            X509v3 Subject Key Identifier:
+                37:4D:88:65:CF:FC:3D:8A:D5:A3:F1:49:C0:4E:0C:10:6F:42:B4:9C
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+SHA1 Fingerprint=3B:F6:8B:09:AE:2A:92:7B:BA:E3:8D:3F:11:95:D9:E6:44:0C:45:E2
+SHA256 Fingerprint=EE:C9:97:C0:C3:0F:21:6F:7E:3B:8B:30:7D:2B:AE:42:41:2D:75:3F:C8:21:9D:AF:D1:52:0B:25:72:85:0F:49
+-----BEGIN CERTIFICATE-----
+MIICNTCCAbqgAwIBAgIQI/nD1jWvjyhLH/BU6n6XnTAKBggqhkjOPQQDAzBLMQsw
+CQYDVQQGEwJDSDEZMBcGA1UECgwQT0lTVEUgRm91bmRhdGlvbjEhMB8GA1UEAwwY
+T0lTVEUgU2VydmVyIFJvb3QgRUNDIEcxMB4XDTIzMDUzMTE0NDIyOFoXDTQ4MDUy
+NDE0NDIyN1owSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoMEE9JU1RFIEZvdW5kYXRp
+b24xITAfBgNVBAMMGE9JU1RFIFNlcnZlciBSb290IEVDQyBHMTB2MBAGByqGSM49
+AgEGBSuBBAAiA2IABBcv+hK8rBjzCvRE1nZCnrPoH7d5qVi2+GXROiFPqOujvqQy
+cvO2Ackr/XeFblPdreqqLiWStukhEaivtUwL85Zgmjvn6hp4LrQ95SjeHIC6XG4N
+2xml4z+cKrhAS93mT6NjMGEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBQ3
+TYhlz/w9itWj8UnATgwQb0K0nDAdBgNVHQ4EFgQUN02IZc/8PYrVo/FJwE4MEG9C
+tJwwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2kAMGYCMQCpKjAd0MKfkFFR
+QD6VVCHNFmb3U2wIFjnQEnx/Yxvf4zgAOdktUyBFCxxgZzFDJe0CMQCSia7pXGKD
+YmH5LVerVrkR3SW+ak5KGoJr3M/TvEqzPNcum9v4KGm8ay3sMaE641c=
+-----END CERTIFICATE-----
+=== /C=CH/O=OISTE Foundation/CN=OISTE Server Root RSA G1
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            55:a5:d9:67:94:28:c6:ed:0c:fa:27:dd:5b:01:4d:18
+    Signature Algorithm: sha384WithRSAEncryption
+        Validity
+            Not Before: May 31 14:37:16 2023 GMT
+            Not After : May 24 14:37:15 2048 GMT
+        Subject: C=CH, O=OISTE Foundation, CN=OISTE Server Root RSA G1
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Authority Key Identifier:
+                keyid:F2:C9:C1:0F:0D:63:00:BB:EC:45:0E:4A:1F:B5:B1:B3:36:CD:0E:8D
+            X509v3 Subject Key Identifier:
+                F2:C9:C1:0F:0D:63:00:BB:EC:45:0E:4A:1F:B5:B1:B3:36:CD:0E:8D
+            X509v3 Key Usage: critical
+                Digital Signature, Certificate Sign, CRL Sign
+SHA1 Fingerprint=F7:00:34:25:94:88:68:31:E4:34:87:3F:70:FE:86:B3:86:9F:F0:6E
+SHA256 Fingerprint=9A:E3:62:32:A5:18:9F:FD:DB:35:3D:FD:26:52:0C:01:53:95:D2:27:77:DA:C5:9D:B5:7B:98:C0:89:A6:51:E6
+-----BEGIN CERTIFICATE-----
+MIIFgzCCA2ugAwIBAgIQVaXZZ5Qoxu0M+ifdWwFNGDANBgkqhkiG9w0BAQwFADBL
+MQswCQYDVQQGEwJDSDEZMBcGA1UECgwQT0lTVEUgRm91bmRhdGlvbjEhMB8GA1UE
+AwwYT0lTVEUgU2VydmVyIFJvb3QgUlNBIEcxMB4XDTIzMDUzMTE0MzcxNloXDTQ4
+MDUyNDE0MzcxNVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoMEE9JU1RFIEZvdW5k
+YXRpb24xITAfBgNVBAMMGE9JU1RFIFNlcnZlciBSb290IFJTQSBHMTCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBAKqu9KuCz/vlNwvn1ZatkOhLKdxVYOPM
+vLO8LZK55KN68YG0nnJyQ98/qwsmtO57Gmn7KNByXEptaZnwYx4M0rH/1ow00O7b
+rEi56rAUjtgHqSSY3ekJvqgiG1k50SeH3BzN+Puz6+mTeO0Pzjd8JnduodgsIUzk
+ik/HEzxux9UTl7Ko2yRpg1bTacuCErudG/L4NPKYKyqOBGf244ehHa1uzjZ0Dl4z
+O8vbUZeUapU8zhhabkvG/AePLhq5SvdkNCncpo1Q4Y2LS+VIG24ugBA/5J8bZT8R
+tOpXaZ+0AOuFJJkk9SGdl6r7NH8CaxWQrbueWhl/pIzY+m0o/DjH40ytas7ZTpOS
+jswMZ78LS5bOZmdTaMsXEY5Z96ycG7mOaES3GK/m5Q9l3JUJsJMStR8+lKXHiHUh
+sd4JJCpM4rzsTGdHwimIuQq6+cF0zowYJmXa92/GjHtoXAvuY8BeS/FOzJ8vD+Ho
+mnqT8eDI278n5mUpezbgMxVz8p1rhAhoKzYHKyfMeNhqhw5HdPSqoBNdZH702xSu
+zrkL8Fl47l6QGzwBrd7KJvX4V84c5Ss2XCTLdyEr0YconosP4EmQufU2MVshGYR
+i3drVByjtdgQ8K4p92cIiBdcuJd5z+orKu5YM+Vt6SmqZQENghPsJQtdLEByFSnT
+kCz3GkPVavBpAgMBAAGjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU
+8snBDw1jALvsRQ5KH7WxszbNDo0wHQYDVR0OBBYEFPLJwQ8NYwC77EUOSh+1sbM2
+zQ6NMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQwFAAOCAgEANGd5sjrG5T33
+I3K5Ce+SrScfoE4KsvXaFwyihdJ+klH9FWXXXGtkFu6KRcoMQzZENdl//nk6HOjG
+5D1rd9QhEOP28yBOqb6J8xycqd+8MDoX0TJD0KqKchxRKEzdNsjkLWd9kYccnbz8
+qyiWXmFcuCIzGEgWUOrKL+mlSdx/PKQZvDatkuK59EvV6wit53j+F8Bdh3foZ3dP
+AGav9LEDOr4SfEE15fSmG0eLy3n31r8Xbk5l8PjaV8GUgeV6Vg27Rn9vkf195hfk
+gSe7BYhW3SCl95gtkRlpMV+bMPKZrXJAlszYd2abtNUOshD+FKrDgHGdPY3ofRRs
+YWSGRqbXVMW215AWRqWFyp464+YTFrYVI8ypKVL9AMb2kI5Wj4kI3Zaq5tNqqYY1
+9tVFeEJKRvwDyF7YZvZFZSS0vod7VSCd9521Kvy5YhnLbDuv0204bKt7ph6N/Ome
+/msVuduCmsuY33OhkKCgxeDoAaijFJzIwZqsFVAzje18KotzlUBDJvyBpCpfOZC3
+J8tRd/iWkx7P8nd9H0aTolkelUTFLXVksNb54Dxp6gS1HAviRkRNQzuXSXERvSS2
+wq1yVAb+axj5d9spLFKebXd7Yv0PTY6YMjAwcRLWJTXjn/hvnLXrahut6hDTlhZy
+BiElxky8j3C7DOReIoMt0r7+hVu05L0=
+-----END CERTIFICATE-----
 ### QuoVadis Limited
 === /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 1 G3
@@ -5481,52 +5390,6 @@ CPyI6a6Lf+Ew9Dd+/cYy2i2eRDAwbO4H3tI0/NL/QPZL9GZGBlSm8jIKYyYwa5vR
 ### Starfield Technologies, Inc.
-=== /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Jun 29 17:39:16 2004 GMT
-            Not After : Jun 29 17:39:16 2034 GMT
-        Subject: C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority
-        X509v3 extensions:
-            X509v3 Subject Key Identifier:
-                BF:5F:B7:D1:CE:DD:1F:86:F4:5B:55:AC:DC:D7:10:C2:0E:A9:88:E7
-            X509v3 Authority Key Identifier:
-                keyid:BF:5F:B7:D1:CE:DD:1F:86:F4:5B:55:AC:DC:D7:10:C2:0E:A9:88:E7
-                DirName:/C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority
-                serial:00
-            X509v3 Basic Constraints:
-                CA:TRUE
-SHA1 Fingerprint=AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A
-SHA256 Fingerprint=14:65:FA:20:53:97:B8:76:FA:A6:F0:A9:95:8E:55:90:E4:0F:CC:7F:AA:4F:B7:C2:C8:67:75:21:FB:5F:B6:58
-----BEGIN CERTIFICATE-----
-MIIEDzCCAvegAwIBAgIBADANBgkqhkiG9w0BAQUFADBoMQswCQYDVQQGEwJVUzEl
-MCMGA1UEChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMp
-U3RhcmZpZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQw
-NjI5MTczOTE2WhcNMzQwNjI5MTczOTE2WjBoMQswCQYDVQQGEwJVUzElMCMGA1UE
-ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjEyMDAGA1UECxMpU3RhcmZp
-ZWxkIENsYXNzIDIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwggEgMA0GCSqGSIb3
-DQEBAQUAA4IBDQAwggEIAoIBAQC3Msj+6XGmBIWtDBFk385N78gDGIc/oav7PKaf
-8MOh2tTYbitTkPskpD6E8J7oX+zlJ0T1KKY/e97gKvDIr1MvnsoFAZMej2YcOadN
-+lq2cwQlZut3f+dZxkqZJRRU6ybH838Z1TBwj6+wRir/resp7defqgSHo9T5iaU0
-X9tDkYI22WY8sbi5gv2cOj4QyDvvBmVmepsZGD3/cVE8MC5fvj13c7JdBmzDI1aa
-K4UmkhynArPkPw2vCHmCuDY96pzTNbO8acr1zJ3o/WSNF4Azbl5KXZnJHoe0nRrA
-1W4TNSNe35tfPe/W93bC6j67eA0cQmdrBNj41tpvi/JEoAGrAgEDo4HFMIHCMB0G
-A1UdDgQWBBS/X7fRzt0fhvRbVazc1xDCDqmI5zCBkgYDVR0jBIGKMIGHgBS/X7fR
-zt0fhvRbVazc1xDCDqmI56FspGowaDELMAkGA1UEBhMCVVMxJTAjBgNVBAoTHFN0
-YXJmaWVsZCBUZWNobm9sb2dpZXMsIEluYy4xMjAwBgNVBAsTKVN0YXJmaWVsZCBD
-bGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8w
-DQYJKoZIhvcNAQEFBQADggEBAAWdP4id0ckaVaGsafPzWdqbAYcaT1epoXkJKtv3
-L7IezMdeatiDh6GX70k1PncGQVhiv45YuApnP+yz3SFmH8lU+nLMPUxA2IGvd56D
-eruix/U0F47ZEUD0/CwqTRV/p2JdLiXTAAsgGh1o+Re49L2L7ShZ3U0WixeDyLJl
-xy16paq8U4Zt3VekyvggQQto8PT7dL5WXXp59fkdheMtlb71cZBDzI0fmgAKhynp
-VSJYACPq4xJDKVtHCN2MQWplBqjlIapBtJUhlbl90TSrE9atvNziPTnNvT51cKEY
-WQPJIrSPnNVeKtelttQKbfi3QBFGmh95DmK/D5fs4C8fF5Q=
-----END CERTIFICATE-----
 === /C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./CN=Starfield Root Certificate Authority - G2
 Certificate:
    Data:
@@ -5675,6 +5538,61 @@ Ld6leNcG2mqeSz53OiATIgHQv2ieY2BrNU0LbbqhPcCT4H8js1WtciVORvnSFu+w
 ZMEBnunKoGqYDs/YYPIvSbjkQuE4NRb0yG5P94FW6LqjviOvrv1vA+ACOzB2+htt
 Qc8Bsem4yWb02ybzOqR08kkkW8mw0FfB+j564ZfJ
 -----END CERTIFICATE-----
+=== /C=CH/O=SwissSign AG/CN=SwissSign RSA TLS Root CA 2022 - 1
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            43:fa:0c:5f:4e:1b:80:18:44:ef:d1:b4:4f:35:1f:44:f4:80:ed:cb
+    Signature Algorithm: sha256WithRSAEncryption
+        Validity
+            Not Before: Jun  8 11:08:22 2022 GMT
+            Not After : Jun  8 11:08:22 2047 GMT
+        Subject: C=CH, O=SwissSign AG, CN=SwissSign RSA TLS Root CA 2022 - 1
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+            X509v3 Authority Key Identifier:
+                keyid:6F:8E:62:8B:93:43:B0:E1:40:F6:A7:C3:FD:F1:0F:B8:0F:15:38:A5
+            X509v3 Subject Key Identifier:
+                6F:8E:62:8B:93:43:B0:E1:40:F6:A7:C3:FD:F1:0F:B8:0F:15:38:A5
+SHA1 Fingerprint=81:34:0A:BE:4C:CD:CE:CC:E7:7D:CC:8A:D4:57:E2:45:A0:77:5D:CE
+SHA256 Fingerprint=19:31:44:F4:31:E0:FD:DB:74:07:17:D4:DE:92:6A:57:11:33:88:4B:43:60:D3:0E:27:29:13:CB:E6:60:CE:41
+-----BEGIN CERTIFICATE-----
+MIIFkzCCA3ugAwIBAgIUQ/oMX04bgBhE79G0TzUfRPSA7cswDQYJKoZIhvcNAQEL
+BQAwUTELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzErMCkGA1UE
+AxMiU3dpc3NTaWduIFJTQSBUTFMgUm9vdCBDQSAyMDIyIC0gMTAeFw0yMjA2MDgx
+MTA4MjJaFw00NzA2MDgxMTA4MjJaMFExCzAJBgNVBAYTAkNIMRUwEwYDVQQKEwxT
+d2lzc1NpZ24gQUcxKzApBgNVBAMTIlN3aXNzU2lnbiBSU0EgVExTIFJvb3QgQ0Eg
+MjAyMiAtIDEwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDLKmjiC8NX
+vDVjvHClO/OMPE5Xlm7DTjak9gLKHqquuN6orx122ro10JFwB9+zBvKK8i5VUXu7
+LCTLf5ImgKO0lPaCoaTo+nUdWfMHamFk4saMla+ju45vVs9xzF6BYQ1t8qsCLqSX
+5XH8irCRIFucdFJtrhUnWXjyCcplDn/L9Ovn3KlMd/YrFgSVrpxxpT8q2kFC5zyE
+EPThPYxr4iuRR1VPuFa+Rd4iUU1OKNlfGUEGjw5NBuBwQCMBauTLE5tzrE0USJIt
+/m2n+IdreXXhvhCxqohAWVTXz8TQm0SzOGlkjIHRI36qOTw7D59Ke4LKa2/KIj4x
+0LDQKhySio/YGZxH5D4MucLNvkEM+KRHBdvBFzA4OmnczcNpI/2aDwLOEGrOyvi5
+KaM2iYauC8BPY7kGWUleDsFpswrzd34unYyzJ5jSmY0lpx+Gs6ZUcDj8fV3oT4MM
+0ZPlEuRU2j7yrTrePjxF8CgPBrnh25d7mUWe3f6VWQQvdT/TromZhqwUtKiE+shd
+OxtYk8EXlFXIC+OCeYSf8wCENO7cMdWP8vpPlkwGqnj73mSiI80fPsWMvDdUDrta
+clXvyFu1cvh43zcgTFeRc5JzrBh3Q4IgaezprClG5QtO+DdziZaKHG29777YtvTK
+wP1H8K4LWCDFyB02rpeNUIMmJCn3nTsPBQIDAQABo2MwYTAPBgNVHRMBAf8EBTAD
+AQH/MA4GA1UdDwEB/wQEAwIBBjAfBgNVHSMEGDAWgBRvjmKLk0Ow4UD2p8P98Q+4
+DxU4pTAdBgNVHQ4EFgQUb45ii5NDsOFA9qfD/fEPuA8VOKUwDQYJKoZIhvcNAQEL
+BQADggIBAKwsKUF9+lz1GpUYvyypiqkkVHX1uECry6gkUSsYP2OprphWKwVDIqO3
+10aewCoSPY6WlkDfDDOLazeROpW7OSltwAJsipQLBwJNGD77+3v1dj2b9l4wBlgz
+Hqp41eZUBDqyggmNzhYzWUUo8aWjlw5DI/0LIICQ/+Mmz7hkkeUFjxOgdg3XNwwQ
+iJb0Pr6VvfHDffCjw3lHC1ySFWPtUnWK50Zpy1FVCypM9fJkT6lc/2cyjlUtMoIc
+gC9qkfjLvH4YoiaoLqNTKIftV+Vlek4ASltOU8liNr3CjlvrzG4ngRhZi0Rjn9UM
+ZfQpZX+RLOV/fuiJz48gy20HQhFRJjKKLjpHE7iNvUcNCfAWpO2Whi4Z2L6MOuhF
+LhG6rlrnub+xzI/goP+4s9GFe3lmozm1O2bYQL7Pt2eLSMkZJVX8vY3PXtpOpvJp
+zv1/THfQwUY1mFwjmwJFQ5Ra3bxHrSL+ul4vkSkphnsh3m5kt8sNjzdbowhq6/Td
+Ao9QAwKxuDdollDruF/UKIqlIgyKhPBZLtU30WHlQnNYKoH3dtvi4k0NX/a3vgW0
+rk4N3hY9A4GzJl5LuEsAz/+MF7psYC0nhzck5npgL7XTgwSqT0N1osGDsieYK7EO
+gLrAhV5Cud+xYJHT6xh+cHiudoO+cVrQkOPKwRYlZ0rwtnu64ZzZ
+-----END CERTIFICATE-----
 ### T-Systems Enterprise Services GmbH
@@ -6020,55 +5938,6 @@ HL/EVlP6Y2XQ8xwOFvVrhlhNGNTkDY6lnVuR3HYkUD/GKvvZt5y11ubQ2egZixVx
 SK236thZiNSQvxaz2emsWWFUyBy6ysHK4bkgTI86k4mloMy/0/Z1pHWWbVY=
 -----END CERTIFICATE-----
-### The Go Daddy Group, Inc.
-=== /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 0 (0x0)
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Jun 29 17:06:20 2004 GMT
-            Not After : Jun 29 17:06:20 2034 GMT
-        Subject: C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority
-        X509v3 extensions:
-            X509v3 Subject Key Identifier:
-                D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
-            X509v3 Authority Key Identifier:
-                keyid:D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
-                DirName:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-                serial:00
-            X509v3 Basic Constraints:
-                CA:TRUE
-SHA1 Fingerprint=27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4
-SHA256 Fingerprint=C3:84:6B:F2:4B:9E:93:CA:64:27:4C:0E:C6:7C:1E:CC:5E:02:4F:FC:AC:D2:D7:40:19:35:0E:81:FE:54:6A:E4
-----BEGIN CERTIFICATE-----
-MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
-MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
-YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
-MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
-ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
-MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
-ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
-PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
-wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
-EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
-avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
-YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
-sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
-/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
-IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
-YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
-ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
-OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
-TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
-HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
-dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
-ReYNnyicsbkqWletNw+vHX/bvZ8=
-----END CERTIFICATE-----
 ### The USERTRUST Network
 === /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust ECC Certification Authority
@@ -6258,6 +6127,92 @@ AwIBBjAKBggqhkjOPQQDAwNnADBkAjBe8usGzEkxn0AAbbd+NvBNEU/zy4k6LHiR
 UKNbwMp1JvK/kF0LgoxgKJ/GcJpo5PECMFxYDlZ2z1jD1xCMuo6u47xkdUfFVZDj
 /bpV6wfEU6s3qe4hsiFbYI89MvHVI5TWWA==
 -----END CERTIFICATE-----
+=== /C=CN/O=TrustAsia Technologies, Inc./CN=TrustAsia TLS ECC Root CA
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            36:74:e1:4d:7c:65:13:c9:ac:83:55:25:a0:3e:52:7e:2f:50:68:c7
+    Signature Algorithm: ecdsa-with-SHA384
+        Validity
+            Not Before: May 15 05:41:56 2024 GMT
+            Not After : May 15 05:41:55 2044 GMT
+        Subject: C=CN, O=TrustAsia Technologies, Inc., CN=TrustAsia TLS ECC Root CA
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier:
+                2C:85:53:BB:B1:43:CD:32:EA:9E:A3:87:FE:A2:98:A8:A6:93:E9:10
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+SHA1 Fingerprint=B5:EC:39:F3:A1:66:37:AE:C3:05:94:57:E2:BE:11:BE:B7:A1:7F:36
+SHA256 Fingerprint=C0:07:6B:9E:F0:53:1F:B1:A6:56:D6:7C:4E:BE:97:CD:5D:BA:A4:1E:F4:45:98:AC:C2:48:98:78:C9:2D:87:11
+-----BEGIN CERTIFICATE-----
+MIICMTCCAbegAwIBAgIUNnThTXxlE8msg1UloD5Sfi9QaMcwCgYIKoZIzj0EAwMw
+WDELMAkGA1UEBhMCQ04xJTAjBgNVBAoTHFRydXN0QXNpYSBUZWNobm9sb2dpZXMs
+IEluYy4xIjAgBgNVBAMTGVRydXN0QXNpYSBUTFMgRUNDIFJvb3QgQ0EwHhcNMjQw
+NTE1MDU0MTU2WhcNNDQwNTE1MDU0MTU1WjBYMQswCQYDVQQGEwJDTjElMCMGA1UE
+ChMcVHJ1c3RBc2lhIFRlY2hub2xvZ2llcywgSW5jLjEiMCAGA1UEAxMZVHJ1c3RB
+c2lhIFRMUyBFQ0MgUm9vdCBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABLh/pVs/
+AT598IhtrimY4ZtcU5nb9wj/1WrgjstEpvDBjL1P1M7UiFPoXlfXTr4sP/MSpwDp
+guMqWzJ8S5sUKZ74LYO1644xST0mYekdcouJtgq7nDM1D9rs3qlKH8kzsaNCMEAw
+DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQULIVTu7FDzTLqnqOH/qKYqKaT6RAw
+DgYDVR0PAQH/BAQDAgEGMAoGCCqGSM49BAMDA2gAMGUCMFRH18MtYYZI9HlaVQ01
+L18N9mdsd0AaRuf4aFtOJx24mH1/k78ITcTaRTChD15KeAIxAKORh/IRM4PDwYqR
+OkwrULG9IpRdNYlzg8WbGf60oenUoWa2AaU2+dhoYSi3dOGiMQ==
+-----END CERTIFICATE-----
+=== /C=CN/O=TrustAsia Technologies, Inc./CN=TrustAsia TLS RSA Root CA
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            1c:18:d8:cf:e5:53:3f:22:35:46:53:54:24:3c:6c:47:d1:5c:4a:9c
+    Signature Algorithm: sha384WithRSAEncryption
+        Validity
+            Not Before: May 15 05:41:57 2024 GMT
+            Not After : May 15 05:41:56 2044 GMT
+        Subject: C=CN, O=TrustAsia Technologies, Inc., CN=TrustAsia TLS RSA Root CA
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Subject Key Identifier:
+                B8:07:91:79:5C:06:F4:46:FD:7B:59:CA:5A:26:91:A7:45:2B:F8:53
+            X509v3 Key Usage: critical
+                Certificate Sign, CRL Sign
+SHA1 Fingerprint=A5:46:50:C5:62:EA:95:9A:1A:A7:04:6F:17:58:C7:29:53:3D:03:FA
+SHA256 Fingerprint=06:C0:8D:7D:AF:D8:76:97:1E:B1:12:4F:E6:7F:84:7E:C0:C7:A1:58:D3:EA:53:CB:E9:40:E2:EA:97:91:F4:C3
+-----BEGIN CERTIFICATE-----
+MIIFgDCCA2igAwIBAgIUHBjYz+VTPyI1RlNUJDxsR9FcSpwwDQYJKoZIhvcNAQEM
+BQAwWDELMAkGA1UEBhMCQ04xJTAjBgNVBAoTHFRydXN0QXNpYSBUZWNobm9sb2dp
+ZXMsIEluYy4xIjAgBgNVBAMTGVRydXN0QXNpYSBUTFMgUlNBIFJvb3QgQ0EwHhcN
+MjQwNTE1MDU0MTU3WhcNNDQwNTE1MDU0MTU2WjBYMQswCQYDVQQGEwJDTjElMCMG
+A1UEChMcVHJ1c3RBc2lhIFRlY2hub2xvZ2llcywgSW5jLjEiMCAGA1UEAxMZVHJ1
+c3RBc2lhIFRMUyBSU0EgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
+AgoCggIBAMMWuBtqpERz5dZO9LnPWwvB0ZqB9WOwj0PBuwhaGnrhB3YmH49pVr7+
+NmDQDIPNlOrnxS1cLwUWAp4KqC/lYCZUlviYQB2srp10Zy9U+5RjmOMmSoPGlbYJ
+Q1DNDX3eRA5gEk9bNb2/mThtfWza4mhzH/kxpRkQcwUqwzIZheo0qt1CHjCNP561
+HmHVb70AcnKtEj+qpklz8oYVlQwQX1Fkzv93uMltrOXVmPGZLmzjyUT5tUMnCE32
+ft5EebuyjBza00tsLtbDeLdM1aTk2tyKjg7/D8OmYCYozza/+lcK7Fs/6TAWe8Tb
+xNRkoDD75f0dcZLdKY9BWN4ArTr9PXwaqLEX8E40eFgl1oUh63kd0Nyrz2I8sMeX
+i9bQn9P+PN7F4/w6g3CEIR0JwqH8uyghZVNgepBtljhb//HXeltt08lwSUq6HTrQ
+UNoyIBnkiz/r1RYmNzz7dZ6wB3C4FGB33PYPXFIKvF1tjVEK2sUYyJtt3LCDs3+j
+TnhMmCWr8n4uIF6CFabW2I+s5c0yhsj55NqJ4js+k8UTav/H9xj8Z7XvGCxUq0DT
+bE3txci3OE9kxJRMT6DNrqXGJyV1J23G2pyOsAWZ1SgRxSHUuPzHlqtKZFlhaxP8
+S8ySpg+kUb8OWJDZgoM5pl+z+m6Ss80zDoWo8SnTq1mt1tve1CuBAgMBAAGjQjBA
+MA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFLgHkXlcBvRG/XtZylomkadFK/hT
+MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQwFAAOCAgEAIZtqBSBdGBanEqT3
+Rz/NyjuujsCCztxIJXgXbODgcMTWltnZ9r96nBO7U5WS/8+S4PPFJzVXqDuiGev4
+iqME3mmL5Dw8veWv0BIb5Ylrc5tvJQJLkIKvQMKtuppgJFqBTQUYo+IzeXoLH5Pt
+7DlK9RME7I10nYEKqG/odv6LTytpEoYKNDbdgptvT+Bz3Ul/KD7JO6NXBNiT2Twp
+2xIQaOHEibgGIOcberyxk2GaGUARtWqFVwHxtlotJnMnlvm5P1vQiJ3koP26TpUJ
+g3933FEFlJ0gcXax7PqJtZwuhfG5WyRasQmr2soaB82G39tp27RIGAAtvKLEiUUj
+pQ7hRGU+isFqMB3iYPg6qocJQrmBktwliJiJ8Xw18WLK7nn4GS/+X/jbh87qqA8M
+pugLoDzga5SYnH+tBuYc6kIQX+ImFTw3OffXvO645e8D7r0i+yiGNFjEWn9hongP
+XvPKnbwbPKfILfanIhHKA9jnZwqKDss1jjQ52MjqjZ9k4DewbNfFj8GQYSbbJIwe
+SsCI3zWQzj8C9GRh3sfIB5XeMhg6j6JCQCTl1jNdfK7vsU1P1FeQNWrcrgSXSYk0
+ly4wBOeY99sLAZDBHwo/+ML+TvrbmnNzFrwFuHnYWa8G5z9nODmxfKuU4CkUpijy
+323imttUQ/hHWKNddBWcwauwxzQ=
+-----END CERTIFICATE-----
 ### Trustwave Holdings, Inc.
@@ -6669,63 +6624,6 @@ rYy0UGYwEAYJKwYBBAGCNxUBBAMCAQAwCgYIKoZIzj0EAwMDaAAwZQIwJsdpW9zV
 Mgj/mkkCtojeFK9dbJlxjRo/i9fgojaGHAeCOnZT/cKi7e97sIBPWA9LUzm9
 -----END CERTIFICATE-----
-### XRamp Security Services Inc
-=== /C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp Global Certification Authority
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
-    Signature Algorithm: sha1WithRSAEncryption
-        Validity
-            Not Before: Nov  1 17:14:04 2004 GMT
-            Not After : Jan  1 05:37:19 2035 GMT
-        Subject: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
-        X509v3 extensions:
-            1.3.6.1.4.1.311.20.2:
-                ...C.A
-            X509v3 Key Usage:
-                Digital Signature, Certificate Sign, CRL Sign
-            X509v3 Basic Constraints: critical
-                CA:TRUE
-            X509v3 Subject Key Identifier:
-                C6:4F:A2:3D:06:63:84:09:9C:CE:62:E4:04:AC:8D:5C:B5:E9:B6:1B
-            X509v3 CRL Distribution Points:
-                Full Name:
-                  URI:http://crl.xrampsecurity.com/XGCA.crl
-            1.3.6.1.4.1.311.21.1:
-                ...
-SHA1 Fingerprint=B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6
-SHA256 Fingerprint=CE:CD:DC:90:50:99:D8:DA:DF:C5:B1:D2:09:B7:37:CB:E2:C1:8C:FB:2C:10:C0:FF:0B:CF:0D:32:86:FC:1A:A2
-----BEGIN CERTIFICATE-----
-MIIEMDCCAxigAwIBAgIQUJRs7Bjq1ZxN1ZfvdY+grTANBgkqhkiG9w0BAQUFADCB
-gjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3dy54cmFtcHNlY3VyaXR5LmNvbTEk
-MCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2VydmljZXMgSW5jMS0wKwYDVQQDEyRY
-UmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDQxMTAxMTcx
-NDA0WhcNMzUwMTAxMDUzNzE5WjCBgjELMAkGA1UEBhMCVVMxHjAcBgNVBAsTFXd3
-dy54cmFtcHNlY3VyaXR5LmNvbTEkMCIGA1UEChMbWFJhbXAgU2VjdXJpdHkgU2Vy
-dmljZXMgSW5jMS0wKwYDVQQDEyRYUmFtcCBHbG9iYWwgQ2VydGlmaWNhdGlvbiBB
-dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCYJB69FbS6
-38eMpSe2OAtp87ZOqCwuIR1cRN8hXX4jdP5efrRKt6atH67gBhbim1vZZ3RrXYCP
-KZ2GG9mcDZhtdhAoWORlsH9KmHmf4MMxfoArtYzAQDsRhtDLooY2YKTVMIJt2W7Q
-DxIEM5dfT2Fa8OT5kavnHTu86M/0ay00fOJIYRyO82FEzG+gSqmUsE3a56k0enI4
-qEHMPJQRfevIpoy3hsvKMzvZPTeL+3o+hiznc9cKV6xkmxnr9A8ECIqsAxcZZPRa
-JSKNNCyy9mgdEm3Tih4U2sSPpuIjhdV6Db1q4Ons7Be7QhtnqiXtRYMh/MHJfNVi
-PvryxS3T/dRlAgMBAAGjgZ8wgZwwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0P
-BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFMZPoj0GY4QJnM5i5ASs
-jVy16bYbMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwueHJhbXBzZWN1cml0
-eS5jb20vWEdDQS5jcmwwEAYJKwYBBAGCNxUBBAMCAQEwDQYJKoZIhvcNAQEFBQAD
-ggEBAJEVOQMBG2f7Shz5CmBbodpNl2L5JFMn14JkTpAuw0kbK5rc/Kh4ZzXxHfAR
-vbdI4xD2Dd8/0sm2qlWkSLoC295ZLhVbO50WfUfXN+pfTXYSNrsf16GBBEYgoyxt
-qZ4Bfj8pzgCT3/3JknOJiWSe5yvkHJEs0rnOfc5vMZnT5r7SHpDwCRR5XCOrTdLa
-IR9NmXmd4c8nnxCbHIgNsIpkQTG4DmyQJKSbXHGPurt+HBvbaoAPIbzp26a3QPSy
-i6mx5O+aGtA9aZnuqCij4Tyz8LIRnM98QObd50N9otg6tamN8jSZxNQQ4Qb9CYQQ
-O+7ETPTsJ3xCwnR8gooJybQDJbw=
-----END CERTIFICATE-----
 ### certSIGN
 === /C=RO/O=certSIGN/OU=certSIGN ROOT CA
diff --git a/src/lib/libcrypto/cms/cms_dd.c b/src/lib/libcrypto/cms/cms_dd.c
index 0a357094c5..daccbcd988 100644
--- a/src/lib/libcrypto/cms/cms_dd.c
+++ b/src/lib/libcrypto/cms/cms_dd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_dd.c,v 1.17 2023/10/26 09:08:57 tb Exp $ */
+/* $OpenBSD: cms_dd.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -56,11 +56,11 @@
 #include <openssl/asn1.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "cms_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 /* CMS DigestedData Utilities */
diff --git a/src/lib/libcrypto/cms/cms_enc.c b/src/lib/libcrypto/cms/cms_enc.c
index ef6925dbd6..928b396815 100644
--- a/src/lib/libcrypto/cms/cms_enc.c
+++ b/src/lib/libcrypto/cms/cms_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_enc.c,v 1.25 2024/11/01 18:34:06 tb Exp $ */
+/* $OpenBSD: cms_enc.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -58,12 +58,12 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "cms_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 /* CMS EncryptedData Utilities */
diff --git a/src/lib/libcrypto/cms/cms_env.c b/src/lib/libcrypto/cms/cms_env.c
index 629d23215e..7fa578466d 100644
--- a/src/lib/libcrypto/cms/cms_env.c
+++ b/src/lib/libcrypto/cms/cms_env.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_env.c,v 1.28 2024/11/01 18:42:10 tb Exp $ */
+/* $OpenBSD: cms_env.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -59,12 +59,12 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "cms_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 /* CMS EnvelopedData Utilities */
diff --git a/src/lib/libcrypto/cms/cms_ess.c b/src/lib/libcrypto/cms/cms_ess.c
index f01dcf73ed..5435fa404c 100644
--- a/src/lib/libcrypto/cms/cms_ess.c
+++ b/src/lib/libcrypto/cms/cms_ess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_ess.c,v 1.26 2024/11/01 18:53:35 tb Exp $ */
+/* $OpenBSD: cms_ess.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -57,13 +57,13 @@
 #include <openssl/asn1.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include "cms_local.h"
+#include "err_local.h"
 CMS_ReceiptRequest *
 d2i_CMS_ReceiptRequest(CMS_ReceiptRequest **a, const unsigned char **in, long len)
diff --git a/src/lib/libcrypto/cms/cms_io.c b/src/lib/libcrypto/cms/cms_io.c
index 84ada47c49..a9be5461a3 100644
--- a/src/lib/libcrypto/cms/cms_io.c
+++ b/src/lib/libcrypto/cms/cms_io.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_io.c,v 1.21 2024/03/30 01:53:05 joshua Exp $ */
+/* $OpenBSD: cms_io.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -54,12 +54,12 @@
 #include <openssl/asn1t.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
 #include "cms_local.h"
+#include "err_local.h"
 int
 CMS_stream(unsigned char ***boundary, CMS_ContentInfo *cms)
diff --git a/src/lib/libcrypto/cms/cms_kari.c b/src/lib/libcrypto/cms/cms_kari.c
index 86b1ad9e83..c23da18058 100644
--- a/src/lib/libcrypto/cms/cms_kari.c
+++ b/src/lib/libcrypto/cms/cms_kari.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_kari.c,v 1.17 2024/11/01 18:34:06 tb Exp $ */
+/* $OpenBSD: cms_kari.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -57,10 +57,10 @@
 #include <openssl/asn1.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include "cms_local.h"
+#include "err_local.h"
 /* Key Agreement Recipient Info (KARI) routines */
diff --git a/src/lib/libcrypto/cms/cms_lib.c b/src/lib/libcrypto/cms/cms_lib.c
index 2d7a8d9f21..b9fc5c21c7 100644
--- a/src/lib/libcrypto/cms/cms_lib.c
+++ b/src/lib/libcrypto/cms/cms_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_lib.c,v 1.26 2024/11/01 18:53:35 tb Exp $ */
+/* $OpenBSD: cms_lib.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -57,13 +57,13 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include "cms_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 CMS_ContentInfo *
diff --git a/src/lib/libcrypto/cms/cms_pwri.c b/src/lib/libcrypto/cms/cms_pwri.c
index b6fe5df961..f64f4ab68c 100644
--- a/src/lib/libcrypto/cms/cms_pwri.c
+++ b/src/lib/libcrypto/cms/cms_pwri.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_pwri.c,v 1.31 2024/01/14 18:40:24 tb Exp $ */
+/* $OpenBSD: cms_pwri.c,v 1.35 2025/09/30 12:51:16 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -58,13 +58,13 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/cms.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "cms_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
@@ -267,7 +267,7 @@ kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in,
                /* Check byte failure */
                goto err;
        }
-        if (inlen < (size_t)(tmp[0] - 4)) {
+        if (inlen < 4 + (size_t)tmp[0]) {
                /* Invalid length value */
                goto err;
        }
@@ -368,13 +368,13 @@ cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
        kekcipher = EVP_get_cipherbyobj(kekalg->algorithm);
        if (!kekcipher) {
                CMSerror(CMS_R_UNKNOWN_CIPHER);
-                return 0;
+                goto err;
        }
        kekctx = EVP_CIPHER_CTX_new();
        if (kekctx == NULL) {
                CMSerror(ERR_R_MALLOC_FAILURE);
-                return 0;
+                goto err;
        }
        /* Fixup cipher based on AlgorithmIdentifier to set IV etc */
        if (!EVP_CipherInit_ex(kekctx, kekcipher, NULL, NULL, NULL, en_de))
@@ -389,8 +389,8 @@ cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri,
        /* Finish password based key derivation to setup key in "ctx" */
-        if (EVP_PBE_CipherInit(algtmp->algorithm, (char *)pwri->pass,
+        if (!EVP_PBE_CipherInit(algtmp->algorithm, (char *)pwri->pass,
-            pwri->passlen, algtmp->parameter, kekctx, en_de) < 0) {
+            pwri->passlen, algtmp->parameter, kekctx, en_de)) {
                CMSerror(ERR_R_EVP_LIB);
                goto err;
        }
diff --git a/src/lib/libcrypto/cms/cms_sd.c b/src/lib/libcrypto/cms/cms_sd.c
index 9cdd4ce143..abcac83e47 100644
--- a/src/lib/libcrypto/cms/cms_sd.c
+++ b/src/lib/libcrypto/cms/cms_sd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_sd.c,v 1.33 2024/04/20 10:11:55 tb Exp $ */
+/* $OpenBSD: cms_sd.c,v 1.36 2025/07/31 02:24:21 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -57,7 +57,6 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/cms.h>
 #include <openssl/objects.h>
@@ -66,6 +65,7 @@
 #include "asn1_local.h"
 #include "cms_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
@@ -484,35 +484,6 @@ CMS_add1_signer(CMS_ContentInfo *cms, X509 *signer, EVP_PKEY *pk,
 }
 LCRYPTO_ALIAS(CMS_add1_signer);
-static int
-cms_add1_signingTime(CMS_SignerInfo *si, ASN1_TIME *t)
-{
-        ASN1_TIME *tt;
-        int r = 0;
-        if (t)
-                tt = t;
-        else
-                tt = X509_gmtime_adj(NULL, 0);
-        if (!tt)
-                goto merr;
-        if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime,
-                                                tt->type, tt, -1) <= 0)
-                goto merr;
-        r = 1;
- merr:
-        if (!t)
-                ASN1_TIME_free(tt);
-        if (!r)
-                CMSerror(ERR_R_MALLOC_FAILURE);
-        return r;
-}
 EVP_PKEY_CTX *
 CMS_SignerInfo_get0_pkey_ctx(CMS_SignerInfo *si)
 {
@@ -778,6 +749,7 @@ cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain)
 int
 CMS_SignerInfo_sign(CMS_SignerInfo *si)
 {
+        ASN1_TIME *at = NULL;
        const EVP_MD *md;
        unsigned char *buf = NULL, *sig = NULL;
        int buf_len = 0;
@@ -788,7 +760,12 @@ CMS_SignerInfo_sign(CMS_SignerInfo *si)
                goto err;
        if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) {
-                if (!cms_add1_signingTime(si, NULL))
+                if ((at = X509_gmtime_adj(NULL, 0)) == NULL) {
+                        CMSerror(ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
+                if (!CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime,
+                    at->type, at, -1))
                        goto err;
        }
@@ -828,6 +805,7 @@ CMS_SignerInfo_sign(CMS_SignerInfo *si)
        ret = 1;
 err:
+        ASN1_TIME_free(at);
        (void)EVP_MD_CTX_reset(si->mctx);
        freezero(buf, buf_len);
        freezero(sig, sig_len);
@@ -1012,6 +990,8 @@ LCRYPTO_ALIAS(CMS_add_smimecap);
 * Add AlgorithmIdentifier OID of type |nid| to the SMIMECapability attribute
 * set |*out_algs| (see RFC 3851, section 2.5.2). If keysize > 0, the OID has
 * an integer parameter of value |keysize|, otherwise parameters are omitted.
+ *
+ * See also PKCS7_simple_smimecap().
 */
 int
 CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **out_algs, int nid, int keysize)
diff --git a/src/lib/libcrypto/cms/cms_smime.c b/src/lib/libcrypto/cms/cms_smime.c
index 5a194748d9..a4918643d2 100644
--- a/src/lib/libcrypto/cms/cms_smime.c
+++ b/src/lib/libcrypto/cms/cms_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_smime.c,v 1.28 2023/12/22 10:23:11 tb Exp $ */
+/* $OpenBSD: cms_smime.c,v 1.31 2025/11/28 06:07:09 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
@@ -59,7 +59,6 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
@@ -67,6 +66,7 @@
 #include <openssl/x509_vfy.h>
 #include "cms_local.h"
+#include "err_local.h"
 static BIO *
 cms_get_text_bio(BIO *out, unsigned int flags)
@@ -277,25 +277,32 @@ CMS_ContentInfo *
 CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher,
    const unsigned char *key, size_t keylen, unsigned int flags)
 {
-        CMS_ContentInfo *cms;
+        CMS_ContentInfo *cms = NULL;
-        if (!cipher) {
+        if (cipher == NULL) {
                CMSerror(CMS_R_NO_CIPHER);
-                return NULL;
+                goto err;
        }
-        cms = CMS_ContentInfo_new();
-        if (cms == NULL)
+        if ((cms = CMS_ContentInfo_new()) == NULL)
-                return NULL;
+                goto err;
        if (!CMS_EncryptedData_set1_key(cms, cipher, key, keylen))
-                return NULL;
+                goto err;
-        if (!(flags & CMS_DETACHED))
+        if ((flags & CMS_DETACHED) == 0) {
-                CMS_set_detached(cms, 0);
+                if (!CMS_set_detached(cms, 0))
+                        goto err;
+        }
-        if ((flags & (CMS_STREAM | CMS_PARTIAL)) ||
+        if ((flags & (CMS_STREAM | CMS_PARTIAL)) == 0) {
-            CMS_final(cms, in, NULL, flags))
+                if (!CMS_final(cms, in, NULL, flags))
-                return cms;
+                        goto err;
+        }
+        return cms;
+ err:
        CMS_ContentInfo_free(cms);
        return NULL;
diff --git a/src/lib/libcrypto/conf/README b/src/lib/libcrypto/conf/README
deleted file mode 100644
index 96e53b34ed..0000000000
--- a/src/lib/libcrypto/conf/README
+++ /dev/null
@@ -1,73 +0,0 @@
-Configuration modules. These are a set of modules which can perform
-various configuration functions.
-Currently the routines should be called at most once when an application
-starts up: that is before it starts any threads.
-The routines read a configuration file set up like this:
-----
-#default section
-openssl_conf=init_section
-[init_section]
-module1=value1
-#Second instance of module1
-module1.1=valueX
-module2=value2
-module3=dso_literal
-module4=dso_section
-[dso_section]
-path=/some/path/to/some/dso.so
-other_stuff=other_value
----
-When this file is loaded a configuration module with the specified string
-(module* in the above example) is looked up and its init function called as:
-int conf_init_func(CONF_IMODULE *md, CONF *cnf);
-The function can then take whatever action is appropriate, for example further
-lookups based on the value. Multiple instances of the same config module can be
-loaded.
-When the application closes down the modules are cleaned up by calling an
-optional finish function:
-void conf_finish_func(CONF_IMODULE *md);
-The finish functions are called in reverse order: that is the last module
-loaded is the first one cleaned up.
-If no module exists with a given name then an attempt is made to load a DSO
-with the supplied name. This might mean that "module3" attempts to load a DSO
-called libmodule3.so or module3.dll for example. An explicit DSO name can be
-given by including a separate section as in the module4 example above.
-The DSO is expected to at least contain an initialization function:
-int OPENSSL_init(CONF_IMODULE *md, CONF *cnf);
-and may also include a finish function:
-void OPENSSL_finish(CONF_IMODULE *md);
-Static modules can also be added using,
-int CONF_module_add(char *name, dso_mod_init_func *ifunc, dso_mod_finish_func
-*ffunc);
-where "name" is the name in the configuration file this function corresponds
-to.
-A set of builtin modules (currently only an ASN1 non functional test module)
-can be added by calling OPENSSL_load_builtin_modules(). 
-The function OPENSSL_config() is intended as a simple configuration function
-that any application can call to perform various default configuration tasks.
-It uses the file openssl.cnf in the usual locations.
diff --git a/src/lib/libcrypto/conf/conf_api.c b/src/lib/libcrypto/conf/conf_api.c
index f986243b65..0d5a67d9a5 100644
--- a/src/lib/libcrypto/conf/conf_api.c
+++ b/src/lib/libcrypto/conf/conf_api.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf_api.c,v 1.26 2025/03/08 09:35:53 tb Exp $ */
+/* $OpenBSD: conf_api.c,v 1.29 2025/12/21 07:31:22 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -56,16 +56,10 @@
 * [including the GNU Public Licence.]
 */
-/* Part of the code in here was originally in conf.c, which is now removed */
-#ifndef CONF_DEBUG
-# undef NDEBUG /* avoid conflicting definitions */
-# define NDEBUG
-#endif
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <openssl/conf.h>
 #include "conf_local.h"
@@ -77,7 +71,6 @@ static IMPLEMENT_LHASH_DOALL_ARG_FN(value_free_hash, CONF_VALUE,
    LHASH_OF(CONF_VALUE))
 static IMPLEMENT_LHASH_DOALL_FN(value_free_stack, CONF_VALUE)
-/* Up until OpenSSL 0.9.5a, this was get_section */
 CONF_VALUE *
 _CONF_get_section(const CONF *conf, const char *section)
 {
@@ -229,7 +222,6 @@ value_free_stack_doall(CONF_VALUE *a)
        free(a);
 }
-/* Up until OpenSSL 0.9.5a, this was new_section */
 CONF_VALUE *
 _CONF_new_section(CONF *conf, const char *section)
 {
diff --git a/src/lib/libcrypto/conf/conf_def.c b/src/lib/libcrypto/conf/conf_def.c
index 0173a7117c..fe9391685d 100644
--- a/src/lib/libcrypto/conf/conf_def.c
+++ b/src/lib/libcrypto/conf/conf_def.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf_def.c,v 1.44 2024/08/31 09:46:17 tb Exp $ */
+/* $OpenBSD: conf_def.c,v 1.45 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,12 +63,12 @@
 #include <openssl/buffer.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/stack.h>
 #include "conf_def.h"
 #include "conf_local.h"
+#include "err_local.h"
 #define MAX_CONF_VALUE_LENGTH 65536
diff --git a/src/lib/libcrypto/conf/conf_lib.c b/src/lib/libcrypto/conf/conf_lib.c
index 863e1c9475..84b4f8b0a7 100644
--- a/src/lib/libcrypto/conf/conf_lib.c
+++ b/src/lib/libcrypto/conf/conf_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf_lib.c,v 1.25 2025/03/08 09:35:53 tb Exp $ */
+/* $OpenBSD: conf_lib.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
 * project 2000.
 */
@@ -58,11 +58,11 @@
 #include <stdio.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/conf.h>
 #include <openssl/lhash.h>
 #include "conf_local.h"
+#include "err_local.h"
 static const CONF_METHOD *default_CONF_method = NULL;
diff --git a/src/lib/libcrypto/conf/conf_mod.c b/src/lib/libcrypto/conf/conf_mod.c
index 0e07bb3ea5..6e697cc478 100644
--- a/src/lib/libcrypto/conf/conf_mod.c
+++ b/src/lib/libcrypto/conf/conf_mod.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf_mod.c,v 1.40 2024/10/10 06:51:22 tb Exp $ */
+/* $OpenBSD: conf_mod.c,v 1.41 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -63,9 +63,10 @@
 #include <openssl/conf.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 /* This structure contains data about supported modules. */
 struct conf_module_st {
        /* Name of the module */
diff --git a/src/lib/libcrypto/crypto.h b/src/lib/libcrypto/crypto.h
index b4230f1b28..9fcf868403 100644
--- a/src/lib/libcrypto/crypto.h
+++ b/src/lib/libcrypto/crypto.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto.h,v 1.79 2025/03/09 15:29:56 tb Exp $ */
+/* $OpenBSD: crypto.h,v 1.80 2025/09/28 07:52:53 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
@@ -197,15 +197,15 @@ extern "C" {
 #ifndef CRYPTO_w_lock
 #define CRYPTO_w_lock(type)     \
-        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,OPENSSL_FILE,OPENSSL_LINE)
+        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,NULL,0)
 #define CRYPTO_w_unlock(type)   \
-        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,OPENSSL_FILE,OPENSSL_LINE)
+        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,NULL,0)
 #define CRYPTO_r_lock(type)     \
-        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,OPENSSL_FILE,OPENSSL_LINE)
+        CRYPTO_lock(CRYPTO_LOCK|CRYPTO_READ,type,NULL,0)
 #define CRYPTO_r_unlock(type)   \
-        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,OPENSSL_FILE,OPENSSL_LINE)
+        CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_READ,type,NULL,0)
 #define CRYPTO_add(addr,amount,type)    \
-        CRYPTO_add_lock(addr,amount,type,OPENSSL_FILE,OPENSSL_LINE)
+        CRYPTO_add_lock(addr,amount,type,NULL,0)
 #endif
 /* Some applications as well as some parts of OpenSSL need to allocate
@@ -275,9 +275,9 @@ DECLARE_STACK_OF(void)
 int CRYPTO_mem_ctrl(int mode);
-#define OPENSSL_malloc(num)     CRYPTO_malloc((num),OPENSSL_FILE,OPENSSL_LINE)
+#define OPENSSL_malloc(num)     CRYPTO_malloc((num),NULL,0)
-#define OPENSSL_strdup(str)     CRYPTO_strdup((str),OPENSSL_FILE,OPENSSL_LINE)
+#define OPENSSL_strdup(str)     CRYPTO_strdup((str),NULL,0)
-#define OPENSSL_free(addr)      CRYPTO_free((addr),OPENSSL_FILE,OPENSSL_LINE)
+#define OPENSSL_free(addr)      CRYPTO_free((addr),NULL,0)
 const char *OpenSSL_version(int type);
 #define OPENSSL_VERSION         0
diff --git a/src/lib/libcrypto/crypto_ex_data.c b/src/lib/libcrypto/crypto_ex_data.c
index ceb3a92e51..233905f888 100644
--- a/src/lib/libcrypto/crypto_ex_data.c
+++ b/src/lib/libcrypto/crypto_ex_data.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto_ex_data.c,v 1.4 2024/08/03 07:45:26 tb Exp $ */
+/* $OpenBSD: crypto_ex_data.c,v 1.6 2025/06/15 15:58:56 tb Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -52,7 +52,7 @@ crypto_ex_data_classes_init(void)
                return 1;
        if ((classes_new = calloc(CRYPTO_EX_INDEX__COUNT,
-            sizeof(struct crypto_ex_data_index))) == NULL)
+            sizeof(*classes_new))) == NULL)
                return 0;
        CRYPTO_w_lock(CRYPTO_LOCK_EX_DATA);
@@ -100,11 +100,10 @@ CRYPTO_get_ex_new_index(int class_index, long argl, void *argp,
                goto err;
        if ((class = classes[class_index]) == NULL) {
-                if ((new_class = calloc(1,
+                if ((new_class = calloc(1, sizeof(*new_class))) == NULL)
-                    sizeof(struct crypto_ex_data_class))) == NULL)
                        goto err;
                if ((new_class->indexes = calloc(CRYPTO_EX_DATA_MAX_INDEX,
-                    sizeof(struct crypto_ex_data_index *))) == NULL)
+                    sizeof(*new_class->indexes))) == NULL)
                        goto err;
                new_class->indexes_len = CRYPTO_EX_DATA_MAX_INDEX;
                new_class->next_index = 1;
@@ -119,7 +118,7 @@ CRYPTO_get_ex_new_index(int class_index, long argl, void *argp,
                class = classes[class_index];
        }
-        if ((index = calloc(1, sizeof(struct crypto_ex_data_index))) == NULL)
+        if ((index = calloc(1, sizeof(*index))) == NULL)
                goto err;
        index->new_func = new_func;
@@ -200,12 +199,12 @@ crypto_ex_data_init(CRYPTO_EX_DATA *exdata)
        if (exdata->sk != NULL)
                goto err;
-        if ((ced = calloc(1, sizeof(struct crypto_ex_data))) == NULL)
+        if ((ced = calloc(1, sizeof(*ced))) == NULL)
                goto err;
        ced->class_index = -1;
-        if ((ced->slots = calloc(CRYPTO_EX_DATA_MAX_INDEX, sizeof(void *))) == NULL)
+        if ((ced->slots = calloc(CRYPTO_EX_DATA_MAX_INDEX, sizeof(*ced->slots))) == NULL)
                goto err;
        ced->slots_len = CRYPTO_EX_DATA_MAX_INDEX;
diff --git a/src/lib/libcrypto/crypto_init.c b/src/lib/libcrypto/crypto_init.c
index 6016d1ae40..ae4914e358 100644
--- a/src/lib/libcrypto/crypto_init.c
+++ b/src/lib/libcrypto/crypto_init.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_init.c,v 1.22 2024/10/17 14:27:57 jsing Exp $ */
+/*      $OpenBSD: crypto_init.c,v 1.26 2025/06/11 07:41:12 tb Exp $ */
 /*
 * Copyright (c) 2018 Bob Beck <beck@openbsd.org>
 *
@@ -22,12 +22,12 @@
 #include <openssl/asn1.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509v3.h>
 #include "crypto_internal.h"
+#include "err_local.h"
 #include "x509_issuer_cache.h"
 int OpenSSL_config(const char *);
@@ -37,6 +37,30 @@ static pthread_once_t crypto_init_once = PTHREAD_ONCE_INIT;
 static pthread_t crypto_init_thread;
 static int crypto_init_cleaned_up;
+void openssl_init_crypto_constructor(void)  __attribute__((constructor));
+#ifndef HAVE_CRYPTO_CPU_CAPS_INIT
+void
+crypto_cpu_caps_init(void)
+{
+}
+#endif
+/*
+ * This function is invoked as a constructor when the library is loaded. The
+ * code run from here must not allocate memory or trigger signals. The only
+ * safe code is to read data and update global variables.
+ */
+void
+openssl_init_crypto_constructor(void)
+{
+        crypto_cpu_caps_init();
+}
+/*
+ * This is used by various configure scripts to check availability of libcrypto,
+ * so we need to keep it.
+ */
 void
 OPENSSL_init(void)
 {
@@ -48,8 +72,6 @@ OPENSSL_init_crypto_internal(void)
 {
        crypto_init_thread = pthread_self();
-        crypto_cpu_caps_init();
        ERR_load_crypto_strings();
 }
diff --git a/src/lib/libcrypto/crypto_internal.h b/src/lib/libcrypto/crypto_internal.h
index 09ae7fa466..058245e95e 100644
--- a/src/lib/libcrypto/crypto_internal.h
+++ b/src/lib/libcrypto/crypto_internal.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_internal.h,v 1.15 2025/01/19 07:51:41 jsing Exp $ */
+/*      $OpenBSD: crypto_internal.h,v 1.16 2025/07/22 09:18:02 jsing Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -300,6 +300,4 @@ crypto_ror_u64(uint64_t v, size_t shift)
 void crypto_cpu_caps_init(void);
-uint64_t crypto_cpu_caps_ia32(void);
 #endif
diff --git a/src/lib/libcrypto/crypto_legacy.c b/src/lib/libcrypto/crypto_legacy.c
index d864fc4c3f..dcaa63236c 100644
--- a/src/lib/libcrypto/crypto_legacy.c
+++ b/src/lib/libcrypto/crypto_legacy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto_legacy.c,v 1.6 2024/11/06 04:18:42 tb Exp $ */
+/* $OpenBSD: crypto_legacy.c,v 1.9 2025/07/22 09:18:02 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
@@ -123,10 +123,10 @@
 #include <openssl/opensslconf.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include "crypto_internal.h"
 #include "crypto_local.h"
+#include "err_local.h"
 #include "x86_arch.h"
 /* Machine independent capabilities. */
@@ -306,29 +306,6 @@ void
 }
 LCRYPTO_ALIAS(CRYPTO_get_dynlock_destroy_callback);
-#if !defined(OPENSSL_CPUID_SETUP) && !defined(OPENSSL_CPUID_OBJ)
-void
-OPENSSL_cpuid_setup(void)
-{
-}
-#endif
-#ifndef HAVE_CRYPTO_CPU_CAPS_INIT
-void
-crypto_cpu_caps_init(void)
-{
-        OPENSSL_cpuid_setup();
-}
-#endif
-#ifndef HAVE_CRYPTO_CPU_CAPS_IA32
-uint64_t
-crypto_cpu_caps_ia32(void)
-{
-        return 0;
-}
-#endif
 uint64_t
 OPENSSL_cpu_caps(void)
 {
diff --git a/src/lib/libcrypto/crypto_local.h b/src/lib/libcrypto/crypto_local.h
index 2b4c74552f..606f17cefb 100644
--- a/src/lib/libcrypto/crypto_local.h
+++ b/src/lib/libcrypto/crypto_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto_local.h,v 1.4 2024/11/05 10:11:58 tb Exp $ */
+/* $OpenBSD: crypto_local.h,v 1.6 2025/06/09 14:37:48 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -65,6 +65,10 @@
 extern "C" {
 #endif
+#ifndef OPENSSLDIR
+#define OPENSSLDIR "/etc/ssl"
+#endif
 #define X509_CERT_AREA          OPENSSLDIR
 #define X509_CERT_DIR           OPENSSLDIR "/certs"
 #define X509_CERT_FILE          OPENSSLDIR "/cert.pem"
@@ -75,8 +79,6 @@ extern "C" {
 #define CTLOG_FILE              OPENSSLDIR "/ct_log_list.cnf"
 #define CTLOG_FILE_EVP          "CTLOG_FILE"
-void OPENSSL_cpuid_setup(void);
 #ifdef  __cplusplus
 }
 #endif
diff --git a/src/lib/libcrypto/ct/ct_b64.c b/src/lib/libcrypto/ct/ct_b64.c
index 101cd1e2b1..e6e0532add 100644
--- a/src/lib/libcrypto/ct/ct_b64.c
+++ b/src/lib/libcrypto/ct/ct_b64.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_b64.c,v 1.7 2023/07/08 07:22:58 beck Exp $ */
+/*      $OpenBSD: ct_b64.c,v 1.8 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
 * (steve@openssl.org) for the OpenSSL project 2014.
@@ -61,11 +61,11 @@
 #include <string.h>
 #include <openssl/ct.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include "bytestring.h"
 #include "ct_local.h"
+#include "err_local.h"
 /*
 * Decodes the base64 string |in| into |out|.
diff --git a/src/lib/libcrypto/ct/ct_local.h b/src/lib/libcrypto/ct/ct_local.h
index cd19ed096a..152ab9d8c4 100644
--- a/src/lib/libcrypto/ct/ct_local.h
+++ b/src/lib/libcrypto/ct/ct_local.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_local.h,v 1.8 2021/12/20 17:19:19 jsing Exp $ */
+/*      $OpenBSD: ct_local.h,v 1.9 2025/11/26 10:19:57 tb Exp $ */
 /*
 * Written by Rob Percival (robpercival@google.com) for the OpenSSL project.
 */
@@ -51,6 +51,9 @@
 * ====================================================================
 */
+#ifndef HEADER_CT_LOCAL_H
+#define HEADER_CT_LOCAL_H
 #include <stddef.h>
 #include <openssl/ct.h>
@@ -258,3 +261,5 @@ int o2i_SCT_signature(SCT *sct, CBS *cbs);
 * Handlers for Certificate Transparency X509v3/OCSP extensions
 */
 extern const X509V3_EXT_METHOD v3_ct_scts[3];
+#endif /* HEADER_CT_LOCAL_H */
diff --git a/src/lib/libcrypto/ct/ct_log.c b/src/lib/libcrypto/ct/ct_log.c
index 72045477ac..48611df979 100644
--- a/src/lib/libcrypto/ct/ct_log.c
+++ b/src/lib/libcrypto/ct/ct_log.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_log.c,v 1.9 2024/11/05 09:35:40 tb Exp $ */
+/*      $OpenBSD: ct_log.c,v 1.10 2025/05/10 05:54:38 tb Exp $ */
 /* Author: Adam Eijdenberg <adam.eijdenberg@gmail.com>. */
 /* ====================================================================
 * Copyright (c) 1998-2016 The OpenSSL Project.  All rights reserved.
@@ -65,13 +65,13 @@
 #include <openssl/asn1.h>
 #include <openssl/conf.h>
 #include <openssl/ct.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/sha.h>
 #include <openssl/x509.h>
 #include "conf_local.h"
 #include "crypto_local.h"
+#include "err_local.h"
 /*
diff --git a/src/lib/libcrypto/ct/ct_oct.c b/src/lib/libcrypto/ct/ct_oct.c
index 1f5e5c75d0..686d845f11 100644
--- a/src/lib/libcrypto/ct/ct_oct.c
+++ b/src/lib/libcrypto/ct/ct_oct.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_oct.c,v 1.9 2023/07/08 07:22:58 beck Exp $ */
+/*      $OpenBSD: ct_oct.c,v 1.10 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
 * (steve@openssl.org) for the OpenSSL project 2014.
@@ -67,10 +67,10 @@
 #include <openssl/asn1.h>
 #include <openssl/buffer.h>
 #include <openssl/ct.h>
-#include <openssl/err.h>
 #include "bytestring.h"
 #include "ct_local.h"
+#include "err_local.h"
 int
 o2i_SCT_signature(SCT *sct, CBS *cbs)
diff --git a/src/lib/libcrypto/ct/ct_policy.c b/src/lib/libcrypto/ct/ct_policy.c
index eb2b312019..a242b0d8f8 100644
--- a/src/lib/libcrypto/ct/ct_policy.c
+++ b/src/lib/libcrypto/ct/ct_policy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_policy.c,v 1.6 2023/07/08 07:22:58 beck Exp $ */
+/*      $OpenBSD: ct_policy.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Implementations of Certificate Transparency SCT policies.
 * Written by Rob Percival (robpercival@google.com) for the OpenSSL project.
@@ -56,11 +56,12 @@
 # error "CT is disabled"
 #endif
-#include <openssl/ct.h>
-#include <openssl/err.h>
 #include <time.h>
+#include <openssl/ct.h>
 #include "ct_local.h"
+#include "err_local.h"
 /*
 * Number of seconds in the future that an SCT timestamp can be, by default,
diff --git a/src/lib/libcrypto/ct/ct_sct.c b/src/lib/libcrypto/ct/ct_sct.c
index 4b2716e734..d647e34d92 100644
--- a/src/lib/libcrypto/ct/ct_sct.c
+++ b/src/lib/libcrypto/ct/ct_sct.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_sct.c,v 1.10 2023/07/22 17:02:49 tb Exp $ */
+/*      $OpenBSD: ct_sct.c,v 1.11 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Rob Stradling (rob@comodo.com), Stephen Henson (steve@openssl.org)
 * and Adam Eijdenberg (adam.eijdenberg@gmail.com) for the OpenSSL project 2016.
@@ -67,11 +67,11 @@
 #include <openssl/asn1.h>
 #include <openssl/ct.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "ct_local.h"
+#include "err_local.h"
 SCT *
 SCT_new(void)
diff --git a/src/lib/libcrypto/ct/ct_sct_ctx.c b/src/lib/libcrypto/ct/ct_sct_ctx.c
index b2b6d4e269..930c7df59b 100644
--- a/src/lib/libcrypto/ct/ct_sct_ctx.c
+++ b/src/lib/libcrypto/ct/ct_sct_ctx.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_sct_ctx.c,v 1.6 2022/06/30 11:14:47 tb Exp $ */
+/*      $OpenBSD: ct_sct_ctx.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
 * (steve@openssl.org) for the OpenSSL project 2014.
@@ -64,11 +64,11 @@
 #include <stddef.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "ct_local.h"
+#include "err_local.h"
 SCT_CTX *
 SCT_CTX_new(void)
diff --git a/src/lib/libcrypto/ct/ct_vfy.c b/src/lib/libcrypto/ct/ct_vfy.c
index 424117263a..5dbb2096e1 100644
--- a/src/lib/libcrypto/ct/ct_vfy.c
+++ b/src/lib/libcrypto/ct/ct_vfy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_vfy.c,v 1.6 2022/01/06 14:34:40 jsing Exp $ */
+/*      $OpenBSD: ct_vfy.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Rob Stradling (rob@comodo.com) and Stephen Henson
 * (steve@openssl.org) for the OpenSSL project 2014.
@@ -60,11 +60,11 @@
 #include <string.h>
 #include <openssl/ct.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "ct_local.h"
+#include "err_local.h"
 typedef enum sct_signature_type_t {
        SIGNATURE_TYPE_NOT_SET = -1,
diff --git a/src/lib/libcrypto/curve25519/curve25519.c b/src/lib/libcrypto/curve25519/curve25519.c
index 4e644c4280..0aa3d2855b 100644
--- a/src/lib/libcrypto/curve25519/curve25519.c
+++ b/src/lib/libcrypto/curve25519/curve25519.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: curve25519.c,v 1.16 2023/07/08 15:12:49 beck Exp $ */
+/*      $OpenBSD: curve25519.c,v 1.18 2025/07/29 10:52:20 tb Exp $ */
 /*
 * Copyright (c) 2015, Google Inc.
 *
@@ -3781,6 +3781,17 @@ ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a,
  }
 }
+/*
+ * int64_lshift21 returns |a << 21| but is defined when shifting bits into the
+ * sign bit. This works around a language flaw in C.
+ *
+ * XXX: This is a hack to avoid undefined behavior when shifting into the sign bit.
+ * We match BoringSSL's implementation here.
+ */
+static inline int64_t int64_lshift21(int64_t a) {
+  return (int64_t)((uint64_t)a << 21);
+}
 /* The set of scalars is \Z/l
 * where l = 2^252 + 27742317777372353535851937790883648493. */
@@ -3885,38 +3896,38 @@ x25519_sc_reduce(uint8_t *s) {
  carry6 = (s6 + (1 << 20)) >> 21;
  s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
  carry8 = (s8 + (1 << 20)) >> 21;
  s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
  carry10 = (s10 + (1 << 20)) >> 21;
  s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
  carry12 = (s12 + (1 << 20)) >> 21;
  s13 += carry12;
-  s12 -= carry12 << 21;
+  s12 -= int64_lshift21(carry12);
  carry14 = (s14 + (1 << 20)) >> 21;
  s15 += carry14;
-  s14 -= carry14 << 21;
+  s14 -= int64_lshift21(carry14);
  carry16 = (s16 + (1 << 20)) >> 21;
  s17 += carry16;
-  s16 -= carry16 << 21;
+  s16 -= int64_lshift21(carry16);
  carry7 = (s7 + (1 << 20)) >> 21;
  s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
  carry9 = (s9 + (1 << 20)) >> 21;
  s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
  carry11 = (s11 + (1 << 20)) >> 21;
  s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
  carry13 = (s13 + (1 << 20)) >> 21;
  s14 += carry13;
-  s13 -= carry13 << 21;
+  s13 -= int64_lshift21(carry13);
  carry15 = (s15 + (1 << 20)) >> 21;
  s16 += carry15;
-  s15 -= carry15 << 21;
+  s15 -= int64_lshift21(carry15);
  s5 += s17 * 666643;
  s6 += s17 * 470296;
@@ -3968,41 +3979,41 @@ x25519_sc_reduce(uint8_t *s) {
  carry0 = (s0 + (1 << 20)) >> 21;
  s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
  carry2 = (s2 + (1 << 20)) >> 21;
  s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
  carry4 = (s4 + (1 << 20)) >> 21;
  s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
  carry6 = (s6 + (1 << 20)) >> 21;
  s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
  carry8 = (s8 + (1 << 20)) >> 21;
  s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
  carry10 = (s10 + (1 << 20)) >> 21;
  s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
  carry1 = (s1 + (1 << 20)) >> 21;
  s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
  carry3 = (s3 + (1 << 20)) >> 21;
  s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
  carry5 = (s5 + (1 << 20)) >> 21;
  s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
  carry7 = (s7 + (1 << 20)) >> 21;
  s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
  carry9 = (s9 + (1 << 20)) >> 21;
  s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
  carry11 = (s11 + (1 << 20)) >> 21;
  s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
  s0 += s12 * 666643;
  s1 += s12 * 470296;
@@ -4014,40 +4025,40 @@ x25519_sc_reduce(uint8_t *s) {
  carry0 = s0 >> 21;
  s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
  carry1 = s1 >> 21;
  s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
  carry2 = s2 >> 21;
  s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
  carry3 = s3 >> 21;
  s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
  carry4 = s4 >> 21;
  s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
  carry5 = s5 >> 21;
  s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
  carry6 = s6 >> 21;
  s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
  carry7 = s7 >> 21;
  s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
  carry8 = s8 >> 21;
  s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
  carry9 = s9 >> 21;
  s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
  carry10 = s10 >> 21;
  s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
  carry11 = s11 >> 21;
  s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
  s0 += s12 * 666643;
  s1 += s12 * 470296;
@@ -4059,37 +4070,37 @@ x25519_sc_reduce(uint8_t *s) {
  carry0 = s0 >> 21;
  s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
  carry1 = s1 >> 21;
  s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
  carry2 = s2 >> 21;
  s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
  carry3 = s3 >> 21;
  s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
  carry4 = s4 >> 21;
  s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
  carry5 = s5 >> 21;
  s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
  carry6 = s6 >> 21;
  s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
  carry7 = s7 >> 21;
  s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
  carry8 = s8 >> 21;
  s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
  carry9 = s9 >> 21;
  s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
  carry10 = s10 >> 21;
  s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
  s[0] = s0 >> 0;
  s[1] = s0 >> 8;
@@ -4257,74 +4268,74 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
  carry0 = (s0 + (1 << 20)) >> 21;
  s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
  carry2 = (s2 + (1 << 20)) >> 21;
  s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
  carry4 = (s4 + (1 << 20)) >> 21;
  s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
  carry6 = (s6 + (1 << 20)) >> 21;
  s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
  carry8 = (s8 + (1 << 20)) >> 21;
  s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
  carry10 = (s10 + (1 << 20)) >> 21;
  s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
  carry12 = (s12 + (1 << 20)) >> 21;
  s13 += carry12;
-  s12 -= carry12 << 21;
+  s12 -= int64_lshift21(carry12);
  carry14 = (s14 + (1 << 20)) >> 21;
  s15 += carry14;
-  s14 -= carry14 << 21;
+  s14 -= int64_lshift21(carry14);
  carry16 = (s16 + (1 << 20)) >> 21;
  s17 += carry16;
-  s16 -= carry16 << 21;
+  s16 -= int64_lshift21(carry16);
  carry18 = (s18 + (1 << 20)) >> 21;
  s19 += carry18;
-  s18 -= carry18 << 21;
+  s18 -= int64_lshift21(carry18);
  carry20 = (s20 + (1 << 20)) >> 21;
  s21 += carry20;
-  s20 -= carry20 << 21;
+  s20 -= int64_lshift21(carry20);
  carry22 = (s22 + (1 << 20)) >> 21;
  s23 += carry22;
-  s22 -= carry22 << 21;
+  s22 -= int64_lshift21(carry22);
  carry1 = (s1 + (1 << 20)) >> 21;
  s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
  carry3 = (s3 + (1 << 20)) >> 21;
  s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
  carry5 = (s5 + (1 << 20)) >> 21;
  s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
  carry7 = (s7 + (1 << 20)) >> 21;
  s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
  carry9 = (s9 + (1 << 20)) >> 21;
  s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
  carry11 = (s11 + (1 << 20)) >> 21;
  s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
  carry13 = (s13 + (1 << 20)) >> 21;
  s14 += carry13;
-  s13 -= carry13 << 21;
+  s13 -= int64_lshift21(carry13);
  carry15 = (s15 + (1 << 20)) >> 21;
  s16 += carry15;
-  s15 -= carry15 << 21;
+  s15 -= int64_lshift21(carry15);
  carry17 = (s17 + (1 << 20)) >> 21;
  s18 += carry17;
-  s17 -= carry17 << 21;
+  s17 -= int64_lshift21(carry17);
  carry19 = (s19 + (1 << 20)) >> 21;
  s20 += carry19;
-  s19 -= carry19 << 21;
+  s19 -= int64_lshift21(carry19);
  carry21 = (s21 + (1 << 20)) >> 21;
  s22 += carry21;
-  s21 -= carry21 << 21;
+  s21 -= int64_lshift21(carry21);
  s11 += s23 * 666643;
  s12 += s23 * 470296;
@@ -4376,38 +4387,38 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
  carry6 = (s6 + (1 << 20)) >> 21;
  s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
  carry8 = (s8 + (1 << 20)) >> 21;
  s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
  carry10 = (s10 + (1 << 20)) >> 21;
  s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
  carry12 = (s12 + (1 << 20)) >> 21;
  s13 += carry12;
-  s12 -= carry12 << 21;
+  s12 -= int64_lshift21(carry12);
  carry14 = (s14 + (1 << 20)) >> 21;
  s15 += carry14;
-  s14 -= carry14 << 21;
+  s14 -= int64_lshift21(carry14);
  carry16 = (s16 + (1 << 20)) >> 21;
  s17 += carry16;
-  s16 -= carry16 << 21;
+  s16 -= int64_lshift21(carry16);
  carry7 = (s7 + (1 << 20)) >> 21;
  s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
  carry9 = (s9 + (1 << 20)) >> 21;
  s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
  carry11 = (s11 + (1 << 20)) >> 21;
  s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
  carry13 = (s13 + (1 << 20)) >> 21;
  s14 += carry13;
-  s13 -= carry13 << 21;
+  s13 -= int64_lshift21(carry13);
  carry15 = (s15 + (1 << 20)) >> 21;
  s16 += carry15;
-  s15 -= carry15 << 21;
+  s15 -= int64_lshift21(carry15);
  s5 += s17 * 666643;
  s6 += s17 * 470296;
@@ -4459,41 +4470,41 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
  carry0 = (s0 + (1 << 20)) >> 21;
  s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
  carry2 = (s2 + (1 << 20)) >> 21;
  s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
  carry4 = (s4 + (1 << 20)) >> 21;
  s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
  carry6 = (s6 + (1 << 20)) >> 21;
  s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
  carry8 = (s8 + (1 << 20)) >> 21;
  s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
  carry10 = (s10 + (1 << 20)) >> 21;
  s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
  carry1 = (s1 + (1 << 20)) >> 21;
  s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
  carry3 = (s3 + (1 << 20)) >> 21;
  s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
  carry5 = (s5 + (1 << 20)) >> 21;
  s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
  carry7 = (s7 + (1 << 20)) >> 21;
  s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
  carry9 = (s9 + (1 << 20)) >> 21;
  s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
  carry11 = (s11 + (1 << 20)) >> 21;
  s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
  s0 += s12 * 666643;
  s1 += s12 * 470296;
@@ -4505,40 +4516,40 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
  carry0 = s0 >> 21;
  s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
  carry1 = s1 >> 21;
  s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
  carry2 = s2 >> 21;
  s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
  carry3 = s3 >> 21;
  s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
  carry4 = s4 >> 21;
  s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
  carry5 = s5 >> 21;
  s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
  carry6 = s6 >> 21;
  s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
  carry7 = s7 >> 21;
  s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
  carry8 = s8 >> 21;
  s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
  carry9 = s9 >> 21;
  s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
  carry10 = s10 >> 21;
  s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
  carry11 = s11 >> 21;
  s12 += carry11;
-  s11 -= carry11 << 21;
+  s11 -= int64_lshift21(carry11);
  s0 += s12 * 666643;
  s1 += s12 * 470296;
@@ -4550,37 +4561,37 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b,
  carry0 = s0 >> 21;
  s1 += carry0;
-  s0 -= carry0 << 21;
+  s0 -= int64_lshift21(carry0);
  carry1 = s1 >> 21;
  s2 += carry1;
-  s1 -= carry1 << 21;
+  s1 -= int64_lshift21(carry1);
  carry2 = s2 >> 21;
  s3 += carry2;
-  s2 -= carry2 << 21;
+  s2 -= int64_lshift21(carry2);
  carry3 = s3 >> 21;
  s4 += carry3;
-  s3 -= carry3 << 21;
+  s3 -= int64_lshift21(carry3);
  carry4 = s4 >> 21;
  s5 += carry4;
-  s4 -= carry4 << 21;
+  s4 -= int64_lshift21(carry4);
  carry5 = s5 >> 21;
  s6 += carry5;
-  s5 -= carry5 << 21;
+  s5 -= int64_lshift21(carry5);
  carry6 = s6 >> 21;
  s7 += carry6;
-  s6 -= carry6 << 21;
+  s6 -= int64_lshift21(carry6);
  carry7 = s7 >> 21;
  s8 += carry7;
-  s7 -= carry7 << 21;
+  s7 -= int64_lshift21(carry7);
  carry8 = s8 >> 21;
  s9 += carry8;
-  s8 -= carry8 << 21;
+  s8 -= int64_lshift21(carry8);
  carry9 = s9 >> 21;
  s10 += carry9;
-  s9 -= carry9 << 21;
+  s9 -= int64_lshift21(carry9);
  carry10 = s10 >> 21;
  s11 += carry10;
-  s10 -= carry10 << 21;
+  s10 -= int64_lshift21(carry10);
  s[0] = s0 >> 0;
  s[1] = s0 >> 8;
diff --git a/src/lib/libcrypto/des/des.h b/src/lib/libcrypto/des/des.h
index 2d957a192c..ad7a418c01 100644
--- a/src/lib/libcrypto/des/des.h
+++ b/src/lib/libcrypto/des/des.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: des.h,v 1.23 2025/01/25 17:59:44 tb Exp $ */
+/* $OpenBSD: des.h,v 1.26 2025/06/09 17:49:45 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -56,11 +56,20 @@
 * [including the GNU Public Licence.]
 */
-#ifndef HEADER_NEW_DES_H
+#ifndef HEADER_DES_H
-#define HEADER_NEW_DES_H
+#define HEADER_DES_H
 #include <openssl/opensslconf.h>
+#ifndef DES_LONG
+/* XXX - typedef to unsigned int everywhere. */
+#ifdef __i386__
+#define DES_LONG unsigned long
+#else
+#define DES_LONG unsigned int
+#endif
+#endif
 #ifdef  __cplusplus
 extern "C" {
 #endif
diff --git a/src/lib/libcrypto/des/des_enc.c b/src/lib/libcrypto/des/des_enc.c
index deec50bffb..cb89784fb0 100644
--- a/src/lib/libcrypto/des/des_enc.c
+++ b/src/lib/libcrypto/des/des_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: des_enc.c,v 1.20 2024/08/31 16:17:13 jsing Exp $ */
+/* $OpenBSD: des_enc.c,v 1.21 2025/07/27 13:26:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -210,10 +210,8 @@ void
 DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
 {
        DES_LONG l, r, t, u;
-#ifndef DES_UNROLL
-        int i;
-#endif
        DES_LONG *s;
+        int i;
        r = data[0];
        l = data[1];
@@ -231,56 +229,21 @@ DES_encrypt1(DES_LONG *data, DES_key_schedule *ks, int enc)
        l = ROTATE(l, 29) & 0xffffffffL;
        s = ks->ks->deslong;
-        /* I don't know if it is worth the effort of loop unrolling the
-         * inner loop */
        if (enc) {
-#ifdef DES_UNROLL
+                for (i = 0; i < 32; i += 8) {
-                D_ENCRYPT(l, r, 0); /*  1 */
+                        D_ENCRYPT(l, r, i + 0);
-                D_ENCRYPT(r, l, 2); /*  2 */
+                        D_ENCRYPT(r, l, i + 2);
-                D_ENCRYPT(l, r, 4); /*  3 */
+                        D_ENCRYPT(l, r, i + 4);
-                D_ENCRYPT(r, l, 6); /*  4 */
+                        D_ENCRYPT(r, l, i + 6);
-                D_ENCRYPT(l, r, 8); /*  5 */
-                D_ENCRYPT(r, l, 10); /*  6 */
-                D_ENCRYPT(l, r, 12); /*  7 */
-                D_ENCRYPT(r, l, 14); /*  8 */
-                D_ENCRYPT(l, r, 16); /*  9 */
-                D_ENCRYPT(r, l, 18); /*  10 */
-                D_ENCRYPT(l, r, 20); /*  11 */
-                D_ENCRYPT(r, l, 22); /*  12 */
-                D_ENCRYPT(l, r, 24); /*  13 */
-                D_ENCRYPT(r, l, 26); /*  14 */
-                D_ENCRYPT(l, r, 28); /*  15 */
-                D_ENCRYPT(r, l, 30); /*  16 */
-#else
-                for (i = 0; i < 32; i += 4) {
-                        D_ENCRYPT(l, r, i + 0); /*  1 */
-                        D_ENCRYPT(r, l, i + 2); /*  2 */
                }
-#endif
        } else {
-#ifdef DES_UNROLL
+                for (i = 32; i > 0; i -= 8) {
-                D_ENCRYPT(l, r, 30); /* 16 */
+                        D_ENCRYPT(l, r, i - 2);
-                D_ENCRYPT(r, l, 28); /* 15 */
+                        D_ENCRYPT(r, l, i - 4);
-                D_ENCRYPT(l, r, 26); /* 14 */
+                        D_ENCRYPT(l, r, i - 6);
-                D_ENCRYPT(r, l, 24); /* 13 */
+                        D_ENCRYPT(r, l, i - 8);
-                D_ENCRYPT(l, r, 22); /* 12 */
-                D_ENCRYPT(r, l, 20); /* 11 */
-                D_ENCRYPT(l, r, 18); /* 10 */
-                D_ENCRYPT(r, l, 16); /*  9 */
-                D_ENCRYPT(l, r, 14); /*  8 */
-                D_ENCRYPT(r, l, 12); /*  7 */
-                D_ENCRYPT(l, r, 10); /*  6 */
-                D_ENCRYPT(r, l, 8); /*  5 */
-                D_ENCRYPT(l, r, 6); /*  4 */
-                D_ENCRYPT(r, l, 4); /*  3 */
-                D_ENCRYPT(l, r, 2); /*  2 */
-                D_ENCRYPT(r, l, 0); /*  1 */
-#else
-                for (i = 30; i > 0; i -= 4) {
-                        D_ENCRYPT(l, r, i - 0); /* 16 */
-                        D_ENCRYPT(r, l, i - 2); /* 15 */
                }
-#endif
        }
        /* rotate and clear the top bits on machines with 8byte longs */
@@ -298,10 +261,8 @@ void
 DES_encrypt2(DES_LONG *data, DES_key_schedule *ks, int enc)
 {
        DES_LONG l, r, t, u;
-#ifndef DES_UNROLL
-        int i;
-#endif
        DES_LONG *s;
+        int i;
        r = data[0];
        l = data[1];
@@ -320,53 +281,19 @@ DES_encrypt2(DES_LONG *data, DES_key_schedule *ks, int enc)
        /* I don't know if it is worth the effort of loop unrolling the
         * inner loop */
        if (enc) {
-#ifdef DES_UNROLL
+                for (i = 0; i < 32; i += 8) {
-                D_ENCRYPT(l, r, 0); /*  1 */
+                        D_ENCRYPT(l, r, i + 0);
-                D_ENCRYPT(r, l, 2); /*  2 */
+                        D_ENCRYPT(r, l, i + 2);
-                D_ENCRYPT(l, r, 4); /*  3 */
+                        D_ENCRYPT(l, r, i + 4);
-                D_ENCRYPT(r, l, 6); /*  4 */
+                        D_ENCRYPT(r, l, i + 6);
-                D_ENCRYPT(l, r, 8); /*  5 */
-                D_ENCRYPT(r, l, 10); /*  6 */
-                D_ENCRYPT(l, r, 12); /*  7 */
-                D_ENCRYPT(r, l, 14); /*  8 */
-                D_ENCRYPT(l, r, 16); /*  9 */
-                D_ENCRYPT(r, l, 18); /*  10 */
-                D_ENCRYPT(l, r, 20); /*  11 */
-                D_ENCRYPT(r, l, 22); /*  12 */
-                D_ENCRYPT(l, r, 24); /*  13 */
-                D_ENCRYPT(r, l, 26); /*  14 */
-                D_ENCRYPT(l, r, 28); /*  15 */
-                D_ENCRYPT(r, l, 30); /*  16 */
-#else
-                for (i = 0; i < 32; i += 4) {
-                        D_ENCRYPT(l, r, i + 0); /*  1 */
-                        D_ENCRYPT(r, l, i + 2); /*  2 */
                }
-#endif
        } else {
-#ifdef DES_UNROLL
+                for (i = 32; i > 0; i -= 8) {
-                D_ENCRYPT(l, r, 30); /* 16 */
+                        D_ENCRYPT(l, r, i - 2);
-                D_ENCRYPT(r, l, 28); /* 15 */
+                        D_ENCRYPT(r, l, i - 4);
-                D_ENCRYPT(l, r, 26); /* 14 */
+                        D_ENCRYPT(l, r, i - 6);
-                D_ENCRYPT(r, l, 24); /* 13 */
+                        D_ENCRYPT(r, l, i - 8);
-                D_ENCRYPT(l, r, 22); /* 12 */
-                D_ENCRYPT(r, l, 20); /* 11 */
-                D_ENCRYPT(l, r, 18); /* 10 */
-                D_ENCRYPT(r, l, 16); /*  9 */
-                D_ENCRYPT(l, r, 14); /*  8 */
-                D_ENCRYPT(r, l, 12); /*  7 */
-                D_ENCRYPT(l, r, 10); /*  6 */
-                D_ENCRYPT(r, l, 8); /*  5 */
-                D_ENCRYPT(l, r, 6); /*  4 */
-                D_ENCRYPT(r, l, 4); /*  3 */
-                D_ENCRYPT(l, r, 2); /*  2 */
-                D_ENCRYPT(r, l, 0); /*  1 */
-#else
-                for (i = 30; i > 0; i -= 4) {
-                        D_ENCRYPT(l, r, i - 0); /* 16 */
-                        D_ENCRYPT(r, l, i - 2); /* 15 */
                }
-#endif
        }
        /* rotate and clear the top bits on machines with 8byte longs */
        data[0] = ROTATE(l, 3) & 0xffffffffL;
diff --git a/src/lib/libcrypto/des/des_fcrypt.c b/src/lib/libcrypto/des/des_fcrypt.c
index b33b1240c2..2dd071f5d0 100644
--- a/src/lib/libcrypto/des/des_fcrypt.c
+++ b/src/lib/libcrypto/des/des_fcrypt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: des_fcrypt.c,v 1.4 2024/08/31 16:22:18 jsing Exp $ */
+/* $OpenBSD: des_fcrypt.c,v 1.5 2025/07/27 13:26:24 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -90,8 +90,8 @@ fcrypt_body(DES_LONG *out, DES_key_schedule *ks, DES_LONG Eswap0,
 {
        DES_LONG l, r, t, u;
        DES_LONG *s;
-        int j;
        DES_LONG E0, E1;
+        int i, j;
        l = 0;
        r = 0;
@@ -101,32 +101,12 @@ fcrypt_body(DES_LONG *out, DES_key_schedule *ks, DES_LONG Eswap0,
        E1 = Eswap1;
        for (j = 0; j < 25; j++) {
-#ifndef DES_UNROLL
+                for (i = 0; i < 32; i += 8) {
-                int i;
+                        D_ENCRYPT(l, r, i + 0);
+                        D_ENCRYPT(r, l, i + 2);
-                for (i = 0; i < 32; i += 4) {
+                        D_ENCRYPT(l, r, i + 4);
-                        D_ENCRYPT(l, r, i + 0); /*  1 */
+                        D_ENCRYPT(r, l, i + 6);
-                        D_ENCRYPT(r, l, i + 2); /*  2 */
                }
-#else
-                D_ENCRYPT(l, r, 0); /*  1 */
-                D_ENCRYPT(r, l, 2); /*  2 */
-                D_ENCRYPT(l, r, 4); /*  3 */
-                D_ENCRYPT(r, l, 6); /*  4 */
-                D_ENCRYPT(l, r, 8); /*  5 */
-                D_ENCRYPT(r, l, 10); /*  6 */
-                D_ENCRYPT(l, r, 12); /*  7 */
-                D_ENCRYPT(r, l, 14); /*  8 */
-                D_ENCRYPT(l, r, 16); /*  9 */
-                D_ENCRYPT(r, l, 18); /*  10 */
-                D_ENCRYPT(l, r, 20); /*  11 */
-                D_ENCRYPT(r, l, 22); /*  12 */
-                D_ENCRYPT(l, r, 24); /*  13 */
-                D_ENCRYPT(r, l, 26); /*  14 */
-                D_ENCRYPT(l, r, 28); /*  15 */
-                D_ENCRYPT(r, l, 30); /*  16 */
-#endif
                t = l;
                l = r;
                r = t;
diff --git a/src/lib/libcrypto/des/des_key.c b/src/lib/libcrypto/des/des_key.c
index eee8a7e127..62d6a8bb19 100644
--- a/src/lib/libcrypto/des/des_key.c
+++ b/src/lib/libcrypto/des/des_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: des_key.c,v 1.1 2024/08/31 15:56:09 jsing Exp $ */
+/* $OpenBSD: des_key.c,v 1.2 2025/10/27 16:57:37 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -107,7 +107,7 @@ DES_check_key_parity(const_DES_cblock *key)
 }
 LCRYPTO_ALIAS(DES_check_key_parity);
-/* Weak and semi weak keys as taken from
+/* Weak and semi-weak keys as taken from
 * %A D.W. Davies
 * %A W.L. Price
 * %T Security for Computer Networks
diff --git a/src/lib/libcrypto/des/des_local.h b/src/lib/libcrypto/des/des_local.h
index 61bfde7520..077c03139f 100644
--- a/src/lib/libcrypto/des/des_local.h
+++ b/src/lib/libcrypto/des/des_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: des_local.h,v 1.5 2024/08/31 16:22:18 jsing Exp $ */
+/* $OpenBSD: des_local.h,v 1.6 2025/04/23 10:08:20 jsing Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -217,10 +217,6 @@ ROTATE(uint32_t a, uint32_t n)
 extern const DES_LONG DES_SPtrans[8][64];
-#ifdef OPENSSL_SMALL_FOOTPRINT
-#undef DES_UNROLL
-#endif
 __END_HIDDEN_DECLS
 #endif
diff --git a/src/lib/libcrypto/dh/dh_ameth.c b/src/lib/libcrypto/dh/dh_ameth.c
index 289307bfd6..ec59245b9c 100644
--- a/src/lib/libcrypto/dh/dh_ameth.c
+++ b/src/lib/libcrypto/dh/dh_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_ameth.c,v 1.42 2025/01/17 05:04:25 tb Exp $ */
+/* $OpenBSD: dh_ameth.c,v 1.43 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -61,12 +61,12 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
 #include "bn_local.h"
 #include "dh_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 static void
diff --git a/src/lib/libcrypto/dh/dh_check.c b/src/lib/libcrypto/dh/dh_check.c
index a880f9fca1..1ba85bc824 100644
--- a/src/lib/libcrypto/dh/dh_check.c
+++ b/src/lib/libcrypto/dh/dh_check.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_check.c,v 1.30 2024/11/29 15:59:57 tb Exp $ */
+/* $OpenBSD: dh_check.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,7 +60,6 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/err.h>
 #include "bn_local.h"
 #include "dh_local.h"
diff --git a/src/lib/libcrypto/dh/dh_gen.c b/src/lib/libcrypto/dh/dh_gen.c
index 3ffa5d80f1..f28f75909c 100644
--- a/src/lib/libcrypto/dh/dh_gen.c
+++ b/src/lib/libcrypto/dh/dh_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_gen.c,v 1.21 2023/07/08 15:29:03 beck Exp $ */
+/* $OpenBSD: dh_gen.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,10 +60,10 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/err.h>
 #include "bn_local.h"
 #include "dh_local.h"
+#include "err_local.h"
 static int dh_builtin_genparams(DH *ret, int prime_len, int generator,
            BN_GENCB *cb);
diff --git a/src/lib/libcrypto/dh/dh_key.c b/src/lib/libcrypto/dh/dh_key.c
index 93b04f398f..89a02c8309 100644
--- a/src/lib/libcrypto/dh/dh_key.c
+++ b/src/lib/libcrypto/dh/dh_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_key.c,v 1.42 2024/05/09 20:43:36 tb Exp $ */
+/* $OpenBSD: dh_key.c,v 1.43 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,10 +60,10 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/err.h>
 #include "bn_local.h"
 #include "dh_local.h"
+#include "err_local.h"
 static int
 generate_key(DH *dh)
diff --git a/src/lib/libcrypto/dh/dh_lib.c b/src/lib/libcrypto/dh/dh_lib.c
index 803aca6421..db76244550 100644
--- a/src/lib/libcrypto/dh/dh_lib.c
+++ b/src/lib/libcrypto/dh/dh_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_lib.c,v 1.46 2024/11/29 15:59:57 tb Exp $ */
+/* $OpenBSD: dh_lib.c,v 1.47 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,9 +63,9 @@
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/err.h>
 #include "dh_local.h"
+#include "err_local.h"
 static const DH_METHOD *default_DH_method = NULL;
diff --git a/src/lib/libcrypto/dh/dh_pmeth.c b/src/lib/libcrypto/dh/dh_pmeth.c
index 1e5327b11f..18517b0cde 100644
--- a/src/lib/libcrypto/dh/dh_pmeth.c
+++ b/src/lib/libcrypto/dh/dh_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_pmeth.c,v 1.17 2024/08/26 22:00:47 op Exp $ */
+/* $OpenBSD: dh_pmeth.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -64,12 +64,12 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "bn_local.h"
 #include "dh_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 /* DH pkey context structure */
diff --git a/src/lib/libcrypto/dsa/dsa_ameth.c b/src/lib/libcrypto/dsa/dsa_ameth.c
index 866e5ec476..8e65cf68f7 100644
--- a/src/lib/libcrypto/dsa/dsa_ameth.c
+++ b/src/lib/libcrypto/dsa/dsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ameth.c,v 1.59 2024/04/13 14:02:51 tb Exp $ */
+/* $OpenBSD: dsa_ameth.c,v 1.60 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -64,12 +64,12 @@
 #include <openssl/bn.h>
 #include <openssl/cms.h>
 #include <openssl/dsa.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
 #include "bn_local.h"
 #include "dsa_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/dsa/dsa_asn1.c b/src/lib/libcrypto/dsa/dsa_asn1.c
index de6ec46195..e8957a99ff 100644
--- a/src/lib/libcrypto/dsa/dsa_asn1.c
+++ b/src/lib/libcrypto/dsa/dsa_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_asn1.c,v 1.33 2024/07/08 17:11:05 beck Exp $ */
+/* $OpenBSD: dsa_asn1.c,v 1.34 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -63,9 +63,9 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
-#include <openssl/err.h>
 #include "dsa_local.h"
+#include "err_local.h"
 /* Override the default new methods */
 static int
diff --git a/src/lib/libcrypto/dsa/dsa_lib.c b/src/lib/libcrypto/dsa/dsa_lib.c
index daf2fa135b..ecd517cf8a 100644
--- a/src/lib/libcrypto/dsa/dsa_lib.c
+++ b/src/lib/libcrypto/dsa/dsa_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_lib.c,v 1.48 2024/03/27 01:49:31 tb Exp $ */
+/* $OpenBSD: dsa_lib.c,v 1.49 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -65,7 +65,6 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
-#include <openssl/err.h>
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
@@ -73,6 +72,7 @@
 #include "dh_local.h"
 #include "dsa_local.h"
+#include "err_local.h"
 static const DSA_METHOD *default_DSA_method = NULL;
diff --git a/src/lib/libcrypto/dsa/dsa_local.h b/src/lib/libcrypto/dsa/dsa_local.h
index fc77c09fcb..3d32e5e547 100644
--- a/src/lib/libcrypto/dsa/dsa_local.h
+++ b/src/lib/libcrypto/dsa/dsa_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_local.h,v 1.5 2024/11/29 07:42:35 tb Exp $ */
+/* $OpenBSD: dsa_local.h,v 1.6 2025/11/26 10:19:57 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 2007 The OpenSSL Project.  All rights reserved.
 *
@@ -53,6 +53,9 @@
 *
 */
+#ifndef HEADER_DSA_LOCAL_H
+#define HEADER_DSA_LOCAL_H
 #include <openssl/dsa.h>
 __BEGIN_HIDDEN_DECLS
@@ -102,3 +105,5 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
 int dsa_check_key(const DSA *dsa);
 __END_HIDDEN_DECLS
+#endif /* HEADER_DSA_LOCAL_H */
diff --git a/src/lib/libcrypto/dsa/dsa_meth.c b/src/lib/libcrypto/dsa/dsa_meth.c
index c84b5287e1..c961bb13b4 100644
--- a/src/lib/libcrypto/dsa/dsa_meth.c
+++ b/src/lib/libcrypto/dsa/dsa_meth.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: dsa_meth.c,v 1.7 2023/07/08 14:28:15 beck Exp $       */
+/*      $OpenBSD: dsa_meth.c,v 1.8 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
 *
@@ -19,9 +19,9 @@
 #include <string.h>
 #include <openssl/dsa.h>
-#include <openssl/err.h>
 #include "dsa_local.h"
+#include "err_local.h"
 DSA_METHOD *
 DSA_meth_new(const char *name, int flags)
diff --git a/src/lib/libcrypto/dsa/dsa_ossl.c b/src/lib/libcrypto/dsa/dsa_ossl.c
index c53c8b9001..6d1546f4fc 100644
--- a/src/lib/libcrypto/dsa/dsa_ossl.c
+++ b/src/lib/libcrypto/dsa/dsa_ossl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ossl.c,v 1.56 2024/05/11 06:43:50 tb Exp $ */
+/* $OpenBSD: dsa_ossl.c,v 1.57 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,11 +63,11 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/dsa.h>
-#include <openssl/err.h>
 #include <openssl/sha.h>
 #include "bn_local.h"
 #include "dsa_local.h"
+#include "err_local.h"
 /*
 * Since DSA parameters are entirely arbitrary and checking them to be
diff --git a/src/lib/libcrypto/dsa/dsa_pmeth.c b/src/lib/libcrypto/dsa/dsa_pmeth.c
index adc7319731..73889a8307 100644
--- a/src/lib/libcrypto/dsa/dsa_pmeth.c
+++ b/src/lib/libcrypto/dsa/dsa_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_pmeth.c,v 1.21 2024/10/19 14:39:44 tb Exp $ */
+/* $OpenBSD: dsa_pmeth.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -63,12 +63,12 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "bn_local.h"
 #include "dsa_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 /* DSA pkey context structure */
diff --git a/src/lib/libcrypto/dsa/dsa_prn.c b/src/lib/libcrypto/dsa/dsa_prn.c
index f276d82482..058b7d9ffd 100644
--- a/src/lib/libcrypto/dsa/dsa_prn.c
+++ b/src/lib/libcrypto/dsa/dsa_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_prn.c,v 1.10 2023/07/08 14:28:15 beck Exp $ */
+/* $OpenBSD: dsa_prn.c,v 1.11 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -59,9 +59,10 @@
 #include <stdio.h>
 #include <openssl/dsa.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
+#include "err_local.h"
 int
 DSA_print_fp(FILE *fp, const DSA *x, int off)
 {
diff --git a/src/lib/libcrypto/ec/ec_ameth.c b/src/lib/libcrypto/ec/ec_ameth.c
index 903b18a8db..ddc8adea1e 100644
--- a/src/lib/libcrypto/ec/ec_ameth.c
+++ b/src/lib/libcrypto/ec/ec_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_ameth.c,v 1.73 2024/11/25 06:51:39 tb Exp $ */
+/* $OpenBSD: ec_ameth.c,v 1.74 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -66,7 +66,6 @@
 #include <openssl/bn.h>
 #include <openssl/cms.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/pkcs7.h>
 #include <openssl/objects.h>
@@ -74,6 +73,7 @@
 #include "asn1_local.h"
 #include "bn_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/ec/ec_asn1.c b/src/lib/libcrypto/ec/ec_asn1.c
index ef318f8d43..35f4f5b0ba 100644
--- a/src/lib/libcrypto/ec/ec_asn1.c
+++ b/src/lib/libcrypto/ec/ec_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_asn1.c,v 1.111 2025/03/13 10:31:12 tb Exp $ */
+/* $OpenBSD: ec_asn1.c,v 1.112 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@@ -66,12 +66,12 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/asn1t.h>
 #include <openssl/objects.h>
 #include "asn1_local.h"
 #include "ec_local.h"
+#include "err_local.h"
 int
 EC_GROUP_get_basis_type(const EC_GROUP *group)
diff --git a/src/lib/libcrypto/ec/ec_convert.c b/src/lib/libcrypto/ec/ec_convert.c
index a18bc49132..3b88bd20ba 100644
--- a/src/lib/libcrypto/ec/ec_convert.c
+++ b/src/lib/libcrypto/ec/ec_convert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_convert.c,v 1.14 2025/01/05 16:07:08 tb Exp $ */
+/* $OpenBSD: ec_convert.c,v 1.16 2025/12/26 18:44:19 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -64,10 +64,10 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
 #include "ec_local.h"
+#include "err_local.h"
 /*
 * Internal handling of the point conversion octet
@@ -452,7 +452,7 @@ EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point,
        if (ctx == NULL)
                goto err;
-        if (group->meth != point->meth) {
+        if (!ec_group_and_point_compatible(group, point)) {
                ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                goto err;
        }
@@ -478,7 +478,7 @@ EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point,
        if (ctx == NULL)
                goto err;
-        if (group->meth != point->meth) {
+        if (!ec_group_and_point_compatible(group, point)) {
                ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                goto err;
        }
diff --git a/src/lib/libcrypto/ec/ec_curve.c b/src/lib/libcrypto/ec/ec_curve.c
index a3ec2de7fb..fda2681704 100644
--- a/src/lib/libcrypto/ec/ec_curve.c
+++ b/src/lib/libcrypto/ec/ec_curve.c
@@ -1,7 +1,4 @@
-/* $OpenBSD: ec_curve.c,v 1.54 2025/03/09 17:53:11 tb Exp $ */
+/* $OpenBSD: ec_curve.c,v 1.60 2025/12/15 12:09:46 tb Exp $ */
-/*
- * Written by Nils Larsch for the OpenSSL project.
- */
 /* ====================================================================
 * Copyright (c) 1998-2010 The OpenSSL Project.  All rights reserved.
 *
@@ -78,10 +75,10 @@
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include "ec_local.h"
+#include "err_local.h"
 static const struct {
        uint8_t seed[20];
@@ -130,6 +127,57 @@ static const struct {
 static const struct {
        uint8_t seed[20];
+        uint8_t p[32];
+        uint8_t a[32];
+        uint8_t b[32];
+        uint8_t x[32];
+        uint8_t y[32];
+        uint8_t order[32];
+} _EC_NIST_PRIME_256 = {
+        .seed = {
+                0xc4, 0x9d, 0x36, 0x08, 0x86, 0xe7, 0x04, 0x93, 0x6a, 0x66,
+                0x78, 0xe1, 0x13, 0x9d, 0x26, 0xb7, 0x81, 0x9f, 0x7e, 0x90,
+        },
+        .p = {
+                0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
+                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+                0xff, 0xff,
+        },
+        .a = {
+                0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
+                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+                0xff, 0xfc,
+        },
+        .b = {
+                0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, 0xb3, 0xeb,
+                0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc, 0x65, 0x1d, 0x06, 0xb0,
+                0xcc, 0x53, 0xb0, 0xf6, 0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2,
+                0x60, 0x4b,
+        },
+        .x = {
+                0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc,
+                0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81,
+                0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98,
+                0xc2, 0x96,
+        },
+        .y = {
+                0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7,
+                0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57,
+                0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf,
+                0x51, 0xf5,
+        },
+        .order = {
+                0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
+                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xbc, 0xe6, 0xfa, 0xad,
+                0xa7, 0x17, 0x9e, 0x84, 0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63,
+                0x25, 0x51,
+        },
+};
+static const struct {
+        uint8_t seed[20];
        uint8_t p[48];
        uint8_t a[48];
        uint8_t b[48];
@@ -255,192 +303,6 @@ static const struct {
 };
 static const struct {
-        uint8_t seed[20];
-        uint8_t p[30];
-        uint8_t a[30];
-        uint8_t b[30];
-        uint8_t x[30];
-        uint8_t y[30];
-        uint8_t order[30];
-} _EC_X9_62_PRIME_239V1 = {
-        .seed = {
-                0xe4, 0x3b, 0xb4, 0x60, 0xf0, 0xb8, 0x0c, 0xc0, 0xc0, 0xb0,
-                0x75, 0x79, 0x8e, 0x94, 0x80, 0x60, 0xf8, 0x32, 0x1b, 0x7d,
-        },
-        .p = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff,
-        },
-        .a = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xfc,
-        },
-        .b = {
-                0x6b, 0x01, 0x6c, 0x3b, 0xdc, 0xf1, 0x89, 0x41, 0xd0, 0xd6,
-                0x54, 0x92, 0x14, 0x75, 0xca, 0x71, 0xa9, 0xdb, 0x2f, 0xb2,
-                0x7d, 0x1d, 0x37, 0x79, 0x61, 0x85, 0xc2, 0x94, 0x2c, 0x0a,
-        },
-        .x = {
-                0x0f, 0xfa, 0x96, 0x3c, 0xdc, 0xa8, 0x81, 0x6c, 0xcc, 0x33,
-                0xb8, 0x64, 0x2b, 0xed, 0xf9, 0x05, 0xc3, 0xd3, 0x58, 0x57,
-                0x3d, 0x3f, 0x27, 0xfb, 0xbd, 0x3b, 0x3c, 0xb9, 0xaa, 0xaf,
-        },
-        .y = {
-                0x7d, 0xeb, 0xe8, 0xe4, 0xe9, 0x0a, 0x5d, 0xae, 0x6e, 0x40,
-                0x54, 0xca, 0x53, 0x0b, 0xa0, 0x46, 0x54, 0xb3, 0x68, 0x18,
-                0xce, 0x22, 0x6b, 0x39, 0xfc, 0xcb, 0x7b, 0x02, 0xf1, 0xae,
-        },
-        .order = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0x9e, 0x5e, 0x9a, 0x9f, 0x5d,
-                0x90, 0x71, 0xfb, 0xd1, 0x52, 0x26, 0x88, 0x90, 0x9d, 0x0b,
-        },
-};
-static const struct {
-        uint8_t seed[20];
-        uint8_t p[30];
-        uint8_t a[30];
-        uint8_t b[30];
-        uint8_t x[30];
-        uint8_t y[30];
-        uint8_t order[30];
-} _EC_X9_62_PRIME_239V2 = {
-        .seed = {
-                0xe8, 0xb4, 0x01, 0x16, 0x04, 0x09, 0x53, 0x03, 0xca, 0x3b,
-                0x80, 0x99, 0x98, 0x2b, 0xe0, 0x9f, 0xcb, 0x9a, 0xe6, 0x16,
-        },
-        .p = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff,
-        },
-        .a = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xfc,
-        },
-        .b = {
-                0x61, 0x7f, 0xab, 0x68, 0x32, 0x57, 0x6c, 0xbb, 0xfe, 0xd5,
-                0x0d, 0x99, 0xf0, 0x24, 0x9c, 0x3f, 0xee, 0x58, 0xb9, 0x4b,
-                0xa0, 0x03, 0x8c, 0x7a, 0xe8, 0x4c, 0x8c, 0x83, 0x2f, 0x2c,
-        },
-        .x = {
-                0x38, 0xaf, 0x09, 0xd9, 0x87, 0x27, 0x70, 0x51, 0x20, 0xc9,
-                0x21, 0xbb, 0x5e, 0x9e, 0x26, 0x29, 0x6a, 0x3c, 0xdc, 0xf2,
-                0xf3, 0x57, 0x57, 0xa0, 0xea, 0xfd, 0x87, 0xb8, 0x30, 0xe7,
-        },
-        .y = {
-                0x5b, 0x01, 0x25, 0xe4, 0xdb, 0xea, 0x0e, 0xc7, 0x20, 0x6d,
-                0xa0, 0xfc, 0x01, 0xd9, 0xb0, 0x81, 0x32, 0x9f, 0xb5, 0x55,
-                0xde, 0x6e, 0xf4, 0x60, 0x23, 0x7d, 0xff, 0x8b, 0xe4, 0xba,
-        },
-        .order = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x80, 0x00, 0x00, 0xcf, 0xa7, 0xe8, 0x59, 0x43,
-                0x77, 0xd4, 0x14, 0xc0, 0x38, 0x21, 0xbc, 0x58, 0x20, 0x63,
-        },
-};
-static const struct {
-        uint8_t seed[20];
-        uint8_t p[30];
-        uint8_t a[30];
-        uint8_t b[30];
-        uint8_t x[30];
-        uint8_t y[30];
-        uint8_t order[30];
-} _EC_X9_62_PRIME_239V3 = {
-        .seed = {
-                0x7d, 0x73, 0x74, 0x16, 0x8f, 0xfe, 0x34, 0x71, 0xb6, 0x0a,
-                0x85, 0x76, 0x86, 0xa1, 0x94, 0x75, 0xd3, 0xbf, 0xa2, 0xff,
-        },
-        .p = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff,
-        },
-        .a = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xfc,
-        },
-        .b = {
-                0x25, 0x57, 0x05, 0xfa, 0x2a, 0x30, 0x66, 0x54, 0xb1, 0xf4,
-                0xcb, 0x03, 0xd6, 0xa7, 0x50, 0xa3, 0x0c, 0x25, 0x01, 0x02,
-                0xd4, 0x98, 0x87, 0x17, 0xd9, 0xba, 0x15, 0xab, 0x6d, 0x3e,
-        },
-        .x = {
-                0x67, 0x68, 0xae, 0x8e, 0x18, 0xbb, 0x92, 0xcf, 0xcf, 0x00,
-                0x5c, 0x94, 0x9a, 0xa2, 0xc6, 0xd9, 0x48, 0x53, 0xd0, 0xe6,
-                0x60, 0xbb, 0xf8, 0x54, 0xb1, 0xc9, 0x50, 0x5f, 0xe9, 0x5a,
-        },
-        .y = {
-                0x16, 0x07, 0xe6, 0x89, 0x8f, 0x39, 0x0c, 0x06, 0xbc, 0x1d,
-                0x55, 0x2b, 0xad, 0x22, 0x6f, 0x3b, 0x6f, 0xcf, 0xe4, 0x8b,
-                0x6e, 0x81, 0x84, 0x99, 0xaf, 0x18, 0xe3, 0xed, 0x6c, 0xf3,
-        },
-        .order = {
-                0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff, 0x7f, 0xff, 0xff, 0x97, 0x5d, 0xeb, 0x41, 0xb3,
-                0xa6, 0x05, 0x7c, 0x3c, 0x43, 0x21, 0x46, 0x52, 0x65, 0x51,
-        },
-};
-static const struct {
-        uint8_t seed[20];
-        uint8_t p[32];
-        uint8_t a[32];
-        uint8_t b[32];
-        uint8_t x[32];
-        uint8_t y[32];
-        uint8_t order[32];
-} _EC_X9_62_PRIME_256V1 = {
-        .seed = {
-                0xc4, 0x9d, 0x36, 0x08, 0x86, 0xe7, 0x04, 0x93, 0x6a, 0x66,
-                0x78, 0xe1, 0x13, 0x9d, 0x26, 0xb7, 0x81, 0x9f, 0x7e, 0x90,
-        },
-        .p = {
-                0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xff,
-        },
-        .a = {
-                0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
-                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
-                0xff, 0xfc,
-        },
-        .b = {
-                0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, 0xb3, 0xeb,
-                0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc, 0x65, 0x1d, 0x06, 0xb0,
-                0xcc, 0x53, 0xb0, 0xf6, 0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2,
-                0x60, 0x4b,
-        },
-        .x = {
-                0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc,
-                0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81,
-                0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98,
-                0xc2, 0x96,
-        },
-        .y = {
-                0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7,
-                0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57,
-                0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf,
-                0x51, 0xf5,
-        },
-        .order = {
-                0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
-                0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xbc, 0xe6, 0xfa, 0xad,
-                0xa7, 0x17, 0x9e, 0x84, 0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63,
-                0x25, 0x51,
-        },
-};
-static const struct {
        uint8_t p[29];
        uint8_t a[29];
        uint8_t b[29];
@@ -1121,7 +983,21 @@ static const struct ec_curve {
                .order = _EC_SECG_PRIME_256K1.order,
                .cofactor = 1,
        },
-        /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
+        {
+                /* Everyone except OpenSSL calls this secp256r1 or P-256. */
+                .comment = "X9.62/SECG curve prime256v1",
+                .nid = NID_X9_62_prime256v1,
+                .seed_len = sizeof(_EC_NIST_PRIME_256.seed),
+                .param_len = sizeof(_EC_NIST_PRIME_256.p),
+                .seed = _EC_NIST_PRIME_256.seed,
+                .p = _EC_NIST_PRIME_256.p,
+                .a = _EC_NIST_PRIME_256.a,
+                .b = _EC_NIST_PRIME_256.b,
+                .x = _EC_NIST_PRIME_256.x,
+                .y = _EC_NIST_PRIME_256.y,
+                .order = _EC_NIST_PRIME_256.order,
+                .cofactor = 1,
+        },
        {
                .comment = "NIST/SECG curve secp384r1",
                .nid = NID_secp384r1,
@@ -1150,63 +1026,6 @@ static const struct ec_curve {
                .order = _EC_NIST_PRIME_521.order,
                .cofactor = 1,
        },
-        /* X9.62 curves */
-        {
-                .comment = "X9.62 curve prime239v1",
-                .nid = NID_X9_62_prime239v1,
-                .seed_len = sizeof(_EC_X9_62_PRIME_239V1.seed),
-                .param_len = sizeof(_EC_X9_62_PRIME_239V1.p),
-                .seed = _EC_X9_62_PRIME_239V1.seed,
-                .p = _EC_X9_62_PRIME_239V1.p,
-                .a = _EC_X9_62_PRIME_239V1.a,
-                .b = _EC_X9_62_PRIME_239V1.b,
-                .x = _EC_X9_62_PRIME_239V1.x,
-                .y = _EC_X9_62_PRIME_239V1.y,
-                .order = _EC_X9_62_PRIME_239V1.order,
-                .cofactor = 1,
-        },
-        {
-                .comment = "X9.62 curve prime239v2",
-                .nid = NID_X9_62_prime239v2,
-                .seed_len = sizeof(_EC_X9_62_PRIME_239V2.seed),
-                .param_len = sizeof(_EC_X9_62_PRIME_239V2.p),
-                .seed = _EC_X9_62_PRIME_239V2.seed,
-                .p = _EC_X9_62_PRIME_239V2.p,
-                .a = _EC_X9_62_PRIME_239V2.a,
-                .b = _EC_X9_62_PRIME_239V2.b,
-                .x = _EC_X9_62_PRIME_239V2.x,
-                .y = _EC_X9_62_PRIME_239V2.y,
-                .order = _EC_X9_62_PRIME_239V2.order,
-                .cofactor = 1,
-        },
-        {
-                .comment = "X9.62 curve prime239v3",
-                .nid = NID_X9_62_prime239v3,
-                .seed_len = sizeof(_EC_X9_62_PRIME_239V3.seed),
-                .param_len = sizeof(_EC_X9_62_PRIME_239V3.p),
-                .seed = _EC_X9_62_PRIME_239V3.seed,
-                .p = _EC_X9_62_PRIME_239V3.p,
-                .a = _EC_X9_62_PRIME_239V3.a,
-                .b = _EC_X9_62_PRIME_239V3.b,
-                .x = _EC_X9_62_PRIME_239V3.x,
-                .y = _EC_X9_62_PRIME_239V3.y,
-                .order = _EC_X9_62_PRIME_239V3.order,
-                .cofactor = 1,
-        },
-        {
-                .comment = "X9.62/SECG curve prime256v1",
-                .nid = NID_X9_62_prime256v1,
-                .seed_len = sizeof(_EC_X9_62_PRIME_256V1.seed),
-                .param_len = sizeof(_EC_X9_62_PRIME_256V1.p),
-                .seed = _EC_X9_62_PRIME_256V1.seed,
-                .p = _EC_X9_62_PRIME_256V1.p,
-                .a = _EC_X9_62_PRIME_256V1.a,
-                .b = _EC_X9_62_PRIME_256V1.b,
-                .x = _EC_X9_62_PRIME_256V1.x,
-                .y = _EC_X9_62_PRIME_256V1.y,
-                .order = _EC_X9_62_PRIME_256V1.order,
-                .cofactor = 1,
-        },
        /* RFC 5639 curves */
        {
                .comment = "RFC 5639 curve brainpoolP224r1",
@@ -1221,7 +1040,7 @@ static const struct ec_curve {
                .cofactor = 1,
        },
        {
-                .comment = "RFC 5639 curve brainpoolP224r2",
+                .comment = "RFC 5639 curve brainpoolP224t1",
                .nid = NID_brainpoolP224t1,
                .param_len = sizeof(_EC_brainpoolP224t1.p),
                .p = _EC_brainpoolP224t1.p,
@@ -1573,7 +1392,7 @@ ec_curve_from_group(const EC_GROUP *group)
        if ((cofactor = EC_GROUP_get0_cofactor(group)) != NULL) {
                BN_ULONG cofactor_word;
-                if ((cofactor_word = BN_get_word(cofactor)) == BN_MASK2)
+                if ((cofactor_word = BN_get_word(cofactor)) == (BN_ULONG)-1)
                        goto err;
                if (cofactor_word > INT_MAX)
                        goto err;
diff --git a/src/lib/libcrypto/ec/ec_field.c b/src/lib/libcrypto/ec/ec_field.c
new file mode 100644
index 0000000000..6576526e77
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_field.c
@@ -0,0 +1,202 @@
+/*      $OpenBSD: ec_field.c,v 1.3 2025/08/02 16:20:00 jsing Exp $      */
+/*
+ * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <string.h>
+#include <openssl/ec.h>
+#include "bn_local.h"
+#include "bn_internal.h"
+#include "ec_local.h"
+#include "ec_internal.h"
+int
+ec_field_modulus_from_bn(EC_FIELD_MODULUS *fm, const BIGNUM *bn, BN_CTX *ctx)
+{
+        BN_MONT_CTX *mctx = NULL;
+        size_t i;
+        int ret = 0;
+        if (BN_is_negative(bn))
+                goto err;
+        if (BN_num_bits(bn) > EC_FIELD_ELEMENT_MAX_BITS)
+                goto err;
+        memset(fm, 0, sizeof(*fm));
+        fm->n = (BN_num_bits(bn) + BN_BITS2 - 1) / BN_BITS2;
+        for (i = 0; i < bn->top; i++)
+                fm->m.w[i] = bn->d[i];
+        /* XXX - implement this without BN_MONT_CTX. */
+        if ((mctx = BN_MONT_CTX_new()) == NULL)
+                goto err;
+        if (!BN_MONT_CTX_set(mctx, bn, ctx))
+                goto err;
+        for (i = 0; i < mctx->RR.top; i++)
+                fm->rr.w[i] = mctx->RR.d[i];
+        fm->minv0 = mctx->n0[0];
+        ret = 1;
+ err:
+        BN_MONT_CTX_free(mctx);
+        return ret;
+}
+int
+ec_field_element_from_bn(const EC_FIELD_MODULUS *fm, const EC_GROUP *group,
+    EC_FIELD_ELEMENT *fe, const BIGNUM *bn, BN_CTX *ctx)
+{
+        BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
+        BIGNUM *tmp;
+        size_t i;
+        int ret = 0;
+        BN_CTX_start(ctx);
+        if ((tmp = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        /* XXX - enforce 0 <= n < p. */
+        if (BN_num_bits(bn) > EC_FIELD_ELEMENT_MAX_BITS)
+                goto err;
+        /* XXX - do this without BN. */
+        if (!BN_nnmod(tmp, bn, group->p, ctx))
+                goto err;
+        if (BN_num_bits(tmp) > EC_FIELD_ELEMENT_MAX_BITS)
+                abort();
+        memset(fe->w, 0, sizeof(fe->w));
+        for (i = 0; i < tmp->top; i++)
+                fe->w[i] = tmp->d[i];
+        bn_mod_mul_words(fe->w, fe->w, fm->rr.w, fm->m.w, t, fm->minv0, fm->n);
+        ret = 1;
+ err:
+        BN_CTX_end(ctx);
+        return ret;
+}
+int
+ec_field_element_to_bn(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *fe,
+    BIGNUM *bn, BN_CTX *ctx)
+{
+        BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
+        size_t i;
+        if (!bn_wexpand(bn, fm->n))
+                return 0;
+        memset(t, 0, sizeof(t));
+        for (i = 0; i < fm->n; i++)
+                t[i] = fe->w[i];
+        bn_montgomery_reduce_words(bn->d, t, fm->m.w, fm->minv0, fm->n);
+        bn->top = fm->n;
+        bn_correct_top(bn);
+        return 1;
+}
+void
+ec_field_element_copy(EC_FIELD_ELEMENT *dst, const EC_FIELD_ELEMENT *src)
+{
+        memcpy(dst, src, sizeof(EC_FIELD_ELEMENT));
+}
+void
+ec_field_element_select(const EC_FIELD_MODULUS *fm, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b, int conditional)
+{
+        BN_ULONG mask;
+        int i;
+        mask = bn_ct_eq_zero_mask(conditional);
+        for (i = 0; i < fm->n; i++)
+                r->w[i] = (a->w[i] & mask) | (b->w[i] & ~mask);
+}
+int
+ec_field_element_equal(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *a,
+    const EC_FIELD_ELEMENT *b)
+{
+        BN_ULONG v = 0;
+        int i;
+        for (i = 0; i < fm->n; i++)
+                v |= a->w[i] ^ b->w[i];
+        return bn_ct_eq_zero(v);
+}
+int
+ec_field_element_is_zero(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *fe)
+{
+        BN_ULONG v = 0;
+        int i;
+        for (i = 0; i < fm->n; i++)
+                v |= fe->w[i];
+        return bn_ct_eq_zero(v);
+}
+void
+ec_field_element_add(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b)
+{
+        bn_mod_add_words(r->w, a->w, b->w, m->m.w, m->n);
+}
+void
+ec_field_element_sub(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b)
+{
+        bn_mod_sub_words(r->w, a->w, b->w, m->m.w, m->n);
+}
+void
+ec_field_element_mul(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b)
+{
+        BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
+        bn_mod_mul_words(r->w, a->w, b->w, m->m.w, t, m->minv0, m->n);
+}
+void
+ec_field_element_sqr(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a)
+{
+        BN_ULONG t[EC_FIELD_ELEMENT_MAX_WORDS * 2 + 2];
+        bn_mod_sqr_words(r->w, a->w, m->m.w, t, m->minv0, m->n);
+}
diff --git a/src/lib/libcrypto/ec/ec_internal.h b/src/lib/libcrypto/ec/ec_internal.h
new file mode 100644
index 0000000000..de0affa206
--- /dev/null
+++ b/src/lib/libcrypto/ec/ec_internal.h
@@ -0,0 +1,65 @@
+/*      $OpenBSD: ec_internal.h,v 1.3 2025/12/05 14:12:32 tb Exp $      */
+/*
+ * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <openssl/bn.h>
+#ifndef HEADER_EC_INTERNAL_H
+#define HEADER_EC_INTERNAL_H
+#define EC_FIELD_ELEMENT_MAX_BITS 521
+#define EC_FIELD_ELEMENT_MAX_BYTES \
+    (EC_FIELD_ELEMENT_MAX_BITS + 7) / 8
+#define EC_FIELD_ELEMENT_MAX_WORDS \
+    ((EC_FIELD_ELEMENT_MAX_BYTES + sizeof(BN_ULONG) - 1) / sizeof(BN_ULONG))
+typedef struct {
+        BN_ULONG w[EC_FIELD_ELEMENT_MAX_WORDS];
+} EC_FIELD_ELEMENT;
+typedef struct {
+        size_t n;
+        EC_FIELD_ELEMENT m;
+        EC_FIELD_ELEMENT rr;
+        BN_ULONG minv0;
+} EC_FIELD_MODULUS;
+int ec_field_modulus_from_bn(EC_FIELD_MODULUS *fm, const BIGNUM *bn,
+    BN_CTX *ctx);
+int ec_field_element_from_bn(const EC_FIELD_MODULUS *fm, const EC_GROUP *group,
+    EC_FIELD_ELEMENT *fe, const BIGNUM *bn, BN_CTX *ctx);
+int ec_field_element_to_bn(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *fe,
+    BIGNUM *bn, BN_CTX *ctx);
+void ec_field_element_copy(EC_FIELD_ELEMENT *dst, const EC_FIELD_ELEMENT *src);
+void ec_field_element_select(const EC_FIELD_MODULUS *fm, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b, int conditional);
+int ec_field_element_equal(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *a,
+    const EC_FIELD_ELEMENT *b);
+int ec_field_element_is_zero(const EC_FIELD_MODULUS *fm, const EC_FIELD_ELEMENT *fe);
+void ec_field_element_add(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b);
+void ec_field_element_sub(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b);
+void ec_field_element_mul(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a, const EC_FIELD_ELEMENT *b);
+void ec_field_element_sqr(const EC_FIELD_MODULUS *m, EC_FIELD_ELEMENT *r,
+    const EC_FIELD_ELEMENT *a);
+#endif
diff --git a/src/lib/libcrypto/ec/ec_key.c b/src/lib/libcrypto/ec/ec_key.c
index 6257d67cd1..e9777019c8 100644
--- a/src/lib/libcrypto/ec/ec_key.c
+++ b/src/lib/libcrypto/ec/ec_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_key.c,v 1.51 2025/01/25 10:34:36 tb Exp $ */
+/* $OpenBSD: ec_key.c,v 1.52 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@@ -66,11 +66,11 @@
 #include <openssl/opensslconf.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include "bn_local.h"
 #include "ec_local.h"
 #include "ecdsa_local.h"
+#include "err_local.h"
 EC_KEY *
 EC_KEY_new(void)
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 7982d23f06..30b2cf95b8 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.123 2025/03/24 13:07:04 jsing Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.131 2025/12/26 18:49:13 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -68,12 +68,12 @@
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/opensslv.h>
 #include "bn_local.h"
 #include "ec_local.h"
+#include "err_local.h"
 EC_GROUP *
 EC_GROUP_new(const EC_METHOD *meth)
@@ -165,6 +165,10 @@ EC_GROUP_copy(EC_GROUP *dst, const EC_GROUP *src)
        dst->a_is_minus3 = src->a_is_minus3;
+        memcpy(&dst->fm, &src->fm, sizeof(src->fm));
+        memcpy(&dst->fe_a, &src->fe_a, sizeof(src->fe_a));
+        memcpy(&dst->fe_b, &src->fe_b, sizeof(src->fe_b));
        BN_MONT_CTX_free(dst->mont_ctx);
        dst->mont_ctx = NULL;
        if (src->mont_ctx != NULL) {
@@ -788,6 +792,16 @@ EC_GROUP_cmp(const EC_GROUP *group1, const EC_GROUP *group2, BN_CTX *ctx_in)
 }
 LCRYPTO_ALIAS(EC_GROUP_cmp);
+int
+ec_group_and_point_compatible(const EC_GROUP *group, const EC_POINT *point)
+{
+        if (group->meth != point->meth)
+                return 0;
+        if (group->nid == NID_undef || point->nid == NID_undef)
+                return 1;
+        return group->nid == point->nid;
+}
 EC_POINT *
 EC_POINT_new(const EC_GROUP *group)
 {
@@ -811,6 +825,7 @@ EC_POINT_new(const EC_GROUP *group)
                goto err;
        point->meth = group->meth;
+        point->nid = group->nid;
        return point;
@@ -852,6 +867,8 @@ EC_POINT_copy(EC_POINT *dst, const EC_POINT *src)
        if (dst == src)
                return 1;
+        dst->nid = src->nid;
        if (!bn_copy(dst->X, src->X))
                return 0;
        if (!bn_copy(dst->Y, src->Y))
@@ -860,6 +877,10 @@ EC_POINT_copy(EC_POINT *dst, const EC_POINT *src)
                return 0;
        dst->Z_is_one = src->Z_is_one;
+        memcpy(&dst->fe_x, &src->fe_x, sizeof(dst->fe_x));
+        memcpy(&dst->fe_y, &src->fe_y, sizeof(dst->fe_y));
+        memcpy(&dst->fe_z, &src->fe_z, sizeof(dst->fe_z));
        return 1;
 }
 LCRYPTO_ALIAS(EC_POINT_copy);
@@ -890,15 +911,11 @@ LCRYPTO_ALIAS(EC_POINT_dup);
 int
 EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
 {
-        if (group->meth != point->meth) {
+        if (!ec_group_and_point_compatible(group, point)) {
                ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                return 0;
        }
+        return group->meth->point_set_to_infinity(group, point);
-        BN_zero(point->Z);
-        point->Z_is_one = 0;
-        return 1;
 }
 LCRYPTO_ALIAS(EC_POINT_set_to_infinity);
@@ -918,7 +935,7 @@ EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                goto err;
        }
-        if (group->meth != point->meth) {
+        if (!ec_group_and_point_compatible(group, point)) {
                ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                goto err;
        }
@@ -969,7 +986,7 @@ EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                goto err;
        }
-        if (group->meth != point->meth) {
+        if (!ec_group_and_point_compatible(group, point)) {
                ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                goto err;
        }
@@ -1119,8 +1136,9 @@ EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                goto err;
        }
-        if (group->meth != r->meth || group->meth != a->meth ||
+        if (!ec_group_and_point_compatible(group, r) ||
-            group->meth != b->meth) {
+            !ec_group_and_point_compatible(group, a) ||
+            !ec_group_and_point_compatible(group, b)) {
                ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                goto err;
        }
@@ -1150,7 +1168,8 @@ EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                goto err;
        }
-        if (group->meth != r->meth || r->meth != a->meth) {
+        if (!ec_group_and_point_compatible(group, r) ||
+            !ec_group_and_point_compatible(group, a)) {
                ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                goto err;
        }
@@ -1179,7 +1198,7 @@ EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx_in)
                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                goto err;
        }
-        if (group->meth != a->meth) {
+        if (!ec_group_and_point_compatible(group, a)) {
                ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                goto err;
        }
@@ -1196,12 +1215,11 @@ LCRYPTO_ALIAS(EC_POINT_invert);
 int
 EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
 {
-        if (group->meth != point->meth) {
+        if (!ec_group_and_point_compatible(group, point)) {
                ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                return 0;
        }
+        return group->meth->point_is_at_infinity(group, point);
-        return BN_is_zero(point->Z);
 }
 LCRYPTO_ALIAS(EC_POINT_is_at_infinity);
@@ -1221,7 +1239,7 @@ EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                goto err;
        }
-        if (group->meth != point->meth) {
+        if (!ec_group_and_point_compatible(group, point)) {
                ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                goto err;
        }
@@ -1251,7 +1269,8 @@ EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b,
                ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
                goto err;
        }
-        if (group->meth != a->meth || a->meth != b->meth) {
+        if (!ec_group_and_point_compatible(group, a) ||
+            !ec_group_and_point_compatible(group, b)) {
                ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                goto err;
        }
@@ -1324,6 +1343,12 @@ EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar,
                goto err;
        }
+        if (!ec_group_and_point_compatible(group, r) ||
+            (point != NULL && !ec_group_and_point_compatible(group, point))) {
+                ECerror(EC_R_INCOMPATIBLE_OBJECTS);
+                goto err;
+        }
        if (g_scalar != NULL && point == NULL && p_scalar == NULL) {
                /*
                 * In this case we want to compute g_scalar * GeneratorPoint:
diff --git a/src/lib/libcrypto/ec/ec_local.h b/src/lib/libcrypto/ec/ec_local.h
index c7a54d3a2b..d84e92767c 100644
--- a/src/lib/libcrypto/ec/ec_local.h
+++ b/src/lib/libcrypto/ec/ec_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_local.h,v 1.67 2025/03/24 13:07:04 jsing Exp $ */
+/* $OpenBSD: ec_local.h,v 1.73 2025/12/26 18:42:33 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -69,6 +69,9 @@
 *
 */
+#ifndef HEADER_EC_LOCAL_H
+#define HEADER_EC_LOCAL_H
 #include <stdlib.h>
 #include <openssl/bn.h>
@@ -76,6 +79,7 @@
 #include <openssl/objects.h>
 #include "bn_local.h"
+#include "ec_internal.h"
 __BEGIN_HIDDEN_DECLS
@@ -85,6 +89,9 @@ typedef struct ec_method_st {
        int (*group_get_curve)(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
            BIGNUM *b, BN_CTX *);
+        int (*point_set_to_infinity)(const EC_GROUP *, EC_POINT *);
+        int (*point_is_at_infinity)(const EC_GROUP *, const EC_POINT *);
        int (*point_is_on_curve)(const EC_GROUP *, const EC_POINT *, BN_CTX *);
        int (*point_cmp)(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
            BN_CTX *);
@@ -155,10 +162,15 @@ struct ec_group_st {
        /* Montgomery context used by EC_GFp_mont_method. */
        BN_MONT_CTX *mont_ctx;
+        EC_FIELD_MODULUS fm;
+        EC_FIELD_ELEMENT fe_a;
+        EC_FIELD_ELEMENT fe_b;
 } /* EC_GROUP */;
 struct ec_point_st {
        const EC_METHOD *meth;
+        int nid;
        /*
         * Jacobian projective coordinates: (X, Y, Z) represents (X/Z^2, Y/Z^3)
@@ -168,10 +180,15 @@ struct ec_point_st {
        BIGNUM *Y;
        BIGNUM *Z;
        int Z_is_one; /* enable optimized point arithmetics for special case */
+        EC_FIELD_ELEMENT fe_x;
+        EC_FIELD_ELEMENT fe_y;
+        EC_FIELD_ELEMENT fe_z;
 } /* EC_POINT */;
 const EC_METHOD *EC_GFp_simple_method(void);
 const EC_METHOD *EC_GFp_mont_method(void);
+const EC_METHOD *EC_GFp_homogeneous_projective_method(void);
 /* Compute r = scalar1 * point1 + scalar2 * point2 in non-constant time. */
 int ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
@@ -179,6 +196,7 @@ int ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
    BN_CTX *ctx);
 int ec_group_is_builtin_curve(const EC_GROUP *group, int *out_nid);
+int ec_group_and_point_compatible(const EC_GROUP *group, const EC_POINT *point);
 /*
 * Wrappers around the unergonomic EC_POINT_{oct2point,point2oct}().
@@ -252,3 +270,5 @@ int ecdh_KDF_X9_63(unsigned char *out, size_t outlen, const unsigned char *Z,
    size_t Zlen, const unsigned char *sinfo, size_t sinfolen, const EVP_MD *md);
 __END_HIDDEN_DECLS
+#endif /* HEADER_EC_LOCAL_H */
diff --git a/src/lib/libcrypto/ec/ec_mult.c b/src/lib/libcrypto/ec/ec_mult.c
index 673696a9fd..067df9a2a2 100644
--- a/src/lib/libcrypto/ec/ec_mult.c
+++ b/src/lib/libcrypto/ec/ec_mult.c
@@ -1,64 +1,19 @@
-/* $OpenBSD: ec_mult.c,v 1.58 2025/03/24 13:07:04 jsing Exp $ */
+/* $OpenBSD: ec_mult.c,v 1.61 2025/12/26 18:44:19 tb Exp $ */
 /*
- * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project.
+ * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
- */
-/* ====================================================================
- * Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * Permission to use, copy, modify, and distribute this software for any
- *    endorse or promote products derived from this software without
+ * purpose with or without fee is hereby granted, provided that the above
- *    prior written permission. For written permission, please contact
+ * copyright notice and this permission notice appear in all copies.
- *    openssl-core@openssl.org.
 *
- * 5. Products derived from this software may not be called "OpenSSL"
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- *    nor may "OpenSSL" appear in their names without prior written
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- *    permission of the OpenSSL Project.
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- *
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * 6. Redistributions of any form whatsoever must retain the following
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- *    acknowledgment:
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- *    "This product includes software developed by the OpenSSL Project
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- * Portions of this software developed by SUN MICROSYSTEMS, INC.,
- * and contributed to the OpenSSL project.
 */
 #include <stdint.h>
@@ -67,9 +22,9 @@
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include "ec_local.h"
+#include "err_local.h"
 /* Holds the wNAF digits of bn and the corresponding odd multiples of point. */
 struct ec_wnaf {
@@ -332,8 +287,9 @@ ec_wnaf_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
                ECerror(ERR_R_PASSED_NULL_PARAMETER);
                goto err;
        }
-        if (group->meth != r->meth || group->meth != point1->meth ||
+        if (!ec_group_and_point_compatible(group, r) ||
-            group->meth != point2->meth) {
+            !ec_group_and_point_compatible(group, point1) ||
+            !ec_group_and_point_compatible(group, point2)) {
                ECerror(EC_R_INCOMPATIBLE_OBJECTS);
                goto err;
        }
diff --git a/src/lib/libcrypto/ec/ec_pmeth.c b/src/lib/libcrypto/ec/ec_pmeth.c
index 85ac4822d1..69bf7e741a 100644
--- a/src/lib/libcrypto/ec/ec_pmeth.c
+++ b/src/lib/libcrypto/ec/ec_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_pmeth.c,v 1.26 2025/03/13 10:39:51 tb Exp $ */
+/* $OpenBSD: ec_pmeth.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -62,12 +62,12 @@
 #include <openssl/asn1t.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "bn_local.h"
 #include "ec_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 /* EC pkey context structure */
diff --git a/src/lib/libcrypto/ec/eck_prn.c b/src/lib/libcrypto/ec/eck_prn.c
index c40a64966a..ed5fdce9c1 100644
--- a/src/lib/libcrypto/ec/eck_prn.c
+++ b/src/lib/libcrypto/ec/eck_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: eck_prn.c,v 1.41 2025/01/25 10:30:17 tb Exp $ */
+/* $OpenBSD: eck_prn.c,v 1.42 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@@ -66,12 +66,12 @@
 #include <openssl/bio.h>
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "bn_local.h"
 #include "ec_local.h"
+#include "err_local.h"
 int
 EC_KEY_print(BIO *bio, const EC_KEY *ec_key, int off)
diff --git a/src/lib/libcrypto/ec/ecp_hp_methods.c b/src/lib/libcrypto/ec/ecp_hp_methods.c
new file mode 100644
index 0000000000..0b34a55b9d
--- /dev/null
+++ b/src/lib/libcrypto/ec/ecp_hp_methods.c
@@ -0,0 +1,943 @@
+/*      $OpenBSD: ecp_hp_methods.c,v 1.5 2025/08/03 15:44:00 jsing Exp $        */
+/*
+ * Copyright (c) 2024-2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <string.h>
+#include <openssl/bn.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include "bn_internal.h"
+#include "crypto_internal.h"
+#include "ec_local.h"
+#include "ec_internal.h"
+#include "err_local.h"
+static int
+ec_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
+    const BIGNUM *b, BN_CTX *ctx)
+{
+        BIGNUM *t;
+        int ret = 0;
+        BN_CTX_start(ctx);
+        /* XXX - p must be a prime > 3. */
+        if (!bn_copy(group->p, p))
+                goto err;
+        if (!bn_copy(group->a, a))
+                goto err;
+        if (!bn_copy(group->b, b))
+                goto err;
+        /* XXX */
+        BN_set_negative(group->p, 0);
+        /* XXX */
+        if (!BN_nnmod(group->a, group->a, group->p, ctx))
+                goto err;
+        if (!BN_nnmod(group->b, group->b, group->p, ctx))
+                goto err;
+        if ((t = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if (!BN_set_word(t, 3))
+                goto err;
+        if (!BN_mod_add(t, t, a, group->p, ctx))
+                goto err;
+        group->a_is_minus3 = BN_is_zero(t);
+        if (!ec_field_modulus_from_bn(&group->fm, group->p, ctx))
+                goto err;
+        if (!ec_field_element_from_bn(&group->fm, group, &group->fe_a, group->a, ctx))
+                goto err;
+        if (!ec_field_element_from_bn(&group->fm, group, &group->fe_b, group->b, ctx))
+                goto err;
+        ret = 1;
+ err:
+        BN_CTX_end(ctx);
+        return ret;
+}
+static int
+ec_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a,
+    BIGNUM *b, BN_CTX *ctx)
+{
+        if (p != NULL) {
+                if (!bn_copy(p, group->p))
+                        return 0;
+        }
+        if (a != NULL) {
+                if (!bn_copy(a, group->a))
+                        return 0;
+        }
+        if (b != NULL) {
+                if (!bn_copy(b, group->b))
+                        return 0;
+        }
+        return 1;
+}
+static int
+ec_point_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
+{
+        /* Check if Z is equal to zero. */
+        return ec_field_element_is_zero(&group->fm, &point->fe_z);
+}
+static int
+ec_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
+{
+        /* Infinity is (x = 0, y = 1, z = 0). */
+        memset(&point->fe_x, 0, sizeof(point->fe_x));
+        memset(&point->fe_y, 0, sizeof(point->fe_y));
+        memset(&point->fe_z, 0, sizeof(point->fe_z));
+        point->fe_y.w[0] = 1;
+        return 1;
+}
+static int
+ec_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point,
+    const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx)
+{
+        if (x == NULL || y == NULL) {
+                ECerror(ERR_R_PASSED_NULL_PARAMETER);
+                return 0;
+        }
+        if (!bn_copy(point->X, x))
+                return 0;
+        if (!bn_copy(point->Y, y))
+                return 0;
+        if (!BN_one(point->Z))
+                return 0;
+        /* XXX */
+        if (!BN_nnmod(point->X, point->X, group->p, ctx))
+                return 0;
+        if (!BN_nnmod(point->Y, point->Y, group->p, ctx))
+                return 0;
+        if (!ec_field_element_from_bn(&group->fm, group, &point->fe_x, point->X, ctx))
+                return 0;
+        if (!ec_field_element_from_bn(&group->fm, group, &point->fe_y, point->Y, ctx))
+                return 0;
+        if (!ec_field_element_from_bn(&group->fm, group, &point->fe_z, point->Z, ctx))
+                return 0;
+        return 1;
+}
+static int
+ec_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point,
+    BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
+{
+        BIGNUM *zinv;
+        int ret = 0;
+        /*
+         * Convert homogeneous projective coordinates (XZ, YZ, Z) to affine
+         * coordinates (x = X/Z, y = Y/Z).
+         */
+        if (!ec_field_element_to_bn(&group->fm, &point->fe_x, point->X, ctx))
+                return 0;
+        if (!ec_field_element_to_bn(&group->fm, &point->fe_y, point->Y, ctx))
+                return 0;
+        if (!ec_field_element_to_bn(&group->fm, &point->fe_z, point->Z, ctx))
+                return 0;
+        BN_CTX_start(ctx);
+        if ((zinv = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if (BN_mod_inverse_ct(zinv, point->Z, group->p, ctx) == NULL)
+                goto err;
+        if (x != NULL) {
+                if (!BN_mod_mul(x, point->X, zinv, group->p, ctx))
+                        goto err;
+        }
+        if (y != NULL) {
+                if (!BN_mod_mul(y, point->Y, zinv, group->p, ctx))
+                        goto err;
+        }
+        ret = 1;
+ err:
+        BN_CTX_end(ctx);
+        return ret;
+}
+static int
+ec_point_add_a1(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
+    const EC_POINT *b, BN_CTX *ctx)
+{
+        EC_FIELD_ELEMENT X1, Y1, Z1, X2, Y2, Z2, X3, Y3, Z3;
+        EC_FIELD_ELEMENT b3, t0, t1, t2, t3, t4, t5;
+        EC_FIELD_ELEMENT ga, gb;
+        /*
+         * Complete, projective point addition for arbitrary prime order short
+         * Weierstrass curves with arbitrary a - see
+         * https://eprint.iacr.org/2015/1060, algorithm 1 and appendix A.1.
+         */
+        ec_field_element_copy(&ga, &group->fe_a);
+        ec_field_element_copy(&gb, &group->fe_b);
+        ec_field_element_copy(&X1, &a->fe_x);
+        ec_field_element_copy(&Y1, &a->fe_y);
+        ec_field_element_copy(&Z1, &a->fe_z);
+        ec_field_element_copy(&X2, &b->fe_x);
+        ec_field_element_copy(&Y2, &b->fe_y);
+        ec_field_element_copy(&Z2, &b->fe_z);
+        /* b3 := 3 * b ; */
+        ec_field_element_add(&group->fm, &b3, &gb, &gb);
+        ec_field_element_add(&group->fm, &b3, &b3, &gb);
+        /* t0 := X1 * X2 ; t1 := Y1 * Y2 ; t2 := Z1 * Z2 ; */
+        ec_field_element_mul(&group->fm, &t0, &X1, &X2);
+        ec_field_element_mul(&group->fm, &t1, &Y1, &Y2);
+        ec_field_element_mul(&group->fm, &t2, &Z1, &Z2);
+        /* t3 := X1 + Y1 ; t4 := X2 + Y2 ; t3 := t3 * t4 ; */
+        ec_field_element_add(&group->fm, &t3, &X1, &Y1);
+        ec_field_element_add(&group->fm, &t4, &X2, &Y2);
+        ec_field_element_mul(&group->fm, &t3, &t3, &t4);
+        /* t4 := t0 + t1 ; t3 := t3 - t4 ; t4 := X1 + Z1 ; */
+        ec_field_element_add(&group->fm, &t4, &t0, &t1);
+        ec_field_element_sub(&group->fm, &t3, &t3, &t4);
+        ec_field_element_add(&group->fm, &t4, &X1, &Z1);
+        /* t5 := X2 + Z2 ; t4 := t4 * t5 ; t5 := t0 + t2 ; */
+        ec_field_element_add(&group->fm, &t5, &X2, &Z2);
+        ec_field_element_mul(&group->fm, &t4, &t4, &t5);
+        ec_field_element_add(&group->fm, &t5, &t0, &t2);
+        /* t4 := t4 - t5 ; t5 := Y1 + Z1 ; X3 := Y2 + Z2 ; */
+        ec_field_element_sub(&group->fm, &t4, &t4, &t5);
+        ec_field_element_add(&group->fm, &t5, &Y1, &Z1);
+        ec_field_element_add(&group->fm, &X3, &Y2, &Z2);
+        /* t5 := t5 * X3 ; X3 := t1 + t2 ; t5 := t5 - X3 ; */
+        ec_field_element_mul(&group->fm, &t5, &t5, &X3);
+        ec_field_element_add(&group->fm, &X3, &t1, &t2);
+        ec_field_element_sub(&group->fm, &t5, &t5, &X3);
+        /* Z3 := a * t4 ; X3 := b3 * t2 ; Z3 := X3 + Z3 ; */
+        ec_field_element_mul(&group->fm, &Z3, &ga, &t4);
+        ec_field_element_mul(&group->fm, &X3, &b3, &t2);
+        ec_field_element_add(&group->fm, &Z3, &X3, &Z3);
+        /* X3 := t1 - Z3 ; Z3 := t1 + Z3 ; Y3 := X3 * Z3 ; */
+        ec_field_element_sub(&group->fm, &X3, &t1, &Z3);
+        ec_field_element_add(&group->fm, &Z3, &t1, &Z3);
+        ec_field_element_mul(&group->fm, &Y3, &X3, &Z3);
+        /* t1 := t0 + t0 ; t1 := t1 + t0 ; t2 := a * t2 ; */
+        ec_field_element_add(&group->fm, &t1, &t0, &t0);
+        ec_field_element_add(&group->fm, &t1, &t1, &t0);
+        ec_field_element_mul(&group->fm, &t2, &ga, &t2);
+        /* t4 := b3 * t4 ; t1 := t1 + t2 ; t2 := t0 - t2 ; */
+        ec_field_element_mul(&group->fm, &t4, &b3, &t4);
+        ec_field_element_add(&group->fm, &t1, &t1, &t2);
+        ec_field_element_sub(&group->fm, &t2, &t0, &t2);
+        /* t2 := a * t2 ; t4 := t4 + t2 ; t0 := t1 * t4 ; */
+        ec_field_element_mul(&group->fm, &t2, &ga, &t2);
+        ec_field_element_add(&group->fm, &t4, &t4, &t2);
+        ec_field_element_mul(&group->fm, &t0, &t1, &t4);
+        /* Y3 := Y3 + t0 ; t0 := t5 * t4 ; X3 := t3 * X3 ; */
+        ec_field_element_add(&group->fm, &Y3, &Y3, &t0);
+        ec_field_element_mul(&group->fm, &t0, &t5, &t4);
+        ec_field_element_mul(&group->fm, &X3, &t3, &X3);
+        /* X3 := X3 - t0 ; t0 := t3 * t1 ; Z3 := t5 * Z3 ; */
+        ec_field_element_sub(&group->fm, &X3, &X3, &t0);
+        ec_field_element_mul(&group->fm, &t0, &t3, &t1);
+        ec_field_element_mul(&group->fm, &Z3, &t5, &Z3);
+        /* Z3 := Z3 + t0 ; */
+        ec_field_element_add(&group->fm, &Z3, &Z3, &t0);
+        ec_field_element_copy(&r->fe_x, &X3);
+        ec_field_element_copy(&r->fe_y, &Y3);
+        ec_field_element_copy(&r->fe_z, &Z3);
+        return 1;
+}
+static int
+ec_point_add_a2(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
+    const EC_POINT *b, BN_CTX *ctx)
+{
+        EC_FIELD_ELEMENT X1, Y1, Z1, X2, Y2, Z2, X3, Y3, Z3;
+        EC_FIELD_ELEMENT t0, t1, t2, t3, t4;
+        EC_FIELD_ELEMENT gb;
+        /*
+         * Complete, projective point addition for arbitrary prime order short
+         * Weierstrass curves with a = -3 - see https://eprint.iacr.org/2015/1060,
+         * algorithm 4 and appendix A.2.
+         */
+        ec_field_element_copy(&gb, &group->fe_b);
+        ec_field_element_copy(&X1, &a->fe_x);
+        ec_field_element_copy(&Y1, &a->fe_y);
+        ec_field_element_copy(&Z1, &a->fe_z);
+        ec_field_element_copy(&X2, &b->fe_x);
+        ec_field_element_copy(&Y2, &b->fe_y);
+        ec_field_element_copy(&Z2, &b->fe_z);
+        /* t0 := X1 * X2 ; t1 := Y1 * Y2 ; t2 := Z1 * Z2 ; */
+        ec_field_element_mul(&group->fm, &t0, &X1, &X2);
+        ec_field_element_mul(&group->fm, &t1, &Y1, &Y2);
+        ec_field_element_mul(&group->fm, &t2, &Z1, &Z2);
+        /* t3 := X1 + Y1 ; t4 := X2 + Y2 ; t3 := t3 * t4 ; */
+        ec_field_element_add(&group->fm, &t3, &X1, &Y1);
+        ec_field_element_add(&group->fm, &t4, &X2, &Y2);
+        ec_field_element_mul(&group->fm, &t3, &t3, &t4);
+        /* t4 := t0 + t1 ; t3 := t3 - t4 ; t4 := Y1 + Z1 ; */
+        ec_field_element_add(&group->fm, &t4, &t0, &t1);
+        ec_field_element_sub(&group->fm, &t3, &t3, &t4);
+        ec_field_element_add(&group->fm, &t4, &Y1, &Z1);
+        /* X3 := Y2 + Z2 ; t4 := t4 * X3 ; X3 := t1 + t2 ; */
+        ec_field_element_add(&group->fm, &X3, &Y2, &Z2);
+        ec_field_element_mul(&group->fm, &t4, &t4, &X3);
+        ec_field_element_add(&group->fm, &X3, &t1, &t2);
+        /* t4 := t4 - X3 ; X3 := X1 + Z1 ; Y3 := X2 + Z2 ; */
+        ec_field_element_sub(&group->fm, &t4, &t4, &X3);
+        ec_field_element_add(&group->fm, &X3, &X1, &Z1);
+        ec_field_element_add(&group->fm, &Y3, &X2, &Z2);
+        /* X3 := X3 * Y3 ; Y3 := t0 + t2 ; Y3 := X3 - Y3 ; */
+        ec_field_element_mul(&group->fm, &X3, &X3, &Y3);
+        ec_field_element_add(&group->fm, &Y3, &t0, &t2);
+        ec_field_element_sub(&group->fm, &Y3, &X3, &Y3);
+        /* Z3 := b * t2 ; X3 := Y3 - Z3 ; Z3 := X3 + X3 ; */
+        ec_field_element_mul(&group->fm, &Z3, &gb, &t2);
+        ec_field_element_sub(&group->fm, &X3, &Y3, &Z3);
+        ec_field_element_add(&group->fm, &Z3, &X3, &X3);
+        /* X3 := X3 + Z3 ; Z3 := t1 - X3 ; X3 := t1 + X3 ; */
+        ec_field_element_add(&group->fm, &X3, &X3, &Z3);
+        ec_field_element_sub(&group->fm, &Z3, &t1, &X3);
+        ec_field_element_add(&group->fm, &X3, &t1, &X3);
+        /* Y3 := b * Y3 ; t1 := t2 + t2 ; t2 := t1 + t2 ; */
+        ec_field_element_mul(&group->fm, &Y3, &gb, &Y3);
+        ec_field_element_add(&group->fm, &t1, &t2, &t2);
+        ec_field_element_add(&group->fm, &t2, &t1, &t2);
+        /* Y3 := Y3 - t2 ; Y3 := Y3 - t0 ; t1 := Y3 + Y3 ; */
+        ec_field_element_sub(&group->fm, &Y3, &Y3, &t2);
+        ec_field_element_sub(&group->fm, &Y3, &Y3, &t0);
+        ec_field_element_add(&group->fm, &t1, &Y3, &Y3);
+        /* Y3 := t1 + Y3 ; t1 := t0 + t0 ; t0 := t1 + t0 ; */
+        ec_field_element_add(&group->fm, &Y3, &t1, &Y3);
+        ec_field_element_add(&group->fm, &t1, &t0, &t0);
+        ec_field_element_add(&group->fm, &t0, &t1, &t0);
+        /* t0 := t0 - t2 ; t1 := t4 * Y3 ; t2 := t0 * Y3 ; */
+        ec_field_element_sub(&group->fm, &t0, &t0, &t2);
+        ec_field_element_mul(&group->fm, &t1, &t4, &Y3);
+        ec_field_element_mul(&group->fm, &t2, &t0, &Y3);
+        /* Y3 := X3 * Z3 ; Y3 := Y3 + t2 ; X3 := t3 * X3 ; */
+        ec_field_element_mul(&group->fm, &Y3, &X3, &Z3);
+        ec_field_element_add(&group->fm, &Y3, &Y3, &t2);
+        ec_field_element_mul(&group->fm, &X3, &t3, &X3);
+        /* X3 := X3 - t1 ; Z3 := t4 * Z3 ; t1 := t3 * t0 ; */
+        ec_field_element_sub(&group->fm, &X3, &X3, &t1);
+        ec_field_element_mul(&group->fm, &Z3, &t4, &Z3);
+        ec_field_element_mul(&group->fm, &t1, &t3, &t0);
+        /* Z3 := Z3 + t1 ; */
+        ec_field_element_add(&group->fm, &Z3, &Z3, &t1);
+        ec_field_element_copy(&r->fe_x, &X3);
+        ec_field_element_copy(&r->fe_y, &Y3);
+        ec_field_element_copy(&r->fe_z, &Z3);
+        return 1;
+}
+static int
+ec_point_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
+    const EC_POINT *b, BN_CTX *ctx)
+{
+        if (group->a_is_minus3)
+                return ec_point_add_a2(group, r, a, b, ctx);
+        return ec_point_add_a1(group, r, a, b, ctx);
+}
+static int
+ec_point_dbl_a1(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
+{
+        EC_FIELD_ELEMENT X1, Y1, Z1, X3, Y3, Z3;
+        EC_FIELD_ELEMENT b3, t0, t1, t2, t3;
+        EC_FIELD_ELEMENT ga, gb;
+        /*
+         * Exception-free point doubling for arbitrary prime order short
+         * Weierstrass curves with arbitrary a - see
+         * https://eprint.iacr.org/2015/1060, algorithm 3 and appendix A.1.
+         */
+        ec_field_element_copy(&ga, &group->fe_a);
+        ec_field_element_copy(&gb, &group->fe_b);
+        ec_field_element_copy(&X1, &a->fe_x);
+        ec_field_element_copy(&Y1, &a->fe_y);
+        ec_field_element_copy(&Z1, &a->fe_z);
+        /* b3 := 3 * b ; */
+        ec_field_element_add(&group->fm, &b3, &gb, &gb);
+        ec_field_element_add(&group->fm, &b3, &b3, &gb);
+        /* t0 := X^2; t1 := Y^2; t2 := Z^2 ; */
+        ec_field_element_sqr(&group->fm, &t0, &X1);
+        ec_field_element_sqr(&group->fm, &t1, &Y1);
+        ec_field_element_sqr(&group->fm, &t2, &Z1);
+        /* t3 := X * Y ; t3 := t3 + t3 ; Z3 := X * Z ; */
+        ec_field_element_mul(&group->fm, &t3, &X1, &Y1);
+        ec_field_element_add(&group->fm, &t3, &t3, &t3);
+        ec_field_element_mul(&group->fm, &Z3, &X1, &Z1);
+        /* Z3 := Z3 + Z3 ; X3 := a * Z3 ; Y3 := b3 * t2 ; */
+        ec_field_element_add(&group->fm, &Z3, &Z3, &Z3);
+        ec_field_element_mul(&group->fm, &X3, &ga, &Z3);
+        ec_field_element_mul(&group->fm, &Y3, &b3, &t2);
+        /* Y3 := X3 + Y3 ; X3 := t1 - Y3 ; Y3 := t1 + Y3 ; */
+        ec_field_element_add(&group->fm, &Y3, &X3, &Y3);
+        ec_field_element_sub(&group->fm, &X3, &t1, &Y3);
+        ec_field_element_add(&group->fm, &Y3, &t1, &Y3);
+        /* Y3 := X3 * Y3 ; X3 := t3 * X3 ; Z3 := b3 * Z3 ; */
+        ec_field_element_mul(&group->fm, &Y3, &X3, &Y3);
+        ec_field_element_mul(&group->fm, &X3, &t3, &X3);
+        ec_field_element_mul(&group->fm, &Z3, &b3, &Z3);
+        /* t2 := a * t2 ; t3 := t0 - t2 ; t3 := a * t3 ; */
+        ec_field_element_mul(&group->fm, &t2, &ga, &t2);
+        ec_field_element_sub(&group->fm, &t3, &t0, &t2);
+        ec_field_element_mul(&group->fm, &t3, &ga, &t3);
+        /* t3 := t3 + Z3 ; Z3 := t0 + t0 ; t0 := Z3 + t0 ; */
+        ec_field_element_add(&group->fm, &t3, &t3, &Z3);
+        ec_field_element_add(&group->fm, &Z3, &t0, &t0);
+        ec_field_element_add(&group->fm, &t0, &Z3, &t0);
+        /* t0 := t0 + t2 ; t0 := t0 * t3 ; Y3 := Y3 + t0 ; */
+        ec_field_element_add(&group->fm, &t0, &t0, &t2);
+        ec_field_element_mul(&group->fm, &t0, &t0, &t3);
+        ec_field_element_add(&group->fm, &Y3, &Y3, &t0);
+        /* t2 := Y * Z ; t2 := t2 + t2 ; t0 := t2 * t3 ; */
+        ec_field_element_mul(&group->fm, &t2, &Y1, &Z1);
+        ec_field_element_add(&group->fm, &t2, &t2, &t2);
+        ec_field_element_mul(&group->fm, &t0, &t2, &t3);
+        /* X3 := X3 - t0 ; Z3 := t2 * t1 ; Z3 := Z3 + Z3 ; */
+        ec_field_element_sub(&group->fm, &X3, &X3, &t0);
+        ec_field_element_mul(&group->fm, &Z3, &t2, &t1);
+        ec_field_element_add(&group->fm, &Z3, &Z3, &Z3);
+        /* Z3 := Z3 + Z3 ; */
+        ec_field_element_add(&group->fm, &Z3, &Z3, &Z3);
+        ec_field_element_copy(&r->fe_x, &X3);
+        ec_field_element_copy(&r->fe_y, &Y3);
+        ec_field_element_copy(&r->fe_z, &Z3);
+        return 1;
+}
+static int
+ec_point_dbl_a2(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
+{
+        EC_FIELD_ELEMENT X1, Y1, Z1, X3, Y3, Z3;
+        EC_FIELD_ELEMENT t0, t1, t2, t3;
+        EC_FIELD_ELEMENT ga, gb;
+        /*
+         * Exception-free point doubling for arbitrary prime order short
+         * Weierstrass curves with a = -3 - see https://eprint.iacr.org/2015/1060,
+         * algorithm 6 and appendix A.2.
+         */
+        ec_field_element_copy(&ga, &group->fe_a);
+        ec_field_element_copy(&gb, &group->fe_b);
+        ec_field_element_copy(&X1, &a->fe_x);
+        ec_field_element_copy(&Y1, &a->fe_y);
+        ec_field_element_copy(&Z1, &a->fe_z);
+        /* t0 := X^2; t1 := Y^2; t2 := Z^2 ; */
+        ec_field_element_sqr(&group->fm, &t0, &X1);
+        ec_field_element_sqr(&group->fm, &t1, &Y1);
+        ec_field_element_sqr(&group->fm, &t2, &Z1);
+        /* t3 := X * Y ; t3 := t3 + t3 ; Z3 := X * Z ; */
+        ec_field_element_mul(&group->fm, &t3, &X1, &Y1);
+        ec_field_element_add(&group->fm, &t3, &t3, &t3);
+        ec_field_element_mul(&group->fm, &Z3, &X1, &Z1);
+        /* Z3 := Z3 + Z3 ; Y3 := b * t2 ; Y3 := Y3 - Z3 ; */
+        ec_field_element_add(&group->fm, &Z3, &Z3, &Z3);
+        ec_field_element_mul(&group->fm, &Y3, &gb, &t2);
+        ec_field_element_sub(&group->fm, &Y3, &Y3, &Z3);
+        /* X3 := Y3 + Y3 ; Y3 := X3 + Y3 ; X3 := t1 - Y3 ; */
+        ec_field_element_add(&group->fm, &X3, &Y3, &Y3);
+        ec_field_element_add(&group->fm, &Y3, &X3, &Y3);
+        ec_field_element_sub(&group->fm, &X3, &t1, &Y3);
+        /* Y3 := t1 + Y3 ; Y3 := X3 * Y3 ; X3 := X3 * t3 ; */
+        ec_field_element_add(&group->fm, &Y3, &t1, &Y3);
+        ec_field_element_mul(&group->fm, &Y3, &X3, &Y3);
+        ec_field_element_mul(&group->fm, &X3, &X3, &t3);
+        /* t3 := t2 + t2 ; t2 := t2 + t3 ; Z3 := b * Z3 ; */
+        ec_field_element_add(&group->fm, &t3, &t2, &t2);
+        ec_field_element_add(&group->fm, &t2, &t2, &t3);
+        ec_field_element_mul(&group->fm, &Z3, &gb, &Z3);
+        /* Z3 := Z3 - t2 ; Z3 := Z3 - t0 ; t3 := Z3 + Z3 ; */
+        ec_field_element_sub(&group->fm, &Z3, &Z3, &t2);
+        ec_field_element_sub(&group->fm, &Z3, &Z3, &t0);
+        ec_field_element_add(&group->fm, &t3, &Z3, &Z3);
+        /* Z3 := Z3 + t3 ; t3 := t0 + t0 ; t0 := t3 + t0 ; */
+        ec_field_element_add(&group->fm, &Z3, &Z3, &t3);
+        ec_field_element_add(&group->fm, &t3, &t0, &t0);
+        ec_field_element_add(&group->fm, &t0, &t3, &t0);
+        /* t0 := t0 - t2 ; t0 := t0 * Z3 ; Y3 := Y3 + t0 ; */
+        ec_field_element_sub(&group->fm, &t0, &t0, &t2);
+        ec_field_element_mul(&group->fm, &t0, &t0, &Z3);
+        ec_field_element_add(&group->fm, &Y3, &Y3, &t0);
+        /* t0 := Y * Z ; t0 := t0 + t0 ; Z3 := t0 * Z3 ; */
+        ec_field_element_mul(&group->fm, &t0, &Y1, &Z1);
+        ec_field_element_add(&group->fm, &t0, &t0, &t0);
+        ec_field_element_mul(&group->fm, &Z3, &t0, &Z3);
+        /* X3 := X3 - Z3 ; Z3 := t0 * t1 ; Z3 := Z3 + Z3 ; */
+        ec_field_element_sub(&group->fm, &X3, &X3, &Z3);
+        ec_field_element_mul(&group->fm, &Z3, &t0, &t1);
+        ec_field_element_add(&group->fm, &Z3, &Z3, &Z3);
+        /* Z3 := Z3 + Z3 ; */
+        ec_field_element_add(&group->fm, &Z3, &Z3, &Z3);
+        ec_field_element_copy(&r->fe_x, &X3);
+        ec_field_element_copy(&r->fe_y, &Y3);
+        ec_field_element_copy(&r->fe_z, &Z3);
+        return 1;
+}
+static int
+ec_point_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx)
+{
+        if (group->a_is_minus3)
+                return ec_point_dbl_a2(group, r, a, ctx);
+        return ec_point_dbl_a1(group, r, a, ctx);
+}
+static int
+ec_point_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx)
+{
+        EC_FIELD_ELEMENT y;
+        BN_ULONG mask;
+        int i;
+        /*
+         * Invert the point by setting Y = p - Y, if Y is non-zero and the point
+         * is not at infinity.
+         */
+        mask = ~(0 - (ec_point_is_at_infinity(group, point) |
+            ec_field_element_is_zero(&group->fm, &point->fe_y)));
+        /* XXX - masked/conditional subtraction? */
+        ec_field_element_sub(&group->fm, &y, &group->fm.m, &point->fe_y);
+        for (i = 0; i < group->fm.n; i++)
+                point->fe_y.w[i] = (point->fe_y.w[i] & ~mask) | (y.w[i] & mask);
+        return 1;
+}
+static int
+ec_point_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
+{
+        EC_FIELD_ELEMENT sum, axz2, bz3, x3, y2z, z2;
+        /*
+         * Curve is defined by a Weierstrass equation y^2 = x^3 + a*x + b.
+         * The given point is in homogeneous projective coordinates
+         * (x = X/Z, y = Y/Z). Substitute and multiply by Z^3 in order to
+         * evaluate as zy^2 = x^3 + axz^2 + bz^3.
+         */
+        ec_field_element_sqr(&group->fm, &z2, &point->fe_z);
+        ec_field_element_sqr(&group->fm, &y2z, &point->fe_y);
+        ec_field_element_mul(&group->fm, &y2z, &y2z, &point->fe_z);
+        ec_field_element_sqr(&group->fm, &x3, &point->fe_x);
+        ec_field_element_mul(&group->fm, &x3, &x3, &point->fe_x);
+        ec_field_element_mul(&group->fm, &axz2, &group->fe_a, &point->fe_x);
+        ec_field_element_mul(&group->fm, &axz2, &axz2, &z2);
+        ec_field_element_mul(&group->fm, &bz3, &group->fe_b, &point->fe_z);
+        ec_field_element_mul(&group->fm, &bz3, &bz3, &z2);
+        ec_field_element_add(&group->fm, &sum, &x3, &axz2);
+        ec_field_element_add(&group->fm, &sum, &sum, &bz3);
+        return ec_field_element_equal(&group->fm, &y2z, &sum) |
+            ec_point_is_at_infinity(group, point);
+}
+static int
+ec_point_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+{
+        EC_FIELD_ELEMENT ax, ay, bx, by;
+        /*
+         * Compare two points that have homogeneous projection coordinates, that
+         * is (X_a/Z_a, Y_a/Z_a) == (X_b/Z_b, Y_b/Z_b). Return -1 on error, 0 on
+         * equality and 1 on inequality.
+         *
+         * If a and b are both at infinity, Z_a and Z_b will both be zero,
+         * resulting in all values becoming zero, resulting in equality. If a is
+         * at infinity and b is not, then Y_a will be one and Z_b will be
+         * non-zero, hence Y_a * Z_b will be non-zero. Z_a will be zero, hence
+         * Y_b * Z_a will be zero, resulting in inequality. The same applies if
+         * b is at infinity and a is not.
+         */
+        ec_field_element_mul(&group->fm, &ax, &a->fe_x, &b->fe_z);
+        ec_field_element_mul(&group->fm, &ay, &a->fe_y, &b->fe_z);
+        ec_field_element_mul(&group->fm, &bx, &b->fe_x, &a->fe_z);
+        ec_field_element_mul(&group->fm, &by, &b->fe_y, &a->fe_z);
+        return 1 - (ec_field_element_equal(&group->fm, &ax, &bx) &
+            ec_field_element_equal(&group->fm, &ay, &by));
+}
+#if 0
+static int
+ec_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
+    BN_CTX *ctx)
+{
+        size_t i;
+        /* XXX */
+        for (i = 0; i < num; i++) {
+                if (!EC_POINT_make_affine(group, points[0], ctx))
+                        return 0;
+        }
+        return 1;
+}
+#else
+static int
+ec_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[],
+    BN_CTX *ctx)
+{
+        BIGNUM **prod_Z = NULL;
+        BIGNUM *tmp, *tmp_Z;
+        size_t i;
+        int ret = 0;
+        if (num == 0)
+                return 1;
+        BN_CTX_start(ctx);
+        if ((tmp = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if ((tmp_Z = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if ((prod_Z = calloc(num, sizeof *prod_Z)) == NULL)
+                goto err;
+        for (i = 0; i < num; i++) {
+                if ((prod_Z[i] = BN_CTX_get(ctx)) == NULL)
+                        goto err;
+        }
+        if (!BN_is_zero(points[0]->Z)) {
+                if (!bn_copy(prod_Z[0], points[0]->Z))
+                        goto err;
+        } else {
+                if (!BN_one(prod_Z[0]))
+                        goto err;
+        }
+        for (i = 1; i < num; i++) {
+                if (!BN_is_zero(points[i]->Z)) {
+                        if (!BN_mod_mul(prod_Z[i], prod_Z[i - 1], points[i]->Z,
+                            group->p, ctx))
+                                goto err;
+                } else {
+                        if (!bn_copy(prod_Z[i], prod_Z[i - 1]))
+                                goto err;
+                }
+        }
+        if (!BN_mod_inverse_nonct(tmp, prod_Z[num - 1], group->p, ctx)) {
+                ECerror(ERR_R_BN_LIB);
+                goto err;
+        }
+        for (i = num - 1; i > 0; i--) {
+                if (BN_is_zero(points[i]->Z))
+                        continue;
+                if (!BN_mod_mul(tmp_Z, prod_Z[i - 1], tmp, group->p, ctx))
+                        goto err;
+                if (!BN_mod_mul(tmp, tmp, points[i]->Z, group->p, ctx))
+                        goto err;
+                if (!bn_copy(points[i]->Z, tmp_Z))
+                        goto err;
+        }
+        for (i = 0; i < num; i++) {
+                EC_POINT *p = points[i];
+                if (BN_is_zero(p->Z))
+                        continue;
+                if (!BN_mod_mul(p->X, p->X, p->Z, group->p, ctx))
+                        goto err;
+                if (!BN_mod_mul(p->Y, p->Y, p->Z, group->p, ctx))
+                        goto err;
+                if (!BN_one(p->Z))
+                        goto err;
+        }
+        ret = 1;
+ err:
+        BN_CTX_end(ctx);
+        free(prod_Z);
+        return ret;
+}
+#endif
+static void
+ec_point_select(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a,
+    const EC_POINT *b, int conditional)
+{
+        ec_field_element_select(&group->fm, &r->fe_x, &a->fe_x, &b->fe_x, conditional);
+        ec_field_element_select(&group->fm, &r->fe_y, &a->fe_y, &b->fe_y, conditional);
+        ec_field_element_select(&group->fm, &r->fe_z, &a->fe_z, &b->fe_z, conditional);
+}
+static int
+ec_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, const EC_POINT *point,
+    BN_CTX *ctx)
+{
+        BIGNUM *cardinality;
+        EC_POINT *multiples[15];
+        EC_POINT *rr = NULL, *t = NULL;
+        uint8_t *scalar_bytes = NULL;
+        int scalar_len = 0;
+        uint8_t j, wv;
+        int conditional, i;
+        int ret = 0;
+        memset(multiples, 0, sizeof(multiples));
+        BN_CTX_start(ctx);
+        /* XXX - consider blinding. */
+        if ((cardinality = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if (!BN_mul(cardinality, group->order, group->cofactor, ctx))
+                goto err;
+        /* XXX - handle scalar > cardinality and/or negative. */
+        /* Convert scalar into big endian bytes. */
+        scalar_len = BN_num_bytes(cardinality);
+        if ((scalar_bytes = calloc(1, scalar_len)) == NULL)
+                goto err;
+        if (!BN_bn2binpad(scalar, scalar_bytes, scalar_len))
+                goto err;
+        /* Compute multiples of point. */
+        if ((multiples[0] = EC_POINT_dup(point, group)) == NULL)
+                goto err;
+        for (i = 1; i < 15; i += 2) {
+                if ((multiples[i] = EC_POINT_new(group)) == NULL)
+                        goto err;
+                if (!EC_POINT_dbl(group, multiples[i], multiples[i / 2], ctx))
+                        goto err;
+                if ((multiples[i + 1] = EC_POINT_new(group)) == NULL)
+                        goto err;
+                if (!EC_POINT_add(group, multiples[i + 1], multiples[i], point, ctx))
+                        goto err;
+        }
+        if ((rr = EC_POINT_new(group)) == NULL)
+                goto err;
+        if ((t = EC_POINT_new(group)) == NULL)
+                goto err;
+        if (!EC_POINT_set_to_infinity(group, rr))
+                goto err;
+        for (i = 0; i < scalar_len; i++) {
+                if (i != 0) {
+                        if (!EC_POINT_dbl(group, rr, rr, ctx))
+                                goto err;
+                        if (!EC_POINT_dbl(group, rr, rr, ctx))
+                                goto err;
+                        if (!EC_POINT_dbl(group, rr, rr, ctx))
+                                goto err;
+                        if (!EC_POINT_dbl(group, rr, rr, ctx))
+                                goto err;
+                }
+                if (!EC_POINT_set_to_infinity(group, t))
+                        goto err;
+                wv = scalar_bytes[i] >> 4;
+                for (j = 1; j < 16; j++) {
+                        conditional = crypto_ct_eq_u8(j, wv);
+                        ec_point_select(group, t, t, multiples[j - 1], conditional);
+                }
+                if (!EC_POINT_add(group, rr, rr, t, ctx))
+                        goto err;
+                if (!EC_POINT_dbl(group, rr, rr, ctx))
+                        goto err;
+                if (!EC_POINT_dbl(group, rr, rr, ctx))
+                        goto err;
+                if (!EC_POINT_dbl(group, rr, rr, ctx))
+                        goto err;
+                if (!EC_POINT_dbl(group, rr, rr, ctx))
+                        goto err;
+                if (!EC_POINT_set_to_infinity(group, t))
+                        goto err;
+                wv = scalar_bytes[i] & 0xf;
+                for (j = 1; j < 16; j++) {
+                        conditional = crypto_ct_eq_u8(j, wv);
+                        ec_point_select(group, t, t, multiples[j - 1], conditional);
+                }
+                if (!EC_POINT_add(group, rr, rr, t, ctx))
+                        goto err;
+        }
+        if (!EC_POINT_copy(r, rr))
+                goto err;
+        ret = 1;
+ err:
+        for (i = 0; i < 15; i++)
+                EC_POINT_free(multiples[i]);
+        EC_POINT_free(rr);
+        EC_POINT_free(t);
+        freezero(scalar_bytes, scalar_len);
+        BN_CTX_end(ctx);
+        return ret;
+}
+static int
+ec_mul_single_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+    const EC_POINT *point, BN_CTX *ctx)
+{
+        return ec_mul(group, r, scalar, point, ctx);
+}
+static int
+ec_mul_double_nonct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar1,
+    const EC_POINT *point1, const BIGNUM *scalar2, const EC_POINT *point2,
+    BN_CTX *ctx)
+{
+        return ec_wnaf_mul(group, r, scalar1, point1, scalar2, point2, ctx);
+}
+static const EC_METHOD ec_GFp_homogeneous_projective_method = {
+        .group_set_curve = ec_group_set_curve,
+        .group_get_curve = ec_group_get_curve,
+        .point_set_to_infinity = ec_point_set_to_infinity,
+        .point_is_at_infinity = ec_point_is_at_infinity,
+        .point_set_affine_coordinates = ec_point_set_affine_coordinates,
+        .point_get_affine_coordinates = ec_point_get_affine_coordinates,
+        .add = ec_point_add,
+        .dbl = ec_point_dbl,
+        .invert = ec_point_invert,
+        .point_is_on_curve = ec_point_is_on_curve,
+        .point_cmp = ec_point_cmp,
+        .points_make_affine = ec_points_make_affine,
+        .mul_single_ct = ec_mul_single_ct,
+        .mul_double_nonct = ec_mul_double_nonct,
+};
+const EC_METHOD *
+EC_GFp_homogeneous_projective_method(void)
+{
+        return &ec_GFp_homogeneous_projective_method;
+}
diff --git a/src/lib/libcrypto/ec/ecp_methods.c b/src/lib/libcrypto/ec/ecp_methods.c
index ced85ceb1e..8fa78924d2 100644
--- a/src/lib/libcrypto/ec/ecp_methods.c
+++ b/src/lib/libcrypto/ec/ecp_methods.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_methods.c,v 1.45 2025/03/24 13:07:04 jsing Exp $ */
+/* $OpenBSD: ecp_methods.c,v 1.48 2026/01/18 10:07:44 tb Exp $ */
 /* Includes code written by Lenka Fibikova <fibikova@exp-math.uni-essen.de>
 * for the OpenSSL project.
 * Includes code written by Bodo Moeller for the OpenSSL project.
@@ -66,11 +66,11 @@
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include "bn_local.h"
 #include "ec_local.h"
+#include "err_local.h"
 /*
 * Most method functions in this file are designed to work with non-trivial
@@ -180,6 +180,21 @@ ec_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
 }
 static int
+ec_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
+{
+        BN_zero(point->Z);
+        point->Z_is_one = 0;
+        return 1;
+}
+static int
+ec_point_is_at_infinity(const EC_GROUP *group, const EC_POINT *point)
+{
+        return BN_is_zero(point->Z);
+}
+static int
 ec_point_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
 {
        BIGNUM *rh, *tmp, *Z4, *Z6;
@@ -268,6 +283,65 @@ ec_point_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx)
 }
 /*
+ * Compare a and b under the assumption that exactly one of them is affine.
+ * This avoids needless multiplications by one, which are expensive in the
+ * Montgomery domain.
+ */
+static int
+ec_point_cmp_one_affine(const EC_GROUP *group, const EC_POINT *a,
+    const EC_POINT *b, BN_CTX *ctx)
+{
+        const EC_POINT *tmp;
+        BIGNUM *az, *bn;
+        int ret = -1;
+        BN_CTX_start(ctx);
+        if (a->Z_is_one == b->Z_is_one)
+                goto err;
+        /* Ensure b is the affine point. */
+        if (a->Z_is_one) {
+                tmp = a;
+                a = b;
+                b = tmp;
+        }
+        if ((az = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if ((bn = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        /* a->X == b->X * a->Z^2 ? */
+        if (!ec_field_sqr(group, az, a->Z, ctx))
+                goto err;
+        if (!ec_field_mul(group, bn, b->X, az, ctx))
+                goto err;
+        if (BN_cmp(a->X, bn) != 0) {
+                ret = 1;
+                goto err;
+        }
+        /* a->Y == b->Y * a->Z^3 ? */
+        if (!ec_field_mul(group, az, az, a->Z, ctx))
+                goto err;
+        if (!ec_field_mul(group, bn, b->Y, az, ctx))
+                goto err;
+        if (BN_cmp(a->Y, bn) != 0) {
+                ret = 1;
+                goto err;
+        }
+        ret = 0;
+ err:
+        BN_CTX_end(ctx);
+        return ret;
+}
+/*
 * Returns -1 on error, 0 if the points are equal, 1 if the points are distinct.
 */
@@ -275,8 +349,7 @@ static int
 ec_point_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b,
    BN_CTX *ctx)
 {
-        BIGNUM *tmp1, *tmp2, *Za23, *Zb23;
+        BIGNUM *az, *bz, *bn1, *bn2;
-        const BIGNUM *tmp1_, *tmp2_;
        int ret = -1;
        if (EC_POINT_is_at_infinity(group, a) && EC_POINT_is_at_infinity(group, b))
@@ -286,71 +359,51 @@ ec_point_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b,
        if (a->Z_is_one && b->Z_is_one)
                return BN_cmp(a->X, b->X) != 0 || BN_cmp(a->Y, b->Y) != 0;
+        if (a->Z_is_one || b->Z_is_one)
+                return ec_point_cmp_one_affine(group, a, b, ctx);
        BN_CTX_start(ctx);
-        if ((tmp1 = BN_CTX_get(ctx)) == NULL)
+        if ((az = BN_CTX_get(ctx)) == NULL)
-                goto end;
+                goto err;
-        if ((tmp2 = BN_CTX_get(ctx)) == NULL)
+        if ((bz = BN_CTX_get(ctx)) == NULL)
-                goto end;
+                goto err;
-        if ((Za23 = BN_CTX_get(ctx)) == NULL)
+        if ((bn1 = BN_CTX_get(ctx)) == NULL)
-                goto end;
+                goto err;
-        if ((Zb23 = BN_CTX_get(ctx)) == NULL)
+        if ((bn2 = BN_CTX_get(ctx)) == NULL)
-                goto end;
+                goto err;
-        /*
-         * Decide whether (X_a/Z_a^2, Y_a/Z_a^3) = (X_b/Z_b^2, Y_b/Z_b^3), or
-         * equivalently, (X_a*Z_b^2, Y_a*Z_b^3) = (X_b*Z_a^2, Y_b*Z_a^3).
-         */
-        if (!b->Z_is_one) {
-                if (!ec_field_sqr(group, Zb23, b->Z, ctx))
-                        goto end;
-                if (!ec_field_mul(group, tmp1, a->X, Zb23, ctx))
-                        goto end;
-                tmp1_ = tmp1;
-        } else
-                tmp1_ = a->X;
-        if (!a->Z_is_one) {
-                if (!ec_field_sqr(group, Za23, a->Z, ctx))
-                        goto end;
-                if (!ec_field_mul(group, tmp2, b->X, Za23, ctx))
-                        goto end;
-                tmp2_ = tmp2;
-        } else
-                tmp2_ = b->X;
-        /* compare  X_a*Z_b^2  with  X_b*Z_a^2 */
+        /* a->X * b->Z^2 == b->X * a->Z^2 ? */
-        if (BN_cmp(tmp1_, tmp2_) != 0) {
+        if (!ec_field_sqr(group, bz, b->Z, ctx))
-                ret = 1;        /* points differ */
+                goto err;
-                goto end;
+        if (!ec_field_mul(group, bn1, a->X, bz, ctx))
+                goto err;
+        if (!ec_field_sqr(group, az, a->Z, ctx))
+                goto err;
+        if (!ec_field_mul(group, bn2, b->X, az, ctx))
+                goto err;
+        if (BN_cmp(bn1, bn2) != 0) {
+                ret = 1;
+                goto err;
        }
-        if (!b->Z_is_one) {
-                if (!ec_field_mul(group, Zb23, Zb23, b->Z, ctx))
-                        goto end;
-                if (!ec_field_mul(group, tmp1, a->Y, Zb23, ctx))
-                        goto end;
-                /* tmp1_ = tmp1 */
-        } else
-                tmp1_ = a->Y;
-        if (!a->Z_is_one) {
-                if (!ec_field_mul(group, Za23, Za23, a->Z, ctx))
-                        goto end;
-                if (!ec_field_mul(group, tmp2, b->Y, Za23, ctx))
-                        goto end;
-                /* tmp2_ = tmp2 */
-        } else
-                tmp2_ = b->Y;
-        /* compare  Y_a*Z_b^3  with  Y_b*Z_a^3 */
+        /* a->Y * b->Z^3 == b->Y * a->Z^3 ? */
-        if (BN_cmp(tmp1_, tmp2_) != 0) {
+        if (!ec_field_mul(group, bz, bz, b->Z, ctx))
-                ret = 1;        /* points differ */
+                goto err;
-                goto end;
+        if (!ec_field_mul(group, bn1, a->Y, bz, ctx))
+                goto err;
+        if (!ec_field_mul(group, az, az, a->Z, ctx))
+                goto err;
+        if (!ec_field_mul(group, bn2, b->Y, az, ctx))
+                goto err;
+        if (BN_cmp(bn1, bn2) != 0) {
+                ret = 1;
+                goto err;
        }
-        /* points are equal */
        ret = 0;
- end:
+ err:
        BN_CTX_end(ctx);
        return ret;
@@ -1281,6 +1334,8 @@ ec_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
 static const EC_METHOD ec_GFp_simple_method = {
        .group_set_curve = ec_group_set_curve,
        .group_get_curve = ec_group_get_curve,
+        .point_set_to_infinity = ec_point_set_to_infinity,
+        .point_is_at_infinity = ec_point_is_at_infinity,
        .point_is_on_curve = ec_point_is_on_curve,
        .point_cmp = ec_point_cmp,
        .point_set_affine_coordinates = ec_point_set_affine_coordinates,
@@ -1304,6 +1359,8 @@ EC_GFp_simple_method(void)
 static const EC_METHOD ec_GFp_mont_method = {
        .group_set_curve = ec_mont_group_set_curve,
        .group_get_curve = ec_group_get_curve,
+        .point_set_to_infinity = ec_point_set_to_infinity,
+        .point_is_at_infinity = ec_point_is_at_infinity,
        .point_is_on_curve = ec_point_is_on_curve,
        .point_cmp = ec_point_cmp,
        .point_set_affine_coordinates = ec_point_set_affine_coordinates,
diff --git a/src/lib/libcrypto/ec/ecx_methods.c b/src/lib/libcrypto/ec/ecx_methods.c
index 6b5759d4fa..b08456d03b 100644
--- a/src/lib/libcrypto/ec/ecx_methods.c
+++ b/src/lib/libcrypto/ec/ecx_methods.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ecx_methods.c,v 1.14 2024/08/28 07:15:04 tb Exp $ */
+/*      $OpenBSD: ecx_methods.c,v 1.15 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2022 Joel Sing <jsing@openbsd.org>
 *
@@ -20,13 +20,13 @@
 #include <openssl/cms.h>
 #include <openssl/curve25519.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
 #include "bytestring.h"
 #include "curve25519_internal.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/ecdh/ecdh.c b/src/lib/libcrypto/ecdh/ecdh.c
index dbb91f1991..c3affed682 100644
--- a/src/lib/libcrypto/ecdh/ecdh.c
+++ b/src/lib/libcrypto/ecdh/ecdh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecdh.c,v 1.11 2025/02/17 09:25:45 tb Exp $ */
+/* $OpenBSD: ecdh.c,v 1.12 2025/05/10 05:54:38 tb Exp $ */
 /* ====================================================================
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 *
@@ -73,10 +73,10 @@
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include "ec_local.h"
+#include "err_local.h"
 /*
 * Key derivation function from X9.63/SECG.
diff --git a/src/lib/libcrypto/ecdsa/ecdsa.c b/src/lib/libcrypto/ecdsa/ecdsa.c
index 5abc3586e3..4e00eb5ec8 100644
--- a/src/lib/libcrypto/ecdsa/ecdsa.c
+++ b/src/lib/libcrypto/ecdsa/ecdsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecdsa.c,v 1.19 2024/04/15 15:49:37 tb Exp $ */
+/* $OpenBSD: ecdsa.c,v 1.20 2025/05/10 05:54:38 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 2000-2002 The OpenSSL Project.  All rights reserved.
 *
@@ -61,11 +61,11 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/ec.h>
-#include <openssl/err.h>
 #include "bn_local.h"
 #include "ec_local.h"
 #include "ecdsa_local.h"
+#include "err_local.h"
 static const ASN1_TEMPLATE ECDSA_SIG_seq_tt[] = {
        {
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index 25fbb03875..a60769fc2a 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: err.c,v 1.75 2024/11/02 12:46:36 tb Exp $ */
+/* $OpenBSD: err.c,v 1.78 2025/06/10 08:53:37 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -484,33 +484,27 @@ err_build_SYS_str_reasons(void)
 {
        /* malloc cannot be used here, use static storage instead */
        static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
+        const char *errstr;
        int save_errno;
        int i;
        /* strerror(3) will set errno to EINVAL when i is an unknown errno. */
        save_errno = errno;
-        for (i = 1; i <= NUM_SYS_STR_REASONS; i++) {
+        for (i = 0; i < NUM_SYS_STR_REASONS; i++) {
-                ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
+                ERR_STRING_DATA *str = &SYS_str_reasons[i];
-                str->error = (unsigned long)i;
+                str->error = i + 1;
-                if (str->string == NULL) {
+                str->string = "unknown";
-                        char (*dest)[LEN_SYS_STR_REASON] =
-                            &(strerror_tab[i - 1]);
+                if ((errstr = strerror((int)str->error)) != NULL) {
-                        const char *src = strerror(i);
+                        strlcpy(strerror_tab[i], errstr, sizeof(strerror_tab[i]));
-                        if (src != NULL) {
+                        str->string = strerror_tab[i];
-                                strlcpy(*dest, src, sizeof *dest);
-                                str->string = *dest;
-                        }
                }
-                if (str->string == NULL)
-                        str->string = "unknown";
        }
        errno = save_errno;
-        /*
+        SYS_str_reasons[NUM_SYS_STR_REASONS].error = 0;
-         * Now we still have SYS_str_reasons[NUM_SYS_STR_REASONS] = {0, NULL},
+        SYS_str_reasons[NUM_SYS_STR_REASONS].string = NULL;
-         * as required by ERR_load_strings.
-         */
 }
 #endif
@@ -830,7 +824,7 @@ err_clear_last_constant_time(int clear)
        es = ERR_get_state();
        if (es == NULL)
-        return;
+                return;
        top = es->top;
diff --git a/src/lib/libcrypto/err/err.h b/src/lib/libcrypto/err/err.h
index fe6c34dd0a..093db4316e 100644
--- a/src/lib/libcrypto/err/err.h
+++ b/src/lib/libcrypto/err/err.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: err.h,v 1.36 2025/03/09 15:12:18 tb Exp $ */
+/* $OpenBSD: err.h,v 1.38 2025/05/10 06:17:09 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -192,80 +192,9 @@ extern "C" {
 #define ERR_LIB_USER            128
 #ifndef LIBRESSL_INTERNAL
-#define SYSerr(f,r)  ERR_PUT_error(ERR_LIB_SYS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
+#define PEMerr(f,r)     ERR_PUT_error(ERR_LIB_PEM,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define BNerr(f,r)   ERR_PUT_error(ERR_LIB_BN,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
+#define RSAerr(f,r)     ERR_PUT_error(ERR_LIB_RSA,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define RSAerr(f,r)  ERR_PUT_error(ERR_LIB_RSA,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
+#define SSLerr(f,r)     ERR_PUT_error(ERR_LIB_SSL,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define DHerr(f,r)   ERR_PUT_error(ERR_LIB_DH,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define EVPerr(f,r)  ERR_PUT_error(ERR_LIB_EVP,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define BUFerr(f,r)  ERR_PUT_error(ERR_LIB_BUF,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define OBJerr(f,r)  ERR_PUT_error(ERR_LIB_OBJ,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define PEMerr(f,r)  ERR_PUT_error(ERR_LIB_PEM,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define DSAerr(f,r)  ERR_PUT_error(ERR_LIB_DSA,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define X509err(f,r) ERR_PUT_error(ERR_LIB_X509,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ASN1err(f,r) ERR_PUT_error(ERR_LIB_ASN1,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CONFerr(f,r) ERR_PUT_error(ERR_LIB_CONF,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CRYPTOerr(f,r) ERR_PUT_error(ERR_LIB_CRYPTO,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ECerr(f,r)   ERR_PUT_error(ERR_LIB_EC,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define BIOerr(f,r)  ERR_PUT_error(ERR_LIB_BIO,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define PKCS7err(f,r) ERR_PUT_error(ERR_LIB_PKCS7,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define X509V3err(f,r) ERR_PUT_error(ERR_LIB_X509V3,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define PKCS12err(f,r) ERR_PUT_error(ERR_LIB_PKCS12,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define RANDerr(f,r) ERR_PUT_error(ERR_LIB_RAND,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define DSOerr(f,r) ERR_PUT_error(ERR_LIB_DSO,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ENGINEerr(f,r) ERR_PUT_error(ERR_LIB_ENGINE,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define OCSPerr(f,r) ERR_PUT_error(ERR_LIB_OCSP,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define UIerr(f,r) ERR_PUT_error(ERR_LIB_UI,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define COMPerr(f,r) ERR_PUT_error(ERR_LIB_COMP,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ECDSAerr(f,r)  ERR_PUT_error(ERR_LIB_ECDSA,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ECDHerr(f,r)  ERR_PUT_error(ERR_LIB_ECDH,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define STOREerr(f,r) ERR_PUT_error(ERR_LIB_STORE,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define FIPSerr(f,r) ERR_PUT_error(ERR_LIB_FIPS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CMSerr(f,r) ERR_PUT_error(ERR_LIB_CMS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define TSerr(f,r) ERR_PUT_error(ERR_LIB_TS,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define HMACerr(f,r) ERR_PUT_error(ERR_LIB_HMAC,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define JPAKEerr(f,r) ERR_PUT_error(ERR_LIB_JPAKE,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define GOSTerr(f,r) ERR_PUT_error(ERR_LIB_GOST,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define SSLerr(f,r)  ERR_PUT_error(ERR_LIB_SSL,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CTerr(f, r) ERR_PUT_error(ERR_LIB_CT,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define KDFerr(f, r) ERR_PUT_error(ERR_LIB_KDF,(f),(r),OPENSSL_FILE,OPENSSL_LINE)
-#endif
-#ifdef LIBRESSL_INTERNAL
-#define SYSerror(r)  ERR_PUT_error(ERR_LIB_SYS,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define BNerror(r)   ERR_PUT_error(ERR_LIB_BN,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define RSAerror(r)  ERR_PUT_error(ERR_LIB_RSA,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define DHerror(r)   ERR_PUT_error(ERR_LIB_DH,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define EVPerror(r)  ERR_PUT_error(ERR_LIB_EVP,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define BUFerror(r)  ERR_PUT_error(ERR_LIB_BUF,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define OBJerror(r)  ERR_PUT_error(ERR_LIB_OBJ,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define PEMerror(r)  ERR_PUT_error(ERR_LIB_PEM,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define DSAerror(r)  ERR_PUT_error(ERR_LIB_DSA,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define X509error(r) ERR_PUT_error(ERR_LIB_X509,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ASN1error(r) ERR_PUT_error(ERR_LIB_ASN1,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CONFerror(r) ERR_PUT_error(ERR_LIB_CONF,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CRYPTOerror(r) ERR_PUT_error(ERR_LIB_CRYPTO,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ECerror(r)   ERR_PUT_error(ERR_LIB_EC,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define BIOerror(r)  ERR_PUT_error(ERR_LIB_BIO,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define PKCS7error(r) ERR_PUT_error(ERR_LIB_PKCS7,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define X509V3error(r) ERR_PUT_error(ERR_LIB_X509V3,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define PKCS12error(r) ERR_PUT_error(ERR_LIB_PKCS12,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define RANDerror(r) ERR_PUT_error(ERR_LIB_RAND,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define DSOerror(r) ERR_PUT_error(ERR_LIB_DSO,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ENGINEerror(r) ERR_PUT_error(ERR_LIB_ENGINE,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define OCSPerror(r) ERR_PUT_error(ERR_LIB_OCSP,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define UIerror(r) ERR_PUT_error(ERR_LIB_UI,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define COMPerror(r) ERR_PUT_error(ERR_LIB_COMP,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ECDSAerror(r)  ERR_PUT_error(ERR_LIB_ECDSA,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define ECDHerror(r)  ERR_PUT_error(ERR_LIB_ECDH,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define STOREerror(r) ERR_PUT_error(ERR_LIB_STORE,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define FIPSerror(r) ERR_PUT_error(ERR_LIB_FIPS,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CMSerror(r) ERR_PUT_error(ERR_LIB_CMS,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define TSerror(r) ERR_PUT_error(ERR_LIB_TS,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define HMACerror(r) ERR_PUT_error(ERR_LIB_HMAC,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define JPAKEerror(r) ERR_PUT_error(ERR_LIB_JPAKE,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define GOSTerror(r) ERR_PUT_error(ERR_LIB_GOST,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define CTerror(r) ERR_PUT_error(ERR_LIB_CT,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
-#define KDFerror(r) ERR_PUT_error(ERR_LIB_KDF,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
 #endif
 #define ERR_PACK(l,f,r)         (((((unsigned long)l)&0xffL)<<24L)| \
diff --git a/src/lib/libcrypto/err/err_local.h b/src/lib/libcrypto/err/err_local.h
index d091b979cc..87cd40f4a8 100644
--- a/src/lib/libcrypto/err/err_local.h
+++ b/src/lib/libcrypto/err/err_local.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: err_local.h,v 1.1 2024/06/24 06:43:22 tb Exp $ */
+/*      $OpenBSD: err_local.h,v 1.5 2025/05/10 06:45:46 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -118,6 +118,34 @@ __BEGIN_HIDDEN_DECLS
 void ERR_load_const_strings(const ERR_STRING_DATA *str);
+#define ERR_PUT_ERROR(l, r) ERR_PUT_error((l), 0xfff, (r), OPENSSL_FILE, OPENSSL_LINE)
+#define ASN1error(r)    ERR_PUT_ERROR(ERR_LIB_ASN1, (r))
+#define BIOerror(r)     ERR_PUT_ERROR(ERR_LIB_BIO, (r))
+#define BNerror(r)      ERR_PUT_ERROR(ERR_LIB_BN, (r))
+#define BUFerror(r)     ERR_PUT_ERROR(ERR_LIB_BUF, (r))
+#define CMSerror(r)     ERR_PUT_ERROR(ERR_LIB_CMS, (r))
+#define CONFerror(r)    ERR_PUT_ERROR(ERR_LIB_CONF, (r))
+#define CRYPTOerror(r)  ERR_PUT_ERROR(ERR_LIB_CRYPTO, (r))
+#define CTerror(r)      ERR_PUT_ERROR(ERR_LIB_CT, (r))
+#define DHerror(r)      ERR_PUT_ERROR(ERR_LIB_DH, (r))
+#define DSAerror(r)     ERR_PUT_ERROR(ERR_LIB_DSA, (r))
+#define ECerror(r)      ERR_PUT_ERROR(ERR_LIB_EC, (r))
+#define EVPerror(r)     ERR_PUT_ERROR(ERR_LIB_EVP, (r))
+#define KDFerror(r)     ERR_PUT_ERROR(ERR_LIB_KDF, (r))
+#define OBJerror(r)     ERR_PUT_ERROR(ERR_LIB_OBJ, (r))
+#define OCSPerror(r)    ERR_PUT_ERROR(ERR_LIB_OCSP, (r))
+#define PEMerror(r)     ERR_PUT_ERROR(ERR_LIB_PEM, (r))
+#define PKCS12error(r)  ERR_PUT_ERROR(ERR_LIB_PKCS12, (r))
+#define PKCS7error(r)   ERR_PUT_ERROR(ERR_LIB_PKCS7, (r))
+#define RANDerror(r)    ERR_PUT_ERROR(ERR_LIB_RAND, (r))
+#define RSAerror(r)     ERR_PUT_ERROR(ERR_LIB_RSA, (r))
+#define SYSerror(r)     ERR_PUT_ERROR(ERR_LIB_SYS, (r))
+#define TSerror(r)      ERR_PUT_ERROR(ERR_LIB_TS, (r))
+#define UIerror(r)      ERR_PUT_ERROR(ERR_LIB_UI, (r))
+#define X509V3error(r)  ERR_PUT_ERROR(ERR_LIB_X509V3, (r))
+#define X509error(r)    ERR_PUT_ERROR(ERR_LIB_X509, (r))
 __END_HIDDEN_DECLS
 #endif /* HEADER_ERR_LOCAL_H */
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index 7753c18c15..e1ae1e9a5b 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.59 2024/09/06 09:57:32 tb Exp $ */
+/* $OpenBSD: e_aes.c,v 1.83 2025/07/22 09:31:09 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
 *
@@ -59,19 +59,15 @@
 #ifndef OPENSSL_NO_AES
 #include <openssl/aes.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
+#include "aes_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "modes_local.h"
 typedef struct {
        AES_KEY ks;
-        block128_f block;
-        union {
-                cbc128_f cbc;
-                ctr128_f ctr;
-        } stream;
 } EVP_AES_KEY;
 typedef struct {
@@ -84,15 +80,11 @@ typedef struct {
        int taglen;
        int iv_gen;             /* It is OK to generate IVs */
        int tls_aad_len;        /* TLS AAD length */
-        ctr128_f ctr;
 } EVP_AES_GCM_CTX;
 typedef struct {
        AES_KEY ks1, ks2;       /* AES key schedules to use */
-        XTS128_CONTEXT xts;
+        XTS128_CONTEXT xts;     /* XXX - replace with flags. */
-        void (*stream)(const unsigned char *in, unsigned char *out,
-            size_t length, const AES_KEY *key1, const AES_KEY *key2,
-            const unsigned char iv[16]);
 } EVP_AES_XTS_CTX;
 typedef struct {
@@ -103,131 +95,17 @@ typedef struct {
        int len_set;            /* Set if message length set */
        int L, M;               /* L and M parameters from RFC3610 */
        CCM128_CONTEXT ccm;
-        ccm128_f str;
 } EVP_AES_CCM_CTX;
 #define MAXBITCHUNK     ((size_t)1<<(sizeof(size_t)*8-4))
-#ifdef VPAES_ASM
-int vpaes_set_encrypt_key(const unsigned char *userKey, int bits,
-    AES_KEY *key);
-int vpaes_set_decrypt_key(const unsigned char *userKey, int bits,
-    AES_KEY *key);
-void vpaes_encrypt(const unsigned char *in, unsigned char *out,
-    const AES_KEY *key);
-void vpaes_decrypt(const unsigned char *in, unsigned char *out,
-    const AES_KEY *key);
-void vpaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
-    size_t length, const AES_KEY *key, unsigned char *ivec, int enc);
-#endif
-#ifdef BSAES_ASM
-void bsaes_cbc_encrypt(const unsigned char *in, unsigned char *out,
-    size_t length, const AES_KEY *key, unsigned char ivec[16], int enc);
-void bsaes_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
-    size_t len, const AES_KEY *key, const unsigned char ivec[16]);
-void bsaes_xts_encrypt(const unsigned char *inp, unsigned char *out,
-    size_t len, const AES_KEY *key1, const AES_KEY *key2,
-    const unsigned char iv[16]);
-void bsaes_xts_decrypt(const unsigned char *inp, unsigned char *out,
-    size_t len, const AES_KEY *key1, const AES_KEY *key2,
-    const unsigned char iv[16]);
-#endif
-#ifdef AES_CTR_ASM
-void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
-    size_t blocks, const AES_KEY *key,
-    const unsigned char ivec[AES_BLOCK_SIZE]);
-#endif
-#ifdef AES_XTS_ASM
-void AES_xts_encrypt(const char *inp, char *out, size_t len,
-    const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
-void AES_xts_decrypt(const char *inp, char *out, size_t len,
-    const AES_KEY *key1, const AES_KEY *key2, const unsigned char iv[16]);
-#endif
-#if     defined(AES_ASM) &&                             (  \
-        ((defined(__i386)       || defined(__i386__)    || \
-          defined(_M_IX86)) && defined(OPENSSL_IA32_SSE2))|| \
-        defined(__x86_64)       || defined(__x86_64__)  || \
-        defined(_M_AMD64)       || defined(_M_X64)      || \
-        defined(__INTEL__)                              )
-#include "x86_arch.h"
-#ifdef VPAES_ASM
-#define VPAES_CAPABLE   (crypto_cpu_caps_ia32() & CPUCAP_MASK_SSSE3)
-#endif
-#ifdef BSAES_ASM
-#define BSAES_CAPABLE   VPAES_CAPABLE
-#endif
-/*
- * AES-NI section
- */
-#define AESNI_CAPABLE   (crypto_cpu_caps_ia32() & CPUCAP_MASK_AESNI)
-int aesni_set_encrypt_key(const unsigned char *userKey, int bits,
-    AES_KEY *key);
-int aesni_set_decrypt_key(const unsigned char *userKey, int bits,
-    AES_KEY *key);
-void aesni_encrypt(const unsigned char *in, unsigned char *out,
-    const AES_KEY *key);
-void aesni_decrypt(const unsigned char *in, unsigned char *out,
-    const AES_KEY *key);
-void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
-    size_t length, const AES_KEY *key, int enc);
-void aesni_cbc_encrypt(const unsigned char *in, unsigned char *out,
-    size_t length, const AES_KEY *key, unsigned char *ivec, int enc);
-void aesni_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out,
-    size_t blocks, const void *key, const unsigned char *ivec);
-void aesni_xts_encrypt(const unsigned char *in, unsigned char *out,
-    size_t length, const AES_KEY *key1, const AES_KEY *key2,
-    const unsigned char iv[16]);
-void aesni_xts_decrypt(const unsigned char *in, unsigned char *out,
-    size_t length, const AES_KEY *key1, const AES_KEY *key2,
-    const unsigned char iv[16]);
-void aesni_ccm64_encrypt_blocks (const unsigned char *in, unsigned char *out,
-    size_t blocks, const void *key, const unsigned char ivec[16],
-    unsigned char cmac[16]);
-void aesni_ccm64_decrypt_blocks (const unsigned char *in, unsigned char *out,
-    size_t blocks, const void *key, const unsigned char ivec[16],
-    unsigned char cmac[16]);
 static int
-aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
    const unsigned char *iv, int enc)
 {
-        int ret, mode;
+        EVP_AES_KEY *eak = ctx->cipher_data;
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
-        mode = ctx->cipher->flags & EVP_CIPH_MODE;
-        if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) &&
-            !enc) {
-                ret = aesni_set_decrypt_key(key, ctx->key_len * 8,
-                    ctx->cipher_data);
-                dat->block = (block128_f)aesni_decrypt;
-                dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
-                    (cbc128_f)aesni_cbc_encrypt : NULL;
-        } else {
-                ret = aesni_set_encrypt_key(key, ctx->key_len * 8,
-                    ctx->cipher_data);
-                dat->block = (block128_f)aesni_encrypt;
-                if (mode == EVP_CIPH_CBC_MODE)
-                        dat->stream.cbc = (cbc128_f)aesni_cbc_encrypt;
-                else if (mode == EVP_CIPH_CTR_MODE)
-                        dat->stream.ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
-                else
-                        dat->stream.cbc = NULL;
-        }
-        if (ret < 0) {
+        if (AES_set_encrypt_key(key, ctx->key_len * 8, &eak->ks) < 0) {
                EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
                return 0;
        }
@@ -236,213 +114,54 @@ aesni_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 }
 static int
-aesni_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+aes_cbc_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *in, size_t len)
+    const unsigned char *iv, int encrypt)
-{
-        aesni_cbc_encrypt(in, out, len, ctx->cipher_data, ctx->iv,
-            ctx->encrypt);
-        return 1;
-}
-static int
-aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-    const unsigned char *in, size_t len)
 {
-        size_t  bl = ctx->cipher->block_size;
+        EVP_AES_KEY *eak = ctx->cipher_data;
-        if (len < bl)
+        if (encrypt) {
-                return 1;
+                if (AES_set_encrypt_key(key, ctx->key_len * 8, &eak->ks) < 0) {
+                        EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
-        aesni_ecb_encrypt(in, out, len, ctx->cipher_data, ctx->encrypt);
+                        return 0;
-        return 1;
-}
-static int
-aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *iv, int enc)
-{
-        EVP_AES_GCM_CTX *gctx = ctx->cipher_data;
-        if (!iv && !key)
-                return 1;
-        if (key) {
-                aesni_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
-                CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks,
-                    (block128_f)aesni_encrypt);
-                gctx->ctr = (ctr128_f)aesni_ctr32_encrypt_blocks;
-                /* If we have an iv can set it directly, otherwise use
-                 * saved IV.
-                 */
-                if (iv == NULL && gctx->iv_set)
-                        iv = gctx->iv;
-                if (iv) {
-                        CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
-                        gctx->iv_set = 1;
                }
-                gctx->key_set = 1;
        } else {
-                /* If key set use IV, otherwise copy */
+                if (AES_set_decrypt_key(key, ctx->key_len * 8, &eak->ks) < 0) {
-                if (gctx->key_set)
+                        EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
-                        CRYPTO_gcm128_setiv(&gctx->gcm, iv, gctx->ivlen);
+                        return 0;
-                else
-                        memcpy(gctx->iv, iv, gctx->ivlen);
-                gctx->iv_set = 1;
-                gctx->iv_gen = 0;
-        }
-        return 1;
-}
-static int
-aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *iv, int enc)
-{
-        EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
-        if (!iv && !key)
-                return 1;
-        if (key) {
-                /* key_len is two AES keys */
-                if (enc) {
-                        aesni_set_encrypt_key(key, ctx->key_len * 4,
-                            &xctx->ks1);
-                        xctx->xts.block1 = (block128_f)aesni_encrypt;
-                        xctx->stream = aesni_xts_encrypt;
-                } else {
-                        aesni_set_decrypt_key(key, ctx->key_len * 4,
-                            &xctx->ks1);
-                        xctx->xts.block1 = (block128_f)aesni_decrypt;
-                        xctx->stream = aesni_xts_decrypt;
                }
-                aesni_set_encrypt_key(key + ctx->key_len / 2,
-                    ctx->key_len * 4, &xctx->ks2);
-                xctx->xts.block2 = (block128_f)aesni_encrypt;
-                xctx->xts.key1 = &xctx->ks1;
-        }
-        if (iv) {
-                xctx->xts.key2 = &xctx->ks2;
-                memcpy(ctx->iv, iv, 16);
        }
        return 1;
 }
 static int
-aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-    const unsigned char *iv, int enc)
+    const unsigned char *in, size_t len)
-{
-        EVP_AES_CCM_CTX *cctx = ctx->cipher_data;
-        if (!iv && !key)
-                return 1;
-        if (key) {
-                aesni_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
-                CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
-                    &cctx->ks, (block128_f)aesni_encrypt);
-                cctx->str = enc ? (ccm128_f)aesni_ccm64_encrypt_blocks :
-                    (ccm128_f)aesni_ccm64_decrypt_blocks;
-                cctx->key_set = 1;
-        }
-        if (iv) {
-                memcpy(ctx->iv, iv, 15 - cctx->L);
-                cctx->iv_set = 1;
-        }
-        return 1;
-}
-#endif
-static int
-aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *iv, int enc)
 {
-        int ret, mode;
+        EVP_AES_KEY *eak = ctx->cipher_data;
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
-        mode = ctx->cipher->flags & EVP_CIPH_MODE;
-        if ((mode == EVP_CIPH_ECB_MODE || mode == EVP_CIPH_CBC_MODE) &&
-            !enc)
-#ifdef BSAES_CAPABLE
-                if (BSAES_CAPABLE && mode == EVP_CIPH_CBC_MODE) {
-                        ret = AES_set_decrypt_key(key, ctx->key_len * 8,
-                            &dat->ks);
-                        dat->block = (block128_f)AES_decrypt;
-                        dat->stream.cbc = (cbc128_f)bsaes_cbc_encrypt;
-                } else
-#endif
-#ifdef VPAES_CAPABLE
-                if (VPAES_CAPABLE) {
-                        ret = vpaes_set_decrypt_key(key, ctx->key_len * 8,
-                            &dat->ks);
-                        dat->block = (block128_f)vpaes_decrypt;
-                        dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
-                            (cbc128_f)vpaes_cbc_encrypt : NULL;
-                } else
-#endif
-                {
-                        ret = AES_set_decrypt_key(key, ctx->key_len * 8,
-                            &dat->ks);
-                        dat->block = (block128_f)AES_decrypt;
-                        dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
-                            (cbc128_f)AES_cbc_encrypt : NULL;
-                } else
-#ifdef BSAES_CAPABLE
-                if (BSAES_CAPABLE && mode == EVP_CIPH_CTR_MODE) {
-                        ret = AES_set_encrypt_key(key, ctx->key_len * 8,
-                            &dat->ks);
-                        dat->block = (block128_f)AES_encrypt;
-                        dat->stream.ctr = (ctr128_f)bsaes_ctr32_encrypt_blocks;
-                } else
-#endif
-#ifdef VPAES_CAPABLE
-                if (VPAES_CAPABLE) {
-                        ret = vpaes_set_encrypt_key(key, ctx->key_len * 8,
-                            &dat->ks);
-                        dat->block = (block128_f)vpaes_encrypt;
-                        dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
-                            (cbc128_f)vpaes_cbc_encrypt : NULL;
-                } else
-#endif
-                {
-                        ret = AES_set_encrypt_key(key, ctx->key_len * 8,
-                            &dat->ks);
-                        dat->block = (block128_f)AES_encrypt;
-                        dat->stream.cbc = mode == EVP_CIPH_CBC_MODE ?
-                            (cbc128_f)AES_cbc_encrypt : NULL;
-#ifdef AES_CTR_ASM
-                        if (mode == EVP_CIPH_CTR_MODE)
-                                dat->stream.ctr = (ctr128_f)AES_ctr32_encrypt;
-#endif
-                }
-        if (ret < 0) {
+        AES_cbc_encrypt(in, out, len, &eak->ks, ctx->iv, ctx->encrypt);
-                EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
-                return 0;
-        }
        return 1;
 }
 static int
-aes_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
+aes_ecb_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *in, size_t len)
+    const unsigned char *iv, int encrypt)
 {
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
+        EVP_AES_KEY *eak = ctx->cipher_data;
-        if (dat->stream.cbc)
+        if (encrypt) {
-                (*dat->stream.cbc)(in, out, len, &dat->ks, ctx->iv,
+                if (AES_set_encrypt_key(key, ctx->key_len * 8, &eak->ks) < 0) {
-                    ctx->encrypt);
+                        EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
-        else if (ctx->encrypt)
+                        return 0;
-                CRYPTO_cbc128_encrypt(in, out, len, &dat->ks, ctx->iv,
+                }
-                    dat->block);
+        } else {
-        else
+                if (AES_set_decrypt_key(key, ctx->key_len * 8, &eak->ks) < 0) {
-                CRYPTO_cbc128_decrypt(in, out, len, &dat->ks, ctx->iv,
+                        EVPerror(EVP_R_AES_KEY_SETUP_FAILED);
-                    dat->block);
+                        return 0;
+                }
+        }
        return 1;
 }
@@ -451,15 +170,9 @@ static int
 aes_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
    const unsigned char *in, size_t len)
 {
-        size_t  bl = ctx->cipher->block_size;
+        EVP_AES_KEY *eak = ctx->cipher_data;
-        size_t  i;
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
-        if (len < bl)
-                return 1;
-        for (i = 0, len -= bl; i <= len; i += bl)
+        aes_ecb_encrypt_internal(in, out, len, &eak->ks, ctx->encrypt);
-                (*dat->block)(in + i, out + i, &dat->ks);
        return 1;
 }
@@ -468,10 +181,10 @@ static int
 aes_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
    const unsigned char *in, size_t len)
 {
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
+        EVP_AES_KEY *eak = ctx->cipher_data;
+        AES_ofb128_encrypt(in, out, len, &eak->ks, ctx->iv, &ctx->num);
-        CRYPTO_ofb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
-            dat->block);
        return 1;
 }
@@ -479,10 +192,11 @@ static int
 aes_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
    const unsigned char *in, size_t len)
 {
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
+        EVP_AES_KEY *eak = ctx->cipher_data;
+        AES_cfb128_encrypt(in, out, len, &eak->ks, ctx->iv, &ctx->num,
+            ctx->encrypt);
-        CRYPTO_cfb128_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
-            ctx->encrypt, dat->block);
        return 1;
 }
@@ -490,10 +204,11 @@ static int
 aes_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
    const unsigned char *in, size_t len)
 {
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
+        EVP_AES_KEY *eak = ctx->cipher_data;
+        AES_cfb8_encrypt(in, out, len, &eak->ks, ctx->iv, &ctx->num,
+            ctx->encrypt);
-        CRYPTO_cfb128_8_encrypt(in, out, len, &dat->ks, ctx->iv, &ctx->num,
-            ctx->encrypt, dat->block);
        return 1;
 }
@@ -501,24 +216,25 @@ static int
 aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
    const unsigned char *in, size_t len)
 {
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
+        EVP_AES_KEY *eak = ctx->cipher_data;
-        if (ctx->flags&EVP_CIPH_FLAG_LENGTH_BITS) {
+        if ((ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) != 0) {
-                CRYPTO_cfb128_1_encrypt(in, out, len, &dat->ks, ctx->iv,
+                AES_cfb1_encrypt(in, out, len, &eak->ks, ctx->iv, &ctx->num,
-                    &ctx->num, ctx->encrypt, dat->block);
+                    ctx->encrypt);
                return 1;
        }
        while (len >= MAXBITCHUNK) {
-                CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK*8, &dat->ks,
+                AES_cfb1_encrypt(in, out, MAXBITCHUNK * 8, &eak->ks, ctx->iv,
-                    ctx->iv, &ctx->num, ctx->encrypt, dat->block);
+                    &ctx->num, ctx->encrypt);
                len -= MAXBITCHUNK;
                in += MAXBITCHUNK;
                out += MAXBITCHUNK;
        }
-        if (len)
+        if (len > 0) {
-                CRYPTO_cfb128_1_encrypt(in, out, len*8, &dat->ks,
+                AES_cfb1_encrypt(in, out, len * 8, &eak->ks, ctx->iv, &ctx->num,
-                    ctx->iv, &ctx->num, ctx->encrypt, dat->block);
+                    ctx->encrypt);
+        }
        return 1;
 }
@@ -527,40 +243,23 @@ static int
 aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
    const unsigned char *in, size_t len)
 {
+        EVP_AES_KEY *eak = ctx->cipher_data;
        unsigned int num = ctx->num;
-        EVP_AES_KEY *dat = (EVP_AES_KEY *)ctx->cipher_data;
-        if (dat->stream.ctr)
+        AES_ctr128_encrypt(in, out, len, &eak->ks, ctx->iv, ctx->buf, &num);
-                CRYPTO_ctr128_encrypt_ctr32(in, out, len, &dat->ks,
-                    ctx->iv, ctx->buf, &num, dat->stream.ctr);
-        else
-                CRYPTO_ctr128_encrypt(in, out, len, &dat->ks,
-                    ctx->iv, ctx->buf, &num, dat->block);
        ctx->num = (size_t)num;
        return 1;
 }
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_cbc = {
-        .nid = NID_aes_128_cbc,
-        .block_size = 16,
-        .key_len = 16,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aesni_cbc_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_128_cbc = {
        .nid = NID_aes_128_cbc,
        .block_size = 16,
        .key_len = 16,
        .iv_len = 16,
        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
-        .init = aes_init_key,
+        .init = aes_cbc_init_key,
        .do_cipher = aes_cbc_cipher,
        .ctx_size = sizeof(EVP_AES_KEY),
 };
@@ -568,34 +267,17 @@ static const EVP_CIPHER aes_128_cbc = {
 const EVP_CIPHER *
 EVP_aes_128_cbc(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_cbc : &aes_128_cbc;
-#else
        return &aes_128_cbc;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_cbc);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_ecb = {
-        .nid = NID_aes_128_ecb,
-        .block_size = 16,
-        .key_len = 16,
-        .iv_len = 0,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aesni_ecb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_128_ecb = {
        .nid = NID_aes_128_ecb,
        .block_size = 16,
        .key_len = 16,
        .iv_len = 0,
        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
-        .init = aes_init_key,
+        .init = aes_ecb_init_key,
        .do_cipher = aes_ecb_cipher,
        .ctx_size = sizeof(EVP_AES_KEY),
 };
@@ -603,27 +285,10 @@ static const EVP_CIPHER aes_128_ecb = {
 const EVP_CIPHER *
 EVP_aes_128_ecb(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_ecb : &aes_128_ecb;
-#else
        return &aes_128_ecb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_ecb);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_ofb = {
-        .nid = NID_aes_128_ofb128,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_ofb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_128_ofb = {
        .nid = NID_aes_128_ofb128,
        .block_size = 1,
@@ -638,27 +303,10 @@ static const EVP_CIPHER aes_128_ofb = {
 const EVP_CIPHER *
 EVP_aes_128_ofb(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_ofb : &aes_128_ofb;
-#else
        return &aes_128_ofb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_ofb);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_cfb = {
-        .nid = NID_aes_128_cfb128,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_128_cfb = {
        .nid = NID_aes_128_cfb128,
        .block_size = 1,
@@ -673,27 +321,10 @@ static const EVP_CIPHER aes_128_cfb = {
 const EVP_CIPHER *
 EVP_aes_128_cfb128(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_cfb : &aes_128_cfb;
-#else
        return &aes_128_cfb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_cfb128);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_cfb1 = {
-        .nid = NID_aes_128_cfb1,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb1_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_128_cfb1 = {
        .nid = NID_aes_128_cfb1,
        .block_size = 1,
@@ -708,27 +339,10 @@ static const EVP_CIPHER aes_128_cfb1 = {
 const EVP_CIPHER *
 EVP_aes_128_cfb1(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_cfb1 : &aes_128_cfb1;
-#else
        return &aes_128_cfb1;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_cfb1);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_cfb8 = {
-        .nid = NID_aes_128_cfb8,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb8_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_128_cfb8 = {
        .nid = NID_aes_128_cfb8,
        .block_size = 1,
@@ -743,27 +357,10 @@ static const EVP_CIPHER aes_128_cfb8 = {
 const EVP_CIPHER *
 EVP_aes_128_cfb8(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_cfb8 : &aes_128_cfb8;
-#else
        return &aes_128_cfb8;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_cfb8);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_ctr = {
-        .nid = NID_aes_128_ctr,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CTR_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_ctr_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_128_ctr = {
        .nid = NID_aes_128_ctr,
        .block_size = 1,
@@ -778,35 +375,17 @@ static const EVP_CIPHER aes_128_ctr = {
 const EVP_CIPHER *
 EVP_aes_128_ctr(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_ctr : &aes_128_ctr;
-#else
        return &aes_128_ctr;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_ctr);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_cbc = {
-        .nid = NID_aes_192_cbc,
-        .block_size = 16,
-        .key_len = 24,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aesni_cbc_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_192_cbc = {
        .nid = NID_aes_192_cbc,
        .block_size = 16,
        .key_len = 24,
        .iv_len = 16,
        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
-        .init = aes_init_key,
+        .init = aes_cbc_init_key,
        .do_cipher = aes_cbc_cipher,
        .ctx_size = sizeof(EVP_AES_KEY),
 };
@@ -814,34 +393,17 @@ static const EVP_CIPHER aes_192_cbc = {
 const EVP_CIPHER *
 EVP_aes_192_cbc(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_cbc : &aes_192_cbc;
-#else
        return &aes_192_cbc;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_cbc);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_ecb = {
-        .nid = NID_aes_192_ecb,
-        .block_size = 16,
-        .key_len = 24,
-        .iv_len = 0,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aesni_ecb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_192_ecb = {
        .nid = NID_aes_192_ecb,
        .block_size = 16,
        .key_len = 24,
        .iv_len = 0,
        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
-        .init = aes_init_key,
+        .init = aes_ecb_init_key,
        .do_cipher = aes_ecb_cipher,
        .ctx_size = sizeof(EVP_AES_KEY),
 };
@@ -849,27 +411,10 @@ static const EVP_CIPHER aes_192_ecb = {
 const EVP_CIPHER *
 EVP_aes_192_ecb(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_ecb : &aes_192_ecb;
-#else
        return &aes_192_ecb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_ecb);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_ofb = {
-        .nid = NID_aes_192_ofb128,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_ofb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_192_ofb = {
        .nid = NID_aes_192_ofb128,
        .block_size = 1,
@@ -884,27 +429,10 @@ static const EVP_CIPHER aes_192_ofb = {
 const EVP_CIPHER *
 EVP_aes_192_ofb(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_ofb : &aes_192_ofb;
-#else
        return &aes_192_ofb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_ofb);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_cfb = {
-        .nid = NID_aes_192_cfb128,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_192_cfb = {
        .nid = NID_aes_192_cfb128,
        .block_size = 1,
@@ -919,27 +447,10 @@ static const EVP_CIPHER aes_192_cfb = {
 const EVP_CIPHER *
 EVP_aes_192_cfb128(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_cfb : &aes_192_cfb;
-#else
        return &aes_192_cfb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_cfb128);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_cfb1 = {
-        .nid = NID_aes_192_cfb1,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb1_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_192_cfb1 = {
        .nid = NID_aes_192_cfb1,
        .block_size = 1,
@@ -954,27 +465,10 @@ static const EVP_CIPHER aes_192_cfb1 = {
 const EVP_CIPHER *
 EVP_aes_192_cfb1(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_cfb1 : &aes_192_cfb1;
-#else
        return &aes_192_cfb1;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_cfb1);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_cfb8 = {
-        .nid = NID_aes_192_cfb8,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb8_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_192_cfb8 = {
        .nid = NID_aes_192_cfb8,
        .block_size = 1,
@@ -989,27 +483,10 @@ static const EVP_CIPHER aes_192_cfb8 = {
 const EVP_CIPHER *
 EVP_aes_192_cfb8(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_cfb8 : &aes_192_cfb8;
-#else
        return &aes_192_cfb8;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_cfb8);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_ctr = {
-        .nid = NID_aes_192_ctr,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CTR_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_ctr_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_192_ctr = {
        .nid = NID_aes_192_ctr,
        .block_size = 1,
@@ -1024,35 +501,17 @@ static const EVP_CIPHER aes_192_ctr = {
 const EVP_CIPHER *
 EVP_aes_192_ctr(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_ctr : &aes_192_ctr;
-#else
        return &aes_192_ctr;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_ctr);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_cbc = {
-        .nid = NID_aes_256_cbc,
-        .block_size = 16,
-        .key_len = 32,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aesni_cbc_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_256_cbc = {
        .nid = NID_aes_256_cbc,
        .block_size = 16,
        .key_len = 32,
        .iv_len = 16,
        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
-        .init = aes_init_key,
+        .init = aes_cbc_init_key,
        .do_cipher = aes_cbc_cipher,
        .ctx_size = sizeof(EVP_AES_KEY),
 };
@@ -1060,34 +519,17 @@ static const EVP_CIPHER aes_256_cbc = {
 const EVP_CIPHER *
 EVP_aes_256_cbc(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_cbc : &aes_256_cbc;
-#else
        return &aes_256_cbc;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_cbc);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_ecb = {
-        .nid = NID_aes_256_ecb,
-        .block_size = 16,
-        .key_len = 32,
-        .iv_len = 0,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aesni_ecb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_256_ecb = {
        .nid = NID_aes_256_ecb,
        .block_size = 16,
        .key_len = 32,
        .iv_len = 0,
        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
-        .init = aes_init_key,
+        .init = aes_ecb_init_key,
        .do_cipher = aes_ecb_cipher,
        .ctx_size = sizeof(EVP_AES_KEY),
 };
@@ -1095,27 +537,10 @@ static const EVP_CIPHER aes_256_ecb = {
 const EVP_CIPHER *
 EVP_aes_256_ecb(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_ecb : &aes_256_ecb;
-#else
        return &aes_256_ecb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_ecb);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_ofb = {
-        .nid = NID_aes_256_ofb128,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_ofb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_256_ofb = {
        .nid = NID_aes_256_ofb128,
        .block_size = 1,
@@ -1130,27 +555,10 @@ static const EVP_CIPHER aes_256_ofb = {
 const EVP_CIPHER *
 EVP_aes_256_ofb(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_ofb : &aes_256_ofb;
-#else
        return &aes_256_ofb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_ofb);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_cfb = {
-        .nid = NID_aes_256_cfb128,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 16,
-        .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_256_cfb = {
        .nid = NID_aes_256_cfb128,
        .block_size = 1,
@@ -1165,27 +573,10 @@ static const EVP_CIPHER aes_256_cfb = {
 const EVP_CIPHER *
 EVP_aes_256_cfb128(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_cfb : &aes_256_cfb;
-#else
        return &aes_256_cfb;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_cfb128);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_cfb1 = {
-        .nid = NID_aes_256_cfb1,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb1_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_256_cfb1 = {
        .nid = NID_aes_256_cfb1,
        .block_size = 1,
@@ -1200,27 +591,10 @@ static const EVP_CIPHER aes_256_cfb1 = {
 const EVP_CIPHER *
 EVP_aes_256_cfb1(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_cfb1 : &aes_256_cfb1;
-#else
        return &aes_256_cfb1;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_cfb1);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_cfb8 = {
-        .nid = NID_aes_256_cfb8,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CFB_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_cfb8_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_256_cfb8 = {
        .nid = NID_aes_256_cfb8,
        .block_size = 1,
@@ -1235,27 +609,10 @@ static const EVP_CIPHER aes_256_cfb8 = {
 const EVP_CIPHER *
 EVP_aes_256_cfb8(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_cfb8 : &aes_256_cfb8;
-#else
        return &aes_256_cfb8;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_cfb8);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_ctr = {
-        .nid = NID_aes_256_ctr,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 16,
-        .flags = EVP_CIPH_CTR_MODE,
-        .init = aesni_init_key,
-        .do_cipher = aes_ctr_cipher,
-        .ctx_size = sizeof(EVP_AES_KEY),
-};
-#endif
 static const EVP_CIPHER aes_256_ctr = {
        .nid = NID_aes_256_ctr,
        .block_size = 1,
@@ -1270,11 +627,7 @@ static const EVP_CIPHER aes_256_ctr = {
 const EVP_CIPHER *
 EVP_aes_256_ctr(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_ctr : &aes_256_ctr;
-#else
        return &aes_256_ctr;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_ctr);
@@ -1455,35 +808,6 @@ aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
        }
 }
-static ctr128_f
-aes_gcm_set_key(AES_KEY *aes_key, GCM128_CONTEXT *gcm_ctx,
-    const unsigned char *key, size_t key_len)
-{
-#ifdef BSAES_CAPABLE
-        if (BSAES_CAPABLE) {
-                AES_set_encrypt_key(key, key_len * 8, aes_key);
-                CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
-                return (ctr128_f)bsaes_ctr32_encrypt_blocks;
-        } else
-#endif
-#ifdef VPAES_CAPABLE
-        if (VPAES_CAPABLE) {
-                vpaes_set_encrypt_key(key, key_len * 8, aes_key);
-                CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)vpaes_encrypt);
-                return NULL;
-        } else
-#endif
-                (void)0; /* terminate potentially open 'else' */
-        AES_set_encrypt_key(key, key_len * 8, aes_key);
-        CRYPTO_gcm128_init(gcm_ctx, aes_key, (block128_f)AES_encrypt);
-#ifdef AES_CTR_ASM
-        return (ctr128_f)AES_ctr32_encrypt;
-#else
-        return NULL;
-#endif
-}
 static int
 aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
    const unsigned char *iv, int enc)
@@ -1493,8 +817,8 @@ aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
        if (!iv && !key)
                return 1;
        if (key) {
-                gctx->ctr = aes_gcm_set_key(&gctx->ks, &gctx->gcm,
+                AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
-                    key, ctx->key_len);
+                CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, aes_encrypt_block128);
                /* If we have an iv can set it directly, otherwise use
                 * saved IV.
@@ -1554,14 +878,9 @@ aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        len -= EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
        if (ctx->encrypt) {
                /* Encrypt payload */
-                if (gctx->ctr) {
+                if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out, len,
-                        if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm, in, out,
+                    aes_ctr32_encrypt_ctr128f))
-                            len, gctx->ctr))
+                        goto err;
-                                goto err;
-                } else {
-                        if (CRYPTO_gcm128_encrypt(&gctx->gcm, in, out, len))
-                                goto err;
-                }
                out += len;
                /* Finally write tag */
@@ -1569,19 +888,15 @@ aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                rv = len + EVP_GCM_TLS_EXPLICIT_IV_LEN + EVP_GCM_TLS_TAG_LEN;
        } else {
                /* Decrypt */
-                if (gctx->ctr) {
+                if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out, len,
-                        if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm, in, out,
+                    aes_ctr32_encrypt_ctr128f))
-                            len, gctx->ctr))
+                        goto err;
-                                goto err;
-                } else {
-                        if (CRYPTO_gcm128_decrypt(&gctx->gcm, in, out, len))
-                                goto err;
-                }
                /* Retrieve tag */
                CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN);
                /* If tag mismatch wipe buffer */
-                if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) {
+                if (timingsafe_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN) != 0) {
                        explicit_bzero(out, len);
                        goto err;
                }
@@ -1615,25 +930,13 @@ aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                        if (CRYPTO_gcm128_aad(&gctx->gcm, in, len))
                                return -1;
                } else if (ctx->encrypt) {
-                        if (gctx->ctr) {
+                        if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
-                                if (CRYPTO_gcm128_encrypt_ctr32(&gctx->gcm,
+                            in, out, len, aes_ctr32_encrypt_ctr128f))
-                                    in, out, len, gctx->ctr))
+                                return -1;
-                                        return -1;
-                        } else {
-                                if (CRYPTO_gcm128_encrypt(&gctx->gcm,
-                                    in, out, len))
-                                        return -1;
-                        }
                } else {
-                        if (gctx->ctr) {
+                        if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
-                                if (CRYPTO_gcm128_decrypt_ctr32(&gctx->gcm,
+                            in, out, len, aes_ctr32_encrypt_ctr128f))
-                                    in, out, len, gctx->ctr))
+                                return -1;
-                                        return -1;
-                        } else {
-                                if (CRYPTO_gcm128_decrypt(&gctx->gcm,
-                                    in, out, len))
-                                        return -1;
-                        }
                }
                return len;
        } else {
@@ -1662,22 +965,6 @@ aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
      EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \
      EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_gcm = {
-        .nid = NID_aes_128_gcm,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 12,
-        .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
-        .init = aesni_gcm_init_key,
-        .do_cipher = aes_gcm_cipher,
-        .cleanup = aes_gcm_cleanup,
-        .ctx_size = sizeof(EVP_AES_GCM_CTX),
-        .ctrl = aes_gcm_ctrl,
-};
-#endif
 static const EVP_CIPHER aes_128_gcm = {
        .nid = NID_aes_128_gcm,
        .block_size = 1,
@@ -1694,29 +981,10 @@ static const EVP_CIPHER aes_128_gcm = {
 const EVP_CIPHER *
 EVP_aes_128_gcm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_gcm : &aes_128_gcm;
-#else
        return &aes_128_gcm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_gcm);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_gcm = {
-        .nid = NID_aes_192_gcm,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 12,
-        .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
-        .init = aesni_gcm_init_key,
-        .do_cipher = aes_gcm_cipher,
-        .cleanup = aes_gcm_cleanup,
-        .ctx_size = sizeof(EVP_AES_GCM_CTX),
-        .ctrl = aes_gcm_ctrl,
-};
-#endif
 static const EVP_CIPHER aes_192_gcm = {
        .nid = NID_aes_192_gcm,
        .block_size = 1,
@@ -1733,29 +1001,10 @@ static const EVP_CIPHER aes_192_gcm = {
 const EVP_CIPHER *
 EVP_aes_192_gcm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm;
-#else
        return &aes_192_gcm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_gcm);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_gcm = {
-        .nid = NID_aes_256_gcm,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 12,
-        .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE,
-        .init = aesni_gcm_init_key,
-        .do_cipher = aes_gcm_cipher,
-        .cleanup = aes_gcm_cleanup,
-        .ctx_size = sizeof(EVP_AES_GCM_CTX),
-        .ctrl = aes_gcm_ctrl,
-};
-#endif
 static const EVP_CIPHER aes_256_gcm = {
        .nid = NID_aes_256_gcm,
        .block_size = 1,
@@ -1772,11 +1021,7 @@ static const EVP_CIPHER aes_256_gcm = {
 const EVP_CIPHER *
 EVP_aes_256_gcm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm;
-#else
        return &aes_256_gcm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_gcm);
@@ -1818,64 +1063,24 @@ aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
 static int
 aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *iv, int enc)
+    const unsigned char *iv, int encrypt)
 {
        EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
-        if (!iv && !key)
+        if (key != NULL) {
-                return 1;
-        if (key) do {
-#ifdef AES_XTS_ASM
-                xctx->stream = enc ? AES_xts_encrypt : AES_xts_decrypt;
-#else
-                xctx->stream = NULL;
-#endif
                /* key_len is two AES keys */
-#ifdef BSAES_CAPABLE
+                if (encrypt)
-                if (BSAES_CAPABLE)
-                        xctx->stream = enc ? bsaes_xts_encrypt :
-                            bsaes_xts_decrypt;
-                else
-#endif
-#ifdef VPAES_CAPABLE
-                if (VPAES_CAPABLE) {
-                        if (enc) {
-                                vpaes_set_encrypt_key(key, ctx->key_len * 4,
-                                    &xctx->ks1);
-                                xctx->xts.block1 = (block128_f)vpaes_encrypt;
-                        } else {
-                                vpaes_set_decrypt_key(key, ctx->key_len * 4,
-                                    &xctx->ks1);
-                                xctx->xts.block1 = (block128_f)vpaes_decrypt;
-                        }
-                        vpaes_set_encrypt_key(key + ctx->key_len / 2,
-                            ctx->key_len * 4, &xctx->ks2);
-                        xctx->xts.block2 = (block128_f)vpaes_encrypt;
-                        xctx->xts.key1 = &xctx->ks1;
-                        break;
-                } else
-#endif
-                        (void)0;        /* terminate potentially open 'else' */
-                if (enc) {
                        AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
-                        xctx->xts.block1 = (block128_f)AES_encrypt;
+                else
-                } else {
                        AES_set_decrypt_key(key, ctx->key_len * 4, &xctx->ks1);
-                        xctx->xts.block1 = (block128_f)AES_decrypt;
-                }
-                AES_set_encrypt_key(key + ctx->key_len / 2,
+                AES_set_encrypt_key(key + ctx->key_len / 2, ctx->key_len * 4,
-                    ctx->key_len * 4, &xctx->ks2);
+                    &xctx->ks2);
-                xctx->xts.block2 = (block128_f)AES_encrypt;
                xctx->xts.key1 = &xctx->ks1;
-        } while (0);
+        }
-        if (iv) {
+        if (iv != NULL) {
                xctx->xts.key2 = &xctx->ks2;
                memcpy(ctx->iv, iv, 16);
        }
@@ -1889,17 +1094,15 @@ aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 {
        EVP_AES_XTS_CTX *xctx = ctx->cipher_data;
-        if (!xctx->xts.key1 || !xctx->xts.key2)
+        if (xctx->xts.key1 == NULL || xctx->xts.key2 == NULL)
-                return 0;
-        if (!out || !in || len < AES_BLOCK_SIZE)
                return 0;
-        if (xctx->stream)
+        if (out == NULL || in == NULL || len < AES_BLOCK_SIZE)
-                (*xctx->stream)(in, out, len, xctx->xts.key1, xctx->xts.key2,
-                    ctx->iv);
-        else if (CRYPTO_xts128_encrypt(&xctx->xts, ctx->iv, in, out, len,
-            ctx->encrypt))
                return 0;
+        aes_xts_encrypt_internal(in, out, len, xctx->xts.key1, xctx->xts.key2,
+            ctx->iv, ctx->encrypt);
        return 1;
 }
@@ -1907,22 +1110,6 @@ aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
    ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \
      EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY )
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_xts = {
-        .nid = NID_aes_128_xts,
-        .block_size = 1,
-        .key_len = 2 * 16,
-        .iv_len = 16,
-        .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
-        .init = aesni_xts_init_key,
-        .do_cipher = aes_xts_cipher,
-        .cleanup = NULL,
-        .ctx_size = sizeof(EVP_AES_XTS_CTX),
-        .ctrl = aes_xts_ctrl,
-};
-#endif
 static const EVP_CIPHER aes_128_xts = {
        .nid = NID_aes_128_xts,
        .block_size = 1,
@@ -1939,29 +1126,10 @@ static const EVP_CIPHER aes_128_xts = {
 const EVP_CIPHER *
 EVP_aes_128_xts(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_xts : &aes_128_xts;
-#else
        return &aes_128_xts;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_xts);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_xts = {
-        .nid = NID_aes_256_xts,
-        .block_size = 1,
-        .key_len = 2 * 32,
-        .iv_len = 16,
-        .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE,
-        .init = aesni_xts_init_key,
-        .do_cipher = aes_xts_cipher,
-        .cleanup = NULL,
-        .ctx_size = sizeof(EVP_AES_XTS_CTX),
-        .ctrl = aes_xts_ctrl,
-};
-#endif
 static const EVP_CIPHER aes_256_xts = {
        .nid = NID_aes_256_xts,
        .block_size = 1,
@@ -1978,11 +1146,7 @@ static const EVP_CIPHER aes_256_xts = {
 const EVP_CIPHER *
 EVP_aes_256_xts(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts;
-#else
        return &aes_256_xts;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_xts);
@@ -2062,23 +1226,12 @@ aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
        if (!iv && !key)
                return 1;
-        if (key) do {
+        if (key) {
-#ifdef VPAES_CAPABLE
-                if (VPAES_CAPABLE) {
-                        vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
-                        CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
-                            &cctx->ks, (block128_f)vpaes_encrypt);
-                        cctx->str = NULL;
-                        cctx->key_set = 1;
-                        break;
-                }
-#endif
                AES_set_encrypt_key(key, ctx->key_len * 8, &cctx->ks);
                CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
-                    &cctx->ks, (block128_f)AES_encrypt);
+                    &cctx->ks, aes_encrypt_block128);
-                cctx->str = NULL;
                cctx->key_set = 1;
-        } while (0);
+        }
        if (iv) {
                memcpy(ctx->iv, iv, 15 - cctx->L);
                cctx->iv_set = 1;
@@ -2094,7 +1247,14 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        CCM128_CONTEXT *ccm = &cctx->ccm;
        /* If not set up, return error */
-        if (!cctx->iv_set && !cctx->key_set)
+        if (!cctx->key_set)
+                return -1;
+        /* EVP_*Final() doesn't return any data */
+        if (in == NULL && out != NULL)
+                return 0;
+        if (!cctx->iv_set)
                return -1;
        if (!ctx->encrypt && !cctx->tag_set)
                return -1;
@@ -2113,9 +1273,7 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                CRYPTO_ccm128_aad(ccm, in, len);
                return len;
        }
-        /* EVP_*Final() doesn't return any data */
-        if (!in)
-                return 0;
        /* If not set length yet do it */
        if (!cctx->len_set) {
                if (CRYPTO_ccm128_setiv(ccm, ctx->iv, 15 - cctx->L, len))
@@ -2123,18 +1281,18 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                cctx->len_set = 1;
        }
        if (ctx->encrypt) {
-                if (cctx->str ? CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
+                if (CRYPTO_ccm128_encrypt_ccm64(ccm, in, out, len,
-                    cctx->str) : CRYPTO_ccm128_encrypt(ccm, in, out, len))
+                    aes_ccm64_encrypt_ccm128f) != 0)
                        return -1;
                cctx->tag_set = 1;
                return len;
        } else {
                int rv = -1;
-                if (cctx->str ? !CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
+                if (CRYPTO_ccm128_decrypt_ccm64(ccm, in, out, len,
-                    cctx->str) : !CRYPTO_ccm128_decrypt(ccm, in, out, len)) {
+                    aes_ccm64_decrypt_ccm128f) == 0) {
                        unsigned char tag[16];
                        if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) {
-                                if (!memcmp(tag, ctx->buf, cctx->M))
+                                if (timingsafe_memcmp(tag, ctx->buf, cctx->M) == 0)
                                        rv = len;
                        }
                }
@@ -2145,24 +1303,8 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                cctx->len_set = 0;
                return rv;
        }
 }
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_128_ccm = {
-        .nid = NID_aes_128_ccm,
-        .block_size = 1,
-        .key_len = 16,
-        .iv_len = 12,
-        .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
-        .init = aesni_ccm_init_key,
-        .do_cipher = aes_ccm_cipher,
-        .cleanup = NULL,
-        .ctx_size = sizeof(EVP_AES_CCM_CTX),
-        .ctrl = aes_ccm_ctrl,
-};
-#endif
 static const EVP_CIPHER aes_128_ccm = {
        .nid = NID_aes_128_ccm,
        .block_size = 1,
@@ -2179,29 +1321,10 @@ static const EVP_CIPHER aes_128_ccm = {
 const EVP_CIPHER *
 EVP_aes_128_ccm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_128_ccm : &aes_128_ccm;
-#else
        return &aes_128_ccm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_128_ccm);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_192_ccm = {
-        .nid = NID_aes_192_ccm,
-        .block_size = 1,
-        .key_len = 24,
-        .iv_len = 12,
-        .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
-        .init = aesni_ccm_init_key,
-        .do_cipher = aes_ccm_cipher,
-        .cleanup = NULL,
-        .ctx_size = sizeof(EVP_AES_CCM_CTX),
-        .ctrl = aes_ccm_ctrl,
-};
-#endif
 static const EVP_CIPHER aes_192_ccm = {
        .nid = NID_aes_192_ccm,
        .block_size = 1,
@@ -2218,29 +1341,10 @@ static const EVP_CIPHER aes_192_ccm = {
 const EVP_CIPHER *
 EVP_aes_192_ccm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_192_ccm : &aes_192_ccm;
-#else
        return &aes_192_ccm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_192_ccm);
-#ifdef AESNI_CAPABLE
-static const EVP_CIPHER aesni_256_ccm = {
-        .nid = NID_aes_256_ccm,
-        .block_size = 1,
-        .key_len = 32,
-        .iv_len = 12,
-        .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,
-        .init = aesni_ccm_init_key,
-        .do_cipher = aes_ccm_cipher,
-        .cleanup = NULL,
-        .ctx_size = sizeof(EVP_AES_CCM_CTX),
-        .ctrl = aes_ccm_ctrl,
-};
-#endif
 static const EVP_CIPHER aes_256_ccm = {
        .nid = NID_aes_256_ccm,
        .block_size = 1,
@@ -2257,11 +1361,7 @@ static const EVP_CIPHER aes_256_ccm = {
 const EVP_CIPHER *
 EVP_aes_256_ccm(void)
 {
-#ifdef AESNI_CAPABLE
-        return AESNI_CAPABLE ? &aesni_256_ccm : &aes_256_ccm;
-#else
        return &aes_256_ccm;
-#endif
 }
 LCRYPTO_ALIAS(EVP_aes_256_ccm);
@@ -2273,7 +1373,6 @@ struct aead_aes_gcm_ctx {
                AES_KEY ks;
        } ks;
        GCM128_CONTEXT gcm;
-        ctr128_f ctr;
        unsigned char tag_len;
 };
@@ -2301,18 +1400,8 @@ aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len,
        if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL)
                return 0;
-#ifdef AESNI_CAPABLE
+        AES_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks);
-        if (AESNI_CAPABLE) {
+        CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks, aes_encrypt_block128);
-                aesni_set_encrypt_key(key, key_bits, &gcm_ctx->ks.ks);
-                CRYPTO_gcm128_init(&gcm_ctx->gcm, &gcm_ctx->ks.ks,
-                    (block128_f)aesni_encrypt);
-                gcm_ctx->ctr = (ctr128_f) aesni_ctr32_encrypt_blocks;
-        } else
-#endif
-        {
-                gcm_ctx->ctr = aes_gcm_set_key(&gcm_ctx->ks.ks, &gcm_ctx->gcm,
-                    key, key_len);
-        }
        gcm_ctx->tag_len = tag_len;
        ctx->aead_state = gcm_ctx;
@@ -2353,15 +1442,9 @@ aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
        if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len))
                return 0;
-        if (gcm_ctx->ctr) {
+        if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
-                if (CRYPTO_gcm128_encrypt_ctr32(&gcm, in + bulk, out + bulk,
+            in_len - bulk, aes_ctr32_encrypt_ctr128f))
-                    in_len - bulk, gcm_ctx->ctr))
+                return 0;
-                        return 0;
-        } else {
-                if (CRYPTO_gcm128_encrypt(&gcm, in + bulk, out + bulk,
-                    in_len - bulk))
-                        return 0;
-        }
        CRYPTO_gcm128_tag(&gcm, out + in_len, gcm_ctx->tag_len);
        *out_len = in_len + gcm_ctx->tag_len;
@@ -2404,15 +1487,9 @@ aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len,
        if (CRYPTO_gcm128_aad(&gcm, ad, ad_len))
                return 0;
-        if (gcm_ctx->ctr) {
+        if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
-                if (CRYPTO_gcm128_decrypt_ctr32(&gcm, in + bulk, out + bulk,
+            in_len - bulk - gcm_ctx->tag_len, aes_ctr32_encrypt_ctr128f))
-                    in_len - bulk - gcm_ctx->tag_len, gcm_ctx->ctr))
+                return 0;
-                        return 0;
-        } else {
-                if (CRYPTO_gcm128_decrypt(&gcm, in + bulk, out + bulk,
-                    in_len - bulk - gcm_ctx->tag_len))
-                        return 0;
-        }
        CRYPTO_gcm128_tag(&gcm, tag, gcm_ctx->tag_len);
        if (timingsafe_memcmp(tag, in + plaintext_len, gcm_ctx->tag_len) != 0) {
diff --git a/src/lib/libcrypto/evp/e_bf.c b/src/lib/libcrypto/evp/e_bf.c
index 4f3799975b..8c32a5658e 100644
--- a/src/lib/libcrypto/evp/e_bf.c
+++ b/src/lib/libcrypto/evp/e_bf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_bf.c,v 1.19 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_bf.c,v 1.20 2025/05/27 03:58:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -162,13 +162,14 @@ static const EVP_CIPHER bf_cbc = {
        .block_size = 8,
        .key_len = 16,
        .iv_len = 8,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CBC_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = bf_init_key,
        .do_cipher = bf_cbc_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_BF_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -184,13 +185,14 @@ static const EVP_CIPHER bf_cfb64 = {
        .block_size = 1,
        .key_len = 16,
        .iv_len = 8,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = bf_init_key,
        .do_cipher = bf_cfb64_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_BF_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -206,13 +208,14 @@ static const EVP_CIPHER bf_ofb = {
        .block_size = 1,
        .key_len = 16,
        .iv_len = 8,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_OFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = bf_init_key,
        .do_cipher = bf_ofb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_BF_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -228,13 +231,14 @@ static const EVP_CIPHER bf_ecb = {
        .block_size = 8,
        .key_len = 16,
        .iv_len = 0,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_ECB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = bf_init_key,
        .do_cipher = bf_ecb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_BF_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
diff --git a/src/lib/libcrypto/evp/e_camellia.c b/src/lib/libcrypto/evp/e_camellia.c
index 55dcc79922..8da46275a3 100644
--- a/src/lib/libcrypto/evp/e_camellia.c
+++ b/src/lib/libcrypto/evp/e_camellia.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_camellia.c,v 1.20 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_camellia.c,v 1.22 2025/05/27 03:58:12 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
 *
@@ -59,9 +59,9 @@
 #ifndef OPENSSL_NO_CAMELLIA
 #include <openssl/evp.h>
-#include <openssl/err.h>
 #include <openssl/camellia.h>
+#include "err_local.h"
 #include "evp_local.h"
 /* Camellia subkey Structure */
@@ -163,13 +163,13 @@ static const EVP_CIPHER camellia_128_cbc = {
        .block_size = 16,
        .key_len = 16,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_128_cbc_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -185,13 +185,13 @@ static const EVP_CIPHER camellia_128_cfb128 = {
        .block_size = 1,
        .key_len = 16,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_128_cfb128_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -207,13 +207,13 @@ static const EVP_CIPHER camellia_128_ofb = {
        .block_size = 1,
        .key_len = 16,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_128_ofb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -229,13 +229,13 @@ static const EVP_CIPHER camellia_128_ecb = {
        .block_size = 16,
        .key_len = 16,
        .iv_len = 0,
-        .flags = 0 | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_128_ecb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -321,13 +321,13 @@ static const EVP_CIPHER camellia_192_cbc = {
        .block_size = 16,
        .key_len = 24,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_192_cbc_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -343,13 +343,13 @@ static const EVP_CIPHER camellia_192_cfb128 = {
        .block_size = 1,
        .key_len = 24,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_192_cfb128_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -365,13 +365,13 @@ static const EVP_CIPHER camellia_192_ofb = {
        .block_size = 1,
        .key_len = 24,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_192_ofb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -387,13 +387,13 @@ static const EVP_CIPHER camellia_192_ecb = {
        .block_size = 16,
        .key_len = 24,
        .iv_len = 0,
-        .flags = 0 | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_192_ecb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -479,13 +479,13 @@ static const EVP_CIPHER camellia_256_cbc = {
        .block_size = 16,
        .key_len = 32,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_256_cbc_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -501,13 +501,13 @@ static const EVP_CIPHER camellia_256_cfb128 = {
        .block_size = 1,
        .key_len = 32,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_256_cfb128_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -523,13 +523,13 @@ static const EVP_CIPHER camellia_256_ofb = {
        .block_size = 1,
        .key_len = 32,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_256_ofb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -545,13 +545,13 @@ static const EVP_CIPHER camellia_256_ecb = {
        .block_size = 16,
        .key_len = 32,
        .iv_len = 0,
-        .flags = 0 | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_256_ecb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -589,13 +589,13 @@ static const EVP_CIPHER camellia_128_cfb1 = {
        .block_size = 1,
        .key_len = 128/8,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_128_cfb1_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -633,13 +633,13 @@ static const EVP_CIPHER camellia_192_cfb1 = {
        .block_size = 1,
        .key_len = 192/8,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_192_cfb1_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -677,13 +677,13 @@ static const EVP_CIPHER camellia_256_cfb1 = {
        .block_size = 1,
        .key_len = 256/8,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_256_cfb1_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -720,13 +720,13 @@ static const EVP_CIPHER camellia_128_cfb8 = {
        .block_size = 1,
        .key_len = 128/8,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_128_cfb8_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -762,13 +762,13 @@ static const EVP_CIPHER camellia_192_cfb8 = {
        .block_size = 1,
        .key_len = 192/8,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_192_cfb8_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -804,13 +804,13 @@ static const EVP_CIPHER camellia_256_cfb8 = {
        .block_size = 1,
        .key_len = 256/8,
        .iv_len = 16,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = camellia_init_key,
        .do_cipher = camellia_256_cfb8_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAMELLIA_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
diff --git a/src/lib/libcrypto/evp/e_cast.c b/src/lib/libcrypto/evp/e_cast.c
index 1575a7a5bb..283cb8cf63 100644
--- a/src/lib/libcrypto/evp/e_cast.c
+++ b/src/lib/libcrypto/evp/e_cast.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_cast.c,v 1.18 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_cast.c,v 1.19 2025/05/27 03:58:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -162,13 +162,14 @@ static const EVP_CIPHER cast5_cbc = {
        .block_size = 8,
        .key_len = CAST_KEY_LENGTH,
        .iv_len = 8,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CBC_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = cast_init_key,
        .do_cipher = cast5_cbc_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAST_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -184,13 +185,14 @@ static const EVP_CIPHER cast5_cfb64 = {
        .block_size = 1,
        .key_len = CAST_KEY_LENGTH,
        .iv_len = 8,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = cast_init_key,
        .do_cipher = cast5_cfb64_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAST_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -206,13 +208,14 @@ static const EVP_CIPHER cast5_ofb = {
        .block_size = 1,
        .key_len = CAST_KEY_LENGTH,
        .iv_len = 8,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_OFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = cast_init_key,
        .do_cipher = cast5_ofb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAST_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -228,13 +231,14 @@ static const EVP_CIPHER cast5_ecb = {
        .block_size = 8,
        .key_len = CAST_KEY_LENGTH,
        .iv_len = 0,
-        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_ECB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = cast_init_key,
        .do_cipher = cast5_ecb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(EVP_CAST_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
diff --git a/src/lib/libcrypto/evp/e_chacha20poly1305.c b/src/lib/libcrypto/evp/e_chacha20poly1305.c
index d176569f90..d3a1e44875 100644
--- a/src/lib/libcrypto/evp/e_chacha20poly1305.c
+++ b/src/lib/libcrypto/evp/e_chacha20poly1305.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_chacha20poly1305.c,v 1.37 2024/12/20 20:05:29 schwarze Exp $ */
+/* $OpenBSD: e_chacha20poly1305.c,v 1.38 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2022 Joel Sing <jsing@openbsd.org>
@@ -26,12 +26,12 @@
 #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/chacha.h>
 #include <openssl/poly1305.h>
 #include "bytestring.h"
+#include "err_local.h"
 #include "evp_local.h"
 #define POLY1305_TAG_LEN 16
diff --git a/src/lib/libcrypto/evp/e_des.c b/src/lib/libcrypto/evp/e_des.c
index fb335e95b1..680f77a723 100644
--- a/src/lib/libcrypto/evp/e_des.c
+++ b/src/lib/libcrypto/evp/e_des.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_des.c,v 1.24 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_des.c,v 1.25 2025/05/27 03:58:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -226,13 +226,14 @@ static const EVP_CIPHER des_cbc = {
        .block_size = 8,
        .key_len = 8,
        .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_init_key,
        .do_cipher = des_cbc_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_key_schedule),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des_ctrl,
 };
@@ -248,13 +249,14 @@ static const EVP_CIPHER des_cfb64 = {
        .block_size = 1,
        .key_len = 8,
        .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_init_key,
        .do_cipher = des_cfb64_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_key_schedule),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des_ctrl,
 };
@@ -270,13 +272,14 @@ static const EVP_CIPHER des_ofb = {
        .block_size = 1,
        .key_len = 8,
        .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_OFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_init_key,
        .do_cipher = des_ofb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_key_schedule),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des_ctrl,
 };
@@ -292,13 +295,14 @@ static const EVP_CIPHER des_ecb = {
        .block_size = 8,
        .key_len = 8,
        .iv_len = 0,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_init_key,
        .do_cipher = des_ecb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_key_schedule),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des_ctrl,
 };
@@ -314,13 +318,14 @@ static const EVP_CIPHER des_cfb1 = {
        .block_size = 1,
        .key_len = 8,
        .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_init_key,
        .do_cipher = des_cfb1_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_key_schedule),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des_ctrl,
 };
@@ -336,13 +341,14 @@ static const EVP_CIPHER des_cfb8 = {
        .block_size = 1,
        .key_len = 8,
        .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_init_key,
        .do_cipher = des_cfb8_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_key_schedule),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des_ctrl,
 };
diff --git a/src/lib/libcrypto/evp/e_des3.c b/src/lib/libcrypto/evp/e_des3.c
index 48fbcdb366..f3eb4cce1b 100644
--- a/src/lib/libcrypto/evp/e_des3.c
+++ b/src/lib/libcrypto/evp/e_des3.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_des3.c,v 1.30 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_des3.c,v 1.31 2025/05/27 03:58:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -258,13 +258,14 @@ static const EVP_CIPHER des_ede_cbc = {
        .block_size = 8,
        .key_len = 16,
        .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE |
+           EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_ede_init_key,
        .do_cipher = des_ede_cbc_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des3_ctrl,
 };
@@ -280,13 +281,14 @@ static const EVP_CIPHER des_ede_cfb64 = {
        .block_size = 1,
        .key_len = 16,
        .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_ede_init_key,
        .do_cipher = des_ede_cfb64_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des3_ctrl,
 };
@@ -307,8 +309,8 @@ static const EVP_CIPHER des_ede_ofb = {
        .do_cipher = des_ede_ofb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des3_ctrl,
 };
@@ -324,13 +326,14 @@ static const EVP_CIPHER des_ede_ecb = {
        .block_size = 8,
        .key_len = 16,
        .iv_len = 0,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_ede_init_key,
        .do_cipher = des_ede_ecb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des3_ctrl,
 };
@@ -352,13 +355,14 @@ static const EVP_CIPHER des_ede3_cbc = {
        .block_size = 8,
        .key_len = 24,
        .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_ede3_init_key,
        .do_cipher = des_ede3_cbc_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des3_ctrl,
 };
@@ -374,13 +378,14 @@ static const EVP_CIPHER des_ede3_cfb64 = {
        .block_size = 1,
        .key_len = 24,
        .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_ede3_init_key,
        .do_cipher = des_ede3_cfb64_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des3_ctrl,
 };
@@ -396,13 +401,14 @@ static const EVP_CIPHER des_ede3_ofb = {
        .block_size = 1,
        .key_len = 24,
        .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_OFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_ede3_init_key,
        .do_cipher = des_ede3_ofb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des3_ctrl,
 };
@@ -418,13 +424,14 @@ static const EVP_CIPHER des_ede3_ecb = {
        .block_size = 8,
        .key_len = 24,
        .iv_len = 0,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_ede3_init_key,
        .do_cipher = des_ede3_ecb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des3_ctrl,
 };
@@ -441,13 +448,14 @@ static const EVP_CIPHER des_ede3_cfb1 = {
        .block_size = 1,
        .key_len = 24,
        .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_ede3_init_key,
        .do_cipher = des_ede3_cfb1_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des3_ctrl,
 };
@@ -464,13 +472,14 @@ static const EVP_CIPHER des_ede3_cfb8 = {
        .block_size = 1,
        .key_len = 24,
        .iv_len = 8,
-        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE |
+            EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = des_ede3_init_key,
        .do_cipher = des_ede3_cfb8_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DES_EDE_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = des3_ctrl,
 };
diff --git a/src/lib/libcrypto/evp/e_idea.c b/src/lib/libcrypto/evp/e_idea.c
index 86cf77602a..5d33a110fd 100644
--- a/src/lib/libcrypto/evp/e_idea.c
+++ b/src/lib/libcrypto/evp/e_idea.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_idea.c,v 1.22 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_idea.c,v 1.23 2025/05/27 03:58:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -181,13 +181,13 @@ static const EVP_CIPHER idea_cbc = {
        .block_size = 8,
        .key_len = 16,
        .iv_len = 8,
-        .flags = 0 | EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = idea_init_key,
        .do_cipher = idea_cbc_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(IDEA_KEY_SCHEDULE),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -203,13 +203,13 @@ static const EVP_CIPHER idea_cfb64 = {
        .block_size = 1,
        .key_len = 16,
        .iv_len = 8,
-        .flags = 0 | EVP_CIPH_CFB_MODE,
+        .flags = EVP_CIPH_CFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = idea_init_key,
        .do_cipher = idea_cfb64_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(IDEA_KEY_SCHEDULE),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -225,13 +225,13 @@ static const EVP_CIPHER idea_ofb = {
        .block_size = 1,
        .key_len = 16,
        .iv_len = 8,
-        .flags = 0 | EVP_CIPH_OFB_MODE,
+        .flags = EVP_CIPH_OFB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = idea_init_key,
        .do_cipher = idea_ofb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(IDEA_KEY_SCHEDULE),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
@@ -247,13 +247,13 @@ static const EVP_CIPHER idea_ecb = {
        .block_size = 8,
        .key_len = 16,
        .iv_len = 0,
-        .flags = 0 | EVP_CIPH_ECB_MODE,
+        .flags = EVP_CIPH_ECB_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = idea_init_key,
        .do_cipher = idea_ecb_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(IDEA_KEY_SCHEDULE),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
diff --git a/src/lib/libcrypto/evp/e_rc2.c b/src/lib/libcrypto/evp/e_rc2.c
index dc404cff20..b7ba60297a 100644
--- a/src/lib/libcrypto/evp/e_rc2.c
+++ b/src/lib/libcrypto/evp/e_rc2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_rc2.c,v 1.29 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_rc2.c,v 1.30 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,11 +63,11 @@
 #ifndef OPENSSL_NO_RC2
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/rc2.h>
+#include "err_local.h"
 #include "evp_local.h"
 static int rc2_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
diff --git a/src/lib/libcrypto/evp/e_xcbc_d.c b/src/lib/libcrypto/evp/e_xcbc_d.c
index 1e3bee0791..1c5e6c32b2 100644
--- a/src/lib/libcrypto/evp/e_xcbc_d.c
+++ b/src/lib/libcrypto/evp/e_xcbc_d.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_xcbc_d.c,v 1.18 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: e_xcbc_d.c,v 1.19 2025/05/27 03:58:12 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -88,13 +88,13 @@ static const EVP_CIPHER d_xcbc_cipher = {
        .block_size = 8,
        .key_len = 24,
        .iv_len = 8,
-        .flags = EVP_CIPH_CBC_MODE,
+        .flags = EVP_CIPH_CBC_MODE | EVP_CIPH_FLAG_DEFAULT_ASN1,
        .init = desx_cbc_init_key,
        .do_cipher = desx_cbc_cipher,
        .cleanup = NULL,
        .ctx_size = sizeof(DESX_CBC_KEY),
-        .set_asn1_parameters = EVP_CIPHER_set_asn1_iv,
+        .set_asn1_parameters = NULL,
-        .get_asn1_parameters = EVP_CIPHER_get_asn1_iv,
+        .get_asn1_parameters = NULL,
        .ctrl = NULL,
 };
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index c2b81d0576..94295e1262 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp.h,v 1.137 2024/08/31 10:38:49 tb Exp $ */
+/* $OpenBSD: evp.h,v 1.138 2025/07/02 06:36:52 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -778,28 +778,24 @@ void *EVP_PKEY_get0(const EVP_PKEY *pkey);
 const unsigned char *EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len);
 #ifndef OPENSSL_NO_RSA
-struct rsa_st;
+RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey);
-struct rsa_st *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
+RSA *EVP_PKEY_get1_RSA(const EVP_PKEY *pkey);
-struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
+int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key);
-int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, struct rsa_st *key);
 #endif
 #ifndef OPENSSL_NO_DSA
-struct dsa_st;
+DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey);
-struct dsa_st *EVP_PKEY_get0_DSA(EVP_PKEY *pkey);
+DSA *EVP_PKEY_get1_DSA(const EVP_PKEY *pkey);
-struct dsa_st *EVP_PKEY_get1_DSA(EVP_PKEY *pkey);
+int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, DSA *key);
-int EVP_PKEY_set1_DSA(EVP_PKEY *pkey, struct dsa_st *key);
 #endif
 #ifndef OPENSSL_NO_DH
-struct dh_st;
+DH *EVP_PKEY_get0_DH(const EVP_PKEY *pkey);
-struct dh_st *EVP_PKEY_get0_DH(EVP_PKEY *pkey);
+DH *EVP_PKEY_get1_DH(const EVP_PKEY *pkey);
-struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey);
+int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key);
-int EVP_PKEY_set1_DH(EVP_PKEY *pkey, struct dh_st *key);
 #endif
 #ifndef OPENSSL_NO_EC
-struct ec_key_st;
+EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey);
-struct ec_key_st *EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey);
+EC_KEY *EVP_PKEY_get1_EC_KEY(const EVP_PKEY *pkey);
-struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
+int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key);
-int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, struct ec_key_st *key);
 #endif
 EVP_PKEY *EVP_PKEY_new(void);
diff --git a/src/lib/libcrypto/evp/evp_aead.c b/src/lib/libcrypto/evp/evp_aead.c
index b35f5157ed..fdac082217 100644
--- a/src/lib/libcrypto/evp/evp_aead.c
+++ b/src/lib/libcrypto/evp/evp_aead.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_aead.c,v 1.11 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: evp_aead.c,v 1.12 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2014, Google Inc.
 *
@@ -19,8 +19,8 @@
 #include <string.h>
 #include <openssl/evp.h>
-#include <openssl/err.h>
+#include "err_local.h"
 #include "evp_local.h"
 size_t
diff --git a/src/lib/libcrypto/evp/evp_cipher.c b/src/lib/libcrypto/evp/evp_cipher.c
index e9c266d1b9..04e0e1c0b0 100644
--- a/src/lib/libcrypto/evp/evp_cipher.c
+++ b/src/lib/libcrypto/evp/evp_cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_cipher.c,v 1.23 2024/04/10 15:00:38 beck Exp $ */
+/* $OpenBSD: evp_cipher.c,v 1.28 2025/07/02 06:19:46 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -115,10 +115,10 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 int
@@ -167,7 +167,7 @@ EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *engine,
                }
                if ((ctx->cipher->flags & EVP_CIPH_CTRL_INIT) != 0) {
-                        if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) {
+                        if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL) <= 0) {
                                EVPerror(EVP_R_INITIALIZATION_ERROR);
                                return 0;
                        }
@@ -944,14 +944,20 @@ EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx)
 LCRYPTO_ALIAS(EVP_CIPHER_CTX_flags);
 /*
- * Used by CMS and its predecessors. Only GOST and RC2 have a custom method.
+ * Used by CMS and its predecessors. Only RC2 has a custom method.
 */
 int
-EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
+EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
 {
        int iv_len;
+        if (ctx->cipher->get_asn1_parameters != NULL)
+                return ctx->cipher->get_asn1_parameters(ctx, type);
+        if ((ctx->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) == 0)
+                return -1;
        if (type == NULL)
                return 0;
@@ -970,21 +976,15 @@ EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
 }
 int
-EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
+EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
 {
-        if (ctx->cipher->get_asn1_parameters != NULL)
+        int iv_len;
-                return ctx->cipher->get_asn1_parameters(ctx, type);
-        if ((ctx->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) != 0)
-                return EVP_CIPHER_get_asn1_iv(ctx, type);
-        return -1;
+        if (ctx->cipher->set_asn1_parameters != NULL)
-}
+                return ctx->cipher->set_asn1_parameters(ctx, type);
-int
+        if ((ctx->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) == 0)
-EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
+                return -1;
-{
-        int iv_len;
        if (type == NULL)
                return 0;
@@ -998,18 +998,6 @@ EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
        return ASN1_TYPE_set_octetstring(type, ctx->oiv, iv_len);
 }
-int
-EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *ctx, ASN1_TYPE *type)
-{
-        if (ctx->cipher->set_asn1_parameters != NULL)
-                return ctx->cipher->set_asn1_parameters(ctx, type);
-        if ((ctx->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) != 0)
-                return EVP_CIPHER_set_asn1_iv(ctx, type);
-        return -1;
-}
 /* Convert the various cipher NIDs and dummies to a proper OID NID */
 int
 EVP_CIPHER_type(const EVP_CIPHER *cipher)
diff --git a/src/lib/libcrypto/evp/evp_digest.c b/src/lib/libcrypto/evp/evp_digest.c
index 0a97d25c7d..8bd6691fbf 100644
--- a/src/lib/libcrypto/evp/evp_digest.c
+++ b/src/lib/libcrypto/evp/evp_digest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_digest.c,v 1.14 2024/04/10 15:00:38 beck Exp $ */
+/* $OpenBSD: evp_digest.c,v 1.15 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -114,10 +114,10 @@
 #include <openssl/opensslconf.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
+#include "err_local.h"
 #include "evp_local.h"
 int
diff --git a/src/lib/libcrypto/evp/evp_key.c b/src/lib/libcrypto/evp/evp_key.c
index e7c7ec3294..128bec0ac3 100644
--- a/src/lib/libcrypto/evp/evp_key.c
+++ b/src/lib/libcrypto/evp/evp_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_key.c,v 1.36 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: evp_key.c,v 1.37 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,12 +59,12 @@
 #include <stdio.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/ui.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 #include "evp_local.h"
 /* should be init to zeros. */
diff --git a/src/lib/libcrypto/evp/evp_local.h b/src/lib/libcrypto/evp/evp_local.h
index 54cd65d0af..76465643c6 100644
--- a/src/lib/libcrypto/evp/evp_local.h
+++ b/src/lib/libcrypto/evp/evp_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_local.h,v 1.25 2024/08/29 16:58:19 tb Exp $ */
+/* $OpenBSD: evp_local.h,v 1.26 2025/05/27 03:58:12 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -353,9 +353,7 @@ struct evp_aead_ctx_st {
 };
 /* Legacy EVP_CIPHER methods used by CMS and its predecessors. */
-int EVP_CIPHER_set_asn1_iv(EVP_CIPHER_CTX *cipher, ASN1_TYPE *type);
 int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *cipher, ASN1_TYPE *type);
-int EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *cipher, ASN1_TYPE *type);
 int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *cipher, ASN1_TYPE *type);
 int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
diff --git a/src/lib/libcrypto/evp/evp_names.c b/src/lib/libcrypto/evp/evp_names.c
index 817d33602c..8757d191dd 100644
--- a/src/lib/libcrypto/evp/evp_names.c
+++ b/src/lib/libcrypto/evp/evp_names.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: evp_names.c,v 1.18 2024/08/31 10:38:49 tb Exp $ */
+/*      $OpenBSD: evp_names.c,v 1.19 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 *
@@ -15,7 +15,6 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
diff --git a/src/lib/libcrypto/evp/evp_pbe.c b/src/lib/libcrypto/evp/evp_pbe.c
index 88ceb14033..cb2ace1fd0 100644
--- a/src/lib/libcrypto/evp/evp_pbe.c
+++ b/src/lib/libcrypto/evp/evp_pbe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_pbe.c,v 1.50 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: evp_pbe.c,v 1.51 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -60,13 +60,13 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs12.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "hmac_local.h"
 #include "pkcs12_local.h"
diff --git a/src/lib/libcrypto/evp/evp_pkey.c b/src/lib/libcrypto/evp/evp_pkey.c
index a1e127352a..1c0b8b41e9 100644
--- a/src/lib/libcrypto/evp/evp_pkey.c
+++ b/src/lib/libcrypto/evp/evp_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_pkey.c,v 1.33 2025/02/04 04:51:34 tb Exp $ */
+/* $OpenBSD: evp_pkey.c,v 1.34 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -60,10 +60,10 @@
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 /* Extract a private key from a PKCS8 structure */
diff --git a/src/lib/libcrypto/evp/m_sigver.c b/src/lib/libcrypto/evp/m_sigver.c
index a3353854f1..66e4752242 100644
--- a/src/lib/libcrypto/evp/m_sigver.c
+++ b/src/lib/libcrypto/evp/m_sigver.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: m_sigver.c,v 1.27 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: m_sigver.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -58,11 +58,11 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 #include "evp_local.h"
 static int
diff --git a/src/lib/libcrypto/evp/p_legacy.c b/src/lib/libcrypto/evp/p_legacy.c
index 01cfdbcd6a..7c958a16e3 100644
--- a/src/lib/libcrypto/evp/p_legacy.c
+++ b/src/lib/libcrypto/evp/p_legacy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: p_legacy.c,v 1.6 2024/04/09 13:52:41 beck Exp $ */
+/*      $OpenBSD: p_legacy.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,10 +59,10 @@
 #include <stdlib.h>
 #include <openssl/evp.h>
-#include <openssl/err.h>
 #include <openssl/rsa.h>
+#include "err_local.h"
 #include "evp_local.h"
 int
diff --git a/src/lib/libcrypto/evp/p_lib.c b/src/lib/libcrypto/evp/p_lib.c
index 95c7721303..3f88185737 100644
--- a/src/lib/libcrypto/evp/p_lib.c
+++ b/src/lib/libcrypto/evp/p_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p_lib.c,v 1.61 2024/08/22 12:24:24 tb Exp $ */
+/* $OpenBSD: p_lib.c,v 1.63 2025/07/02 06:36:52 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -111,7 +111,6 @@
 #include <openssl/bio.h>
 #include <openssl/cmac.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
@@ -129,6 +128,7 @@
 #include <openssl/rsa.h>
 #endif
+#include "err_local.h"
 #include "evp_local.h"
 extern const EVP_PKEY_ASN1_METHOD cmac_asn1_meth;
@@ -628,7 +628,7 @@ LCRYPTO_ALIAS(EVP_PKEY_get0_hmac);
 #ifndef OPENSSL_NO_RSA
 RSA *
-EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+EVP_PKEY_get0_RSA(const EVP_PKEY *pkey)
 {
        if (pkey->type == EVP_PKEY_RSA || pkey->type == EVP_PKEY_RSA_PSS)
                return pkey->pkey.rsa;
@@ -639,7 +639,7 @@ EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
 LCRYPTO_ALIAS(EVP_PKEY_get0_RSA);
 RSA *
-EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
+EVP_PKEY_get1_RSA(const EVP_PKEY *pkey)
 {
        RSA *rsa;
@@ -665,7 +665,7 @@ LCRYPTO_ALIAS(EVP_PKEY_set1_RSA);
 #ifndef OPENSSL_NO_DSA
 DSA *
-EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
+EVP_PKEY_get0_DSA(const EVP_PKEY *pkey)
 {
        if (pkey->type != EVP_PKEY_DSA) {
                EVPerror(EVP_R_EXPECTING_A_DSA_KEY);
@@ -676,7 +676,7 @@ EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
 LCRYPTO_ALIAS(EVP_PKEY_get0_DSA);
 DSA *
-EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
+EVP_PKEY_get1_DSA(const EVP_PKEY *pkey)
 {
        DSA *dsa;
@@ -702,7 +702,7 @@ LCRYPTO_ALIAS(EVP_PKEY_set1_DSA);
 #ifndef OPENSSL_NO_EC
 EC_KEY *
-EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
+EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey)
 {
        if (pkey->type != EVP_PKEY_EC) {
                EVPerror(EVP_R_EXPECTING_A_EC_KEY);
@@ -713,7 +713,7 @@ EVP_PKEY_get0_EC_KEY(EVP_PKEY *pkey)
 LCRYPTO_ALIAS(EVP_PKEY_get0_EC_KEY);
 EC_KEY *
-EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey)
+EVP_PKEY_get1_EC_KEY(const EVP_PKEY *pkey)
 {
        EC_KEY *key;
@@ -740,7 +740,7 @@ LCRYPTO_ALIAS(EVP_PKEY_set1_EC_KEY);
 #ifndef OPENSSL_NO_DH
 DH *
-EVP_PKEY_get0_DH(EVP_PKEY *pkey)
+EVP_PKEY_get0_DH(const EVP_PKEY *pkey)
 {
        if (pkey->type != EVP_PKEY_DH) {
                EVPerror(EVP_R_EXPECTING_A_DH_KEY);
@@ -751,7 +751,7 @@ EVP_PKEY_get0_DH(EVP_PKEY *pkey)
 LCRYPTO_ALIAS(EVP_PKEY_get0_DH);
 DH *
-EVP_PKEY_get1_DH(EVP_PKEY *pkey)
+EVP_PKEY_get1_DH(const EVP_PKEY *pkey)
 {
        DH *dh;
diff --git a/src/lib/libcrypto/evp/p_sign.c b/src/lib/libcrypto/evp/p_sign.c
index 7f472ea716..775cf78d62 100644
--- a/src/lib/libcrypto/evp/p_sign.c
+++ b/src/lib/libcrypto/evp/p_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p_sign.c,v 1.22 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: p_sign.c,v 1.23 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -58,7 +58,6 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
diff --git a/src/lib/libcrypto/evp/p_verify.c b/src/lib/libcrypto/evp/p_verify.c
index 02132e2c38..cd7482df55 100644
--- a/src/lib/libcrypto/evp/p_verify.c
+++ b/src/lib/libcrypto/evp/p_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p_verify.c,v 1.21 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: p_verify.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -58,7 +58,6 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
diff --git a/src/lib/libcrypto/evp/pmeth_fn.c b/src/lib/libcrypto/evp/pmeth_fn.c
index 308c434f0d..ad6c04dabb 100644
--- a/src/lib/libcrypto/evp/pmeth_fn.c
+++ b/src/lib/libcrypto/evp/pmeth_fn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pmeth_fn.c,v 1.11 2024/04/12 09:41:39 tb Exp $ */
+/* $OpenBSD: pmeth_fn.c,v 1.12 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -59,10 +59,10 @@
 #include <stdio.h>
 #include <stdlib.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
+#include "err_local.h"
 #include "evp_local.h"
 #define M_check_autoarg(ctx, arg, arglen, err) \
diff --git a/src/lib/libcrypto/evp/pmeth_gn.c b/src/lib/libcrypto/evp/pmeth_gn.c
index bc1c5bd7d2..fa5b446124 100644
--- a/src/lib/libcrypto/evp/pmeth_gn.c
+++ b/src/lib/libcrypto/evp/pmeth_gn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pmeth_gn.c,v 1.21 2024/08/31 09:14:21 tb Exp $ */
+/* $OpenBSD: pmeth_gn.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -60,12 +60,12 @@
 #include <stdlib.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include "asn1_local.h"
 #include "bn_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 int
diff --git a/src/lib/libcrypto/evp/pmeth_lib.c b/src/lib/libcrypto/evp/pmeth_lib.c
index fbf4057c38..ce6beecad6 100644
--- a/src/lib/libcrypto/evp/pmeth_lib.c
+++ b/src/lib/libcrypto/evp/pmeth_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pmeth_lib.c,v 1.42 2025/01/20 12:57:28 tb Exp $ */
+/* $OpenBSD: pmeth_lib.c,v 1.43 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -63,12 +63,12 @@
 #include <openssl/opensslconf.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509v3.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 extern const EVP_PKEY_METHOD cmac_pkey_meth;
diff --git a/src/lib/libcrypto/format-pem.pl b/src/lib/libcrypto/format-pem.pl
index 5a96fe5b1d..fba3470344 100644
--- a/src/lib/libcrypto/format-pem.pl
+++ b/src/lib/libcrypto/format-pem.pl
@@ -1,5 +1,5 @@
 #!/usr/bin/perl
-# $OpenBSD: format-pem.pl,v 1.7 2024/11/01 11:19:13 sthen Exp $
+# $OpenBSD: format-pem.pl,v 1.8 2025/06/16 10:24:55 sthen Exp $
 #
 # Copyright (c) 2016 Stuart Henderson <sthen@openbsd.org>
 #
@@ -99,6 +99,7 @@ while(<>) {
                my $verify = qx/openssl verify -CAfile $t $t 2>&1/;
                if (not $verify =~ /^$t: OK$/) {
+                        $verify =~ s,$t: ,,;
                        print STDERR "ERROR: '$subj' cannot be verified with libressl\n---\n$verify---\n";
                        $ca{$o}{$subj}{'valid'} = 0;
                }
diff --git a/src/lib/libcrypto/hidden/crypto_namespace.h b/src/lib/libcrypto/hidden/crypto_namespace.h
index 741ad08549..43c8718ed0 100644
--- a/src/lib/libcrypto/hidden/crypto_namespace.h
+++ b/src/lib/libcrypto/hidden/crypto_namespace.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: crypto_namespace.h,v 1.4 2024/07/11 21:31:52 miod Exp $       */
+/*      $OpenBSD: crypto_namespace.h,v 1.5 2025/08/18 16:00:05 tb Exp $ */
 /*
 * Copyright (c) 2016 Philip Guenther <guenther@openbsd.org>
 *
@@ -45,7 +45,11 @@
 # define LCRYPTO_UNUSED(x)
 # define LCRYPTO_USED(x)
 # define LCRYPTO_ALIAS1(pre,x)
+#ifdef _MSC_VER
+# define LCRYPTO_ALIAS(x)
+#else
 # define LCRYPTO_ALIAS(x)       asm("")
+#endif /* _MSC_VER */
 #endif
 #endif  /* _LIBCRYPTO_CRYPTO_NAMESPACE_H_ */
diff --git a/src/lib/libcrypto/hidden/openssl/asn1t.h b/src/lib/libcrypto/hidden/openssl/asn1t.h
index 17bcb4e453..8f5f09b09f 100644
--- a/src/lib/libcrypto/hidden/openssl/asn1t.h
+++ b/src/lib/libcrypto/hidden/openssl/asn1t.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1t.h,v 1.5 2024/07/08 17:01:54 beck Exp $ */
+/* $OpenBSD: asn1t.h,v 1.6 2025/08/22 14:07:34 tb Exp $ */
 /*
 * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
 *
@@ -30,6 +30,9 @@ LCRYPTO_USED(ASN1_item_ex_free);
 LCRYPTO_USED(ASN1_item_ex_d2i);
 LCRYPTO_USED(ASN1_item_ex_i2d);
 #if defined(LIBRESSL_NAMESPACE)
+extern LCRYPTO_USED(ASN1_BOOLEAN_it);
+extern LCRYPTO_USED(ASN1_TBOOLEAN_it);
+extern LCRYPTO_USED(ASN1_FBOOLEAN_it);
 extern LCRYPTO_USED(ASN1_SEQUENCE_it);
 extern LCRYPTO_USED(BIGNUM_it);
 extern LCRYPTO_USED(LONG_it);
diff --git a/src/lib/libcrypto/hidden/openssl/bio.h b/src/lib/libcrypto/hidden/openssl/bio.h
index 03da75a795..69651cf3cb 100644
--- a/src/lib/libcrypto/hidden/openssl/bio.h
+++ b/src/lib/libcrypto/hidden/openssl/bio.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio.h,v 1.8 2024/07/09 06:14:59 beck Exp $ */
+/* $OpenBSD: bio.h,v 1.9 2025/07/16 15:59:26 tb Exp $ */
 /*
 * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
 *
@@ -103,7 +103,6 @@ LCRYPTO_USED(BIO_s_socket);
 LCRYPTO_USED(BIO_s_connect);
 LCRYPTO_USED(BIO_s_accept);
 LCRYPTO_USED(BIO_s_fd);
-LCRYPTO_USED(BIO_s_log);
 LCRYPTO_USED(BIO_s_bio);
 LCRYPTO_USED(BIO_s_null);
 LCRYPTO_USED(BIO_f_null);
diff --git a/src/lib/libcrypto/hidden/openssl/mlkem.h b/src/lib/libcrypto/hidden/openssl/mlkem.h
index 8cd80eb3af..e5f1fc0634 100644
--- a/src/lib/libcrypto/hidden/openssl/mlkem.h
+++ b/src/lib/libcrypto/hidden/openssl/mlkem.h
@@ -1,6 +1,6 @@
-/* $OpenBSD: mlkem.h,v 1.4 2024/12/20 15:10:31 tb Exp $ */
+/* $OpenBSD: mlkem.h,v 1.6 2025/08/19 21:37:08 tb Exp $ */
 /*
- * Copyright (c) 2024 Bob Beck <beck@obtuse.com>
+ * Copyright (c) 2025 Bob Beck <beck@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -18,9 +18,6 @@
 #ifndef _LIBCRYPTO_MLKEM_H
 #define _LIBCRYPTO_MLKEM_H
-/* Undo when making public */
-#ifdef LIBRESSL_HAS_MLKEM
 #ifndef _MSC_VER
 #include_next <openssl/mlkem.h>
 #else
@@ -28,22 +25,22 @@
 #endif
 #include "crypto_namespace.h"
-LCRYPTO_USED(MLKEM768_generate_key);
+LCRYPTO_USED(MLKEM_private_key_new);
-LCRYPTO_USED(MLKEM768_public_from_private);
+LCRYPTO_USED(MLKEM_private_key_free);
-LCRYPTO_USED(MLKEM768_encap);
+LCRYPTO_USED(MLKEM_private_key_ciphertext_length);
-LCRYPTO_USED(MLKEM768_decap);
+LCRYPTO_USED(MLKEM_private_key_encoded_length);
-LCRYPTO_USED(MLKEM768_marshal_public_key);
+LCRYPTO_USED(MLKEM_public_key_new);
-LCRYPTO_USED(MLKEM768_parse_public_key);
+LCRYPTO_USED(MLKEM_public_key_free);
-LCRYPTO_USED(MLKEM768_private_key_from_seed);
+LCRYPTO_USED(MLKEM_public_key_ciphertext_length);
-LCRYPTO_USED(MLKEM768_parse_private_key);
+LCRYPTO_USED(MLKEM_public_key_encoded_length);
-LCRYPTO_USED(MLKEM1024_generate_key);
+LCRYPTO_USED(MLKEM_generate_key);
-LCRYPTO_USED(MLKEM1024_public_from_private);
+LCRYPTO_USED(MLKEM_private_key_from_seed);
-LCRYPTO_USED(MLKEM1024_encap);
+LCRYPTO_USED(MLKEM_public_from_private);
-LCRYPTO_USED(MLKEM1024_decap);
+LCRYPTO_USED(MLKEM_encap);
-LCRYPTO_USED(MLKEM1024_marshal_public_key);
+LCRYPTO_USED(MLKEM_decap);
-LCRYPTO_USED(MLKEM1024_parse_public_key);
+LCRYPTO_USED(MLKEM_marshal_public_key);
-LCRYPTO_USED(MLKEM1024_private_key_from_seed);
+LCRYPTO_USED(MLKEM_parse_public_key);
-LCRYPTO_USED(MLKEM1024_parse_private_key);
+LCRYPTO_USED(MLKEM_marshal_private_key);
-#endif /* LIBRESSL_HAS_MLKEM */
+LCRYPTO_USED(MLKEM_parse_private_key);
 #endif /* _LIBCRYPTO_MLKEM_H */
diff --git a/src/lib/libcrypto/hidden/openssl/pem.h b/src/lib/libcrypto/hidden/openssl/pem.h
index 5838f07f4d..233fd8859b 100644
--- a/src/lib/libcrypto/hidden/openssl/pem.h
+++ b/src/lib/libcrypto/hidden/openssl/pem.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem.h,v 1.2 2023/07/07 19:37:54 beck Exp $ */
+/* $OpenBSD: pem.h,v 1.3 2025/07/16 15:59:26 tb Exp $ */
 /*
 * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
 *
@@ -33,12 +33,10 @@ LCRYPTO_USED(PEM_bytes_read_bio);
 LCRYPTO_USED(PEM_ASN1_read_bio);
 LCRYPTO_USED(PEM_ASN1_write_bio);
 LCRYPTO_USED(PEM_X509_INFO_read_bio);
-LCRYPTO_USED(PEM_X509_INFO_write_bio);
 LCRYPTO_USED(PEM_read);
 LCRYPTO_USED(PEM_write);
 LCRYPTO_USED(PEM_ASN1_read);
 LCRYPTO_USED(PEM_ASN1_write);
-LCRYPTO_USED(PEM_X509_INFO_read);
 LCRYPTO_USED(PEM_SignInit);
 LCRYPTO_USED(PEM_SignUpdate);
 LCRYPTO_USED(PEM_SignFinal);
diff --git a/src/lib/libcrypto/hidden/openssl/x509.h b/src/lib/libcrypto/hidden/openssl/x509.h
index e6104cd451..5e78f7af97 100644
--- a/src/lib/libcrypto/hidden/openssl/x509.h
+++ b/src/lib/libcrypto/hidden/openssl/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.15 2025/03/09 15:17:22 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.16 2025/07/16 15:59:26 tb Exp $ */
 /*
 * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
 *
@@ -401,8 +401,6 @@ LCRYPTO_USED(i2d_X509_CRL);
 LCRYPTO_USED(X509_CRL_add0_revoked);
 LCRYPTO_USED(X509_CRL_get0_by_serial);
 LCRYPTO_USED(X509_CRL_get0_by_cert);
-LCRYPTO_USED(X509_PKEY_new);
-LCRYPTO_USED(X509_PKEY_free);
 LCRYPTO_USED(NETSCAPE_SPKI_new);
 LCRYPTO_USED(NETSCAPE_SPKI_free);
 LCRYPTO_USED(d2i_NETSCAPE_SPKI);
diff --git a/src/lib/libcrypto/hidden/openssl/x509_vfy.h b/src/lib/libcrypto/hidden/openssl/x509_vfy.h
index cc0991518f..d0c46b655e 100644
--- a/src/lib/libcrypto/hidden/openssl/x509_vfy.h
+++ b/src/lib/libcrypto/hidden/openssl/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.10 2025/03/09 15:20:20 tb Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.11 2025/10/24 11:33:38 tb Exp $ */
 /*
 * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
 *
@@ -122,6 +122,7 @@ LCRYPTO_USED(X509_VERIFY_PARAM_set1_name);
 LCRYPTO_USED(X509_VERIFY_PARAM_set_flags);
 LCRYPTO_USED(X509_VERIFY_PARAM_clear_flags);
 LCRYPTO_USED(X509_VERIFY_PARAM_get_flags);
+LCRYPTO_USED(X509_VERIFY_PARAM_get_hostflags);
 LCRYPTO_USED(X509_VERIFY_PARAM_set_purpose);
 LCRYPTO_USED(X509_VERIFY_PARAM_set_trust);
 LCRYPTO_USED(X509_VERIFY_PARAM_set_depth);
diff --git a/src/lib/libcrypto/hkdf/hkdf.c b/src/lib/libcrypto/hkdf/hkdf.c
index 6104ef0cc7..f68df4bea4 100644
--- a/src/lib/libcrypto/hkdf/hkdf.c
+++ b/src/lib/libcrypto/hkdf/hkdf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hkdf.c,v 1.11 2024/03/25 13:09:13 jsing Exp $ */
+/* $OpenBSD: hkdf.c,v 1.12 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2014, Google Inc.
 *
@@ -19,10 +19,10 @@
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/hmac.h>
 #include "bytestring.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "hmac_local.h"
diff --git a/src/lib/libcrypto/hmac/hmac.c b/src/lib/libcrypto/hmac/hmac.c
index dc1614d3ce..e3d5664143 100644
--- a/src/lib/libcrypto/hmac/hmac.c
+++ b/src/lib/libcrypto/hmac/hmac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hmac.c,v 1.36 2024/08/31 10:42:21 tb Exp $ */
+/* $OpenBSD: hmac.c,v 1.37 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,9 +60,9 @@
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/hmac.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "hmac_local.h"
diff --git a/src/lib/libcrypto/idea/idea.h b/src/lib/libcrypto/idea/idea.h
index 2bdd3647fd..fccef8fc73 100644
--- a/src/lib/libcrypto/idea/idea.h
+++ b/src/lib/libcrypto/idea/idea.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: idea.h,v 1.13 2025/01/25 17:59:44 tb Exp $ */
+/* $OpenBSD: idea.h,v 1.14 2025/06/09 14:37:49 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,7 +59,12 @@
 #ifndef HEADER_IDEA_H
 #define HEADER_IDEA_H
-#include <openssl/opensslconf.h> /* IDEA_INT, OPENSSL_NO_IDEA */
+#include <openssl/opensslconf.h> /* OPENSSL_NO_IDEA */
+#ifndef IDEA_INT
+/* XXX - typedef */
+#define IDEA_INT unsigned int
+#endif
 #define IDEA_ENCRYPT    1
 #define IDEA_DECRYPT    0
diff --git a/src/lib/libcrypto/idea/idea_local.h b/src/lib/libcrypto/idea/idea_local.h
index c7fd3271a7..c0a592ab1c 100644
--- a/src/lib/libcrypto/idea/idea_local.h
+++ b/src/lib/libcrypto/idea/idea_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: idea_local.h,v 1.2 2023/07/07 12:51:58 beck Exp $ */
+/* $OpenBSD: idea_local.h,v 1.3 2025/11/26 10:19:57 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -56,6 +56,9 @@
 * [including the GNU Public Licence.]
 */
+#ifndef HEADER_IDEA_LOCAL_H
+#define HEADER_IDEA_LOCAL_H
 /* The new form of this macro (check if the a*b == 0) was suggested by
 * Colin Plumb <colin@nyx10.cs.du.edu> */
 /* Removal of the inner if from from Wei Dai 24/4/96 */
@@ -147,3 +150,5 @@ else									\
        ul=x2^t0; /* do the swap to x3 */                               \
        x2=x3^t1;                                                       \
        x3=ul;
+#endif /* HEADER_IDEA_LOCAL_H */
diff --git a/src/lib/libcrypto/kdf/hkdf_evp.c b/src/lib/libcrypto/kdf/hkdf_evp.c
index b33e2e0a26..dee6e35d82 100644
--- a/src/lib/libcrypto/kdf/hkdf_evp.c
+++ b/src/lib/libcrypto/kdf/hkdf_evp.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: hkdf_evp.c,v 1.20 2023/06/26 08:57:17 tb Exp $ */
+/*      $OpenBSD: hkdf_evp.c,v 1.22 2025/05/21 03:53:20 kenjiro Exp $ */
 /* ====================================================================
 * Copyright (c) 2016-2018 The OpenSSL Project.  All rights reserved.
 *
@@ -50,12 +50,11 @@
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/hkdf.h>
 #include <openssl/kdf.h>
+#include "err_local.h"
 #include "evp_local.h"
 #define HKDF_MAXBUF 1024
@@ -91,6 +90,9 @@ pkey_hkdf_cleanup(EVP_PKEY_CTX *ctx)
 {
        HKDF_PKEY_CTX *kctx = ctx->data;
+        if (kctx == NULL)
+                return;
        freezero(kctx->salt, kctx->salt_len);
        freezero(kctx->key, kctx->key_len);
        freezero(kctx, sizeof(*kctx));
diff --git a/src/lib/libcrypto/kdf/tls1_prf.c b/src/lib/libcrypto/kdf/tls1_prf.c
index 7d6231e3c7..2b86ff744f 100644
--- a/src/lib/libcrypto/kdf/tls1_prf.c
+++ b/src/lib/libcrypto/kdf/tls1_prf.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls1_prf.c,v 1.40 2024/07/10 06:53:27 tb Exp $ */
+/*      $OpenBSD: tls1_prf.c,v 1.42 2025/05/21 03:53:20 kenjiro Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
 * 2016.
@@ -61,10 +61,10 @@
 #include <stdio.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/kdf.h>
+#include "err_local.h"
 #include "evp_local.h"
 #define TLS1_PRF_MAXBUF 1024
@@ -96,6 +96,9 @@ pkey_tls1_prf_cleanup(EVP_PKEY_CTX *ctx)
 {
        struct tls1_prf_ctx *kctx = ctx->data;
+        if (kctx == NULL)
+                return;
        freezero(kctx->secret, kctx->secret_len);
        freezero(kctx, sizeof(*kctx));
 }
diff --git a/src/lib/libcrypto/lhash/lhash.c b/src/lib/libcrypto/lhash/lhash.c
index aa532267de..ad6ece543b 100644
--- a/src/lib/libcrypto/lhash/lhash.c
+++ b/src/lib/libcrypto/lhash/lhash.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lhash.c,v 1.28 2024/07/14 14:32:45 jsing Exp $ */
+/* $OpenBSD: lhash.c,v 1.29 2025/05/01 00:35:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -115,11 +115,11 @@ expand(_LHASH *lh)
 #endif
                if ((hash % nni) != p) { /* move it */
                        *n1 = (*n1)->next;
-                        np->next= *n2;
+                        np->next = *n2;
                        *n2 = np;
                } else
                        n1 = &((*n1)->next);
-                np= *n1;
+                np = *n1;
        }
        if ((lh->p) >= lh->pmax) {
@@ -305,7 +305,7 @@ lh_delete(_LHASH *lh, const void *data)
        if (*rn == NULL) {
                return (NULL);
        } else {
-                nn= *rn;
+                nn = *rn;
                *rn = nn->next;
                ret = nn->data;
                free(nn);
diff --git a/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3 b/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3
index 15156ffca3..bfa915c8af 100644
--- a/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3
+++ b/src/lib/libcrypto/man/ACCESS_DESCRIPTION_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ACCESS_DESCRIPTION_new.3,v 1.6 2022/03/31 17:27:16 naddy Exp $
+.\"     $OpenBSD: ACCESS_DESCRIPTION_new.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ACCESS_DESCRIPTION_NEW 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm AUTHORITY_INFO_ACCESS_free
 .Nd X.509 information access extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft ACCESS_DESCRIPTION *
 .Fn ACCESS_DESCRIPTION_new void
diff --git a/src/lib/libcrypto/man/AES_encrypt.3 b/src/lib/libcrypto/man/AES_encrypt.3
index f022848a61..0a3c63dce2 100644
--- a/src/lib/libcrypto/man/AES_encrypt.3
+++ b/src/lib/libcrypto/man/AES_encrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: AES_encrypt.3,v 1.1 2019/08/28 10:37:42 schwarze Exp $
+.\" $OpenBSD: AES_encrypt.3,v 1.3 2025/12/20 08:51:56 tb Exp $
 .\"
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 28 2019 $
+.Dd $Mdocdate: December 20 2025 $
 .Dt AES_ENCRYPT 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm AES_cbc_encrypt
 .Nd low-level interface to the AES symmetric cipher
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/aes.h
 .Ft int
 .Fo AES_set_encrypt_key
@@ -60,7 +61,7 @@
 .Fa "const int enc"
 .Fc
 .Sh DESCRIPTION
-These function provide a low-level interface to the AES symmetric
+These functions provide a low-level interface to the AES symmetric
 cipher algorithm, also called Rijndael.
 For reasons of flexibility, it is recommended that application
 programs use the high-level interface described in
diff --git a/src/lib/libcrypto/man/ASIdentifiers_new.3 b/src/lib/libcrypto/man/ASIdentifiers_new.3
index d8473b81a0..f5f4a1215e 100644
--- a/src/lib/libcrypto/man/ASIdentifiers_new.3
+++ b/src/lib/libcrypto/man/ASIdentifiers_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASIdentifiers_new.3,v 1.11 2023/09/30 18:16:44 tb Exp $
+.\" $OpenBSD: ASIdentifiers_new.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASIDENTIFIERS_NEW 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm i2d_ASIdentifiers
 .Nd RFC 3779 autonomous system identifier delegation extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft ASIdentifiers *
 .Fo ASIdentifiers_new
diff --git a/src/lib/libcrypto/man/ASN1_BIT_STRING_set.3 b/src/lib/libcrypto/man/ASN1_BIT_STRING_set.3
index a916ca3ab2..d3ab3b1ee0 100644
--- a/src/lib/libcrypto/man/ASN1_BIT_STRING_set.3
+++ b/src/lib/libcrypto/man/ASN1_BIT_STRING_set.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_BIT_STRING_set.3,v 1.5 2024/12/24 09:48:56 schwarze Exp $
+.\" $OpenBSD: ASN1_BIT_STRING_set.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_BIT_STRING_SET 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm ASN1_BIT_STRING_get_bit
 .Nd ASN.1 BIT STRING accessors
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_BIT_STRING_set
diff --git a/src/lib/libcrypto/man/ASN1_INTEGER_get.3 b/src/lib/libcrypto/man/ASN1_INTEGER_get.3
index 84f566eda9..985e2e5084 100644
--- a/src/lib/libcrypto/man/ASN1_INTEGER_get.3
+++ b/src/lib/libcrypto/man/ASN1_INTEGER_get.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_INTEGER_get.3,v 1.7 2023/05/22 19:38:04 tb Exp $
+.\" $OpenBSD: ASN1_INTEGER_get.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" selective merge up to:
 .\" OpenSSL man3/ASN1_INTEGER_get_int64 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 22 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_INTEGER_GET 3
 .Os
 .Sh NAME
@@ -88,6 +88,7 @@
 .Nm ASN1_ENUMERATED_to_BN
 .Nd ASN.1 INTEGER and ENUMERATED utilities
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_INTEGER_get_uint64
diff --git a/src/lib/libcrypto/man/ASN1_NULL_new.3 b/src/lib/libcrypto/man/ASN1_NULL_new.3
index b4d2428ed1..1244f2e252 100644
--- a/src/lib/libcrypto/man/ASN1_NULL_new.3
+++ b/src/lib/libcrypto/man/ASN1_NULL_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_NULL_new.3,v 1.3 2021/12/09 18:42:35 schwarze Exp $
+.\" $OpenBSD: ASN1_NULL_new.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_NULL_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm ASN1_NULL_free
 .Nd ASN.1 NULL value
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_NULL *
 .Fn ASN1_NULL_new void
diff --git a/src/lib/libcrypto/man/ASN1_OBJECT_new.3 b/src/lib/libcrypto/man/ASN1_OBJECT_new.3
index 3e2eac02ee..3df3dd8e68 100644
--- a/src/lib/libcrypto/man/ASN1_OBJECT_new.3
+++ b/src/lib/libcrypto/man/ASN1_OBJECT_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_OBJECT_new.3,v 1.16 2023/09/05 15:01:39 schwarze Exp $
+.\" $OpenBSD: ASN1_OBJECT_new.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d4 Mar 19 12:28:58 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 5 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_OBJECT_NEW 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm ASN1_OBJECT_free
 .Nd ASN.1 object identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_OBJECT *
 .Fo ASN1_OBJECT_new
diff --git a/src/lib/libcrypto/man/ASN1_PRINTABLE_type.3 b/src/lib/libcrypto/man/ASN1_PRINTABLE_type.3
index 391dd32e66..47288ee960 100644
--- a/src/lib/libcrypto/man/ASN1_PRINTABLE_type.3
+++ b/src/lib/libcrypto/man/ASN1_PRINTABLE_type.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_PRINTABLE_type.3,v 1.1 2021/11/15 13:39:40 schwarze Exp $
+.\" $OpenBSD: ASN1_PRINTABLE_type.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_PRINTABLE_TYPE 3
 .Os
 .Sh NAME
 .Nm ASN1_PRINTABLE_type
 .Nd classify a single-byte character string
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_PRINTABLE_type
diff --git a/src/lib/libcrypto/man/ASN1_STRING_TABLE_get.3 b/src/lib/libcrypto/man/ASN1_STRING_TABLE_get.3
index 2bf8831c12..f9e69a89e5 100644
--- a/src/lib/libcrypto/man/ASN1_STRING_TABLE_get.3
+++ b/src/lib/libcrypto/man/ASN1_STRING_TABLE_get.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_STRING_TABLE_get.3,v 1.4 2023/12/21 21:23:37 tb Exp $
+.\" $OpenBSD: ASN1_STRING_TABLE_get.3,v 1.6 2025/12/31 13:48:01 tb Exp $
 .\" checked up to:
 .\" OpenSSL ASN1_STRING_TABLE_add.pod 7b608d08 Jul 27 01:18:50 2017 +0800
 .\"
@@ -16,17 +16,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 21 2023 $
+.Dd $Mdocdate: December 31 2025 $
 .Dt ASN1_STRING_TABLE_GET 3
 .Os
 .Sh NAME
-.\" .Nm ASN1_STRING_TABLE_add0 and
-.\" .Nm ASN1_STRING_TABLE_cleanup are intentionally undocumented
-.\" because they will be removed in the next major bump
-.\" .Dv STABLE_FLAGS_MALLOC is intentionally undocumented because it is unused
 .Nm ASN1_STRING_TABLE_get
 .Nd retrieve an entry from the global ASN.1 string table
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_STRING_TABLE *
 .Fo ASN1_STRING_TABLE_get
diff --git a/src/lib/libcrypto/man/ASN1_STRING_length.3 b/src/lib/libcrypto/man/ASN1_STRING_length.3
index 0c397607a9..922ae89ac6 100644
--- a/src/lib/libcrypto/man/ASN1_STRING_length.3
+++ b/src/lib/libcrypto/man/ASN1_STRING_length.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_STRING_length.3,v 1.30 2024/12/27 15:30:17 schwarze Exp $
+.\" $OpenBSD: ASN1_STRING_length.3,v 1.31 2025/06/08 22:37:23 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 27 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_STRING_LENGTH 3
 .Os
 .Sh NAME
@@ -84,10 +84,9 @@
 .Nm ASN1_STRING_copy ,
 .Nm ASN1_STRING_to_UTF8 ,
 .Nm ASN1_STRING_type
-.\" deprecated aliases, intentionally undocumented:
-.\" M_ASN1_STRING_data, M_ASN1_STRING_length
 .Nd ASN1_STRING utility functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_STRING_cmp
diff --git a/src/lib/libcrypto/man/ASN1_STRING_new.3 b/src/lib/libcrypto/man/ASN1_STRING_new.3
index 212bacd413..d653b70dda 100644
--- a/src/lib/libcrypto/man/ASN1_STRING_new.3
+++ b/src/lib/libcrypto/man/ASN1_STRING_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ASN1_STRING_new.3,v 1.27 2024/12/27 15:30:17 schwarze Exp $
+.\"     $OpenBSD: ASN1_STRING_new.3,v 1.28 2025/06/08 22:37:23 schwarze Exp $
 .\"     OpenSSL 99d63d46 Tue Mar 24 07:52:24 2015 -0400
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 27 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_STRING_NEW 3
 .Os
 .Sh NAME
@@ -58,10 +58,9 @@
 .Nm ASN1_UTCTIME_free ,
 .Nm ASN1_TIME_new ,
 .Nm ASN1_TIME_free
-.\" deprecated aliases, intentionally undocumented: M_ASN1_IA5STRING_new,
-.\" M_ASN1_ENUMERATED_free, M_ASN1_INTEGER_free, M_ASN1_OCTET_STRING_free
 .Nd allocate and free ASN1_STRING objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_STRING *
 .Fn ASN1_STRING_new void
diff --git a/src/lib/libcrypto/man/ASN1_STRING_print_ex.3 b/src/lib/libcrypto/man/ASN1_STRING_print_ex.3
index eb43b2fe5c..8295b3e9dd 100644
--- a/src/lib/libcrypto/man/ASN1_STRING_print_ex.3
+++ b/src/lib/libcrypto/man/ASN1_STRING_print_ex.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_STRING_print_ex.3,v 1.18 2021/12/14 19:36:18 schwarze Exp $
+.\" $OpenBSD: ASN1_STRING_print_ex.3,v 1.19 2025/06/08 22:37:23 schwarze Exp $
 .\" full merge up to: OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_STRING_PRINT_EX 3
 .Os
 .Sh NAME
@@ -58,9 +58,9 @@
 .Nm ASN1_STRING_print_ex_fp ,
 .Nm ASN1_STRING_print ,
 .Nm ASN1_tag2str
-.\" M_ASN1_OCTET_STRING_print is a deprecated alias, intentionally undocumented
 .Nd ASN1_STRING output routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_STRING_print_ex
diff --git a/src/lib/libcrypto/man/ASN1_TIME_set.3 b/src/lib/libcrypto/man/ASN1_TIME_set.3
index 233cb13f2c..8cfcf4339b 100644
--- a/src/lib/libcrypto/man/ASN1_TIME_set.3
+++ b/src/lib/libcrypto/man/ASN1_TIME_set.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_TIME_set.3,v 1.23 2024/03/05 18:30:40 tb Exp $
+.\" $OpenBSD: ASN1_TIME_set.3,v 1.24 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 3d0f1cb9 Jul 11 03:01:24 2017 +0800
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_TIME_SET 3
 .Os
 .Sh NAME
@@ -101,6 +101,7 @@
 .Nm OPENSSL_tm_to_posix
 .Nd ASN.1 Time functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_TIME *
 .Fo ASN1_TIME_set
diff --git a/src/lib/libcrypto/man/ASN1_TYPE_get.3 b/src/lib/libcrypto/man/ASN1_TYPE_get.3
index 16af168d91..3b3359b6ff 100644
--- a/src/lib/libcrypto/man/ASN1_TYPE_get.3
+++ b/src/lib/libcrypto/man/ASN1_TYPE_get.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_TYPE_get.3,v 1.19 2023/10/09 16:06:01 tb Exp $
+.\" $OpenBSD: ASN1_TYPE_get.3,v 1.20 2025/06/08 22:40:29 schwarze Exp $
 .\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 9 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_TYPE_GET 3
 .Os
 .Sh NAME
@@ -81,6 +81,7 @@
 .Nm ASN1_TYPE_cmp
 .Nd ASN.1 objects of arbitrary type
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_TYPE *
 .Fn ASN1_TYPE_new void
diff --git a/src/lib/libcrypto/man/ASN1_UNIVERSALSTRING_to_string.3 b/src/lib/libcrypto/man/ASN1_UNIVERSALSTRING_to_string.3
index 2af675295b..c76956107f 100644
--- a/src/lib/libcrypto/man/ASN1_UNIVERSALSTRING_to_string.3
+++ b/src/lib/libcrypto/man/ASN1_UNIVERSALSTRING_to_string.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_UNIVERSALSTRING_to_string.3,v 1.1 2021/11/15 13:39:40 schwarze Exp $
+.\" $OpenBSD: ASN1_UNIVERSALSTRING_to_string.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_UNIVERSALSTRING_TO_STRING 3
 .Os
 .Sh NAME
 .Nm ASN1_UNIVERSALSTRING_to_string
 .Nd recode UTF-32 to ISO Latin-1
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_UNIVERSALSTRING_to_string
diff --git a/src/lib/libcrypto/man/ASN1_generate_nconf.3 b/src/lib/libcrypto/man/ASN1_generate_nconf.3
index b15d4295a9..ed92bb13b6 100644
--- a/src/lib/libcrypto/man/ASN1_generate_nconf.3
+++ b/src/lib/libcrypto/man/ASN1_generate_nconf.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ASN1_generate_nconf.3,v 1.13 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: ASN1_generate_nconf.3,v 1.14 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 05ea606a Fri May 20 20:52:46 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_GENERATE_NCONF 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm ASN1_generate_v3
 .Nd ASN.1 generation functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_TYPE *
 .Fo ASN1_generate_nconf
diff --git a/src/lib/libcrypto/man/ASN1_get_object.3 b/src/lib/libcrypto/man/ASN1_get_object.3
index 781b12ad5a..7f92ff6d05 100644
--- a/src/lib/libcrypto/man/ASN1_get_object.3
+++ b/src/lib/libcrypto/man/ASN1_get_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_get_object.3,v 1.2 2021/07/11 19:03:45 schwarze Exp $
+.\" $OpenBSD: ASN1_get_object.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_GET_OBJECT 3
 .Os
 .Sh NAME
 .Nm ASN1_get_object
 .Nd parse identifier and length octets
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_get_object
diff --git a/src/lib/libcrypto/man/ASN1_item_d2i.3 b/src/lib/libcrypto/man/ASN1_item_d2i.3
index bc99f4a6da..cb5fd19f28 100644
--- a/src/lib/libcrypto/man/ASN1_item_d2i.3
+++ b/src/lib/libcrypto/man/ASN1_item_d2i.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_item_d2i.3,v 1.18 2023/05/01 07:37:45 tb Exp $
+.\" $OpenBSD: ASN1_item_d2i.3,v 1.19 2025/06/08 22:40:29 schwarze Exp $
 .\" selective merge up to:
 .\" OpenSSL doc/man3/d2i_X509.pod 256989ce Jun 19 15:00:32 2020 +0200
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 1 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_ITEM_D2I 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm ASN1_item_print
 .Nd decode and encode ASN.1 objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_VALUE *
 .Fo ASN1_item_d2i
diff --git a/src/lib/libcrypto/man/ASN1_item_digest.3 b/src/lib/libcrypto/man/ASN1_item_digest.3
index 56a97555e9..829b82a56b 100644
--- a/src/lib/libcrypto/man/ASN1_item_digest.3
+++ b/src/lib/libcrypto/man/ASN1_item_digest.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_item_digest.3,v 1.2 2022/09/11 04:39:46 jsg Exp $
+.\" $OpenBSD: ASN1_item_digest.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 11 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_ITEM_DIGEST 3
 .Os
 .Sh NAME
 .Nm ASN1_item_digest
 .Nd DER-encode and hash an ASN.1 value
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo ASN1_item_digest
diff --git a/src/lib/libcrypto/man/ASN1_item_new.3 b/src/lib/libcrypto/man/ASN1_item_new.3
index 7015ed6319..42e9dd8f68 100644
--- a/src/lib/libcrypto/man/ASN1_item_new.3
+++ b/src/lib/libcrypto/man/ASN1_item_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_item_new.3,v 1.11 2022/01/12 17:54:51 tb Exp $
+.\" $OpenBSD: ASN1_item_new.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016, 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 12 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_ITEM_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm ASN1_item_free
 .Nd generic ASN.1 value constructor and destructor
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_VALUE *
 .Fo ASN1_item_new
diff --git a/src/lib/libcrypto/man/ASN1_item_pack.3 b/src/lib/libcrypto/man/ASN1_item_pack.3
index 4c87530622..d0023f599d 100644
--- a/src/lib/libcrypto/man/ASN1_item_pack.3
+++ b/src/lib/libcrypto/man/ASN1_item_pack.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_item_pack.3,v 1.1 2021/11/15 11:51:09 schwarze Exp $
+.\" $OpenBSD: ASN1_item_pack.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_ITEM_PACK 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm ASN1_item_unpack
 .Nd pack an ASN.1 object into an ASN1_STRING
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_STRING *
 .Fo ASN1_item_pack
diff --git a/src/lib/libcrypto/man/ASN1_item_sign.3 b/src/lib/libcrypto/man/ASN1_item_sign.3
index 8c09fe77ff..72e317c310 100644
--- a/src/lib/libcrypto/man/ASN1_item_sign.3
+++ b/src/lib/libcrypto/man/ASN1_item_sign.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_item_sign.3,v 1.3 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: ASN1_item_sign.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_ITEM_SIGN 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm ASN1_item_sign_ctx
 .Nd DER-encode and sign an ASN.1 value
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo ASN1_item_sign
diff --git a/src/lib/libcrypto/man/ASN1_item_verify.3 b/src/lib/libcrypto/man/ASN1_item_verify.3
index d2810879e3..282db875bb 100644
--- a/src/lib/libcrypto/man/ASN1_item_verify.3
+++ b/src/lib/libcrypto/man/ASN1_item_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_item_verify.3,v 1.3 2021/12/18 17:47:44 schwarze Exp $
+.\" $OpenBSD: ASN1_item_verify.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 18 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_ITEM_VERIFY 3
 .Os
 .Sh NAME
 .Nm ASN1_item_verify
 .Nd signature verification for ASN.1 values
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo ASN1_item_verify
diff --git a/src/lib/libcrypto/man/ASN1_mbstring_copy.3 b/src/lib/libcrypto/man/ASN1_mbstring_copy.3
index e0b48aaa62..6a64bc7464 100644
--- a/src/lib/libcrypto/man/ASN1_mbstring_copy.3
+++ b/src/lib/libcrypto/man/ASN1_mbstring_copy.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_mbstring_copy.3,v 1.6 2022/02/21 00:22:03 jsg Exp $
+.\" $OpenBSD: ASN1_mbstring_copy.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 21 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_MBSTRING_COPY 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm ASN1_tag2bit
 .Nd copy a multibyte string into an ASN.1 string object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_mbstring_copy
diff --git a/src/lib/libcrypto/man/ASN1_parse_dump.3 b/src/lib/libcrypto/man/ASN1_parse_dump.3
index 50761f38aa..45aa673d4c 100644
--- a/src/lib/libcrypto/man/ASN1_parse_dump.3
+++ b/src/lib/libcrypto/man/ASN1_parse_dump.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_parse_dump.3,v 1.3 2021/12/09 18:52:09 schwarze Exp $
+.\" $OpenBSD: ASN1_parse_dump.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_PARSE_DUMP 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm ASN1_parse
 .Nd parse BER and print information about it
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo ASN1_parse_dump
diff --git a/src/lib/libcrypto/man/ASN1_put_object.3 b/src/lib/libcrypto/man/ASN1_put_object.3
index 97a352724c..94fa55366a 100644
--- a/src/lib/libcrypto/man/ASN1_put_object.3
+++ b/src/lib/libcrypto/man/ASN1_put_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASN1_put_object.3,v 1.5 2022/01/12 17:54:51 tb Exp $
+.\" $OpenBSD: ASN1_put_object.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 12 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ASN1_PUT_OBJECT 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm ASN1_object_size
 .Nd start and end the BER encoding of an arbitrary ASN.1 data element
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft void
 .Fo ASN1_put_object
diff --git a/src/lib/libcrypto/man/ASRange_new.3 b/src/lib/libcrypto/man/ASRange_new.3
index dc58c98e58..b507213b48 100644
--- a/src/lib/libcrypto/man/ASRange_new.3
+++ b/src/lib/libcrypto/man/ASRange_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ASRange_new.3,v 1.8 2023/10/11 12:06:11 tb Exp $
+.\" $OpenBSD: ASRange_new.3,v 1.10 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 11 2023 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt ASRANGE_NEW 3
 .Os
 .Sh NAME
@@ -32,8 +32,9 @@
 .Nm i2d_ASIdentifierChoice
 .Nd RFC 3779 autonomous system identifiers and ranges
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
-.Ft "ASRange *"
+.Ft ASRange *
 .Fn ASRange_new void
 .Ft void
 .Fn ASRange_free "ASRange *asrange"
@@ -48,7 +49,7 @@
 .Fa "ASRange *asrange"
 .Fa "unsigned char **der_out"
 .Fc
-.Ft "ASIdOrRange *"
+.Ft ASIdOrRange *
 .Fn ASIdOrRange_new void
 .Ft void
 .Fn ASIdOrRange_free "ASIdOrRange *aor"
@@ -63,7 +64,7 @@
 .Fa "ASIdOrRange *aor"
 .Fa "unsigned char **der_out"
 .Fc
-.Ft "ASIdentifierChoice *"
+.Ft ASIdentifierChoice *
 .Fn ASIdentifierChoice_new void
 .Ft void
 .Fn ASIdentifierChoice_free "ASIdentifierChoice *aic"
diff --git a/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3 b/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3
index bff451ff36..982685d17f 100644
--- a/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3
+++ b/src/lib/libcrypto/man/AUTHORITY_KEYID_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: AUTHORITY_KEYID_new.3,v 1.4 2019/06/06 01:06:58 schwarze Exp $
+.\"     $OpenBSD: AUTHORITY_KEYID_new.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt AUTHORITY_KEYID_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm AUTHORITY_KEYID_free
 .Nd X.509 authority key identifier extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft AUTHORITY_KEYID *
 .Fn AUTHORITY_KEYID_new void
diff --git a/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3 b/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
index e60b0d223c..f1b1486a8a 100644
--- a/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
+++ b/src/lib/libcrypto/man/BASIC_CONSTRAINTS_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BASIC_CONSTRAINTS_new.3,v 1.6 2021/10/27 11:24:47 schwarze Exp $
+.\" $OpenBSD: BASIC_CONSTRAINTS_new.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 27 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BASIC_CONSTRAINTS_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm BASIC_CONSTRAINTS_free
 .Nd X.509 extension to mark CA certificates
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft BASIC_CONSTRAINTS *
 .Fn BASIC_CONSTRAINTS_new void
diff --git a/src/lib/libcrypto/man/BF_set_key.3 b/src/lib/libcrypto/man/BF_set_key.3
index 5f4c7a689b..1299a0f2ef 100644
--- a/src/lib/libcrypto/man/BF_set_key.3
+++ b/src/lib/libcrypto/man/BF_set_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BF_set_key.3,v 1.12 2023/08/05 18:27:55 jmc Exp $
+.\"     $OpenBSD: BF_set_key.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 99d63d46 Jul 19 09:27:53 2016 -0400
 .\"
 .\" This file was written by Richard Levitte <levitte@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 5 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BF_SET_KEY 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm BF_ofb64_encrypt
 .Nd Blowfish encryption
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/blowfish.h
 .Ft void
 .Fo BF_set_key
diff --git a/src/lib/libcrypto/man/BIO_accept.3 b/src/lib/libcrypto/man/BIO_accept.3
index e2547ac0dd..73b415017f 100644
--- a/src/lib/libcrypto/man/BIO_accept.3
+++ b/src/lib/libcrypto/man/BIO_accept.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_accept.3,v 1.2 2023/04/30 13:38:48 schwarze Exp $
+.\" $OpenBSD: BIO_accept.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_ACCEPT 3
 .Os
 .Sh NAME
@@ -43,6 +43,7 @@
 .\" .Nm BIO_sock_cleanup
 .Nd wrappers for socket operations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft int
 .Fo BIO_get_host_ip
diff --git a/src/lib/libcrypto/man/BIO_ctrl.3 b/src/lib/libcrypto/man/BIO_ctrl.3
index 2c537956e1..ca13f2067b 100644
--- a/src/lib/libcrypto/man/BIO_ctrl.3
+++ b/src/lib/libcrypto/man/BIO_ctrl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_ctrl.3,v 1.25 2023/11/16 20:19:23 schwarze Exp $
+.\" $OpenBSD: BIO_ctrl.3,v 1.26 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535eaf Tue Sep 22 13:14:20 2020 +0100
 .\" selective merge up to: OpenSSL 0c5bc96f Tue Mar 15 13:57:22 2022 +0000
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_CTRL 3
 .Os
 .Sh NAME
@@ -91,6 +91,7 @@
 .Nm bio_info_cb
 .Nd BIO control operations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft long
 .Fo BIO_ctrl
diff --git a/src/lib/libcrypto/man/BIO_dump.3 b/src/lib/libcrypto/man/BIO_dump.3
index 8817f0c4ca..2c06c8cc9c 100644
--- a/src/lib/libcrypto/man/BIO_dump.3
+++ b/src/lib/libcrypto/man/BIO_dump.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_dump.3,v 1.4 2022/12/20 15:34:03 schwarze Exp $
+.\" $OpenBSD: BIO_dump.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,19 +14,15 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 20 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_DUMP 3
 .Os
 .Sh NAME
 .Nm BIO_dump ,
-.Nm BIO_dump_indent ,
+.Nm BIO_dump_indent
-.Nm BIO_dump_fp ,
-.Nm BIO_dump_indent_fp
-.\" intentionally undocumented because nothing uses these two functions:
-.\" .Nm BIO_dump_cb
-.\" .Nm BIO_dump_indent_cb
 .Nd hexadecimal printout of arbitrary byte arrays
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft int
 .Fo BIO_dump
@@ -41,19 +37,6 @@
 .Fa "int len"
 .Fa "int indent"
 .Fc
-.Ft int
-.Fo BIO_dump_fp
-.Fa "FILE *fp"
-.Fa "const char *s"
-.Fa "int len"
-.Fc
-.Ft int
-.Fo BIO_dump_indent_fp
-.Fa "FILE *fp"
-.Fa "const char *s"
-.Fa "int len"
-.Fa "int indent"
-.Fc
 .Sh DESCRIPTION
 .Fn BIO_dump
 prints
@@ -92,14 +75,6 @@ If
 .Fa indent
 is 7 or more, the number of data columns is reduced such that the
 total width of the output does not exceed 79 characters per line.
-.Pp
-.Fn BIO_dump_fp
-and
-.Fn BIO_dump_indent_fp
-are similar except that
-.Xr fwrite 3
-is used instead of
-.Xr BIO_write 3 .
 .Sh RETURN VALUES
 On success these functions return the total number of bytes written by
 .Xr BIO_write 3
@@ -120,9 +95,3 @@ first appeared in SSLeay 0.6.5 and has been available since
 .Fn BIO_dump_indent
 first appeared in OpenSSL 0.9.6 and has been available since
 .Ox 2.9 .
-.Pp
-.Fn BIO_dump_fp
-and
-.Fn BIO_dump_indent_fp
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/BIO_dup_chain.3 b/src/lib/libcrypto/man/BIO_dup_chain.3
index 5c5e8c6533..ad753e71a5 100644
--- a/src/lib/libcrypto/man/BIO_dup_chain.3
+++ b/src/lib/libcrypto/man/BIO_dup_chain.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_dup_chain.3,v 1.2 2023/04/09 06:27:52 jsg Exp $
+.\" $OpenBSD: BIO_dup_chain.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 9 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_DUP_CHAIN 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm BIO_dup_state
 .Nd copy a BIO chain
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft BIO *
 .Fn BIO_dup_chain "BIO *b"
diff --git a/src/lib/libcrypto/man/BIO_f_base64.3 b/src/lib/libcrypto/man/BIO_f_base64.3
index e4589de035..f652dac100 100644
--- a/src/lib/libcrypto/man/BIO_f_base64.3
+++ b/src/lib/libcrypto/man/BIO_f_base64.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BIO_f_base64.3,v 1.15 2023/09/11 04:00:40 jsg Exp $
+.\"     $OpenBSD: BIO_f_base64.3,v 1.16 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL fc1d88f0 Wed Jul 2 22:42:40 2014 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 11 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_F_BASE64 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .\" and practically unused outside evp/bio_b64.c.
 .Nd base64 BIO filter
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .In openssl/evp.h
 .Ft const BIO_METHOD *
diff --git a/src/lib/libcrypto/man/BIO_f_buffer.3 b/src/lib/libcrypto/man/BIO_f_buffer.3
index a3012c5c5d..28c4f3166f 100644
--- a/src/lib/libcrypto/man/BIO_f_buffer.3
+++ b/src/lib/libcrypto/man/BIO_f_buffer.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_f_buffer.3,v 1.17 2023/04/29 12:22:08 schwarze Exp $
+.\" $OpenBSD: BIO_f_buffer.3,v 1.18 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_F_BUFFER 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .\" whatever that is supposed to be, but are NOOPs, and nothing uses them.
 .Nd buffering BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_f_buffer
diff --git a/src/lib/libcrypto/man/BIO_f_cipher.3 b/src/lib/libcrypto/man/BIO_f_cipher.3
index c5d00c6981..3f7fe7bfaf 100644
--- a/src/lib/libcrypto/man/BIO_f_cipher.3
+++ b/src/lib/libcrypto/man/BIO_f_cipher.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_f_cipher.3,v 1.16 2023/04/29 12:01:53 schwarze Exp $
+.\" $OpenBSD: BIO_f_cipher.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_F_CIPHER 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .\" .Nm BIO_CTRL_SET is intentionally undocumented because it has no effect.
 .Nd cipher BIO filter
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .In openssl/evp.h
 .Ft const BIO_METHOD *
diff --git a/src/lib/libcrypto/man/BIO_f_md.3 b/src/lib/libcrypto/man/BIO_f_md.3
index 279aabc980..ba5a0d9b85 100644
--- a/src/lib/libcrypto/man/BIO_f_md.3
+++ b/src/lib/libcrypto/man/BIO_f_md.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_f_md.3,v 1.15 2023/04/28 16:20:01 schwarze Exp $
+.\" $OpenBSD: BIO_f_md.3,v 1.16 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 28 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_F_MD 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm BIO_set_md_ctx
 .Nd message digest BIO filter
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .In openssl/evp.h
 .Ft const BIO_METHOD *
diff --git a/src/lib/libcrypto/man/BIO_f_null.3 b/src/lib/libcrypto/man/BIO_f_null.3
index 687d991b52..ea75a242a4 100644
--- a/src/lib/libcrypto/man/BIO_f_null.3
+++ b/src/lib/libcrypto/man/BIO_f_null.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_f_null.3,v 1.12 2023/04/11 16:58:43 schwarze Exp $
+.\" $OpenBSD: BIO_f_null.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 11 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_F_NULL 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .\" except in openssl(1) s_client/s_server -nbio_test.
 .Nd null filter
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_f_null
diff --git a/src/lib/libcrypto/man/BIO_find_type.3 b/src/lib/libcrypto/man/BIO_find_type.3
index 4a9eee7832..88f36032c7 100644
--- a/src/lib/libcrypto/man/BIO_find_type.3
+++ b/src/lib/libcrypto/man/BIO_find_type.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_find_type.3,v 1.12 2023/07/26 20:01:04 tb Exp $
+.\" $OpenBSD: BIO_find_type.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 26 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_FIND_TYPE 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm BIO_method_name
 .Nd BIO chain traversal
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft BIO *
 .Fo BIO_find_type
diff --git a/src/lib/libcrypto/man/BIO_get_data.3 b/src/lib/libcrypto/man/BIO_get_data.3
index 63750ac37b..26783929b1 100644
--- a/src/lib/libcrypto/man/BIO_get_data.3
+++ b/src/lib/libcrypto/man/BIO_get_data.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_get_data.3,v 1.8 2023/11/16 20:27:43 schwarze Exp $
+.\" $OpenBSD: BIO_get_data.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_GET_DATA 3
 .Os
 .Sh NAME
@@ -87,6 +87,7 @@
 .Nm BIO_get_shutdown
 .Nd manage BIO state information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft void
 .Fo BIO_set_data
diff --git a/src/lib/libcrypto/man/BIO_get_ex_new_index.3 b/src/lib/libcrypto/man/BIO_get_ex_new_index.3
index 54d00775e7..13d20e14a8 100644
--- a/src/lib/libcrypto/man/BIO_get_ex_new_index.3
+++ b/src/lib/libcrypto/man/BIO_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_get_ex_new_index.3,v 1.17 2023/11/19 10:26:36 tb Exp $
+.\" $OpenBSD: BIO_get_ex_new_index.3,v 1.18 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file was written by Rich Salz <rsalz@akamai.com>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -68,6 +68,7 @@
 .Nm EC_KEY_set_ex_data
 .Nd application-specific data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .In openssl/ui.h
 .In openssl/x509.h
diff --git a/src/lib/libcrypto/man/BIO_meth_new.3 b/src/lib/libcrypto/man/BIO_meth_new.3
index 2159560596..98feac5bcc 100644
--- a/src/lib/libcrypto/man/BIO_meth_new.3
+++ b/src/lib/libcrypto/man/BIO_meth_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_meth_new.3,v 1.5 2018/07/09 09:52:18 tb Exp $
+.\" $OpenBSD: BIO_meth_new.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 9 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_METH_NEW 3
 .Os
 .Sh NAME
@@ -91,6 +91,7 @@
 .Nm BIO_meth_set_callback_ctrl
 .Nd manipulate BIO_METHOD structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft int
 .Fn BIO_get_new_index void
diff --git a/src/lib/libcrypto/man/BIO_new.3 b/src/lib/libcrypto/man/BIO_new.3
index f97a314826..f0079948fb 100644
--- a/src/lib/libcrypto/man/BIO_new.3
+++ b/src/lib/libcrypto/man/BIO_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_new.3,v 1.28 2023/07/26 20:01:04 tb Exp $
+.\" $OpenBSD: BIO_new.3,v 1.29 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/BIO_new.pod fb46be03 Feb 26 11:51:31 2016 +0000
 .\" OpenSSL man7/bio.pod 631c37be Dec 12 16:56:50 2017 +0100
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 26 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_NEW 3
 .Os
 .Sh NAME
@@ -64,6 +64,7 @@
 .Nm BIO_free_all
 .Nd construct and destruct I/O abstraction objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft BIO *
 .Fo BIO_new
diff --git a/src/lib/libcrypto/man/BIO_new_CMS.3 b/src/lib/libcrypto/man/BIO_new_CMS.3
index ab93e1c00c..0279f704f4 100644
--- a/src/lib/libcrypto/man/BIO_new_CMS.3
+++ b/src/lib/libcrypto/man/BIO_new_CMS.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_new_CMS.3,v 1.9 2023/05/01 07:28:11 tb Exp $
+.\" $OpenBSD: BIO_new_CMS.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bfc Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 1 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_NEW_CMS 3
 .Os
 .Sh NAME
 .Nm BIO_new_CMS
 .Nd CMS streaming filter BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft BIO *
 .Fo BIO_new_CMS
diff --git a/src/lib/libcrypto/man/BIO_printf.3 b/src/lib/libcrypto/man/BIO_printf.3
index 32dec0a828..6df31ad24c 100644
--- a/src/lib/libcrypto/man/BIO_printf.3
+++ b/src/lib/libcrypto/man/BIO_printf.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BIO_printf.3,v 1.4 2024/03/02 09:18:28 tb Exp $
+.\"     $OpenBSD: BIO_printf.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 2ca2e917 Mon Mar 20 16:25:22 2017 -0400
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,13 +15,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_PRINTF 3
 .Os
 .Sh NAME
 .Nm BIO_printf
 .Nd formatted output to a BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft int
 .Fo BIO_printf
diff --git a/src/lib/libcrypto/man/BIO_push.3 b/src/lib/libcrypto/man/BIO_push.3
index 46c736e2c2..21b798a54f 100644
--- a/src/lib/libcrypto/man/BIO_push.3
+++ b/src/lib/libcrypto/man/BIO_push.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_push.3,v 1.14 2022/12/16 16:02:17 schwarze Exp $
+.\" $OpenBSD: BIO_push.3,v 1.15 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL doc/man3/BIO_push.pod 791bfd91 Nov 19 20:38:27 2021 +0100
 .\" OpenSSL doc/man7/bio.pod 1cb7eff4 Sep 10 13:56:40 2019 +0100
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 16 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_PUSH 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm BIO_set_next
 .Nd manipulate BIO chains
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft BIO *
 .Fo BIO_push
diff --git a/src/lib/libcrypto/man/BIO_read.3 b/src/lib/libcrypto/man/BIO_read.3
index 5fea9f728a..2a65b18535 100644
--- a/src/lib/libcrypto/man/BIO_read.3
+++ b/src/lib/libcrypto/man/BIO_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_read.3,v 1.11 2022/12/18 17:40:55 schwarze Exp $
+.\" $OpenBSD: BIO_read.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 18 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_READ 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm BIO_number_written
 .Nd BIO I/O functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft int
 .Fo BIO_read
diff --git a/src/lib/libcrypto/man/BIO_s_accept.3 b/src/lib/libcrypto/man/BIO_s_accept.3
index 8e88fe1c52..c5a8f6d293 100644
--- a/src/lib/libcrypto/man/BIO_s_accept.3
+++ b/src/lib/libcrypto/man/BIO_s_accept.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_accept.3,v 1.16 2023/04/29 13:06:10 schwarze Exp $
+.\" $OpenBSD: BIO_s_accept.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL c03726ca Thu Aug 27 12:28:08 2015 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_ACCEPT 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm BIO_do_accept
 .Nd accept BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_accept
diff --git a/src/lib/libcrypto/man/BIO_s_bio.3 b/src/lib/libcrypto/man/BIO_s_bio.3
index efda019df3..6590ff81ec 100644
--- a/src/lib/libcrypto/man/BIO_s_bio.3
+++ b/src/lib/libcrypto/man/BIO_s_bio.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_bio.3,v 1.20 2024/05/19 07:12:50 jsg Exp $
+.\" $OpenBSD: BIO_s_bio.3,v 1.21 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by
@@ -53,7 +53,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 19 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_BIO 3
 .Os
 .Sh NAME
@@ -71,6 +71,7 @@
 .Nm BIO_ctrl_reset_read_request
 .Nd BIO pair BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_bio
diff --git a/src/lib/libcrypto/man/BIO_s_connect.3 b/src/lib/libcrypto/man/BIO_s_connect.3
index bce68a26b9..ca7ee6d988 100644
--- a/src/lib/libcrypto/man/BIO_s_connect.3
+++ b/src/lib/libcrypto/man/BIO_s_connect.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_connect.3,v 1.19 2023/04/30 13:53:54 schwarze Exp $
+.\" $OpenBSD: BIO_s_connect.3,v 1.20 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 0e474b8b Nov 1 15:45:49 2015 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_CONNECT 3
 .Os
 .Sh NAME
@@ -83,6 +83,7 @@
 .Nm BIO_do_connect
 .Nd connect BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_connect
diff --git a/src/lib/libcrypto/man/BIO_s_datagram.3 b/src/lib/libcrypto/man/BIO_s_datagram.3
index 104823e7a7..bbe80b259c 100644
--- a/src/lib/libcrypto/man/BIO_s_datagram.3
+++ b/src/lib/libcrypto/man/BIO_s_datagram.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_datagram.3,v 1.3 2023/04/28 16:49:00 schwarze Exp $
+.\" $OpenBSD: BIO_s_datagram.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 28 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_DATAGRAM 3
 .Os
 .Sh NAME
@@ -32,6 +32,7 @@
 .\" They are almost unused, and OpenBSD does not appear to support them.
 .Nd datagram socket BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fn BIO_s_datagram void
diff --git a/src/lib/libcrypto/man/BIO_s_fd.3 b/src/lib/libcrypto/man/BIO_s_fd.3
index 852a06756a..b1165f30a1 100644
--- a/src/lib/libcrypto/man/BIO_s_fd.3
+++ b/src/lib/libcrypto/man/BIO_s_fd.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_fd.3,v 1.13 2023/11/16 20:19:23 schwarze Exp $
+.\" $OpenBSD: BIO_s_fd.3,v 1.14 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_FD 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm BIO_fd_should_retry
 .Nd file descriptor BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_fd
diff --git a/src/lib/libcrypto/man/BIO_s_file.3 b/src/lib/libcrypto/man/BIO_s_file.3
index 14950cad13..d59e157c33 100644
--- a/src/lib/libcrypto/man/BIO_s_file.3
+++ b/src/lib/libcrypto/man/BIO_s_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_file.3,v 1.17 2023/11/16 20:19:23 schwarze Exp $
+.\" $OpenBSD: BIO_s_file.3,v 1.18 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" selective merge up to: OpenSSL 1212818e Sep 11 13:22:14 2018 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_FILE 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .\" Nm BIO_CTRL_SET_FILENAME is unused and intentionally undocumented.
 .Nd FILE BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_file
diff --git a/src/lib/libcrypto/man/BIO_s_mem.3 b/src/lib/libcrypto/man/BIO_s_mem.3
index d7bbf6af43..e43be66e2f 100644
--- a/src/lib/libcrypto/man/BIO_s_mem.3
+++ b/src/lib/libcrypto/man/BIO_s_mem.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_mem.3,v 1.19 2023/11/16 20:19:23 schwarze Exp $
+.\" $OpenBSD: BIO_s_mem.3,v 1.20 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 8711efb4 Mon Apr 20 11:33:12 2009 +0000
 .\" selective merge up to: OpenSSL 36359cec Mar 7 14:37:23 2018 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_MEM 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm BIO_new_mem_buf
 .Nd memory BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_mem
diff --git a/src/lib/libcrypto/man/BIO_s_null.3 b/src/lib/libcrypto/man/BIO_s_null.3
index 6e7cad6d37..7198797b99 100644
--- a/src/lib/libcrypto/man/BIO_s_null.3
+++ b/src/lib/libcrypto/man/BIO_s_null.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_s_null.3,v 1.10 2023/04/11 16:58:43 schwarze Exp $
+.\" $OpenBSD: BIO_s_null.3,v 1.12 2025/07/16 18:10:53 tb Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,14 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 11 2023 $
+.Dd $Mdocdate: July 16 2025 $
 .Dt BIO_S_NULL 3
 .Os
 .Sh NAME
 .Nm BIO_s_null
-.\" .Nm BIO_s_log is intentionally undocumented because it is unused
 .Nd null data sink
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_null
diff --git a/src/lib/libcrypto/man/BIO_s_socket.3 b/src/lib/libcrypto/man/BIO_s_socket.3
index 402622b3bd..aebf399b2b 100644
--- a/src/lib/libcrypto/man/BIO_s_socket.3
+++ b/src/lib/libcrypto/man/BIO_s_socket.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BIO_s_socket.3,v 1.10 2023/04/11 16:58:43 schwarze Exp $
+.\"     $OpenBSD: BIO_s_socket.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL bbdc9c98 Oct 19 22:02:21 2000 +0000
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 11 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_S_SOCKET 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm BIO_new_socket
 .Nd socket BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft const BIO_METHOD *
 .Fo BIO_s_socket
diff --git a/src/lib/libcrypto/man/BIO_set_callback.3 b/src/lib/libcrypto/man/BIO_set_callback.3
index 56a0102be6..f3f40cba8e 100644
--- a/src/lib/libcrypto/man/BIO_set_callback.3
+++ b/src/lib/libcrypto/man/BIO_set_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_set_callback.3,v 1.12 2023/04/30 13:57:29 schwarze Exp $
+.\" $OpenBSD: BIO_set_callback.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_SET_CALLBACK 3
 .Os
 .Sh NAME
@@ -85,6 +85,7 @@
 .\" .Nm BIO_cb_post
 .Nd BIO callback functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft typedef long
 .Fo (*BIO_callback_fn_ex)
diff --git a/src/lib/libcrypto/man/BIO_should_retry.3 b/src/lib/libcrypto/man/BIO_should_retry.3
index 9b93743516..4a0948ff86 100644
--- a/src/lib/libcrypto/man/BIO_should_retry.3
+++ b/src/lib/libcrypto/man/BIO_should_retry.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_should_retry.3,v 1.11 2023/04/30 14:03:47 schwarze Exp $
+.\" $OpenBSD: BIO_should_retry.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" selective merge up to: OpenSSL 57fd5170 May 13 11:24:11 2018 +0200
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_SHOULD_RETRY 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm BIO_set_retry_reason
 .Nd BIO retry functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bio.h
 .Ft int
 .Fo BIO_should_read
diff --git a/src/lib/libcrypto/man/BN_CTX_new.3 b/src/lib/libcrypto/man/BN_CTX_new.3
index 336b918896..0d5a3e847c 100644
--- a/src/lib/libcrypto/man/BN_CTX_new.3
+++ b/src/lib/libcrypto/man/BN_CTX_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_CTX_new.3,v 1.10 2023/04/25 17:21:51 tb Exp $
+.\"     $OpenBSD: BN_CTX_new.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL aafbe1cc Jun 12 23:42:08 2013 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_CTX_NEW 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm BN_CTX_free
 .Nd allocate and free BN_CTX structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft BN_CTX *
 .Fo BN_CTX_new
diff --git a/src/lib/libcrypto/man/BN_CTX_start.3 b/src/lib/libcrypto/man/BN_CTX_start.3
index a2b62eff5c..27159ce90d 100644
--- a/src/lib/libcrypto/man/BN_CTX_start.3
+++ b/src/lib/libcrypto/man/BN_CTX_start.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_CTX_start.3,v 1.8 2019/08/20 10:59:09 schwarze Exp $
+.\" $OpenBSD: BN_CTX_start.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 20 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_CTX_START 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm BN_CTX_end
 .Nd use temporary BIGNUM variables
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft void
 .Fo BN_CTX_start
diff --git a/src/lib/libcrypto/man/BN_add.3 b/src/lib/libcrypto/man/BN_add.3
index e7de441b7a..32378f6940 100644
--- a/src/lib/libcrypto/man/BN_add.3
+++ b/src/lib/libcrypto/man/BN_add.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_add.3,v 1.20 2023/04/27 09:47:03 tb Exp $
+.\" $OpenBSD: BN_add.3,v 1.21 2025/06/08 22:37:23 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 27 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_ADD 3
 .Os
 .Sh NAME
@@ -94,13 +94,11 @@
 .\" The following are public, but intentionally undocumented for now:
 .\" .Nm BN_mod_exp_mont ,  r \(== a ^ p (mod m)
 .\" .Nm BN_mod_exp_mont_consttime ,
-.\" .Nm BN_mod_exp_mont_word ,
-.\" .Nm BN_mod_exp_simple ,
-.\" .Nm BN_mod_exp2_mont   r \(== (a1 ^ p1) * (a2 ^ p2) (mod m)
 .\" Maybe they should be deleted from <openssl/bn.h>.
 .Nm BN_gcd
 .Nd arithmetic operations on BIGNUMs
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_add
diff --git a/src/lib/libcrypto/man/BN_add_word.3 b/src/lib/libcrypto/man/BN_add_word.3
index 161029c302..b8b45bfb2c 100644
--- a/src/lib/libcrypto/man/BN_add_word.3
+++ b/src/lib/libcrypto/man/BN_add_word.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_add_word.3,v 1.10 2022/11/22 19:02:07 schwarze Exp $
+.\" $OpenBSD: BN_add_word.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 9e183d22 Mar 11 08:56:44 2017 -0500
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 22 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_ADD_WORD 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm BN_mod_word
 .Nd arithmetic functions on BIGNUMs with integers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_add_word
diff --git a/src/lib/libcrypto/man/BN_bn2bin.3 b/src/lib/libcrypto/man/BN_bn2bin.3
index 0fe9a90738..cf72e6dd1b 100644
--- a/src/lib/libcrypto/man/BN_bn2bin.3
+++ b/src/lib/libcrypto/man/BN_bn2bin.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_bn2bin.3,v 1.16 2023/07/09 06:45:03 tb Exp $
+.\" $OpenBSD: BN_bn2bin.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 9 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_BN2BIN 3
 .Os
 .Sh NAME
@@ -69,6 +69,7 @@
 .Nm BN_mpi2bn
 .Nd format conversions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_bn2bin
diff --git a/src/lib/libcrypto/man/BN_cmp.3 b/src/lib/libcrypto/man/BN_cmp.3
index ba973313f0..3837ffcd1a 100644
--- a/src/lib/libcrypto/man/BN_cmp.3
+++ b/src/lib/libcrypto/man/BN_cmp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_cmp.3,v 1.10 2022/11/22 19:02:07 schwarze Exp $
+.\" $OpenBSD: BN_cmp.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 5b31b9df Aug 4 10:45:52 2021 +0300
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 22 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_CMP 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm BN_is_odd
 .Nd BIGNUM comparison and test functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_cmp
diff --git a/src/lib/libcrypto/man/BN_copy.3 b/src/lib/libcrypto/man/BN_copy.3
index 383255e382..5481431e97 100644
--- a/src/lib/libcrypto/man/BN_copy.3
+++ b/src/lib/libcrypto/man/BN_copy.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_copy.3,v 1.10 2021/12/06 19:45:27 schwarze Exp $
+.\"     $OpenBSD: BN_copy.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_COPY 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm BN_with_flags
 .Nd copy BIGNUMs
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft BIGNUM *
 .Fo BN_copy
diff --git a/src/lib/libcrypto/man/BN_generate_prime.3 b/src/lib/libcrypto/man/BN_generate_prime.3
index d9144155c6..55eed14e75 100644
--- a/src/lib/libcrypto/man/BN_generate_prime.3
+++ b/src/lib/libcrypto/man/BN_generate_prime.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_generate_prime.3,v 1.25 2023/12/29 19:12:46 tb Exp $
+.\" $OpenBSD: BN_generate_prime.3,v 1.26 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL f987a4dd Jun 27 10:12:08 2019 +0200
 .\"
 .\" This file is a derived work.
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_GENERATE_PRIME 3
 .Os
 .Sh NAME
@@ -84,6 +84,7 @@
 .\" because it should not be used outside of libcrypto.
 .Nd generate primes and test for primality
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_is_prime_ex
diff --git a/src/lib/libcrypto/man/BN_get_rfc3526_prime_8192.3 b/src/lib/libcrypto/man/BN_get_rfc3526_prime_8192.3
index abaf80ef20..41345de274 100644
--- a/src/lib/libcrypto/man/BN_get_rfc3526_prime_8192.3
+++ b/src/lib/libcrypto/man/BN_get_rfc3526_prime_8192.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_get_rfc3526_prime_8192.3,v 1.1 2023/07/20 16:26:40 tb Exp $
+.\" $OpenBSD: BN_get_rfc3526_prime_8192.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
 .\" checked up to: OpenSSL DH_get_1024_160 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 20 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_GET_RFC3526_PRIME_8192 3
 .Os
 .Sh NAME
@@ -29,6 +29,7 @@
 .Nm BN_get_rfc3526_prime_8192
 .Nd standard moduli for Diffie-Hellman key exchange
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft BIGNUM *
 .Fn BN_get_rfc2409_prime_768 "BIGNUM *bn"
diff --git a/src/lib/libcrypto/man/BN_kronecker.3 b/src/lib/libcrypto/man/BN_kronecker.3
index 90b7f43230..6a5b7ecd88 100644
--- a/src/lib/libcrypto/man/BN_kronecker.3
+++ b/src/lib/libcrypto/man/BN_kronecker.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_kronecker.3,v 1.2 2022/11/15 17:55:00 schwarze Exp $
+.\" $OpenBSD: BN_kronecker.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 15 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_KRONECKER 3
 .Os
 .Sh NAME
 .Nm BN_kronecker
 .Nd Kronecker symbol
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_kronecker
diff --git a/src/lib/libcrypto/man/BN_mod_inverse.3 b/src/lib/libcrypto/man/BN_mod_inverse.3
index d0a4b458f4..ce10fa216e 100644
--- a/src/lib/libcrypto/man/BN_mod_inverse.3
+++ b/src/lib/libcrypto/man/BN_mod_inverse.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_mod_inverse.3,v 1.13 2023/10/21 13:53:43 schwarze Exp $
+.\"     $OpenBSD: BN_mod_inverse.3,v 1.14 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 21 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_MOD_INVERSE 3
 .Os
 .Sh NAME
 .Nm BN_mod_inverse
 .Nd compute inverse modulo m
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft BIGNUM *
 .Fo BN_mod_inverse
diff --git a/src/lib/libcrypto/man/BN_mod_mul_montgomery.3 b/src/lib/libcrypto/man/BN_mod_mul_montgomery.3
index ed004c2549..2f9e3a532e 100644
--- a/src/lib/libcrypto/man/BN_mod_mul_montgomery.3
+++ b/src/lib/libcrypto/man/BN_mod_mul_montgomery.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_mod_mul_montgomery.3,v 1.16 2025/03/09 15:24:25 tb Exp $
+.\" $OpenBSD: BN_mod_mul_montgomery.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 6859cf74 Sep 25 13:33:28 2002 +0000
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 9 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_MOD_MUL_MONTGOMERY 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm BN_to_montgomery
 .Nd Montgomery multiplication
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft BN_MONT_CTX *
 .Fo BN_MONT_CTX_new
diff --git a/src/lib/libcrypto/man/BN_mod_sqrt.3 b/src/lib/libcrypto/man/BN_mod_sqrt.3
index 7247d907a0..f2cd80e658 100644
--- a/src/lib/libcrypto/man/BN_mod_sqrt.3
+++ b/src/lib/libcrypto/man/BN_mod_sqrt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_mod_sqrt.3,v 1.2 2022/12/06 22:22:42 tb Exp $
+.\" $OpenBSD: BN_mod_sqrt.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 6 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_MOD_SQRT 3
 .Os
 .Sh NAME
 .Nm BN_mod_sqrt
 .Nd square root in a prime field
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft BIGNUM *
 .Fo BN_mod_sqrt
diff --git a/src/lib/libcrypto/man/BN_new.3 b/src/lib/libcrypto/man/BN_new.3
index 088048c622..8e61a1fcc3 100644
--- a/src/lib/libcrypto/man/BN_new.3
+++ b/src/lib/libcrypto/man/BN_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_new.3,v 1.31 2023/07/26 20:08:59 tb Exp $
+.\" $OpenBSD: BN_new.3,v 1.33 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL man3/BN_new 2457c19d Mar 6 08:43:36 2004 +0000
 .\" selective merge up to: man3/BN_new 681acb31 Sep 29 13:10:34 2017 +0200
 .\" full merge up to: OpenSSL man7/bn 05ea606a May 20 20:52:46 2016 -0400
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 26 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_NEW 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm BN_clear_free
 .Nd allocate and free BIGNUMs
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft BIGNUM *
 .Fo BN_new
@@ -91,8 +92,6 @@ memory allocation error has occurred.
 The basic object in this library is a
 .Vt BIGNUM .
 It is used to hold a single large integer.
-This type should be considered opaque and fields should not be modified
-or accessed directly.
 .Pp
 .Fn BN_new
 allocates and initializes a
diff --git a/src/lib/libcrypto/man/BN_num_bytes.3 b/src/lib/libcrypto/man/BN_num_bytes.3
index 785f43e2f0..608bb2ebb8 100644
--- a/src/lib/libcrypto/man/BN_num_bytes.3
+++ b/src/lib/libcrypto/man/BN_num_bytes.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_num_bytes.3,v 1.9 2022/11/22 18:55:04 schwarze Exp $
+.\" $OpenBSD: BN_num_bytes.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 9e183d22 Mar 11 08:56:44 2017 -0500
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 22 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_NUM_BYTES 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm BN_num_bytes
 .Nd get BIGNUM size
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_num_bits_word
diff --git a/src/lib/libcrypto/man/BN_rand.3 b/src/lib/libcrypto/man/BN_rand.3
index 3d4401a429..b21155af0d 100644
--- a/src/lib/libcrypto/man/BN_rand.3
+++ b/src/lib/libcrypto/man/BN_rand.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_rand.3,v 1.18 2021/11/30 18:34:35 tb Exp $
+.\"     $OpenBSD: BN_rand.3,v 1.19 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_RAND 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm BN_pseudo_rand_range
 .Nd generate pseudo-random number
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_rand
diff --git a/src/lib/libcrypto/man/BN_set_bit.3 b/src/lib/libcrypto/man/BN_set_bit.3
index 2c53066777..c13122b729 100644
--- a/src/lib/libcrypto/man/BN_set_bit.3
+++ b/src/lib/libcrypto/man/BN_set_bit.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_set_bit.3,v 1.8 2021/11/30 18:34:35 tb Exp $
+.\"     $OpenBSD: BN_set_bit.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_SET_BIT 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm BN_rshift1
 .Nd bit operations on BIGNUMs
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft int
 .Fo BN_set_bit
diff --git a/src/lib/libcrypto/man/BN_set_flags.3 b/src/lib/libcrypto/man/BN_set_flags.3
index 1285ae2b28..eb4840a54b 100644
--- a/src/lib/libcrypto/man/BN_set_flags.3
+++ b/src/lib/libcrypto/man/BN_set_flags.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_set_flags.3,v 1.6 2023/04/27 07:22:22 tb Exp $
+.\"     $OpenBSD: BN_set_flags.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 27 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm BN_get_flags
 .Nd enable and inspect flags on BIGNUM objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft void
 .Fo BN_set_flags
diff --git a/src/lib/libcrypto/man/BN_set_negative.3 b/src/lib/libcrypto/man/BN_set_negative.3
index 6cdff5c974..579bcf2123 100644
--- a/src/lib/libcrypto/man/BN_set_negative.3
+++ b/src/lib/libcrypto/man/BN_set_negative.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BN_set_negative.3,v 1.6 2021/12/06 19:45:27 schwarze Exp $
+.\"     $OpenBSD: BN_set_negative.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 6 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_SET_NEGATIVE 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm BN_is_negative
 .Nd change and inspect the sign of a BIGNUM
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft void
 .Fo BN_set_negative
diff --git a/src/lib/libcrypto/man/BN_swap.3 b/src/lib/libcrypto/man/BN_swap.3
index 218ca1cf02..a6a5fa95ba 100644
--- a/src/lib/libcrypto/man/BN_swap.3
+++ b/src/lib/libcrypto/man/BN_swap.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_swap.3,v 1.6 2021/12/19 22:06:35 schwarze Exp $
+.\" $OpenBSD: BN_swap.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 19 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BN_SWAP 3
 .Os
 .Sh NAME
@@ -73,6 +73,7 @@
 .Nm BN_consttime_swap
 .Nd exchange BIGNUMs
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
 .Ft void
 .Fo BN_swap
diff --git a/src/lib/libcrypto/man/BN_zero.3 b/src/lib/libcrypto/man/BN_zero.3
index 0b677b246f..d94a2a10da 100644
--- a/src/lib/libcrypto/man/BN_zero.3
+++ b/src/lib/libcrypto/man/BN_zero.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_zero.3,v 1.13 2023/04/30 19:23:54 tb Exp $
+.\" $OpenBSD: BN_zero.3,v 1.16 2025/12/15 12:09:46 tb Exp $
 .\" full merge up to: OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\" selective merge up to: OpenSSL b713c4ff Jan 22 14:41:09 2018 -0500
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: December 15 2025 $
 .Dt BN_ZERO 3
 .Os
 .Sh NAME
@@ -78,8 +78,9 @@
 .Nm BN_get_word
 .Nd BIGNUM assignment operations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/bn.h
-.Ft int
+.Ft void
 .Fo BN_zero
 .Fa "BIGNUM *a"
 .Fc
@@ -131,13 +132,12 @@ This constant is useful for comparisons and assignments.
 .Fn BN_get_word
 returns the value
 .Fa a ,
-or a number with all bits set if
+or (BN_ULONG)\-1 if
 .Fa a
 cannot be represented as a
 .Vt BN_ULONG .
 .Pp
-.Fn BN_zero ,
+.Fn BN_one
-.Fn BN_one ,
 and
 .Fn BN_set_word
 return 1 on success, 0 otherwise.
diff --git a/src/lib/libcrypto/man/BUF_MEM_new.3 b/src/lib/libcrypto/man/BUF_MEM_new.3
index 8c72091abe..ef9e473cc3 100644
--- a/src/lib/libcrypto/man/BUF_MEM_new.3
+++ b/src/lib/libcrypto/man/BUF_MEM_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: BUF_MEM_new.3,v 1.19 2024/07/24 08:57:58 tb Exp $
+.\"     $OpenBSD: BUF_MEM_new.3,v 1.20 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL doc/crypto/buffer.pod 18edda0f Sep 20 03:28:54 2000 +0000
 .\"     not merged: 74924dcb, 58e3457a, 21b0fa91, 7644a9ae
 .\"     OpenSSL doc/crypto/BUF_MEM_new.pod 53934822 Jun 9 16:39:19 2016 -0400
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BUF_MEM_NEW 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm BUF_MEM_grow_clean
 .Nd simple character arrays structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/buffer.h
 .Ft BUF_MEM *
 .Fo BUF_MEM_new
diff --git a/src/lib/libcrypto/man/CMAC_Init.3 b/src/lib/libcrypto/man/CMAC_Init.3
index fd32ca085a..b1b62a6359 100644
--- a/src/lib/libcrypto/man/CMAC_Init.3
+++ b/src/lib/libcrypto/man/CMAC_Init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMAC_Init.3,v 1.9 2024/11/12 00:42:28 schwarze Exp $
+.\" $OpenBSD: CMAC_Init.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 12 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMAC_INIT 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Nm CMAC_CTX_free
 .Nd Cipher-based message authentication code
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cmac.h
 .Ft CMAC_CTX *
 .Fn CMAC_CTX_new void
diff --git a/src/lib/libcrypto/man/CMS_ContentInfo_new.3 b/src/lib/libcrypto/man/CMS_ContentInfo_new.3
index d5117fa4ae..611521193d 100644
--- a/src/lib/libcrypto/man/CMS_ContentInfo_new.3
+++ b/src/lib/libcrypto/man/CMS_ContentInfo_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_ContentInfo_new.3,v 1.4 2024/01/22 14:00:13 tb Exp $
+.\" $OpenBSD: CMS_ContentInfo_new.3,v 1.7 2025/12/20 11:51:28 tb Exp $
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 22 2024 $
+.Dd $Mdocdate: December 20 2025 $
 .Dt CMS_CONTENTINFO_NEW 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm CMS_ReceiptRequest_free
 .Nd Cryptographic Message Syntax data structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ContentInfo *
 .Fn CMS_ContentInfo_new void
@@ -131,5 +132,5 @@ and
 first appeared in OpenSSL 0.9.8h and
 .Fn CMS_ContentInfo_print_ctx
 in OpenSSL 1.0.0.
-This functions have been available since
+This function has been available since
 .Ox 6.7 .
diff --git a/src/lib/libcrypto/man/CMS_add0_cert.3 b/src/lib/libcrypto/man/CMS_add0_cert.3
index be9357cc9a..d0e9be6bd5 100644
--- a/src/lib/libcrypto/man/CMS_add0_cert.3
+++ b/src/lib/libcrypto/man/CMS_add0_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_add0_cert.3,v 1.10 2024/11/30 21:21:40 tb Exp $
+.\" $OpenBSD: CMS_add0_cert.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_ADD0_CERT 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm CMS_get1_crls
 .Nd CMS certificate and CRL utility functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo CMS_add0_cert
diff --git a/src/lib/libcrypto/man/CMS_add1_recipient_cert.3 b/src/lib/libcrypto/man/CMS_add1_recipient_cert.3
index 465119397d..7c0c3fae90 100644
--- a/src/lib/libcrypto/man/CMS_add1_recipient_cert.3
+++ b/src/lib/libcrypto/man/CMS_add1_recipient_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_add1_recipient_cert.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_add1_recipient_cert.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_ADD1_RECIPIENT_CERT 3
 .Os
 .Sh NAME
@@ -73,6 +73,7 @@
 .Nm CMS_add0_recipient_key
 .Nd add recipients to a CMS EnvelopedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_RecipientInfo *
 .Fo CMS_add1_recipient_cert
diff --git a/src/lib/libcrypto/man/CMS_add1_signer.3 b/src/lib/libcrypto/man/CMS_add1_signer.3
index 316d63c5ad..68bdb12c73 100644
--- a/src/lib/libcrypto/man/CMS_add1_signer.3
+++ b/src/lib/libcrypto/man/CMS_add1_signer.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_add1_signer.3,v 1.10 2024/04/18 16:50:22 tb Exp $
+.\" $OpenBSD: CMS_add1_signer.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 18 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_ADD1_SIGNER 3
 .Os
 .Sh NAME
@@ -73,6 +73,7 @@
 .Nm CMS_SignerInfo_sign
 .Nd add a signer to a CMS SignedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_SignerInfo *
 .Fo CMS_add1_signer
diff --git a/src/lib/libcrypto/man/CMS_compress.3 b/src/lib/libcrypto/man/CMS_compress.3
index 242e4e96cb..9026837fc8 100644
--- a/src/lib/libcrypto/man/CMS_compress.3
+++ b/src/lib/libcrypto/man/CMS_compress.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_compress.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_compress.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,13 +65,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_COMPRESS 3
 .Os
 .Sh NAME
 .Nm CMS_compress
 .Nd create a CMS CompressedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ContentInfo *
 .Fo CMS_compress
diff --git a/src/lib/libcrypto/man/CMS_decrypt.3 b/src/lib/libcrypto/man/CMS_decrypt.3
index 243ab2f30e..2141098084 100644
--- a/src/lib/libcrypto/man/CMS_decrypt.3
+++ b/src/lib/libcrypto/man/CMS_decrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_decrypt.3,v 1.8 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_decrypt.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_DECRYPT 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm CMS_decrypt_set1_key
 .Nd decrypt content from a CMS EnvelopedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo CMS_decrypt
diff --git a/src/lib/libcrypto/man/CMS_encrypt.3 b/src/lib/libcrypto/man/CMS_encrypt.3
index 03d8b4edbb..5eda883857 100644
--- a/src/lib/libcrypto/man/CMS_encrypt.3
+++ b/src/lib/libcrypto/man/CMS_encrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_encrypt.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_encrypt.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_ENCRYPT 3
 .Os
 .Sh NAME
 .Nm CMS_encrypt
 .Nd create a CMS EnvelopedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ContentInfo *
 .Fo CMS_encrypt
diff --git a/src/lib/libcrypto/man/CMS_final.3 b/src/lib/libcrypto/man/CMS_final.3
index 4ca8945923..f2b5755fa9 100644
--- a/src/lib/libcrypto/man/CMS_final.3
+++ b/src/lib/libcrypto/man/CMS_final.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_final.3,v 1.6 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_final.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 25ccb589 Jul 1 02:02:06 2019 +0800
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_FINAL 3
 .Os
 .Sh NAME
 .Nm CMS_final
 .Nd finalise a CMS_ContentInfo structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo CMS_final
diff --git a/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3 b/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3
index 094d6ec487..beb54bdccc 100644
--- a/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3
+++ b/src/lib/libcrypto/man/CMS_get0_RecipientInfos.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_get0_RecipientInfos.3,v 1.8 2022/03/31 17:27:16 naddy Exp $
+.\" $OpenBSD: CMS_get0_RecipientInfos.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_GET0_RECIPIENTINFOS 3
 .Os
 .Sh NAME
@@ -64,6 +64,7 @@
 .Nm CMS_RecipientInfo_encrypt
 .Nd CMS EnvelopedData RecipientInfo routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft STACK_OF(CMS_RecipientInfo) *
 .Fo CMS_get0_RecipientInfos
diff --git a/src/lib/libcrypto/man/CMS_get0_SignerInfos.3 b/src/lib/libcrypto/man/CMS_get0_SignerInfos.3
index 017fdd40f2..f141508eb1 100644
--- a/src/lib/libcrypto/man/CMS_get0_SignerInfos.3
+++ b/src/lib/libcrypto/man/CMS_get0_SignerInfos.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_get0_SignerInfos.3,v 1.9 2024/01/22 14:00:13 tb Exp $
+.\" $OpenBSD: CMS_get0_SignerInfos.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 22 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_GET0_SIGNERINFOS 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm CMS_SignerInfo_set1_signer_cert
 .Nd CMS SignedData signer functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft STACK_OF(CMS_SignerInfo) *
 .Fo CMS_get0_SignerInfos
diff --git a/src/lib/libcrypto/man/CMS_get0_type.3 b/src/lib/libcrypto/man/CMS_get0_type.3
index 55adacd86d..5547de494a 100644
--- a/src/lib/libcrypto/man/CMS_get0_type.3
+++ b/src/lib/libcrypto/man/CMS_get0_type.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_get0_type.3,v 1.9 2023/07/27 05:31:28 tb Exp $
+.\" $OpenBSD: CMS_get0_type.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 27 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_GET0_TYPE 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm CMS_get0_content
 .Nd get and set CMS content types and content
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft const ASN1_OBJECT *
 .Fo CMS_get0_type
diff --git a/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 b/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
index 9feedd13a2..17a14c47e3 100644
--- a/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
+++ b/src/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_get1_ReceiptRequest.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_get1_ReceiptRequest.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_GET1_RECEIPTREQUEST 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm CMS_ReceiptRequest_get0_values
 .Nd CMS signed receipt request functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ReceiptRequest *
 .Fo CMS_ReceiptRequest_create0
diff --git a/src/lib/libcrypto/man/CMS_sign.3 b/src/lib/libcrypto/man/CMS_sign.3
index 5261c190a6..82f9ff9896 100644
--- a/src/lib/libcrypto/man/CMS_sign.3
+++ b/src/lib/libcrypto/man/CMS_sign.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_sign.3,v 1.11 2024/04/18 16:50:22 tb Exp $
+.\" $OpenBSD: CMS_sign.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 18 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_SIGN 3
 .Os
 .Sh NAME
 .Nm CMS_sign
 .Nd create a CMS SignedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ContentInfo *
 .Fo CMS_sign
@@ -176,7 +177,7 @@ added before finalization.
 .Pp
 If a signer is specified, it will use the default digest for the signing
 algorithm.
-This is SHA1 for both RSA and DSA keys.
+This is SHA-1 for both RSA and DSA keys.
 .Pp
 If
 .Fa signcert
diff --git a/src/lib/libcrypto/man/CMS_sign_receipt.3 b/src/lib/libcrypto/man/CMS_sign_receipt.3
index 6394957846..7702ab365d 100644
--- a/src/lib/libcrypto/man/CMS_sign_receipt.3
+++ b/src/lib/libcrypto/man/CMS_sign_receipt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_sign_receipt.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_sign_receipt.3,v 1.9 2025/12/20 08:40:47 tb Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: December 20 2025 $
 .Dt CMS_SIGN_RECEIPT 3
 .Os
 .Sh NAME
 .Nm CMS_sign_receipt
 .Nd create a CMS signed receipt
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ContentInfo *
 .Fo CMS_sign_receipt
@@ -83,7 +84,7 @@ is the corresponding private key.
 is an optional additional set of certificates to include in the CMS
 structure (for example any intermediate CAs in the chain).
 .Pp
-This functions behaves in a similar way to
+This function behaves in a similar way to
 .Xr CMS_sign 3
 except that the
 .Fa flags
diff --git a/src/lib/libcrypto/man/CMS_signed_add1_attr.3 b/src/lib/libcrypto/man/CMS_signed_add1_attr.3
index 1a50c0b9d1..10a959bba6 100644
--- a/src/lib/libcrypto/man/CMS_signed_add1_attr.3
+++ b/src/lib/libcrypto/man/CMS_signed_add1_attr.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_signed_add1_attr.3,v 1.5 2024/09/02 07:54:21 tb Exp $
+.\" $OpenBSD: CMS_signed_add1_attr.3,v 1.7 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Job Snijders <job@openbsd.org>
 .\" Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt CMS_SIGNED_ADD1_ATTR 3
 .Os
 .Sh NAME
@@ -42,6 +42,7 @@
 .Nm CMS_unsigned_get_attr_count
 .Nd change signed and unsigned attributes of a CMS SignerInfo object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo CMS_signed_add1_attr
@@ -72,19 +73,19 @@
 .Fa "const void *bytes"
 .Fa "int len"
 .Fc
-.Ft "X509_ATTRIBUTE *"
+.Ft X509_ATTRIBUTE *
 .Fo CMS_signed_delete_attr
 .Fa "CMS_SignerInfo *si"
 .Fa "int loc"
 .Fc
-.Ft "void *"
+.Ft void *
 .Fo CMS_signed_get0_data_by_OBJ
 .Fa "CMS_SignerInfo *si"
 .Fa "const ASN1_OBJECT *oid"
 .Fa "int start_after"
 .Fa "int type"
 .Fc
-.Ft "X509_ATTRIBUTE *"
+.Ft X509_ATTRIBUTE *
 .Fo CMS_signed_get_attr
 .Fa "const CMS_SignerInfo *si"
 .Fa "int loc"
@@ -134,19 +135,19 @@
 .Fa "const void *bytes"
 .Fa "int len"
 .Fc
-.Ft "X509_ATTRIBUTE *"
+.Ft X509_ATTRIBUTE *
 .Fo CMS_unsigned_delete_attr
 .Fa "CMS_SignerInfo *si"
 .Fa "int loc"
 .Fc
-.Ft "void *"
+.Ft void *
 .Fo CMS_unsigned_get0_data_by_OBJ
 .Fa "CMS_SignerInfo *si"
 .Fa "ASN1_OBJECT *oid"
 .Fa "int start_after"
 .Fa "int type"
 .Fc
-.Ft "X509_ATTRIBUTE *"
+.Ft X509_ATTRIBUTE *
 .Fo CMS_unsigned_get_attr
 .Fa "const CMS_SignerInfo *si"
 .Fa "int loc"
diff --git a/src/lib/libcrypto/man/CMS_uncompress.3 b/src/lib/libcrypto/man/CMS_uncompress.3
index ed2172521e..2a5e2f593b 100644
--- a/src/lib/libcrypto/man/CMS_uncompress.3
+++ b/src/lib/libcrypto/man/CMS_uncompress.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_uncompress.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_uncompress.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_UNCOMPRESS 3
 .Os
 .Sh NAME
 .Nm CMS_uncompress
 .Nd uncompress a CMS CompressedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo CMS_uncompress
diff --git a/src/lib/libcrypto/man/CMS_verify.3 b/src/lib/libcrypto/man/CMS_verify.3
index 63f1b8bb18..a8803b0595 100644
--- a/src/lib/libcrypto/man/CMS_verify.3
+++ b/src/lib/libcrypto/man/CMS_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_verify.3,v 1.10 2024/03/29 06:43:12 tb Exp $
+.\" $OpenBSD: CMS_verify.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CMS_VERIFY 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm CMS_get0_signers
 .Nd verify a CMS SignedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo CMS_verify
diff --git a/src/lib/libcrypto/man/CMS_verify_receipt.3 b/src/lib/libcrypto/man/CMS_verify_receipt.3
index ac50087a4c..738d976c15 100644
--- a/src/lib/libcrypto/man/CMS_verify_receipt.3
+++ b/src/lib/libcrypto/man/CMS_verify_receipt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CMS_verify_receipt.3,v 1.7 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: CMS_verify_receipt.3,v 1.9 2025/12/20 08:40:47 tb Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: December 20 2025 $
 .Dt CMS_VERIFY_RECEIPT 3
 .Os
 .Sh NAME
 .Nm CMS_verify_receipt
 .Nd verify a CMS signed receipt
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo CMS_verify_receipt
@@ -78,7 +79,7 @@ is a set of certificates in which to search for the signing certificate.
 .Fa store
 is a trusted certificate store (used for chain verification).
 .Pp
-This functions behaves in a similar way to
+This function behaves in a similar way to
 .Xr CMS_verify 3
 except that the
 .Fa flags
diff --git a/src/lib/libcrypto/man/CONF_modules_free.3 b/src/lib/libcrypto/man/CONF_modules_free.3
index c5fb840942..ab299bcbda 100644
--- a/src/lib/libcrypto/man/CONF_modules_free.3
+++ b/src/lib/libcrypto/man/CONF_modules_free.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: CONF_modules_free.3,v 1.6 2023/07/21 10:46:54 tb Exp $
+.\"     $OpenBSD: CONF_modules_free.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 21 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CONF_MODULES_FREE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm CONF_modules_unload
 .Nd OpenSSL configuration cleanup functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/conf.h
 .Ft void
 .Fo CONF_modules_free
diff --git a/src/lib/libcrypto/man/CONF_modules_load_file.3 b/src/lib/libcrypto/man/CONF_modules_load_file.3
index d1bcd49a38..78cfc32f0d 100644
--- a/src/lib/libcrypto/man/CONF_modules_load_file.3
+++ b/src/lib/libcrypto/man/CONF_modules_load_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CONF_modules_load_file.3,v 1.14 2023/11/19 20:58:07 tb Exp $
+.\" $OpenBSD: CONF_modules_load_file.3,v 1.16 2025/06/09 12:43:53 schwarze Exp $
 .\" full merge up to: e9b77246 Jan 20 19:58:49 2017 +0100
 .\" selective merge up to: d090fc00 Feb 26 13:11:10 2019 +0800
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 9 2025 $
 .Dt CONF_MODULES_LOAD_FILE 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm X509_get_default_cert_area
 .Nd OpenSSL configuration functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/conf.h
 .Ft int
 .Fo CONF_modules_load_file
@@ -222,7 +223,6 @@ Load custom configuration file and section instead of the standard one,
 only print warnings on error, missing configuration file ignored:
 .Bd -literal
 OPENSSL_no_config();
-OPENSSL_load_builtin_modules();
 if (CONF_modules_load_file("/something/app.cnf", "myapp",
    CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {
        fprintf(stderr, "WARNING: error loading configuration file\en");
@@ -233,11 +233,7 @@ if (CONF_modules_load_file("/something/app.cnf", "myapp",
 In the previous example, the call to
 .Xr OPENSSL_no_config 3
 is required first to suppress automatic loading
-of the standard configuration file, and the call to
+of the standard configuration file.
-.Xr OPENSSL_load_builtin_modules 3
-is needed so that the configuration of builtin modules
-is loaded in addition to the configuration of
-.Qq myapp .
 .Pp
 Load and parse configuration file manually, custom error handling:
 .Bd -literal
@@ -268,8 +264,7 @@ if (fp == NULL) {
 .Sh SEE ALSO
 .Xr CONF_modules_free 3 ,
 .Xr ERR 3 ,
-.Xr OPENSSL_config 3 ,
+.Xr OPENSSL_config 3
-.Xr OPENSSL_load_builtin_modules 3
 .Sh HISTORY
 .Fn X509_get_default_cert_area
 first appeared in SSLeay 0.4.1 and has been available since
diff --git a/src/lib/libcrypto/man/CRYPTO_lock.3 b/src/lib/libcrypto/man/CRYPTO_lock.3
index afc5eb54c5..7877dd5804 100644
--- a/src/lib/libcrypto/man/CRYPTO_lock.3
+++ b/src/lib/libcrypto/man/CRYPTO_lock.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: CRYPTO_lock.3,v 1.3 2024/03/14 22:09:40 tb Exp $
+.\"     $OpenBSD: CRYPTO_lock.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL doc/crypto/threads.pod fb552ac6 Sep 30 23:43:01 2009 +0000
 .\"
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 14 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CRYPTO_LOCK 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm CRYPTO_add
 .Nd thread support
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/crypto.h
 .Ft void
 .Fo CRYPTO_lock
diff --git a/src/lib/libcrypto/man/CRYPTO_memcmp.3 b/src/lib/libcrypto/man/CRYPTO_memcmp.3
index cbc0030c55..fbe092cb90 100644
--- a/src/lib/libcrypto/man/CRYPTO_memcmp.3
+++ b/src/lib/libcrypto/man/CRYPTO_memcmp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CRYPTO_memcmp.3,v 1.1 2019/08/25 06:20:22 schwarze Exp $
+.\" $OpenBSD: CRYPTO_memcmp.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 1075139c Jun 24 09:18:48 2019 +1000
 .\"
 .\" This file was written by Pauli <paul.dale@oracle.com>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 25 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CRYPTO_MEMCMP 3
 .Os
 .Sh NAME
 .Nm CRYPTO_memcmp
 .Nd constant time memory comparison
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/crypto.h
 .Ft int
 .Fo CRYPTO_memcmp
diff --git a/src/lib/libcrypto/man/CRYPTO_set_ex_data.3 b/src/lib/libcrypto/man/CRYPTO_set_ex_data.3
index c22fb22352..57cdbfb4ca 100644
--- a/src/lib/libcrypto/man/CRYPTO_set_ex_data.3
+++ b/src/lib/libcrypto/man/CRYPTO_set_ex_data.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: CRYPTO_set_ex_data.3,v 1.15 2023/09/18 14:49:43 schwarze Exp $
+.\" $OpenBSD: CRYPTO_set_ex_data.3,v 1.16 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 18 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CRYPTO_SET_EX_DATA 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Nm CRYPTO_free_ex_data
 .Nd low-level functions for application specific data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/crypto.h
 .Ft int
 .Fo CRYPTO_get_ex_new_index
diff --git a/src/lib/libcrypto/man/CRYPTO_set_mem_functions.3 b/src/lib/libcrypto/man/CRYPTO_set_mem_functions.3
index d020d10ff6..4fc88339a8 100644
--- a/src/lib/libcrypto/man/CRYPTO_set_mem_functions.3
+++ b/src/lib/libcrypto/man/CRYPTO_set_mem_functions.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: CRYPTO_set_mem_functions.3,v 1.2 2025/03/08 17:17:09 tb Exp $
+.\"     $OpenBSD: CRYPTO_set_mem_functions.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 8 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CRYPTO_SET_MEM_FUNCTIONS 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm CRYPTO_mem_leaks_cb
 .Nd legacy OpenSSL memory allocation control
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/crypto.h
 .Ft int
 .Fo CRYPTO_set_mem_functions
diff --git a/src/lib/libcrypto/man/ChaCha.3 b/src/lib/libcrypto/man/ChaCha.3
index 9aae6d70cf..54cd597f6c 100644
--- a/src/lib/libcrypto/man/ChaCha.3
+++ b/src/lib/libcrypto/man/ChaCha.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ChaCha.3,v 1.3 2022/02/18 10:24:32 jsg Exp $
+.\" $OpenBSD: ChaCha.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 18 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt CHACHA 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm CRYPTO_xchacha_20
 .Nd ChaCha20 stream cipher
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/chacha.h
 .Ft void
 .Fo ChaCha_set_key
diff --git a/src/lib/libcrypto/man/DES_set_key.3 b/src/lib/libcrypto/man/DES_set_key.3
index fd09d77730..3794285006 100644
--- a/src/lib/libcrypto/man/DES_set_key.3
+++ b/src/lib/libcrypto/man/DES_set_key.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DES_set_key.3,v 1.17 2024/05/24 19:18:07 tb Exp $
+.\" $OpenBSD: DES_set_key.3,v 1.18 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/DES_random_key 521738e9 Oct 5 14:58:30 2018 -0400
 .\"
@@ -115,7 +115,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: May 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DES_SET_KEY 3
 .Os
 .Sh NAME
@@ -151,6 +151,7 @@
 .Nm DES_crypt
 .Nd DES encryption
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/des.h
 .Ft void
 .Fo DES_random_key
diff --git a/src/lib/libcrypto/man/DH_generate_key.3 b/src/lib/libcrypto/man/DH_generate_key.3
index 076b49f7a1..c3158b8132 100644
--- a/src/lib/libcrypto/man/DH_generate_key.3
+++ b/src/lib/libcrypto/man/DH_generate_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DH_generate_key.3,v 1.12 2019/08/19 13:08:26 schwarze Exp $
+.\"     $OpenBSD: DH_generate_key.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 19 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DH_GENERATE_KEY 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm DH_compute_key
 .Nd perform Diffie-Hellman key exchange
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft int
 .Fo DH_generate_key
diff --git a/src/lib/libcrypto/man/DH_generate_parameters.3 b/src/lib/libcrypto/man/DH_generate_parameters.3
index ac29521ec4..f47475e3b1 100644
--- a/src/lib/libcrypto/man/DH_generate_parameters.3
+++ b/src/lib/libcrypto/man/DH_generate_parameters.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DH_generate_parameters.3,v 1.14 2022/07/13 13:47:59 schwarze Exp $
+.\" $OpenBSD: DH_generate_parameters.3,v 1.15 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" selective merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DH_GENERATE_PARAMETERS 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm DH_generate_parameters
 .Nd generate and check Diffie-Hellman parameters
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft int
 .Fo DH_generate_parameters_ex
diff --git a/src/lib/libcrypto/man/DH_get0_pqg.3 b/src/lib/libcrypto/man/DH_get0_pqg.3
index eb012980f9..e30d628c7f 100644
--- a/src/lib/libcrypto/man/DH_get0_pqg.3
+++ b/src/lib/libcrypto/man/DH_get0_pqg.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DH_get0_pqg.3,v 1.8 2024/07/21 08:36:43 tb Exp $
+.\" $OpenBSD: DH_get0_pqg.3,v 1.10 2025/06/13 18:34:00 schwarze Exp $
 .\" selective merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 21 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt DH_GET0_PQG 3
 .Os
 .Sh NAME
@@ -68,6 +68,7 @@
 .Nm DH_set_length
 .Nd get data from and set data in a DH object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft void
 .Fo DH_get0_pqg
@@ -76,15 +77,15 @@
 .Fa "const BIGNUM **q"
 .Fa "const BIGNUM **g"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DH_get0_p
 .Fa "const DH *dh"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DH_get0_q
 .Fa "const DH *dh"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DH_get0_g
 .Fa "const DH *dh"
 .Fc
@@ -101,11 +102,11 @@
 .Fa "const BIGNUM **pub_key"
 .Fa "const BIGNUM **priv_key"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DH_get0_pub_key
 .Fa "const DH *dh"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DH_get0_priv_key
 .Fa "const DH *dh"
 .Fc
diff --git a/src/lib/libcrypto/man/DH_get_ex_new_index.3 b/src/lib/libcrypto/man/DH_get_ex_new_index.3
index 81a0aff8ec..e0d1f1b813 100644
--- a/src/lib/libcrypto/man/DH_get_ex_new_index.3
+++ b/src/lib/libcrypto/man/DH_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DH_get_ex_new_index.3,v 1.5 2018/03/23 23:18:17 schwarze Exp $
+.\"     $OpenBSD: DH_get_ex_new_index.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DH_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm DH_get_ex_data
 .Nd add application specific data to DH structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft int
 .Fo DH_get_ex_new_index
diff --git a/src/lib/libcrypto/man/DH_new.3 b/src/lib/libcrypto/man/DH_new.3
index 4993456897..0e01a26733 100644
--- a/src/lib/libcrypto/man/DH_new.3
+++ b/src/lib/libcrypto/man/DH_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DH_new.3,v 1.12 2022/07/13 21:51:35 schwarze Exp $
+.\"     $OpenBSD: DH_new.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DH_NEW 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm DH_free
 .Nd allocate and free DH objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft DH*
 .Fn DH_new void
diff --git a/src/lib/libcrypto/man/DH_set_method.3 b/src/lib/libcrypto/man/DH_set_method.3
index 70cf367c9d..3491cf8f6e 100644
--- a/src/lib/libcrypto/man/DH_set_method.3
+++ b/src/lib/libcrypto/man/DH_set_method.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DH_set_method.3,v 1.9 2023/11/19 10:34:26 tb Exp $
+.\"     $OpenBSD: DH_set_method.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DH_SET_METHOD 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm DH_OpenSSL
 .Nd select DH method
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft void
 .Fo DH_set_default_method
diff --git a/src/lib/libcrypto/man/DH_size.3 b/src/lib/libcrypto/man/DH_size.3
index 4e6dbc0cba..09c019f366 100644
--- a/src/lib/libcrypto/man/DH_size.3
+++ b/src/lib/libcrypto/man/DH_size.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DH_size.3,v 1.10 2022/07/13 21:51:35 schwarze Exp $
+.\" $OpenBSD: DH_size.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DH_SIZE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm DH_bits
 .Nd get Diffie-Hellman prime size
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft int
 .Fo DH_size
diff --git a/src/lib/libcrypto/man/DIST_POINT_new.3 b/src/lib/libcrypto/man/DIST_POINT_new.3
index 6a5cc40468..e5aeb2a5d5 100644
--- a/src/lib/libcrypto/man/DIST_POINT_new.3
+++ b/src/lib/libcrypto/man/DIST_POINT_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DIST_POINT_new.3,v 1.5 2019/06/06 01:06:58 schwarze Exp $
+.\"     $OpenBSD: DIST_POINT_new.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DIST_POINT_NEW 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Nm ISSUING_DIST_POINT_free
 .Nd X.509 CRL distribution point extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft DIST_POINT *
 .Fn DIST_POINT_new void
diff --git a/src/lib/libcrypto/man/DSA_SIG_new.3 b/src/lib/libcrypto/man/DSA_SIG_new.3
index 160b453939..003f71f0f1 100644
--- a/src/lib/libcrypto/man/DSA_SIG_new.3
+++ b/src/lib/libcrypto/man/DSA_SIG_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DSA_SIG_new.3,v 1.8 2019/06/10 14:58:48 schwarze Exp $
+.\" $OpenBSD: DSA_SIG_new.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>,
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_SIG_NEW 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm DSA_SIG_set0
 .Nd manipulate DSA signature objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft DSA_SIG *
 .Fn DSA_SIG_new void
diff --git a/src/lib/libcrypto/man/DSA_do_sign.3 b/src/lib/libcrypto/man/DSA_do_sign.3
index 4602bed872..f7de537bf9 100644
--- a/src/lib/libcrypto/man/DSA_do_sign.3
+++ b/src/lib/libcrypto/man/DSA_do_sign.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_do_sign.3,v 1.10 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: DSA_do_sign.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_DO_SIGN 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm DSA_do_verify
 .Nd raw DSA signature operations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft DSA_SIG *
 .Fo DSA_do_sign
diff --git a/src/lib/libcrypto/man/DSA_dup_DH.3 b/src/lib/libcrypto/man/DSA_dup_DH.3
index d6163fd3c3..a3ec94f628 100644
--- a/src/lib/libcrypto/man/DSA_dup_DH.3
+++ b/src/lib/libcrypto/man/DSA_dup_DH.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_dup_DH.3,v 1.9 2023/08/12 08:26:38 tb Exp $
+.\"     $OpenBSD: DSA_dup_DH.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 12 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_DUP_DH 3
 .Os
 .Sh NAME
 .Nm DSA_dup_DH
 .Nd create a DH structure out of DSA structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft DH *
 .Fo DSA_dup_DH
diff --git a/src/lib/libcrypto/man/DSA_generate_key.3 b/src/lib/libcrypto/man/DSA_generate_key.3
index 37d8ec1c0f..161e0680cc 100644
--- a/src/lib/libcrypto/man/DSA_generate_key.3
+++ b/src/lib/libcrypto/man/DSA_generate_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_generate_key.3,v 1.11 2023/12/29 19:12:47 tb Exp $
+.\"     $OpenBSD: DSA_generate_key.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_GENERATE_KEY 3
 .Os
 .Sh NAME
 .Nm DSA_generate_key
 .Nd generate DSA key pair
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft int
 .Fo DSA_generate_key
diff --git a/src/lib/libcrypto/man/DSA_generate_parameters_ex.3 b/src/lib/libcrypto/man/DSA_generate_parameters_ex.3
index a318bf8298..fb610b8191 100644
--- a/src/lib/libcrypto/man/DSA_generate_parameters_ex.3
+++ b/src/lib/libcrypto/man/DSA_generate_parameters_ex.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_generate_parameters_ex.3,v 1.1 2023/12/29 19:15:15 tb Exp $
+.\"     $OpenBSD: DSA_generate_parameters_ex.3,v 1.2 2025/06/08 22:37:23 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 7 22:14:47 2015 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>,
@@ -49,15 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_GENERATE_PARAMETERS_EX 3
 .Os
 .Sh NAME
-.\" .Nm DSA_generate_parameters is intentionally undocumented
-.\" because it will be removed in the next major bump
 .Nm DSA_generate_parameters_ex
 .Nd generate DSA parameters
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft int
 .Fo DSA_generate_parameters_ex
diff --git a/src/lib/libcrypto/man/DSA_get0_pqg.3 b/src/lib/libcrypto/man/DSA_get0_pqg.3
index b82affba66..e609b6250d 100644
--- a/src/lib/libcrypto/man/DSA_get0_pqg.3
+++ b/src/lib/libcrypto/man/DSA_get0_pqg.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DSA_get0_pqg.3,v 1.11 2024/07/21 08:36:43 tb Exp $
+.\" $OpenBSD: DSA_get0_pqg.3,v 1.13 2025/06/13 18:34:00 schwarze Exp $
 .\" full merge up to: OpenSSL e90fc053 Jul 15 09:39:45 2017 -0400
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 21 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt DSA_GET0_PQG 3
 .Os
 .Sh NAME
@@ -67,6 +67,7 @@
 .Nm DSA_get0_engine
 .Nd get data from and set data in a DSA object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft void
 .Fo DSA_get0_pqg
@@ -75,15 +76,15 @@
 .Fa "const BIGNUM **q"
 .Fa "const BIGNUM **g"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DSA_get0_p
 .Fa "const DSA *d"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DSA_get0_q
 .Fa "const DSA *d"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DSA_get0_g
 .Fa "const DSA *d"
 .Fc
@@ -100,11 +101,11 @@
 .Fa "const BIGNUM **pub_key"
 .Fa "const BIGNUM **priv_key"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DSA_get0_pub_key
 .Fa "const DSA *d"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo DSA_get0_priv_key
 .Fa "const DSA *d"
 .Fc
diff --git a/src/lib/libcrypto/man/DSA_get_ex_new_index.3 b/src/lib/libcrypto/man/DSA_get_ex_new_index.3
index 8fe055f337..477c011c53 100644
--- a/src/lib/libcrypto/man/DSA_get_ex_new_index.3
+++ b/src/lib/libcrypto/man/DSA_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_get_ex_new_index.3,v 1.5 2018/03/22 16:06:33 schwarze Exp $
+.\"     $OpenBSD: DSA_get_ex_new_index.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 22 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm DSA_get_ex_data
 .Nd add application specific data to DSA structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft int
 .Fo DSA_get_ex_new_index
diff --git a/src/lib/libcrypto/man/DSA_meth_new.3 b/src/lib/libcrypto/man/DSA_meth_new.3
index d89cd397b0..abd023346e 100644
--- a/src/lib/libcrypto/man/DSA_meth_new.3
+++ b/src/lib/libcrypto/man/DSA_meth_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DSA_meth_new.3,v 1.3 2022/07/10 13:41:59 schwarze Exp $
+.\" $OpenBSD: DSA_meth_new.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\" selective merge up to: OpenSSL c4d3c19b Apr 3 13:57:12 2018 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 10 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_METH_NEW 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm DSA_meth_set_finish
 .Nd build up DSA methods
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft DSA_METHOD *
 .Fo DSA_meth_new
diff --git a/src/lib/libcrypto/man/DSA_new.3 b/src/lib/libcrypto/man/DSA_new.3
index 5a958b58c4..5340bec4bd 100644
--- a/src/lib/libcrypto/man/DSA_new.3
+++ b/src/lib/libcrypto/man/DSA_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_new.3,v 1.14 2023/12/29 19:12:47 tb Exp $
+.\"     $OpenBSD: DSA_new.3,v 1.15 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_NEW 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm DSA_free
 .Nd allocate and free DSA objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft DSA*
 .Fn DSA_new void
diff --git a/src/lib/libcrypto/man/DSA_set_method.3 b/src/lib/libcrypto/man/DSA_set_method.3
index c60a3e29c3..f2a6eca57c 100644
--- a/src/lib/libcrypto/man/DSA_set_method.3
+++ b/src/lib/libcrypto/man/DSA_set_method.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_set_method.3,v 1.12 2024/05/11 06:53:19 tb Exp $
+.\"     $OpenBSD: DSA_set_method.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 11 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_SET_METHOD 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm DSA_OpenSSL
 .Nd select DSA method
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft void
 .Fo DSA_set_default_method
diff --git a/src/lib/libcrypto/man/DSA_sign.3 b/src/lib/libcrypto/man/DSA_sign.3
index 59f9042ba6..787dc903ea 100644
--- a/src/lib/libcrypto/man/DSA_sign.3
+++ b/src/lib/libcrypto/man/DSA_sign.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DSA_sign.3,v 1.10 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: DSA_sign.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_SIGN 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm DSA_verify
 .Nd DSA signatures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft int
 .Fo DSA_sign
diff --git a/src/lib/libcrypto/man/DSA_size.3 b/src/lib/libcrypto/man/DSA_size.3
index 4786acc7e9..09ce80e132 100644
--- a/src/lib/libcrypto/man/DSA_size.3
+++ b/src/lib/libcrypto/man/DSA_size.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: DSA_size.3,v 1.8 2022/07/13 21:44:23 schwarze Exp $
+.\" $OpenBSD: DSA_size.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DSA_SIZE 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm DSA_bits
 .Nd get DSA signature or key size
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft int
 .Fo DSA_size
diff --git a/src/lib/libcrypto/man/ECDH_compute_key.3 b/src/lib/libcrypto/man/ECDH_compute_key.3
index c49988e141..b0ae6ad34c 100644
--- a/src/lib/libcrypto/man/ECDH_compute_key.3
+++ b/src/lib/libcrypto/man/ECDH_compute_key.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ECDH_compute_key.3,v 1.3 2023/08/29 10:07:42 tb Exp $
+.\" $OpenBSD: ECDH_compute_key.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ECDH_COMPUTE_KEY 3
 .Os
 .Sh NAME
@@ -21,6 +21,7 @@
 .Nm ECDH_size
 .Nd Elliptic Curve Diffie-Hellman key exchange
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
 .Ft int
 .Fo ECDH_compute_key
@@ -74,7 +75,7 @@ returns the number of bytes needed to store an affine coordinate.
 .Sh SEE ALSO
 .Xr DH_generate_key 3 ,
 .Xr DH_size 3 ,
-.Xr EC_GROUP_new 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
 .Xr EC_KEY_new 3 ,
 .Xr EC_POINT_new 3 ,
 .Xr X25519 3
diff --git a/src/lib/libcrypto/man/ECDSA_SIG_new.3 b/src/lib/libcrypto/man/ECDSA_SIG_new.3
index 2b72e6f1b9..4554af035c 100644
--- a/src/lib/libcrypto/man/ECDSA_SIG_new.3
+++ b/src/lib/libcrypto/man/ECDSA_SIG_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ECDSA_SIG_new.3,v 1.21 2024/11/15 20:14:58 tb Exp $
+.\" $OpenBSD: ECDSA_SIG_new.3,v 1.24 2025/06/13 18:34:00 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\" selective merge up to: OpenSSL da4ea0cf Aug 5 16:13:24 2019 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 15 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt ECDSA_SIG_NEW 3
 .Os
 .Sh NAME
@@ -69,8 +69,9 @@
 .Nm ECDSA_do_verify
 .Nd Elliptic Curve Digital Signature Algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
-.Ft ECDSA_SIG*
+.Ft ECDSA_SIG *
 .Fo ECDSA_SIG_new
 .Fa void
 .Fc
@@ -84,11 +85,11 @@
 .Fa "const BIGNUM **r"
 .Fa "const BIGNUM **s"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo ECDSA_SIG_get0_r
 .Fa "const ECDSA_SIG *sig"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo ECDSA_SIG_get0_s
 .Fa "const ECDSA_SIG *sig"
 .Fc
@@ -103,7 +104,7 @@
 .Fa "const ECDSA_SIG *sig_in"
 .Fa "unsigned char **der_out"
 .Fc
-.Ft ECDSA_SIG*
+.Ft ECDSA_SIG *
 .Fo d2i_ECDSA_SIG
 .Fa "ECDSA_SIG **sig_out"
 .Fa "const unsigned char **der_in"
@@ -131,7 +132,7 @@
 .Fa "int siglen"
 .Fa "EC_KEY *eckey"
 .Fc
-.Ft ECDSA_SIG*
+.Ft ECDSA_SIG *
 .Fo ECDSA_do_sign
 .Fa "const unsigned char *dgst"
 .Fa "int dgst_len"
@@ -413,7 +414,7 @@ if (ret == -1) {
 .Xr crypto 3 ,
 .Xr d2i_ECPKParameters 3 ,
 .Xr DSA_new 3 ,
-.Xr EC_GROUP_new 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
 .Xr EC_KEY_METHOD_new 3 ,
 .Xr EC_KEY_new 3 ,
 .Xr EC_KEY_set_ex_data 3 ,
diff --git a/src/lib/libcrypto/man/EC_GROUP_check.3 b/src/lib/libcrypto/man/EC_GROUP_check.3
new file mode 100644
index 0000000000..146c3d255d
--- /dev/null
+++ b/src/lib/libcrypto/man/EC_GROUP_check.3
@@ -0,0 +1,160 @@
+.\" $OpenBSD: EC_GROUP_check.3,v 1.6 2025/07/04 05:16:56 jsg Exp $
+.\"
+.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: July 4 2025 $
+.Dt EC_GROUP_CHECK 3
+.Os
+.Sh NAME
+.Nm EC_GROUP_check_discriminant ,
+.Nm EC_GROUP_check
+.Nd partially check validity of
+.Vt EC_GROUP
+objects
+.Sh SYNOPSIS
+.Lb libcrypto
+.In openssl/bn.h
+.In openssl/ec.h
+.Pp
+Deprecated:
+.Pp
+.Ft int
+.Fo EC_GROUP_check_discriminant
+.Fa "const EC_GROUP *group"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_check
+.Fa "const EC_GROUP *group"
+.Fa "BN_CTX *ctx"
+.Fc
+.Sh DESCRIPTION
+These functions are deprecated.
+Only standardized curves built into the library should be used, see
+.Xr EC_GROUP_new_by_curve_name 3 .
+Builtin curves went through far more thorough checking than
+the minimal, incomplete tests performed by these functions.
+.Pp
+These functions have an optional
+.Fa ctx
+argument which is used to avoid the cost of repeated allocation of
+auxiliary
+.Vt BIGNUM
+objects.
+.Pp
+.Fn EC_GROUP_check_discriminant
+can be called after
+.Xr EC_GROUP_new_curve_GFp 3
+to verify that
+.Fa group Ns 's
+parameters have non-zero discriminant 4a^3 + 27b^2 modulo p.
+Assuming that
+.Fa p
+is a prime number larger than three
+this implies that the Weierstrass equation defines an elliptic curve.
+.Pp
+.Fn EC_GROUP_check
+partially verifies that
+.Fa group
+represents an elliptic curve and that
+.Fa generator
+is a point on the curve whose order divides
+.Fa order .
+It checks with
+.Fn EC_GROUP_check_discriminant
+that the discriminant is non-zero
+and then verifies that that
+.Fa order
+is non-zero and that the product
+.Fa generator No * Fa order
+is the point at infinity.
+This implies that the
+.Fa order
+set on
+.Fa group
+is an integer multiple of the
+.Fa generator Ns 's
+order.
+The verification that
+.Fa p
+is a prime
+and that
+.Fa order
+is equal to the
+.Fa generator Ns 's
+order are skipped because they are too expensive.
+.Sh RETURN VALUES
+.Fn EC_GROUP_check_discriminant
+returns 1 on success and 0 on failure.
+Failure modes include that the discriminant is zero modulo
+.Fa p
+and memory allocation failure.
+.Pp
+.Fn EC_GROUP_check
+returns 1 on success and 0 on failure.
+.Sh ERRORS
+Diagnostics for
+.Fn EC_GROUP_check
+that can be retrieved with
+.Xr ERR_get_error 3 ,
+.Xr ERR_GET_REASON 3 ,
+and
+.Xr ERR_reason_error_string 3
+include:
+.Bl -tag -width Ds
+.It Dv EC_R_DISCRIMINANT_IS_ZERO Qq "discriminant is zero"
+.Fn EC_GROUP_check_discriminant
+failed because the discriminant is zero or for some other reason.
+.It Dv EC_R_UNDEFINED_GENERATOR Qq "undefined generator"
+no generator is set on
+.Fa group ,
+for example because a call to
+.Xr EC_GROUP_set_generator 3
+is missing.
+.It Dv EC_R_POINT_IS_NOT_ON_CURVE Qq "point is not on curve"
+a generator is set, but it is not a point on the curve represented by
+.Fa group .
+.It Dv EC_R_UNDEFINED_ORDER Qq "undefined order"
+the
+.Fa order
+set on
+.Fa group
+is zero.
+.It Dv EC_R_INVALID_GROUP_ORDER Qq "invalid group order"
+.Fa generator No * Fa order
+is not the point at infinity.
+.El
+.Sh SEE ALSO
+.Xr BN_CTX_new 3 ,
+.Xr BN_is_zero 3 ,
+.Xr crypto 3 ,
+.Xr d2i_ECPKParameters 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
+.Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3
+.Sh HISTORY
+.Fn EC_GROUP_check
+and
+.Fn EC_GROUP_check_discriminant
+first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .
diff --git a/src/lib/libcrypto/man/EC_GROUP_copy.3 b/src/lib/libcrypto/man/EC_GROUP_copy.3
deleted file mode 100644
index 2e5e798236..0000000000
--- a/src/lib/libcrypto/man/EC_GROUP_copy.3
+++ /dev/null
@@ -1,492 +0,0 @@
-.\" $OpenBSD: EC_GROUP_copy.3,v 1.16 2025/03/08 16:40:59 tb Exp $
-.\" full merge up to: OpenSSL d900a015 Oct 8 14:40:42 2015 +0200
-.\" selective merge up to: OpenSSL 24c23e1f Aug 22 10:51:25 2019 +0530
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>,
-.\" Dr. Stephen Henson <steve@openssl.org>,
-.\" and Jayaram X Matta <jayaramx.matta@intel.com>.
-.\" Copyright (c) 2013, 2015, 2019 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 8 2025 $
-.Dt EC_GROUP_COPY 3
-.Os
-.Sh NAME
-.Nm EC_GROUP_copy ,
-.Nm EC_GROUP_dup ,
-.Nm EC_GROUP_set_generator ,
-.Nm EC_GROUP_get0_generator ,
-.Nm EC_GROUP_get_order ,
-.Nm EC_GROUP_order_bits ,
-.Nm EC_GROUP_get_cofactor ,
-.Nm EC_GROUP_set_curve_name ,
-.Nm EC_GROUP_get_curve_name ,
-.Nm EC_GROUP_set_asn1_flag ,
-.Nm EC_GROUP_get_asn1_flag ,
-.Nm EC_GROUP_set_point_conversion_form ,
-.Nm EC_GROUP_get_point_conversion_form ,
-.Nm EC_GROUP_get0_seed ,
-.Nm EC_GROUP_get_seed_len ,
-.Nm EC_GROUP_set_seed ,
-.Nm EC_GROUP_get_degree ,
-.Nm EC_GROUP_check ,
-.Nm EC_GROUP_check_discriminant ,
-.Nm EC_GROUP_cmp ,
-.Nm EC_GROUP_get_basis_type
-.Nd manipulate EC_GROUP objects
-.Sh SYNOPSIS
-.In openssl/ec.h
-.In openssl/bn.h
-.Ft int
-.Fo EC_GROUP_copy
-.Fa "EC_GROUP *dst"
-.Fa "const EC_GROUP *src"
-.Fc
-.Ft EC_GROUP *
-.Fo EC_GROUP_dup
-.Fa "const EC_GROUP *src"
-.Fc
-.Ft int
-.Fo EC_GROUP_set_generator
-.Fa "EC_GROUP *group"
-.Fa "const EC_POINT *generator"
-.Fa "const BIGNUM *order"
-.Fa "const BIGNUM *cofactor"
-.Fc
-.Ft const EC_POINT *
-.Fo EC_GROUP_get0_generator
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_order
-.Fa "const EC_GROUP *group"
-.Fa "BIGNUM *order"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_order_bits
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_cofactor
-.Fa "const EC_GROUP *group"
-.Fa "BIGNUM *cofactor"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft void
-.Fo EC_GROUP_set_curve_name
-.Fa "EC_GROUP *group"
-.Fa "int nid"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_curve_name
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft void
-.Fo EC_GROUP_set_asn1_flag
-.Fa "EC_GROUP *group"
-.Fa "int flag"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_asn1_flag
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft void
-.Fo EC_GROUP_set_point_conversion_form
-.Fa "EC_GROUP *group"
-.Fa "point_conversion_form_t form"
-.Fc
-.Ft point_conversion_form_t
-.Fo EC_GROUP_get_point_conversion_form
-.Fa "const EC_GROUP *"
-.Fc
-.Ft unsigned char *
-.Fo EC_GROUP_get0_seed
-.Fa "const EC_GROUP *x"
-.Fc
-.Ft size_t
-.Fo EC_GROUP_get_seed_len
-.Fa "const EC_GROUP *"
-.Fc
-.Ft size_t
-.Fo EC_GROUP_set_seed
-.Fa "EC_GROUP *"
-.Fa "const unsigned char *"
-.Fa "size_t len"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_degree
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft int
-.Fo EC_GROUP_check
-.Fa "const EC_GROUP *group"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_check_discriminant
-.Fa "const EC_GROUP *group"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_cmp
-.Fa "const EC_GROUP *a"
-.Fa "const EC_GROUP *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_basis_type
-.Fa "const EC_GROUP *"
-.Fc
-.Sh DESCRIPTION
-These functions operate on
-.Vt EC_GROUP
-objects created by the functions described in
-.Xr EC_GROUP_new 3 .
-.Pp
-.Fn EC_GROUP_copy
-copies the curve
-.Fa src
-into
-.Fa dst .
-Both
-.Fa src
-and
-.Fa dst
-must use the same
-.Vt EC_METHOD .
-.Pp
-.Fn EC_GROUP_dup
-creates a new
-.Vt EC_GROUP
-object and copies the content from
-.Fa src
-to the newly created
-.Vt EC_GROUP
-object.
-.Pp
-.Fn EC_GROUP_set_generator
-sets curve parameters that must be agreed by all participants using
-the curve.
-These parameters include the
-.Fa generator ,
-the
-.Fa order
-and the
-.Fa cofactor .
-The
-.Fa generator
-is a well defined point on the curve chosen for cryptographic
-operations.
-Integers used for point multiplications will be between 0 and
-.Fa order No - 1 .
-The
-.Fa order
-multiplied by the
-.Fa cofactor
-gives the number of points on the curve.
-.Pp
-.Fn EC_GROUP_get0_generator
-returns the generator for the identified
-.Fa group .
-.Pp
-.Fn EC_GROUP_get_order
-retrieves the order of the
-.Fa group
-and copies its value into
-.Fa order .
-It fails if the order of the
-.Fa group
-is not set or set to zero.
-.Pp
-.Fn EC_GROUP_get_cofactor
-retrieves the cofactor of the
-.Fa group
-and copies its value into
-.Fa cofactor .
-It fails if the cofactor of the
-.Fa group
-is not set or set to zero.
-.Pp
-The functions
-.Fn EC_GROUP_set_curve_name
-and
-.Fn EC_GROUP_get_curve_name
-set and get the NID for the curve, respectively (see
-.Xr EC_GROUP_new 3 ) .
-If a curve does not have a NID associated with it, then
-.Fn EC_GROUP_get_curve_name
-will return
-.Dv NID_undef .
-.Pp
-The asn1_flag value is used to determine whether the curve encoding
-uses explicit parameters or a named curve using an ASN.1 OID:
-many applications only support the latter form.
-If asn1_flag is the default value
-.Dv OPENSSL_EC_NAMED_CURVE ,
-then the named curve form is used and the parameters must have a
-corresponding named curve NID set.
-If asn1_flags is
-.Dv OPENSSL_EC_EXPLICIT_CURVE ,
-the parameters are explicitly encoded.
-The functions
-.Fn EC_GROUP_get_asn1_flag
-and
-.Fn EC_GROUP_set_asn1_flag
-get and set the status of the asn1_flag for the curve.
-.Pp
-The point_conversion_form for a curve controls how
-.Vt EC_POINT
-data is encoded as ASN.1 as defined in X9.62 (ECDSA).
-.Vt point_conversion_form_t
-is an enum defined as follows:
-.Bd -literal
-typedef enum {
-        /** the point is encoded as z||x, where the octet z specifies
-         *   which solution of the quadratic equation y is  */
-        POINT_CONVERSION_COMPRESSED = 2,
-        /** the point is encoded as z||x||y, where z is the octet 0x04  */
-        POINT_CONVERSION_UNCOMPRESSED = 4,
-        /** the point is encoded as z||x||y, where the octet z specifies
-         *  which solution of the quadratic equation y is  */
-        POINT_CONVERSION_HYBRID = 6
-} point_conversion_form_t;
-.Ed
-.Pp
-For
-.Dv POINT_CONVERSION_UNCOMPRESSED
-the point is encoded as an octet signifying the UNCOMPRESSED form
-has been used followed by the octets for x, followed by the octets
-for y.
-.Pp
-For any given x coordinate for a point on a curve it is possible to
-derive two possible y values.
-For
-.Dv POINT_CONVERSION_COMPRESSED
-the point is encoded as an octet signifying that the COMPRESSED
-form has been used AND which of the two possible solutions for y
-has been used, followed by the octets for x.
-.Pp
-For
-.Dv POINT_CONVERSION_HYBRID
-the point is encoded as an octet signifying the HYBRID form has
-been used AND which of the two possible solutions for y has been
-used, followed by the octets for x, followed by the octets for y.
-.Pp
-The functions
-.Fn EC_GROUP_set_point_conversion_form
-and
-.Fn EC_GROUP_get_point_conversion_form
-set and get the point_conversion_form for the curve, respectively.
-.Pp
-ANSI X9.62 (ECDSA standard) defines a method of generating the curve
-parameter b from a random number.
-This provides advantages in that a parameter obtained in this way is
-highly unlikely to be susceptible to special purpose attacks, or have
-any trapdoors in it.
-If the seed is present for a curve then the b parameter was generated in
-a verifiable fashion using that seed.
-The OpenSSL EC library does not use this seed value but does enable you
-to inspect it using
-.Fn EC_GROUP_get0_seed .
-This returns a pointer to a memory block containing the seed that was
-used.
-The length of the memory block can be obtained using
-.Fn EC_GROUP_get_seed_len .
-A number of the builtin curves within the library provide seed values
-that can be obtained.
-It is also possible to set a custom seed using
-.Fn EC_GROUP_set_seed
-and passing a pointer to a memory block, along with the length of
-the seed.
-Again, the EC library will not use this seed value, although it will be
-preserved in any ASN.1 based communications.
-.Pp
-.Fn EC_GROUP_get_degree
-gets the degree of the field.
-For Fp fields this will be the number of bits in p.
-For F2^m fields this will be the value m.
-.Pp
-The function
-.Fn EC_GROUP_check_discriminant
-calculates the discriminant for the curve and verifies that it is
-valid.
-For a curve defined over Fp the discriminant is given by the formula
-4*a^3 + 27*b^2 whilst for F2^m curves the discriminant is simply b.
-In either case for the curve to be valid the discriminant must be
-non-zero.
-.Pp
-The function
-.Fn EC_GROUP_check
-performs a number of checks on a curve to verify that it is valid.
-Checks performed include verifying that the discriminant is non-zero;
-that a generator has been defined; that the generator is on the curve
-and has the correct order.
-.Pp
-.Fn EC_GROUP_cmp
-compares
-.Fa a
-and
-.Fa b
-to determine whether they represent the same curve or not.
-.Pp
-.Fn EC_GROUP_get_basis_type
-always returns 0 and is only provided for compatibility.
-.Sh RETURN VALUES
-The following functions return 1 on success or 0 on error:
-.Fn EC_GROUP_copy ,
-.Fn EC_GROUP_set_generator ,
-.Fn EC_GROUP_check ,
-and
-.Fn EC_GROUP_check_discriminant .
-.Pp
-.Fn EC_GROUP_dup
-returns a pointer to the duplicated curve or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_GROUP_get0_generator
-returns the generator for the given curve or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_GROUP_get_order
-returns 0 if the order is not set or set to zero for the
-.Fa group
-or if copying into
-.Fa order
-fails, or 1 otherwise.
-.Pp
-.Fn EC_GROUP_order_bits
-returns the number of bits in the group order.
-.Pp
-.Fn EC_GROUP_get_cofactor
-returns 0 if the cofactor is not set or set to zero for the
-.Fa group
-or if copying into
-.Fa cofactor
-fails, or 1 otherwise.
-.Pp
-.Fn EC_GROUP_get_curve_name
-returns the curve name (NID) for the
-.Fa group
-or
-.Dv NID_undef
-if no curve name is associated.
-.Pp
-.Fn EC_GROUP_get_asn1_flag
-returns the ASN.1 flag for the specified
-.Fa group .
-.Pp
-.Fn EC_GROUP_get_point_conversion_form
-returns the point_conversion_form for the
-.Fa group .
-.Pp
-.Fn EC_GROUP_get_degree
-returns the degree for the
-.Fa group
-or 0 if the operation is not supported
-by the underlying group implementation.
-.Pp
-.Fn EC_GROUP_get0_seed
-returns a pointer to the seed that was used to generate the parameter
-b, or
-.Dv NULL
-if the seed is not specified.
-.Fn EC_GROUP_get_seed_len
-returns the length of the seed or 0 if the seed is not specified.
-.Pp
-.Fn EC_GROUP_set_seed
-returns the length of the seed that has been set.
-If the supplied seed is
-.Dv NULL
-or the supplied seed length is 0, the return value will be 1.
-On error 0 is returned.
-.Pp
-.Fn EC_GROUP_cmp
-returns 0 if the curves are equal, 1 if they are not equal,
-or -1 on error.
-.Pp
-.Fn EC_GROUP_get_basis_type
-always returns 0.
-.Sh SEE ALSO
-.Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_new 3 ,
-.Xr EC_KEY_new 3 ,
-.Xr EC_POINT_add 3 ,
-.Xr EC_POINT_new 3
-.Sh HISTORY
-.Fn EC_GROUP_copy ,
-.Fn EC_GROUP_set_generator ,
-.Fn EC_GROUP_get0_generator ,
-.Fn EC_GROUP_get_order ,
-and
-.Fn EC_GROUP_get_cofactor
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn EC_GROUP_dup ,
-.Fn EC_GROUP_set_curve_name ,
-.Fn EC_GROUP_get_curve_name ,
-.Fn EC_GROUP_set_asn1_flag ,
-.Fn EC_GROUP_get_asn1_flag ,
-.Fn EC_GROUP_set_point_conversion_form ,
-.Fn EC_GROUP_get_point_conversion_form ,
-.Fn EC_GROUP_get0_seed ,
-.Fn EC_GROUP_get_seed_len ,
-.Fn EC_GROUP_set_seed ,
-.Fn EC_GROUP_get_degree ,
-.Fn EC_GROUP_check ,
-.Fn EC_GROUP_check_discriminant ,
-.Fn EC_GROUP_cmp ,
-and
-.Fn EC_GROUP_get_basis_type
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Pp
-.Fn EC_GROUP_order_bits
-first appeared in OpenSSL 1.1.0 and has been available since
-.Ox 7.0 .
diff --git a/src/lib/libcrypto/man/EC_GROUP_get_curve_name.3 b/src/lib/libcrypto/man/EC_GROUP_get_curve_name.3
new file mode 100644
index 0000000000..940aa3c1a1
--- /dev/null
+++ b/src/lib/libcrypto/man/EC_GROUP_get_curve_name.3
@@ -0,0 +1,266 @@
+.\" $OpenBSD: EC_GROUP_get_curve_name.3,v 1.4 2025/06/13 18:34:00 schwarze Exp $
+.\"
+.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: June 13 2025 $
+.Dt EC_GROUP_GET_CURVE_NAME 3
+.Os
+.Sh NAME
+.Nm EC_GROUP_get_curve_name ,
+.Nm EC_GROUP_set_curve_name ,
+.Nm EC_GROUP_get_asn1_flag ,
+.Nm EC_GROUP_set_asn1_flag ,
+.Nm EC_GROUP_get0_seed ,
+.Nm EC_GROUP_get_seed_len ,
+.Nm EC_GROUP_set_seed ,
+.Nm EC_GROUP_get_point_conversion_form ,
+.Nm EC_GROUP_set_point_conversion_form ,
+.Nm EC_GROUP_get_basis_type
+.Nd configure and inspect details of the ASN.1 encoding of
+.Vt EC_GROUP
+and related objects
+.Sh SYNOPSIS
+.Lb libcrypto
+.In openssl/ec.h
+.Ft int
+.Fo EC_GROUP_get_curve_name
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft void
+.Fo EC_GROUP_set_curve_name
+.Fa "EC_GROUP *group"
+.Fa "int nid"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_asn1_flag
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft void
+.Fo EC_GROUP_set_asn1_flag
+.Fa "EC_GROUP *group"
+.Fa "int flag"
+.Fc
+.Ft unsigned char *
+.Fo EC_GROUP_get0_seed
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft size_t
+.Fo EC_GROUP_get_seed_len
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft size_t
+.Fo EC_GROUP_set_seed
+.Fa "EC_GROUP *group"
+.Fa "const unsigned char *seed"
+.Fa "size_t len"
+.Fc
+.Bd -literal
+typedef enum {
+        POINT_CONVERSION_COMPRESSED = 2,
+        POINT_CONVERSION_UNCOMPRESSED = 4,
+        POINT_CONVERSION_HYBRID = 6
+} point_conversion_form_t;
+.Ed
+.Ft point_conversion_form_t
+.Fo EC_GROUP_get_point_conversion_form
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft void
+.Fo EC_GROUP_set_point_conversion_form
+.Fa "EC_GROUP *group"
+.Fa "point_conversion_form_t form"
+.Fc
+.Pp
+Deprecated:
+.Pp
+.Ft int
+.Fo EC_GROUP_get_basis_type
+.Fa "const EC_GROUP *group"
+.Fc
+.Sh DESCRIPTION
+The functions in this manual affect or allow the inspection of
+the details of the ASN.1 encoding produced by the
+.Xr i2d_ECPKParameters 3
+family of functions.
+Modern applications use named curves and uncompressed point encoding,
+which are the default for
+.Xr EC_GROUP_new_by_curve_name 3 .
+.Pp
+In this library, Elliptic curve parameters are either encoded as a
+.Em named curve ,
+using an ASN.1 Object Identifier (OID) to refer to
+standardized parameters that need to be built into the library,
+or using
+.Em explicit curve parameters
+where the field, the curve equation, the base point's coordinates
+and other data are encoded explicitly.
+The
+.Em implicitly CA
+variant is not supported.
+.Pp
+.Fn EC_GROUP_get_curve_name
+gets the Numerical Identifier (NID) representation of the
+ASN.1 Object Identifier used for the named curve encoding of
+.Fa group .
+.Fn EC_GROUP_set_curve_name
+sets it to
+.Fa nid .
+.Pp
+.Fn EC_GROUP_get_asn1_flag
+retrieves the value of the
+.Fa asn1_flag
+member of
+.Fa group .
+If the bit corresponding to
+.Dv OPENSSL_EC_NAMED_CURVE
+is set, named curve encoding is used for
+.Fa group ,
+otherwise explicit encoding is used.
+.Fn EC_GROUP_set_asn1_flag
+sets the
+.Fa asn1_flag
+member of group to
+.Fa flag ,
+which should be either
+.Dv OPENSSL_EC_NAMED_CURVE
+to use named curve encoding or
+.Dv OPENSSL_EC_EXPLICIT_CURVE
+to use explicit encoding.
+.Pp
+The ASN.1 encoding of explicit curve parameters includes
+an optional seed value for parameters generated verifiably at random.
+If a seed value is set on
+.Fa group ,
+.Fn EC_GROUP_get0_seed
+returns a pointer to the internal byte string whose length is returned by
+.Fn EC_GROUP_get_seed_len .
+.Pp
+.Fn EC_GROUP_set_seed
+first clears any seed and length already stored in
+.Fa group .
+If
+.Fa seed
+is not
+.Dv NULL
+and
+.Fa len
+is not zero, it stores a copy of them in
+.Fa group .
+The
+.Fa seed
+should be a random byte string of
+.Fa len
+at least 20 bytes.
+The seed can be unset by passing
+.Dv NULL
+as a
+.Fa seed
+and a
+.Fa len
+of zero.
+The library does not perform any computation or validation with this seed,
+it only includes it in its ASN.1 encoded parameters,
+whether it contains a sensible value or not.
+.Pp
+Points on an elliptic curve, such as the generator or a public key,
+can be encoded in compressed form, uncompressed form,
+or in a hybrid form encompassing both, see
+.Xr EC_POINT_point2oct 3 .
+.Fn EC_GROUP_get_point_conversion_form
+retrieves the encoding used for points on
+.Fa group
+and
+.Fn EC_GROUP_set_point_conversion_form
+sets it to
+.Fa form .
+.Pp
+The deprecated
+.Fn EC_GROUP_get_basis_type
+only makes sense for curves over binary fields.
+It is provided for compatibility only.
+.Sh RETURN VALUES
+.Fn EC_GROUP_get_curve_name
+returns the NID to be used for named curve encoding of
+.Fa group
+or
+.Dv NID_undef
+if no NID is set.
+.Pp
+.Fn EC_GROUP_get_asn1_flag
+returns the value most recently set by
+.Fn EC_GROUP_set_asn1_flag
+on
+.Fa group .
+.Pp
+.Fn EC_GROUP_get0_seed
+returns an internal pointer to the
+.Fa seed
+on
+.Fa group
+or
+.Dv NULL
+if none is set.
+.Pp
+.Fn EC_GROUP_get_seed_len
+returns the byte length of the seed set on
+.Fa group
+or zero if none is set.
+.Pp
+.Fn EC_GROUP_set_seed
+returns 0 on memory allocation failure.
+It returns
+.Fa len
+on success unless
+.Fa seed
+is
+.Dv NULL
+or
+.Fa len
+is zero, in which case it returns 1.
+.Pp
+.Fn EC_GROUP_get_point_conversion_form
+returns the point conversion form last set by
+.Fn EC_GROUP_set_point_conversion_form
+on
+.Fa group .
+.Pp
+.Fn EC_GROUP_get_basis_type
+always returns
+.Dv NID_undef .
+.Sh SEE ALSO
+.Xr crypto 3 ,
+.Xr d2i_ECPKParameters 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
+.Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3 ,
+.Xr OBJ_obj2nid 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .
+.Sh BUGS
+Most of the setters cannot report errors and none of them perform proper
+input validation and accept most of the values passed in.
+This can result in invalid or nonsensical ASN.1 encoding produced by
+.Xr i2d_ECPKParameters 3
+and related functions.
diff --git a/src/lib/libcrypto/man/EC_GROUP_new.3 b/src/lib/libcrypto/man/EC_GROUP_new.3
deleted file mode 100644
index 83e3e4c870..0000000000
--- a/src/lib/libcrypto/man/EC_GROUP_new.3
+++ /dev/null
@@ -1,353 +0,0 @@
-.\"     $OpenBSD: EC_GROUP_new.3,v 1.18 2025/03/08 16:38:13 tb Exp $
-.\"     OpenSSL 6328d367 Sat Jul 4 21:58:30 2020 +0200
-.\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
-.\" Copyright (c) 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 8 2025 $
-.Dt EC_GROUP_NEW 3
-.Os
-.Sh NAME
-.Nm EC_GROUP_new ,
-.Nm EC_GROUP_free ,
-.Nm EC_GROUP_clear_free ,
-.Nm EC_GROUP_new_curve_GFp ,
-.Nm EC_GROUP_new_by_curve_name ,
-.Nm EC_GROUP_set_curve ,
-.Nm EC_GROUP_get_curve ,
-.Nm EC_GROUP_set_curve_GFp ,
-.Nm EC_GROUP_get_curve_GFp ,
-.Nm EC_get_builtin_curves ,
-.Nm EC_curve_nid2nist ,
-.Nm EC_curve_nist2nid
-.Nd create and destroy EC_GROUP objects
-.Sh SYNOPSIS
-.In openssl/ec.h
-.In openssl/bn.h
-.Ft EC_GROUP *
-.Fo EC_GROUP_new
-.Fa "const EC_METHOD *meth"
-.Fc
-.Ft void
-.Fo EC_GROUP_free
-.Fa "EC_GROUP *group"
-.Fc
-.Ft void
-.Fo EC_GROUP_clear_free
-.Fa "EC_GROUP *group"
-.Fc
-.Ft EC_GROUP *
-.Fo EC_GROUP_new_curve_GFp
-.Fa "const BIGNUM *p"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft EC_GROUP *
-.Fo EC_GROUP_new_by_curve_name
-.Fa "int nid"
-.Fc
-.Ft int
-.Fo EC_GROUP_set_curve
-.Fa "EC_GROUP *group"
-.Fa "const BIGNUM *p"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_curve
-.Fa "const EC_GROUP *group"
-.Fa "BIGNUM *p"
-.Fa "BIGNUM *a"
-.Fa "BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_set_curve_GFp
-.Fa "EC_GROUP *group"
-.Fa "const BIGNUM *p"
-.Fa "const BIGNUM *a"
-.Fa "const BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_GROUP_get_curve_GFp
-.Fa "const EC_GROUP *group"
-.Fa "BIGNUM *p"
-.Fa "BIGNUM *a"
-.Fa "BIGNUM *b"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft size_t
-.Fo EC_get_builtin_curves
-.Fa "EC_builtin_curve *r"
-.Fa "size_t nitems"
-.Fc
-.Ft "const char *"
-.Fo EC_curve_nid2nist
-.Fa "int nid"
-.Fc
-.Ft int
-.Fo EC_curve_nist2nid
-.Fa "const char *name"
-.Fc
-.Sh DESCRIPTION
-The EC library provides functions for performing operations on
-elliptic curves in Weierstrass form.
-Such curves are defined over the prime field of order
-.Fa p
-and satisfy the Weierstrass equation with coefficients
-.Fa a
-and
-.Fa b
-.Pp
-.Dl y^2 = x^3 + ax + b
-.Pp
-An
-.Vt EC_GROUP
-structure is used to represent the definition of an elliptic curve.
-A new curve can be constructed by calling
-.Fn EC_GROUP_new ,
-using the implementation provided by
-.Fa meth .
-It is then necessary to call
-.Fn EC_GROUP_set_curve
-to set the curve parameters.
-.Pp
-.Fn EC_GROUP_set_curve
-sets the curve parameters
-.Fa p ,
-.Fa a ,
-and
-.Fa b ,
-where
-.Fa a
-and
-.Fa b
-represent the coefficients of the curve equation.
-.Pp
-.Fn EC_GROUP_set_curve_GFp
-is a deprecated synonym for
-.Fn EC_GROUP_set_curve .
-.Pp
-.Fn EC_GROUP_get_curve
-obtains the previously set curve parameters.
-.Pp
-.Fn EC_GROUP_get_curve_GFp
-is a deprecated synonym for
-.Fn EC_GROUP_get_curve .
-.Pp
-The function
-.Fn EC_GROUP_new_curve_GFp
-is a shortcut for calling
-.Fn EC_GROUP_new
-and
-.Fn EC_GROUP_set_curve .
-An appropriate default implementation method will be used.
-.Pp
-Whilst the library can be used to create any curve using the functions
-described above, there are also a number of predefined curves that are
-available.
-In order to obtain a list of all of the predefined curves, call the
-function
-.Fn EC_get_builtin_curves .
-The parameter
-.Fa r
-should be an array of
-.Vt EC_builtin_cure
-structures of size
-.Fa nitems .
-The function will populate the
-.Fa r
-array with information about the builtin curves.
-If
-.Fa nitems
-is less than the total number of curves available, then the first
-.Fa nitems
-curves will be returned.
-Otherwise the total number of curves will be provided.
-The return value is the total number of curves available (whether that
-number has been populated in
-.Fa r
-or not).
-Passing a
-.Dv NULL
-.Fa r ,
-or setting
-.Fa nitems
-to 0, will do nothing other than return the total number of curves
-available.
-The
-.Vt EC_builtin_curve
-structure is defined as follows:
-.Bd -literal
-typedef struct {
-        int nid;
-        const char *comment;
-} EC_builtin_curve;
-.Ed
-.Pp
-Each
-.Vt EC_builtin_curve
-item has a unique integer ID
-.Pq Fa nid
-and a human readable comment string describing the curve.
-.Pp
-In order to construct a builtin curve, use the function
-.Fn EC_GROUP_new_by_curve_name
-and provide the
-.Fa nid
-of the curve to be constructed.
-.Pp
-.Fn EC_GROUP_free
-frees the memory associated with the
-.Vt EC_GROUP .
-If
-.Fa group
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-.Fn EC_GROUP_clear_free
-destroys any sensitive data held within the
-.Vt EC_GROUP
-and then frees its memory.
-If
-.Fa group
-is a
-.Dv NULL
-pointer, no action occurs.
-.Pp
-Some builtin curves can be identified by their NIST name
-in addition to a numerical identifier (NID).
-.Fn EC_curve_nid2nist
-and
-.Fn EC_curve_nist2nid
-translate between the two.
-The five built-in prime curves are:
-.Pp
-.Bl -column "NIST name" NID_X9_62_prime256v1 "deprecated in SP800-186" -compact
-.It No NIST Fa name Ta Em ASN.1 NID       Ta Em notes
-.It Qq P-192   Ta Dv NID_X9_62_prime192v1 Ta No deprecated in SP800-186
-.It Qq P-224   Ta Dv NID_secp224r1        Ta
-.It Qq P-256   Ta Dv NID_X9_62_prime256v1 Ta
-.It Qq P-384   Ta Dv NID_secp384r1        Ta
-.It Qq P-521   Ta Dv NID_secp521r1        Ta
-.El
-.Pp
-.Fn EC_curve_nid2nist
-and
-.Fn EC_curve_nist2nid
-also accept the ten binary curves defined in FIPS\& 186-4
-and deprecated in SP800-186,
-although they no longer correspond to builtin curves in LibreSSL.
-.Sh RETURN VALUES
-All
-.Fn EC_GROUP_new*
-functions return a pointer to the newly constructed group or
-.Dv NULL
-on error.
-.Pp
-.Fn EC_get_builtin_curves
-returns the number of builtin curves that are available.
-.Pp
-.Fn EC_curve_nid2nist
-returns a string constant containing the NIST name if
-.Fa nid
-identifies a NIST curve or
-.Dv NULL
-otherwise.
-.Pp
-.Fn EC_curve_nist2nid
-returns the NID corresponding to the NIST curve
-.Fa name ,
-or
-.Dv NID_undef .
-.Pp
-.Fn EC_GROUP_set_curve ,
-.Fn EC_GROUP_get_curve ,
-.Fn EC_GROUP_set_curve_GFp ,
-and
-.Fn EC_GROUP_get_curve_GFp
-return 1 on success or 0 on error.
-.Sh SEE ALSO
-.Xr crypto 3 ,
-.Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_copy 3 ,
-.Xr EC_KEY_new 3 ,
-.Xr EC_POINT_add 3 ,
-.Xr EC_POINT_new 3 ,
-.Xr ECDH_compute_key 3 ,
-.Xr ECDSA_SIG_new 3
-.Sh HISTORY
-.Fn EC_GROUP_new ,
-.Fn EC_GROUP_free ,
-.Fn EC_GROUP_clear_free ,
-.Fn EC_GROUP_new_curve_GFp ,
-.Fn EC_GROUP_set_curve_GFp ,
-and
-.Fn EC_GROUP_get_curve_GFp
-first appeared in OpenSSL 0.9.7 and have been available since
-.Ox 3.2 .
-.Pp
-.Fn EC_GROUP_new_by_curve_name
-and
-.Fn EC_get_builtin_curves
-first appeared in OpenSSL 0.9.8 and have been available since
-.Ox 4.5 .
-.Fn EC_curve_nid2nist ,
-and
-.Fn EC_curve_nist2nid
-first appeared in OpenSSL 1.1.0 and have been available since
-.Ox 5.8 .
-.Pp
-.Fn EC_GROUP_set_curve
-and
-.Fn EC_GROUP_get_curve
-first appeared in OpenSSL 1.1.1 and have been available since
-.Ox 7.0 .
diff --git a/src/lib/libcrypto/man/EC_GROUP_new_by_curve_name.3 b/src/lib/libcrypto/man/EC_GROUP_new_by_curve_name.3
new file mode 100644
index 0000000000..e05365874f
--- /dev/null
+++ b/src/lib/libcrypto/man/EC_GROUP_new_by_curve_name.3
@@ -0,0 +1,311 @@
+.\" $OpenBSD: EC_GROUP_new_by_curve_name.3,v 1.4 2025/06/13 18:34:00 schwarze Exp $
+.\"
+.\" Copyright (c) 2024, 2025 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: June 13 2025 $
+.Dt EC_GROUP_NEW_BY_CURVE_NAME 3
+.Os
+.Sh NAME
+.Nm EC_GROUP_new_by_curve_name ,
+.Nm EC_GROUP_free ,
+.Nm EC_GROUP_dup ,
+.Nm EC_GROUP_cmp ,
+.Nm EC_get_builtin_curves ,
+.Nm EC_curve_nid2nist ,
+.Nm EC_curve_nist2nid
+.Nd instantiate named curves built into libcrypto
+.Sh SYNOPSIS
+.Lb libcrypto
+.In openssl/bn.h
+.In openssl/ec.h
+.In openssl/objects.h
+.Ft EC_GROUP *
+.Fo EC_GROUP_new_by_curve_name
+.Fa "int nid"
+.Fc
+.Ft void
+.Fo EC_GROUP_free
+.Fa "EC_GROUP *group"
+.Fc
+.Ft EC_GROUP *
+.Fo EC_GROUP_dup
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft int
+.Fo EC_GROUP_cmp
+.Fa "const EC_GROUP *group1"
+.Fa "const EC_GROUP *group2"
+.Fa "BN_CTX *ctx"
+.Fc
+.Bd -literal
+typedef struct {
+        int nid;
+        const char *comment;
+} EC_builtin_curve;
+.Ed
+.Ft size_t
+.Fo EC_get_builtin_curves
+.Fa "EC_builtin_curve *curves"
+.Fa "size_t ncurves"
+.Fc
+.Ft int
+.Fo EC_curve_nist2nid
+.Fa "const char *name"
+.Fc
+.Ft const char *
+.Fo EC_curve_nid2nist
+.Fa "int nid"
+.Fc
+.Sh DESCRIPTION
+Most elliptic curves used in cryptographic protocols have a
+standardized representation as a
+.Em named curve ,
+where an ASN.1 Object Identifier (OID) is used instead of
+detailed domain parameters.
+This OID is represented internally by a Numerical Identifier (NID),
+and the parameters themselves must be built into the library.
+In the EC library the
+.Em curve name
+refers to this NID.
+.Pp
+.Fn EC_GROUP_new_by_curve_name
+returns a new
+.Vt EC_GROUP
+object representing the named curve corresponding to
+.Fa nid ,
+using the parameters built into the library.
+It is equivalent to passing the appropriate parameters to
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_GROUP_set_curve_name 3 ,
+.Xr EC_GROUP_set_generator 3
+and
+.Xr EC_GROUP_set_seed 3 .
+.Pp
+.Fn EC_GROUP_free
+frees
+.Fa group
+and all the memory associated with it.
+If
+.Fa group
+is
+.Dv NULL ,
+no action occurs.
+.Pp
+.Fn EC_GROUP_dup
+creates a deep copy of
+.Fa group .
+.Pp
+.Fn EC_GROUP_cmp
+is intended to determine whether
+.Fa group1
+and
+.Fa group2
+represent the same elliptic curve,
+making use of the optional
+.Fa ctx .
+If the curve name is set on both curves, they are compared as integers,
+then the prime field,
+the coefficients of the Weierstrass equation,
+the generators, their order and their cofactors are compared
+using
+.Xr BN_cmp 3
+or
+.Xr EC_POINT_cmp 3 ,
+respectively.
+.Pp
+.Fn EC_get_builtin_curves
+returns the number of builtin curves.
+If
+.Fa curves
+is
+.Dv NULL
+or
+.Fa ncurves
+is zero, it performs no other action.
+Otherwise, after reducing
+.Fa ncurves
+to the number of builtin curves if necessary,
+it copies the
+.Fa nid
+and a pointer to the
+.Fa comment
+of the first
+.Fa ncurves
+built-in curves to the array of
+.Vt EC_builtin_curve
+objects pointed to by
+.Fa curves
+and leaves the remainder of the array uninitialized.
+.Pp
+Some curves can be identified by their NIST name
+in addition to the numerical identifier (NID).
+.Fn EC_curve_nist2nid
+and
+.Fn EC_curve_nid2nist
+translate between the two.
+The builtin NIST curves over a prime field are:
+.Pp
+.Bl -column "NIST name" NID_X9_62_prime256v1 "deprecated in SP800-186" -compact
+.It No NIST Fa name Ta Em ASN.1 NID       Ta Em notes
+.It Qq P-224   Ta Dv NID_secp224r1        Ta
+.It Qq P-256   Ta Dv NID_X9_62_prime256v1 Ta also known as secp256r1
+.It Qq P-384   Ta Dv NID_secp384r1        Ta
+.It Qq P-521   Ta Dv NID_secp521r1        Ta
+.El
+.Pp
+.Fn EC_curve_nist2nid
+and
+.Fn EC_curve_nid2nist
+also accept the binary curves defined in FIPS\& 186-4
+and deprecated in SP800-186,
+as well as
+.Qq P-192
+and
+.Dv NID_X9_62_prime192v1 ,
+although all these no longer correspond to builtin curves in LibreSSL.
+.Sh RETURN VALUES
+.Fn EC_GROUP_new_by_curve_name
+returns a newly allocated group or
+.Dv NULL
+if there is no built-in group with NID
+.Fa nid ,
+or if memory allocation fails.
+.Pp
+.Fn EC_GROUP_dup
+returns a newly allocated group or
+.Dv NULL
+if memory allocation fails.
+.Pp
+.Fn EC_GROUP_cmp
+returns 1 if the groups are distinct, 0 if the groups are
+considered identical and \-1 on memory allocation error.
+.Pp
+.Fn EC_get_builtin_curves
+returns the number of builtin curves.
+.Pp
+.Fn EC_curve_nid2nist
+returns a string constant containing the NIST name if
+.Fa nid
+identifies a NIST curve or
+.Dv NULL
+otherwise.
+.Pp
+.Fn EC_curve_nist2nid
+returns the NID corresponding to the NIST curve
+.Fa name ,
+or
+.Dv NID_undef .
+.Sh EXAMPLES
+Print the list of builtin curves, their NIDs, their NIST name and
+a comment describing each curve:
+.Bd -literal
+#include <err.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <openssl/ec.h>
+int
+main(void)
+{
+        EC_builtin_curve *curves;
+        size_t ncurves, i;
+        if (pledge("stdio", NULL) == \-1)
+                err(1, "pledge");
+        ncurves = EC_get_builtin_curves(NULL, 0);
+        if ((curves = calloc(ncurves, sizeof(*curves))) == NULL)
+                err(1, NULL);
+        (void)EC_get_builtin_curves(curves, ncurves);
+        printf("curve\etnid\etNIST\etcomment\en");
+        for (i = 0; i < ncurves; i++) {
+                const char *nist_name = EC_curve_nid2nist(curves[i].nid);
+                printf("%2zu\et%d\et%s\et%s\en", i, curves[i].nid,
+                    nist_name != NULL ? nist_name : "", curves[i].comment);
+        }
+        free(curves);
+        return 0;
+}
+.Ed
+.Sh SEE ALSO
+.Xr crypto 3 ,
+.Xr d2i_ECPKParameters 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
+.Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3 ,
+.Xr OBJ_nid2obj 3
+.Sh STANDARDS
+.Rs
+.%T SEC 1: Elliptic Curve Cryptography, Version 2.0
+.%U https://www.secg.org/sec1-v2.pdf
+.%D May 21, 2009
+.Re
+.Pp
+.Rs
+.%T SEC 2: Recommended Elliptic Curve Domain Parameters, Version 2.0
+.%U https://www.secg.org/sec2-v2.pdf
+.%D Jan 27, 2010
+.Re
+.Sh HISTORY
+.Fn EC_GROUP_free
+first appeared in OpenSSL 0.9.7 and has been available since
+.Ox 3.2 .
+.Pp
+.Fn EC_GROUP_new_by_curve_name ,
+.Fn EC_GROUP_cmp ,
+.Fn EC_GROUP_dup ,
+and
+.Fn EC_get_builtin_curves
+first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .
+.Pp
+.Fn EC_curve_nid2nist
+and
+.Fn EC_curve_nist2nid
+first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 5.8 .
+.Sh BUGS
+.Fn EC_GROUP_cmp
+compares the coefficients of the Weierstrass equation as
+integers, not as elements of the prime field.
+It also treats the generator as mandatory while it is generally
+optional in the EC library.
+Aspects of the ASN.1 encoding controlled by the functions in
+.Xr EC_GROUP_get_asn1_flag 3 ,
+in particular seed, ASN.1 flag, and point conversion form,
+are ignored in the comparison.
+Group objects may therefore compare as equal and produce
+completely different ASN.1 encodings via
+.Xr i2d_ECPKParameters 3
+and related functions.
+In fact, either of these encodings might be valid or not,
+accepted or rejected by
+.Xr d2i_ECPKParameters 3 ,
+or the encoding might fail on one or both of the group objects.
diff --git a/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3 b/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3
new file mode 100644
index 0000000000..bf586bcb41
--- /dev/null
+++ b/src/lib/libcrypto/man/EC_GROUP_new_curve_GFp.3
@@ -0,0 +1,463 @@
+.\" $OpenBSD: EC_GROUP_new_curve_GFp.3,v 1.6 2025/08/31 11:32:03 tb Exp $
+.\"
+.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: August 31 2025 $
+.Dt EC_GROUP_NEW_CURVE_GFP 3
+.Os
+.Sh NAME
+.Nm EC_GROUP_new_curve_GFp ,
+.Nm EC_GROUP_set_curve ,
+.Nm EC_GROUP_get_curve ,
+.Nm EC_GROUP_set_generator ,
+.Nm EC_GROUP_get0_generator ,
+.Nm EC_GROUP_get_degree ,
+.Nm EC_GROUP_get_order ,
+.Nm EC_GROUP_order_bits ,
+.Nm EC_GROUP_get_cofactor ,
+.Nm EC_GROUP_clear_free ,
+.Nm EC_GROUP_set_curve_GFp ,
+.Nm EC_GROUP_get_curve_GFp
+.Nd define elliptic curves and retrieve information from them
+.Sh SYNOPSIS
+.Lb libcrypto
+.In openssl/bn.h
+.In openssl/ec.h
+.Ft EC_GROUP *
+.Fo EC_GROUP_new_curve_GFp
+.Fa "const BIGNUM *p"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_set_curve
+.Fa "EC_GROUP *group"
+.Fa "const BIGNUM *p"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_curve
+.Fa "const EC_GROUP *group"
+.Fa "BIGNUM *p"
+.Fa "BIGNUM *a"
+.Fa "BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_set_generator
+.Fa "EC_GROUP *group"
+.Fa "const EC_POINT *generator"
+.Fa "const BIGNUM *order"
+.Fa "const BIGNUM *cofactor"
+.Fc
+.Ft const EC_POINT *
+.Fo EC_GROUP_get0_generator
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_degree
+.Fa "const EC_GROUP *"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_order
+.Fa "const EC_GROUP *group"
+.Fa "BIGNUM *order"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_order_bits
+.Fa "const EC_GROUP *group"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_cofactor
+.Fa "const EC_GROUP *group"
+.Fa "BIGNUM *cofactor"
+.Fa "BN_CTX *ctx"
+.Fc
+.Pp
+Deprecated:
+.Pp
+.Ft void
+.Fo EC_GROUP_clear_free
+.Fa "EC_GROUP *group"
+.Fc
+.Ft int
+.Fo EC_GROUP_set_curve_GFp
+.Fa "EC_GROUP *group"
+.Fa "const BIGNUM *p"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_GROUP_get_curve_GFp
+.Fa "const EC_GROUP *group"
+.Fa "BIGNUM *p"
+.Fa "BIGNUM *a"
+.Fa "BIGNUM *b"
+.Fa "BN_CTX *ctx"
+.Fc
+.Sh DESCRIPTION
+With the exception of the getters
+the functions in this manual should not be used.
+Use
+.Xr EC_GROUP_new_by_curve_name 3
+instead.
+.Pp
+The EC library uses
+.Vt EC_GROUP
+objects to represent
+elliptic curves in Weierstrass form.
+These curves are defined over the prime field of order
+.Fa p
+via the Weierstrass equation
+.Pp
+.Dl y^2 = x^3 + ax + b
+.Pp
+where
+.Fa a
+and
+.Fa b
+are such that the discriminant 4a^3 - 27b^2 is non-zero.
+They consist of
+.Em affine points ,
+which are pairs of field elements (x, y) satisfying
+the Weierstrass equation, and an extra
+.Em point at infinity .
+.Pp
+The points on an elliptic curve form a group.
+Cryptographic applications usually depend on the choice of a
+.Fa generator
+whose multiples form a cyclic subgroup of a certain
+.Fa order .
+By Lagrange's theorem, the number of points on the elliptic curve is
+the product of
+.Fa order
+and another integer called the
+.Fa cofactor .
+Hasse's theorem is the inequality
+.Pp
+.Dl | Ns Fa order No * Fa cofactor No - (p + 1)| <= 2 sqrt(p)
+.Pp
+which implies an upper bound on
+.Fa order
+in terms of
+.Fa p
+and allows the computation of
+.Fa cofactor
+provided that
+.Fa order
+is large enough.
+.Pp
+.Fn EC_GROUP_new_curve_GFp
+instantiates a new
+.Vt EC_GROUP
+object over the prime field of size
+.Fa p
+with Weierstrass equation given by the coefficients
+.Fa a
+and
+.Fa b .
+The optional
+.Fa ctx
+is used to transform the other arguments into internal representation.
+It is the caller's responsibility to ensure that
+.Fa p
+is a prime number greater than three and that
+the discriminant is non-zero.
+This can be done with
+.Xr EC_GROUP_check_discriminant 3
+or as part of
+.Xr EC_GROUP_check 3
+after
+.Fn EC_GROUP_set_generator .
+.Pp
+.Fn EC_GROUP_set_curve
+sets the curve parameters of
+.Fa group
+to
+.Fa p ,
+.Fa a ,
+.Fa b
+using the optional
+.Fa ctx
+and the comments in
+.Fn EC_GROUP_new_curve_GFp
+apply.
+Existing
+.Fa generator ,
+.Fa order ,
+or
+.Fa cofactor
+on
+.Fa group
+are left unmodified and become most likely invalid.
+They must therefore be set to legitimate values using
+.Fn EC_GROUP_set_generator .
+.Pp
+.Fn EC_GROUP_get_curve
+copies the curve parameters of
+.Fa group
+into the caller-owned
+.Fa p ,
+.Fa a ,
+and
+.Fa b ,
+possibly making use of the
+.Fa ctx
+for conversion from internal representations.
+Except for
+.Fa group ,
+all arguments are optional.
+.Pp
+.Fn EC_GROUP_set_generator
+performs sanity checks based on Hasse's theorem
+and copies
+.Fa generator ,
+.Fa order
+and the optional
+.Fa cofactor
+into
+.Fa group ,
+replacing all existing entries.
+It is the caller's responsibility to ensure that
+.Fa generator
+is a point on the curve and that
+.Fa order
+is its order,
+which can partially be accomplished with a subsequent call to
+.Xr EC_GROUP_check 3 .
+If
+.Fa cofactor
+is
+.Dv NULL ,
+it can be computed on curves of cryptographic interest,
+in which case
+.Fa cofactor
+is set to the computed value, otherwise it is set to zero.
+.Pp
+.Fn EC_GROUP_get0_generator
+returns an internal pointer to the
+.Fa group Ns 's
+.Fa generator ,
+which may be
+.Dv NULL
+if no generator was set.
+.Pp
+.Fn EC_GROUP_get_degree
+returns the bit length of the prime
+.Fa p
+set on
+.Fa group .
+.Pp
+.Fn EC_GROUP_get_order
+copies the value of the
+.Fa group Ns 's
+.Fa order
+into the caller-owned
+.Fa order ,
+returning failure if the
+.Fa group Ns 's
+.Fa order
+is zero.
+The
+.Fa ctx
+argument is ignored.
+.Pp
+.Fn EC_GROUP_order_bits
+returns the number of bits in the
+.Fa group Ns 's
+.Fa order ,
+which is the result of calling
+.Xr BN_num_bits 3
+on
+.Fa order .
+Unlike
+.Fn EC_GROUP_get_order ,
+it does not fail if
+.Fa order
+is zero.
+.Pp
+.Fn EC_GROUP_get_cofactor
+copies the value of the
+.Fa group Ns 's
+.Fa cofactor
+into the caller-owned
+.Fa cofactor ,
+returning failure if the
+.Fa group Ns 's
+.Fa cofactor
+is zero.
+The
+.Fa ctx
+argument is ignored.
+.Pp
+The deprecated
+.Fn EC_GROUP_clear_free
+uses
+.Xr explicit_bzero 3
+and
+.Xr freezero 3
+to clear and free all data associated with
+.Fa group .
+If
+.Fa group
+is
+.Dv NULL ,
+no action occurs.
+Since there is no secret data in
+.Fa group ,
+this API is useless.
+In LibreSSL,
+.Xr EC_GROUP_free 3
+and
+.Fn EC_GROUP_clear_free
+behave identically.
+.Pp
+.Fn EC_GROUP_set_curve_GFp
+and
+.Fn EC_GROUP_get_curve_GFp
+are deprecated aliases for
+.Fn EC_GROUP_set_curve
+and
+.Fn EC_GROUP_get_curve ,
+respectively.
+.Sh RETURN VALUES
+.Fn EC_GROUP_new_curve_GFp
+returns a newly allocated group or
+.Dv NULL
+if memory allocation fails,
+or if some minimal sanity checks on
+.Fa p ,
+.Fa a ,
+and
+.Fa b
+fail.
+.Pp
+.Fn EC_GROUP_set_curve
+and
+.Fn EC_GROUP_set_curve_GFp
+return 1 on success and 0 on failure.
+Failure conditions include that
+.Fa p
+is smaller than or equal to three, or even, or
+memory allocation failure.
+.Pp
+.Fn EC_GROUP_get_curve
+and
+.Fn EC_GROUP_get_curve_GFp
+return 1 on success and 0 on memory allocation failure.
+.Pp
+.Fn EC_GROUP_set_generator
+returns 1 on success and 0 on memory allocation failure, or if
+.Fa order
+or
+.Fa cofactor
+are larger than Hasse's theorem allows.
+.Pp
+.Fn EC_GROUP_get0_generator
+returns an internal pointer to the
+.Fa generator
+or
+.Dv NULL
+if none was set on
+.Fa group .
+.Pp
+.Fn EC_GROUP_get_order
+returns 1 on success or 0 on memory allocation failure or if the
+.Fa order
+is zero.
+.Pp
+.Fn EC_GROUP_get_cofactor
+returns 1 on success or 0 on memory allocation failure or if the
+.Fa cofactor
+is zero.
+.Pp
+.Fn EC_GROUP_get_degree ,
+and
+.Fn EC_GROUP_order_bits
+return the number of bits in the
+.Fa group Ns 's
+.Fa p ,
+and
+.Fa order ,
+respectively.
+.Sh SEE ALSO
+.Xr BN_new 3 ,
+.Xr BN_num_bits 3 ,
+.Xr crypto 3 ,
+.Xr d2i_ECPKParameters 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
+.Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3
+.Sh STANDARDS
+.Rs
+.%T SEC 1: Elliptic Curve Cryptography, Version 2.0
+.%U https://www.secg.org/sec1-v2.pdf
+.%D May 21, 2009
+.Re
+.Pp
+.Rs
+.%T SEC 2: Recommended Elliptic Curve Domain Parameters, Version 2.0
+.%U https://www.secg.org/sec2-v2.pdf
+.%D Jan 27, 2010
+.Re
+.Sh HISTORY
+.Fn EC_GROUP_new_curve_GFp ,
+.Fn EC_GROUP_clear_free ,
+.Fn EC_GROUP_set_curve_GFp ,
+.Fn EC_GROUP_get_curve_GFp ,
+.Fn EC_GROUP_set_generator ,
+.Fn EC_GROUP_get0_generator ,
+.Fn EC_GROUP_get_order ,
+and
+.Fn EC_GROUP_get_cofactor
+first appeared in OpenSSL 0.9.7 and
+have been available since
+.Ox 3.2 .
+.Pp
+.Fn EC_GROUP_get_degree
+first appeared in OpenSSL 0.9.8 and
+has been available since
+.Ox 4.5 .
+.Pp
+.Fn EC_GROUP_set_curve ,
+.Fn EC_GROUP_get_curve ,
+and
+.Fn EC_GROUP_order_bits
+first appeared in OpenSSL 1.1.1 and
+have been available since
+.Ox 7.0
+.Sh BUGS
+Too many.
+The API is unergonomic and the design is very poor even by
+OpenSSL's standards.
+Naming is inconsistent, especially in regard to the _GFp suffix
+and the _get_ infix.
+Function signatures are inconsistent.
+In particular, functions that should have a
+.Vt BN_CTX
+argument don't have one and functions that don't need it have one.
diff --git a/src/lib/libcrypto/man/EC_KEY_METHOD_new.3 b/src/lib/libcrypto/man/EC_KEY_METHOD_new.3
index 79c16ef014..a0ab6bac9e 100644
--- a/src/lib/libcrypto/man/EC_KEY_METHOD_new.3
+++ b/src/lib/libcrypto/man/EC_KEY_METHOD_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_KEY_METHOD_new.3,v 1.4 2024/07/21 08:36:43 tb Exp $
+.\" $OpenBSD: EC_KEY_METHOD_new.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 21 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EC_KEY_METHOD_NEW 3
 .Os
 .Sh NAME
@@ -37,6 +37,7 @@
 .Nm EC_KEY_get_method
 .Nd custom EC_KEY implementations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
 .Ft EC_KEY_METHOD *
 .Fo EC_KEY_METHOD_new
@@ -312,7 +313,16 @@ returns 1 for success or 0 for failure.
 returns the EC_KEY implementation used by the given
 .Fa key .
 .Sh SEE ALSO
+.Xr crypto 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
 .Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3 ,
 .Xr ECDSA_sign 3
 .Sh HISTORY
 These functions first appeared in OpenSSL 1.1.0
diff --git a/src/lib/libcrypto/man/EC_KEY_new.3 b/src/lib/libcrypto/man/EC_KEY_new.3
index c24cb080ef..41ebbbe878 100644
--- a/src/lib/libcrypto/man/EC_KEY_new.3
+++ b/src/lib/libcrypto/man/EC_KEY_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EC_KEY_new.3,v 1.21 2025/03/08 16:38:13 tb Exp $
+.\" $OpenBSD: EC_KEY_new.3,v 1.23 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 3aef36ff Jan 5 13:06:03 2016 -0500
 .\" partial merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 8 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EC_KEY_NEW 3
 .Os
 .Sh NAME
@@ -81,6 +81,7 @@
 .Nm EC_KEY_print_fp
 .Nd create, destroy and manipulate EC_KEY objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
 .In openssl/bn.h
 .Ft EC_KEY *
@@ -234,7 +235,7 @@ and supplying the
 .Fa nid
 of the associated curve.
 Refer to
-.Xr EC_GROUP_new 3
+.Xr EC_GROUP_new_by_curve_name 3
 for a description of curve names.
 This function simply wraps calls to
 .Fn EC_KEY_new
@@ -357,7 +358,7 @@ The format of the external representation of the public key written by
 such as whether it is stored in a compressed form or not,
 is described by the point_conversion_form.
 See
-.Xr EC_GROUP_copy 3
+.Xr EC_POINT_point2oct 3
 for a description of point_conversion_form.
 .Pp
 When reading a private key encoded without an associated public key,
@@ -378,7 +379,7 @@ and
 get and set the point_conversion_form for the
 .Fa key .
 For a description of point_conversion_form refer to
-.Xr EC_GROUP_copy 3 .
+.Xr EC_POINT_point2oct 3 .
 .Pp
 .Fn EC_KEY_set_flags
 sets the flags in the
@@ -407,7 +408,7 @@ sets the asn1_flag on the underlying
 .Vt EC_GROUP
 object (if set).
 Refer to
-.Xr EC_GROUP_copy 3
+.Xr EC_GROUP_get_curve_name 3
 for further information on the asn1_flag.
 .Pp
 .Fn EC_KEY_precompute_mult
@@ -488,11 +489,14 @@ returns the point_conversion_form for the
 .Vt EC_KEY .
 .Sh SEE ALSO
 .Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_copy 3 ,
+.Xr EC_GROUP_check 3 ,
-.Xr EC_GROUP_new 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
 .Xr EC_KEY_METHOD_new 3 ,
 .Xr EC_POINT_add 3 ,
-.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_point2oct 3 ,
 .Xr ECDH_compute_key 3 ,
 .Xr ECDSA_SIG_new 3 ,
 .Xr EVP_PKEY_set1_EC_KEY 3
diff --git a/src/lib/libcrypto/man/EC_POINT_add.3 b/src/lib/libcrypto/man/EC_POINT_add.3
index cc35499c0e..28f3143a8d 100644
--- a/src/lib/libcrypto/man/EC_POINT_add.3
+++ b/src/lib/libcrypto/man/EC_POINT_add.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EC_POINT_add.3,v 1.15 2025/03/08 16:48:22 tb Exp $
+.\"     $OpenBSD: EC_POINT_add.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 8 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EC_POINT_ADD 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm EC_POINT_mul
 .Nd perform mathematical operations and tests on EC_POINT objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
 .In openssl/bn.h
 .Ft int
@@ -177,7 +178,7 @@ in which case the result is just
 .Dl q * m.
 .Pp
 See
-.Xr EC_GROUP_copy 3
+.Xr EC_GROUP_new_curve_GFp 3
 for information about the generator.
 .Sh RETURN VALUES
 The following functions return 1 on success or 0 on error:
@@ -197,11 +198,17 @@ returns 1 if the point is on the curve, 0 if not, or -1 on error.
 .Fn EC_POINT_cmp
 returns 1 if the points are not equal, 0 if they are, or -1 on error.
 .Sh SEE ALSO
+.Xr crypto 3 ,
 .Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_copy 3 ,
+.Xr EC_GROUP_check 3 ,
-.Xr EC_GROUP_new 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
 .Xr EC_KEY_new 3 ,
-.Xr EC_POINT_new 3
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3
 .Sh HISTORY
 .Fn EC_POINT_add ,
 .Fn EC_POINT_dbl ,
diff --git a/src/lib/libcrypto/man/EC_POINT_get_affine_coordinates.3 b/src/lib/libcrypto/man/EC_POINT_get_affine_coordinates.3
new file mode 100644
index 0000000000..76ef516307
--- /dev/null
+++ b/src/lib/libcrypto/man/EC_POINT_get_affine_coordinates.3
@@ -0,0 +1,216 @@
+.\" $OpenBSD: EC_POINT_get_affine_coordinates.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
+.\"
+.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: June 8 2025 $
+.Dt EC_POINT_GET_AFFINE_COORDINATES 3
+.Os
+.Sh NAME
+.Nm EC_POINT_get_affine_coordinates ,
+.Nm EC_POINT_set_affine_coordinates ,
+.Nm EC_POINT_set_compressed_coordinates ,
+.Nm EC_POINT_set_to_infinity ,
+.Nm EC_POINT_get_affine_coordinates_GFp ,
+.Nm EC_POINT_set_affine_coordinates_GFp ,
+.Nm EC_POINT_set_compressed_coordinates_GFp
+.Nd get and set coordinates of elliptic curve points
+.Sh SYNOPSIS
+.Lb libcrypto
+.In openssl/bn.h
+.In openssl/ec.h
+.Pp
+.Ft int
+.Fo EC_POINT_get_affine_coordinates
+.Fa "const EC_GROUP *group"
+.Fa "const EC_POINT *point"
+.Fa "BIGNUM *x"
+.Fa "BIGNUM *y"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_POINT_set_affine_coordinates
+.Fa "const EC_GROUP *group"
+.Fa "EC_POINT *point"
+.Fa "const BIGNUM *x"
+.Fa "const BIGNUM *y"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_POINT_set_compressed_coordinates
+.Fa "const EC_GROUP *group"
+.Fa "EC_POINT *point"
+.Fa "const BIGNUM *x"
+.Fa "int y_bit"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_POINT_set_to_infinity
+.Fa "const EC_GROUP *group"
+.Fa "EC_POINT *point"
+.Fc
+.Pp
+Deprecated:
+.Pp
+.Ft int
+.Fo EC_POINT_get_affine_coordinates_GFp
+.Fa "const EC_GROUP *group"
+.Fa "const EC_POINT *point"
+.Fa "BIGNUM *x"
+.Fa "BIGNUM *y"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_POINT_set_affine_coordinates_GFp
+.Fa "const EC_GROUP *group"
+.Fa "EC_POINT *point"
+.Fa "const BIGNUM *x"
+.Fa "const BIGNUM *y"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_POINT_set_compressed_coordinates_GFp
+.Fa "const EC_GROUP *group"
+.Fa "EC_POINT *point"
+.Fa "const BIGNUM *x"
+.Fa "int y_bit"
+.Fa "BN_CTX *ctx"
+.Fc
+.Sh DESCRIPTION
+.Fn EC_POINT_get_affine_coordinates
+assumes that
+.Fa point
+is a point on
+.Fa group ,
+calculates its affine coordinates from its internal representation
+using the optional
+.Fa ctx ,
+and copies them into the optional user-provided
+.Fa x
+and
+.Fa y .
+.Pp
+.Fn EC_POINT_set_affine_coordinates
+assumes that
+.Fa x
+and
+.Fa y
+are the affine coordinates of a point on
+.Fa group ,
+converts them into internal representation and sets them on
+.Fa point
+using the optional
+.Fa ctx .
+The user-provided
+.Fa point
+should be the result of
+.Fn EC_POINT_new 3
+with an argument of
+.Fa group .
+It then verifies using
+.Xr EC_POINT_is_on_curve 3
+that
+.Fa x
+and
+.Fa y
+are indeed the affine coordinates of a point on
+.Fa group .
+.Pp
+.Fn EC_POINT_set_compressed_coordinates
+assumes that
+.Fa x
+is the x-coordinate and
+.Fa y_bit
+is the parity bit of a point on
+.Fa group
+and sets
+.Fa point
+to the corresponding point on
+.Fa group .
+It does this by solving the quadratic equation y^2 = x^3 + ax + b using
+.Xr BN_mod_sqrt 3
+and the optional
+.Fa ctx ,
+chooses the solution
+.Fa y
+with parity matching
+.Fa y_bit ,
+and passes
+.Fa x
+and
+.Fa y
+to
+.Fn EC_POINT_set_affine_coordinates .
+The user-provided
+.Fa point
+should be the result of
+.Fn EC_POINT_new
+with argument
+.Fa group .
+.Pp
+.Fn EC_POINT_set_to_infinity
+sets
+.Fa point
+to the internal representation of the point at infinity on
+.Fa group .
+.Pp
+.Fn EC_POINT_get_affine_coordinates_GFp
+is a deprecated alias for
+.Fn EC_POINT_get_affine_coordinates .
+Similarly for
+.Fn EC_POINT_set_affine_coordinates_GFp
+and
+.Fn EC_POINT_set_compressed_coordinates_GFp .
+.Sh RETURN VALUES
+All these functions return 1 on success and 0 on error.
+Error conditions include memory allocation failure,
+that
+.Fa point
+is incompatible with
+.Fa group ,
+and, for the coordinate setters, that the provided coordinates
+do not represent a point on
+.Fa group .
+.Sh SEE ALSO
+.Xr BN_CTX_new 3 ,
+.Xr BN_is_zero 3 ,
+.Xr BN_mod_sqrt 3 ,
+.Xr crypto 3 ,
+.Xr d2i_ECPKParameters 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
+.Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr EC_POINT_point2oct 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3
+.Sh HISTORY
+.Fn EC_POINT_get_affine_coordinates_GFp ,
+.Fn EC_POINT_set_affine_coordinates_GFp ,
+.Fn EC_POINT_set_compressed_coordinates_GFp ,
+and
+.Fn EC_POINT_set_to_infinity
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
+.Pp
+.Fn EC_POINT_get_affine_coordinates ,
+.Fn EC_POINT_set_affine_coordinates ,
+and
+.Fn EC_POINT_set_compressed_coordinates
+first appeared in OpenSSL 1.1.1 and have been available since
+.Ox 7.0 .
diff --git a/src/lib/libcrypto/man/EC_POINT_new.3 b/src/lib/libcrypto/man/EC_POINT_new.3
index db6280fce7..0a797f8bc9 100644
--- a/src/lib/libcrypto/man/EC_POINT_new.3
+++ b/src/lib/libcrypto/man/EC_POINT_new.3
@@ -1,54 +1,20 @@
-.\" $OpenBSD: EC_POINT_new.3,v 1.17 2025/03/08 17:04:07 tb Exp $
+.\" $OpenBSD: EC_POINT_new.3,v 1.21 2025/06/13 18:34:00 schwarze Exp $
-.\" full merge up to: OpenSSL 50db8163 Jul 30 16:56:41 2018 +0100
 .\"
-.\" This file was written by Matt Caswell <matt@openssl.org>.
+.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
-.\" Copyright (c) 2013, 2016 The OpenSSL Project.  All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without
+.\" Permission to use, copy, modify, and distribute this software for any
-.\" modification, are permitted provided that the following conditions
+.\" purpose with or without fee is hereby granted, provided that the above
-.\" are met:
+.\" copyright notice and this permission notice appear in all copies.
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\"    notice, this list of conditions and the following disclaimer.
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
+.Dd $Mdocdate: June 13 2025 $
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: March 8 2025 $
 .Dt EC_POINT_NEW 3
 .Os
 .Sh NAME
@@ -56,24 +22,12 @@
 .Nm EC_POINT_free ,
 .Nm EC_POINT_clear_free ,
 .Nm EC_POINT_copy ,
-.Nm EC_POINT_dup ,
+.Nm EC_POINT_dup
-.Nm EC_POINT_set_to_infinity ,
+.Nd allocate, free and copy elliptic curve points
-.Nm EC_POINT_set_affine_coordinates ,
-.Nm EC_POINT_set_affine_coordinates_GFp ,
-.Nm EC_POINT_get_affine_coordinates ,
-.Nm EC_POINT_get_affine_coordinates_GFp ,
-.Nm EC_POINT_set_compressed_coordinates ,
-.Nm EC_POINT_set_compressed_coordinates_GFp ,
-.Nm EC_POINT_point2oct ,
-.Nm EC_POINT_oct2point ,
-.Nm EC_POINT_point2bn ,
-.Nm EC_POINT_bn2point ,
-.Nm EC_POINT_point2hex ,
-.Nm EC_POINT_hex2point
-.Nd create, destroy, and manipulate EC_POINT objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
-.In openssl/bn.h
+.Pp
 .Ft EC_POINT *
 .Fo EC_POINT_new
 .Fa "const EC_GROUP *group"
@@ -93,126 +47,32 @@
 .Fc
 .Ft EC_POINT *
 .Fo EC_POINT_dup
-.Fa "const EC_POINT *src"
+.Fa "const EC_POINT *point"
-.Fa "const EC_GROUP *group"
-.Fc
-.Ft int
-.Fo EC_POINT_set_to_infinity
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *point"
-.Fc
-.Ft int
-.Fo EC_POINT_set_affine_coordinates
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const BIGNUM *x"
-.Fa "const BIGNUM *y"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_set_affine_coordinates_GFp
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const BIGNUM *x"
-.Fa "const BIGNUM *y"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_get_affine_coordinates
 .Fa "const EC_GROUP *group"
-.Fa "const EC_POINT *p"
-.Fa "BIGNUM *x"
-.Fa "BIGNUM *y"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_get_affine_coordinates_GFp
-.Fa "const EC_GROUP *group"
-.Fa "const EC_POINT *p"
-.Fa "BIGNUM *x"
-.Fa "BIGNUM *y"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_set_compressed_coordinates
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const BIGNUM *x"
-.Fa "int y_bit"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_set_compressed_coordinates_GFp
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const BIGNUM *x"
-.Fa "int y_bit"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft size_t
-.Fo EC_POINT_point2oct
-.Fa "const EC_GROUP *group"
-.Fa "const EC_POINT *p"
-.Fa "point_conversion_form_t form"
-.Fa "unsigned char *buf"
-.Fa "size_t len"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft int
-.Fo EC_POINT_oct2point
-.Fa "const EC_GROUP *group"
-.Fa "EC_POINT *p"
-.Fa "const unsigned char *buf"
-.Fa "size_t len"
-.Fa "BN_CTX *ctx"
-.Fc
-.Ft BIGNUM *
-.Fo EC_POINT_point2bn
-.Fa "const EC_GROUP *"
-.Fa "const EC_POINT *"
-.Fa "point_conversion_form_t form"
-.Fa "BIGNUM *"
-.Fa "BN_CTX *"
-.Fc
-.Ft EC_POINT *
-.Fo EC_POINT_bn2point
-.Fa "const EC_GROUP *"
-.Fa "const BIGNUM *"
-.Fa "EC_POINT *"
-.Fa "BN_CTX *"
-.Fc
-.Ft char *
-.Fo EC_POINT_point2hex
-.Fa "const EC_GROUP *"
-.Fa "const EC_POINT *"
-.Fa "point_conversion_form_t form"
-.Fa "BN_CTX *"
-.Fc
-.Ft EC_POINT *
-.Fo EC_POINT_hex2point
-.Fa "const EC_GROUP *"
-.Fa "const char *"
-.Fa "EC_POINT *"
-.Fa "BN_CTX *"
 .Fc
 .Sh DESCRIPTION
 An
 .Vt EC_POINT
-represents a point on a curve.
+object holds a point on the elliptic curve represented by an
-A curve is represented by an
+.Vt EC_GROUP .
-.Vt EC_GROUP
+The details of the internal representation depend on the group
-object created by the functions described in
+and should never be an application's concern since the EC library
-.Xr EC_GROUP_new 3 .
+has API to set a point's coordinates,
+.Xr EC_POINT_set_affine_coordinates 3 .
 .Pp
-A new point is constructed by calling the function
 .Fn EC_POINT_new
-and providing the
+allocates and initializes an
-.Fa group
+.Vt EC_POINT
-object that the point relates to.
+object to be used with the
+.Fa group .
+Before explicitly setting its coordinates, the returned
+.Vt EC_POINT
+is invalid.
 .Pp
 .Fn EC_POINT_free
-frees the memory associated with the
+frees
-.Vt EC_POINT .
+.Fa point
+and all memory associated with it.
 If
 .Fa point
 is a
@@ -220,236 +80,129 @@ is a
 pointer, no action occurs.
 .Pp
 .Fn EC_POINT_clear_free
-destroys any sensitive data held within the
+is intended to destroy sensitive data held in
-.Vt EC_POINT
-and then frees its memory.
-If
 .Fa point
-is a
+in addition to freeing all memory associated with it.
-.Dv NULL
+Since elliptic curve points usually hold public data, this
-pointer, no action occurs.
+is rarely needed.
+In LibreSSL,
+.Fn EC_POINT_free
+and
+.Fn EC_POINT_clear_free
+behave identically.
 .Pp
 .Fn EC_POINT_copy
-copies the point
+copies the internal representation of
 .Fa src
 into
 .Fa dst .
-Both
+If
 .Fa src
 and
 .Fa dst
-must use the same
+are identical, no action occurs.
-.Vt EC_METHOD .
+Both
-.Pp
-.Fn EC_POINT_dup
-creates a new
-.Vt EC_POINT
-object and copies the content from
 .Fa src
-to the newly created
-.Vt EC_POINT
-object.
-.Pp
-A valid point on a curve is the special point at infinity.
-A point is set to be at infinity by calling
-.Fn EC_POINT_set_to_infinity .
-.Pp
-The affine coordinates for a point describe a point in terms of its
-.Fa x
 and
-.Fa y
+.Fa dst
-position.
+should be the result of
-The function
+.Fn EC_POINT_new
-.Fn EC_POINT_set_affine_coordinates
+with the same
-sets the
+.Fa group
-.Fa x
+argument, although
-and
+.Fn EC_POINT_copy
-.Fa y
+cannot check that.
-coordinates for the point
-.Fa p
-defined over the curve given in
-.Fa group .
-The function
-.Fn EC_POINT_get_affine_coordinates
-sets
-.Fa x
-and
-.Fa y ,
-either of which may be
-.Dv NULL ,
-to the corresponding coordinates of
-.Fa p .
-.Pp
-The functions
-.Fn EC_POINT_set_affine_coordinates_GFp
-is a deprecated synonym for
-.Fn EC_POINT_set_affine_coordinates
-and the function
-.Fn EC_POINT_get_affine_coordinates_GFp
-is a deprecated synonym for
-.Fn EC_POINT_get_affine_coordinates .
-.Pp
-Points can also be described in terms of their compressed coordinates.
-For a point
-.Pq Fa x , y ,
-for any given value for
-.Fa x
-such that the point is on the curve, there will only ever be two
-possible values for
-.Fa y .
-Therefore, a point can be set using the
-.Fn EC_POINT_set_compressed_coordinates
-function where
-.Fa x
-is the x coordinate and
-.Fa y_bit
-is a value 0 or 1 to identify which of the two possible values for y
-should be used.
-.Pp
-The functions
-.Fn EC_POINT_set_compressed_coordinates_GFp
-is a deprecated synonym for
-.Fn EC_POINT_set_compressed_coordinates .
-.Pp
-In addition
-.Vt EC_POINT Ns s
-can be converted to and from various external representations.
-Supported representations are octet strings,
-.Vt BIGNUM Ns s ,
-and hexadecimal.
-The format of the external representation is described by the
-point_conversion_form.
-See
-.Xr EC_GROUP_copy 3
-for a description of point_conversion_form.
-Octet strings are stored in a buffer along with an associated buffer
-length.
-A point held in a
-.Vt BIGNUM
-is calculated by converting the point to an octet string and then
-converting that octet string into a
-.Vt BIGNUM
-integer.
-Points in hexadecimal format are stored in a NUL terminated character
-string where each character is one of the printable values 0-9 or A-F
-(or a-f).
-.Pp
-The functions
-.Fn EC_POINT_point2oct ,
-.Fn EC_POINT_oct2point ,
-.Fn EC_POINT_point2bn ,
-.Fn EC_POINT_bn2point ,
-.Fn EC_POINT_point2hex ,
-and
-.Fn EC_POINT_hex2point
-convert from and to
-.Vt EC_POINT Ns s
-for the formats octet string,
-.Vt BIGNUM ,
-and hexadecimal, respectively.
-.Pp
-The function
-.Fn EC_POINT_point2oct
-must be supplied with a
-.Fa buf
-long enough to store the octet string.
-The return value provides the number of octets stored.
-Calling the function with a
-.Dv NULL
-.Fa buf
-will not perform the conversion but will still return the required
-buffer length.
 .Pp
-The function
+.Fn EC_POINT_dup
-.Fn EC_POINT_point2hex
+creates a deep copy of
-will allocate sufficient memory to store the hexadecimal string.
+.Fa point
-It is the caller's responsibility to free this memory with a subsequent
+by combining
-call to
+.Fn EC_POINT_new
-.Xr free 3 .
+with
+.Fn EC_GROUP_copy .
 .Sh RETURN VALUES
 .Fn EC_POINT_new
-and
+returns a newly allocated
-.Fn EC_POINT_dup
-return the newly allocated
 .Vt EC_POINT
 or
 .Dv NULL
-on error.
+on memory allocation failure.
-.Pp
-The following functions return 1 on success or 0 on error:
-.Fn EC_POINT_copy ,
-.Fn EC_POINT_set_to_infinity ,
-.Fn EC_POINT_set_affine_coordinates ,
-.Fn EC_POINT_set_affine_coordinates_GFp ,
-.Fn EC_POINT_get_affine_coordinates ,
-.Fn EC_POINT_get_affine_coordinates_GFp ,
-.Fn EC_POINT_set_compressed_coordinates ,
-.Fn EC_POINT_set_compressed_coordinates_GFp ,
-and
-.Fn EC_POINT_oct2point .
-.Pp
-.Fn EC_POINT_point2oct
-returns the length of the required buffer, or 0 on error.
-.Pp
-.Fn EC_POINT_point2bn
-returns the pointer to the
-.Vt BIGNUM
-supplied or
-.Dv NULL
-on error.
 .Pp
-.Fn EC_POINT_bn2point
+.Fn EC_POINT_copy
-returns the pointer to the
+returns 1 on success or 0 on error.
-.Vt EC_POINT
+Error conditions include memory allocation failure and that
-supplied or
+.Fa dst
-.Dv NULL
+is incompatible with the group on which
-on error.
+.Fa src
-.Pp
+is defined.
-.Fn EC_POINT_point2hex
-returns a pointer to the hex string or
-.Dv NULL
-on error.
 .Pp
-.Fn EC_POINT_hex2point
+.Fn EC_POINT_dup
-returns the pointer to the
+returns a newly allocated
 .Vt EC_POINT
-supplied or
+or
 .Dv NULL
-on error.
+on failure.
+Error conditions include memory allocation failure or that
+.Fa group
+is incompatible with
+.Fa src .
 .Sh SEE ALSO
+.Xr BN_CTX_new 3 ,
+.Xr BN_is_zero 3 ,
+.Xr crypto 3 ,
 .Xr d2i_ECPKParameters 3 ,
-.Xr EC_GROUP_copy 3 ,
+.Xr EC_GROUP_check 3 ,
-.Xr EC_GROUP_new 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
 .Xr EC_KEY_new 3 ,
 .Xr EC_POINT_add 3 ,
-.Xr ECDH_compute_key 3
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_point2oct 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3
 .Sh HISTORY
 .Fn EC_POINT_new ,
 .Fn EC_POINT_free ,
 .Fn EC_POINT_clear_free ,
-.Fn EC_POINT_copy ,
-.Fn EC_POINT_set_to_infinity ,
-.Fn EC_POINT_set_affine_coordinates_GFp ,
-.Fn EC_POINT_get_affine_coordinates_GFp ,
-.Fn EC_POINT_set_compressed_coordinates_GFp ,
-.Fn EC_POINT_point2oct ,
 and
-.Fn EC_POINT_oct2point
+.Fn EC_POINT_copy
 first appeared in OpenSSL 0.9.7 and have been available since
 .Ox 3.2 .
 .Pp
-.Fn EC_POINT_dup ,
+.Fn EC_POINT_dup
-.Fn EC_POINT_point2bn ,
+first appeared in OpenSSL 0.9.8 and has been available since
-.Fn EC_POINT_bn2point ,
-.Fn EC_POINT_point2hex ,
-and
-.Fn EC_POINT_hex2point
-first appeared in OpenSSL 0.9.8 and have been available since
 .Ox 4.5 .
-.Pp
+.Sh BUGS
-.Fn EC_POINT_set_affine_coordinates ,
+A fundamental flaw in the OpenSSL API toolkit is that
-.Fn EC_POINT_get_affine_coordinates ,
+.Fn *_new
+functions usually create invalid objects that are tricky to
+turn into valid objects.
+One specific flaw in the EC library internals is that
+.Vt EC_POINT
+objects do not hold a reference to the group they live on
+despite the fact that
+.Fn EC_POINT_new
+has a
+.Fa group
+argument.
+This is difficult to fix because
+.Vt EC_GROUP
+objects are not reference counted and
+because of const qualifiers in the API.
+This is the root cause for various contortions in the EC library
+and API and
+there are security implications because not
+only does the library not know whether an
+.Fa EC_POINT
+object represents a valid point,
+even if it did know that it would still not know on what curve.
+.Pp
+The signature of
+.Fn EC_GROUP_dup
+is bizarre and the order of
+.Fa point
 and
-.Fn EC_POINT_set_compressed_coordinates
+.Fa group
-first appeared in OpenSSL 1.1.1 and have been available since
+is inconsistent with the rest of the EC API.
-.Ox 7.0 .
diff --git a/src/lib/libcrypto/man/EC_POINT_point2oct.3 b/src/lib/libcrypto/man/EC_POINT_point2oct.3
new file mode 100644
index 0000000000..ac89c9b1d4
--- /dev/null
+++ b/src/lib/libcrypto/man/EC_POINT_point2oct.3
@@ -0,0 +1,434 @@
+.\" $OpenBSD: EC_POINT_point2oct.3,v 1.6 2025/06/13 18:34:00 schwarze Exp $
+.\"
+.\" Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: June 13 2025 $
+.Dt EC_POINT_POINT2OCT 3
+.Os
+.Sh NAME
+.Nm EC_POINT_point2oct ,
+.Nm EC_POINT_oct2point ,
+.Nm EC_POINT_point2bn ,
+.Nm EC_POINT_bn2point ,
+.Nm EC_POINT_point2hex ,
+.Nm EC_POINT_hex2point
+.Nd encode and decode elliptic curve points
+.Sh SYNOPSIS
+.Lb libcrypto
+.In openssl/bn.h
+.In openssl/ec.h
+.Bd -literal
+typedef enum {
+        POINT_CONVERSION_COMPRESSED = 2,
+        POINT_CONVERSION_UNCOMPRESSED = 4,
+        POINT_CONVERSION_HYBRID = 6
+} point_conversion_form_t;
+.Ed
+.Ft size_t
+.Fo EC_POINT_point2oct
+.Fa "const EC_GROUP *group"
+.Fa "const EC_POINT *point"
+.Fa "point_conversion_form_t form"
+.Fa "unsigned char *buf"
+.Fa "size_t len"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo EC_POINT_oct2point
+.Fa "const EC_GROUP *group"
+.Fa "EC_POINT *point"
+.Fa "const unsigned char *buf"
+.Fa "size_t len"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft BIGNUM *
+.Fo EC_POINT_point2bn
+.Fa "const EC_GROUP *group"
+.Fa "const EC_POINT *point"
+.Fa "point_conversion_form_t form"
+.Fa "BIGNUM *bn"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft EC_POINT *
+.Fo EC_POINT_bn2point
+.Fa "const EC_GROUP *group"
+.Fa "const BIGNUM *bn"
+.Fa "EC_POINT *point"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft char *
+.Fo EC_POINT_point2hex
+.Fa "const EC_GROUP *group"
+.Fa "const EC_POINT *point"
+.Fa "point_conversion_form_t form"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft EC_POINT *
+.Fo EC_POINT_hex2point
+.Fa "const EC_GROUP *group"
+.Fa "const char *hex"
+.Fa "EC_POINT *point"
+.Fa "BN_CTX *ctx"
+.Fc
+.Sh DESCRIPTION
+The
+.Fa ctx
+argument of all functions in this manual is optional.
+.Pp
+An
+.Vt EC_POINT
+object represents a point on the elliptic curve given by an
+.Vt EC_GROUP
+object.
+It is either the point at infinity or it has a representation
+(x, y) in standard affine coordinates,
+in which case it satisfies the curve's Weierstrass equation
+.Pp
+.Dl y^2 = x^3 + ax + b
+.Pp
+in the prime field of size p.
+Thus, y is a square root of x^3 + ax + b.
+Since p > 3 is odd, p - y is another square root
+with different parity, unless y is zero.
+Point compression uses that x and the parity of y are enough
+to compute y using
+.Xr BN_mod_sqrt 3 .
+.Pp
+Field elements are represented as non-negative integers < p
+in big-endian 2-complement form, zero-padded on the left to the byte
+length l of p.
+If X and Y are the representations of x and y, respectively, and P is
+the parity bit of y, the three encodings of the point (x, y) are
+the byte strings:
+.Bl -column "EncodingX" "CompressedX" "UncompressedX" "Hybrid" -offset indent -compact
+.It Ta Em Compressed Ta Em Uncompressed Ta Em Hybrid
+.It Encoding Ta 2+P || X Ta 4 || X || Y Ta 6+P || X || Y
+.It Length Ta 1 + l Ta 1 + 2l Ta 1 + 2l
+.El
+where the first octet is the point conversion form
+combined with the parity bit in the compressed and hybrid encodings.
+The point at infinity is encoded as a single zero byte.
+.Pp
+.Fn EC_POINT_point2oct
+converts
+.Fa point
+into the octet string encoding of type
+.Fa form .
+It assumes without checking that
+.Fa point
+is a point on the elliptic curve represented by
+.Fa group
+and operates in two modes depending on the
+.Fa buf
+argument.
+If
+.Fa buf
+is
+.Dv NULL ,
+.Fn EC_POINT_point2oct
+returns the length of
+.Fa point Ns 's
+encoding of type
+.Fa form
+and ignores the
+.Fa len
+and
+.Fa ctx
+arguments.
+If
+.Fa buf
+is not
+.Dv NULL
+and its length
+.Fa len
+is sufficiently big,
+.Fn EC_POINT_point2oct
+writes the
+.Fa point Ns 's
+encoding of type
+.Fa form
+to
+.Fa buf
+and returns the number of bytes written.
+Unless
+.Fa point
+is the point at infinity, the coordinates to be encoded are calculated using
+.Xr EC_POINT_get_affine_coordinates 3 .
+.Pp
+.Fn EC_POINT_oct2point
+decodes the octet string representation of a point on
+.Fa group
+in
+.Fa buf
+of size
+.Fa len
+and, if it represents a point on
+.Fa group ,
+sets it on the caller-provided
+.Fa point
+using
+.Xr EC_POINT_set_to_infinity 3
+.Xr EC_POINT_set_compressed_coordinates 3 ,
+or
+.Xr EC_POINT_set_affine_coordinates 3 .
+For hybrid encoding the consistency of
+the parity bit in the leading octet is verified.
+.Pp
+.Fn EC_POINT_point2bn
+returns a
+.Vt BIGNUM
+containing the encoding of type
+.Fa form
+of the
+.Fa point
+on
+.Fa group .
+If
+.Fa bn
+is
+.Dv NULL ,
+this
+.Vt BIGNUM
+is newly allocated, otherwise the result is copied into
+.Fa bn
+and returned.
+.Fn EC_POINT_point2bn
+is equivalent to
+.Fn EC_POINT_point2oct
+followed by
+.Xr BN_bin2bn 3 .
+.Pp
+.Fn EC_POINT_bn2point
+assumes that
+.Fa bn
+contains the encoding of a point on
+.Fa group .
+If
+.Fa point
+is
+.Dv NULL ,
+the result is placed in a newly allocated
+.Vt EC_POINT ,
+otherwise the result is placed in
+.Fa point
+which is then returned.
+.Fn EC_POINT_bn2point
+is equivalent to
+.Xr BN_bn2bin 3
+followed by
+.Fn EC_POINT_oct2point .
+.Pp
+.Fn EC_POINT_point2hex
+returns a printable string containing the hexadecimal encoding of
+the point encoding of type
+.Fa form
+of the
+.Fa point
+on
+.Fa group .
+The string must be freed by the caller using
+.Xr free 3 .
+.Fn EC_POINT_point2hex
+is equivalent to
+.Fn EC_POINT_point2bn
+followed by
+.Xr BN_bn2hex 3 .
+.Pp
+.Fn EC_POINT_hex2point
+interprets
+.Fa hex
+as a hexadecimal encoding of the point encoding of a point on
+.Fa group .
+If
+.Fa point
+is
+.Dv NULL ,
+the result is returned in a newly allocated
+.Vt EC_POINT ,
+otherwise the result is copied into
+.Fa point ,
+which is then returned.
+.Fn EC_POINT_hex2point
+is equivalent to
+.Xr BN_hex2bn 3
+followed by
+.Fn EC_POINT_bn2point .
+.Sh RETURN VALUES
+If
+.Fa buf
+is
+.Dv NULL ,
+.Fn EC_POINT_point2oct
+returns the length needed to encode the
+.Fa point
+on
+.Fa group ,
+or 0 on error.
+If
+.Fa buf
+is not
+.Dv NULL ,
+.Fn EC_POINT_point2oct
+returns the number of bytes written to
+.Fa buf
+or 0 on error.
+Error conditions include that
+.Fa form
+is invalid,
+.Fa len
+is too small, and memory allocation failure.
+.Pp
+.Fn EC_POINT_oct2point
+returns 1 on success and 0 on error.
+Error conditions include invalid encoding,
+.Fa buf
+does not represent a point on
+.Fa group ,
+or memory allocation failure.
+.Pp
+.Fn EC_POINT_point2bn
+returns a
+.Vt BIGNUM
+containing the encoding of
+.Fa point
+or
+.Dv NULL
+on error.
+The returned
+.Vt BIGNUM
+is either
+.Fa bn
+or a newly allocated one which must be freed by the caller.
+Error conditions include those of
+.Fn EC_POINT_point2oct ,
+.Xr BN_bn2bin 3 ,
+or memory allocation failure.
+.Pp
+.Fn EC_POINT_bn2point
+returns an
+.Vt EC_POINT
+corresponding to the encoding in
+.Fa bn
+or
+.Dv NULL
+on error.
+The returned
+.Vt EC_POINT
+is either
+.Fa point
+or a newly allocated one which must be freed by the caller.
+Error conditions include those of
+.Xr BN_bn2bin 3 ,
+.Fn EC_POINT_oct2point ,
+or memory allocation failure.
+.Pp
+.Fn EC_POINT_point2hex
+returns a newly allocated string or
+.Dv NULL
+on error.
+Error conditions include those of
+.Fn EC_POINT_point2bn
+or
+.Xr BN_bn2hex 3 .
+.Pp
+.Fn EC_POINT_hex2point
+returns an
+.Vt EC_POINT
+containing the decoded point on
+.Fa group
+or
+.Dv NULL
+on error.
+The returned
+.Vt EC_POINT
+is either
+.Fa point
+or a newly allocated one which must be freed by the caller.
+Error conditions are those of
+.Xr BN_hex2bn 3 ,
+or
+.Fn EC_POINT_bn2point .
+.Sh SEE ALSO
+.Xr BN_mod_sqrt 3 ,
+.Xr BN_new 3 ,
+.Xr BN_num_bits 3 ,
+.Xr crypto 3 ,
+.Xr d2i_ECPKParameters 3 ,
+.Xr EC_GROUP_check 3 ,
+.Xr EC_GROUP_get_curve_name 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
+.Xr EC_GROUP_new_curve_GFp 3 ,
+.Xr EC_KEY_METHOD_new 3 ,
+.Xr EC_KEY_new 3 ,
+.Xr EC_POINT_add 3 ,
+.Xr EC_POINT_get_affine_coordinates 3 ,
+.Xr EC_POINT_new 3 ,
+.Xr ECDH_compute_key 3 ,
+.Xr ECDSA_SIG_new 3
+.Sh STANDARDS
+.Rs
+.%T SEC 1: Elliptic Curve Cryptography, Version 2.0
+.%U https://www.secg.org/sec1-v2.pdf
+.%D May 21, 2009
+.Re
+.Sh HISTORY
+.Fn EC_POINT_point2oct
+and
+.Fn EC_POINT_oct2point
+first appeared in OpenSSL 0.9.7 and have been available since
+.Ox 3.2 .
+.Pp
+.Fn EC_POINT_point2bn ,
+.Fn EC_POINT_bn2point ,
+.Fn EC_POINT_point2hex ,
+and
+.Fn EC_POINT_hex2point
+first appeared in OpenSSL 0.9.8 and have been available since
+.Ox 4.5 .
+.Sh BUGS
+The
+.Vt point_conversion_form_t
+is not properly exposed in the API.
+There is no representation for the point at infinity nor is there
+an API interface for the parity bit,
+forcing applications to invent their own and do bit twiddling in buffers.
+.Pp
+The poorly chosen signatures of the functions in this manual result
+in an unergonomic API, particularly so for
+.Fn EC_POINT_point2oct
+and
+.Fn EC_POINT_oct2point .
+Due to fundamental misdesign in the EC library,
+points are not directly linked to the curve they live on.
+Adding checks that
+.Fa point
+lives on
+.Fa group
+is too expensive and intrusive, so it is and will continue to be easy
+to make the EC_POINT_point2* API output nonsense.
+.Pp
+.Fn EC_POINT_point2bn
+and
+.Fn EC_POINT_bn2point
+make no sense.
+They abuse
+.Vt BIGNUM
+as a vector type, which is in poor taste.
+.Pp
+.Fn EC_POINT_point2hex
+and
+.Fn EC_POINT_hex2point
+use a non-standard encoding format.
diff --git a/src/lib/libcrypto/man/ENGINE_new.3 b/src/lib/libcrypto/man/ENGINE_new.3
index 55ed963563..f70adecc17 100644
--- a/src/lib/libcrypto/man/ENGINE_new.3
+++ b/src/lib/libcrypto/man/ENGINE_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ENGINE_new.3,v 1.10 2023/11/19 21:13:47 tb Exp $
+.\" $OpenBSD: ENGINE_new.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ENGINE_NEW 3
 .Os
 .Sh NAME
@@ -40,6 +40,7 @@
 .Nm ENGINE_cleanup
 .Nd ENGINE stub functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/engine.h
 .Ft ENGINE *
 .Fn ENGINE_new void
diff --git a/src/lib/libcrypto/man/ERR.3 b/src/lib/libcrypto/man/ERR.3
index 8f17e7a329..7d67c4f556 100644
--- a/src/lib/libcrypto/man/ERR.3
+++ b/src/lib/libcrypto/man/ERR.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR.3,v 1.11 2023/07/26 20:15:51 tb Exp $
+.\"     $OpenBSD: ERR.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 186bb907 Apr 13 11:05:13 2015 -0700
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 26 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR 3
 .Os
 .Sh NAME
 .Nm ERR
 .Nd OpenSSL error codes
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Sh DESCRIPTION
 When a call to the OpenSSL library fails, this is usually signaled by
diff --git a/src/lib/libcrypto/man/ERR_GET_LIB.3 b/src/lib/libcrypto/man/ERR_GET_LIB.3
index bc14f0e2ac..754f7fafe3 100644
--- a/src/lib/libcrypto/man/ERR_GET_LIB.3
+++ b/src/lib/libcrypto/man/ERR_GET_LIB.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_GET_LIB.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: ERR_GET_LIB.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL doc/man3/ERR_GET_LIB.pod 3dfda1a6 Dec 12 11:14:40 2016 -0500
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_GET_LIB 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm ERR_FATAL_ERROR
 .Nd get library, function and reason codes for OpenSSL errors
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft int
 .Fo ERR_GET_LIB
diff --git a/src/lib/libcrypto/man/ERR_asprintf_error_data.3 b/src/lib/libcrypto/man/ERR_asprintf_error_data.3
index 4291dea23e..edd8655d6d 100644
--- a/src/lib/libcrypto/man/ERR_asprintf_error_data.3
+++ b/src/lib/libcrypto/man/ERR_asprintf_error_data.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ERR_asprintf_error_data.3,v 1.3 2024/08/29 20:23:21 tb Exp $
+.\" $OpenBSD: ERR_asprintf_error_data.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Bob Beck <beck@openbsd.org>
 .\"
@@ -13,13 +13,14 @@
 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd $Mdocdate: August 29 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_ASPRINTF_ERROR_DATA 3
 .Os
 .Sh NAME
 .Nm ERR_asprintf_error_data
 .Nd record a LibreSSL error using a formatted string
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft void
 .Fo ERR_asprintf_error_data
diff --git a/src/lib/libcrypto/man/ERR_clear_error.3 b/src/lib/libcrypto/man/ERR_clear_error.3
index 54f563e166..d39ac11956 100644
--- a/src/lib/libcrypto/man/ERR_clear_error.3
+++ b/src/lib/libcrypto/man/ERR_clear_error.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_clear_error.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: ERR_clear_error.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_CLEAR_ERROR 3
 .Os
 .Sh NAME
 .Nm ERR_clear_error
 .Nd clear the OpenSSL error queue
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft void
 .Fn ERR_clear_error void
diff --git a/src/lib/libcrypto/man/ERR_error_string.3 b/src/lib/libcrypto/man/ERR_error_string.3
index 60f9132859..a1df20fe70 100644
--- a/src/lib/libcrypto/man/ERR_error_string.3
+++ b/src/lib/libcrypto/man/ERR_error_string.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_error_string.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: ERR_error_string.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_ERROR_STRING 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm ERR_reason_error_string
 .Nd obtain human-readable OpenSSL error messages
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft char *
 .Fo ERR_error_string
diff --git a/src/lib/libcrypto/man/ERR_get_error.3 b/src/lib/libcrypto/man/ERR_get_error.3
index f3bcc09cbc..c592c34528 100644
--- a/src/lib/libcrypto/man/ERR_get_error.3
+++ b/src/lib/libcrypto/man/ERR_get_error.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_get_error.3,v 1.8 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: ERR_get_error.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_GET_ERROR 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm ERR_peek_last_error_line_data
 .Nd obtain OpenSSL error code and data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft unsigned long
 .Fn ERR_get_error void
diff --git a/src/lib/libcrypto/man/ERR_load_crypto_strings.3 b/src/lib/libcrypto/man/ERR_load_crypto_strings.3
index 2bca8af60f..13da93e22d 100644
--- a/src/lib/libcrypto/man/ERR_load_crypto_strings.3
+++ b/src/lib/libcrypto/man/ERR_load_crypto_strings.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ERR_load_crypto_strings.3,v 1.12 2024/03/05 19:21:31 tb Exp $
+.\" $OpenBSD: ERR_load_crypto_strings.3,v 1.14 2025/06/08 22:58:09 schwarze Exp $
 .\" full merge up to: OpenSSL f672aee4 Feb 9 11:52:40 2016 -0500
 .\" selective merge up to: OpenSSL b3696a55 Sep 2 09:35:50 2017 -0400
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_LOAD_CRYPTO_STRINGS 3
 .Os
 .Sh NAME
@@ -101,11 +101,14 @@
 .\" ERR_load_X509_strings()
 .\" ERR_load_X509V3_strings()
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft void
 .Fn ERR_load_crypto_strings void
 .Ft void
 .Fn ERR_free_strings void
+.Pp
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_load_error_strings void
diff --git a/src/lib/libcrypto/man/ERR_load_strings.3 b/src/lib/libcrypto/man/ERR_load_strings.3
index 1020743954..9697742404 100644
--- a/src/lib/libcrypto/man/ERR_load_strings.3
+++ b/src/lib/libcrypto/man/ERR_load_strings.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_load_strings.3,v 1.8 2024/07/26 03:40:43 tb Exp $
+.\"     $OpenBSD: ERR_load_strings.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 26 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_LOAD_STRINGS 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm ERR_get_next_error_library
 .Nd load arbitrary OpenSSL error strings
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft void
 .Fo ERR_load_strings
diff --git a/src/lib/libcrypto/man/ERR_print_errors.3 b/src/lib/libcrypto/man/ERR_print_errors.3
index a5c7c03287..4d6f8d3717 100644
--- a/src/lib/libcrypto/man/ERR_print_errors.3
+++ b/src/lib/libcrypto/man/ERR_print_errors.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_print_errors.3,v 1.8 2020/03/28 22:40:58 schwarze Exp $
+.\"     $OpenBSD: ERR_print_errors.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>,
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 28 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_PRINT_ERRORS 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm ERR_print_errors_cb
 .Nd print OpenSSL error messages
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft void
 .Fo ERR_print_errors
diff --git a/src/lib/libcrypto/man/ERR_put_error.3 b/src/lib/libcrypto/man/ERR_put_error.3
index 37e1b4d1ab..1af0e37826 100644
--- a/src/lib/libcrypto/man/ERR_put_error.3
+++ b/src/lib/libcrypto/man/ERR_put_error.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_put_error.3,v 1.11 2024/08/29 20:23:21 tb Exp $
+.\"     $OpenBSD: ERR_put_error.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 29 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_PUT_ERROR 3
 .Os
 .Sh NAME
 .Nm ERR_put_error
 .Nd record an OpenSSL error
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft void
 .Fo ERR_put_error
diff --git a/src/lib/libcrypto/man/ERR_remove_state.3 b/src/lib/libcrypto/man/ERR_remove_state.3
index bc28f15dea..c05810d778 100644
--- a/src/lib/libcrypto/man/ERR_remove_state.3
+++ b/src/lib/libcrypto/man/ERR_remove_state.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_remove_state.3,v 1.7 2020/03/28 22:40:58 schwarze Exp $
+.\"     $OpenBSD: ERR_remove_state.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 28 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_REMOVE_STATE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm ERR_remove_state
 .Nd free a thread's OpenSSL error queue
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft void
 .Fo ERR_remove_thread_state
diff --git a/src/lib/libcrypto/man/ERR_set_mark.3 b/src/lib/libcrypto/man/ERR_set_mark.3
index 2f3486d8c0..88b1be88b5 100644
--- a/src/lib/libcrypto/man/ERR_set_mark.3
+++ b/src/lib/libcrypto/man/ERR_set_mark.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ERR_set_mark.3,v 1.4 2018/03/23 00:09:11 schwarze Exp $
+.\"     $OpenBSD: ERR_set_mark.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Richard Levitte <levitte@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ERR_SET_MARK 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm ERR_pop_to_mark
 .Nd set marks and pop OpenSSL errors until mark
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/err.h
 .Ft int
 .Fn ERR_set_mark void
diff --git a/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3 b/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3
index 4baabbcd99..7014d008af 100644
--- a/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3
+++ b/src/lib/libcrypto/man/ESS_SIGNING_CERT_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ESS_SIGNING_CERT_new.3,v 1.5 2019/06/06 01:06:58 schwarze Exp $
+.\"     $OpenBSD: ESS_SIGNING_CERT_new.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt ESS_SIGNING_CERT_NEW 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm ESS_ISSUER_SERIAL_free
 .Nd signing certificates for S/MIME
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ts.h
 .Ft ESS_SIGNING_CERT *
 .Fn ESS_SIGNING_CERT_new void
diff --git a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3 b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
index 8b3b8adb0f..41a829c675 100644
--- a/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
+++ b/src/lib/libcrypto/man/EVP_AEAD_CTX_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.16 2024/07/21 08:36:43 tb Exp $
+.\" $OpenBSD: EVP_AEAD_CTX_init.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2014, Google Inc.
 .\" Parts of the text were written by Adam Langley and David Benjamin.
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 21 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_AEAD_CTX_INIT 3
 .Os
 .Sh NAME
@@ -37,6 +37,7 @@
 .Nm EVP_aead_xchacha20_poly1305
 .Nd authenticated encryption with additional data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_AEAD_CTX *
 .Fn EVP_AEAD_CTX_new void
diff --git a/src/lib/libcrypto/man/EVP_BytesToKey.3 b/src/lib/libcrypto/man/EVP_BytesToKey.3
index 1f78b4de06..060335744e 100644
--- a/src/lib/libcrypto/man/EVP_BytesToKey.3
+++ b/src/lib/libcrypto/man/EVP_BytesToKey.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_BytesToKey.3,v 1.9 2024/12/05 15:12:37 schwarze Exp $
+.\" $OpenBSD: EVP_BytesToKey.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_BYTESTOKEY 3
 .Os
 .Sh NAME
 .Nm EVP_BytesToKey
 .Nd password based encryption routine
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_BytesToKey
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_CTX_ctrl.3 b/src/lib/libcrypto/man/EVP_CIPHER_CTX_ctrl.3
index d7ab36e711..8aaf2cc385 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_CTX_ctrl.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_CIPHER_CTX_ctrl.3,v 1.4 2025/03/25 11:54:34 tb Exp $
+.\" $OpenBSD: EVP_CIPHER_CTX_ctrl.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
 .\"
 .\" This file is a derived work.
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 25 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CIPHER_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm EVP_CIPHER_CTX_get_iv
 .Nd configure EVP cipher contexts
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_CIPHER_CTX_ctrl
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_CTX_get_cipher_data.3 b/src/lib/libcrypto/man/EVP_CIPHER_CTX_get_cipher_data.3
index 4f75c8b008..a549ea25f6 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_CTX_get_cipher_data.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_CTX_get_cipher_data.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_CIPHER_CTX_get_cipher_data.3,v 1.3 2023/08/26 15:12:04 schwarze Exp $
+.\" $OpenBSD: EVP_CIPHER_CTX_get_cipher_data.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 26 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CIPHER_CTX_GET_CIPHER_DATA 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm EVP_CIPHER_CTX_buf_noconst
 .Nd inspect and modify EVP_CIPHER_CTX objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft void *
 .Fo EVP_CIPHER_CTX_get_cipher_data
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3 b/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3
index 79a8e540af..7b1d81bafa 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_CTX_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_CIPHER_CTX_init.3,v 1.4 2024/12/06 15:01:01 schwarze Exp $
+.\" $OpenBSD: EVP_CIPHER_CTX_init.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CIPHER_CTX_INIT 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm EVP_Cipher
 .Nd obsolete EVP cipher functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_CIPHER_CTX_init
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_CTX_set_flags.3 b/src/lib/libcrypto/man/EVP_CIPHER_CTX_set_flags.3
index 67ef8679bc..0d86050ae6 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_CTX_set_flags.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_CTX_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_CIPHER_CTX_set_flags.3,v 1.2 2023/09/06 16:26:49 schwarze Exp $
+.\" $OpenBSD: EVP_CIPHER_CTX_set_flags.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
 .\"
 .\" This file is a derived work.
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 6 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CIPHER_CTX_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -86,6 +86,7 @@
 .Nm EVP_CIPHER_CTX_set_app_data
 .Nd unusual EVP cipher context configuration
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft void
 .Fo EVP_CIPHER_CTX_set_flags
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_do_all.3 b/src/lib/libcrypto/man/EVP_CIPHER_do_all.3
index e912044978..342cf372df 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_do_all.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_do_all.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_CIPHER_do_all.3,v 1.3 2024/03/14 23:54:55 tb Exp $
+.\" $OpenBSD: EVP_CIPHER_do_all.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2023,2024 Theo Buehler <tb@openbsd.org>
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 14 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CIPHER_DO_ALL 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm OBJ_NAME_do_all_sorted
 .Nd iterate over lookup tables for ciphers and digests
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft void
 .Fo EVP_CIPHER_do_all
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_meth_new.3 b/src/lib/libcrypto/man/EVP_CIPHER_meth_new.3
index 187dab6d8a..f831b20c3d 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_meth_new.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_meth_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_CIPHER_meth_new.3,v 1.6 2024/03/04 09:49:07 tb Exp $
+.\" $OpenBSD: EVP_CIPHER_meth_new.3,v 1.7 2025/06/08 22:40:29 schwarze Exp $
 .\" selective merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 4 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CIPHER_METH_NEW 3
 .Os
 .Sh NAME
@@ -84,6 +84,7 @@
 .Nm EVP_CIPHER_meth_set_ctrl
 .Nd Routines to build up EVP_CIPHER methods
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_CIPHER *
 .Fo EVP_CIPHER_meth_new
diff --git a/src/lib/libcrypto/man/EVP_CIPHER_nid.3 b/src/lib/libcrypto/man/EVP_CIPHER_nid.3
index 1feff4f34e..6152c389c8 100644
--- a/src/lib/libcrypto/man/EVP_CIPHER_nid.3
+++ b/src/lib/libcrypto/man/EVP_CIPHER_nid.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_CIPHER_nid.3,v 1.3 2023/09/05 14:54:21 schwarze Exp $
+.\" $OpenBSD: EVP_CIPHER_nid.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL man3/EVP_EncryptInit.pod
 .\"   0874d7f2 Oct 11 13:13:47 2022 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 5 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CIPHER_NID 3
 .Os
 .Sh NAME
@@ -83,6 +83,7 @@
 .Nm EVP_CIPHER_CTX_mode
 .Nd inspect EVP_CIPHER objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_CIPHER_nid
diff --git a/src/lib/libcrypto/man/EVP_DigestInit.3 b/src/lib/libcrypto/man/EVP_DigestInit.3
index 668c189bc1..1457d65e40 100644
--- a/src/lib/libcrypto/man/EVP_DigestInit.3
+++ b/src/lib/libcrypto/man/EVP_DigestInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_DigestInit.3,v 1.37 2024/12/06 15:01:01 schwarze Exp $
+.\" $OpenBSD: EVP_DigestInit.3,v 1.39 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 7f572e95 Dec 2 13:57:04 2015 +0000
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -70,7 +70,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_DIGESTINIT 3
 .Os
 .Sh NAME
@@ -103,6 +103,7 @@
 .Nm EVP_get_digestbyobj
 .Nd EVP digest routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_MD_CTX *
 .Fn EVP_MD_CTX_new void
@@ -361,15 +362,16 @@ and
 .Fn EVP_ripemd160
 return
 .Vt EVP_MD
-structures for the SHA224, SHA256, SHA384, SHA512 and
+structures for the SHA-224, SHA-256, SHA-384, SHA-512 and
-RIPEMD160 digest algorithms respectively.
+RIPEMD-160 digest algorithms respectively.
 .Pp
 .Fn EVP_sha512_224
 and
 .Fn EVP_sha512_256
 return an
 .Vt EVP_MD
-structure that provides the truncated SHA512 variants SHA512/224 and SHA512/256,
+structure that provides the truncated SHA-512 variants
+SHA-512/224 and SHA-512/256,
 respectively.
 .Pp
 .Fn EVP_md_null
diff --git a/src/lib/libcrypto/man/EVP_DigestSignInit.3 b/src/lib/libcrypto/man/EVP_DigestSignInit.3
index caf519e28c..46b8acbd3c 100644
--- a/src/lib/libcrypto/man/EVP_DigestSignInit.3
+++ b/src/lib/libcrypto/man/EVP_DigestSignInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_DigestSignInit.3,v 1.15 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_DigestSignInit.3,v 1.16 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 28428130 Apr 17 15:18:40 2018 +0200
 .\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_DIGESTSIGNINIT 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm EVP_DigestSign
 .Nd EVP signing functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_DigestSignInit
diff --git a/src/lib/libcrypto/man/EVP_DigestVerifyInit.3 b/src/lib/libcrypto/man/EVP_DigestVerifyInit.3
index fa62f5a0a5..3d40f8e916 100644
--- a/src/lib/libcrypto/man/EVP_DigestVerifyInit.3
+++ b/src/lib/libcrypto/man/EVP_DigestVerifyInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_DigestVerifyInit.3,v 1.17 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_DigestVerifyInit.3,v 1.18 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to OpenSSL f097e875 Aug 23 11:37:22 2018 +0100
 .\" selective merge up to 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_DIGESTVERIFYINIT 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm EVP_DigestVerify
 .Nd EVP signature verification functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_DigestVerifyInit
diff --git a/src/lib/libcrypto/man/EVP_EncodeInit.3 b/src/lib/libcrypto/man/EVP_EncodeInit.3
index da79af84cf..82f5687c8b 100644
--- a/src/lib/libcrypto/man/EVP_EncodeInit.3
+++ b/src/lib/libcrypto/man/EVP_EncodeInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_EncodeInit.3,v 1.7 2019/06/06 01:06:58 schwarze Exp $
+.\" $OpenBSD: EVP_EncodeInit.3,v 1.8 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL f430ba31 Jun 19 19:39:01 2016 +0200
 .\" selective merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_ENCODEINIT 3
 .Os
 .Sh NAME
@@ -65,6 +65,7 @@
 .Nm EVP_DecodeBlock
 .Nd EVP base64 encode/decode routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_ENCODE_CTX *
 .Fn EVP_ENCODE_CTX_new void
diff --git a/src/lib/libcrypto/man/EVP_EncryptInit.3 b/src/lib/libcrypto/man/EVP_EncryptInit.3
index 7765be2ca6..382c0e2b06 100644
--- a/src/lib/libcrypto/man/EVP_EncryptInit.3
+++ b/src/lib/libcrypto/man/EVP_EncryptInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_EncryptInit.3,v 1.56 2024/12/20 01:54:03 schwarze Exp $
+.\" $OpenBSD: EVP_EncryptInit.3,v 1.57 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 5211e094 Nov 11 14:39:11 2014 -0800
 .\"   EVP_bf_cbc.pod EVP_cast5_cbc.pod EVP_idea_cbc.pod EVP_rc2_cbc.pod
 .\"   7c6d372a Nov 20 13:20:01 2018 +0000
@@ -69,7 +69,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 20 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_ENCRYPTINIT 3
 .Os
 .Sh NAME
@@ -115,6 +115,7 @@
 .Nm EVP_cast5_ofb
 .Nd EVP cipher routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_CIPHER_CTX *
 .Fn EVP_CIPHER_CTX_new void
diff --git a/src/lib/libcrypto/man/EVP_MD_CTX_ctrl.3 b/src/lib/libcrypto/man/EVP_MD_CTX_ctrl.3
index c8c148faf0..a16bba9bf8 100644
--- a/src/lib/libcrypto/man/EVP_MD_CTX_ctrl.3
+++ b/src/lib/libcrypto/man/EVP_MD_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_MD_CTX_ctrl.3,v 1.3 2024/03/05 17:21:40 tb Exp $
+.\" $OpenBSD: EVP_MD_CTX_ctrl.3,v 1.5 2025/06/11 13:48:54 schwarze Exp $
 .\" full merge up to: OpenSSL man3/EVP_DigestInit.pod
 .\" 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -69,7 +69,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt EVP_MD_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm EVP_MD_CTX_md_data
 .Nd configure EVP message digest contexts
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_MD_CTX_ctrl
@@ -154,7 +155,9 @@ when it is no longer needed.
 This
 .Fa command
 is used by
-.Xr SMIME_write_ASN1 3
+.Xr SMIME_write_CMS 3
+and
+.Xr SMIME_write_PKCS7 3
 when creating S/MIME multipart/signed messages as specified in RFC 3851.
 .Pp
 .Fn EVP_MD_CTX_set_flags
diff --git a/src/lib/libcrypto/man/EVP_MD_nid.3 b/src/lib/libcrypto/man/EVP_MD_nid.3
index 15806091de..384c043149 100644
--- a/src/lib/libcrypto/man/EVP_MD_nid.3
+++ b/src/lib/libcrypto/man/EVP_MD_nid.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_MD_nid.3,v 1.4 2024/03/05 17:21:40 tb Exp $
+.\" $OpenBSD: EVP_MD_nid.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL man3/EVP_DigestInit.pod
 .\" 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_MD_NID 3
 .Os
 .Sh NAME
@@ -84,6 +84,7 @@
 .Nm EVP_MD_pkey_type
 .Nd inspect EVP_MD objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_MD_nid
diff --git a/src/lib/libcrypto/man/EVP_OpenInit.3 b/src/lib/libcrypto/man/EVP_OpenInit.3
index fbd0e75571..8cdcbda0e9 100644
--- a/src/lib/libcrypto/man/EVP_OpenInit.3
+++ b/src/lib/libcrypto/man/EVP_OpenInit.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_OpenInit.3,v 1.9 2023/11/16 20:27:43 schwarze Exp $
+.\"     $OpenBSD: EVP_OpenInit.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_OPENINIT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_OpenFinal
 .Nd EVP envelope decryption
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_OpenInit
diff --git a/src/lib/libcrypto/man/EVP_PKCS82PKEY.3 b/src/lib/libcrypto/man/EVP_PKCS82PKEY.3
index 30a43b8dca..a8b7d86808 100644
--- a/src/lib/libcrypto/man/EVP_PKCS82PKEY.3
+++ b/src/lib/libcrypto/man/EVP_PKCS82PKEY.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKCS82PKEY.3,v 1.3 2024/03/05 19:21:31 tb Exp $
+.\" $OpenBSD: EVP_PKCS82PKEY.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKCS82PKEY 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm EVP_PKEY2PKCS8
 .Nd convert between EVP_PKEY and PKCS#8 PrivateKeyInfo
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft EVP_PKEY *
 .Fn EVP_PKCS82PKEY "const PKCS8_PRIV_KEY_INFO *keyinfo"
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
index 137e576c46..db65f132bb 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.28 2024/12/10 14:54:20 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_CTX_ctrl.3,v 1.30 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\" Parts were split out into RSA_pkey_ctx_ctrl(3).
@@ -69,7 +69,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -97,6 +97,7 @@
 .Nm EVP_PKEY_CTX_get1_id_len
 .Nd algorithm specific control operations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_CTX_ctrl
@@ -371,7 +372,7 @@ The
 macro sets the key derivation function message digest to
 .Fa md
 for ECDH key derivation.
-Note that X9.63 specifies that this digest should be SHA1,
+Note that X9.63 specifies that this digest should be SHA-1,
 but OpenSSL tolerates other digests.
 .Pp
 The
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_get_operation.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_get_operation.3
index 2482c746d4..ce234337bb 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_get_operation.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_get_operation.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_CTX_get_operation.3,v 1.3 2023/09/12 16:15:23 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_CTX_get_operation.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 12 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_CTX_GET_OPERATION 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm EVP_PKEY_CTX_get0_pkey
 .Nd inspect EVP_PKEY_CTX objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_CTX_get_operation
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3
index e74bce9dfb..d0f514d5ea 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_CTX_new.3,v 1.16 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_CTX_new.3,v 1.17 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_CTX_NEW 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm EVP_PKEY_CTX_free
 .Nd public key algorithm context functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_PKEY_CTX *
 .Fo EVP_PKEY_CTX_new
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3
index 973ae95974..a63744097a 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_CTX_set_hkdf_md.3,v 1.4 2024/07/10 07:57:37 tb Exp $
+.\" $OpenBSD: EVP_PKEY_CTX_set_hkdf_md.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
 .\"
 .\" This file was written by Alessandro Ghedini <alessandro@ghedini.me>,
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 10 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_CTX_SET_HKDF_MD 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm EVP_PKEY_CTX_hkdf_mode
 .Nd HMAC-based Extract-and-Expand key derivation algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .In openssl/kdf.h
 .Ft int
diff --git a/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3 b/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3
index 1b95bbaa98..57a85a78d9 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_CTX_set_tls1_prf_md.3,v 1.2 2024/07/10 10:22:03 tb Exp $
+.\" $OpenBSD: EVP_PKEY_CTX_set_tls1_prf_md.3,v 1.4 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
 .\"
 .\" This file was written by Dr Stephen Henson <steve@openssl.org>,
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 10 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_CTX_SET_TLS1_PRF_MD 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_PKEY_CTX_add1_tls1_prf_seed
 .Nd TLS PRF key derivation algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .In openssl/kdf.h
 .Ft int
@@ -87,7 +88,7 @@ It has no associated private key and only implements key derivation using
 sets the message digest associated with the TLS PRF.
 .Xr EVP_md5_sha1 3
 is treated as a special case which uses the PRF algorithm using both
-MD5 and SHA1 as used in TLS 1.0 and 1.1.
+MD5 and SHA-1 as used in TLS 1.0 and 1.1.
 .Pp
 .Fn EVP_PKEY_CTX_set_tls1_prf_secret
 sets the secret value of the TLS PRF to
diff --git a/src/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3 b/src/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3
index f7810789b6..098a5565b2 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_asn1_get_count.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_asn1_get_count.3,v 1.10 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_asn1_get_count.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_ASN1_GET_COUNT 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm EVP_PKEY_asn1_get0_info
 .Nd enumerate public key ASN.1 methods
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fn EVP_PKEY_asn1_get_count void
diff --git a/src/lib/libcrypto/man/EVP_PKEY_cmp.3 b/src/lib/libcrypto/man/EVP_PKEY_cmp.3
index c12843854d..bcd0152dc8 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_cmp.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_cmp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_cmp.3,v 1.15 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_cmp.3,v 1.16 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_CMP 3
 .Os
 .Sh NAME
@@ -81,6 +81,7 @@
 .\" resulting in incomplete output without the public key parameters.
 .Nd public key parameter and comparison functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_missing_parameters
diff --git a/src/lib/libcrypto/man/EVP_PKEY_decrypt.3 b/src/lib/libcrypto/man/EVP_PKEY_decrypt.3
index c063847b10..abac0e6a2e 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_decrypt.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_decrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_decrypt.3,v 1.10 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_decrypt.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_DECRYPT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_PKEY_decrypt
 .Nd decrypt using a public key algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_decrypt_init
diff --git a/src/lib/libcrypto/man/EVP_PKEY_derive.3 b/src/lib/libcrypto/man/EVP_PKEY_derive.3
index 47f467fea1..d02ef0e9e4 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_derive.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_derive.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_derive.3,v 1.12 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_derive.3,v 1.13 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_DERIVE 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm EVP_PKEY_derive
 .Nd derive public key algorithm shared secret
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_derive_init
diff --git a/src/lib/libcrypto/man/EVP_PKEY_encrypt.3 b/src/lib/libcrypto/man/EVP_PKEY_encrypt.3
index c2e70cb31f..f32d411283 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_encrypt.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_encrypt.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_PKEY_encrypt.3,v 1.10 2024/12/06 14:27:49 schwarze Exp $
+.\"     $OpenBSD: EVP_PKEY_encrypt.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_ENCRYPT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_PKEY_encrypt
 .Nd encrypt using a public key algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_encrypt_init
diff --git a/src/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3 b/src/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3
index e9ff7c4609..5c5b07bd3c 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_get_default_digest_nid.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_get_default_digest_nid.3,v 1.10 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_get_default_digest_nid.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file is a derived work.
@@ -66,13 +66,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_GET_DEFAULT_DIGEST_NID 3
 .Os
 .Sh NAME
 .Nm EVP_PKEY_get_default_digest_nid
 .Nd get default signature digest
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_get_default_digest_nid
diff --git a/src/lib/libcrypto/man/EVP_PKEY_keygen.3 b/src/lib/libcrypto/man/EVP_PKEY_keygen.3
index e75859b486..3c000f8cd2 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_keygen.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_keygen.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_keygen.3,v 1.15 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_keygen.3,v 1.16 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_KEYGEN 3
 .Os
 .Sh NAME
@@ -85,6 +85,7 @@
 .Nm EVP_PKEY_CTX_get_data
 .Nd key and parameter generation functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_keygen_init
diff --git a/src/lib/libcrypto/man/EVP_PKEY_new.3 b/src/lib/libcrypto/man/EVP_PKEY_new.3
index 3b1ef029c3..7c13f625bc 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_new.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_new.3,v 1.26 2024/12/10 15:10:26 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_new.3,v 1.27 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 4dcfdfce May 27 11:50:05 2020 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_NEW 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm EVP_PKEY_get_raw_public_key
 .Nd public and private key allocation and raw key handling functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_PKEY *
 .Fn EVP_PKEY_new void
diff --git a/src/lib/libcrypto/man/EVP_PKEY_new_CMAC_key.3 b/src/lib/libcrypto/man/EVP_PKEY_new_CMAC_key.3
index d09af3a012..e4202fab67 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_new_CMAC_key.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_new_CMAC_key.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_new_CMAC_key.3,v 1.1 2024/11/12 20:00:36 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_new_CMAC_key.3,v 1.2 2025/06/08 22:40:29 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 12 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_NEW_CMAC_KEY 3
 .Os
 .Sh NAME
 .Nm EVP_PKEY_new_CMAC_key
 .Nd CMAC in the EVP framework
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_PKEY *
 .Fo EVP_PKEY_new_CMAC_key
diff --git a/src/lib/libcrypto/man/EVP_PKEY_print_private.3 b/src/lib/libcrypto/man/EVP_PKEY_print_private.3
index a4b51a4bbb..877385d15b 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_print_private.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_print_private.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_PKEY_print_private.3,v 1.8 2024/12/06 12:51:13 schwarze Exp $
+.\"     $OpenBSD: EVP_PKEY_print_private.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_PRINT_PRIVATE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_PKEY_print_params
 .Nd public key algorithm printing routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_print_public
diff --git a/src/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 b/src/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
index 39404f5286..5e17894bea 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_set1_RSA.3,v 1.24 2024/12/09 11:25:25 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_set1_RSA.3,v 1.27 2025/07/02 06:40:28 tb Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 9 2024 $
+.Dd $Mdocdate: July 2 2025 $
 .Dt EVP_PKEY_SET1_RSA 3
 .Os
 .Sh NAME
@@ -103,6 +103,7 @@
 .\" EVP_PKT_ENC EVP_PKT_EXCH EVP_PKT_EXP EVP_PKT_SIGN
 .Nd EVP_PKEY assignment functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_set1_RSA
@@ -126,35 +127,35 @@
 .Fc
 .Ft RSA *
 .Fo EVP_PKEY_get1_RSA
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft DSA *
 .Fo EVP_PKEY_get1_DSA
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft DH *
 .Fo EVP_PKEY_get1_DH
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft EC_KEY *
 .Fo EVP_PKEY_get1_EC_KEY
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft RSA *
 .Fo EVP_PKEY_get0_RSA
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft DSA *
 .Fo EVP_PKEY_get0_DSA
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft DH *
 .Fo EVP_PKEY_get0_DH
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft EC_KEY *
 .Fo EVP_PKEY_get0_EC_KEY
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft const unsigned char *
 .Fo EVP_PKEY_get0_hmac
@@ -193,11 +194,11 @@
 .Fc
 .Ft int
 .Fo EVP_PKEY_base_id
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft int
 .Fo EVP_PKEY_id
-.Fa "EVP_PKEY *pkey"
+.Fa "const EVP_PKEY *pkey"
 .Fc
 .Ft int
 .Fo EVP_PKEY_type
diff --git a/src/lib/libcrypto/man/EVP_PKEY_sign.3 b/src/lib/libcrypto/man/EVP_PKEY_sign.3
index d73b0abb7b..58d7e34cb6 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_sign.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_sign.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_PKEY_sign.3,v 1.9 2024/12/06 14:27:49 schwarze Exp $
+.\"     $OpenBSD: EVP_PKEY_sign.3,v 1.11 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_SIGN 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_PKEY_sign
 .Nd sign using a public key algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_sign_init
@@ -134,7 +135,7 @@ return 1 for success and 0 or a negative value for failure.
 In particular, a return value of -2 indicates the operation is not
 supported by the public key algorithm.
 .Sh EXAMPLES
-Sign data using RSA with PKCS#1 padding and SHA256 digest:
+Sign data using RSA with PKCS#1 padding and SHA-256 digest:
 .Bd -literal -offset indent
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
diff --git a/src/lib/libcrypto/man/EVP_PKEY_size.3 b/src/lib/libcrypto/man/EVP_PKEY_size.3
index cd25eec9c2..dc53de1268 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_size.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_size.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_size.3,v 1.4 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_size.3,v 1.5 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL eed9d03b Jan 8 11:04:15 2020 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_SIZE 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm EVP_PKEY_security_bits
 .Nd EVP_PKEY information functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_size
diff --git a/src/lib/libcrypto/man/EVP_PKEY_verify.3 b/src/lib/libcrypto/man/EVP_PKEY_verify.3
index d096a3a7be..1a1d19a552 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_verify.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_verify.3,v 1.8 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_verify.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_VERIFY 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_PKEY_verify
 .Nd signature verification using a public key algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_verify_init
@@ -120,7 +121,7 @@ failure.
 In particular, a return value of -2 indicates the operation is not
 supported by the public key algorithm.
 .Sh EXAMPLES
-Verify signature using PKCS#1 and SHA256 digest:
+Verify signature using PKCS#1 and SHA-256 digest:
 .Bd -literal -offset 3n
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
diff --git a/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3 b/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3
index 30c034cdb5..840307b41e 100644
--- a/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3
+++ b/src/lib/libcrypto/man/EVP_PKEY_verify_recover.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_verify_recover.3,v 1.10 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_verify_recover.3,v 1.12 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 48e5119a Jan 19 10:49:22 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_PKEY_VERIFY_RECOVER 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_PKEY_verify_recover
 .Nd recover signature using a public key algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_PKEY_verify_recover_init
@@ -135,7 +136,7 @@ return 1 for success and 0 or a negative value for failure.
 In particular, a return value of -2 indicates the operation is not
 supported by the public key algorithm.
 .Sh EXAMPLES
-Recover digest originally signed using PKCS#1 and SHA256 digest:
+Recover digest originally signed using PKCS#1 and SHA-256 digest:
 .Bd -literal -offset indent
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
diff --git a/src/lib/libcrypto/man/EVP_SealInit.3 b/src/lib/libcrypto/man/EVP_SealInit.3
index da53535274..f211702ba6 100644
--- a/src/lib/libcrypto/man/EVP_SealInit.3
+++ b/src/lib/libcrypto/man/EVP_SealInit.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: EVP_SealInit.3,v 1.9 2023/11/16 20:27:43 schwarze Exp $
+.\"     $OpenBSD: EVP_SealInit.3,v 1.10 2025/06/08 22:40:29 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_SEALINIT 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm EVP_SealFinal
 .Nd EVP envelope encryption
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_SealInit
diff --git a/src/lib/libcrypto/man/EVP_SignInit.3 b/src/lib/libcrypto/man/EVP_SignInit.3
index 8158b21dbf..d3964abd41 100644
--- a/src/lib/libcrypto/man/EVP_SignInit.3
+++ b/src/lib/libcrypto/man/EVP_SignInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_SignInit.3,v 1.21 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: EVP_SignInit.3,v 1.22 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_SIGNINIT 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm EVP_SignInit
 .Nd EVP signing functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_SignInit_ex
diff --git a/src/lib/libcrypto/man/EVP_VerifyInit.3 b/src/lib/libcrypto/man/EVP_VerifyInit.3
index 0baadfb9fb..9bf1f1e163 100644
--- a/src/lib/libcrypto/man/EVP_VerifyInit.3
+++ b/src/lib/libcrypto/man/EVP_VerifyInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_VerifyInit.3,v 1.13 2024/11/08 22:23:35 schwarze Exp $
+.\" $OpenBSD: EVP_VerifyInit.3,v 1.14 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 8 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_VERIFYINIT 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm EVP_VerifyInit
 .Nd EVP signature verification functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_VerifyInit_ex
diff --git a/src/lib/libcrypto/man/EVP_aes_128_cbc.3 b/src/lib/libcrypto/man/EVP_aes_128_cbc.3
index 46e3ef0bdc..72f654b73d 100644
--- a/src/lib/libcrypto/man/EVP_aes_128_cbc.3
+++ b/src/lib/libcrypto/man/EVP_aes_128_cbc.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_aes_128_cbc.3,v 1.8 2024/12/20 01:54:03 schwarze Exp $
+.\" $OpenBSD: EVP_aes_128_cbc.3,v 1.9 2025/06/08 22:40:29 schwarze Exp $
 .\" selective merge up to: OpenSSL 7c6d372a Nov 20 13:20:01 2018 +0000
 .\"
 .\" This file was written by Ronald Tse <ronald.tse@ribose.com>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 20 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_AES_128_CBC 3
 .Os
 .Sh NAME
@@ -85,6 +85,7 @@
 .Nm EVP_aes_256_xts
 .Nd EVP AES cipher
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_aes_128_cbc void
diff --git a/src/lib/libcrypto/man/EVP_aes_128_ccm.3 b/src/lib/libcrypto/man/EVP_aes_128_ccm.3
index e9023a5b67..eaba95c936 100644
--- a/src/lib/libcrypto/man/EVP_aes_128_ccm.3
+++ b/src/lib/libcrypto/man/EVP_aes_128_ccm.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_aes_128_ccm.3,v 1.5 2024/12/29 12:27:28 schwarze Exp $
+.\" $OpenBSD: EVP_aes_128_ccm.3,v 1.6 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
 .\" OpenSSL EVP_aes.pod a1ec85c1 Apr 21 10:49:12 2020 +0100
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 29 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_AES_128_CCM 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm EVP_aes_256_ccm
 .Nd EVP AES cipher in Counter with CBC-MAC mode
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_aes_128_ccm void
diff --git a/src/lib/libcrypto/man/EVP_aes_128_gcm.3 b/src/lib/libcrypto/man/EVP_aes_128_gcm.3
index 53c41ea162..fa4a88619a 100644
--- a/src/lib/libcrypto/man/EVP_aes_128_gcm.3
+++ b/src/lib/libcrypto/man/EVP_aes_128_gcm.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_aes_128_gcm.3,v 1.2 2024/12/29 12:27:28 schwarze Exp $
+.\" $OpenBSD: EVP_aes_128_gcm.3,v 1.3 2025/06/08 22:40:29 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL EVP_EncryptInit.pod 0874d7f2 Oct 11 13:13:47 2022 +0100
 .\" OpenSSL EVP_aes.pod a1ec85c1 Apr 21 10:49:12 2020 +0100
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 29 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_AES_128_GCM 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm EVP_aes_256_gcm
 .Nd EVP AES cipher in Galois Counter Mode
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_aes_128_gcm void
diff --git a/src/lib/libcrypto/man/EVP_camellia_128_cbc.3 b/src/lib/libcrypto/man/EVP_camellia_128_cbc.3
index 6f15a85f7f..3ff5d5a0e0 100644
--- a/src/lib/libcrypto/man/EVP_camellia_128_cbc.3
+++ b/src/lib/libcrypto/man/EVP_camellia_128_cbc.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_camellia_128_cbc.3,v 1.3 2024/11/09 22:03:49 schwarze Exp $
+.\" $OpenBSD: EVP_camellia_128_cbc.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\" selective merge up to: OpenSSL 7c6d372a Nov 20 13:20:01 2018 +0000
 .\"
 .\" This file was written by Ronald Tse <ronald.tse@ribose.com>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 9 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CAMELLIA_128_CBC 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm EVP_camellia_256_ofb
 .Nd EVP Camellia cipher
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_camellia_128_cbc void
diff --git a/src/lib/libcrypto/man/EVP_chacha20.3 b/src/lib/libcrypto/man/EVP_chacha20.3
index 8fc79dbf2b..45584f3e86 100644
--- a/src/lib/libcrypto/man/EVP_chacha20.3
+++ b/src/lib/libcrypto/man/EVP_chacha20.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_chacha20.3,v 1.8 2024/12/09 11:55:52 schwarze Exp $
+.\" $OpenBSD: EVP_chacha20.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 9 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_CHACHA20 3
 .Os
 .Sh NAME
@@ -73,6 +73,7 @@
 .Nm EVP_chacha20_poly1305
 .Nd ChaCha20 stream cipher for EVP
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_chacha20 void
diff --git a/src/lib/libcrypto/man/EVP_des_cbc.3 b/src/lib/libcrypto/man/EVP_des_cbc.3
index 7c8a08c7db..84ee9aaa61 100644
--- a/src/lib/libcrypto/man/EVP_des_cbc.3
+++ b/src/lib/libcrypto/man/EVP_des_cbc.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_des_cbc.3,v 1.2 2024/11/09 22:03:49 schwarze Exp $
+.\" $OpenBSD: EVP_des_cbc.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to:
 .\"   OpenSSL EVP_desx_cbc.pod 8fa4d95e Oct 21 11:59:09 2017 +0900
 .\" selective merge up to:
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 9 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_DES_CBC 3
 .Os
 .Sh NAME
@@ -79,6 +79,7 @@
 .Nm EVP_desx_cbc
 .Nd EVP DES cipher
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_des_cbc void
diff --git a/src/lib/libcrypto/man/EVP_rc2_cbc.3 b/src/lib/libcrypto/man/EVP_rc2_cbc.3
index 38c8184260..9a3bc29304 100644
--- a/src/lib/libcrypto/man/EVP_rc2_cbc.3
+++ b/src/lib/libcrypto/man/EVP_rc2_cbc.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_rc2_cbc.3,v 1.1 2024/12/08 17:41:23 schwarze Exp $
+.\" $OpenBSD: EVP_rc2_cbc.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 8 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_RC2_CBC 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm EVP_rc2_64_cbc
 .Nd Rivest Cipher 2 in the EVP framework
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_rc2_cbc void
diff --git a/src/lib/libcrypto/man/EVP_rc4.3 b/src/lib/libcrypto/man/EVP_rc4.3
index fda041113c..40dd27e49f 100644
--- a/src/lib/libcrypto/man/EVP_rc4.3
+++ b/src/lib/libcrypto/man/EVP_rc4.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_rc4.3,v 1.1 2019/03/21 13:37:25 schwarze Exp $
+.\" $OpenBSD: EVP_rc4.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 8fa4d95e Oct 21 11:59:09 2017 +0900
 .\"
 .\" This file was written by Ronald Tse <ronald.tse@ribose.com>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 21 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_RC4 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm EVP_rc4_hmac_md5
 .Nd EVP RC4 stream cipher
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_rc4 void
diff --git a/src/lib/libcrypto/man/EVP_sha1.3 b/src/lib/libcrypto/man/EVP_sha1.3
index b28c9f54c3..d1e336cc42 100644
--- a/src/lib/libcrypto/man/EVP_sha1.3
+++ b/src/lib/libcrypto/man/EVP_sha1.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_sha1.3,v 1.2 2024/03/05 17:21:40 tb Exp $
+.\" $OpenBSD: EVP_sha1.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_SHA1 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm EVP_md4
 .Nd legacy message digest algorithms
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_MD *
 .Fn EVP_sha1 void
diff --git a/src/lib/libcrypto/man/EVP_sha3_224.3 b/src/lib/libcrypto/man/EVP_sha3_224.3
index 3c21ae1a09..19a9114885 100644
--- a/src/lib/libcrypto/man/EVP_sha3_224.3
+++ b/src/lib/libcrypto/man/EVP_sha3_224.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_sha3_224.3,v 1.3 2024/03/05 17:21:40 tb Exp $
+.\" $OpenBSD: EVP_sha3_224.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\" selective merge up to: OpenSSL bbda8ce9 Oct 31 15:43:01 2017 +0800
 .\"
 .\" This file was written by Ronald Tse <ronald.tse@ribose.com>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_SHA3_224 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm EVP_sha3_512
 .Nd Secure Hash Algorithm 3 for EVP
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_MD *
 .Fn EVP_sha3_224 void
diff --git a/src/lib/libcrypto/man/EVP_sm3.3 b/src/lib/libcrypto/man/EVP_sm3.3
index aa6789f249..33621bef81 100644
--- a/src/lib/libcrypto/man/EVP_sm3.3
+++ b/src/lib/libcrypto/man/EVP_sm3.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_sm3.3,v 1.1 2019/08/25 17:08:20 schwarze Exp $
+.\" $OpenBSD: EVP_sm3.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 21ebd2fc Aug 24 20:38:04 2018 +0800
 .\"
 .\" This file was written by Jack Lloyd <jack.lloyd@ribose.com>
@@ -50,13 +50,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 25 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_SM3 3
 .Os
 .Sh NAME
 .Nm EVP_sm3
 .Nd SM3 hash function for EVP
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_MD *
 .Fn EVP_sm3 void
diff --git a/src/lib/libcrypto/man/EVP_sm4_cbc.3 b/src/lib/libcrypto/man/EVP_sm4_cbc.3
index 0605a52faa..eba31afff3 100644
--- a/src/lib/libcrypto/man/EVP_sm4_cbc.3
+++ b/src/lib/libcrypto/man/EVP_sm4_cbc.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_sm4_cbc.3,v 1.2 2023/11/16 20:27:43 schwarze Exp $
+.\" $OpenBSD: EVP_sm4_cbc.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 87103969 Oct 1 14:11:57 2018 -0700
 .\"
 .\" Copyright (c) 2017 Ribose Inc
@@ -18,7 +18,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EVP_SM4_CBC 3
 .Os
 .Sh NAME
@@ -30,6 +30,7 @@
 .Nm EVP_sm4_ctr
 .Nd EVP SM4 cipher
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft const EVP_CIPHER *
 .Fn EVP_sm4_cbc void
diff --git a/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3 b/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
index 3d1ed17ff3..3258c9793d 100644
--- a/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
+++ b/src/lib/libcrypto/man/EXTENDED_KEY_USAGE_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: EXTENDED_KEY_USAGE_new.3,v 1.6 2021/10/27 11:24:47 schwarze Exp $
+.\" $OpenBSD: EXTENDED_KEY_USAGE_new.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 27 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt EXTENDED_KEY_USAGE_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm EXTENDED_KEY_USAGE_free
 .Nd X.509 key usage restrictions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft EXTENDED_KEY_USAGE
 .Fn EXTENDED_KEY_USAGE_new void
diff --git a/src/lib/libcrypto/man/GENERAL_NAME_new.3 b/src/lib/libcrypto/man/GENERAL_NAME_new.3
index a6b7ee56da..84ad2edb3b 100644
--- a/src/lib/libcrypto/man/GENERAL_NAME_new.3
+++ b/src/lib/libcrypto/man/GENERAL_NAME_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: GENERAL_NAME_new.3,v 1.6 2019/06/06 01:06:58 schwarze Exp $
+.\"     $OpenBSD: GENERAL_NAME_new.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt GENERAL_NAME_NEW 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Nm OTHERNAME_free
 .Nd names for use in X.509 extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft GENERAL_NAME *
 .Fn GENERAL_NAME_new void
diff --git a/src/lib/libcrypto/man/HMAC.3 b/src/lib/libcrypto/man/HMAC.3
index a515014fca..0b9e24a7bd 100644
--- a/src/lib/libcrypto/man/HMAC.3
+++ b/src/lib/libcrypto/man/HMAC.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: HMAC.3,v 1.23 2024/08/29 20:21:53 tb Exp $
+.\" $OpenBSD: HMAC.3,v 1.24 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL crypto/hmac a528d4f0 Oct 27 13:40:11 2015 -0400
 .\" selective merge up to: OpenSSL man3/HMAC b3696a55 Sep 2 09:35:50 2017 -0400
 .\"
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 29 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt HMAC 3
 .Os
 .Sh NAME
@@ -69,6 +69,7 @@
 .Nm HMAC_size
 .Nd HMAC message authentication code
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/hmac.h
 .Ft unsigned char *
 .Fo HMAC
diff --git a/src/lib/libcrypto/man/IPAddressRange_new.3 b/src/lib/libcrypto/man/IPAddressRange_new.3
index a812107cdf..79e3751b4e 100644
--- a/src/lib/libcrypto/man/IPAddressRange_new.3
+++ b/src/lib/libcrypto/man/IPAddressRange_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: IPAddressRange_new.3,v 1.9 2023/10/03 09:58:06 tb Exp $
+.\" $OpenBSD: IPAddressRange_new.3,v 1.11 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 3 2023 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt IPADDRESSRANGE_NEW 3
 .Os
 .Sh NAME
@@ -36,8 +36,9 @@
 .Nm i2d_IPAddressFamily
 .Nd RFC 3779 IP address prefixes and ranges
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
-.Ft "IPAddressRange *"
+.Ft IPAddressRange *
 .Fn IPAddressRange_new void
 .Ft void
 .Fn IPAddressRange_free "IPAddressRange *range"
@@ -52,7 +53,7 @@
 .Fa "IPAddressRange *range"
 .Fa "unsigned char **der_out"
 .Fc
-.Ft "IPAddressOrRange *"
+.Ft IPAddressOrRange *
 .Fn IPAddressOrRange_new void
 .Ft void
 .Fn IPAddressOrRange_free "IPAddressOrRange *aor"
@@ -67,7 +68,7 @@
 .Fa "IPAddressOrRange *aor"
 .Fa "unsigned char **der_out"
 .Fc
-.Ft "IPAddressChoice *"
+.Ft IPAddressChoice *
 .Fn IPAddressChoice_new void
 .Ft void
 .Fn IPAddressChoice_free "IPAddressChoice *ac"
@@ -82,7 +83,7 @@
 .Fa "IPAddressChoice *ac"
 .Fa "unsigned char **der_out"
 .Fc
-.Ft "IPAddressFamily *"
+.Ft IPAddressFamily *
 .Fn IPAddressFamily_new void
 .Ft void
 .Fn IPAddressFamily_free "IPAddressFamily *af"
diff --git a/src/lib/libcrypto/man/MD5.3 b/src/lib/libcrypto/man/MD5.3
index 01e715f406..c9c89c33af 100644
--- a/src/lib/libcrypto/man/MD5.3
+++ b/src/lib/libcrypto/man/MD5.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: MD5.3,v 1.9 2024/05/26 09:54:16 tb Exp $
+.\"     $OpenBSD: MD5.3,v 1.10 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 26 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt MD5 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm MD5_Final
 .Nd MD4 and MD5 hash functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/md4.h
 .Ft unsigned char *
 .Fo MD4
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index 9f3d448432..aea939dc2b 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.307 2025/03/08 17:12:55 tb Exp $
+# $OpenBSD: Makefile,v 1.312 2025/07/17 10:31:50 schwarze Exp $
 .include <bsd.own.mk>
@@ -133,12 +133,16 @@ MAN=	\
        DSA_size.3 \
        ECDH_compute_key.3 \
        ECDSA_SIG_new.3 \
-        EC_GROUP_copy.3 \
+        EC_GROUP_check.3 \
-        EC_GROUP_new.3 \
+        EC_GROUP_get_curve_name.3 \
+        EC_GROUP_new_by_curve_name.3 \
+        EC_GROUP_new_curve_GFp.3 \
        EC_KEY_METHOD_new.3 \
        EC_KEY_new.3 \
        EC_POINT_add.3 \
+        EC_POINT_get_affine_coordinates.3 \
        EC_POINT_new.3 \
+        EC_POINT_point2oct.3 \
        ENGINE_new.3 \
        ERR.3 \
        ERR_GET_LIB.3 \
@@ -212,7 +216,6 @@ MAN=	\
        IPAddressRange_new.3 \
        MD5.3 \
        NAME_CONSTRAINTS_new.3 \
-        OBJ_NAME_add.3 \
        OBJ_create.3 \
        OBJ_find_sigid_algs.3 \
        OBJ_nid2obj.3 \
@@ -228,12 +231,11 @@ MAN=	\
        OPENSSL_cleanse.3 \
        OPENSSL_config.3 \
        OPENSSL_init_crypto.3 \
-        OPENSSL_load_builtin_modules.3 \
        OPENSSL_malloc.3 \
        OPENSSL_sk_new.3 \
        OpenSSL_add_all_algorithms.3 \
        PEM_ASN1_read.3 \
-        PEM_X509_INFO_read.3 \
+        PEM_X509_INFO_read_bio.3 \
        PEM_bytes_read_bio.3 \
        PEM_read.3 \
        PEM_read_bio_PrivateKey.3 \
@@ -289,11 +291,9 @@ MAN=	\
        RSA_size.3 \
        SHA1.3 \
        SMIME_crlf_copy.3 \
-        SMIME_read_ASN1.3 \
        SMIME_read_CMS.3 \
        SMIME_read_PKCS7.3 \
        SMIME_text.3 \
-        SMIME_write_ASN1.3 \
        SMIME_write_CMS.3 \
        SMIME_write_PKCS7.3 \
        STACK_OF.3 \
@@ -326,7 +326,6 @@ MAN=	\
        X509_NAME_new.3 \
        X509_NAME_print_ex.3 \
        X509_OBJECT_get0_X509.3 \
-        X509_PKEY_new.3 \
        X509_PUBKEY_new.3 \
        X509_PURPOSE_set.3 \
        X509_REQ_add1_attr.3 \
diff --git a/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3 b/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3
index fec3aba7f7..7d39754858 100644
--- a/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3
+++ b/src/lib/libcrypto/man/NAME_CONSTRAINTS_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: NAME_CONSTRAINTS_new.3,v 1.4 2020/09/17 08:50:05 schwarze Exp $
+.\" $OpenBSD: NAME_CONSTRAINTS_new.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 17 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt NAME_CONSTRAINTS_NEW 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .\" We probably need to deprecate it thoughtfully.
 .Nd X.509 CA name constraints extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft NAME_CONSTRAINTS *
 .Fn NAME_CONSTRAINTS_new void
diff --git a/src/lib/libcrypto/man/OBJ_NAME_add.3 b/src/lib/libcrypto/man/OBJ_NAME_add.3
deleted file mode 100644
index 0b46010c49..0000000000
--- a/src/lib/libcrypto/man/OBJ_NAME_add.3
+++ /dev/null
@@ -1,307 +0,0 @@
-.\" $OpenBSD: OBJ_NAME_add.3,v 1.6 2024/01/31 08:02:53 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: January 31 2024 $
-.Dt OBJ_NAME_ADD 3
-.Os
-.Sh NAME
-.Nm OBJ_NAME_add ,
-.Nm OBJ_NAME_remove ,
-.Nm OBJ_NAME_get ,
-.Nm OBJ_NAME_new_index ,
-.Nm OBJ_NAME_init ,
-.Nm OBJ_NAME_cleanup
-.Nd global associative array
-.Sh SYNOPSIS
-.In openssl/objects.h
-.Ft int
-.Fo OBJ_NAME_add
-.Fa "const char *name"
-.Fa "int type"
-.Fa "const char *value"
-.Fc
-.Ft int
-.Fo OBJ_NAME_remove
-.Fa "const char *name"
-.Fa "int type"
-.Fc
-.Ft const char *
-.Fo OBJ_NAME_get
-.Fa "const char *name"
-.Fa "int type"
-.Fc
-.Ft int
-.Fo OBJ_NAME_new_index
-.Fa "unsigned long (*hash_func)(const char *name)"
-.Fa "int (*cmp_func)(const char *name1, const char *name2)"
-.Fa "void (*free_func)(const char *name, int type, const char *value)"
-.Fc
-.Ft int
-.Fn OBJ_NAME_init void
-.Ft void
-.Fn OBJ_NAME_cleanup "int type"
-.Bd -literal
-typedef struct {
-        int         type;
-        int         alias;
-        const char *name;
-        const char *data;
-} OBJ_NAME;
-.Ed
-.Sh DESCRIPTION
-These functions implement a single, static associative array
-with the following properties:
-.Bl -bullet
-.It
-The keys are ordered pairs consisting of a NUL-terminated string
-.Pq called the Fa name
-and an
-.Vt int
-number
-.Pq called the Fa type .
-Two types are predefined and used internally by the library:
-.Dv OBJ_NAME_TYPE_MD_METH
-and
-.Dv OBJ_NAME_TYPE_CIPHER_METH .
-Two additional types are predefined but not used internally:
-.Dv OBJ_NAME_TYPE_PKEY_METH
-and
-.Dv OBJ_NAME_TYPE_COMP_METH .
-All predefined types are greater than
-.Dv OBJ_NAME_TYPE_UNDEF
-and smaller than
-.Dv OBJ_NAME_TYPE_NUM .
-.It
-The values are pointers.
-Formally, they are of the type
-.Vt const char * ,
-but in practice, pointers of other types, for example
-.Vt EVP_CIPHER *
-or
-.Vt EVP_MD * ,
-are often stored as values
-and cast back to the correct type on retrieval.
-.It
-The array supports type-specific aliases for names.
-.El
-.Pp
-.Fn OBJ_NAME_add
-removes the key-value pair or alias with the key
-.Pq Fa name , type
-in the same way as
-.Fn OBJ_NAME_remove
-and inserts a key-value pair with the specified
-.Fa name ,
-.Fa type ,
-and
-.Fa value .
-If the bit
-.Dv OBJ_NAME_ALIAS
-is set in the
-.Fa type
-argument, that bit is cleared before using the
-.Fa type
-and the key
-.Pq Fa name , type
-becomes an alias for the key
-.Pq Fa value , type
-instead of setting a value.
-It is not checked whether the key
-.Pq Fa value , type
-already exists.
-Consequently, it is possible to define an alias
-before setting the associated value.
-.Pp
-.Fn OBJ_NAME_remove
-removes the key-value pair or alias with the key
-.Pq Fa name , type
-from the array, if it exists.
-Otherwise, it has no effect.
-If the bit
-.Dv OBJ_NAME_ALIAS
-is set in the
-.Fa type
-argument, it is ignored and cleared before using the
-.Fa type .
-If the
-.Fa type
-is an application-defined type added with
-.Fn OBJ_NAME_new_index
-and the
-.Fa free_func
-associated with the
-.Fa type
-is not a
-.Dv NULL
-pointer, it is called with the
-.Fa name ,
-.Fa type ,
-and
-.Fa value
-of the key-value pair being removed or with the
-.Fa name ,
-.Fa type ,
-and alias target name of the alias being removed.
-In typical usage, this function might free the
-.Fa name ,
-and it might free the
-.Fa value
-in a type-specific way.
-.Pp
-.Fn OBJ_NAME_get
-looks up the key
-.Pq Fa name , type ,
-recursively resolving up to ten aliases if needed.
-If the bit
-.Dv OBJ_NAME_ALIAS
-is set in the
-.Fa type
-argument, it is cleared before using the
-.Fa type ,
-processing of aliases is disabled, and if
-.Pq Fa name , type
-is an alias, the target name of the alias is returned instead of a value.
-.Pp
-.Fn OBJ_NAME_new_index
-assigns the smallest unassigned positive integer number
-to represent a new, application-defined
-.Fa type .
-The three function pointers will be used, respectively,
-to hash a name for this type, to compare two names for this type,
-and to free the contents of a key-value pair holding the given
-.Fa name ,
-.Fa type ,
-and
-.Fa value .
-If the
-.Fa hash_func
-argument is a
-.Dv NULL
-pointer,
-.Xr lh_strhash 3
-is used instead.
-If the
-.Fa cmp_func
-argument is a
-.Dv NULL
-pointer,
-.Xr strcmp 3
-is used instead.
-If the
-.Fa free_func
-argument is a
-.Dv NULL
-pointer, the
-.Fa name
-and
-.Fa value
-pointers contained in the key-value pair are not freed,
-only the structure representing the pair itself is.
-This default behaviour is also used for the built-in types.
-.Pp
-.Fn OBJ_NAME_init
-initializes the array.
-After initialization, the array is empty.
-Calling
-.Fn OBJ_NAME_init
-when the array is already initialized has no effect.
-Application programs do not need to call this function because
-.Fn OBJ_NAME_add
-and
-.Fn OBJ_NAME_get
-automatically call it whenever needed.
-.Pp
-.Fn OBJ_NAME_cleanup
-removes all key-value pairs and aliases of the given
-.Fa type
-from the array by calling
-.Fn OBJ_NAME_remove
-on every such pair and alias.
-If the
-.Fa type
-argument is negative, it removes all key-value pairs and aliases
-of any type and also reverses all effects of
-.Fn OBJ_NAME_new_index
-and
-.Fn OBJ_NAME_init ,
-in particular resetting the list of types to the predefined types
-and releasing all memory reserved by these functions.
-.Pp
-The
-.Vt OBJ_NAME
-structure represents one key-value pair or one alias with the key
-.Pq Fa name , type .
-If the
-.Fa alias
-field is 0, the
-.Fa data
-field contains the value; otherwise, it contains the alias target name.
-.Sh RETURN VALUES
-.Fn OBJ_NAME_add
-and
-.Fn OBJ_NAME_init
-return 1 on success or 0 if memory allocation fails.
-.Pp
-.Fn OBJ_NAME_remove
-returns 1 if one key-value pair or alias was removed or 0 otherwise.
-.Pp
-.Fn OBJ_NAME_get
-returns the
-.Fa value
-associated with the key
-.Pq Fa name , type
-or
-.Dv NULL
-if
-.Fa name
-is
-.Dv NULL ,
-if the array does not contain a value for this key,
-or if more than ten aliases are encountered before finding a value.
-.Pp
-.Fn OBJ_NAME_new_index
-returns a positive integer greater than or equal to
-.Dv OBJ_NAME_TYPE_NUM
-representing the new type or 0 if memory allocation fails.
-.Sh SEE ALSO
-.Xr EVP_cleanup 3 ,
-.Xr EVP_get_cipherbyname 3 ,
-.Xr EVP_get_digestbyname 3 ,
-.Xr lh_new 3 ,
-.Xr OBJ_create 3 ,
-.Xr OBJ_nid2obj 3
-.Sh BUGS
-Calling
-.Fn OBJ_NAME_get
-with the bit
-.Dv OBJ_NAME_ALIAS
-is not very useful because there is no way to tell
-whether the returned pointer points to a value or to a name,
-short of calling the function again without setting the bit
-and comparing the two returned pointers.
-.Pp
-The
-.Fa free_func
-has no way to tell whether its
-.Fa value
-argument is indeed of the given
-.Fa type
-or whether it is merely the target name of an alias.
-Consequently, to use values of a type
-that requires more cleanup than merely calling
-.Xr free 3
-on it, instances of the type need to begin with a magic number or string
-that cannot occur at the beginning of a name.
diff --git a/src/lib/libcrypto/man/OBJ_create.3 b/src/lib/libcrypto/man/OBJ_create.3
index fa5bde3dd3..75d51f4bb8 100644
--- a/src/lib/libcrypto/man/OBJ_create.3
+++ b/src/lib/libcrypto/man/OBJ_create.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OBJ_create.3,v 1.10 2024/01/31 08:02:53 tb Exp $
+.\" $OpenBSD: OBJ_create.3,v 1.11 2025/06/08 22:37:23 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL OBJ_nid2obj.pod 9b86974e Aug 17 15:21:33 2015 -0400
 .\" selective merge up to:
@@ -69,18 +69,18 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 31 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OBJ_CREATE 3
 .Os
 .Sh NAME
 .Nm OBJ_new_nid ,
 .Nm OBJ_add_object ,
 .Nm OBJ_create ,
-.\" OBJ_create_and_add_object is a deprecated, unused alias for OBJ_create(3).
 .Nm OBJ_create_objects ,
 .Nm OBJ_cleanup
 .Nd modify the table of ASN.1 object identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/objects.h
 .Ft int
 .Fn OBJ_new_nid "int increment"
diff --git a/src/lib/libcrypto/man/OBJ_find_sigid_algs.3 b/src/lib/libcrypto/man/OBJ_find_sigid_algs.3
index 1d7a2b649b..4c071c6c76 100644
--- a/src/lib/libcrypto/man/OBJ_find_sigid_algs.3
+++ b/src/lib/libcrypto/man/OBJ_find_sigid_algs.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OBJ_find_sigid_algs.3,v 1.2 2024/01/31 08:02:53 tb Exp $
+.\" $OpenBSD: OBJ_find_sigid_algs.3,v 1.4 2025/06/09 12:42:46 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 31 2024 $
+.Dd $Mdocdate: June 9 2025 $
 .Dt OBJ_FIND_SIGID_ALGS 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm OBJ_find_sigid_by_algs
 .Nd signature algorithm mappings
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/objects.h
 .Ft int
 .Fo OBJ_find_sigid_algs
@@ -80,7 +81,6 @@ and
 algorithms is defined or 0 if the definition of such an algorithm
 is not built into the library.
 .Sh SEE ALSO
-.Xr EVP_cleanup 3 ,
 .Xr OBJ_create 3 ,
 .Xr OBJ_nid2obj 3
 .Sh HISTORY
diff --git a/src/lib/libcrypto/man/OBJ_nid2obj.3 b/src/lib/libcrypto/man/OBJ_nid2obj.3
index ccab1ed30c..9261ac9a7d 100644
--- a/src/lib/libcrypto/man/OBJ_nid2obj.3
+++ b/src/lib/libcrypto/man/OBJ_nid2obj.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OBJ_nid2obj.3,v 1.22 2024/01/31 08:02:53 tb Exp $
+.\" $OpenBSD: OBJ_nid2obj.3,v 1.23 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL c264592d May 14 11:28:00 2006 +0000
 .\" selective merge up to: OpenSSL 35fd9953 May 28 14:49:38 2019 +0200
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 31 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OBJ_NID2OBJ 3
 .Os
 .Sh NAME
@@ -86,6 +86,7 @@
 .Nm i2a_ASN1_OBJECT
 .Nd inspect and create ASN.1 object identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/objects.h
 .Ft ASN1_OBJECT *
 .Fo OBJ_nid2obj
diff --git a/src/lib/libcrypto/man/OCSP_CRLID_new.3 b/src/lib/libcrypto/man/OCSP_CRLID_new.3
index 6feb608654..9b0126fe91 100644
--- a/src/lib/libcrypto/man/OCSP_CRLID_new.3
+++ b/src/lib/libcrypto/man/OCSP_CRLID_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_CRLID_new.3,v 1.8 2022/01/15 23:38:50 jsg Exp $
+.\"     $OpenBSD: OCSP_CRLID_new.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 15 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_CRLID_NEW 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm OCSP_crlID_new
 .Nd OCSP CRL extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_CRLID *
 .Fn OCSP_CRLID_new void
diff --git a/src/lib/libcrypto/man/OCSP_REQUEST_new.3 b/src/lib/libcrypto/man/OCSP_REQUEST_new.3
index a304f60160..0e4e0ffb38 100644
--- a/src/lib/libcrypto/man/OCSP_REQUEST_new.3
+++ b/src/lib/libcrypto/man/OCSP_REQUEST_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_REQUEST_new.3,v 1.12 2022/02/19 13:09:36 jsg Exp $
+.\"     $OpenBSD: OCSP_REQUEST_new.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 19 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_REQUEST_NEW 3
 .Os
 .Sh NAME
@@ -84,6 +84,7 @@
 .Nm OCSP_request_onereq_get0
 .Nd OCSP request functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_REQUEST *
 .Fn OCSP_REQUEST_new void
diff --git a/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3 b/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3
index 62eb8c320f..42288321a3 100644
--- a/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3
+++ b/src/lib/libcrypto/man/OCSP_SERVICELOC_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OCSP_SERVICELOC_new.3,v 1.8 2019/08/23 12:23:39 schwarze Exp $
+.\" $OpenBSD: OCSP_SERVICELOC_new.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 23 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_SERVICELOC_NEW 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm OCSP_url_svcloc_new
 .Nd OCSP service locator extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_SERVICELOC *
 .Fn OCSP_SERVICELOC_new void
diff --git a/src/lib/libcrypto/man/OCSP_cert_to_id.3 b/src/lib/libcrypto/man/OCSP_cert_to_id.3
index e014a1d262..d0c04fcbb1 100644
--- a/src/lib/libcrypto/man/OCSP_cert_to_id.3
+++ b/src/lib/libcrypto/man/OCSP_cert_to_id.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_cert_to_id.3,v 1.13 2024/08/24 19:31:09 tb Exp $
+.\"     $OpenBSD: OCSP_cert_to_id.3,v 1.15 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_CERT_TO_ID 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm OCSP_id_get0_info
 .Nd OCSP certificate ID utility functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_CERTID *
 .Fn OCSP_CERTID_new void
@@ -148,7 +149,7 @@ If
 .Fa dgst
 is
 .Dv NULL
-then SHA1 is used.
+then SHA-1 is used.
 .Pp
 .Fn OCSP_cert_id_new
 creates and returns a new
diff --git a/src/lib/libcrypto/man/OCSP_request_add1_nonce.3 b/src/lib/libcrypto/man/OCSP_request_add1_nonce.3
index 036c937c61..304d686ba7 100644
--- a/src/lib/libcrypto/man/OCSP_request_add1_nonce.3
+++ b/src/lib/libcrypto/man/OCSP_request_add1_nonce.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OCSP_request_add1_nonce.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $
+.\"     $OpenBSD: OCSP_request_add1_nonce.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 22 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_REQUEST_ADD1_NONCE 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm OCSP_copy_nonce
 .Nd OCSP nonce functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft int
 .Fo OCSP_request_add1_nonce
diff --git a/src/lib/libcrypto/man/OCSP_resp_find_status.3 b/src/lib/libcrypto/man/OCSP_resp_find_status.3
index 06d0354bd6..5e9ce02fd5 100644
--- a/src/lib/libcrypto/man/OCSP_resp_find_status.3
+++ b/src/lib/libcrypto/man/OCSP_resp_find_status.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OCSP_resp_find_status.3,v 1.11 2022/03/31 17:27:17 naddy Exp $
+.\" $OpenBSD: OCSP_resp_find_status.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL c952780c Jun 21 07:03:34 2016 -0400
 .\" selective merge up to: OpenSSL 1212818e Sep 11 13:22:14 2018 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_RESP_FIND_STATUS 3
 .Os
 .Sh NAME
@@ -88,6 +88,7 @@
 .Nm OCSP_basic_verify
 .Nd OCSP response utility functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_SINGLERESP *
 .Fn OCSP_SINGLERESP_new void
diff --git a/src/lib/libcrypto/man/OCSP_response_status.3 b/src/lib/libcrypto/man/OCSP_response_status.3
index 4e85384fb0..7fd8267d9f 100644
--- a/src/lib/libcrypto/man/OCSP_response_status.3
+++ b/src/lib/libcrypto/man/OCSP_response_status.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OCSP_response_status.3,v 1.8 2019/08/27 09:40:29 schwarze Exp $
+.\" $OpenBSD: OCSP_response_status.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\" selective merge up to: OpenSSL 6738bf14 Feb 13 12:51:29 2018 +0000
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 27 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_RESPONSE_STATUS 3
 .Os
 .Sh NAME
@@ -87,6 +87,7 @@
 .Nm OCSP_basic_sign
 .Nd OCSP response functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_RESPONSE *
 .Fn OCSP_RESPONSE_new void
diff --git a/src/lib/libcrypto/man/OCSP_sendreq_new.3 b/src/lib/libcrypto/man/OCSP_sendreq_new.3
index 300f719525..c6608ecce7 100644
--- a/src/lib/libcrypto/man/OCSP_sendreq_new.3
+++ b/src/lib/libcrypto/man/OCSP_sendreq_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OCSP_sendreq_new.3,v 1.10 2022/03/31 17:27:17 naddy Exp $
+.\" $OpenBSD: OCSP_sendreq_new.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OCSP_SENDREQ_NEW 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm OCSP_sendreq_bio
 .Nd OCSP responder query functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_REQ_CTX *
 .Fo OCSP_sendreq_new
diff --git a/src/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 b/src/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
index 76427a864b..929658c28d 100644
--- a/src/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
+++ b/src/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OPENSSL_VERSION_NUMBER.3,v 1.13 2023/11/16 20:17:04 schwarze Exp $
+.\" $OpenBSD: OPENSSL_VERSION_NUMBER.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 1f13ad31 Dec 25 17:50:39 2017 +0800
 .\"
 .\" This file is a derived work.
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OPENSSL_VERSION_NUMBER 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm SSLeay_version
 .Nd get OpenSSL version number
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/opensslv.h
 .Fd #define OPENSSL_VERSION_NUMBER 0x020000000L
 .Fd #define LIBRESSL_VERSION_NUMBER 0x02nnnn00fL
diff --git a/src/lib/libcrypto/man/OPENSSL_cleanse.3 b/src/lib/libcrypto/man/OPENSSL_cleanse.3
index 95fe6b86fd..cf16405db9 100644
--- a/src/lib/libcrypto/man/OPENSSL_cleanse.3
+++ b/src/lib/libcrypto/man/OPENSSL_cleanse.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OPENSSL_cleanse.3,v 1.4 2019/06/10 09:49:48 schwarze Exp $
+.\"     $OpenBSD: OPENSSL_cleanse.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OPENSSL_CLEANSE 3
 .Os
 .Sh NAME
 .Nm OPENSSL_cleanse
 .Nd OpenSSL memory cleaning operation
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/crypto.h
 .Ft void
 .Fo OPENSSL_cleanse
diff --git a/src/lib/libcrypto/man/OPENSSL_config.3 b/src/lib/libcrypto/man/OPENSSL_config.3
index f5f31571a1..e21b9817de 100644
--- a/src/lib/libcrypto/man/OPENSSL_config.3
+++ b/src/lib/libcrypto/man/OPENSSL_config.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OPENSSL_config.3,v 1.16 2023/11/19 21:01:27 tb Exp $
+.\" $OpenBSD: OPENSSL_config.3,v 1.18 2025/06/09 12:43:53 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 9 2025 $
 .Dt OPENSSL_CONFIG 3
 .Os
 .Sh NAME
@@ -73,6 +73,7 @@
 .Nm OPENSSL_no_config
 .Nd simple crypto and ssl library configuration
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/conf.h
 .Ft void
 .Fo OPENSSL_config
@@ -117,13 +118,11 @@ To use a non-standard configuration file, refer to
 Internally,
 .Fn OPENSSL_config
 calls
-.Xr OPENSSL_init_crypto 3
+.Xr OPENSSL_init_crypto 3 .
-and
-.Xr OPENSSL_load_builtin_modules 3 .
 .Pp
 If an application is compiled with the preprocessor symbol
 .Dv OPENSSL_LOAD_CONF
-#define'd,
+defined,
 .Xr OpenSSL_add_all_algorithms 3
 automatically calls
 .Fn OPENSSL_config .
@@ -140,7 +139,6 @@ standard configuration file
 .Xr CONF_modules_free 3 ,
 .Xr CONF_modules_load_file 3 ,
 .Xr crypto 3 ,
-.Xr OPENSSL_load_builtin_modules 3 ,
 .Xr OPENSSL_VERSION_NUMBER 3 ,
 .Xr openssl.cnf 5 ,
 .Xr x509v3.cnf 5
diff --git a/src/lib/libcrypto/man/OPENSSL_init_crypto.3 b/src/lib/libcrypto/man/OPENSSL_init_crypto.3
index 6f38c7bda2..5c29d55aa9 100644
--- a/src/lib/libcrypto/man/OPENSSL_init_crypto.3
+++ b/src/lib/libcrypto/man/OPENSSL_init_crypto.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OPENSSL_init_crypto.3,v 1.5 2020/05/24 12:21:31 schwarze Exp $
+.\" $OpenBSD: OPENSSL_init_crypto.3,v 1.7 2025/06/09 12:43:53 schwarze Exp $
 .\" Copyright (c) 2018, 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 24 2020 $
+.Dd $Mdocdate: June 9 2025 $
 .Dt OPENSSL_INIT_CRYPTO 3
 .Os
 .Sh NAME
@@ -21,6 +21,7 @@
 .Nm OPENSSL_init
 .Nd initialise the crypto library
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/crypto.h
 .Ft int
 .Fo OPENSSL_init_crypto
@@ -54,10 +55,7 @@ If
 is called before any other crypto or ssl functions, the crypto
 library is initialised by allocating various internal resources,
 in particular calling
-.Xr ERR_load_crypto_strings 3 ,
+.Xr ERR_load_crypto_strings 3 .
-.Xr OpenSSL_add_all_ciphers 3 ,
-and
-.Xr OpenSSL_add_all_digests 3 .
 .Pp
 The following
 .Fa options
@@ -92,7 +90,6 @@ is intended to return 1 on success or 0 on error.
 .Sh SEE ALSO
 .Xr CONF_modules_load_file 3 ,
 .Xr OPENSSL_config 3 ,
-.Xr OPENSSL_load_builtin_modules 3 ,
 .Xr openssl.cnf 5
 .Sh HISTORY
 .Fn OPENSSL_init
diff --git a/src/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 b/src/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
deleted file mode 100644
index 2b20efaf0e..0000000000
--- a/src/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
+++ /dev/null
@@ -1,101 +0,0 @@
-.\"     $OpenBSD: OPENSSL_load_builtin_modules.3,v 1.8 2023/12/05 02:41:13 jsg Exp $
-.\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2004, 2013 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 5 2023 $
-.Dt OPENSSL_LOAD_BUILTIN_MODULES 3
-.Os
-.Sh NAME
-.Nm OPENSSL_load_builtin_modules ,
-.Nm ASN1_add_oid_module
-.Nd add standard configuration modules
-.Sh SYNOPSIS
-.In openssl/conf.h
-.Ft void
-.Fn OPENSSL_load_builtin_modules void
-.Ft void
-.Fn ASN1_add_oid_module void
-.Sh DESCRIPTION
-The function
-.Fn OPENSSL_load_builtin_modules
-adds all the standard OpenSSL configuration modules to the internal
-list.
-They can then be used by the OpenSSL configuration code.
-.Pp
-.Fn ASN1_add_oid_module
-adds just the ASN.1 OBJECT module.
-.Pp
-If the simple configuration function
-.Xr OPENSSL_config 3
-is called then
-.Fn OPENSSL_load_builtin_modules
-is called automatically.
-.Pp
-Applications which use configuration functions like
-.Xr CONF_modules_load_file 3
-directly need to call
-.Fn OPENSSL_load_builtin_modules
-themselves
-.Em before
-any other configuration code.
-.Pp
-Applications should call
-.Xr OPENSSL_config 3
-or
-.Fn OPENSSL_load_builtin_modules
-to load all configuration modules instead of adding modules selectively:
-otherwise functionality may be missing from the application when
-new modules are added.
-.Sh SEE ALSO
-.Xr CONF_modules_load_file 3 ,
-.Xr OPENSSL_config 3
-.Sh HISTORY
-These functions first appeared in OpenSSL 0.9.7
-and have been available since
-.Ox 3.2 .
diff --git a/src/lib/libcrypto/man/OPENSSL_malloc.3 b/src/lib/libcrypto/man/OPENSSL_malloc.3
index a43dc56923..6e87d030d8 100644
--- a/src/lib/libcrypto/man/OPENSSL_malloc.3
+++ b/src/lib/libcrypto/man/OPENSSL_malloc.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: OPENSSL_malloc.3,v 1.13 2024/04/04 09:30:43 tb Exp $
+.\"     $OpenBSD: OPENSSL_malloc.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 4 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OPENSSL_MALLOC 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm CRYPTO_strdup
 .Nd legacy OpenSSL memory allocation wrappers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/crypto.h
 .Ft void *
 .Fo OPENSSL_malloc
diff --git a/src/lib/libcrypto/man/OPENSSL_sk_new.3 b/src/lib/libcrypto/man/OPENSSL_sk_new.3
index 8f06bb4212..632bc9d39f 100644
--- a/src/lib/libcrypto/man/OPENSSL_sk_new.3
+++ b/src/lib/libcrypto/man/OPENSSL_sk_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OPENSSL_sk_new.3,v 1.13 2024/03/04 09:47:34 tb Exp $
+.\" $OpenBSD: OPENSSL_sk_new.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 4 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OPENSSL_SK_NEW 3
 .Os
 .Sh NAME
@@ -40,6 +40,7 @@
 .Nm sk_zero
 .Nd variable-sized arrays of void pointers, called OpenSSL stacks
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/stack.h
 .Ft _STACK *
 .Fn sk_new_null void
diff --git a/src/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 b/src/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
index 88ecef9768..68d8799bd4 100644
--- a/src/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
+++ b/src/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
@@ -1,7 +1,24 @@
-.\" $OpenBSD: OpenSSL_add_all_algorithms.3,v 1.16 2024/03/04 19:04:47 tb Exp $
+.\" $OpenBSD: OpenSSL_add_all_algorithms.3,v 1.19 2025/06/12 15:59:30 schwarze Exp $
 .\" full merge up to: OpenSSL b3696a55 Sep 2 09:35:50 2017 -0400
 .\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2018, 2019, 2023, 2025 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
 .\" Copyright (c) 2000, 2003, 2013 The OpenSSL Project.  All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -48,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 4 2024 $
+.Dd $Mdocdate: June 12 2025 $
 .Dt OPENSSL_ADD_ALL_ALGORITHMS 3
 .Os
 .Sh NAME
@@ -64,6 +81,7 @@
 .\" because they are unused aliases.
 .Nd add algorithms to internal table
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft void
 .Fn OpenSSL_add_all_algorithms void
@@ -79,40 +97,43 @@
 These functions are deprecated.
 It is never useful for any application program
 to call any of them explicitly.
-The library automatically calls them internally whenever needed.
+Most of them have no effect except that they may or may not call
+.Xr OPENSSL_init_crypto 3 .
 .Pp
-OpenSSL keeps an internal table of digest algorithms and ciphers.
+The library contains internal tables of digest algorithms and ciphers.
-It uses this table to look up ciphers via functions such as
+It uses these tables to look up digests and ciphers via
-.Xr EVP_get_cipherbyname 3 .
+.Xr EVP_get_digestbyname 3
+and
+.Xr EVP_get_cipherbyname 3 ,
+respectively.
+In LibreSSL, these tables are static constants and do not require
+initialization.
 .Pp
 .Fn OpenSSL_add_all_algorithms
-adds all algorithms to the table (digests and ciphers).
+used to add all digests and ciphers to the tables.
 If an application is compiled with the preprocessor symbol
 .Dv OPENSSL_LOAD_CONF
-#define'd, it also calls
+defined, it also calls
 .Xr OPENSSL_config 3
 with a
 .Dv NULL
 argument, loading the default configuration file.
+Relying on this behaviour is not recommended.
+If loading a configuration file is desired, call
+.Xr OPENSSL_config 3
+or
+.Xr CONF_modules_load_file 3
+directly.
 .Pp
 .Fn OpenSSL_add_all_digests
-adds all digest algorithms to the table.
+used to add all digest algorithms to the table.
 .Pp
 .Fn OpenSSL_add_all_ciphers
-adds all encryption algorithms to the table including password based
+used to add all encryption algorithms to the table.
-encryption algorithms.
-.Pp
-If any of the above functions is called more than once,
-only the first call has an effect.
 .Pp
 .Fn EVP_cleanup
-removes all ciphers and digests from the table and also calls
+has no effect; it used to remove various kinds of application-supplied
-.Xr OBJ_NAME_cleanup 3
+data that is no longer supported in the first place.
-with an argument of \-1 ,
-thus resetting the global associative array of names
-and all signature algorithm definitions to their default states,
-removing all application-defined types, key-value pairs, and aliases,
-including any that are unrelated to the EVP library.
 .Pp
 .Fn SSLeay_add_all_algorithms
 is a deprecated alias for
@@ -126,8 +147,6 @@ are implemented as macros.
 .Xr evp 3 ,
 .Xr EVP_DigestInit 3 ,
 .Xr EVP_EncryptInit 3 ,
-.Xr OBJ_cleanup 3 ,
-.Xr OBJ_NAME_add 3 ,
 .Xr OPENSSL_config 3
 .Sh HISTORY
 .Fn EVP_cleanup ,
@@ -148,5 +167,3 @@ first appeared in OpenSSL 0.9.5 and have been available since
 .Sh BUGS
 Although the functions do not return error codes, it is possible for them
 to fail.
-This will only happen as a result of a memory allocation failure so this
-is not too much of a problem in practice.
diff --git a/src/lib/libcrypto/man/PEM_ASN1_read.3 b/src/lib/libcrypto/man/PEM_ASN1_read.3
index 53ebe5ada4..016007d405 100644
--- a/src/lib/libcrypto/man/PEM_ASN1_read.3
+++ b/src/lib/libcrypto/man/PEM_ASN1_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_ASN1_read.3,v 1.2 2020/07/23 17:34:53 schwarze Exp $
+.\" $OpenBSD: PEM_ASN1_read.3,v 1.4 2025/07/16 17:59:10 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 23 2020 $
+.Dd $Mdocdate: July 16 2025 $
 .Dt PEM_ASN1_READ 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm PEM_ASN1_read_bio
 .Nd PEM and DER decode an arbitrary ASN.1 value
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pem.h
 .Ft typedef void *
 .Fo d2i_of_void
@@ -165,7 +166,7 @@ Additional types of errors can result from
 .Xr PEM_read 3 ,
 .Xr PEM_read_bio_PrivateKey 3 ,
 .Xr PEM_read_SSL_SESSION 3 ,
-.Xr PEM_X509_INFO_read 3
+.Xr PEM_X509_INFO_read_bio 3
 .Sh HISTORY
 These functions first appeared in SSLeay 0.5.1
 and have been available since
diff --git a/src/lib/libcrypto/man/PEM_X509_INFO_read.3 b/src/lib/libcrypto/man/PEM_X509_INFO_read_bio.3
index b3216a89b6..7d34951df0 100644
--- a/src/lib/libcrypto/man/PEM_X509_INFO_read.3
+++ b/src/lib/libcrypto/man/PEM_X509_INFO_read_bio.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_X509_INFO_read.3,v 1.4 2021/10/19 10:39:33 schwarze Exp $
+.\" $OpenBSD: PEM_X509_INFO_read_bio.3,v 1.1 2025/07/17 10:31:50 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,23 +14,16 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 19 2021 $
+.Dd $Mdocdate: July 17 2025 $
-.Dt PEM_X509_INFO_READ 3
+.Dt PEM_X509_INFO_READ_BIO 3
 .Os
 .Sh NAME
-.Nm PEM_X509_INFO_read ,
 .Nm PEM_X509_INFO_read_bio
 .Nd PEM and DER decode X.509 certificates, private keys, and revocation lists
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pem.h
 .Ft STACK_OF(X509_INFO) *
-.Fo PEM_X509_INFO_read
-.Fa "FILE *in_fp"
-.Fa "STACK_OF(X509_INFO) *sk"
-.Fa "pem_password_cb *cb"
-.Fa "void *u"
-.Fc
-.Ft STACK_OF(X509_INFO) *
 .Fo PEM_X509_INFO_read_bio
 .Fa "BIO *in_bp"
 .Fa "STACK_OF(X509_INFO) *sk"
@@ -38,13 +31,11 @@
 .Fa "void *u"
 .Fc
 .Sh DESCRIPTION
-These functions read zero or more objects
+This function reads zero or more objects
 related to X.509 certificates from
-.Fa in_fp
-or
 .Fa in_bp ,
-perform both PEM and DER decoding,
+performs both PEM and DER decoding,
-and wrap the resulting objects in newly allocated
+and wraps the resulting objects in newly allocated
 .Vt X509_INFO
 containers.
 .Pp
@@ -109,11 +100,11 @@ during the same call are deleted again and
 .Fa sk
 is left unchanged.
 .Sh RETURN VALUES
-These functions return a pointer to the stack
+This function returns a pointer to the stack
 the objects read were pushed onto or
 .Dv NULL
 if an error occurs.
-They fail if
+It fails if
 .Xr PEM_read_bio 3 ,
 .Xr PEM_get_EVP_CIPHER_INFO 3 ,
 .Xr PEM_do_header 3 ,
@@ -128,9 +119,6 @@ include:
 .Bl -tag -width Ds
 .It Dv ERR_R_ASN1_LIB Qq "ASN1 lib"
 DER decoding of a PEM object failed.
-.It Dv ERR_R_BUF_LIB Qq BUF lib
-.Fn PEM_X509_INFO_read
-failed to set up a temporary BIO, for example because memory was exhausted.
 .It Dv ERR_R_MALLOC_FAILURE Qq "malloc failure"
 .Fn PEM_X509_INFO_read_bio
 failed to allocate a new
@@ -147,7 +135,7 @@ Additional types of errors can result from
 and
 .Xr PEM_do_header 3 .
 .Pp
-After these functions failed due to memory exhaustion,
+After this function failed due to memory exhaustion,
 .Xr ERR_get_error 3
 may sometimes return 0 anyway.
 .Sh SEE ALSO
@@ -162,14 +150,10 @@ may sometimes return 0 anyway.
 .Xr X509_CRL_new 3 ,
 .Xr X509_INFO_new 3 ,
 .Xr X509_LOOKUP_new 3 ,
-.Xr X509_new 3 ,
+.Xr X509_new 3
-.Xr X509_PKEY_new 3
 .Sh HISTORY
-.Fn PEM_X509_INFO_read
-first appeared in SSLeay 0.5.1 and
 .Fn PEM_X509_INFO_read_bio
-in SSLeay 0.6.0.
+first appeared in SSLeay 0.6.0 and has been available since
-Both functions have been available since
 .Ox 2.4 .
 .Sh CAVEATS
 It is not an error
@@ -184,6 +168,6 @@ a newly allocated, empty stack is returned.
 The only way to detect this situation is by comparing
 the number of objects on the stack before and after the call.
 .Sh BUGS
-When reaching the end of the input, these functions call
+When reaching the end of the input, this function calls
 .Xr ERR_clear_error 3 ,
-which may hide errors that occurred before calling these functions.
+which may hide errors that occurred before calling it.
diff --git a/src/lib/libcrypto/man/PEM_bytes_read_bio.3 b/src/lib/libcrypto/man/PEM_bytes_read_bio.3
index 20ad6b8a4d..69cb26ce8d 100644
--- a/src/lib/libcrypto/man/PEM_bytes_read_bio.3
+++ b/src/lib/libcrypto/man/PEM_bytes_read_bio.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_bytes_read_bio.3,v 1.6 2020/07/23 17:34:53 schwarze Exp $
+.\" $OpenBSD: PEM_bytes_read_bio.3,v 1.8 2025/07/16 17:59:10 schwarze Exp $
 .\" selective merge up to:
 .\" OpenSSL PEM_bytes_read_bio.pod 7671342e Feb 29 15:47:12 2016 -0600
 .\"
@@ -65,13 +65,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 23 2020 $
+.Dd $Mdocdate: July 16 2025 $
 .Dt PEM_BYTES_READ_BIO 3
 .Os
 .Sh NAME
 .Nm PEM_bytes_read_bio
 .Nd read a PEM-encoded data structure from a BIO
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pem.h
 .Ft int
 .Fo PEM_bytes_read_bio
@@ -175,7 +176,7 @@ Additional types of errors can result from
 .Xr PEM_ASN1_read 3 ,
 .Xr PEM_read 3 ,
 .Xr PEM_read_bio_PrivateKey 3 ,
-.Xr PEM_X509_INFO_read 3
+.Xr PEM_X509_INFO_read_bio 3
 .Sh STANDARDS
 RFC 1421: Privacy Enhancement for Internet Electronic Mail (PEM), Part I
 .Sh HISTORY
diff --git a/src/lib/libcrypto/man/PEM_read.3 b/src/lib/libcrypto/man/PEM_read.3
index 1493d54fc4..de93b3e903 100644
--- a/src/lib/libcrypto/man/PEM_read.3
+++ b/src/lib/libcrypto/man/PEM_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_read.3,v 1.15 2023/09/18 15:26:46 schwarze Exp $
+.\" $OpenBSD: PEM_read.3,v 1.17 2025/07/16 17:59:10 schwarze Exp $
 .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 18 2023 $
+.Dd $Mdocdate: July 16 2025 $
 .Dt PEM_READ 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm pem_password_cb
 .Nd PEM encoding routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pem.h
 .Ft int
 .Fo PEM_write
@@ -395,7 +396,7 @@ to fail may differ.
 .Xr PEM_read_SSL_SESSION 3 ,
 .Xr PEM_write_bio_CMS_stream 3 ,
 .Xr PEM_write_bio_PKCS7_stream 3 ,
-.Xr PEM_X509_INFO_read 3
+.Xr PEM_X509_INFO_read_bio 3
 .Sh HISTORY
 .Fn PEM_write ,
 .Fn PEM_read ,
diff --git a/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3 b/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
index 9f45261725..9ef136de7e 100644
--- a/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
+++ b/src/lib/libcrypto/man/PEM_read_bio_PrivateKey.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.23 2024/09/02 08:04:32 tb Exp $
+.\" $OpenBSD: PEM_read_bio_PrivateKey.3,v 1.25 2025/07/16 17:59:10 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/PEM_read_bio_PrivateKey.pod 18bad535 Apr 9 15:13:55 2019 +0100
 .\" OpenSSL man3/PEM_read_CMS.pod 83cf7abf May 29 13:07:08 2018 +0100
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: July 16 2025 $
 .Dt PEM_READ_BIO_PRIVATEKEY 3
 .Os
 .Sh NAME
@@ -143,6 +143,7 @@
 .Nm PEM_write_bio_CMS
 .Nd PEM routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pem.h
 .Ft EVP_PKEY *
 .Fo PEM_read_bio_PrivateKey
@@ -1183,7 +1184,7 @@ pass_cb(char *buf, int size, int rwflag, void *u)
 .Xr PEM_read_SSL_SESSION 3 ,
 .Xr PEM_write_bio_CMS_stream 3 ,
 .Xr PEM_write_bio_PKCS7_stream 3 ,
-.Xr PEM_X509_INFO_read 3 ,
+.Xr PEM_X509_INFO_read_bio 3 ,
 .Xr RSA_new 3 ,
 .Xr X509_CRL_new 3 ,
 .Xr X509_REQ_new 3 ,
diff --git a/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 b/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
index 88adbba74f..a858874bab 100644
--- a/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
+++ b/src/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_write_bio_CMS_stream.3,v 1.6 2023/05/01 07:28:11 tb Exp $
+.\" $OpenBSD: PEM_write_bio_CMS_stream.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 1 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PEM_WRITE_BIO_CMS_STREAM 3
 .Os
 .Sh NAME
 .Nm PEM_write_bio_CMS_stream
 .Nd output CMS_ContentInfo structure in PEM format
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo PEM_write_bio_CMS_stream
diff --git a/src/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 b/src/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
index 9050b8562f..a731767049 100644
--- a/src/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
+++ b/src/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PEM_write_bio_PKCS7_stream.3,v 1.12 2023/05/01 07:28:11 tb Exp $
+.\" $OpenBSD: PEM_write_bio_PKCS7_stream.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 1 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PEM_WRITE_BIO_PKCS7_STREAM 3
 .Os
 .Sh NAME
 .Nm PEM_write_bio_PKCS7_stream
 .Nd output PKCS7 structure in PEM format
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PEM_write_bio_PKCS7_stream
diff --git a/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3 b/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3
index e7d20ea7f6..45bdc20bc9 100644
--- a/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3
+++ b/src/lib/libcrypto/man/PKCS12_SAFEBAG_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS12_SAFEBAG_new.3,v 1.4 2019/06/06 01:06:58 schwarze Exp $
+.\"     $OpenBSD: PKCS12_SAFEBAG_new.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS12_SAFEBAG_NEW 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm PKCS12_BAGS_free
 .Nd PKCS#12 container for one piece of information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs12.h
 .Ft PKCS12_SAFEBAG *
 .Fn PKCS12_SAFEBAG_new void
diff --git a/src/lib/libcrypto/man/PKCS12_create.3 b/src/lib/libcrypto/man/PKCS12_create.3
index 904166da73..80471ca88a 100644
--- a/src/lib/libcrypto/man/PKCS12_create.3
+++ b/src/lib/libcrypto/man/PKCS12_create.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS12_create.3,v 1.13 2024/08/22 12:26:01 tb Exp $
+.\" $OpenBSD: PKCS12_create.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 22 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS12_CREATE 3
 .Os
 .Sh NAME
 .Nm PKCS12_create
 .Nd create a PKCS#12 structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs12.h
 .Ft PKCS12 *
 .Fo PKCS12_create
diff --git a/src/lib/libcrypto/man/PKCS12_new.3 b/src/lib/libcrypto/man/PKCS12_new.3
index c7ccdb4911..1506eaade3 100644
--- a/src/lib/libcrypto/man/PKCS12_new.3
+++ b/src/lib/libcrypto/man/PKCS12_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS12_new.3,v 1.4 2019/06/06 01:06:58 schwarze Exp $
+.\"     $OpenBSD: PKCS12_new.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS12_NEW 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm PKCS12_MAC_DATA_free
 .Nd PKCS#12 personal information exchange (PFX)
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs12.h
 .Ft PKCS12 *
 .Fn PKCS12_new void
diff --git a/src/lib/libcrypto/man/PKCS12_newpass.3 b/src/lib/libcrypto/man/PKCS12_newpass.3
index b5642c96ea..b4d088e0e8 100644
--- a/src/lib/libcrypto/man/PKCS12_newpass.3
+++ b/src/lib/libcrypto/man/PKCS12_newpass.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS12_newpass.3,v 1.4 2019/06/14 13:59:32 schwarze Exp $
+.\"     $OpenBSD: PKCS12_newpass.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL c95a8b4e May 5 14:26:26 2016 +0100
 .\"
 .\" This file was written by Jeffrey Walton <noloader@gmail.com>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 14 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS12_NEWPASS 3
 .Os
 .Sh NAME
 .Nm PKCS12_newpass
 .Nd change the password of a PKCS#12 structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs12.h
 .Ft int
 .Fo PKCS12_newpass
diff --git a/src/lib/libcrypto/man/PKCS12_parse.3 b/src/lib/libcrypto/man/PKCS12_parse.3
index 4e92d303c7..333d86b672 100644
--- a/src/lib/libcrypto/man/PKCS12_parse.3
+++ b/src/lib/libcrypto/man/PKCS12_parse.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS12_parse.3,v 1.7 2021/07/09 12:07:27 schwarze Exp $
+.\"     $OpenBSD: PKCS12_parse.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS12_PARSE 3
 .Os
 .Sh NAME
 .Nm PKCS12_parse
 .Nd parse a PKCS#12 structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs12.h
 .Ft int
 .Fo PKCS12_parse
diff --git a/src/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3 b/src/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3
index 3a448b92a7..7c113029ee 100644
--- a/src/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3
+++ b/src/lib/libcrypto/man/PKCS5_PBKDF2_HMAC.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS5_PBKDF2_HMAC.3,v 1.9 2019/06/07 20:46:25 schwarze Exp $
+.\"     $OpenBSD: PKCS5_PBKDF2_HMAC.3,v 1.10 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Jeffrey Walton <noloader@gmail.com>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 7 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS5_PBKDF2_HMAC 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm PKCS5_PBKDF2_HMAC_SHA1
 .Nd password based derivation routines with salt and iteration count
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo PKCS5_PBKDF2_HMAC
diff --git a/src/lib/libcrypto/man/PKCS7_add_attribute.3 b/src/lib/libcrypto/man/PKCS7_add_attribute.3
index 4a1c350f98..e7c8c734c4 100644
--- a/src/lib/libcrypto/man/PKCS7_add_attribute.3
+++ b/src/lib/libcrypto/man/PKCS7_add_attribute.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_add_attribute.3,v 1.3 2020/06/10 11:39:12 schwarze Exp $
+.\" $OpenBSD: PKCS7_add_attribute.3,v 1.6 2025/07/27 19:31:20 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 10 2020 $
+.Dd $Mdocdate: July 27 2025 $
 .Dt PKCS7_ADD_ATTRIBUTE 3
 .Os
 .Sh NAME
@@ -30,6 +30,7 @@
 .Nm PKCS7_add_attrib_smimecap
 .Nd attributes of SignerInfo objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PKCS7_add_attribute
@@ -306,6 +307,10 @@ RFC 2985: PKCS #9: Selected Object Classes and Attribute Types Version 2.0,
 section 5.3: Attribute types for use in PKCS #7 data
 and section 5.6: Attributes defined in S/MIME
 .Pp
+RFC 5652: Cryptographic Message Syntax (CMS),
+section 5.3: SignerInfo Type
+and section 11: Useful Attributes
+.Pp
 RFC 8551: Secure/Multipurpose Internet Mail Extensions (S/MIME)
 Version 4.0 Message Specification,
 section 2.5.2: SMIMECapabilities Attribute
@@ -345,7 +350,7 @@ in a state that violates the standard.
 .Fn PKCS7_add0_attrib_signing_time
 does not validate
 .Fa t
-in any way.
+beyond checking that it is well-formed per RFC 5652, section 11.3.
 In particular, it may set the signing time to the future
 or to the remote past.
 .Sh BUGS
diff --git a/src/lib/libcrypto/man/PKCS7_dataFinal.3 b/src/lib/libcrypto/man/PKCS7_dataFinal.3
index 1a01b2ff61..fdc9da7f9e 100644
--- a/src/lib/libcrypto/man/PKCS7_dataFinal.3
+++ b/src/lib/libcrypto/man/PKCS7_dataFinal.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_dataFinal.3,v 1.3 2022/12/26 07:18:52 jmc Exp $
+.\" $OpenBSD: PKCS7_dataFinal.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 26 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_DATAFINAL 3
 .Os
 .Sh NAME
 .Nm PKCS7_dataFinal
 .Nd move data from a BIO chain to a ContentInfo object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PKCS7_dataFinal
diff --git a/src/lib/libcrypto/man/PKCS7_dataInit.3 b/src/lib/libcrypto/man/PKCS7_dataInit.3
index cb54d3f95c..320a227454 100644
--- a/src/lib/libcrypto/man/PKCS7_dataInit.3
+++ b/src/lib/libcrypto/man/PKCS7_dataInit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_dataInit.3,v 1.2 2020/06/03 13:41:27 schwarze Exp $
+.\" $OpenBSD: PKCS7_dataInit.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 3 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_DATAINIT 3
 .Os
 .Sh NAME
 .Nm PKCS7_dataInit
 .Nd construct a BIO chain for adding or retrieving content
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft BIO *
 .Fo PKCS7_dataInit
diff --git a/src/lib/libcrypto/man/PKCS7_decrypt.3 b/src/lib/libcrypto/man/PKCS7_decrypt.3
index 8d00499b57..857777bcd6 100644
--- a/src/lib/libcrypto/man/PKCS7_decrypt.3
+++ b/src/lib/libcrypto/man/PKCS7_decrypt.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS7_decrypt.3,v 1.10 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: PKCS7_decrypt.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_DECRYPT 3
 .Os
 .Sh NAME
 .Nm PKCS7_decrypt
 .Nd decrypt content from a PKCS#7 envelopedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PKCS7_decrypt
diff --git a/src/lib/libcrypto/man/PKCS7_encrypt.3 b/src/lib/libcrypto/man/PKCS7_encrypt.3
index 700498a1de..3e7283839d 100644
--- a/src/lib/libcrypto/man/PKCS7_encrypt.3
+++ b/src/lib/libcrypto/man/PKCS7_encrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_encrypt.3,v 1.11 2020/06/03 13:41:27 schwarze Exp $
+.\" $OpenBSD: PKCS7_encrypt.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 3 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_ENCRYPT 3
 .Os
 .Sh NAME
 .Nm PKCS7_encrypt
 .Nd create a PKCS#7 envelopedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft PKCS7 *
 .Fo PKCS7_encrypt
diff --git a/src/lib/libcrypto/man/PKCS7_final.3 b/src/lib/libcrypto/man/PKCS7_final.3
index 775b84d984..5c2063b1bd 100644
--- a/src/lib/libcrypto/man/PKCS7_final.3
+++ b/src/lib/libcrypto/man/PKCS7_final.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_final.3,v 1.3 2022/12/26 07:18:52 jmc Exp $
+.\" $OpenBSD: PKCS7_final.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 26 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_FINAL 3
 .Os
 .Sh NAME
 .Nm PKCS7_final
 .Nd read data from a BIO into a ContentInfo object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PKCS7_final
diff --git a/src/lib/libcrypto/man/PKCS7_get_signer_info.3 b/src/lib/libcrypto/man/PKCS7_get_signer_info.3
index 280f373ead..9edf4c63de 100644
--- a/src/lib/libcrypto/man/PKCS7_get_signer_info.3
+++ b/src/lib/libcrypto/man/PKCS7_get_signer_info.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_get_signer_info.3,v 1.1 2020/06/10 11:43:08 schwarze Exp $
+.\" $OpenBSD: PKCS7_get_signer_info.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 10 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_GET_SIGNER_INFO 3
 .Os
 .Sh NAME
 .Nm PKCS7_get_signer_info
 .Nd retrieve signerInfos from a SignedData object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft STACK_OF(PKCS7_SIGNER_INFO) *
 .Fn PKCS7_get_signer_info "PKCS7 *p7"
diff --git a/src/lib/libcrypto/man/PKCS7_new.3 b/src/lib/libcrypto/man/PKCS7_new.3
index 151261a312..19f6f1ac81 100644
--- a/src/lib/libcrypto/man/PKCS7_new.3
+++ b/src/lib/libcrypto/man/PKCS7_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_new.3,v 1.12 2020/06/10 11:43:08 schwarze Exp $
+.\" $OpenBSD: PKCS7_new.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 10 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_NEW 3
 .Os
 .Sh NAME
@@ -40,6 +40,7 @@
 .Nm PKCS7_ISSUER_AND_SERIAL_free
 .Nd PKCS#7 data structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft PKCS7 *
 .Fn PKCS7_new void
diff --git a/src/lib/libcrypto/man/PKCS7_set_content.3 b/src/lib/libcrypto/man/PKCS7_set_content.3
index fa057341d5..bf0eb76786 100644
--- a/src/lib/libcrypto/man/PKCS7_set_content.3
+++ b/src/lib/libcrypto/man/PKCS7_set_content.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_set_content.3,v 1.2 2020/05/24 12:37:30 schwarze Exp $
+.\" $OpenBSD: PKCS7_set_content.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 24 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_SET_CONTENT 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm PKCS7_content_new
 .Nd set the nested contentInfo in a PKCS#7 structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PKCS7_set_content
diff --git a/src/lib/libcrypto/man/PKCS7_set_type.3 b/src/lib/libcrypto/man/PKCS7_set_type.3
index f414b128a2..23eefff972 100644
--- a/src/lib/libcrypto/man/PKCS7_set_type.3
+++ b/src/lib/libcrypto/man/PKCS7_set_type.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_set_type.3,v 1.2 2020/05/20 11:40:26 schwarze Exp $
+.\" $OpenBSD: PKCS7_set_type.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 20 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_SET_TYPE 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm PKCS7_set0_type_other
 .Nd initialize type of PKCS#7 ContentInfo
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PKCS7_set_type
diff --git a/src/lib/libcrypto/man/PKCS7_sign.3 b/src/lib/libcrypto/man/PKCS7_sign.3
index 37257e60fd..174b385196 100644
--- a/src/lib/libcrypto/man/PKCS7_sign.3
+++ b/src/lib/libcrypto/man/PKCS7_sign.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_sign.3,v 1.13 2020/06/10 11:43:08 schwarze Exp $
+.\" $OpenBSD: PKCS7_sign.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_SIGN 3
 .Os
 .Sh NAME
 .Nm PKCS7_sign
 .Nd create a PKCS#7 signedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft PKCS7 *
 .Fo PKCS7_sign
diff --git a/src/lib/libcrypto/man/PKCS7_sign_add_signer.3 b/src/lib/libcrypto/man/PKCS7_sign_add_signer.3
index 195d6388c9..4b88ff72bd 100644
--- a/src/lib/libcrypto/man/PKCS7_sign_add_signer.3
+++ b/src/lib/libcrypto/man/PKCS7_sign_add_signer.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS7_sign_add_signer.3,v 1.13 2020/06/10 11:43:08 schwarze Exp $
+.\" $OpenBSD: PKCS7_sign_add_signer.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS7_SIGN_ADD_SIGNER 3
 .Os
 .Sh NAME
 .Nm PKCS7_sign_add_signer
 .Nd add a signer to a SignedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft PKCS7_SIGNER_INFO *
 .Fo PKCS7_sign_add_signer
diff --git a/src/lib/libcrypto/man/PKCS7_verify.3 b/src/lib/libcrypto/man/PKCS7_verify.3
index d091c03dfd..53b32f738a 100644
--- a/src/lib/libcrypto/man/PKCS7_verify.3
+++ b/src/lib/libcrypto/man/PKCS7_verify.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS7_verify.3,v 1.11 2022/03/31 17:27:17 naddy Exp $
+.\"     $OpenBSD: PKCS7_verify.3,v 1.13 2025/12/20 07:22:43 tb Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: December 20 2025 $
 .Dt PKCS7_VERIFY 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm PKCS7_get0_signers
 .Nd verify a PKCS#7 signedData structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo PKCS7_verify
@@ -124,6 +125,15 @@ is detached,
 .Fa indata
 cannot be
 .Dv NULL .
+If the content is not detached and
+.Fa indata
+is not
+.Fa NULL ,
+then the structure has both embedded and external content.
+To treat this as an error, use the flag
+.Dv PKCS7_NO_DUAL_CONTENT .
+The default behavior allows this, for compatibility with other
+implementations.
 .Pp
 An attempt is made to locate all the signer's certificates, first
 looking in the
diff --git a/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3 b/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3
index 822968f58d..55eb464a33 100644
--- a/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3
+++ b/src/lib/libcrypto/man/PKCS8_PRIV_KEY_INFO_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKCS8_PRIV_KEY_INFO_new.3,v 1.7 2024/12/06 12:51:13 schwarze Exp $
+.\"     $OpenBSD: PKCS8_PRIV_KEY_INFO_new.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS8_PRIV_KEY_INFO_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm PKCS8_PRIV_KEY_INFO_free
 .Nd PKCS#8 private key information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft PKCS8_PRIV_KEY_INFO *
 .Fn PKCS8_PRIV_KEY_INFO_new void
diff --git a/src/lib/libcrypto/man/PKCS8_pkey_set0.3 b/src/lib/libcrypto/man/PKCS8_pkey_set0.3
index f3d5a294c3..a8a160d544 100644
--- a/src/lib/libcrypto/man/PKCS8_pkey_set0.3
+++ b/src/lib/libcrypto/man/PKCS8_pkey_set0.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: PKCS8_pkey_set0.3,v 1.3 2024/09/02 07:45:09 tb Exp $
+.\" $OpenBSD: PKCS8_pkey_set0.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKCS8_PKEY_SET0 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm PKCS8_pkey_get0_attrs
 .Nd change and inspect PKCS#8 PrivateKeyInfo objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo PKCS8_pkey_set0
diff --git a/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3 b/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3
index 40735c6f86..2d4f010bce 100644
--- a/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3
+++ b/src/lib/libcrypto/man/PKEY_USAGE_PERIOD_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PKEY_USAGE_PERIOD_new.3,v 1.5 2019/06/06 01:06:59 schwarze Exp $
+.\"     $OpenBSD: PKEY_USAGE_PERIOD_new.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PKEY_USAGE_PERIOD_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm PKEY_USAGE_PERIOD_free
 .Nd X.509 certificate private key usage period extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft PKEY_USAGE_PERIOD *
 .Fn PKEY_USAGE_PERIOD_new void
diff --git a/src/lib/libcrypto/man/POLICYINFO_new.3 b/src/lib/libcrypto/man/POLICYINFO_new.3
index 52c004414e..aad2ad3ce5 100644
--- a/src/lib/libcrypto/man/POLICYINFO_new.3
+++ b/src/lib/libcrypto/man/POLICYINFO_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: POLICYINFO_new.3,v 1.11 2023/05/14 08:03:57 tb Exp $
+.\"     $OpenBSD: POLICYINFO_new.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 14 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt POLICYINFO_NEW 3
 .Os
 .Sh NAME
@@ -34,6 +34,7 @@
 .Nm POLICY_CONSTRAINTS_free
 .Nd X.509 certificate policies
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft POLICYINFO *
 .Fn POLICYINFO_new void
diff --git a/src/lib/libcrypto/man/RAND_add.3 b/src/lib/libcrypto/man/RAND_add.3
index 5404f696a3..b56707a313 100644
--- a/src/lib/libcrypto/man/RAND_add.3
+++ b/src/lib/libcrypto/man/RAND_add.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RAND_add.3,v 1.10 2018/03/27 17:35:50 schwarze Exp $
+.\" $OpenBSD: RAND_add.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\" content checked up to: OpenSSL c16de9d8 Aug 31 23:16:22 2017 +0200
 .\"
 .\" Copyright (c) 2014 Miod Vallat <miod@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RAND_ADD 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm RAND_status
 .Nd manipulate the PRNG state
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rand.h
 .Ft void
 .Fo RAND_add
diff --git a/src/lib/libcrypto/man/RAND_bytes.3 b/src/lib/libcrypto/man/RAND_bytes.3
index 19427a82df..ce0773f448 100644
--- a/src/lib/libcrypto/man/RAND_bytes.3
+++ b/src/lib/libcrypto/man/RAND_bytes.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RAND_bytes.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: RAND_bytes.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RAND_BYTES 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm RAND_pseudo_bytes
 .Nd generate random data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rand.h
 .Ft int
 .Fo RAND_bytes
diff --git a/src/lib/libcrypto/man/RAND_load_file.3 b/src/lib/libcrypto/man/RAND_load_file.3
index 9227e2721b..1c6f7a27fb 100644
--- a/src/lib/libcrypto/man/RAND_load_file.3
+++ b/src/lib/libcrypto/man/RAND_load_file.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RAND_load_file.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: RAND_load_file.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RAND_LOAD_FILE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm RAND_write_file
 .Nd PRNG seed file
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rand.h
 .Ft const char *
 .Fo RAND_file_name
diff --git a/src/lib/libcrypto/man/RAND_set_rand_method.3 b/src/lib/libcrypto/man/RAND_set_rand_method.3
index d94d794daf..2756099c7b 100644
--- a/src/lib/libcrypto/man/RAND_set_rand_method.3
+++ b/src/lib/libcrypto/man/RAND_set_rand_method.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RAND_set_rand_method.3,v 1.4 2018/03/21 09:03:49 schwarze Exp $
+.\"     $OpenBSD: RAND_set_rand_method.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Miod Vallat <miod@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RAND_SET_RAND_METHOD 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm RAND_SSLeay
 .Nd select RAND method
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rand.h
 .Ft int
 .Fo RAND_set_rand_method
diff --git a/src/lib/libcrypto/man/RC2_encrypt.3 b/src/lib/libcrypto/man/RC2_encrypt.3
index a90e0f574b..735c10cbd7 100644
--- a/src/lib/libcrypto/man/RC2_encrypt.3
+++ b/src/lib/libcrypto/man/RC2_encrypt.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RC2_encrypt.3,v 1.2 2024/12/18 04:15:48 jsg Exp $
+.\" $OpenBSD: RC2_encrypt.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 18 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RC2_ENCRYPT 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm RC2_ofb64_encrypt
 .Nd low-level functions for Rivest Cipher 2
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rc2.h
 .Ft void
 .Fo RC2_set_key
diff --git a/src/lib/libcrypto/man/RC4.3 b/src/lib/libcrypto/man/RC4.3
index 8b20a434b7..ff92cffc78 100644
--- a/src/lib/libcrypto/man/RC4.3
+++ b/src/lib/libcrypto/man/RC4.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RC4.3,v 1.8 2020/03/29 17:05:02 schwarze Exp $
+.\"     $OpenBSD: RC4.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RC4 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm RC4
 .Nd RC4 encryption
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rc4.h
 .Ft void
 .Fo RC4_set_key
diff --git a/src/lib/libcrypto/man/RIPEMD160.3 b/src/lib/libcrypto/man/RIPEMD160.3
index 43c6694036..e22f4ed841 100644
--- a/src/lib/libcrypto/man/RIPEMD160.3
+++ b/src/lib/libcrypto/man/RIPEMD160.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RIPEMD160.3,v 1.8 2024/05/26 09:54:16 tb Exp $
+.\" $OpenBSD: RIPEMD160.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 72a7a702 Feb 26 14:05:09 2019 +0000
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 26 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RIPEMD160 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm RIPEMD160_Final
 .Nd RIPEMD-160 hash function
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ripemd.h
 .Ft unsigned char *
 .Fo RIPEMD160
diff --git a/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3 b/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3
index f69f33dbe5..6532028a57 100644
--- a/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3
+++ b/src/lib/libcrypto/man/RSA_PSS_PARAMS_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_PSS_PARAMS_new.3,v 1.4 2019/06/06 01:06:59 schwarze Exp $
+.\"     $OpenBSD: RSA_PSS_PARAMS_new.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_PSS_PARAMS_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm RSA_PSS_PARAMS_free
 .Nd probabilistic signature scheme with RSA hashing
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft RSA_PSS_PARAMS *
 .Fn RSA_PSS_PARAMS_new void
diff --git a/src/lib/libcrypto/man/RSA_blinding_on.3 b/src/lib/libcrypto/man/RSA_blinding_on.3
index bd2a301377..0dfebf3739 100644
--- a/src/lib/libcrypto/man/RSA_blinding_on.3
+++ b/src/lib/libcrypto/man/RSA_blinding_on.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_blinding_on.3,v 1.7 2023/07/26 20:08:59 tb Exp $
+.\"     $OpenBSD: RSA_blinding_on.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 26 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_BLINDING_ON 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm RSA_blinding_off
 .Nd protect the RSA operation from timing attacks
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_blinding_on
diff --git a/src/lib/libcrypto/man/RSA_check_key.3 b/src/lib/libcrypto/man/RSA_check_key.3
index 36b613b3a5..b6c9bc20a1 100644
--- a/src/lib/libcrypto/man/RSA_check_key.3
+++ b/src/lib/libcrypto/man/RSA_check_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_check_key.3,v 1.10 2023/11/19 21:06:15 tb Exp $
+.\"     $OpenBSD: RSA_check_key.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 6859cf74 Sep 25 13:33:28 2002 +0000
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_CHECK_KEY 3
 .Os
 .Sh NAME
 .Nm RSA_check_key
 .Nd validate private RSA keys
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_check_key
diff --git a/src/lib/libcrypto/man/RSA_generate_key.3 b/src/lib/libcrypto/man/RSA_generate_key.3
index 83703b1eaa..a72168def9 100644
--- a/src/lib/libcrypto/man/RSA_generate_key.3
+++ b/src/lib/libcrypto/man/RSA_generate_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_generate_key.3,v 1.13 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: RSA_generate_key.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL RSA_generate_key.pod bb6c5e7f Feb 5 10:29:22 2017 -0500
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_GENERATE_KEY 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm RSA_generate_key
 .Nd generate RSA key pair
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_generate_key_ex
diff --git a/src/lib/libcrypto/man/RSA_get0_key.3 b/src/lib/libcrypto/man/RSA_get0_key.3
index f09fb00d2b..cf82b21ce2 100644
--- a/src/lib/libcrypto/man/RSA_get0_key.3
+++ b/src/lib/libcrypto/man/RSA_get0_key.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_get0_key.3,v 1.8 2025/01/05 15:40:42 tb Exp $
+.\" $OpenBSD: RSA_get0_key.3,v 1.10 2025/06/13 18:34:00 schwarze Exp $
 .\" selective merge up to: OpenSSL 665d899f Aug 2 02:19:43 2017 +0800
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 5 2025 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt RSA_GET0_KEY 3
 .Os
 .Sh NAME
@@ -88,6 +88,7 @@
 .Nm RSA_set_flags
 .Nd get and set data in an RSA object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft void
 .Fo RSA_get0_key
@@ -96,15 +97,15 @@
 .Fa "const BIGNUM **e"
 .Fa "const BIGNUM **d"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_n
 .Fa "const RSA *r"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_e
 .Fa "const RSA *r"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_d
 .Fa "const RSA *r"
 .Fc
@@ -121,11 +122,11 @@
 .Fa "const BIGNUM **p"
 .Fa "const BIGNUM **q"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_p
 .Fa "const RSA *r"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_q
 .Fa "const RSA *r"
 .Fc
@@ -142,15 +143,15 @@
 .Fa "const BIGNUM **dmq1"
 .Fa "const BIGNUM **iqmp"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_dmp1
 .Fa "const RSA *r"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_dmq1
 .Fa "const RSA *r"
 .Fc
-.Ft "const BIGNUM *"
+.Ft const BIGNUM *
 .Fo RSA_get0_iqmp
 .Fa "const RSA *r"
 .Fc
diff --git a/src/lib/libcrypto/man/RSA_get_ex_new_index.3 b/src/lib/libcrypto/man/RSA_get_ex_new_index.3
index 5f1fb4335f..1b7096faa1 100644
--- a/src/lib/libcrypto/man/RSA_get_ex_new_index.3
+++ b/src/lib/libcrypto/man/RSA_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_get_ex_new_index.3,v 1.13 2023/11/19 21:08:04 tb Exp $
+.\" $OpenBSD: RSA_get_ex_new_index.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm RSA_get_ex_data
 .Nd add application specific data to RSA objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_get_ex_new_index
diff --git a/src/lib/libcrypto/man/RSA_meth_new.3 b/src/lib/libcrypto/man/RSA_meth_new.3
index a3a5c549e5..9626f1139f 100644
--- a/src/lib/libcrypto/man/RSA_meth_new.3
+++ b/src/lib/libcrypto/man/RSA_meth_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_meth_new.3,v 1.6 2025/01/05 15:40:42 tb Exp $
+.\" $OpenBSD: RSA_meth_new.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL a970b14f Jul 31 18:58:40 2017 -0400
 .\" selective merge up to: OpenSSL 24907560 Sep 17 07:47:42 2018 +1000
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 5 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_METH_NEW 3
 .Os
 .Sh NAME
@@ -103,6 +103,7 @@
 .Nm RSA_meth_set_keygen
 .Nd build up RSA methods
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft RSA_METHOD *
 .Fo RSA_meth_new
diff --git a/src/lib/libcrypto/man/RSA_new.3 b/src/lib/libcrypto/man/RSA_new.3
index f5c7929e77..9c69ce27b1 100644
--- a/src/lib/libcrypto/man/RSA_new.3
+++ b/src/lib/libcrypto/man/RSA_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_new.3,v 1.18 2023/11/19 21:03:22 tb Exp $
+.\" $OpenBSD: RSA_new.3,v 1.19 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL doc/man3/RSA_new.pod e9b77246 Jan 20 19:58:49 2017 +0100
 .\" OpenSSL doc/crypto/rsa.pod 35d2e327 Jun 3 16:19:49 2016 -0400 (final)
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_NEW 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm RSA_free
 .Nd allocate and free RSA objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft RSA *
 .Fn RSA_new void
diff --git a/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 b/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
index e7c3a2a624..d8a142f3f9 100644
--- a/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
+++ b/src/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_padding_add_PKCS1_type_1.3,v 1.8 2018/03/21 16:09:51 schwarze Exp $
+.\"     $OpenBSD: RSA_padding_add_PKCS1_type_1.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 1e3f62a3 Jul 17 16:47:13 2017 +0200
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_PADDING_ADD_PKCS1_TYPE_1 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm RSA_padding_check_none
 .Nd asymmetric encryption padding
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_padding_add_PKCS1_type_1
diff --git a/src/lib/libcrypto/man/RSA_pkey_ctx_ctrl.3 b/src/lib/libcrypto/man/RSA_pkey_ctx_ctrl.3
index 3d4e79cc47..ca805e5191 100644
--- a/src/lib/libcrypto/man/RSA_pkey_ctx_ctrl.3
+++ b/src/lib/libcrypto/man/RSA_pkey_ctx_ctrl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_pkey_ctx_ctrl.3,v 1.8 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: RSA_pkey_ctx_ctrl.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/EVP_PKEY_CTX_ctrl.pod 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" OpenSSL man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.pod
@@ -55,7 +55,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_PKEY_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen
 .Nd RSA private key control operations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_pkey_ctx_ctrl
diff --git a/src/lib/libcrypto/man/RSA_print.3 b/src/lib/libcrypto/man/RSA_print.3
index 767241ce1c..3f5d927b79 100644
--- a/src/lib/libcrypto/man/RSA_print.3
+++ b/src/lib/libcrypto/man/RSA_print.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_print.3,v 1.9 2019/06/06 01:06:59 schwarze Exp $
+.\"     $OpenBSD: RSA_print.3,v 1.10 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_PRINT 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm DHparams_print_fp
 .Nd print cryptographic parameters
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_print
diff --git a/src/lib/libcrypto/man/RSA_private_encrypt.3 b/src/lib/libcrypto/man/RSA_private_encrypt.3
index 2bf6c57dba..43e94b1fd2 100644
--- a/src/lib/libcrypto/man/RSA_private_encrypt.3
+++ b/src/lib/libcrypto/man/RSA_private_encrypt.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_private_encrypt.3,v 1.10 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: RSA_private_encrypt.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL RSA_private_encrypt.pod b41f6b64 Mar 10 15:49:04 2017 +0000
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_PRIVATE_ENCRYPT 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm RSA_public_decrypt
 .Nd low level signature operations
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_private_encrypt
diff --git a/src/lib/libcrypto/man/RSA_public_encrypt.3 b/src/lib/libcrypto/man/RSA_public_encrypt.3
index be3afdf402..f40118846a 100644
--- a/src/lib/libcrypto/man/RSA_public_encrypt.3
+++ b/src/lib/libcrypto/man/RSA_public_encrypt.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_public_encrypt.3,v 1.13 2023/09/10 16:04:15 schwarze Exp $
+.\"     $OpenBSD: RSA_public_encrypt.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL RSA_public_encrypt.pod 1e3f62a3 Jul 17 16:47:13 2017 +0200
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 10 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_PUBLIC_ENCRYPT 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm EVP_PKEY_decrypt_old
 .Nd RSA public key cryptography
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_public_encrypt
diff --git a/src/lib/libcrypto/man/RSA_security_bits.3 b/src/lib/libcrypto/man/RSA_security_bits.3
index f7024a7956..0766ce61b1 100644
--- a/src/lib/libcrypto/man/RSA_security_bits.3
+++ b/src/lib/libcrypto/man/RSA_security_bits.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_security_bits.3,v 1.1 2022/07/13 17:32:16 schwarze Exp $
+.\" $OpenBSD: RSA_security_bits.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_SECURITY_BITS 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm BN_security_bits
 .Nd get security strength
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fn RSA_security_bits "const RSA *rsa"
diff --git a/src/lib/libcrypto/man/RSA_set_method.3 b/src/lib/libcrypto/man/RSA_set_method.3
index ffe22c116f..127dc62c60 100644
--- a/src/lib/libcrypto/man/RSA_set_method.3
+++ b/src/lib/libcrypto/man/RSA_set_method.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_set_method.3,v 1.18 2023/11/19 10:34:26 tb Exp $
+.\"     $OpenBSD: RSA_set_method.3,v 1.19 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_SET_METHOD 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm RSA_new_method
 .Nd select RSA method
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft void
 .Fo RSA_set_default_method
diff --git a/src/lib/libcrypto/man/RSA_sign.3 b/src/lib/libcrypto/man/RSA_sign.3
index 65e9dc99b8..d2a4512302 100644
--- a/src/lib/libcrypto/man/RSA_sign.3
+++ b/src/lib/libcrypto/man/RSA_sign.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_sign.3,v 1.8 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: RSA_sign.3,v 1.10 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL aa90ca11 Aug 20 15:48:56 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_SIGN 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm RSA_verify
 .Nd RSA signatures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_sign
@@ -106,7 +107,7 @@ If
 .Fa type
 is
 .Sy NID_md5_sha1 ,
-an SSL signature (MD5 and SHA1 message digests with PKCS #1 padding and
+an SSL signature (MD5 and SHA-1 message digests with PKCS #1 padding and
 no algorithm identifier) is created.
 .Pp
 .Fn RSA_verify
diff --git a/src/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 b/src/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
index 34aef42c48..bd11a0607a 100644
--- a/src/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
+++ b/src/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: RSA_sign_ASN1_OCTET_STRING.3,v 1.7 2019/06/10 14:58:48 schwarze Exp $
+.\"     $OpenBSD: RSA_sign_ASN1_OCTET_STRING.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 10 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_SIGN_ASN1_OCTET_STRING 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm RSA_verify_ASN1_OCTET_STRING
 .Nd RSA signatures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_sign_ASN1_OCTET_STRING
diff --git a/src/lib/libcrypto/man/RSA_size.3 b/src/lib/libcrypto/man/RSA_size.3
index 8a552b4e67..9988903d55 100644
--- a/src/lib/libcrypto/man/RSA_size.3
+++ b/src/lib/libcrypto/man/RSA_size.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: RSA_size.3,v 1.10 2022/07/13 21:51:35 schwarze Exp $
+.\" $OpenBSD: RSA_size.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt RSA_SIZE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm RSA_bits
 .Nd get the RSA modulus size
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft int
 .Fo RSA_size
diff --git a/src/lib/libcrypto/man/SHA1.3 b/src/lib/libcrypto/man/SHA1.3
index 4ccb08157c..74fd388cd8 100644
--- a/src/lib/libcrypto/man/SHA1.3
+++ b/src/lib/libcrypto/man/SHA1.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SHA1.3,v 1.9 2024/06/01 12:35:23 tb Exp $
+.\"     $OpenBSD: SHA1.3,v 1.10 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 1 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SHA1 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm SHA512_Final
 .Nd Secure Hash Algorithm
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/sha.h
 .Ft unsigned char *
 .Fo SHA1
diff --git a/src/lib/libcrypto/man/SMIME_crlf_copy.3 b/src/lib/libcrypto/man/SMIME_crlf_copy.3
index 3b46138473..0991d207a1 100644
--- a/src/lib/libcrypto/man/SMIME_crlf_copy.3
+++ b/src/lib/libcrypto/man/SMIME_crlf_copy.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SMIME_crlf_copy.3,v 1.3 2023/05/01 07:28:11 tb Exp $
+.\" $OpenBSD: SMIME_crlf_copy.3,v 1.5 2025/06/11 13:48:54 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,15 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 1 2023 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt SMIME_CRLF_COPY 3
 .Os
 .Sh NAME
 .Nm SMIME_crlf_copy
 .Nd buffered copy between BIOs
 .Sh SYNOPSIS
+.Lb libcrypto
+.In openssl/asn1.h
 .Ft int
 .Fo SMIME_crlf_copy
 .Fa "BIO *in_bio"
@@ -79,7 +81,8 @@ is intended to return 1 on success or 0 on failure.
 .Xr BIO_push 3 ,
 .Xr BIO_read 3 ,
 .Xr SMIME_text 3 ,
-.Xr SMIME_write_ASN1 3
+.Xr SMIME_write_CMS 3 ,
+.Xr SMIME_write_PKCS7 3
 .Sh HISTORY
 .Fn SMIME_crlf_copy
 first appeared in OpenSSL 1.0.0 and has been available since
diff --git a/src/lib/libcrypto/man/SMIME_read_ASN1.3 b/src/lib/libcrypto/man/SMIME_read_ASN1.3
deleted file mode 100644
index 320064567c..0000000000
--- a/src/lib/libcrypto/man/SMIME_read_ASN1.3
+++ /dev/null
@@ -1,124 +0,0 @@
-.\" $OpenBSD: SMIME_read_ASN1.3,v 1.2 2021/12/14 15:22:49 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL SMIME_read_PKCS7.pod 83cf7abf May 29 13:07:08 2018 +0100
-.\" OpenSSL SMIME_read_CMS.pod b97fdb57 Nov 11 09:33:09 2016 +0100
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 2002, 2006, 2008 The OpenSSL Project.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: December 14 2021 $
-.Dt SMIME_READ_ASN1 3
-.Os
-.Sh NAME
-.Nm SMIME_read_ASN1
-.Nd generic S/MIME message parser
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft ASN1_VALUE *
-.Fo SMIME_read_ASN1
-.Fa "BIO *in_bio"
-.Fa "BIO **out_bio"
-.Fa "const ASN1_ITEM *it"
-.Fc
-.Sh DESCRIPTION
-.Fn SMIME_read_ASN1
-reads a message in S/MIME format from
-.Fa in_bio .
-.Pp
-If the message uses cleartext signing, the content is saved in a memory
-.Vt BIO
-which is written to
-.Pf * Fa out_bio .
-Otherwise,
-.Pf * Fa out_bio
-is set to
-.Dv NULL .
-.Pp
-To support future functionality, if
-.Fa out_bio
-is not
-.Dv NULL ,
-.Pf * Fa out_bio
-should be initialized to
-.Dv NULL
-before calling
-.Fn SMIME_read_ASN1 .
-.Sh RETURN VALUES
-.Fn SMIME_read_ASN1
-returns a newly allocated object of type
-.Fa it
-or
-.Dv NULL
-if an error occurred.
-The error can be obtained from
-.Xr ERR_get_error 3 .
-.Sh SEE ALSO
-.Xr ASN1_item_d2i_bio 3 ,
-.Xr BIO_f_base64 3 ,
-.Xr BIO_new 3 ,
-.Xr SMIME_read_CMS 3 ,
-.Xr SMIME_read_PKCS7 3 ,
-.Xr SMIME_text 3
-.Sh HISTORY
-.Fn SMIME_read_ASN1
-first appeared in OpenSSL 0.9.8h and has been available since
-.Ox 4.5 .
-.Sh BUGS
-The MIME parser used by
-.Fn SMIME_read_ASN1
-is somewhat primitive.
-While it will handle most S/MIME messages, more complex compound
-formats may not work.
-.Pp
-The parser assumes that the
-structure is always base64 encoded, and it will not handle the case
-where it is in binary format or uses quoted printable format.
-.Pp
-The use of a memory
-to hold the signed content limits the size of the message which can
-be processed due to memory restraints: a streaming single pass
-option should be available.
diff --git a/src/lib/libcrypto/man/SMIME_read_CMS.3 b/src/lib/libcrypto/man/SMIME_read_CMS.3
index e1b1d07499..d37769e5ea 100644
--- a/src/lib/libcrypto/man/SMIME_read_CMS.3
+++ b/src/lib/libcrypto/man/SMIME_read_CMS.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SMIME_read_CMS.3,v 1.7 2021/12/14 14:30:50 schwarze Exp $
+.\" $OpenBSD: SMIME_read_CMS.3,v 1.9 2025/06/11 13:41:03 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2021 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt SMIME_READ_CMS 3
 .Os
 .Sh NAME
 .Nm SMIME_read_CMS
 .Nd extract CMS ContentInfo from an S/MIME message
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ContentInfo *
 .Fo SMIME_read_CMS
@@ -103,12 +104,15 @@ if an error occurred.
 The error can be obtained from
 .Xr ERR_get_error 3 .
 .Sh SEE ALSO
+.Xr BIO_f_base64 3 ,
+.Xr BIO_new 3 ,
 .Xr CMS_ContentInfo_new 3 ,
 .Xr CMS_decrypt 3 ,
 .Xr CMS_get0_type 3 ,
 .Xr CMS_verify 3 ,
 .Xr d2i_CMS_ContentInfo 3 ,
-.Xr SMIME_read_ASN1 3 ,
+.Xr SMIME_read_PKCS7 3 ,
+.Xr SMIME_text 3 ,
 .Xr SMIME_write_CMS 3
 .Sh HISTORY
 .Fn SMIME_read_CMS
diff --git a/src/lib/libcrypto/man/SMIME_read_PKCS7.3 b/src/lib/libcrypto/man/SMIME_read_PKCS7.3
index dbe2765b8b..095115c0dc 100644
--- a/src/lib/libcrypto/man/SMIME_read_PKCS7.3
+++ b/src/lib/libcrypto/man/SMIME_read_PKCS7.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SMIME_read_PKCS7.3,v 1.8 2021/12/14 14:30:50 schwarze Exp $
+.\" $OpenBSD: SMIME_read_PKCS7.3,v 1.10 2025/06/11 13:41:03 schwarze Exp $
 .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2021 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt SMIME_READ_PKCS7 3
 .Os
 .Sh NAME
 .Nm SMIME_read_PKCS7
 .Nd extract a PKCS#7 object from an S/MIME message
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft PKCS7 *
 .Fo SMIME_read_PKCS7
@@ -124,8 +125,11 @@ if an error occurred.
 The error can be obtained from
 .Xr ERR_get_error 3 .
 .Sh SEE ALSO
+.Xr BIO_f_base64 3 ,
+.Xr BIO_new 3 ,
 .Xr PKCS7_new 3 ,
-.Xr SMIME_read_ASN1 3 ,
+.Xr SMIME_read_CMS 3 ,
+.Xr SMIME_text 3 ,
 .Xr SMIME_write_PKCS7 3
 .Sh HISTORY
 .Fn SMIME_read_PKCS7
diff --git a/src/lib/libcrypto/man/SMIME_text.3 b/src/lib/libcrypto/man/SMIME_text.3
index a4c9689925..719b3d921f 100644
--- a/src/lib/libcrypto/man/SMIME_text.3
+++ b/src/lib/libcrypto/man/SMIME_text.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SMIME_text.3,v 1.1 2021/12/14 15:22:49 schwarze Exp $
+.\" $OpenBSD: SMIME_text.3,v 1.3 2025/06/11 13:48:54 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 14 2021 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt SMIME_TEXT 3
 .Os
 .Sh NAME
 .Nm SMIME_text
 .Nd remove text/plain MIME headers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo SMIME_text
@@ -47,7 +48,10 @@ header, or if the content type is not
 .Dq text/plain .
 .Sh SEE ALSO
 .Xr SMIME_crlf_copy 3 ,
-.Xr SMIME_read_ASN1 3
+.Xr SMIME_read_CMS 3 ,
+.Xr SMIME_read_PKCS7 3 ,
+.Xr SMIME_write_CMS 3 ,
+.Xr SMIME_write_PKCS7 3
 .Sh HISTORY
 .Fn SMIME_text
 first appeared in OpenSSL 1.0.0 and has been available since
diff --git a/src/lib/libcrypto/man/SMIME_write_ASN1.3 b/src/lib/libcrypto/man/SMIME_write_ASN1.3
deleted file mode 100644
index a02fa58570..0000000000
--- a/src/lib/libcrypto/man/SMIME_write_ASN1.3
+++ /dev/null
@@ -1,163 +0,0 @@
-.\" $OpenBSD: SMIME_write_ASN1.3,v 1.2 2023/05/01 07:28:11 tb Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: May 1 2023 $
-.Dt SMIME_WRITE_ASN1 3
-.Os
-.Sh NAME
-.Nm SMIME_write_ASN1
-.Nd generate an S/MIME message
-.Sh SYNOPSIS
-.In openssl/asn1.h
-.Ft int
-.Fo SMIME_write_ASN1
-.Fa "BIO *out_bio"
-.Fa "ASN1_VALUE *val_in"
-.Fa "BIO *in_bio"
-.Fa "int flags"
-.Fa "int ctype_nid"
-.Fa "int econt_nid"
-.Fa "STACK_OF(X509_ALGOR) *micalg"
-.Fa "const ASN1_ITEM *it"
-.Fc
-.Sh DESCRIPTION
-.Fn SMIME_write_ASN1
-generates an S/MIME message on
-.Fa out_bio
-by writing MIME 1.0 headers
-followed by a BER- and base64-encoded serialization of
-.Fa val_in ,
-which can be of the type
-.Vt CMS_ContentInfo
-or
-.Vt PKCS7
-and has to match the
-.Fa it
-argument.
-.Pp
-The
-.Fa flags
-can be the logical OR of zero or more of the following bits:
-.Bl -tag -width Ds
-.It Dv PKCS7_REUSE_DIGEST
-Skip the calls to
-.Xr PKCS7_dataInit 3
-and
-.Xr PKCS7_dataFinal 3 .
-This flag has no effect unless
-.Dv SMIME_DETACHED
-is also set.
-It is normally used if
-.Fa out_bio
-is already set up to calculate and finalize the digest when written through.
-.It Dv SMIME_BINARY
-If specified, this flag is passed through to
-.Xr SMIME_crlf_copy 3 .
-.It Dv SMIME_CRLFEOL
-End MIME header lines with pairs of carriage return and newline characters.
-By default, no carriage return characters are written
-and header lines are ended with newline characters only.
-.It Dv SMIME_DETACHED
-Use cleartext signing.
-Generate a
-.Qq multipart/signed
-S/MIME message using the
-.Fa micalg
-argument and ignoring the
-.Fa ctype_nid
-and
-.Fa econt_nid
-arguments.
-The content is read from
-.Fa in_bio .
-If
-.Fa in_bio
-is a
-.Dv NULL
-pointer, this flag is ignored.
-.Pp
-If this flag is ignored or not specified,
-the smime-type is chosen according to
-.Fa ctype_nid
-instead:
-.Bl -tag -width Ds
-.It Dv NID_pkcs7_enveloped
-.Qq enveloped-data
-.It Dv NID_pkcs7_signed
-.Qq signed-receipt
-if
-.Fa econt_nid
-is
-.Dv NID_id_smime_ct_receipt
-.br
-.Qq signed-data
-if
-.Fa micalg
-is not empty
-.br
-.Qq certs-only
-if
-.Fa micalg
-is empty
-.It Dv NID_id_smime_ct_compressedData
-.Qq compressed-data
-.El
-.It Dv SMIME_OLDMIME
-In Content-Type headers, use
-.Qq application/x-pkcs7-mime
-or
-.Qq application/x-pkcs7-signature .
-By default,
-.Qq application/pkcs7-mime
-or
-.Qq application/pkcs7-signature
-are used instead.
-.It Dv SMIME_STREAM
-Perform streaming by reading the content from
-.Fa in_bio .
-This only works if
-.Dv SMIME_DETACHED
-is not specified.
-.It SMIME_TEXT
-Prepend the line
-.Qq Content-Type: text/plain
-to the content.
-This only makes sense if
-.Dv SMIME_DETACHED
-is also set.
-It is ignored if the flag
-.Dv SMIME_BINARY
-is also set.
-.El
-.Sh RETURN VALUES
-.Fn SMIME_write_ASN1
-is intended to return 1 on success or 0 on failure.
-.Sh SEE ALSO
-.Xr ASN1_item_i2d_bio 3 ,
-.Xr BIO_f_base64 3 ,
-.Xr BIO_new 3 ,
-.Xr SMIME_crlf_copy 3 ,
-.Xr SMIME_write_CMS 3 ,
-.Xr SMIME_write_PKCS7 3 ,
-.Xr X509_ALGOR_new 3
-.Sh HISTORY
-.Fn SMIME_write_ASN1
-first appeared in OpenSSL 1.0.0 and has been available since
-.Ox 4.9 .
-.Sh BUGS
-.Fn SMIME_write_ASN1
-ignores most errors and is likely to return 1
-even after producing corrupt or incomplete output.
diff --git a/src/lib/libcrypto/man/SMIME_write_CMS.3 b/src/lib/libcrypto/man/SMIME_write_CMS.3
index c2c6b77e53..5f4c43bb7c 100644
--- a/src/lib/libcrypto/man/SMIME_write_CMS.3
+++ b/src/lib/libcrypto/man/SMIME_write_CMS.3
@@ -1,7 +1,24 @@
-.\" $OpenBSD: SMIME_write_CMS.3,v 1.6 2021/12/13 17:24:39 schwarze Exp $
+.\" $OpenBSD: SMIME_write_CMS.3,v 1.9 2025/06/11 23:16:32 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" This file is a derived work.
+.\" The changes are covered by the following Copyright and license:
+.\"
+.\" Copyright (c) 2021, 2025 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" The original file was written by Dr. Stephen Henson <steve@openssl.org>.
 .\" Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -48,13 +65,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 13 2021 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt SMIME_WRITE_CMS 3
 .Os
 .Sh NAME
 .Nm SMIME_write_CMS
 .Nd convert CMS structure to S/MIME format
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo SMIME_write_CMS
@@ -65,21 +83,35 @@
 .Fc
 .Sh DESCRIPTION
 .Fn SMIME_write_CMS
-adds the appropriate MIME headers to the
+generates an S/MIME message on
-.Fa cms
+.Fa out
-structure to produce an S/MIME message and writes it to
+by writing MIME 1.0 headers
-.Fa out .
+followed by a BER- and base64-encoded serialization of
+.Fa cms .
+The BER encoding uses the DER format except as described for
+.Dv CMS_STREAM
+below.
 If streaming is enabled, the content must be supplied in the
 .Fa data
 argument.
 .Pp
-The following
+The
 .Fa flags
-can be passed:
+can be the logical OR of zero or more of the following bits:
 .Bl -tag -width Ds
 .It Dv CMS_DETACHED
-Use cleartext signing.
+Use cleartext signing and generate a
-This option only makes sense if
+.Qq multipart/signed
+S/MIME message.
+The content is read from
+.Fa data .
+If
+.Fa data
+is a
+.Dv NULL
+pointer, this flag is ignored.
+.Pp
+This flag is only supported if
 .Fa cms
 is of the type
 .Vt SignedData
@@ -94,13 +126,46 @@ is not set, the data must be read twice:
 once to compute the signature in
 .Xr CMS_sign 3
 and once to output the S/MIME message.
-.It Dv CMS_TEXT
+.Pp
-Add MIME headers for type text/plain to the content.
+If
-This only makes sense if
+.Dv CMS_DETACHED
+is ignored or not specified, the smime-type is chosen according to
+.Xr CMS_get0_type 3 :
+.Bl -tag -width Ds
+.It Dv NID_pkcs7_enveloped
+.Qq enveloped-data
+.It Dv NID_pkcs7_signed
+.Bl -tag -width Msigned-receiptM -compact
+.It Qq signed-receipt
+if
+.Xr CMS_get0_eContentType 3
+is
+.Dv NID_id_smime_ct_receipt
+.It Qq signed-data
+if
+.Fa cms
+specifies any digest algorithm
+.It Qq certs-only
+otherwise
+.El
+.It Dv NID_id_smime_ct_compressedData
+.Qq compressed-data
+.El
+.It Dv CMS_REUSE_DIGEST
+Skip the calls to
+.Xr CMS_dataInit 3
+and
+.Xr CMS_dataFinal 3 .
+This flag has no effect unless
 .Dv CMS_DETACHED
 is also set.
 .It Dv CMS_STREAM
-Perform streaming.
+Perform streaming by reading the content from
+.Fa data .
+This only works if
+.Dv CMS_DETACHED
+is not specified.
+.Pp
 This flag should only be set if
 .Dv CMS_STREAM
 was also passed to the function that created
@@ -111,17 +176,38 @@ constructed encoding except in the case of
 .Vt SignedData
 with detached content where the content is absent and DER format is
 used.
+.It Dv CMS_TEXT
+Prepend the line
+.Qq Content-Type: text/plain
+to the content.
+This only makes sense if
+.Dv CMS_DETACHED
+is also set.
+It is ignored if the flag
+.Dv SMIME_BINARY
+is also set.
+.It Dv SMIME_BINARY
+If specified, this flag is passed through to
+.Xr SMIME_crlf_copy 3 .
+.It Dv SMIME_CRLFEOL
+End MIME header lines with pairs of carriage return and newline characters.
+By default, no carriage return characters are written
+and header lines are ended with newline characters only.
 .El
 .Sh RETURN VALUES
 .Fn SMIME_write_CMS
-returns 1 for success or 0 for failure.
+is intended to return 1 on success or 0 on failure.
 .Sh SEE ALSO
+.Xr BIO_f_base64 3 ,
+.Xr BIO_new 3 ,
 .Xr CMS_ContentInfo_new 3 ,
 .Xr CMS_encrypt 3 ,
 .Xr CMS_sign 3 ,
 .Xr d2i_CMS_ContentInfo 3 ,
 .Xr ERR_get_error 3 ,
-.Xr SMIME_write_ASN1 3
+.Xr SMIME_crlf_copy 3 ,
+.Xr SMIME_read_CMS 3 ,
+.Xr SMIME_write_PKCS7 3
 .Sh HISTORY
 .Fn SMIME_write_CMS
 first appeared in OpenSSL 0.9.8h
@@ -129,5 +215,9 @@ and has been available since
 .Ox 6.7 .
 .Sh BUGS
 .Fn SMIME_write_CMS
+ignores most errors and is likely to return 1
+even after producing corrupt or incomplete output.
+.Pp
+.Fn SMIME_write_CMS
 always base64 encodes CMS structures.
 There should be an option to disable this.
diff --git a/src/lib/libcrypto/man/SMIME_write_PKCS7.3 b/src/lib/libcrypto/man/SMIME_write_PKCS7.3
index c1a9f051d0..5e344d9c63 100644
--- a/src/lib/libcrypto/man/SMIME_write_PKCS7.3
+++ b/src/lib/libcrypto/man/SMIME_write_PKCS7.3
@@ -1,10 +1,10 @@
-.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.9 2021/12/14 15:46:48 schwarze Exp $
+.\" $OpenBSD: SMIME_write_PKCS7.3,v 1.12 2025/06/11 23:16:32 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
 .\" The changes are covered by the following Copyright and license:
 .\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+.\" Copyright (c) 2021, 2025 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -66,13 +66,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 14 2021 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt SMIME_WRITE_PKCS7 3
 .Os
 .Sh NAME
 .Nm SMIME_write_PKCS7
 .Nd convert PKCS#7 structure to S/MIME format
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo SMIME_write_PKCS7
@@ -83,48 +84,81 @@
 .Fc
 .Sh DESCRIPTION
 .Fn SMIME_write_PKCS7
-adds the appropriate MIME headers to a PKCS#7 structure to produce an
+generates an S/MIME message on
-S/MIME message.
-.Pp
 .Fa out
-is the
+by writing MIME 1.0 headers
-.Vt BIO
+followed by a BER- and base64-encoded serialization of
-to write the data to.
+.Fa p7 .
-.Fa p7
+The BER encoding uses the DER format except as described for
-is the appropriate
+.Dv PKCS7_STREAM
-.Vt PKCS7
+below.
-structure.
 If streaming is enabled, then the content must be supplied in the
 .Fa data
 argument.
-.Fa flags
-is an optional set of flags.
 .Pp
-The following flags can be passed in the
+The
 .Fa flags
-parameter.
+can be the logical OR of zero or more of the following bits:
-.Pp
+.Bl -tag -width Ds
+.It Dv PKCS7_DETACHED
+Use cleartext signing and generate a
+.Qq multipart/signed
+S/MIME message.
+The content is read from
+.Fa data .
 If
-.Dv PKCS7_DETACHED
+.Fa data
-is set, then cleartext signing will be used.
+is a
-This option only makes sense for signedData where
+.Dv NULL
+pointer, this flag is ignored.
+.Pp
+This flag is only supported for signedData where
 .Dv PKCS7_DETACHED
 is also set when
 .Xr PKCS7_sign 3
-is also called.
+is called.
 .Pp
-If the
+If
-.Dv PKCS7_TEXT
+.Dv PKCS7_STREAM
-flag is set, MIME headers for type
+is not set, the data must be read twice: once to compute the
-.Sy text/plain
+signature in
-are added to the content.
+.Xr PKCS7_sign 3
-This only makes sense if
+and once to output the S/MIME message.
+.Pp
+If
+.Dv PKCS7_DETACHED
+is ignored or not specified, the smime-type is chosen according to the type of
+.Fa p7 :
+.Bl -tag -width Ds
+.It Dv NID_pkcs7_enveloped
+.Qq enveloped-data
+.It Dv NID_pkcs7_signed
+.Bl -tag -width Msigned-dataM -compact
+.It Qq signed-data
+if
+.Fa p7
+specifies any digest algorithm
+.It Qq certs-only
+otherwise
+.El
+.It Dv NID_id_smime_ct_compressedData
+.Qq compressed-data
+.El
+.It Dv PKCS7_REUSE_DIGEST
+Skip the calls to
+.Xr PKCS7_dataInit 3
+and
+.Xr PKCS7_dataFinal 3 .
+This flag has no effect unless
 .Dv PKCS7_DETACHED
 is also set.
+.It Dv PKCS7_STREAM
+Perform streaming by reading the content from
+.Fa data .
+This only works if
+.Dv PKCS7_DETACHED
+is not specified.
 .Pp
-If the
-.Dv PKCS7_STREAM
-flag is set, streaming is performed.
 This flag should only be set if
 .Dv PKCS7_STREAM
 was also set in the previous call to
@@ -132,13 +166,28 @@ was also set in the previous call to
 or
 .Xr PKCS7_encrypt 3 .
 .Pp
-The bit
+The content is output in BER format using indefinite length constructed
-.Dv SMIME_OLDMIME
+encoding except in the case of signed data with detached content
-is inverted before passing on the
+where the content is absent and DER format is used.
-.Fa flags
+.It Dv PKCS7_TEXT
-to
+Prepend the line
-.Xr SMIME_write_ASN1 3 .
+.Qq Content-Type: text/plain
-Consequently, if this bit is set in the
+to the content.
+This only makes sense if
+.Dv PKCS7_DETACHED
+is also set.
+It is ignored if the flag
+.Dv SMIME_BINARY
+is also set.
+.It Dv SMIME_BINARY
+If specified, this flag is passed through to
+.Xr SMIME_crlf_copy 3 .
+.It Dv SMIME_CRLFEOL
+End MIME header lines with pairs of carriage return and newline characters.
+By default, no carriage return characters are written
+and header lines are ended with newline characters only.
+.It Dv SMIME_OLDMIME
+If this bit is set in the
 .Fa flags
 argument,
 .Qq application/pkcs7-mime
@@ -150,35 +199,30 @@ Otherwise,
 or
 .Qq application/x-pkcs7-signature
 is used.
-.Pp
+.El
-If cleartext signing is being used and
-.Dv PKCS7_STREAM
-is not set, then the data must be read twice: once to compute the
-signature in
-.Xr PKCS7_sign 3
-and once to output the S/MIME message.
-.Pp
-If streaming is performed, the content is output in BER format using
-indefinite length constructed encoding except in the case of signed
-data with detached content where the content is absent and DER
-format is used.
 .Sh RETURN VALUES
-Upon successful completion, 1 is returned;
+.Fn SMIME_write_PKCS7
-otherwise 0 is returned and an error code can be retrieved with
+is intended to return 1 on success or 0 on failure.
-.Xr ERR_get_error 3 .
 .Sh SEE ALSO
+.Xr BIO_f_base64 3 ,
+.Xr BIO_new 3 ,
 .Xr i2d_PKCS7_bio_stream 3 ,
 .Xr PEM_write_bio_PKCS7_stream 3 ,
 .Xr PEM_write_PKCS7 3 ,
 .Xr PKCS7_final 3 ,
 .Xr PKCS7_new 3 ,
+.Xr SMIME_crlf_copy 3 ,
 .Xr SMIME_read_PKCS7 3 ,
-.Xr SMIME_write_ASN1 3
+.Xr SMIME_write_CMS 3
 .Sh HISTORY
 .Fn SMIME_write_PKCS7
 first appeared in OpenSSL 0.9.5 and has been available since
 .Ox 2.7 .
 .Sh BUGS
 .Fn SMIME_write_PKCS7
+ignores most errors and is likely to return 1
+even after producing corrupt or incomplete output.
+.Pp
+.Fn SMIME_write_PKCS7
 always base64 encodes PKCS#7 structures.
 There should be an option to disable this.
diff --git a/src/lib/libcrypto/man/STACK_OF.3 b/src/lib/libcrypto/man/STACK_OF.3
index 4c627eed9b..38bca99cf6 100644
--- a/src/lib/libcrypto/man/STACK_OF.3
+++ b/src/lib/libcrypto/man/STACK_OF.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: STACK_OF.3,v 1.5 2021/10/24 13:10:46 schwarze Exp $
+.\" $OpenBSD: STACK_OF.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 24 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt STACK_OF 3
 .Os
 .Sh NAME
 .Nm STACK_OF
 .Nd variable-sized arrays of pointers, called OpenSSL stacks
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/safestack.h
 .Fn STACK_OF type
 .Sh DESCRIPTION
diff --git a/src/lib/libcrypto/man/TS_REQ_new.3 b/src/lib/libcrypto/man/TS_REQ_new.3
index 8dbd15ea7e..796b58f4f8 100644
--- a/src/lib/libcrypto/man/TS_REQ_new.3
+++ b/src/lib/libcrypto/man/TS_REQ_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: TS_REQ_new.3,v 1.6 2019/06/06 01:06:59 schwarze Exp $
+.\"     $OpenBSD: TS_REQ_new.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt TS_REQ_NEW 3
 .Os
 .Sh NAME
@@ -32,6 +32,7 @@
 .Nm TS_MSG_IMPRINT_free
 .Nd X.509 time-stamp protocol
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ts.h
 .Ft TS_REQ *
 .Fn TS_REQ_new void
diff --git a/src/lib/libcrypto/man/UI_create_method.3 b/src/lib/libcrypto/man/UI_create_method.3
index ffd6b98157..a116baaa79 100644
--- a/src/lib/libcrypto/man/UI_create_method.3
+++ b/src/lib/libcrypto/man/UI_create_method.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: UI_create_method.3,v 1.6 2023/05/22 19:38:04 tb Exp $
+.\"     $OpenBSD: UI_create_method.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL UI_create_method.pod 8e3d46e5 Mar 11 10:51:04 2017 +0100
 .\"
 .\" This file was written by Richard Levitte <levitte@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 22 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt UI_CREATE_METHOD 3
 .Os
 .Sh NAME
@@ -68,6 +68,7 @@
 .Nm UI_method_get_prompt_constructor
 .Nd user interface method creation and destruction
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ui.h
 .Ft UI_METHOD *
 .Fo UI_create_method
diff --git a/src/lib/libcrypto/man/UI_get_string_type.3 b/src/lib/libcrypto/man/UI_get_string_type.3
index bc0449a90e..84c774d94d 100644
--- a/src/lib/libcrypto/man/UI_get_string_type.3
+++ b/src/lib/libcrypto/man/UI_get_string_type.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: UI_get_string_type.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $
+.\"     $OpenBSD: UI_get_string_type.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL UI_STRING.pod e9c9971b Jul 1 18:28:50 2017 +0200
 .\"
 .\" This file was written by Richard Levitte <levitte@openssl.org>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 22 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt UI_GET_STRING_TYPE 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm UI_set_result
 .Nd OpenSSL user interface string parsing
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ui.h
 .Bd -literal
 enum UI_string_types {
diff --git a/src/lib/libcrypto/man/UI_new.3 b/src/lib/libcrypto/man/UI_new.3
index e55477f31e..853219aac2 100644
--- a/src/lib/libcrypto/man/UI_new.3
+++ b/src/lib/libcrypto/man/UI_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: UI_new.3,v 1.13 2025/03/09 15:25:14 tb Exp $
+.\" $OpenBSD: UI_new.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 78b19e90 Jan 11 00:12:01 2017 +0100
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 9 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt UI_NEW 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm UI_null
 .Nd New User Interface
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ui.h
 .Ft UI *
 .Fn UI_new void
diff --git a/src/lib/libcrypto/man/X25519.3 b/src/lib/libcrypto/man/X25519.3
index a327f8c7b2..3686df9bfa 100644
--- a/src/lib/libcrypto/man/X25519.3
+++ b/src/lib/libcrypto/man/X25519.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X25519.3,v 1.7 2022/12/15 17:20:48 schwarze Exp $
+.\" $OpenBSD: X25519.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\" contains some text from: BoringSSL curve25519.h, curve25519.c
 .\" content also checked up to: OpenSSL f929439f Mar 15 12:19:16 2018 +0000
 .\"
@@ -24,7 +24,7 @@
 .\" by Daniel J. Bernstein and others that are included in SUPERCOP
 .\" and that Adam Langley's BoringSSL implementation is based on.
 .\"
-.Dd $Mdocdate: December 15 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X25519 3
 .Os
 .Sh NAME
@@ -35,6 +35,7 @@
 .Nm ED25519_verify
 .Nd Elliptic Curve Diffie-Hellman and signature primitives based on Curve25519
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/curve25519.h
 .Ft int
 .Fo X25519
diff --git a/src/lib/libcrypto/man/X509V3_EXT_get_nid.3 b/src/lib/libcrypto/man/X509V3_EXT_get_nid.3
index ad153c36d0..78975874aa 100644
--- a/src/lib/libcrypto/man/X509V3_EXT_get_nid.3
+++ b/src/lib/libcrypto/man/X509V3_EXT_get_nid.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_EXT_get_nid.3,v 1.8 2024/12/24 09:48:56 schwarze Exp $
+.\" $OpenBSD: X509V3_EXT_get_nid.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_EXT_GET_NID 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509V3_EXT_get
 .Nd retrieve X.509v3 certificate extension methods
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft const X509V3_EXT_METHOD *
 .Fo X509V3_EXT_get_nid
diff --git a/src/lib/libcrypto/man/X509V3_EXT_print.3 b/src/lib/libcrypto/man/X509V3_EXT_print.3
index edb97d3a36..8705e4d5ac 100644
--- a/src/lib/libcrypto/man/X509V3_EXT_print.3
+++ b/src/lib/libcrypto/man/X509V3_EXT_print.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_EXT_print.3,v 1.3 2024/12/28 10:19:45 schwarze Exp $
+.\" $OpenBSD: X509V3_EXT_print.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021, 2024 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 28 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_EXT_PRINT 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509V3_EXT_print_fp
 .Nd pretty-print an X.509 extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509V3_EXT_print
diff --git a/src/lib/libcrypto/man/X509V3_extensions_print.3 b/src/lib/libcrypto/man/X509V3_extensions_print.3
index 8c43fe9b01..d95a4da01e 100644
--- a/src/lib/libcrypto/man/X509V3_extensions_print.3
+++ b/src/lib/libcrypto/man/X509V3_extensions_print.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_extensions_print.3,v 1.2 2021/11/26 13:48:21 jsg Exp $
+.\" $OpenBSD: X509V3_extensions_print.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_EXTENSIONS_PRINT 3
 .Os
 .Sh NAME
 .Nm X509V3_extensions_print
 .Nd pretty-print an array of X.509 extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509V3_extensions_print
diff --git a/src/lib/libcrypto/man/X509V3_get_d2i.3 b/src/lib/libcrypto/man/X509V3_get_d2i.3
index bf442dc846..7920fca09f 100644
--- a/src/lib/libcrypto/man/X509V3_get_d2i.3
+++ b/src/lib/libcrypto/man/X509V3_get_d2i.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_get_d2i.3,v 1.25 2024/12/31 20:17:00 tb Exp $
+.\" $OpenBSD: X509V3_get_d2i.3,v 1.26 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL ff7fbfd5 Nov 2 11:52:01 2015 +0000
 .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 31 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_GET_D2I 3
 .Os
 .Sh NAME
@@ -87,6 +87,7 @@
 .Nm X509_get0_uids
 .Nd X509 extension decode and encode functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft void *
 .Fo X509V3_get_d2i
diff --git a/src/lib/libcrypto/man/X509V3_parse_list.3 b/src/lib/libcrypto/man/X509V3_parse_list.3
index 447f1a5e94..385f8ad9c8 100644
--- a/src/lib/libcrypto/man/X509V3_parse_list.3
+++ b/src/lib/libcrypto/man/X509V3_parse_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509V3_parse_list.3,v 1.2 2024/12/24 09:48:56 schwarze Exp $
+.\" $OpenBSD: X509V3_parse_list.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_PARSE_LIST 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509V3_conf_free
 .Nd create and destroy CONF_VALUE objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft STACK_OF(CONF_VALUE) *
 .Fn X509V3_parse_list "const char *string"
diff --git a/src/lib/libcrypto/man/X509_ALGOR_dup.3 b/src/lib/libcrypto/man/X509_ALGOR_dup.3
index ef7ca75863..bc9ba4b77d 100644
--- a/src/lib/libcrypto/man/X509_ALGOR_dup.3
+++ b/src/lib/libcrypto/man/X509_ALGOR_dup.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_ALGOR_dup.3,v 1.23 2024/03/19 17:34:05 tb Exp $
+.\"     $OpenBSD: X509_ALGOR_dup.3,v 1.24 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 4692340e Jun 7 15:49:08 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 19 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_ALGOR_DUP 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm X509_ALGOR_cmp
 .Nd create, change, and inspect algorithm identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_ALGOR *
 .Fn X509_ALGOR_new void
diff --git a/src/lib/libcrypto/man/X509_ATTRIBUTE_get0_object.3 b/src/lib/libcrypto/man/X509_ATTRIBUTE_get0_object.3
index 4212e27d7e..b452fcbea2 100644
--- a/src/lib/libcrypto/man/X509_ATTRIBUTE_get0_object.3
+++ b/src/lib/libcrypto/man/X509_ATTRIBUTE_get0_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_ATTRIBUTE_get0_object.3,v 1.2 2021/10/21 16:26:34 schwarze Exp $
+.\" $OpenBSD: X509_ATTRIBUTE_get0_object.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 21 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_ATTRIBUTE_GET0_OBJECT 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .\" The type is called "Attribute" with capital "A", not "attribute".
 .Nd X.501 Attribute read accessors
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft ASN1_OBJECT *
 .Fo X509_ATTRIBUTE_get0_object
diff --git a/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3 b/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3
index cc2b27d4c0..63a5c58169 100644
--- a/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3
+++ b/src/lib/libcrypto/man/X509_ATTRIBUTE_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_ATTRIBUTE_new.3,v 1.18 2024/09/02 07:57:27 tb Exp $
+.\" $OpenBSD: X509_ATTRIBUTE_new.3,v 1.19 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_ATTRIBUTE_NEW 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .\" The type is called "Attribute" with capital "A", not "attribute".
 .Nd generic X.501 Attribute
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_ATTRIBUTE *
 .Fn X509_ATTRIBUTE_new void
diff --git a/src/lib/libcrypto/man/X509_ATTRIBUTE_set1_object.3 b/src/lib/libcrypto/man/X509_ATTRIBUTE_set1_object.3
index 3555d4b169..d26e7de473 100644
--- a/src/lib/libcrypto/man/X509_ATTRIBUTE_set1_object.3
+++ b/src/lib/libcrypto/man/X509_ATTRIBUTE_set1_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_ATTRIBUTE_set1_object.3,v 1.3 2021/11/26 13:48:21 jsg Exp $
+.\" $OpenBSD: X509_ATTRIBUTE_set1_object.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_ATTRIBUTE_SET1_OBJECT 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .\" The type is called "Attribute" with capital "A", not "attribute".
 .Nd modify an X.501 Attribute
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_ATTRIBUTE_set1_object
diff --git a/src/lib/libcrypto/man/X509_CINF_new.3 b/src/lib/libcrypto/man/X509_CINF_new.3
index 6c09c58545..62399c07f7 100644
--- a/src/lib/libcrypto/man/X509_CINF_new.3
+++ b/src/lib/libcrypto/man/X509_CINF_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_CINF_new.3,v 1.11 2024/09/02 08:04:32 tb Exp $
+.\"     $OpenBSD: X509_CINF_new.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CINF_NEW 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm X509_CERT_AUX_free
 .Nd X.509 certificate information objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_CINF *
 .Fn X509_CINF_new void
diff --git a/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3 b/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3
index f5edee6085..5a7d57c3f5 100644
--- a/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3
+++ b/src/lib/libcrypto/man/X509_CRL_get0_by_serial.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_CRL_get0_by_serial.3,v 1.13 2024/03/06 02:34:14 tb Exp $
+.\" $OpenBSD: X509_CRL_get0_by_serial.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL cdd6c8c5 Mar 20 12:29:37 2017 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CRL_GET0_BY_SERIAL 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm X509_CRL_sort
 .Nd add, sort, and retrieve CRL entries
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_CRL_get0_by_serial
diff --git a/src/lib/libcrypto/man/X509_CRL_new.3 b/src/lib/libcrypto/man/X509_CRL_new.3
index f9355fcfd3..36a6439269 100644
--- a/src/lib/libcrypto/man/X509_CRL_new.3
+++ b/src/lib/libcrypto/man/X509_CRL_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_CRL_new.3,v 1.14 2024/03/06 02:34:14 tb Exp $
+.\" $OpenBSD: X509_CRL_new.3,v 1.15 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016, 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CRL_NEW 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm X509_CRL_INFO_free
 .Nd X.509 certificate revocation lists
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_CRL *
 .Fn X509_CRL_new void
diff --git a/src/lib/libcrypto/man/X509_CRL_print.3 b/src/lib/libcrypto/man/X509_CRL_print.3
index 2f4832f0e7..1f1d278968 100644
--- a/src/lib/libcrypto/man/X509_CRL_print.3
+++ b/src/lib/libcrypto/man/X509_CRL_print.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_CRL_print.3,v 1.1 2021/07/19 13:16:43 schwarze Exp $
+.\" $OpenBSD: X509_CRL_print.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 19 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CRL_PRINT 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509_CRL_print_fp
 .Nd pretty-print a certificate revocation list
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_CRL_print
diff --git a/src/lib/libcrypto/man/X509_EXTENSION_set_object.3 b/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
index 45cf0dbaa5..f1356c350b 100644
--- a/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
+++ b/src/lib/libcrypto/man/X509_EXTENSION_set_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.19 2024/12/28 11:04:09 schwarze Exp $
+.\" $OpenBSD: X509_EXTENSION_set_object.3,v 1.20 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 28 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_EXTENSION_SET_OBJECT 3
 .Os
 .Sh NAME
@@ -85,6 +85,7 @@
 .\" The ASN.1 structure is called "Extension", not "extension".
 .Nd create, change, and inspect X.509 Extension objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_EXTENSION *
 .Fn X509_EXTENSION_new void
diff --git a/src/lib/libcrypto/man/X509_INFO_new.3 b/src/lib/libcrypto/man/X509_INFO_new.3
index 1e9bb832f3..38bf6fe55c 100644
--- a/src/lib/libcrypto/man/X509_INFO_new.3
+++ b/src/lib/libcrypto/man/X509_INFO_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_INFO_new.3,v 1.3 2021/10/19 10:39:33 schwarze Exp $
+.\" $OpenBSD: X509_INFO_new.3,v 1.5 2025/07/16 17:59:10 schwarze Exp $
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 19 2021 $
+.Dd $Mdocdate: July 16 2025 $
 .Dt X509_INFO_NEW 3
 .Os
 .Sh NAME
@@ -21,6 +21,7 @@
 .Nm X509_INFO_free
 .Nd X.509 certificate wrapper object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_INFO *
 .Fn X509_INFO_new void
@@ -60,10 +61,9 @@ object or
 .Dv NULL
 if an error occurs.
 .Sh SEE ALSO
-.Xr PEM_X509_INFO_read 3 ,
+.Xr PEM_X509_INFO_read_bio 3 ,
 .Xr X509_CRL_new 3 ,
-.Xr X509_new 3 ,
+.Xr X509_new 3
-.Xr X509_PKEY_new 3
 .Sh HISTORY
 .Fn X509_INFO_new
 and
diff --git a/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3 b/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3
index 5980f8f80d..74e3aaed3c 100644
--- a/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3
+++ b/src/lib/libcrypto/man/X509_LOOKUP_hash_dir.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_LOOKUP_hash_dir.3,v 1.13 2024/09/02 07:20:21 tb Exp $
+.\" $OpenBSD: X509_LOOKUP_hash_dir.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_LOOKUP_HASH_DIR 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm X509_LOOKUP_mem
 .Nd certificate lookup methods
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft const X509_LOOKUP_METHOD *
 .Fn X509_LOOKUP_hash_dir void
diff --git a/src/lib/libcrypto/man/X509_LOOKUP_new.3 b/src/lib/libcrypto/man/X509_LOOKUP_new.3
index 559dbbb594..5fa9f99d7c 100644
--- a/src/lib/libcrypto/man/X509_LOOKUP_new.3
+++ b/src/lib/libcrypto/man/X509_LOOKUP_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_LOOKUP_new.3,v 1.12 2024/09/06 07:48:20 tb Exp $
+.\" $OpenBSD: X509_LOOKUP_new.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_LOOKUP_NEW 3
 .Os
 .Sh NAME
@@ -32,6 +32,7 @@
 .\" and because it doesn't do much in the first place.
 .Nd certificate lookup object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft void
 .Fn X509_LOOKUP_free "X509_LOOKUP *lookup"
diff --git a/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 b/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
index 2eadec7b4d..4cf40c78be 100644
--- a/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
+++ b/src/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_NAME_ENTRY_get_object.3,v 1.16 2021/12/10 16:58:20 schwarze Exp $
+.\" $OpenBSD: X509_NAME_ENTRY_get_object.3,v 1.18 2025/12/21 09:36:35 tb Exp $
 .\" full merge up to: OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
 .\" selective merge up to: OpenSSL ca34e08d Dec 12 07:38:07 2018 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 10 2021 $
+.Dd $Mdocdate: December 21 2025 $
 .Dt X509_NAME_ENTRY_GET_OBJECT 3
 .Os
 .Sh NAME
@@ -85,6 +85,7 @@
 .\" This object defined in X.501, not in X.509.
 .Nd X.501 relative distinguished name
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_NAME_ENTRY *
 .Fn X509_NAME_ENTRY_new void
@@ -252,14 +253,6 @@ argument and using the
 .Fa nid
 corresponding to
 .Fa ne .
-Otherwise, if the
-.Fa type
-argument is
-.Dv V_ASN1_APP_CHOOSE ,
-the type of
-.Fa ne
-is set to the return value of
-.Xr ASN1_PRINTABLE_type 3 .
 .Pp
 .Fn X509_NAME_ENTRY_create_by_txt ,
 .Fn X509_NAME_ENTRY_create_by_NID ,
diff --git a/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 b/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
index 3c1237d20e..e2b78150b9 100644
--- a/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
+++ b/src/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_NAME_add_entry_by_txt.3,v 1.16 2022/03/31 17:27:17 naddy Exp $
+.\"     $OpenBSD: X509_NAME_add_entry_by_txt.3,v 1.18 2025/12/21 09:36:35 tb Exp $
 .\"     OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: December 21 2025 $
 .Dt X509_NAME_ADD_ENTRY_BY_TXT 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm X509_NAME_delete_entry
 .Nd X509_NAME modification functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_NAME_add_entry_by_txt
@@ -271,13 +272,3 @@ and
 .Fn X509_NAME_add_entry_by_NID
 first appeared in OpenSSL 0.9.5 and have been available since
 .Ox 2.7 .
-.Sh BUGS
-.Fa type
-can still be set to
-.Dv V_ASN1_APP_CHOOSE
-to use
-.Xr ASN1_PRINTABLE_type 3
-to determine field types.
-Since this form does not understand multicharacter types, performs
-no length checks, and can result in invalid field types, its use
-is strongly discouraged.
diff --git a/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 b/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
index a2ceb10eb5..57dd488181 100644
--- a/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
+++ b/src/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_NAME_get_index_by_NID.3,v 1.16 2023/05/29 11:54:50 beck Exp $
+.\"     $OpenBSD: X509_NAME_get_index_by_NID.3,v 1.17 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 29 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_NAME_GET_INDEX_BY_NID 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm X509_NAME_get_text_by_OBJ
 .Nd X509_NAME lookup and enumeration functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_NAME_get_index_by_NID
diff --git a/src/lib/libcrypto/man/X509_NAME_hash.3 b/src/lib/libcrypto/man/X509_NAME_hash.3
index 8766109525..2e03f41ed2 100644
--- a/src/lib/libcrypto/man/X509_NAME_hash.3
+++ b/src/lib/libcrypto/man/X509_NAME_hash.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_NAME_hash.3,v 1.3 2021/07/31 14:54:33 schwarze Exp $
+.\" $OpenBSD: X509_NAME_hash.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2017, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 31 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_NAME_HASH 3
 .Os
 .Sh NAME
@@ -31,6 +31,7 @@
 .\" The type is called "Name" with capital "N", not "name".
 .Nd calculate SHA-1 or MD5 hashes of X.501 Name objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft unsigned long
 .Fn X509_NAME_hash "X509_NAME *name"
@@ -86,7 +87,7 @@ rather than an ASCII rendering in SSLeay 0.9.0 and have all been
 available since
 .Ox 2.4 .
 .Pp
-They were switched to using SHA1 instead of MD5 in OpenSSL 1.0.0 and in
+They were switched to using SHA-1 instead of MD5 in OpenSSL 1.0.0 and in
 .Ox 4.9 .
 .Pp
 .Fn X509_NAME_hash_old ,
diff --git a/src/lib/libcrypto/man/X509_NAME_new.3 b/src/lib/libcrypto/man/X509_NAME_new.3
index 3a4786a9ae..279df816fe 100644
--- a/src/lib/libcrypto/man/X509_NAME_new.3
+++ b/src/lib/libcrypto/man/X509_NAME_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_NAME_new.3,v 1.9 2021/07/20 17:31:32 schwarze Exp $
+.\" $OpenBSD: X509_NAME_new.3,v 1.10 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 20 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_NAME_NEW 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .\" The type in called "Name" with capital "N", not "name".
 .Nd X.501 Name object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_NAME *
 .Fn X509_NAME_new void
diff --git a/src/lib/libcrypto/man/X509_NAME_print_ex.3 b/src/lib/libcrypto/man/X509_NAME_print_ex.3
index fc06a717cc..845428b3fb 100644
--- a/src/lib/libcrypto/man/X509_NAME_print_ex.3
+++ b/src/lib/libcrypto/man/X509_NAME_print_ex.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_NAME_print_ex.3,v 1.17 2025/03/09 16:45:31 tb Exp $
+.\" $OpenBSD: X509_NAME_print_ex.3,v 1.18 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 9 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_NAME_PRINT_EX 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm X509_NAME_oneline
 .Nd X509_NAME printing routines
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_NAME_print_ex
diff --git a/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3 b/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3
index 56b3926a8b..1b0de39265 100644
--- a/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3
+++ b/src/lib/libcrypto/man/X509_OBJECT_get0_X509.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_OBJECT_get0_X509.3,v 1.16 2025/03/08 17:02:59 tb Exp $
+.\" $OpenBSD: X509_OBJECT_get0_X509.3,v 1.17 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 8 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_OBJECT_GET0_X509 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Nm X509_OBJECT_retrieve_match
 .Nd certificate, CRL, private key, and string wrapper for certificate stores
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft X509_LOOKUP_TYPE
 .Fo X509_OBJECT_get_type
diff --git a/src/lib/libcrypto/man/X509_PKEY_new.3 b/src/lib/libcrypto/man/X509_PKEY_new.3
deleted file mode 100644
index 253b0f6db5..0000000000
--- a/src/lib/libcrypto/man/X509_PKEY_new.3
+++ /dev/null
@@ -1,92 +0,0 @@
-.\" $OpenBSD: X509_PKEY_new.3,v 1.1 2021/10/19 10:39:33 schwarze Exp $
-.\"
-.\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\"
-.Dd $Mdocdate: October 19 2021 $
-.Dt X509_PKEY_NEW 3
-.Os
-.Sh NAME
-.Nm X509_PKEY_new ,
-.Nm X509_PKEY_free
-.Nd X.509 private key wrapper object
-.Sh SYNOPSIS
-.In openssl/x509.h
-.Ft X509_PKEY *
-.Fn X509_PKEY_new void
-.Ft void
-.Fn X509_PKEY_free "X509_PKEY *wrapper"
-.Sh DESCRIPTION
-.Vt X509_PKEY
-is a reference-counted wrapper object that can store
-.Bl -bullet -width 1n
-.It
-a pointer to an encrypted and ASN.1-encoded private key
-.It
-a pointer to an
-.Vt EVP_PKEY
-object representing the same key in decrypted form
-.It
-a pointer to an
-.Vt X509_ALGOR
-object identifying the algorithm used by the key
-.El
-.Pp
-The object may contain only the encrypted key or only the decrypted
-key or both.
-.Pp
-.Vt X509_PKEY
-is used as a sub-object of the
-.Vt X509_INFO
-object created by
-.Xr PEM_X509_INFO_read_bio 3
-if the PEM file contains any RSA, DSA, or EC PRIVATE KEY object.
-.Pp
-.Fn X509_PKEY_new
-allocates and initializes an empty
-.Vt X509_PKEY
-object and sets its reference count to 1.
-.Pp
-.Fn X509_PKEY_free
-decrements the reference count of the
-.Fa wrapper
-object by 1.
-If the reference count reaches 0,
-it frees all internal objects allocated by the
-.Fa wrapper
-as well as the storage needed for the
-.Fa wrapper
-object itself.
-If
-.Fa wrapper
-is a
-.Dv NULL
-pointer, no action occurs.
-.Sh RETURN VALUES
-.Fn X509_PKEY_new
-returns a pointer to the new
-.Vt X509_PKEY
-object or
-.Dv NULL
-if memory allocation fails.
-.Sh SEE ALSO
-.Xr EVP_PKEY_new 3 ,
-.Xr PEM_X509_INFO_read 3 ,
-.Xr X509_INFO_new 3
-.Sh HISTORY
-.Fn X509_PKEY_new
-and
-.Fn X509_PKEY_free
-first appeared in SSLeay 0.6.0 and have been available since
-.Ox 2.4 .
diff --git a/src/lib/libcrypto/man/X509_PUBKEY_new.3 b/src/lib/libcrypto/man/X509_PUBKEY_new.3
index df1c50bda2..1ef1afbc34 100644
--- a/src/lib/libcrypto/man/X509_PUBKEY_new.3
+++ b/src/lib/libcrypto/man/X509_PUBKEY_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_PUBKEY_new.3,v 1.18 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: X509_PUBKEY_new.3,v 1.19 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_PUBKEY_NEW 3
 .Os
 .Sh NAME
@@ -86,6 +86,7 @@
 .Nm X509_PUBKEY_get0_param
 .Nd X.509 SubjectPublicKeyInfo structure
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_PUBKEY *
 .Fn X509_PUBKEY_new void
diff --git a/src/lib/libcrypto/man/X509_PURPOSE_set.3 b/src/lib/libcrypto/man/X509_PURPOSE_set.3
index 1f723e9b9f..cb955f392c 100644
--- a/src/lib/libcrypto/man/X509_PURPOSE_set.3
+++ b/src/lib/libcrypto/man/X509_PURPOSE_set.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_PURPOSE_set.3,v 1.1 2021/07/23 14:27:32 schwarze Exp $
+.\" $OpenBSD: X509_PURPOSE_set.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 23 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_PURPOSE_SET 3
 .Os
 .Sh NAME
@@ -31,6 +31,7 @@
 .Nm X509_PURPOSE_get_trust
 .Nd purpose objects, indices, and identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509_PURPOSE_set
diff --git a/src/lib/libcrypto/man/X509_REQ_add1_attr.3 b/src/lib/libcrypto/man/X509_REQ_add1_attr.3
index f9b602dbef..6beb024039 100644
--- a/src/lib/libcrypto/man/X509_REQ_add1_attr.3
+++ b/src/lib/libcrypto/man/X509_REQ_add1_attr.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_REQ_add1_attr.3,v 1.4 2024/09/02 07:56:28 tb Exp $
+.\" $OpenBSD: X509_REQ_add1_attr.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_REQ_ADD1_ATTR 3
 .Os
 .Sh NAME
@@ -29,6 +29,7 @@
 .Nm X509_REQ_get_attr_by_NID
 .Nd X.501 Attributes of PKCS#10 certification requests
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_REQ_add1_attr
diff --git a/src/lib/libcrypto/man/X509_REQ_add_extensions.3 b/src/lib/libcrypto/man/X509_REQ_add_extensions.3
index ff33edf474..804e787947 100644
--- a/src/lib/libcrypto/man/X509_REQ_add_extensions.3
+++ b/src/lib/libcrypto/man/X509_REQ_add_extensions.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_REQ_add_extensions.3,v 1.2 2024/08/18 11:04:55 tb Exp $
+.\" $OpenBSD: X509_REQ_add_extensions.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 18 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_REQ_ADD_EXTENSIONS 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm X509_REQ_extension_nid
 .Nd extensions in certification requests
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_REQ_add_extensions
diff --git a/src/lib/libcrypto/man/X509_REQ_new.3 b/src/lib/libcrypto/man/X509_REQ_new.3
index 0a5828d5d4..a62f2c3acb 100644
--- a/src/lib/libcrypto/man/X509_REQ_new.3
+++ b/src/lib/libcrypto/man/X509_REQ_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_REQ_new.3,v 1.11 2021/10/29 09:42:07 schwarze Exp $
+.\" $OpenBSD: X509_REQ_new.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 29 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_REQ_NEW 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm X509_REQ_INFO_free
 .Nd PKCS#10 certification requests
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_REQ *
 .Fn X509_REQ_new void
diff --git a/src/lib/libcrypto/man/X509_REQ_print_ex.3 b/src/lib/libcrypto/man/X509_REQ_print_ex.3
index eee06abb21..8d87396b14 100644
--- a/src/lib/libcrypto/man/X509_REQ_print_ex.3
+++ b/src/lib/libcrypto/man/X509_REQ_print_ex.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_REQ_print_ex.3,v 1.3 2025/03/09 14:02:46 tb Exp $
+.\" $OpenBSD: X509_REQ_print_ex.3,v 1.4 2025/06/08 22:30:52 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 9 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_REQ_PRINT_EX 3
 .Os
 .Sh NAME
@@ -23,6 +23,8 @@
 .Nm X509_REQ_print_fp
 .Nd pretty-print a PKCS#10 certification request
 .Sh SYNOPSIS
+.Lb libcrypto
+.In openssl/x509.h
 .Ft int
 .Fo X509_REQ_print_ex
 .Fa "BIO *bio"
diff --git a/src/lib/libcrypto/man/X509_REVOKED_new.3 b/src/lib/libcrypto/man/X509_REVOKED_new.3
index c1a50d1c9a..6dffcfd03e 100644
--- a/src/lib/libcrypto/man/X509_REVOKED_new.3
+++ b/src/lib/libcrypto/man/X509_REVOKED_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_REVOKED_new.3,v 1.12 2021/07/19 13:16:43 schwarze Exp $
+.\" $OpenBSD: X509_REVOKED_new.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/X509_CRL_get0_by_serial cdd6c8c5 Mar 20 12:29:37 2017 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 19 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_REVOKED_NEW 3
 .Os
 .Sh NAME
@@ -79,6 +79,7 @@
 .Nm X509_REVOKED_set_revocationDate
 .Nd create, change, and inspect an X.509 CRL revoked entry
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_REVOKED *
 .Fn X509_REVOKED_new void
diff --git a/src/lib/libcrypto/man/X509_SIG_get0.3 b/src/lib/libcrypto/man/X509_SIG_get0.3
index 456261ca3f..339fcc0cf5 100644
--- a/src/lib/libcrypto/man/X509_SIG_get0.3
+++ b/src/lib/libcrypto/man/X509_SIG_get0.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_SIG_get0.3,v 1.1 2021/10/23 15:39:06 tb Exp $
+.\" $OpenBSD: X509_SIG_get0.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 23 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_SIG_GET0 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm X509_SIG_getm
 .Nd DigestInfo functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft void
 .Fo X509_SIG_get0
diff --git a/src/lib/libcrypto/man/X509_SIG_new.3 b/src/lib/libcrypto/man/X509_SIG_new.3
index 8e6b29dea5..8fafc00c98 100644
--- a/src/lib/libcrypto/man/X509_SIG_new.3
+++ b/src/lib/libcrypto/man/X509_SIG_new.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_SIG_new.3,v 1.5 2021/10/27 11:24:47 schwarze Exp $
+.\"     $OpenBSD: X509_SIG_new.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 27 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_SIG_NEW 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509_SIG_free
 .Nd PKCS#7 digest information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_SIG *
 .Fn X509_SIG_new void
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3 b/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
index 1f221563cb..5eb2bfe8cb 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.28 2023/06/06 16:20:13 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.29 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/X509_STORE_CTX_get_error 24a535ea Sep 22 13:14:20 2020 +0100
 .\" OpenSSL man3/X509_STORE_CTX_new 24a535ea Sep 22 13:14:20 2020 +0100
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 6 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_CTX_GET_ERROR 3
 .Os
 .Sh NAME
@@ -89,6 +89,7 @@
 .Nm X509_verify_cert_error_string
 .Nd get or set certificate verification status information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft int
 .Fo X509_STORE_CTX_get_error
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 b/src/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
index bfec65a123..1c34efa947 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_STORE_CTX_get_ex_new_index.3,v 1.6 2021/07/29 08:32:13 schwarze Exp $
+.\"     $OpenBSD: X509_STORE_CTX_get_ex_new_index.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 29 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_CTX_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm X509_STORE_CTX_get_app_data
 .Nd add application specific data to X509_STORE_CTX structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft int
 .Fo X509_STORE_CTX_get_ex_new_index
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_new.3 b/src/lib/libcrypto/man/X509_STORE_CTX_new.3
index 96af7a8afb..4c0f8c5857 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_new.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.27 2022/11/16 14:55:40 schwarze Exp $
+.\" $OpenBSD: X509_STORE_CTX_new.3,v 1.28 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_CTX_NEW 3
 .Os
 .Sh NAME
@@ -89,6 +89,7 @@
 .\" X509_STORE_CTX_set_verify moved to X509_STORE_CTX_set_verify(3)
 .Nd X509_STORE_CTX initialisation
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft X509_STORE_CTX *
 .Fn X509_STORE_CTX_new void
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
index 04bb202bac..028d4da810 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.8 2024/08/29 20:21:10 tb Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_flags.3,v 1.9 2025/06/08 22:37:23 schwarze Exp $
 .\" full merge up to: OpenSSL aae41f8c Jun 25 09:47:15 2015 +0100
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 29 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_CTX_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -76,13 +76,12 @@
 .Nm X509_STORE_CTX_set_depth ,
 .Nm X509_STORE_CTX_set_trust ,
 .Nm X509_STORE_CTX_set_purpose ,
-.\" .Nm X509_STORE_CTX_purpose_inherit is intentionally undocumented
-.\" because it will be removed in the next major bump.
 .Nm X509_STORE_CTX_get0_param ,
 .Nm X509_STORE_CTX_set0_param ,
 .Nm X509_STORE_CTX_set_default
 .Nd X509_STORE_CTX parameter initialisation
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft void
 .Fo X509_STORE_CTX_set_flags
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
index 8c27deea5d..4a319ed8bb 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.8 2024/06/07 05:51:39 tb Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_verify.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021, 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\" Copyright (c) 2023 Job Snijders <job@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 7 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_CTX_SET_VERIFY 3
 .Os
 .Sh NAME
@@ -31,6 +31,7 @@
 .Nm X509_STORE_CTX_get_check_issued
 .Nd user-defined certificate chain verification function
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft typedef int
 .Fo (*X509_STORE_CTX_verify_fn)
diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
index 0fe086b721..29f1e79b62 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_set_verify_cb.3,v 1.12 2023/05/30 07:37:34 op Exp $
+.\" $OpenBSD: X509_STORE_CTX_set_verify_cb.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL aebb9aac Jul 19 09:27:53 2016 -0400
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_CTX_SET_VERIFY_CB 3
 .Os
 .Sh NAME
@@ -75,6 +75,7 @@
 .Nm X509_STORE_CTX_get_verify_cb
 .Nd set and retrieve verification callback
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft typedef int
 .Fo (*X509_STORE_CTX_verify_cb)
diff --git a/src/lib/libcrypto/man/X509_STORE_get_by_subject.3 b/src/lib/libcrypto/man/X509_STORE_get_by_subject.3
index 0f6fbd8410..a8379ad5cb 100644
--- a/src/lib/libcrypto/man/X509_STORE_get_by_subject.3
+++ b/src/lib/libcrypto/man/X509_STORE_get_by_subject.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_get_by_subject.3,v 1.6 2024/05/12 05:08:59 tb Exp $
+.\" $OpenBSD: X509_STORE_get_by_subject.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021, 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 12 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_GET_BY_SUBJECT 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Nm X509_STORE_get1_crls
 .Nd retrieve objects from a certificate store
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft int
 .Fo X509_STORE_CTX_get_by_subject
diff --git a/src/lib/libcrypto/man/X509_STORE_load_locations.3 b/src/lib/libcrypto/man/X509_STORE_load_locations.3
index a8177b0fd4..d876ef831a 100644
--- a/src/lib/libcrypto/man/X509_STORE_load_locations.3
+++ b/src/lib/libcrypto/man/X509_STORE_load_locations.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_load_locations.3,v 1.12 2024/09/02 07:20:21 tb Exp $
+.\" $OpenBSD: X509_STORE_load_locations.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL X509_STORE_add_cert b0edda11 Mar 20 13:00:17 2018 +0000
 .\"
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_LOAD_LOCATIONS 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm X509_STORE_add_lookup
 .Nd configure files and directories used by a certificate store
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft int
 .Fo X509_STORE_load_locations
diff --git a/src/lib/libcrypto/man/X509_STORE_new.3 b/src/lib/libcrypto/man/X509_STORE_new.3
index a17da03a41..e1d146da43 100644
--- a/src/lib/libcrypto/man/X509_STORE_new.3
+++ b/src/lib/libcrypto/man/X509_STORE_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_new.3,v 1.7 2021/11/17 16:08:32 schwarze Exp $
+.\" $OpenBSD: X509_STORE_new.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 17 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_NEW 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm X509_STORE_free
 .Nd allocate and free X.509 certificate stores
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft X509_STORE *
 .Fn X509_STORE_new void
diff --git a/src/lib/libcrypto/man/X509_STORE_set1_param.3 b/src/lib/libcrypto/man/X509_STORE_set1_param.3
index 527fe652e5..d96a33a8fa 100644
--- a/src/lib/libcrypto/man/X509_STORE_set1_param.3
+++ b/src/lib/libcrypto/man/X509_STORE_set1_param.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_set1_param.3,v 1.22 2024/03/14 22:19:12 tb Exp $
+.\" $OpenBSD: X509_STORE_set1_param.3,v 1.23 2025/06/08 22:40:30 schwarze Exp $
 .\" content checked up to:
 .\" OpenSSL man3/X509_STORE_add_cert b0edda11 Mar 20 13:00:17 2018 +0000
 .\" OpenSSL man3/X509_STORE_get0_param e90fc053 Jul 15 09:39:45 2017 -0400
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 14 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_SET1_PARAM 3
 .Os
 .Sh NAME
@@ -36,6 +36,7 @@
 .Nm X509_STORE_get_ex_data
 .Nd get and set X509_STORE data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft int
 .Fo X509_STORE_set1_param
diff --git a/src/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 b/src/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
index bdd5ea5044..a09e6741a2 100644
--- a/src/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
+++ b/src/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_set_verify_cb_func.3,v 1.12 2022/11/16 14:51:08 schwarze Exp $
+.\" $OpenBSD: X509_STORE_set_verify_cb_func.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\" selective merge up to: OpenSSL 315c47e0 Dec 1 14:22:16 2020 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 16 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_STORE_SET_VERIFY_CB_FUNC 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm X509_STORE_get_verify_cb
 .Nd set verification callback
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft void
 .Fo X509_STORE_set_verify_cb
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
index a22d2b1b4b..333b3860e0 100644
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
+++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_new.3,v 1.5 2023/05/24 09:57:50 tb Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_new.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2018, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 24 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_VERIFY_PARAM_NEW 3
 .Os
 .Sh NAME
@@ -38,6 +38,7 @@
 .\" X509_VP_FLAG_ONCE
 .Nd X509 verification parameter objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft X509_VERIFY_PARAM *
 .Fo X509_VERIFY_PARAM_new
diff --git a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
index a0ae839f9a..4c72be0267 100644
--- a/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
+++ b/src/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.29 2023/04/30 19:40:23 tb Exp $
+.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.32 2025/11/07 19:59:31 schwarze Exp $
 .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500
 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: November 7 2025 $
 .Dt X509_VERIFY_PARAM_SET_FLAGS 3
 .Os
 .Sh NAME
@@ -88,6 +88,7 @@
 .Nm X509_VERIFY_PARAM_set_auth_level ,
 .Nm X509_VERIFY_PARAM_set1_host ,
 .Nm X509_VERIFY_PARAM_add1_host ,
+.Nm X509_VERIFY_PARAM_get_hostflags ,
 .Nm X509_VERIFY_PARAM_set_hostflags ,
 .Nm X509_VERIFY_PARAM_get0_peername ,
 .Nm X509_VERIFY_PARAM_set1_email ,
@@ -95,6 +96,7 @@
 .Nm X509_VERIFY_PARAM_set1_ip_asc
 .Nd X509 verification parameters
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft const char *
 .Fo X509_VERIFY_PARAM_get0_name
@@ -174,6 +176,10 @@
 .Fa "const char *name"
 .Fa "size_t namelen"
 .Fc
+.Ft unsigned int
+.Fo X509_VERIFY_PARAM_get_hostflags
+.Fa "const X509_VERIFY_PARAM *param"
+.Fc
 .Ft void
 .Fo X509_VERIFY_PARAM_set_hostflags
 .Fa "X509_VERIFY_PARAM *param"
@@ -505,6 +511,11 @@ is unset.
 .Fn X509_VERIFY_PARAM_get_depth
 returns the current verification depth.
 .Pp
+.Fn X509_VERIFY_PARAM_get_hostflags
+returns the host flags previously set by a call to
+.Fn X509_VERIFY_PARAM_set_hostflags
+or 0 by default.
+.Pp
 .Fn X509_VERIFY_PARAM_get0_name
 and
 .Fn X509_VERIFY_PARAM_get0_peername
@@ -722,6 +733,10 @@ first appeared in OpenSSL 1.1.0 and
 in OpenSSL 1.1.0d.
 Both functions have been available since
 .Ox 7.2 .
+.Pp
+.Fn X509_VERIFY_PARAM_get_hostflags
+first appeared in OpenSSL 1.1.0i and has been available since
+.Ox 7.9 .
 .Sh BUGS
 Delta CRL checking is currently primitive.
 Only a single delta can be used and (partly due to limitations of
diff --git a/src/lib/libcrypto/man/X509_add1_trust_object.3 b/src/lib/libcrypto/man/X509_add1_trust_object.3
index 067bf64464..e1ca67a8f3 100644
--- a/src/lib/libcrypto/man/X509_add1_trust_object.3
+++ b/src/lib/libcrypto/man/X509_add1_trust_object.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_add1_trust_object.3,v 1.4 2024/09/02 08:04:32 tb Exp $
+.\" $OpenBSD: X509_add1_trust_object.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_ADD1_TRUST_OBJECT 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm X509_reject_clear
 .Nd mark an X.509 certificate as intended for a specific purpose
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_add1_trust_object
diff --git a/src/lib/libcrypto/man/X509_check_ca.3 b/src/lib/libcrypto/man/X509_check_ca.3
index 114bac69e7..2aa496b6ff 100644
--- a/src/lib/libcrypto/man/X509_check_ca.3
+++ b/src/lib/libcrypto/man/X509_check_ca.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_check_ca.3,v 1.7 2022/05/10 19:44:29 tb Exp $
+.\"     $OpenBSD: X509_check_ca.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Victor B. Wagner <vitus@cryptocom.ru>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 10 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CHECK_CA 3
 .Os
 .Sh NAME
 .Nm X509_check_ca
 .Nd check whether a certificate is a CA certificate
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509_check_ca
diff --git a/src/lib/libcrypto/man/X509_check_host.3 b/src/lib/libcrypto/man/X509_check_host.3
index dbc56c0d21..be3190b2d2 100644
--- a/src/lib/libcrypto/man/X509_check_host.3
+++ b/src/lib/libcrypto/man/X509_check_host.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_host.3,v 1.6 2020/09/17 08:04:22 schwarze Exp $
+.\" $OpenBSD: X509_check_host.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL a09e4d24 Jun 12 01:56:31 2014 -0400
 .\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 17 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CHECK_HOST 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm X509_check_ip_asc
 .Nd X.509 certificate matching
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509_check_host
diff --git a/src/lib/libcrypto/man/X509_check_issued.3 b/src/lib/libcrypto/man/X509_check_issued.3
index f8c2a5297a..24457674d5 100644
--- a/src/lib/libcrypto/man/X509_check_issued.3
+++ b/src/lib/libcrypto/man/X509_check_issued.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_check_issued.3,v 1.4 2019/06/06 01:06:59 schwarze Exp $
+.\"     $OpenBSD: X509_check_issued.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Victor B. Wagner <vitus@cryptocom.ru>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CHECK_ISSUED 3
 .Os
 .Sh NAME
 .Nm X509_check_issued
 .Nd check whether a certificate was issued using a given CA certificate
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509_check_issued
diff --git a/src/lib/libcrypto/man/X509_check_private_key.3 b/src/lib/libcrypto/man/X509_check_private_key.3
index 31df2126cc..61ff091728 100644
--- a/src/lib/libcrypto/man/X509_check_private_key.3
+++ b/src/lib/libcrypto/man/X509_check_private_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_check_private_key.3,v 1.6 2019/06/06 01:06:59 schwarze Exp $
+.\"     $OpenBSD: X509_check_private_key.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL X509_check_private_key.pod 09ddb878 Jun 5 03:56:07 2017 +0800
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CHECK_PRIVATE_KEY 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm X509_REQ_check_private_key
 .Nd compare public key components
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_check_private_key
diff --git a/src/lib/libcrypto/man/X509_check_purpose.3 b/src/lib/libcrypto/man/X509_check_purpose.3
index 8fea6679fc..86ee53f559 100644
--- a/src/lib/libcrypto/man/X509_check_purpose.3
+++ b/src/lib/libcrypto/man/X509_check_purpose.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_check_purpose.3,v 1.12 2024/09/02 08:04:32 tb Exp $
+.\" $OpenBSD: X509_check_purpose.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CHECK_PURPOSE 3
 .Os
 .Sh NAME
 .Nm X509_check_purpose
 .Nd check intended usage of a public key
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509_check_purpose
diff --git a/src/lib/libcrypto/man/X509_cmp.3 b/src/lib/libcrypto/man/X509_cmp.3
index b1cdec1773..e025f5c8c0 100644
--- a/src/lib/libcrypto/man/X509_cmp.3
+++ b/src/lib/libcrypto/man/X509_cmp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_cmp.3,v 1.4 2024/06/07 14:00:09 job Exp $
+.\" $OpenBSD: X509_cmp.3,v 1.5 2025/06/08 22:37:23 schwarze Exp $
 .\" full merge up to: OpenSSL ea5d4b89 Jun 6 11:42:02 2019 +0800
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 7 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CMP 3
 .Os
 .Sh NAME
@@ -79,10 +79,8 @@
 .Nm X509_CRL_cmp ,
 .Nm X509_CRL_match
 .Nd compare X.509 certificates and related values
-.\" The function name_cmp() is intentionally undocumented.
-.\" It was a mistake to make it public in the first place,
-.\" and it is no longer part of the public API in OpenSSL 1.1.
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_cmp
diff --git a/src/lib/libcrypto/man/X509_cmp_time.3 b/src/lib/libcrypto/man/X509_cmp_time.3
index bb430dfbb7..2ac584ad09 100644
--- a/src/lib/libcrypto/man/X509_cmp_time.3
+++ b/src/lib/libcrypto/man/X509_cmp_time.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_cmp_time.3,v 1.12 2024/03/05 18:30:40 tb Exp $
+.\" $OpenBSD: X509_cmp_time.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_CMP_TIME 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm X509_gmtime_adj
 .Nd ASN.1 Time utilities
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_cmp_time
diff --git a/src/lib/libcrypto/man/X509_digest.3 b/src/lib/libcrypto/man/X509_digest.3
index 7627e07731..991d1990b2 100644
--- a/src/lib/libcrypto/man/X509_digest.3
+++ b/src/lib/libcrypto/man/X509_digest.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_digest.3,v 1.8 2019/08/20 13:27:19 schwarze Exp $
+.\" $OpenBSD: X509_digest.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 1212818e Sep 11 13:22:14 2018 +0100
 .\"
 .\" This file was written by Rich Salz <rsalz@openssl.org>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 20 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_DIGEST 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm PKCS7_ISSUER_AND_SERIAL_digest
 .Nd get digests of various objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_digest
diff --git a/src/lib/libcrypto/man/X509_find_by_subject.3 b/src/lib/libcrypto/man/X509_find_by_subject.3
index 98a76a1fca..962eb80854 100644
--- a/src/lib/libcrypto/man/X509_find_by_subject.3
+++ b/src/lib/libcrypto/man/X509_find_by_subject.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_find_by_subject.3,v 1.1 2021/07/04 12:56:27 schwarze Exp $
+.\" $OpenBSD: X509_find_by_subject.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 4 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_FIND_BY_SUBJECT 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509_find_by_issuer_and_serial
 .Nd search an array of X.509 certificates
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509 *
 .Fo X509_find_by_subject
diff --git a/src/lib/libcrypto/man/X509_get0_notBefore.3 b/src/lib/libcrypto/man/X509_get0_notBefore.3
index 5e5c08b79a..5ac075fe31 100644
--- a/src/lib/libcrypto/man/X509_get0_notBefore.3
+++ b/src/lib/libcrypto/man/X509_get0_notBefore.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get0_notBefore.3,v 1.7 2024/03/05 18:30:40 tb Exp $
+.\" $OpenBSD: X509_get0_notBefore.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\" content checked up to: OpenSSL 27b138e9 May 19 00:16:38 2017 +0000
 .\"
 .\" Copyright (c) 2018, 2020 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET0_NOTBEFORE 3
 .Os
 .Sh NAME
@@ -39,6 +39,7 @@
 .Nm X509_CRL_set_nextUpdate
 .Nd get and set certificate and CRL validity dates
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft const ASN1_TIME *
 .Fo X509_get0_notBefore
diff --git a/src/lib/libcrypto/man/X509_get0_signature.3 b/src/lib/libcrypto/man/X509_get0_signature.3
index dc3be2c70a..6cebb94e56 100644
--- a/src/lib/libcrypto/man/X509_get0_signature.3
+++ b/src/lib/libcrypto/man/X509_get0_signature.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get0_signature.3,v 1.9 2024/08/28 07:18:55 tb Exp $
+.\" $OpenBSD: X509_get0_signature.3,v 1.12 2025/07/06 09:32:08 tb Exp $
 .\" selective merge up to:
 .\" OpenSSL man3/X509_get0_signature 2f7a2520 Apr 25 17:28:08 2017 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 28 2024 $
+.Dd $Mdocdate: July 6 2025 $
 .Dt X509_GET0_SIGNATURE 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm X509_get_signature_info
 .Nd signature information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft void
 .Fo X509_get0_signature
@@ -212,11 +213,11 @@ For a supported EdDSA algorithm (in LibreSSL this is Ed25519)
 this flag is always set.
 For an RSASSA-PSS PSS algorithm this flag is set if
 the parameters are DER encoded,
-the digest algorithm is one of SHA256, SHA384, or SHA512,
+the digest algorithm is one of SHA-256, SHA-384, or SHA-512,
 the same digest algorithm is used in the mask generation function,
 and the salt length is equal to the digest algorithm's output length.
 For all other signature algorithms this flag is set if the digest
-algorithm is one of SHA1, SHA256, SHA384, or SHA512.
+algorithm is one of SHA-1, SHA-256, SHA-384, or SHA-512.
 .El
 .Pp
 .Fn X509_get_signature_info
@@ -276,5 +277,12 @@ refer to the information available from the certificate signature
 (such as the signing digest).
 In some cases the actual security of the signature is smaller
 because the signing key is less secure.
-For example in a certificate signed using SHA512
+For example in a certificate signed using SHA-512
 and a 1024-bit RSA key.
+.Sh BUGS
+The signatures of
+.Fn X509_get0_signature ,
+.Fn X509_REQ_get0_signature ,
+and
+.Fn X509_CRL_get0_signature
+are inconsistent.
diff --git a/src/lib/libcrypto/man/X509_get1_email.3 b/src/lib/libcrypto/man/X509_get1_email.3
index c38a604899..020708d227 100644
--- a/src/lib/libcrypto/man/X509_get1_email.3
+++ b/src/lib/libcrypto/man/X509_get1_email.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get1_email.3,v 1.1 2019/08/23 12:23:39 schwarze Exp $
+.\" $OpenBSD: X509_get1_email.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 23 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET1_EMAIL 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm X509_email_free
 .Nd utilities for stacks of strings
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Vt typedef char *OPENSSL_STRING ;
 .Ft STACK_OF(OPENSSL_STRING) *
diff --git a/src/lib/libcrypto/man/X509_get_extension_flags.3 b/src/lib/libcrypto/man/X509_get_extension_flags.3
index 1d7f29c687..1d15be407e 100644
--- a/src/lib/libcrypto/man/X509_get_extension_flags.3
+++ b/src/lib/libcrypto/man/X509_get_extension_flags.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get_extension_flags.3,v 1.4 2023/04/30 19:40:23 tb Exp $
+.\" $OpenBSD: X509_get_extension_flags.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 361136f4 Sep 1 18:56:58 2015 +0100
 .\" selective merge up to: OpenSSL 2b2e3106f Feb 16 15:04:45 2021 +0000
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET_EXTENSION_FLAGS 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm X509_get_extended_key_usage
 .Nd retrieve certificate extension data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft uint32_t
 .Fo X509_get_extension_flags
@@ -106,8 +107,8 @@ ASN1 object itself.
 .\" EXFLAG_NO_FINGERPRINT is not available in LibreSSL. Do we need
 .\" https://github.com/openssl/openssl/issues/13698 and the fix it fixes?
 .\".It Dv EXFLAG_NO_FINGERPRINT
-.\" Failed to compute the internal SHA1 hash value of the certificate.
+.\" Failed to compute the internal SHA-1 hash value of the certificate.
-.\" This may be due to malloc failure or because no SHA1 implementation was
+.\" This may be due to malloc failure or because no SHA-1 implementation was
 .\" found.
 .It Dv EXFLAG_INVALID_POLICY
 The
diff --git a/src/lib/libcrypto/man/X509_get_pubkey.3 b/src/lib/libcrypto/man/X509_get_pubkey.3
index 0829397982..9af6f49a33 100644
--- a/src/lib/libcrypto/man/X509_get_pubkey.3
+++ b/src/lib/libcrypto/man/X509_get_pubkey.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get_pubkey.3,v 1.13 2022/03/31 17:27:17 naddy Exp $
+.\" $OpenBSD: X509_get_pubkey.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" selective merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET_PUBKEY 3
 .Os
 .Sh NAME
@@ -81,6 +81,7 @@
 .Nm X509_REQ_extract_key
 .Nd get or set certificate or certificate request public key
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft EVP_PKEY *
 .Fo X509_get_pubkey
diff --git a/src/lib/libcrypto/man/X509_get_pubkey_parameters.3 b/src/lib/libcrypto/man/X509_get_pubkey_parameters.3
index 181361477e..b2611210d1 100644
--- a/src/lib/libcrypto/man/X509_get_pubkey_parameters.3
+++ b/src/lib/libcrypto/man/X509_get_pubkey_parameters.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get_pubkey_parameters.3,v 1.2 2021/11/26 13:35:10 schwarze Exp $
+.\" $OpenBSD: X509_get_pubkey_parameters.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET_PUBKEY_PARAMETERS 3
 .Os
 .Sh NAME
 .Nm X509_get_pubkey_parameters
 .Nd copy public key parameters from a chain
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_get_pubkey_parameters
diff --git a/src/lib/libcrypto/man/X509_get_serialNumber.3 b/src/lib/libcrypto/man/X509_get_serialNumber.3
index 7d757c7a71..56f108f3d7 100644
--- a/src/lib/libcrypto/man/X509_get_serialNumber.3
+++ b/src/lib/libcrypto/man/X509_get_serialNumber.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get_serialNumber.3,v 1.5 2020/06/19 12:01:20 schwarze Exp $
+.\" $OpenBSD: X509_get_serialNumber.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 19 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET_SERIALNUMBER 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm X509_set_serialNumber
 .Nd get or set certificate serial number
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft ASN1_INTEGER *
 .Fo X509_get_serialNumber
diff --git a/src/lib/libcrypto/man/X509_get_subject_name.3 b/src/lib/libcrypto/man/X509_get_subject_name.3
index fb9611f645..8dc19080f6 100644
--- a/src/lib/libcrypto/man/X509_get_subject_name.3
+++ b/src/lib/libcrypto/man/X509_get_subject_name.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_get_subject_name.3,v 1.10 2020/10/21 17:17:44 tb Exp $
+.\"     $OpenBSD: X509_get_subject_name.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 21 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET_SUBJECT_NAME 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm X509_CRL_set_issuer_name
 .Nd get and set issuer or subject names
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_NAME *
 .Fo X509_get_subject_name
diff --git a/src/lib/libcrypto/man/X509_get_version.3 b/src/lib/libcrypto/man/X509_get_version.3
index ee46ff7c8c..d539053d81 100644
--- a/src/lib/libcrypto/man/X509_get_version.3
+++ b/src/lib/libcrypto/man/X509_get_version.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_get_version.3,v 1.8 2020/10/21 17:17:44 tb Exp $
+.\"     $OpenBSD: X509_get_version.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 21 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_GET_VERSION 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm X509_CRL_set_version
 .Nd get or set certificate, certificate request, or CRL version
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft long
 .Fo X509_get_version
diff --git a/src/lib/libcrypto/man/X509_keyid_set1.3 b/src/lib/libcrypto/man/X509_keyid_set1.3
index c529fc742b..e1668f976a 100644
--- a/src/lib/libcrypto/man/X509_keyid_set1.3
+++ b/src/lib/libcrypto/man/X509_keyid_set1.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_keyid_set1.3,v 1.2 2021/07/09 14:41:14 tb Exp $
+.\" $OpenBSD: X509_keyid_set1.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_KEYID_SET1 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm X509_alias_get0
 .Nd auxiliary certificate data for PKCS#12
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_keyid_set1
diff --git a/src/lib/libcrypto/man/X509_load_cert_file.3 b/src/lib/libcrypto/man/X509_load_cert_file.3
index 95a83dd00e..04a666da25 100644
--- a/src/lib/libcrypto/man/X509_load_cert_file.3
+++ b/src/lib/libcrypto/man/X509_load_cert_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_load_cert_file.3,v 1.1 2021/11/09 16:23:04 schwarze Exp $
+.\" $OpenBSD: X509_load_cert_file.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_LOAD_CERT_FILE 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm X509_load_cert_crl_file
 .Nd read, decode, and cache certificates and CRLs
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509_vfy.h
 .Ft int
 .Fo X509_load_cert_file
diff --git a/src/lib/libcrypto/man/X509_new.3 b/src/lib/libcrypto/man/X509_new.3
index 7b62363d4d..b6140b24b0 100644
--- a/src/lib/libcrypto/man/X509_new.3
+++ b/src/lib/libcrypto/man/X509_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_new.3,v 1.45 2024/09/02 08:04:32 tb Exp $
+.\" $OpenBSD: X509_new.3,v 1.47 2025/07/16 17:59:10 schwarze Exp $
 .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 2 2024 $
+.Dd $Mdocdate: July 16 2025 $
 .Dt X509_NEW 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm X509_chain_up_ref
 .Nd X.509 certificate object
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509 *
 .Fn X509_new void
@@ -230,7 +231,6 @@ if an error occurs.
 .Xr X509_LOOKUP_new 3 ,
 .Xr X509_NAME_new 3 ,
 .Xr X509_OBJECT_new 3 ,
-.Xr X509_PKEY_new 3 ,
 .Xr X509_print_ex 3 ,
 .Xr X509_PUBKEY_new 3 ,
 .Xr X509_PURPOSE_set 3 ,
diff --git a/src/lib/libcrypto/man/X509_ocspid_print.3 b/src/lib/libcrypto/man/X509_ocspid_print.3
index b9b6c92fbb..7b0493c655 100644
--- a/src/lib/libcrypto/man/X509_ocspid_print.3
+++ b/src/lib/libcrypto/man/X509_ocspid_print.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_ocspid_print.3,v 1.1 2021/08/06 21:45:55 schwarze Exp $
+.\" $OpenBSD: X509_ocspid_print.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 6 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_OCSPID_PRINT 3
 .Os
 .Sh NAME
 .Nm X509_ocspid_print
 .Nd pretty-print hashes of subject name and public key
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_ocspid_print
diff --git a/src/lib/libcrypto/man/X509_print_ex.3 b/src/lib/libcrypto/man/X509_print_ex.3
index c769e77c32..627ef25a79 100644
--- a/src/lib/libcrypto/man/X509_print_ex.3
+++ b/src/lib/libcrypto/man/X509_print_ex.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_print_ex.3,v 1.5 2025/03/09 14:02:46 tb Exp $
+.\" $OpenBSD: X509_print_ex.3,v 1.7 2025/07/01 06:47:56 tb Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 9 2025 $
+.Dd $Mdocdate: July 1 2025 $
 .Dt X509_PRINT_EX 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm X509_print_fp
 .Nd pretty-print an X.509 certificate
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_print_ex
@@ -132,6 +133,11 @@ with
 .Xr EVP_PKEY_print_public 3 .
 .Pq Dv X509_FLAG_NO_PUBKEY
 .It
+If an issuer or a subject unique identifier is present, its hex dump
+is printed with
+.Xr X509_signature_dump 3 .
+.Pq Dv X509_FLAG_NO_IDS
+.It
 All X.509 extensions contained in the certificate are printed with
 .Xr X509V3_extensions_print 3 .
 .Pq Dv X509_FLAG_NO_EXTENSIONS
diff --git a/src/lib/libcrypto/man/X509_sign.3 b/src/lib/libcrypto/man/X509_sign.3
index 059d92bac5..9e9df1e98d 100644
--- a/src/lib/libcrypto/man/X509_sign.3
+++ b/src/lib/libcrypto/man/X509_sign.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_sign.3,v 1.11 2024/03/06 02:34:14 tb Exp $
+.\" $OpenBSD: X509_sign.3,v 1.13 2025/07/11 18:42:51 tb Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 6 2024 $
+.Dd $Mdocdate: July 11 2025 $
 .Dt X509_SIGN 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm X509_CRL_verify
 .Nd sign or verify certificate, certificate request, or CRL signature
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_sign
@@ -77,8 +78,8 @@
 .Fc
 .Ft int
 .Fo X509_verify
-.Fa "X509 *a"
+.Fa "X509 *x"
-.Fa "EVP_PKEY *r"
+.Fa "EVP_PKEY *pkey"
 .Fc
 .Ft int
 .Fo X509_REQ_sign
@@ -93,8 +94,8 @@
 .Fc
 .Ft int
 .Fo X509_REQ_verify
-.Fa "X509_REQ *a"
+.Fa "X509_REQ *x"
-.Fa "EVP_PKEY *r"
+.Fa "EVP_PKEY *pkey"
 .Fc
 .Ft int
 .Fo X509_CRL_sign
@@ -109,8 +110,8 @@
 .Fc
 .Ft int
 .Fo X509_CRL_verify
-.Fa "X509_CRL *a"
+.Fa "X509_CRL *x"
-.Fa "EVP_PKEY *r"
+.Fa "EVP_PKEY *pkey"
 .Fc
 .Sh DESCRIPTION
 .Fn X509_sign
diff --git a/src/lib/libcrypto/man/X509_signature_dump.3 b/src/lib/libcrypto/man/X509_signature_dump.3
index 3333a615bf..c5b9277e0c 100644
--- a/src/lib/libcrypto/man/X509_signature_dump.3
+++ b/src/lib/libcrypto/man/X509_signature_dump.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_signature_dump.3,v 1.3 2024/12/06 12:51:13 schwarze Exp $
+.\" $OpenBSD: X509_signature_dump.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_SIGNATURE_DUMP 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509_signature_print
 .Nd pretty-print ASN.1 strings
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_signature_dump
diff --git a/src/lib/libcrypto/man/X509_verify_cert.3 b/src/lib/libcrypto/man/X509_verify_cert.3
index 9c085d7780..7897e09f80 100644
--- a/src/lib/libcrypto/man/X509_verify_cert.3
+++ b/src/lib/libcrypto/man/X509_verify_cert.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: X509_verify_cert.3,v 1.8 2019/06/06 01:06:59 schwarze Exp $
+.\"     $OpenBSD: X509_verify_cert.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 6 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509_VERIFY_CERT 3
 .Os
 .Sh NAME
 .Nm X509_verify_cert
 .Nd discover and verify X509 certificate chain
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509_verify_cert
diff --git a/src/lib/libcrypto/man/X509v3_addr_add_inherit.3 b/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
index 4b2d150c86..d33de1f6a8 100644
--- a/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
+++ b/src/lib/libcrypto/man/X509v3_addr_add_inherit.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.11 2023/10/01 22:46:21 tb Exp $
+.\" $OpenBSD: X509v3_addr_add_inherit.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 1 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_ADDR_ADD_INHERIT 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm X509v3_addr_is_canonical
 .Nd RFC 3779 IP address delegation extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509v3_addr_add_inherit
diff --git a/src/lib/libcrypto/man/X509v3_addr_get_range.3 b/src/lib/libcrypto/man/X509v3_addr_get_range.3
index e0d83b1162..7ad279d7cc 100644
--- a/src/lib/libcrypto/man/X509v3_addr_get_range.3
+++ b/src/lib/libcrypto/man/X509v3_addr_get_range.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_get_range.3,v 1.2 2023/09/30 14:12:40 schwarze Exp $
+.\" $OpenBSD: X509v3_addr_get_range.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_ADDR_GET_RANGE 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509v3_addr_get_range
 .Nd parse helpers for the IP address delegation extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft unsigned
 .Fn X509v3_addr_get_afi "const IPAddressFamily *af"
diff --git a/src/lib/libcrypto/man/X509v3_addr_inherits.3 b/src/lib/libcrypto/man/X509v3_addr_inherits.3
index 8e3cecf7ae..0da24ad10f 100644
--- a/src/lib/libcrypto/man/X509v3_addr_inherits.3
+++ b/src/lib/libcrypto/man/X509v3_addr_inherits.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_inherits.3,v 1.3 2023/09/30 14:21:57 schwarze Exp $
+.\" $OpenBSD: X509v3_addr_inherits.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_ADDR_INHERITS 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509v3_asid_inherits
 .Nd RFC 3779 inheritance
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fn X509v3_addr_inherits "IPAddrBlocks *addrblocks"
diff --git a/src/lib/libcrypto/man/X509v3_addr_subset.3 b/src/lib/libcrypto/man/X509v3_addr_subset.3
index 93714a26fa..5629d9c3cf 100644
--- a/src/lib/libcrypto/man/X509v3_addr_subset.3
+++ b/src/lib/libcrypto/man/X509v3_addr_subset.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_subset.3,v 1.2 2023/09/30 14:24:00 schwarze Exp $
+.\" $OpenBSD: X509v3_addr_subset.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_ADDR_SUBSET 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm X509v3_asid_subset
 .Nd RFC 3779 subset relationship
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fn X509v3_addr_subset "IPAddrBlocks *child" "IPAddrBlocks *parent"
diff --git a/src/lib/libcrypto/man/X509v3_addr_validate_path.3 b/src/lib/libcrypto/man/X509v3_addr_validate_path.3
index fe6065d599..5bafc6eba4 100644
--- a/src/lib/libcrypto/man/X509v3_addr_validate_path.3
+++ b/src/lib/libcrypto/man/X509v3_addr_validate_path.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.5 2023/09/30 19:07:38 tb Exp $
+.\" $OpenBSD: X509v3_addr_validate_path.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_ADDR_VALIDATE_PATH 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm X509v3_asid_validate_resource_set
 .Nd RFC 3779 path validation for IP address and AS number delegation
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fn X509v3_addr_validate_path "X509_STORE_CTX *ctx"
diff --git a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3 b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
index 81221ca9bc..6378f45ae8 100644
--- a/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
+++ b/src/lib/libcrypto/man/X509v3_asid_add_id_or_range.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.9 2023/09/30 18:16:44 tb Exp $
+.\" $OpenBSD: X509v3_asid_add_id_or_range.3,v 1.10 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 30 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_ASID_ADD_ID_OR_RANGE 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm X509v3_asid_is_canonical
 .Nd RFC 3779 autonomous system identifier delegation extension
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo X509v3_asid_add_id_or_range
diff --git a/src/lib/libcrypto/man/X509v3_get_ext_by_NID.3 b/src/lib/libcrypto/man/X509v3_get_ext_by_NID.3
index 8c7c159f80..63f8180151 100644
--- a/src/lib/libcrypto/man/X509v3_get_ext_by_NID.3
+++ b/src/lib/libcrypto/man/X509v3_get_ext_by_NID.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509v3_get_ext_by_NID.3,v 1.15 2024/05/22 09:44:10 tb Exp $
+.\" $OpenBSD: X509v3_get_ext_by_NID.3,v 1.16 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL fd38836b Jun 20 15:25:43 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 22 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt X509V3_GET_EXT_BY_NID 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm X509_REVOKED_add_ext
 .Nd extension stack utility functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft int
 .Fo X509v3_get_ext_count
diff --git a/src/lib/libcrypto/man/a2d_ASN1_OBJECT.3 b/src/lib/libcrypto/man/a2d_ASN1_OBJECT.3
index 7d36a54be2..ed5e7b21f6 100644
--- a/src/lib/libcrypto/man/a2d_ASN1_OBJECT.3
+++ b/src/lib/libcrypto/man/a2d_ASN1_OBJECT.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: a2d_ASN1_OBJECT.3,v 1.3 2023/08/09 17:34:39 schwarze Exp $
+.\" $OpenBSD: a2d_ASN1_OBJECT.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 9 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt A2D_ASN1_OBJECT 3
 .Os
 .Sh NAME
 .Nm a2d_ASN1_OBJECT
 .Nd DER content octets of an ASN.1 object identifier
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo a2d_ASN1_OBJECT
diff --git a/src/lib/libcrypto/man/a2i_ipadd.3 b/src/lib/libcrypto/man/a2i_ipadd.3
index 1372b2acfd..1fea5e1a05 100644
--- a/src/lib/libcrypto/man/a2i_ipadd.3
+++ b/src/lib/libcrypto/man/a2i_ipadd.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: a2i_ipadd.3,v 1.1 2024/12/27 15:30:17 schwarze Exp $
+.\" $OpenBSD: a2i_ipadd.3,v 1.2 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 27 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt A2I_IPADD 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm a2i_IPADDRESS_NC
 .Nd parse Internet Protocol addresses into ASN.1 OCTET STRINGs for X.509
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft int
 .Fo a2i_ipadd
diff --git a/src/lib/libcrypto/man/bn_dump.3 b/src/lib/libcrypto/man/bn_dump.3
deleted file mode 100644
index b4272441e5..0000000000
--- a/src/lib/libcrypto/man/bn_dump.3
+++ /dev/null
@@ -1,415 +0,0 @@
-.\" $OpenBSD: bn_dump.3,v 1.9 2023/11/16 18:10:19 schwarze Exp $
-.\" full merge up to:
-.\" OpenSSL crypto/bn/README.pod aebb9aac Jul 19 09:27:53 2016 -0400
-.\"
-.\" This file was written by Ulf Moeller <ulf@openssl.org>.
-.\" Copyright (c) 2000, 2003, 2006, 2009 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in
-.\"    the documentation and/or other materials provided with the
-.\"    distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\"    software must display the following acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\"    endorse or promote products derived from this software without
-.\"    prior written permission. For written permission, please contact
-.\"    openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\"    nor may "OpenSSL" appear in their names without prior written
-.\"    permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\"    acknowledgment:
-.\"    "This product includes software developed by the OpenSSL Project
-.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: November 16 2023 $
-.Dt BN_DUMP 3
-.Os
-.Sh NAME
-.Nm bn_mul_words ,
-.Nm bn_mul_add_words ,
-.Nm bn_sqr_words ,
-.Nm bn_div_words ,
-.Nm bn_add_words ,
-.Nm bn_sub_words ,
-.Nm bn_mul_comba4 ,
-.Nm bn_mul_comba8 ,
-.Nm bn_sqr_comba4 ,
-.Nm bn_sqr_comba8 ,
-.Nm bn_mul_normal ,
-.Nm bn_expand ,
-.Nm bn_wexpand
-.Nd BIGNUM library internal functions
-.Sh SYNOPSIS
-.Fd #include "bn_local.h"
-.Ft BN_ULONG
-.Fo bn_mul_words
-.Fa "BN_ULONG *rp"
-.Fa "BN_ULONG *ap"
-.Fa "int num"
-.Fa "BN_ULONG w"
-.Fc
-.Ft BN_ULONG
-.Fo bn_mul_add_words
-.Fa "BN_ULONG *rp"
-.Fa "BN_ULONG *ap"
-.Fa "int num"
-.Fa "BN_ULONG w"
-.Fc
-.Ft void
-.Fo bn_sqr_words
-.Fa "BN_ULONG *rp"
-.Fa "BN_ULONG *ap"
-.Fa "int num"
-.Fc
-.Ft BN_ULONG
-.Fo bn_div_words
-.Fa "BN_ULONG h"
-.Fa "BN_ULONG l"
-.Fa "BN_ULONG d"
-.Fc
-.Ft BN_ULONG
-.Fo bn_add_words
-.Fa "BN_ULONG *rp"
-.Fa "BN_ULONG *ap"
-.Fa "BN_ULONG *bp"
-.Fa "int num"
-.Fc
-.Ft BN_ULONG
-.Fo bn_sub_words
-.Fa "BN_ULONG *rp"
-.Fa "BN_ULONG *ap"
-.Fa "BN_ULONG *bp"
-.Fa "int num"
-.Fc
-.Ft void
-.Fo bn_mul_comba4
-.Fa "BN_ULONG *r"
-.Fa "BN_ULONG *a"
-.Fa "BN_ULONG *b"
-.Fc
-.Ft void
-.Fo bn_mul_comba8
-.Fa "BN_ULONG *r"
-.Fa "BN_ULONG *a"
-.Fa "BN_ULONG *b"
-.Fc
-.Ft void
-.Fo bn_sqr_comba4
-.Fa "BN_ULONG *r"
-.Fa "BN_ULONG *a"
-.Fc
-.Ft void
-.Fo bn_sqr_comba8
-.Fa "BN_ULONG *r"
-.Fa "BN_ULONG *a"
-.Fc
-.Ft void
-.Fo bn_mul_normal
-.Fa "BN_ULONG *r"
-.Fa "BN_ULONG *a"
-.Fa "int na"
-.Fa "BN_ULONG *b"
-.Fa "int nb"
-.Fc
-.Ft BIGNUM *
-.Fo bn_expand
-.Fa "BIGNUM *a"
-.Fa "int bits"
-.Fc
-.Ft BIGNUM *
-.Fo bn_wexpand
-.Fa "BIGNUM *a"
-.Fa "int n"
-.Fc
-.Sh DESCRIPTION
-This page documents some internal functions used by the
-.Vt BIGNUM
-implementation.
-They are described here to facilitate debugging and extending the
-library.
-They are
-.Em not
-to be used by applications.
-.Ss The BIGNUM structure
-.Bd -literal
-typedef struct bignum_st BIGNUM;
-struct bignum_st {
-        BN_ULONG *d;    /* Pointer to an array of 'BN_BITS2' bit chunks. */
-        int top;        /* Index of last used d +1. */
-        /* The next are internal book keeping for bn_expand. */
-        int dmax;       /* Size of the d array. */
-        int neg;        /* one if the number is negative */
-        int flags;
-};
-.Ed
-.Pp
-The integer value is stored in
-.Fa d ,
-a
-.Xr malloc 3 Ap ed
-array of words
-.Pq Vt BN_ULONG ,
-least significant word first.
-.Vt BN_ULONG
-is a macro that expands to
-.Vt unsigned long Pq = Vt uint64_t
-on
-.Dv _LP64
-platforms and
-.Vt unsigned int Pq = Vt uint32_t
-elsewhere.
-.Pp
-.Fa dmax
-is the size of the
-.Fa d
-array that has been allocated.
-.Fa top
-is the number of words being used, so for a value of 4, bn.d[0]=4 and
-bn.top=1.
-.Fa neg
-is 1 if the number is negative.
-When a
-.Vt BIGNUM
-is 0, the
-.Fa d
-field can be
-.Dv NULL
-and
-.Fa top
-== 0.
-.Pp
-.Fa flags
-is a bit field of flags which are defined in
-.In openssl/bn.h .
-The flags begin with
-.Dv BN_FLG_ .
-The functions
-.Xr BN_set_flags 3
-and
-.Xr BN_get_flags 3
-enable or inspect
-.Fa flags .
-.Pp
-Various routines in this library require the use of temporary
-.Vt BIGNUM
-variables during their execution.
-Since dynamic memory allocation to create
-.Vt BIGNUM Ns s
-is rather expensive when used in conjunction with repeated subroutine
-calls, the
-.Vt BN_CTX
-structure is used.
-This structure contains BN_CTX_NUM
-.Vt BIGNUM Ns s ;
-see
-.Xr BN_CTX_start 3 .
-.Ss Low level arithmetic operations
-These functions are implemented in C and for several platforms in
-assembly language:
-.Pp
-.Fn bn_mul_words rp ap num w
-operates on the
-.Fa num
-word arrays
-.Fa rp
-and
-.Fa ap .
-It computes
-.Fa ap
-*
-.Fa w ,
-places the result in
-.Fa rp ,
-and returns the high word (carry).
-.Pp
-.Fn bn_mul_add_words rp ap num w
-operates on the
-.Fa num
-word arrays
-.Fa rp
-and
-.Fa ap .
-It computes
-.Fa ap
-*
-.Fa w
-+
-.Fa rp ,
-places the result in
-.Fa rp ,
-and returns the high word (carry).
-.Pp
-.Fn bn_sqr_words rp ap num
-operates on the
-.Fa num
-word array
-.Fa ap
-and the
-.Pf 2* Fa num
-word array
-.Fa ap .
-It computes
-.Fa ap
-*
-.Fa ap
-word-wise, and places the low and high bytes of the result in
-.Fa rp .
-.Pp
-.Fn bn_div_words h l d
-divides the two word number
-.Pq Fa h , Fa l
-by
-.Fa d
-and returns the result.
-.Pp
-.Fn bn_add_words rp ap bp num
-operates on the
-.Fa num
-word arrays
-.Fa ap ,
-.Fa bp
-and
-.Fa rp .
-It computes
-.Fa ap
-+
-.Fa bp ,
-places the result in
-.Fa rp ,
-and returns the high word (carry).
-.Pp
-.Fn bn_sub_words rp ap bp num
-operates on the
-.Fa num
-word arrays
-.Fa ap ,
-.Fa bp
-and
-.Fa rp .
-It computes
-.Fa ap
-
-.Fa bp ,
-places the result in
-.Fa rp ,
-and returns the carry (1 if
-.Fa bp
-\(ra
-.Fa ap ,
-0 otherwise).
-.Pp
-.Fn bn_mul_comba4 r a b
-operates on the 4 word arrays
-.Fa a
-and
-.Fa b
-and the 8-word array
-.Fa r .
-It computes
-.Fa a Ns * Ns Fa b
-and places the result in
-.Fa r .
-.Pp
-.Fn bn_mul_comba8 r a b
-operates on the 8-word arrays
-.Fa a
-and
-.Fa b
-and the 16-word array
-.Fa r .
-It computes
-.Fa a Ns * Ns Fa b
-and places the result in
-.Fa r .
-.Pp
-.Fn bn_sqr_comba4 r a b
-operates on the 4-word arrays
-.Fa a
-and
-.Fa b
-and the 8-word array
-.Fa r .
-.Pp
-.Fn bn_sqr_comba8 r a b
-operates on the 8-word arrays
-.Fa a
-and
-.Fa b
-and the 16 word array
-.Fa r .
-.Pp
-The following functions are implemented in C:
-.Pp
-.Fn bn_mul_normal r a na b nb
-operates on the
-.Fa na
-word array
-.Fa a ,
-the
-.Fa nb
-word array
-.Fa b
-and the
-.Fa na Ns + Ns Fa nb
-word array
-.Fa r .
-It computes
-.Fa a Ns * Ns Fa b
-and places the result in
-.Fa r .
-.Pp
-.Xr BN_mul 3
-calls
-.Fn bn_mul_comba4
-if both factors are 4 words long,
-.Fn bn_mul_comba8
-if both factors are 8 words long,
-or
-.Fn bn_mul_normal
-otherwise.
-.Ss Size changes
-.Fn bn_expand
-ensures that
-.Fa b
-has enough space for a
-.Fa bits
-bit number.
-.Fn bn_wexpand
-ensures that
-.Fa b
-has enough space for an
-.Fa n
-word number.
-They return 0 on error or 1 otherwise.
-.Sh SEE ALSO
-.Xr BN_new 3
diff --git a/src/lib/libcrypto/man/crypto.3 b/src/lib/libcrypto/man/crypto.3
index f1367e9e62..ddc8b05686 100644
--- a/src/lib/libcrypto/man/crypto.3
+++ b/src/lib/libcrypto/man/crypto.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: crypto.3,v 1.30 2024/12/07 19:22:15 schwarze Exp $
+.\"     $OpenBSD: crypto.3,v 1.31 2025/04/25 20:04:09 tb Exp $
 .\"     OpenSSL a9c85cea Nov 11 09:33:55 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 7 2024 $
+.Dd $Mdocdate: April 25 2025 $
 .Dt CRYPTO 3
 .Os
 .Sh NAME
@@ -153,7 +153,7 @@ error reporting: see
 include
 .Xr BIO_f_buffer 3 ,
 .Xr BN_new 3 ,
-.Xr EC_GROUP_new 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
 .Xr lh_new 3 ,
 and
 .Xr STACK_OF 3 .
diff --git a/src/lib/libcrypto/man/d2i_ASN1_NULL.3 b/src/lib/libcrypto/man/d2i_ASN1_NULL.3
index 037c9c93e1..06aafc08a2 100644
--- a/src/lib/libcrypto/man/d2i_ASN1_NULL.3
+++ b/src/lib/libcrypto/man/d2i_ASN1_NULL.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_ASN1_NULL.3,v 1.5 2023/09/26 09:36:22 tb Exp $
+.\"     $OpenBSD: d2i_ASN1_NULL.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 26 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_ASN1_NULL 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm i2d_ASN1_NULL
 .Nd decode and encode an ASN.1 NULL type
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_NULL *
 .Fo d2i_ASN1_NULL
diff --git a/src/lib/libcrypto/man/d2i_ASN1_OBJECT.3 b/src/lib/libcrypto/man/d2i_ASN1_OBJECT.3
index bbb70ad8c6..3d90c60e0b 100644
--- a/src/lib/libcrypto/man/d2i_ASN1_OBJECT.3
+++ b/src/lib/libcrypto/man/d2i_ASN1_OBJECT.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_ASN1_OBJECT.3,v 1.15 2025/03/14 21:32:15 tb Exp $
+.\" $OpenBSD: d2i_ASN1_OBJECT.3,v 1.16 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2017, 2022, 2023 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 14 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_ASN1_OBJECT 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm OBJ_length
 .Nd decode and encode ASN.1 object identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_OBJECT *
 .Fo d2i_ASN1_OBJECT
diff --git a/src/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3 b/src/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3
index d544af0fe4..bd4b900193 100644
--- a/src/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3
+++ b/src/lib/libcrypto/man/d2i_ASN1_OCTET_STRING.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_ASN1_OCTET_STRING.3,v 1.20 2024/02/13 12:38:43 job Exp $
+.\"     $OpenBSD: d2i_ASN1_OCTET_STRING.3,v 1.21 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 13 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_ASN1_OCTET_STRING 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm i2d_ASN1_TIME
 .Nd decode and encode ASN1_STRING objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_OCTET_STRING *
 .Fo d2i_ASN1_OCTET_STRING
diff --git a/src/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3 b/src/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3
index 654f0b1e6b..bd54520005 100644
--- a/src/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3
+++ b/src/lib/libcrypto/man/d2i_ASN1_SEQUENCE_ANY.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_ASN1_SEQUENCE_ANY.3,v 1.3 2021/12/09 19:05:09 schwarze Exp $
+.\" $OpenBSD: d2i_ASN1_SEQUENCE_ANY.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2017, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_ASN1_SEQUENCE_ANY 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm i2d_ASN1_SET_ANY
 .Nd decode and encode ASN.1 sequences and sets
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft ASN1_SEQUENCE_ANY *
 .Fo d2i_ASN1_SEQUENCE_ANY
diff --git a/src/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3 b/src/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3
index 413f41e179..de1acfb6e1 100644
--- a/src/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3
+++ b/src/lib/libcrypto/man/d2i_AUTHORITY_KEYID.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_AUTHORITY_KEYID.3,v 1.2 2018/03/21 16:09:51 schwarze Exp $
+.\"     $OpenBSD: d2i_AUTHORITY_KEYID.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_AUTHORITY_KEYID 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm i2d_AUTHORITY_KEYID
 .Nd decode and encode X.509 authority key identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft AUTHORITY_KEYID *
 .Fo d2i_AUTHORITY_KEYID
diff --git a/src/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3 b/src/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3
index 2964a1f90e..b90c13df06 100644
--- a/src/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3
+++ b/src/lib/libcrypto/man/d2i_BASIC_CONSTRAINTS.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_BASIC_CONSTRAINTS.3,v 1.3 2018/03/22 21:08:22 schwarze Exp $
+.\"     $OpenBSD: d2i_BASIC_CONSTRAINTS.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 22 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_BASIC_CONSTRAINTS 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm i2d_EXTENDED_KEY_USAGE
 .Nd decode and encode X.509 key usage purposes
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft BASIC_CONSTRAINTS *
 .Fo d2i_BASIC_CONSTRAINTS
diff --git a/src/lib/libcrypto/man/d2i_CMS_ContentInfo.3 b/src/lib/libcrypto/man/d2i_CMS_ContentInfo.3
index 0c61047c42..f4238d664d 100644
--- a/src/lib/libcrypto/man/d2i_CMS_ContentInfo.3
+++ b/src/lib/libcrypto/man/d2i_CMS_ContentInfo.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_CMS_ContentInfo.3,v 1.3 2019/11/02 15:39:46 schwarze Exp $
+.\" $OpenBSD: d2i_CMS_ContentInfo.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\" Copyright (c) 2019 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 2 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_CMS_CONTENTINFO 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm i2d_CMS_ReceiptRequest
 .Nd decode and encode Cryptographic Message Syntax data
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft CMS_ContentInfo *
 .Fo d2i_CMS_ContentInfo
diff --git a/src/lib/libcrypto/man/d2i_DHparams.3 b/src/lib/libcrypto/man/d2i_DHparams.3
index 7fd9878dc0..f3cbd21f13 100644
--- a/src/lib/libcrypto/man/d2i_DHparams.3
+++ b/src/lib/libcrypto/man/d2i_DHparams.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_DHparams.3,v 1.8 2018/03/27 17:35:50 schwarze Exp $
+.\" $OpenBSD: d2i_DHparams.3,v 1.9 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_DHPARAMS 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm i2d_DHparams
 .Nd PKCS#3 DH parameter functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dh.h
 .Ft DH *
 .Fo d2i_DHparams
diff --git a/src/lib/libcrypto/man/d2i_DIST_POINT.3 b/src/lib/libcrypto/man/d2i_DIST_POINT.3
index 34bdb26fb4..0e49dfeeb3 100644
--- a/src/lib/libcrypto/man/d2i_DIST_POINT.3
+++ b/src/lib/libcrypto/man/d2i_DIST_POINT.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_DIST_POINT.3,v 1.4 2018/03/23 04:34:23 schwarze Exp $
+.\"     $OpenBSD: d2i_DIST_POINT.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_DIST_POINT 3
 .Os
 .Sh NAME
@@ -32,6 +32,7 @@
 .Nm i2d_AUTHORITY_INFO_ACCESS
 .Nd decode and encode X.509 data access extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft DIST_POINT *
 .Fo d2i_DIST_POINT
diff --git a/src/lib/libcrypto/man/d2i_DSAPublicKey.3 b/src/lib/libcrypto/man/d2i_DSAPublicKey.3
index 37ef22e1b9..62dcc45082 100644
--- a/src/lib/libcrypto/man/d2i_DSAPublicKey.3
+++ b/src/lib/libcrypto/man/d2i_DSAPublicKey.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_DSAPublicKey.3,v 1.14 2018/08/26 17:03:32 tb Exp $
+.\"     $OpenBSD: d2i_DSAPublicKey.3,v 1.15 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 26 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_DSAPUBLICKEY 3
 .Os
 .Sh NAME
@@ -78,6 +78,7 @@
 .Nm i2d_DSA_SIG
 .Nd decode and encode DSA keys
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/dsa.h
 .Ft DSA *
 .Fo d2i_DSAPublicKey
diff --git a/src/lib/libcrypto/man/d2i_ECPKParameters.3 b/src/lib/libcrypto/man/d2i_ECPKParameters.3
index c4ede82f3b..8e824951d6 100644
--- a/src/lib/libcrypto/man/d2i_ECPKParameters.3
+++ b/src/lib/libcrypto/man/d2i_ECPKParameters.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_ECPKParameters.3,v 1.13 2024/10/24 21:42:10 tb Exp $
+.\"     $OpenBSD: d2i_ECPKParameters.3,v 1.15 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_ECPKPARAMETERS 3
 .Os
 .Sh NAME
@@ -98,6 +98,7 @@
 .Nm i2d_EC_PUBKEY_fp
 .Nd decode and encode ASN.1 representations of elliptic curve entities
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ec.h
 .Ft EC_GROUP *
 .Fo d2i_ECPKParameters
@@ -418,8 +419,7 @@ and
 return 1 for success or 0 if an error occurs.
 .Sh SEE ALSO
 .Xr ASN1_item_d2i 3 ,
-.Xr EC_GROUP_copy 3 ,
+.Xr EC_GROUP_new_by_curve_name 3 ,
-.Xr EC_GROUP_new 3 ,
 .Xr EC_KEY_new 3 ,
 .Xr EVP_PKEY_set1_EC_KEY 3 ,
 .Xr PEM_write_ECPrivateKey 3 ,
diff --git a/src/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3 b/src/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3
index c1d61d3b5e..0305ca78a1 100644
--- a/src/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3
+++ b/src/lib/libcrypto/man/d2i_ESS_SIGNING_CERT.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_ESS_SIGNING_CERT.3,v 1.2 2018/03/23 04:34:23 schwarze Exp $
+.\"     $OpenBSD: d2i_ESS_SIGNING_CERT.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_ESS_SIGNING_CERT 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm i2d_ESS_ISSUER_SERIAL
 .Nd decode and encode signing certificates for S/MIME
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ts.h
 .Ft ESS_SIGNING_CERT *
 .Fo d2i_ESS_SIGNING_CERT
diff --git a/src/lib/libcrypto/man/d2i_GENERAL_NAME.3 b/src/lib/libcrypto/man/d2i_GENERAL_NAME.3
index bfdcc6c67c..557e5ce353 100644
--- a/src/lib/libcrypto/man/d2i_GENERAL_NAME.3
+++ b/src/lib/libcrypto/man/d2i_GENERAL_NAME.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_GENERAL_NAME.3,v 1.4 2018/03/22 21:08:22 schwarze Exp $
+.\"     $OpenBSD: d2i_GENERAL_NAME.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 22 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_GENERAL_NAME 3
 .Os
 .Sh NAME
@@ -28,6 +28,7 @@
 .Nm i2d_OTHERNAME
 .Nd decode and encode names for use in X.509 extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft GENERAL_NAME *
 .Fo d2i_GENERAL_NAME
diff --git a/src/lib/libcrypto/man/d2i_OCSP_REQUEST.3 b/src/lib/libcrypto/man/d2i_OCSP_REQUEST.3
index 07a990556d..7d27d2b4c1 100644
--- a/src/lib/libcrypto/man/d2i_OCSP_REQUEST.3
+++ b/src/lib/libcrypto/man/d2i_OCSP_REQUEST.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_OCSP_REQUEST.3,v 1.3 2021/03/12 05:18:00 jsg Exp $
+.\"     $OpenBSD: d2i_OCSP_REQUEST.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 12 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_OCSP_REQUEST 3
 .Os
 .Sh NAME
@@ -32,6 +32,7 @@
 .Nm i2d_OCSP_SERVICELOC
 .Nd decode and encode OCSP requests
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_REQUEST *
 .Fo d2i_OCSP_REQUEST
diff --git a/src/lib/libcrypto/man/d2i_OCSP_RESPONSE.3 b/src/lib/libcrypto/man/d2i_OCSP_RESPONSE.3
index 716e85dc6e..a89c566c12 100644
--- a/src/lib/libcrypto/man/d2i_OCSP_RESPONSE.3
+++ b/src/lib/libcrypto/man/d2i_OCSP_RESPONSE.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_OCSP_RESPONSE.3,v 1.4 2021/03/12 05:18:00 jsg Exp $
+.\"     $OpenBSD: d2i_OCSP_RESPONSE.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 12 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_OCSP_RESPONSE 3
 .Os
 .Sh NAME
@@ -38,6 +38,7 @@
 .Nm i2d_OCSP_CRLID
 .Nd decode and encode OCSP responses
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ocsp.h
 .Ft OCSP_RESPONSE *
 .Fo d2i_OCSP_RESPONSE
diff --git a/src/lib/libcrypto/man/d2i_PKCS12.3 b/src/lib/libcrypto/man/d2i_PKCS12.3
index 55272d1f36..2dda946a3f 100644
--- a/src/lib/libcrypto/man/d2i_PKCS12.3
+++ b/src/lib/libcrypto/man/d2i_PKCS12.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_PKCS12.3,v 1.2 2018/03/21 17:57:48 schwarze Exp $
+.\"     $OpenBSD: d2i_PKCS12.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_PKCS12 3
 .Os
 .Sh NAME
@@ -32,6 +32,7 @@
 .Nm i2d_PKCS12_BAGS
 .Nd decode and encode PKCS#12 structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs12.h
 .Ft PKCS12 *
 .Fo d2i_PKCS12
diff --git a/src/lib/libcrypto/man/d2i_PKCS7.3 b/src/lib/libcrypto/man/d2i_PKCS7.3
index e587787465..6d72433b7d 100644
--- a/src/lib/libcrypto/man/d2i_PKCS7.3
+++ b/src/lib/libcrypto/man/d2i_PKCS7.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_PKCS7.3,v 1.7 2023/04/25 18:05:07 tb Exp $
+.\"     $OpenBSD: d2i_PKCS7.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: April 25 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_PKCS7 3
 .Os
 .Sh NAME
@@ -44,6 +44,7 @@
 .Nm i2d_PKCS7_SIGN_ENVELOPE
 .Nd decode and encode PKCS#7 data structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft PKCS7 *
 .Fo d2i_PKCS7
diff --git a/src/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3 b/src/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3
index 58dd989fae..41ab7ebcba 100644
--- a/src/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3
+++ b/src/lib/libcrypto/man/d2i_PKCS8PrivateKey_bio.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_PKCS8PrivateKey_bio.3,v 1.11 2019/06/07 19:28:52 schwarze Exp $
+.\" $OpenBSD: d2i_PKCS8PrivateKey_bio.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 7 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_PKCS8PRIVATEKEY_BIO 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm i2d_PKCS8PrivateKey_nid_fp
 .Nd PKCS#8 format private key functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_PKEY *
 .Fo d2i_PKCS8PrivateKey_bio
diff --git a/src/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3 b/src/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3
index 1ac0f2c308..583fd536f2 100644
--- a/src/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3
+++ b/src/lib/libcrypto/man/d2i_PKCS8_PRIV_KEY_INFO.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_PKCS8_PRIV_KEY_INFO.3,v 1.3 2018/03/21 21:18:08 schwarze Exp $
+.\"     $OpenBSD: d2i_PKCS8_PRIV_KEY_INFO.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_PKCS8_PRIV_KEY_INFO 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm i2d_PKCS8_PRIV_KEY_INFO_fp
 .Nd decode and encode PKCS#8 private key
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft PKCS8_PRIV_KEY_INFO *
 .Fo d2i_PKCS8_PRIV_KEY_INFO
diff --git a/src/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3 b/src/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3
index df8639264c..1c3a215a38 100644
--- a/src/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3
+++ b/src/lib/libcrypto/man/d2i_PKEY_USAGE_PERIOD.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_PKEY_USAGE_PERIOD.3,v 1.2 2018/03/21 16:09:51 schwarze Exp $
+.\"     $OpenBSD: d2i_PKEY_USAGE_PERIOD.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_PKEY_USAGE_PERIOD 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm i2d_PKEY_USAGE_PERIOD
 .Nd decode and encode X.509 key usage period extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft PKEY_USAGE_PERIOD *
 .Fo d2i_PKEY_USAGE_PERIOD
diff --git a/src/lib/libcrypto/man/d2i_POLICYINFO.3 b/src/lib/libcrypto/man/d2i_POLICYINFO.3
index bae78b17c7..c335edc1df 100644
--- a/src/lib/libcrypto/man/d2i_POLICYINFO.3
+++ b/src/lib/libcrypto/man/d2i_POLICYINFO.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_POLICYINFO.3,v 1.2 2018/03/21 17:57:48 schwarze Exp $
+.\"     $OpenBSD: d2i_POLICYINFO.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_POLICYINFO 3
 .Os
 .Sh NAME
@@ -30,6 +30,7 @@
 .Nm i2d_NOTICEREF
 .Nd decode and encode X.509 certificate policies
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft POLICYINFO *
 .Fo d2i_POLICYINFO
diff --git a/src/lib/libcrypto/man/d2i_PrivateKey.3 b/src/lib/libcrypto/man/d2i_PrivateKey.3
index b544ea0e9a..48f1b93a19 100644
--- a/src/lib/libcrypto/man/d2i_PrivateKey.3
+++ b/src/lib/libcrypto/man/d2i_PrivateKey.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_PrivateKey.3,v 1.11 2024/10/24 21:42:10 tb Exp $
+.\" $OpenBSD: d2i_PrivateKey.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_PRIVATEKEY 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm i2d_PublicKey
 .Nd decode and encode EVP_PKEY objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft EVP_PKEY *
 .Fo d2i_PrivateKey
diff --git a/src/lib/libcrypto/man/d2i_RSAPublicKey.3 b/src/lib/libcrypto/man/d2i_RSAPublicKey.3
index d6c376d84b..3f738641df 100644
--- a/src/lib/libcrypto/man/d2i_RSAPublicKey.3
+++ b/src/lib/libcrypto/man/d2i_RSAPublicKey.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_RSAPublicKey.3,v 1.13 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: d2i_RSAPublicKey.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\"
 .\" This file is a derived work.
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_RSAPUBLICKEY 3
 .Os
 .Sh NAME
@@ -95,6 +95,7 @@
 .Nm i2d_RSA_PUBKEY_fp
 .Nd decode and encode RSA keys and parameters
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/rsa.h
 .Ft RSA *
 .Fo d2i_RSAPublicKey
diff --git a/src/lib/libcrypto/man/d2i_TS_REQ.3 b/src/lib/libcrypto/man/d2i_TS_REQ.3
index 9f7c860fa1..87e9a402b8 100644
--- a/src/lib/libcrypto/man/d2i_TS_REQ.3
+++ b/src/lib/libcrypto/man/d2i_TS_REQ.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_TS_REQ.3,v 1.2 2018/03/23 04:34:23 schwarze Exp $
+.\"     $OpenBSD: d2i_TS_REQ.3,v 1.3 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_TS_REQ 3
 .Os
 .Sh NAME
@@ -48,6 +48,7 @@
 .Nm i2d_TS_MSG_IMPRINT_fp
 .Nd decode and encode X.509 time-stamp protocol structures
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/ts.h
 .Ft TS_REQ *
 .Fo d2i_TS_REQ
diff --git a/src/lib/libcrypto/man/d2i_X509.3 b/src/lib/libcrypto/man/d2i_X509.3
index 6102e49e0e..2905e49aca 100644
--- a/src/lib/libcrypto/man/d2i_X509.3
+++ b/src/lib/libcrypto/man/d2i_X509.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_X509.3,v 1.11 2021/10/27 10:35:43 schwarze Exp $
+.\" $OpenBSD: d2i_X509.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\" OpenSSL d2i_X509.pod checked up to:
 .\" 256989ce4 Jun 19 15:00:32 2020 +0200
 .\" OpenSSL i2d_re_X509_tbs.pod checked up to:
@@ -71,7 +71,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 27 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509 3
 .Os
 .Sh NAME
@@ -94,6 +94,7 @@
 .Nm i2d_re_X509_REQ_tbs
 .Nd decode and encode X.509 certificates
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509 *
 .Fo d2i_X509
diff --git a/src/lib/libcrypto/man/d2i_X509_ALGOR.3 b/src/lib/libcrypto/man/d2i_X509_ALGOR.3
index 252f3fc344..2691ceda85 100644
--- a/src/lib/libcrypto/man/d2i_X509_ALGOR.3
+++ b/src/lib/libcrypto/man/d2i_X509_ALGOR.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_X509_ALGOR.3,v 1.11 2025/03/14 21:32:15 tb Exp $
+.\" $OpenBSD: d2i_X509_ALGOR.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 14 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509_ALGOR 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm i2d_X509_ALGORS
 .Nd decode and encode algorithm identifiers
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_ALGOR *
 .Fo d2i_X509_ALGOR
diff --git a/src/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3 b/src/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3
index 6b070e5e51..be4924d3e0 100644
--- a/src/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3
+++ b/src/lib/libcrypto/man/d2i_X509_ATTRIBUTE.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_X509_ATTRIBUTE.3,v 1.3 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: d2i_X509_ATTRIBUTE.3,v 1.4 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509_ATTRIBUTE 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .\" The type in called "Attribute" with capital "A", not "attribute".
 .Nd decode and encode generic X.501 Attribute
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_ATTRIBUTE *
 .Fo d2i_X509_ATTRIBUTE
diff --git a/src/lib/libcrypto/man/d2i_X509_CRL.3 b/src/lib/libcrypto/man/d2i_X509_CRL.3
index 79c1ed9f8c..040ac0395f 100644
--- a/src/lib/libcrypto/man/d2i_X509_CRL.3
+++ b/src/lib/libcrypto/man/d2i_X509_CRL.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_X509_CRL.3,v 1.10 2025/03/15 15:17:41 tb Exp $
+.\" $OpenBSD: d2i_X509_CRL.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 15 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509_CRL 3
 .Os
 .Sh NAME
@@ -30,6 +30,7 @@
 .Nm i2d_X509_REVOKED
 .Nd decode and encode X.509 certificate revocation lists
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_CRL *
 .Fo d2i_X509_CRL
diff --git a/src/lib/libcrypto/man/d2i_X509_EXTENSION.3 b/src/lib/libcrypto/man/d2i_X509_EXTENSION.3
index 46a680c1ba..3e1011d180 100644
--- a/src/lib/libcrypto/man/d2i_X509_EXTENSION.3
+++ b/src/lib/libcrypto/man/d2i_X509_EXTENSION.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_X509_EXTENSION.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: d2i_X509_EXTENSION.3,v 1.5 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509_EXTENSION 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .\" The ASN.1 structure is called "Extensions", not "extensions".
 .Nd decode and encode X.509 Extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_EXTENSION *
 .Fo d2i_X509_EXTENSION
diff --git a/src/lib/libcrypto/man/d2i_X509_NAME.3 b/src/lib/libcrypto/man/d2i_X509_NAME.3
index f5cafaee97..c8df55f10d 100644
--- a/src/lib/libcrypto/man/d2i_X509_NAME.3
+++ b/src/lib/libcrypto/man/d2i_X509_NAME.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: d2i_X509_NAME.3,v 1.18 2025/03/14 21:32:15 tb Exp $
+.\" $OpenBSD: d2i_X509_NAME.3,v 1.19 2025/06/08 22:40:30 schwarze Exp $
 .\" checked up to:
 .\" OpenSSL crypto/d2i_X509_NAME 4692340e Jun 7 15:49:08 2016 -0400 and
 .\" OpenSSL man3/X509_NAME_get0_der 99d63d46 Oct 26 13:56:48 2016 -0400
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 14 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509_NAME 3
 .Os
 .Sh NAME
@@ -34,6 +34,7 @@
 .\" The type is called "Name" with capital "N", not "name".
 .Nd decode and encode X.501 Name objects
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_NAME *
 .Fo d2i_X509_NAME
diff --git a/src/lib/libcrypto/man/d2i_X509_REQ.3 b/src/lib/libcrypto/man/d2i_X509_REQ.3
index 95785a2d25..0f113757ee 100644
--- a/src/lib/libcrypto/man/d2i_X509_REQ.3
+++ b/src/lib/libcrypto/man/d2i_X509_REQ.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_X509_REQ.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: d2i_X509_REQ.3,v 1.8 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL bb9ad09e Jun 6 00:43:05 2016 -0400
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509_REQ 3
 .Os
 .Sh NAME
@@ -29,6 +29,7 @@
 .Nm i2d_X509_REQ_INFO
 .Nd decode and encode PKCS#10 certification requests
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_REQ *
 .Fo d2i_X509_REQ
diff --git a/src/lib/libcrypto/man/d2i_X509_SIG.3 b/src/lib/libcrypto/man/d2i_X509_SIG.3
index c9fbf86633..1700b2d728 100644
--- a/src/lib/libcrypto/man/d2i_X509_SIG.3
+++ b/src/lib/libcrypto/man/d2i_X509_SIG.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_X509_SIG.3,v 1.10 2025/03/14 21:32:15 tb Exp $
+.\"     $OpenBSD: d2i_X509_SIG.3,v 1.11 2025/06/08 22:40:30 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 14 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_X509_SIG 3
 .Os
 .Sh NAME
@@ -29,6 +29,7 @@
 .\" These functions are misnamed.
 .Nd decode and encode PKCS#7 digest information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft X509_SIG *
 .Fo d2i_X509_SIG
diff --git a/src/lib/libcrypto/man/des_read_pw.3 b/src/lib/libcrypto/man/des_read_pw.3
index 7cb35b47f8..2ffe13bbe9 100644
--- a/src/lib/libcrypto/man/des_read_pw.3
+++ b/src/lib/libcrypto/man/des_read_pw.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: des_read_pw.3,v 1.12 2024/08/24 07:48:37 tb Exp $
+.\" $OpenBSD: des_read_pw.3,v 1.13 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL doc/crypto/des.pod
 .\" 53934822 Jun 9 16:39:19 2016 -0400
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DES_READ_PW 3
 .Os
 .Sh NAME
@@ -76,6 +76,7 @@
 .Nm EVP_get_pw_prompt
 .Nd compatibility user interface functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Ft int
 .Fo EVP_read_pw_string
diff --git a/src/lib/libcrypto/man/evp.3 b/src/lib/libcrypto/man/evp.3
index 2c54c0f981..3a7acf1ff8 100644
--- a/src/lib/libcrypto/man/evp.3
+++ b/src/lib/libcrypto/man/evp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: evp.3,v 1.36 2024/12/06 14:27:49 schwarze Exp $
+.\" $OpenBSD: evp.3,v 1.38 2025/06/11 13:48:54 schwarze Exp $
 .\" full merge up to: OpenSSL man7/evp 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org>,
@@ -51,13 +51,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 6 2024 $
+.Dd $Mdocdate: June 11 2025 $
 .Dt EVP 3
 .Os
 .Sh NAME
 .Nm evp
 .Nd high-level cryptographic functions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/evp.h
 .Sh DESCRIPTION
 The EVP library provides a high-level interface to cryptographic
@@ -75,7 +76,7 @@ in contexts like
 .Xr EVP_SealInit 3 ,
 .Xr PKCS7_encrypt 3 ,
 or
-.Xr SMIME_write_ASN1 3 .
+.Xr SMIME_write_PKCS7 3 .
 .Pp
 .Xr EVP_SealInit 3
 and
diff --git a/src/lib/libcrypto/man/i2a_ASN1_STRING.3 b/src/lib/libcrypto/man/i2a_ASN1_STRING.3
index 7d46474775..c16259e565 100644
--- a/src/lib/libcrypto/man/i2a_ASN1_STRING.3
+++ b/src/lib/libcrypto/man/i2a_ASN1_STRING.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: i2a_ASN1_STRING.3,v 1.5 2024/12/27 15:30:17 schwarze Exp $
+.\" $OpenBSD: i2a_ASN1_STRING.3,v 1.6 2025/06/08 22:40:30 schwarze Exp $
 .\"
 .\" Copyright (c) 2019, 2021 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 27 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt I2A_ASN1_STRING 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm a2i_ASN1_ENUMERATED
 .Nd hexadecimal dump of an ASN.1 string
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .Ft int
 .Fo i2a_ASN1_STRING
diff --git a/src/lib/libcrypto/man/i2d_CMS_bio_stream.3 b/src/lib/libcrypto/man/i2d_CMS_bio_stream.3
index b60468464c..403f7c2906 100644
--- a/src/lib/libcrypto/man/i2d_CMS_bio_stream.3
+++ b/src/lib/libcrypto/man/i2d_CMS_bio_stream.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: i2d_CMS_bio_stream.3,v 1.6 2023/05/01 07:28:11 tb Exp $
+.\" $OpenBSD: i2d_CMS_bio_stream.3,v 1.7 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 1 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt I2D_CMS_BIO_STREAM 3
 .Os
 .Sh NAME
 .Nm i2d_CMS_bio_stream
 .Nd output CMS_ContentInfo structure in BER format
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/cms.h
 .Ft int
 .Fo i2d_CMS_bio_stream
diff --git a/src/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 b/src/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
index 7a47ba3026..3636960aa2 100644
--- a/src/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
+++ b/src/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: i2d_PKCS7_bio_stream.3,v 1.11 2023/05/01 07:28:11 tb Exp $
+.\" $OpenBSD: i2d_PKCS7_bio_stream.3,v 1.12 2025/06/08 22:40:30 schwarze Exp $
 .\" OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 1 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt I2D_PKCS7_BIO_STREAM 3
 .Os
 .Sh NAME
 .Nm i2d_PKCS7_bio_stream
 .Nd output PKCS7 structure in BER format
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/pkcs7.h
 .Ft int
 .Fo i2d_PKCS7_bio_stream
diff --git a/src/lib/libcrypto/man/lh_new.3 b/src/lib/libcrypto/man/lh_new.3
index 2550a7d2e7..cc0b3d6b96 100644
--- a/src/lib/libcrypto/man/lh_new.3
+++ b/src/lib/libcrypto/man/lh_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: lh_new.3,v 1.13 2024/03/05 22:15:29 tb Exp $
+.\" $OpenBSD: lh_new.3,v 1.14 2025/06/08 22:40:30 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL doc/crypto/lhash.pod 1bc74519 May 20 08:11:46 2016 -0400
 .\" selective merge up to:
@@ -118,7 +118,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: March 5 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt LH_NEW 3
 .Os
 .Sh NAME
@@ -137,6 +137,7 @@
 .Nm lh_strhash
 .Nd dynamic hash table
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/lhash.h
 .Fn DECLARE_LHASH_OF <type>
 .Ft LHASH *
diff --git a/src/lib/libcrypto/man/s2i_ASN1_INTEGER.3 b/src/lib/libcrypto/man/s2i_ASN1_INTEGER.3
index a2105bc4bc..16646c69d1 100644
--- a/src/lib/libcrypto/man/s2i_ASN1_INTEGER.3
+++ b/src/lib/libcrypto/man/s2i_ASN1_INTEGER.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: s2i_ASN1_INTEGER.3,v 1.9 2024/12/27 15:30:17 schwarze Exp $
+.\" $OpenBSD: s2i_ASN1_INTEGER.3,v 1.11 2025/06/13 18:34:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 27 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt S2I_ASN1_INTEGER 3
 .Os
 .Sh NAME
@@ -26,35 +26,36 @@
 .Nm s2i_ASN1_OCTET_STRING
 .Nd ASN.1 data type conversion utilities for certificate extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/asn1.h
 .In openssl/x509v3.h
-.Ft "char *"
+.Ft char *
 .Fo i2s_ASN1_ENUMERATED
 .Fa "X509V3_EXT_METHOD *method"
 .Fa "const ASN1_ENUMERATED *a"
 .Fc
-.Ft "char *"
+.Ft char *
 .Fo i2s_ASN1_INTEGER
 .Fa "X509V3_EXT_METHOD *method"
 .Fa "const ASN1_INTEGER *a"
 .Fc
-.Ft "ASN1_INTEGER *"
+.Ft ASN1_INTEGER *
 .Fo s2i_ASN1_INTEGER
 .Fa "X509V3_EXT_METHOD *method"
 .Fa "const char *value"
 .Fc
-.Ft "char *"
+.Ft char *
 .Fo i2s_ASN1_OCTET_STRING
 .Fa "X509V3_EXT_METHOD *method"
 .Fa "const ASN1_OCTET_STRING *aos"
 .Fc
-.Ft "ASN1_OCTET_STRING *"
+.Ft ASN1_OCTET_STRING *
 .Fo s2i_ASN1_OCTET_STRING
 .Fa "X509V3_EXT_METHOD *method"
 .Fa "X509V3_CTX *ctx"
 .Fa "const char *value"
 .Fc
-.Ft "char *"
+.Ft char *
 .Fo i2s_ASN1_ENUMERATED_TABLE
 .Fa "X509V3_EXT_METHOD *method"
 .Fa "const ASN1_ENUMERATED *a"
diff --git a/src/lib/libcrypto/man/v2i_ASN1_BIT_STRING.3 b/src/lib/libcrypto/man/v2i_ASN1_BIT_STRING.3
index 36d9f7496b..107a57ae35 100644
--- a/src/lib/libcrypto/man/v2i_ASN1_BIT_STRING.3
+++ b/src/lib/libcrypto/man/v2i_ASN1_BIT_STRING.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: v2i_ASN1_BIT_STRING.3,v 1.1 2024/12/24 09:48:56 schwarze Exp $
+.\" $OpenBSD: v2i_ASN1_BIT_STRING.3,v 1.2 2025/06/08 22:40:31 schwarze Exp $
 .\"
 .\" Copyright (c) 2024 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 24 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt V2I_ASN1_BIT_STRING 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm i2v_ASN1_BIT_STRING
 .Nd ASN.1 BIT STRING utility functions for certificate extensions
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509v3.h
 .Ft ASN1_BIT_STRING *
 .Fo v2i_ASN1_BIT_STRING
diff --git a/src/lib/libcrypto/md5/md5.c b/src/lib/libcrypto/md5/md5.c
index f1c9223d86..f5ad5570a4 100644
--- a/src/lib/libcrypto/md5/md5.c
+++ b/src/lib/libcrypto/md5/md5.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: md5.c,v 1.25 2025/01/24 13:35:04 jsing Exp $ */
+/* $OpenBSD: md5.c,v 1.26 2026/01/17 14:53:09 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -70,11 +70,11 @@
 /* Ensure that MD5_LONG and uint32_t are equivalent size. */
 CTASSERT(sizeof(MD5_LONG) == sizeof(uint32_t));
-#ifdef MD5_ASM
+#ifdef HAVE_MD5_BLOCK_DATA_ORDER
 void md5_block_data_order(MD5_CTX *c, const void *p, size_t num);
 #endif
-#ifndef MD5_ASM
+#ifndef HAVE_MD5_BLOCK_DATA_ORDER
 static inline uint32_t
 md5_F(uint32_t x, uint32_t y, uint32_t z)
 {
diff --git a/src/lib/libcrypto/mlkem/mlkem.c b/src/lib/libcrypto/mlkem/mlkem.c
new file mode 100644
index 0000000000..67b6f241a3
--- /dev/null
+++ b/src/lib/libcrypto/mlkem/mlkem.c
@@ -0,0 +1,349 @@
+/*      $OpenBSD: mlkem.c,v 1.7 2026/01/16 18:27:22 tb Exp $ */
+/*
+ * Copyright (c) 2025, Bob Beck <beck@obtuse.com>
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/mlkem.h>
+#include "mlkem_internal.h"
+static inline int
+private_key_is_new(const MLKEM_private_key *key)
+{
+        return (key != NULL &&
+            key->state == MLKEM_PRIVATE_KEY_UNINITIALIZED &&
+            (key->rank == MLKEM768_RANK || key->rank == MLKEM1024_RANK));
+}
+static inline int
+private_key_is_valid(const MLKEM_private_key *key)
+{
+        return (key != NULL &&
+            key->state == MLKEM_PRIVATE_KEY_INITIALIZED &&
+            (key->rank == MLKEM768_RANK || key->rank == MLKEM1024_RANK));
+}
+static inline int
+public_key_is_new(const MLKEM_public_key *key)
+{
+        return (key != NULL &&
+            key->state == MLKEM_PUBLIC_KEY_UNINITIALIZED &&
+            (key->rank == MLKEM768_RANK || key->rank == MLKEM1024_RANK));
+}
+static inline int
+public_key_is_valid(const MLKEM_public_key *key)
+{
+        return (key != NULL &&
+            key->state == MLKEM_PUBLIC_KEY_INITIALIZED &&
+            (key->rank == MLKEM768_RANK || key->rank == MLKEM1024_RANK));
+}
+/*
+ * ML-KEM operations
+ */
+int
+MLKEM_generate_key_external_entropy(MLKEM_private_key *private_key,
+    uint8_t **out_encoded_public_key, size_t *out_encoded_public_key_len,
+    const uint8_t *entropy)
+{
+        uint8_t *k = NULL;
+        size_t k_len = 0;
+        int ret = 0;
+        if (*out_encoded_public_key != NULL)
+                goto err;
+        if (!private_key_is_new(private_key))
+                goto err;
+        k_len = MLKEM768_PUBLIC_KEY_BYTES;
+        if (private_key->rank == MLKEM1024_RANK)
+                k_len = MLKEM1024_PUBLIC_KEY_BYTES;
+        if ((k = calloc(1, k_len)) == NULL)
+                goto err;
+        if (!mlkem_generate_key_external_entropy(k, private_key, entropy))
+                goto err;
+        private_key->state = MLKEM_PRIVATE_KEY_INITIALIZED;
+        *out_encoded_public_key = k;
+        *out_encoded_public_key_len = k_len;
+        k = NULL;
+        k_len = 0;
+        ret = 1;
+ err:
+        freezero(k, k_len);
+        return ret;
+}
+int
+MLKEM_generate_key(MLKEM_private_key *private_key,
+    uint8_t **out_encoded_public_key, size_t *out_encoded_public_key_len,
+    uint8_t **out_optional_seed, size_t *out_optional_seed_len)
+{
+        uint8_t *entropy_buf = NULL;
+        int ret = 0;
+        if (*out_encoded_public_key != NULL)
+                goto err;
+        if (out_optional_seed != NULL && *out_optional_seed != NULL)
+                goto err;
+        if ((entropy_buf = calloc(1, MLKEM_SEED_LENGTH)) == NULL)
+                goto err;
+        arc4random_buf(entropy_buf, MLKEM_SEED_LENGTH);
+        if (!MLKEM_generate_key_external_entropy(private_key,
+            out_encoded_public_key, out_encoded_public_key_len,
+            entropy_buf))
+                goto err;
+        if (out_optional_seed != NULL) {
+                *out_optional_seed = entropy_buf;
+                *out_optional_seed_len = MLKEM_SEED_LENGTH;
+                entropy_buf = NULL;
+        }
+        ret = 1;
+ err:
+        freezero(entropy_buf, MLKEM_SEED_LENGTH);
+        return ret;
+}
+LCRYPTO_ALIAS(MLKEM_generate_key);
+int
+MLKEM_private_key_from_seed(MLKEM_private_key *private_key,
+    const uint8_t *seed, size_t seed_len)
+{
+        int ret = 0;
+        if (!private_key_is_new(private_key))
+                goto err;
+        if (seed_len != MLKEM_SEED_LENGTH)
+                goto err;
+        if (!mlkem_private_key_from_seed(seed, seed_len, private_key))
+                goto err;
+        private_key->state = MLKEM_PRIVATE_KEY_INITIALIZED;
+        ret = 1;
+ err:
+        return ret;
+}
+LCRYPTO_ALIAS(MLKEM_private_key_from_seed);
+int
+MLKEM_public_from_private(const MLKEM_private_key *private_key,
+    MLKEM_public_key *public_key)
+{
+        if (!private_key_is_valid(private_key))
+                return 0;
+        if (!public_key_is_new(public_key))
+                return 0;
+        if (public_key->rank != private_key->rank)
+                return 0;
+        mlkem_public_from_private(private_key, public_key);
+        public_key->state = MLKEM_PUBLIC_KEY_INITIALIZED;
+        return 1;
+}
+LCRYPTO_ALIAS(MLKEM_public_from_private);
+int
+MLKEM_encap_external_entropy(const MLKEM_public_key *public_key,
+    const uint8_t *entropy, uint8_t **out_ciphertext,
+    size_t *out_ciphertext_len, uint8_t **out_shared_secret,
+    size_t *out_shared_secret_len)
+{
+        uint8_t *secret = NULL;
+        uint8_t *ciphertext = NULL;
+        size_t ciphertext_len = 0;
+        int ret = 0;
+        if (*out_ciphertext != NULL)
+                goto err;
+        if (*out_shared_secret != NULL)
+                goto err;
+        if (!public_key_is_valid(public_key))
+                goto err;
+        if ((secret = calloc(1, MLKEM_SHARED_SECRET_LENGTH)) == NULL)
+                goto err;
+        ciphertext_len = MLKEM_public_key_ciphertext_length(public_key);
+        if ((ciphertext = calloc(1, ciphertext_len)) == NULL)
+                goto err;
+        mlkem_encap_external_entropy(ciphertext, secret, public_key, entropy);
+        *out_ciphertext = ciphertext;
+        *out_ciphertext_len = ciphertext_len;
+        ciphertext = NULL;
+        *out_shared_secret = secret;
+        *out_shared_secret_len = MLKEM_SHARED_SECRET_LENGTH;
+        secret = NULL;
+        ret = 1;
+ err:
+        freezero(secret, MLKEM_SHARED_SECRET_LENGTH);
+        freezero(ciphertext, ciphertext_len);
+        return ret;
+}
+int
+MLKEM_encap(const MLKEM_public_key *public_key,
+    uint8_t **out_ciphertext, size_t *out_ciphertext_len,
+    uint8_t **out_shared_secret, size_t *out_shared_secret_len)
+{
+        uint8_t entropy[MLKEM_ENCAP_ENTROPY];
+        int ret;
+        arc4random_buf(entropy, sizeof(entropy));
+        ret = MLKEM_encap_external_entropy(public_key, entropy, out_ciphertext,
+            out_ciphertext_len, out_shared_secret, out_shared_secret_len);
+        explicit_bzero(entropy, sizeof(entropy));
+        return ret;
+}
+LCRYPTO_ALIAS(MLKEM_encap);
+int
+MLKEM_decap(const MLKEM_private_key *private_key,
+    const uint8_t *ciphertext, size_t ciphertext_len,
+    uint8_t **out_shared_secret, size_t *out_shared_secret_len)
+{
+        uint8_t *s = NULL;
+        int ret = 0;
+        if (*out_shared_secret != NULL)
+                goto err;
+        if (!private_key_is_valid(private_key))
+                goto err;
+        if (ciphertext_len != MLKEM_private_key_ciphertext_length(private_key))
+                goto err;
+        if ((s = calloc(1, MLKEM_SHARED_SECRET_LENGTH)) == NULL)
+                goto err;
+        mlkem_decap(private_key, ciphertext, ciphertext_len, s);
+        *out_shared_secret = s;
+        *out_shared_secret_len = MLKEM_SHARED_SECRET_LENGTH;
+        s = NULL;
+        ret = 1;
+ err:
+        freezero(s, MLKEM_SHARED_SECRET_LENGTH);
+        return ret;
+}
+LCRYPTO_ALIAS(MLKEM_decap);
+int
+MLKEM_marshal_public_key(const MLKEM_public_key *public_key, uint8_t **out,
+    size_t *out_len)
+{
+        if (*out != NULL)
+                return 0;
+        if (!public_key_is_valid(public_key))
+                return 0;
+        return mlkem_marshal_public_key(public_key, out, out_len);
+}
+LCRYPTO_ALIAS(MLKEM_marshal_public_key);
+/*
+ * Not exposed publicly, because the NIST private key format is gigantisch, and
+ * seeds should be used instead.  Used for the NIST tests.
+ */
+int
+MLKEM_marshal_private_key(const MLKEM_private_key *private_key, uint8_t **out,
+    size_t *out_len)
+{
+        if (*out != NULL)
+                return 0;
+        if (!private_key_is_valid(private_key))
+                return 0;
+        return mlkem_marshal_private_key(private_key, out, out_len);
+}
+LCRYPTO_ALIAS(MLKEM_marshal_private_key);
+int
+MLKEM_parse_public_key(MLKEM_public_key *public_key, const uint8_t *in,
+    size_t in_len)
+{
+        if (!public_key_is_new(public_key))
+                return 0;
+        if (in_len != MLKEM_public_key_encoded_length(public_key))
+                return 0;
+        if (!mlkem_parse_public_key(in, in_len, public_key))
+                return 0;
+        public_key->state = MLKEM_PUBLIC_KEY_INITIALIZED;
+        return 1;
+}
+LCRYPTO_ALIAS(MLKEM_parse_public_key);
+int
+MLKEM_parse_private_key(MLKEM_private_key *private_key, const uint8_t *in,
+    size_t in_len)
+{
+        if (!private_key_is_new(private_key))
+                return 0;
+        if (in_len != MLKEM_private_key_encoded_length(private_key))
+                return 0;
+        if (!mlkem_parse_private_key(in, in_len, private_key))
+                return 0;
+        private_key->state = MLKEM_PRIVATE_KEY_INITIALIZED;
+        return 1;
+}
+LCRYPTO_ALIAS(MLKEM_parse_private_key);
diff --git a/src/lib/libcrypto/mlkem/mlkem.h b/src/lib/libcrypto/mlkem/mlkem.h
index 055d92290e..39572e459d 100644
--- a/src/lib/libcrypto/mlkem/mlkem.h
+++ b/src/lib/libcrypto/mlkem/mlkem.h
@@ -1,6 +1,6 @@
-/*      $OpenBSD: mlkem.h,v 1.5 2025/03/28 12:17:16 tb Exp $ */
+/*      $OpenBSD: mlkem.h,v 1.10 2026/01/16 18:28:04 tb Exp $ */
 /*
- * Copyright (c) 2024, Google Inc.
+ * Copyright (c) 2025 Bob Beck <beck@obtuse.com>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -25,258 +25,209 @@
 extern "C" {
 #endif
-/* Hack for now */
-struct cbs_st;
-struct cbb_st;
 /*
- * ML-KEM-768
+ * ML-KEM constants
- *
- * This implements the Module-Lattice-Based Key-Encapsulation Mechanism from
- * https://csrc.nist.gov/pubs/fips/204/final
 */
-/*
+#define MLKEM768_RANK   3
- * MLKEM768_public_key contains a ML-KEM-768 public key. The contents of this
+#define MLKEM1024_RANK  4
- * object should never leave the address space since the format is unstable.
- */
-struct MLKEM768_public_key {
-        union {
-                uint8_t bytes[512 * (3 + 9) + 32 + 32];
-                uint16_t alignment;
-        } opaque;
-};
 /*
- * MLKEM768_private_key contains a ML-KEM-768 private key. The contents of this
+ * ML-KEM keys
- * object should never leave the address space since the format is unstable.
 */
-struct MLKEM768_private_key {
-        union {
-                uint8_t bytes[512 * (3 + 3 + 9) + 32 + 32 + 32];
-                uint16_t alignment;
-        } opaque;
-};
-/*
+typedef struct MLKEM_private_key_st MLKEM_private_key;
- * MLKEM768_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM768 public
+typedef struct MLKEM_public_key_st MLKEM_public_key;
- * key.
- */
-#define MLKEM768_PUBLIC_KEY_BYTES 1184
-/* MLKEM_SEED_BYTES is the number of bytes in an ML-KEM seed. */
-#define MLKEM_SEED_BYTES 64
 /*
- *  MLKEM_SHARED_SECRET_BYTES is the number of bytes in the ML-KEM768 shared
+ * MLKEM_private_key_new allocates a new uninitialized ML-KEM private key for
- * secret. Although the round-3 specification has a variable-length output, the
+ * |rank|, which must be MLKEM768_RANK or MLKEM1024_RANK. It returns a pointer
- * final ML-KEM construction is expected to use a fixed 32-byte output. To
+ * to an allocated structure suitable for holding a generated private key of the
- * simplify the future transition, we apply the same restriction.
+ * corresponding rank on success, NULL is returned on failure. The caller is
+ * responsible for deallocating the resulting key with |MLKEM_private_key_free|.
 */
-#define MLKEM_SHARED_SECRET_BYTES 32
+MLKEM_private_key *MLKEM_private_key_new(int rank);
 /*
- * MLKEM_generate_key generates a random public/private key pair, writes the
+ * MLKEM_private_key_free zeroes and frees all memory for |key| if |key| is
- * encoded public key to |out_encoded_public_key| and sets |out_private_key| to
+ * non NULL. If |key| is NULL it does nothing and returns.
- * the private key. If |optional_out_seed| is not NULL then the seed used to
- * generate the private key is written to it.
 */
-void MLKEM768_generate_key(
+void MLKEM_private_key_free(MLKEM_private_key *key);
-    uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],
-    uint8_t optional_out_seed[MLKEM_SEED_BYTES],
-    struct MLKEM768_private_key *out_private_key);
 /*
- * MLKEM768_private_key_from_seed derives a private key from a seed that was
+ * MLKEM_private_key_encoded_length the number of bytes used by the encoded form
- * generated by |MLKEM768_generate_key|. It fails and returns 0 if |seed_len| is
+ * of |key|. This corresponds to the length of the buffer allocated for the
- * incorrect, otherwise it writes |*out_private_key| and returns 1.
+ * encoded_public_key from |MLKEM_marshal_private_key|. Zero is returned if
+ * |key| is NULL or has an invalid rank.
 */
-int MLKEM768_private_key_from_seed(struct MLKEM768_private_key *out_private_key,
+size_t MLKEM_private_key_encoded_length(const MLKEM_private_key *key);
-    const uint8_t *seed, size_t seed_len);
 /*
- * MLKEM_public_from_private sets |*out_public_key| to the public key that
+ * MLKEM_private_key_ciphertext_length returns the number of bytes of ciphertext
- * corresponds to |private_key|. (This is faster than parsing the output of
+ * required to decrypt a shared secret with |key| using |MLKEM_decap|. Zero is
- * |MLKEM_generate_key| if, for some reason, you need to encapsulate to a key
+ * returned if |key| is NULL or has an invalid rank.
- * that was just generated.)
 */
-void MLKEM768_public_from_private(struct MLKEM768_public_key *out_public_key,
+size_t MLKEM_private_key_ciphertext_length(const MLKEM_private_key *key);
-    const struct MLKEM768_private_key *private_key);
-/* MLKEM768_CIPHERTEXT_BYTES is number of bytes in the ML-KEM768 ciphertext. */
-#define MLKEM768_CIPHERTEXT_BYTES 1088
 /*
- * MLKEM768_encap encrypts a random shared secret for |public_key|, writes the
+ * MLKEM_public_key_new allocates a new uninitialized ML-KEM public key for
- * ciphertext to |out_ciphertext|, and writes the random shared secret to
+ * |rank|, which must be MLKEM768_RANK or MLKEM1024_RANK. It returns a pointer
- * |out_shared_secret|.
+ * to an allocated structure suitable for holding a generated public key of the
+ * corresponding rank on success, NULL is returned on failure. The caller is
+ * responsible for deallocating the resulting key with |MLKEM_public_key_free|.
 */
-void MLKEM768_encap(uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
+MLKEM_public_key *MLKEM_public_key_new(int rank);
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const struct MLKEM768_public_key *public_key);
 /*
- * MLKEM768_decap decrypts a shared secret from |ciphertext| using |private_key|
+ * MLKEM_public_key_free zeros and deallocates all memory for |key| if |key| is
- * and writes it to |out_shared_secret|. If |ciphertext_len| is incorrect it
+ * non NULL. If |key| is NULL it does nothing and returns.
- * returns 0, otherwise it rreturns 1. If |ciphertext| is invalid,
- * |out_shared_secret| is filled with a key that will always be the same for the
- * same |ciphertext| and |private_key|, but which appears to be random unless
- * one has access to |private_key|. These alternatives occur in constant time.
- * Any subsequent symmetric encryption using |out_shared_secret| must use an
- * authenticated encryption scheme in order to discover the decapsulation
- * failure.
 */
-int MLKEM768_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+void MLKEM_public_key_free(MLKEM_public_key *key);
-    const uint8_t *ciphertext, size_t ciphertext_len,
-    const struct MLKEM768_private_key *private_key);
-/* Serialisation of keys. */
 /*
- * MLKEM768_marshal_public_key serializes |public_key| to |out| in the standard
+ * MLKEM_public_key_encoded_length the number of bytes used by the encoded form
- * format for ML-KEM public keys. It returns one on success or zero on allocation
+ * of |key|. This corresponds to the length of the buffer allocated for the
- * error.
+ * encoded_public_key from |MLKEM_generate_key| or |MLKEM_marshal_public_key|.
+ * Zero is returned if |key| is NULL or has an invalid rank.
 */
-int MLKEM768_marshal_public_key(struct cbb_st *out,
+size_t MLKEM_public_key_encoded_length(const MLKEM_public_key *key);
-    const struct MLKEM768_public_key *public_key);
 /*
- * MLKEM768_parse_public_key parses a public key, in the format generated by
+ * MLKEM_public_key_cipertext_length returns the number of bytes produced as the
- * |MLKEM_marshal_public_key|, from |in| and writes the result to
+ * ciphertext when encrypting a shared secret with |key| using |MLKEM_encap|.
- * |out_public_key|. It returns one on success or zero on parse error or if
+ * Zero is returned if |key| is NULL or has an invalid rank.
- * there are trailing bytes in |in|.
 */
-int MLKEM768_parse_public_key(struct MLKEM768_public_key *out_public_key,
+size_t MLKEM_public_key_ciphertext_length(const MLKEM_public_key *key);
-    struct cbs_st *in);
 /*
- * MLKEM_parse_private_key parses a private key, in the format generated by
+ * ML-KEM operations
- * |MLKEM_marshal_private_key|, from |in| and writes the result to
- * |out_private_key|. It returns one on success or zero on parse error or if
- * there are trailing bytes in |in|. This formate is verbose and should be avoided.
- * Private keys should be stored as seeds and parsed using |MLKEM768_private_key_from_seed|.
 */
-int MLKEM768_parse_private_key(struct MLKEM768_private_key *out_private_key,
-    struct cbs_st *in);
 /*
- * ML-KEM-1024
+ * MLKEM_generate_key generates a random private/public key pair, initializing
+ * |private_key|. It returns one on success, and zero on failure or error.
+ * |private_key| must be a new uninitialized key. |*out_encoded_public_key| and
+ * |*out_optional_seed|, if provided, must have the value of NULL. On success, a
+ * pointer to the encoded public key of the correct size for |key| is returned
+ * in |out_encoded_public_key|, and the length in bytes of
+ * |*out_encoded_public_key| is returned in |out_encoded_public_key_len|. If
+ * |out_optional_seed| is not NULL, a pointer to the seed used to generate the
+ * private key is returned in |*out_optional_seed| and the length in bytes of
+ * the seed is returned in |*out_optional_seed_len|. The caller is responsible
+ * for freeing the values returned in |out_encoded_public_key|, and
+ * |out_optional_seed|.
 *
- * ML-KEM-1024 also exists. You should prefer ML-KEM-768 where possible.
+ * In the event a private key needs to be saved, The normal best practice is to
- */
+ * save |out_optional_seed| as the private key, along with the ML-KEM rank value.
+ * An MLKEM_private_key of the correct rank can then be constructed using
-/*
+ * |MLKEM_private_key_from_seed|.
- * MLKEM1024_public_key contains an ML-KEM-1024 public key. The contents of this
- * object should never leave the address space since the format is unstable.
 */
-struct MLKEM1024_public_key {
+int MLKEM_generate_key(MLKEM_private_key *private_key,
-        union {
+    uint8_t **out_encoded_public_key, size_t *out_encoded_public_key_len,
-                uint8_t bytes[512 * (4 + 16) + 32 + 32];
+    uint8_t **out_optional_seed, size_t *out_optional_seed_len);
-                uint16_t alignment;
-        } opaque;
-};
 /*
- * MLKEM1024_private_key contains a ML-KEM-1024 private key. The contents of
+ * MLKEM_private_key_from_seed derives a private key from a seed that was
- * this object should never leave the address space since the format is
+ * generated by |MLKEM_generate_key| initializing |private_key|. It returns one
- * unstable.
+ * on success, and zero on failure or error. |private_key| must be a new
- */
+ * uninitialized key. |seed_len| must be MLKEM_SEED_LENGTH.
-struct MLKEM1024_private_key {
+ *
-        union {
+ * For |private_key| to match the key generated by |MLKEM_generate_key|,
-                uint8_t bytes[512 * (4 + 4 + 16) + 32 + 32 + 32];
+ * |private_key| must have been created with the same rank as used when generating
-                uint16_t alignment;
+ * the key.
-        } opaque;
-};
-/*
- * MLKEM1024_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-1024
- * public key.
 */
-#define MLKEM1024_PUBLIC_KEY_BYTES 1568
+int MLKEM_private_key_from_seed(MLKEM_private_key *private_key,
+    const uint8_t *seed, size_t seed_len);
 /*
- * MLKEM1024_generate_key generates a random public/private key pair, writes the
+ * MLKEM_public_from_private initializes |public_key| with the public key that
- * encoded public key to |out_encoded_public_key| and sets |out_private_key| to
+ * corresponds to |private_key|. It returns one on success and zero on
- * the private key. If |optional_out_seed| is not NULL then the seed used to
+ * error. This is faster than parsing the output of |MLKEM_generate_key| if, for
- * generate the private key is written to it.
+ * some reason, you need to encapsulate to a key that was just
+ * generated. |private key| must be a new uninitialized key, of the same rank as
+ * |public_key|.
 */
-void MLKEM1024_generate_key(
+int MLKEM_public_from_private(const MLKEM_private_key *private_key,
-    uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
+    MLKEM_public_key *public_key);
-    uint8_t optional_out_seed[MLKEM_SEED_BYTES],
-    struct MLKEM1024_private_key *out_private_key);
 /*
- * MLKEM1024_private_key_from_seed derives a private key from a seed that was
+ * MLKEM_encap encrypts a random shared secret for an initialized
- * generated by |MLKEM1024_generate_key|. It fails and returns 0 if |seed_len|
+ * |public_key|. It returns one on success, and zero on failure or error. |*out
- * is incorrect, otherwise it writes |*out_private_key| and returns 1.
+ * ciphertext| and |*out_shared_secret| must have the value NULL. On success, a
+ * pointer to the ciphertext of the correct size for |key| is returned in
+ * |out_ciphertext|, the length in bytes of |*out_ciphertext| is returned in
+ * |*out_ciphertext_len|, a pointer to the random shared secret is returned in
+ * |out_shared_secret|, and the length in bytes of |*out_shared_secret| is
+ * returned in |*out_ciphtertext_len|. The caller is responsible for zeroing and
+ * freeing the values returned in |out_ciphertext| and |out_shared_secret|
 */
-int MLKEM1024_private_key_from_seed(
+int MLKEM_encap(const MLKEM_public_key *public_key,
-    struct MLKEM1024_private_key *out_private_key, const uint8_t *seed,
+    uint8_t **out_ciphertext, size_t *out_ciphertext_len,
-    size_t seed_len);
+    uint8_t **out_shared_secret, size_t *out_shared_secret_len);
 /*
- * MLKEM1024_public_from_private sets |*out_public_key| to the public key that
+ * MLKEM_decap decrypts a shared secret from |ciphertext| using an initialized
- * corresponds to |private_key|. (This is faster than parsing the output of
+ * |private_key|. It returns a pointer to the shared secret|out_shared_secret|
- * |MLKEM1024_generate_key| if, for some reason, you need to encapsulate to a
+ * and the length in bytes of |*out_shared_secret| in |*out_shared_secret_len|.
- * key that was just generated.)
+ *
+ * If |ciphertext_len| is incorrect for |private_key|, |*out_shared_secret| is
+ * not NULL, or memory can not be allocated, it returns zero, otherwise it
+ * returns one. If |ciphertext| is invalid, a pointer is returned in
+ * |out_shared_secret| pointing to a key that will always be the same for the
+ * same |ciphertext| and |private_key|, but which appears to be random unless
+ * one has access to |private_key|. These alternatives occur in constant time.
+ * Any subsequent symmetric encryption using |out_shared_secret| must use an
+ * authenticated encryption scheme in order to discover the decapsulation
+ * failure. The caller is responsible for zeroing and freeing the value returned
+ * in |out_shared_secret|.
 */
-void MLKEM1024_public_from_private(struct MLKEM1024_public_key *out_public_key,
+int MLKEM_decap(const MLKEM_private_key *private_key,
-    const struct MLKEM1024_private_key *private_key);
+    const uint8_t *ciphertext, size_t ciphertext_len,
+    uint8_t **out_shared_secret, size_t *out_shared_secret_len);
-/* MLKEM1024_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-1024 ciphertext. */
+/* Serialization of ML-KEM keys. */
-#define MLKEM1024_CIPHERTEXT_BYTES 1568
 /*
- * MLKEM1024_encap encrypts a random shared secret for |public_key|, writes the
+ * MLKEM_marshal_public_key serializes an initialized |public_key| in the
- * ciphertext to |out_ciphertext|, and writes the random shared secret to
+ * standard format for ML-KEM public keys. It returns one on success or zero on
- * |out_shared_secret|.
+ * allocation error or failure. |*out| must have the value NULL. On success a
+ * pointer is returned in |out| to the encoded public key matching |public_key|,
+ * and a pointer to the length in bytes of the encoded public key is stored in
+ * |out_len|. The caller is responsible for freeing the values returned in
+ * |out|.
 */
-void MLKEM1024_encap(uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
+int MLKEM_marshal_public_key(const MLKEM_public_key *public_key, uint8_t **out,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+    size_t *out_len);
-    const struct MLKEM1024_public_key *public_key);
 /*
- * MLKEM1024_decap decrypts a shared secret from |ciphertext| using
+ * MLKEM_parse_public_key parses a public key, in the format generated by
- * |private_key| and writes it to |out_shared_secret|. If |ciphertext_len| is
+ * |MLKEM_marshal_public_key|, from |in|. It returns one on success or zero on
- * incorrect it returns 0, otherwise it returns 1. If |ciphertext| is invalid
+ * error or failure. |public_key| must be a new uninitialized key. |in_len| must
- * (but of the correct length), |out_shared_secret| is filled with a key that
+ * be the correct length for the encoded format of |public_key. On success
- * will always be the same for the same |ciphertext| and |private_key|, but
+ * |public_key| is initialized to the value parsed from |in|.
- * which appears to be random unless one has access to |private_key|. These
- * alternatives occur in constant time. Any subsequent symmetric encryption
- * using |out_shared_secret| must use an authenticated encryption scheme in
- * order to discover the decapsulation failure.
 */
-int MLKEM1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+int MLKEM_parse_public_key(MLKEM_public_key *public_key, const uint8_t *in,
-    const uint8_t *ciphertext, size_t ciphertext_len,
+    size_t in_len);
-    const struct MLKEM1024_private_key *private_key);
 /*
- * Serialisation of ML-KEM-1024 keys.
+ * Marshals a private key to encoded format, used for NIST tests.
- * MLKEM1024_marshal_public_key serializes |public_key| to |out| in the standard
- * format for ML-KEM-1024 public keys. It returns one on success or zero on
- * allocation error.
 */
-int MLKEM1024_marshal_public_key(struct cbb_st *out,
+int MLKEM_marshal_private_key(const MLKEM_private_key *private_key,
-    const struct MLKEM1024_public_key *public_key);
+    uint8_t **out, size_t *out_len);
 /*
- * MLKEM1024_parse_public_key parses a public key, in the format generated by
+ * MLKEM_parse_private_key parses a private key, in the format generated by
- * |MLKEM1024_marshal_public_key|, from |in| and writes the result to
+ * |MLKEM_marshal_private_key|, from |in|. It returns one on success or zero on
- * |out_public_key|. It returns one on success or zero on parse error or if
+ * error or failure. |private_key| must be a new uninitialized key. |in_len|
- * there are trailing bytes in |in|.
+ * must be the correct length for the encoded format of |private_key. On success
- */
+ * |private_key| is initialized to the value parsed from |in|.
-int MLKEM1024_parse_public_key(struct MLKEM1024_public_key *out_public_key,
+ *
-    struct cbs_st *in);
+ * This format is wastefully verbose and should be avoided. Private keys should
+ * be stored as seeds from |MLKEM_generate_key|, and then parsed using
-/*
+ * |MLKEM_private_key_from_seed|.
- * MLKEM1024_parse_private_key parses a private key, in NIST's format for
- * private keys, from |in| and writes the result to |out_private_key|. It
- * returns one on success or zero on parse error or if there are trailing bytes
- * in |in|. This format is verbose and should be avoided. Private keys should be
- * stored as seeds and parsed using |MLKEM1024_private_key_from_seed|.
 */
-int MLKEM1024_parse_private_key(struct MLKEM1024_private_key *out_private_key,
+int MLKEM_parse_private_key(MLKEM_private_key *private_key, const uint8_t *in,
-    struct cbs_st *in);
+    size_t in_len);
 #if defined(__cplusplus)
 }
diff --git a/src/lib/libcrypto/mlkem/mlkem768.c b/src/lib/libcrypto/mlkem/mlkem768.c
deleted file mode 100644
index bacde0c0b7..0000000000
--- a/src/lib/libcrypto/mlkem/mlkem768.c
+++ /dev/null
@@ -1,1138 +0,0 @@
-/* $OpenBSD: mlkem768.c,v 1.7 2025/01/03 08:19:24 tb Exp $ */
-/*
- * Copyright (c) 2024, Google Inc.
- * Copyright (c) 2024, Bob Beck <beck@obtuse.com>
- *
- * Permission to use, copy, modify, and/or distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <assert.h>
-#include <stdlib.h>
-#include <string.h>
-#include "bytestring.h"
-#include "mlkem.h"
-#include "sha3_internal.h"
-#include "mlkem_internal.h"
-#include "constant_time.h"
-#include "crypto_internal.h"
-/* Remove later */
-#undef LCRYPTO_ALIAS
-#define LCRYPTO_ALIAS(A)
-/*
- * See
- * https://csrc.nist.gov/pubs/fips/203/final
- */
-static void
-prf(uint8_t *out, size_t out_len, const uint8_t in[33])
-{
-        sha3_ctx ctx;
-        shake256_init(&ctx);
-        shake_update(&ctx, in, 33);
-        shake_xof(&ctx);
-        shake_out(&ctx, out, out_len);
-}
-/* Section 4.1 */
-static void
-hash_h(uint8_t out[32], const uint8_t *in, size_t len)
-{
-        sha3_ctx ctx;
-        sha3_init(&ctx, 32);
-        sha3_update(&ctx, in, len);
-        sha3_final(out, &ctx);
-}
-static void
-hash_g(uint8_t out[64], const uint8_t *in, size_t len)
-{
-        sha3_ctx ctx;
-        sha3_init(&ctx, 64);
-        sha3_update(&ctx, in, len);
-        sha3_final(out, &ctx);
-}
-/* this is called 'J' in the spec */
-static void
-kdf(uint8_t out[MLKEM_SHARED_SECRET_BYTES], const uint8_t failure_secret[32],
-    const uint8_t *in, size_t len)
-{
-        sha3_ctx ctx;
-        shake256_init(&ctx);
-        shake_update(&ctx, failure_secret, 32);
-        shake_update(&ctx, in, len);
-        shake_xof(&ctx);
-        shake_out(&ctx, out, MLKEM_SHARED_SECRET_BYTES);
-}
-#define DEGREE 256
-#define RANK768 3
-static const size_t kBarrettMultiplier = 5039;
-static const unsigned kBarrettShift = 24;
-static const uint16_t kPrime = 3329;
-static const int kLog2Prime = 12;
-static const uint16_t kHalfPrime = (/*kPrime=*/3329 - 1) / 2;
-static const int kDU768 = 10;
-static const int kDV768 = 4;
-/*
- * kInverseDegree is 128^-1 mod 3329; 128 because kPrime does not have a 512th
- * root of unity.
- */
-static const uint16_t kInverseDegree = 3303;
-static const size_t kEncodedVectorSize =
-    (/*kLog2Prime=*/12 * DEGREE / 8) * RANK768;
-static const size_t kCompressedVectorSize = /*kDU768=*/ 10 * RANK768 * DEGREE /
-    8;
-typedef struct scalar {
-        /* On every function entry and exit, 0 <= c < kPrime. */
-        uint16_t c[DEGREE];
-} scalar;
-typedef struct vector {
-        scalar v[RANK768];
-} vector;
-typedef struct matrix {
-        scalar v[RANK768][RANK768];
-} matrix;
-/*
- * This bit of Python will be referenced in some of the following comments:
- *
- *  p = 3329
- *
- * def bitreverse(i):
- *     ret = 0
- *     for n in range(7):
- *         bit = i & 1
- *         ret <<= 1
- *         ret |= bit
- *         i >>= 1
- *     return ret
- */
-/* kNTTRoots = [pow(17, bitreverse(i), p) for i in range(128)] */
-static const uint16_t kNTTRoots[128] = {
-        1,    1729, 2580, 3289, 2642, 630,  1897, 848,  1062, 1919, 193,  797,
-        2786, 3260, 569,  1746, 296,  2447, 1339, 1476, 3046, 56,   2240, 1333,
-        1426, 2094, 535,  2882, 2393, 2879, 1974, 821,  289,  331,  3253, 1756,
-        1197, 2304, 2277, 2055, 650,  1977, 2513, 632,  2865, 33,   1320, 1915,
-        2319, 1435, 807,  452,  1438, 2868, 1534, 2402, 2647, 2617, 1481, 648,
-        2474, 3110, 1227, 910,  17,   2761, 583,  2649, 1637, 723,  2288, 1100,
-        1409, 2662, 3281, 233,  756,  2156, 3015, 3050, 1703, 1651, 2789, 1789,
-        1847, 952,  1461, 2687, 939,  2308, 2437, 2388, 733,  2337, 268,  641,
-        1584, 2298, 2037, 3220, 375,  2549, 2090, 1645, 1063, 319,  2773, 757,
-        2099, 561,  2466, 2594, 2804, 1092, 403,  1026, 1143, 2150, 2775, 886,
-        1722, 1212, 1874, 1029, 2110, 2935, 885,  2154,
-};
-/* kInverseNTTRoots = [pow(17, -bitreverse(i), p) for i in range(128)] */
-static const uint16_t kInverseNTTRoots[128] = {
-        1,    1600, 40,   749,  2481, 1432, 2699, 687,  1583, 2760, 69,   543,
-        2532, 3136, 1410, 2267, 2508, 1355, 450,  936,  447,  2794, 1235, 1903,
-        1996, 1089, 3273, 283,  1853, 1990, 882,  3033, 2419, 2102, 219,  855,
-        2681, 1848, 712,  682,  927,  1795, 461,  1891, 2877, 2522, 1894, 1010,
-        1414, 2009, 3296, 464,  2697, 816,  1352, 2679, 1274, 1052, 1025, 2132,
-        1573, 76,   2998, 3040, 1175, 2444, 394,  1219, 2300, 1455, 2117, 1607,
-        2443, 554,  1179, 2186, 2303, 2926, 2237, 525,  735,  863,  2768, 1230,
-        2572, 556,  3010, 2266, 1684, 1239, 780,  2954, 109,  1292, 1031, 1745,
-        2688, 3061, 992,  2596, 941,  892,  1021, 2390, 642,  1868, 2377, 1482,
-        1540, 540,  1678, 1626, 279,  314,  1173, 2573, 3096, 48,   667,  1920,
-        2229, 1041, 2606, 1692, 680,  2746, 568,  3312,
-};
-/* kModRoots = [pow(17, 2*bitreverse(i) + 1, p) for i in range(128)] */
-static const uint16_t kModRoots[128] = {
-        17,   3312, 2761, 568,  583,  2746, 2649, 680,  1637, 1692, 723,  2606,
-        2288, 1041, 1100, 2229, 1409, 1920, 2662, 667,  3281, 48,   233,  3096,
-        756,  2573, 2156, 1173, 3015, 314,  3050, 279,  1703, 1626, 1651, 1678,
-        2789, 540,  1789, 1540, 1847, 1482, 952,  2377, 1461, 1868, 2687, 642,
-        939,  2390, 2308, 1021, 2437, 892,  2388, 941,  733,  2596, 2337, 992,
-        268,  3061, 641,  2688, 1584, 1745, 2298, 1031, 2037, 1292, 3220, 109,
-        375,  2954, 2549, 780,  2090, 1239, 1645, 1684, 1063, 2266, 319,  3010,
-        2773, 556,  757,  2572, 2099, 1230, 561,  2768, 2466, 863,  2594, 735,
-        2804, 525,  1092, 2237, 403,  2926, 1026, 2303, 1143, 2186, 2150, 1179,
-        2775, 554,  886,  2443, 1722, 1607, 1212, 2117, 1874, 1455, 1029, 2300,
-        2110, 1219, 2935, 394,  885,  2444, 2154, 1175,
-};
-/* reduce_once reduces 0 <= x < 2*kPrime, mod kPrime. */
-static uint16_t
-reduce_once(uint16_t x)
-{
-        assert(x < 2 * kPrime);
-        const uint16_t subtracted = x - kPrime;
-        uint16_t mask = 0u - (subtracted >> 15);
-        /*
-         * Although this is a constant-time select, we omit a value barrier here.
-         * Value barriers impede auto-vectorization (likely because it forces the
-         * value to transit through a general-purpose register). On AArch64, this
-         * is a difference of 2x.
-         *
-         * We usually add value barriers to selects because Clang turns
-         * consecutive selects with the same condition into a branch instead of
-         * CMOV/CSEL. This condition does not occur in ML-KEM, so omitting it
-         * seems to be safe so far  but see
-         * |scalar_centered_binomial_distribution_eta_2_with_prf|.
-         */
-        return (mask & x) | (~mask & subtracted);
-}
-/*
- * constant time reduce x mod kPrime using Barrett reduction. x must be less
- * than kPrime + 2×kPrime².
- */
-static uint16_t
-reduce(uint32_t x)
-{
-        uint64_t product = (uint64_t)x * kBarrettMultiplier;
-        uint32_t quotient = (uint32_t)(product >> kBarrettShift);
-        uint32_t remainder = x - quotient * kPrime;
-        assert(x < kPrime + 2u * kPrime * kPrime);
-        return reduce_once(remainder);
-}
-static void
-scalar_zero(scalar *out)
-{
-        memset(out, 0, sizeof(*out));
-}
-static void
-vector_zero(vector *out)
-{
-        memset(out, 0, sizeof(*out));
-}
-/*
- * In place number theoretic transform of a given scalar.
- * Note that MLKEM's kPrime 3329 does not have a 512th root of unity, so this
- * transform leaves off the last iteration of the usual FFT code, with the 128
- * relevant roots of unity being stored in |kNTTRoots|. This means the output
- * should be seen as 128 elements in GF(3329^2), with the coefficients of the
- * elements being consecutive entries in |s->c|.
- */
-static void
-scalar_ntt(scalar *s)
-{
-        int offset = DEGREE;
-        int step;
-        /*
-         * `int` is used here because using `size_t` throughout caused a ~5% slowdown
-         * with Clang 14 on Aarch64.
-         */
-        for (step = 1; step < DEGREE / 2; step <<= 1) {
-                int i, j, k = 0;
-                offset >>= 1;
-                for (i = 0; i < step; i++) {
-                        const uint32_t step_root = kNTTRoots[i + step];
-                        for (j = k; j < k + offset; j++) {
-                                uint16_t odd, even;
-                                odd = reduce(step_root * s->c[j + offset]);
-                                even = s->c[j];
-                                s->c[j] = reduce_once(odd + even);
-                                s->c[j + offset] = reduce_once(even - odd +
-                                    kPrime);
-                        }
-                        k += 2 * offset;
-                }
-        }
-}
-static void
-vector_ntt(vector *a)
-{
-        int i;
-        for (i = 0; i < RANK768; i++) {
-                scalar_ntt(&a->v[i]);
-        }
-}
-/*
- * In place inverse number theoretic transform of a given scalar, with pairs of
- * entries of s->v being interpreted as elements of GF(3329^2). Just as with the
- * number theoretic transform, this leaves off the first step of the normal iFFT
- * to account for the fact that 3329 does not have a 512th root of unity, using
- * the precomputed 128 roots of unity stored in |kInverseNTTRoots|.
- */
-static void
-scalar_inverse_ntt(scalar *s)
-{
-        int i, j, k, offset, step = DEGREE / 2;
-        /*
-         * `int` is used here because using `size_t` throughout caused a ~5% slowdown
-         * with Clang 14 on Aarch64.
-         */
-        for (offset = 2; offset < DEGREE; offset <<= 1) {
-                step >>= 1;
-                k = 0;
-                for (i = 0; i < step; i++) {
-                        uint32_t step_root = kInverseNTTRoots[i + step];
-                        for (j = k; j < k + offset; j++) {
-                                uint16_t odd, even;
-                                odd = s->c[j + offset];
-                                even = s->c[j];
-                                s->c[j] = reduce_once(odd + even);
-                                s->c[j + offset] = reduce(step_root *
-                                    (even - odd + kPrime));
-                        }
-                        k += 2 * offset;
-                }
-        }
-        for (i = 0; i < DEGREE; i++) {
-                s->c[i] = reduce(s->c[i] * kInverseDegree);
-        }
-}
-static void
-vector_inverse_ntt(vector *a)
-{
-        int i;
-        for (i = 0; i < RANK768; i++) {
-                scalar_inverse_ntt(&a->v[i]);
-        }
-}
-static void
-scalar_add(scalar *lhs, const scalar *rhs)
-{
-        int i;
-        for (i = 0; i < DEGREE; i++) {
-                lhs->c[i] = reduce_once(lhs->c[i] + rhs->c[i]);
-        }
-}
-static void
-scalar_sub(scalar *lhs, const scalar *rhs)
-{
-        int i;
-        for (i = 0; i < DEGREE; i++) {
-                lhs->c[i] = reduce_once(lhs->c[i] - rhs->c[i] + kPrime);
-        }
-}
-/*
- * Multiplying two scalars in the number theoretically transformed state.
- * Since 3329 does not have a 512th root of unity, this means we have to
- * interpret the 2*ith and (2*i+1)th entries of the scalar as elements of
- * GF(3329)[X]/(X^2 - 17^(2*bitreverse(i)+1)).
- * The value of 17^(2*bitreverse(i)+1) mod 3329 is stored in the precomputed
- * |kModRoots| table. Our Barrett transform only allows us to multiply two
- * reduced numbers together, so we need some intermediate reduction steps,
- * even if an uint64_t could hold 3 multiplied numbers.
- */
-static void
-scalar_mult(scalar *out, const scalar *lhs, const scalar *rhs)
-{
-        int i;
-        for (i = 0; i < DEGREE / 2; i++) {
-                uint32_t real_real = (uint32_t)lhs->c[2 * i] * rhs->c[2 * i];
-                uint32_t img_img = (uint32_t)lhs->c[2 * i + 1] *
-                    rhs->c[2 * i + 1];
-                uint32_t real_img = (uint32_t)lhs->c[2 * i] * rhs->c[2 * i + 1];
-                uint32_t img_real = (uint32_t)lhs->c[2 * i + 1] * rhs->c[2 * i];
-                out->c[2 * i] =
-                    reduce(real_real +
-                    (uint32_t)reduce(img_img) * kModRoots[i]);
-                out->c[2 * i + 1] = reduce(img_real + real_img);
-        }
-}
-static void
-vector_add(vector *lhs, const vector *rhs)
-{
-        int i;
-        for (i = 0; i < RANK768; i++) {
-                scalar_add(&lhs->v[i], &rhs->v[i]);
-        }
-}
-static void
-matrix_mult(vector *out, const matrix *m, const vector *a)
-{
-        int i, j;
-        vector_zero(out);
-        for (i = 0; i < RANK768; i++) {
-                for (j = 0; j < RANK768; j++) {
-                        scalar product;
-                        scalar_mult(&product, &m->v[i][j], &a->v[j]);
-                        scalar_add(&out->v[i], &product);
-                }
-        }
-}
-static void
-matrix_mult_transpose(vector *out, const matrix *m,
-    const vector *a)
-{
-        int i, j;
-        vector_zero(out);
-        for (i = 0; i < RANK768; i++) {
-                for (j = 0; j < RANK768; j++) {
-                        scalar product;
-                        scalar_mult(&product, &m->v[j][i], &a->v[j]);
-                        scalar_add(&out->v[i], &product);
-                }
-        }
-}
-static void
-scalar_inner_product(scalar *out, const vector *lhs,
-    const vector *rhs)
-{
-        int i;
-        scalar_zero(out);
-        for (i = 0; i < RANK768; i++) {
-                scalar product;
-                scalar_mult(&product, &lhs->v[i], &rhs->v[i]);
-                scalar_add(out, &product);
-        }
-}
-/*
- * Algorithm 6 of spec. Rejection samples a Keccak stream to get uniformly
- * distributed elements. This is used for matrix expansion and only operates on
- * public inputs.
- */
-static void
-scalar_from_keccak_vartime(scalar *out, sha3_ctx *keccak_ctx)
-{
-        int i, done = 0;
-        while (done < DEGREE) {
-                uint8_t block[168];
-                shake_out(keccak_ctx, block, sizeof(block));
-                for (i = 0; i < sizeof(block) && done < DEGREE; i += 3) {
-                        uint16_t d1 = block[i] + 256 * (block[i + 1] % 16);
-                        uint16_t d2 = block[i + 1] / 16 + 16 * block[i + 2];
-                        if (d1 < kPrime) {
-                                out->c[done++] = d1;
-                        }
-                        if (d2 < kPrime && done < DEGREE) {
-                                out->c[done++] = d2;
-                        }
-                }
-        }
-}
-/*
- * Algorithm 7 of the spec, with eta fixed to two and the PRF call
- * included. Creates binominally distributed elements by sampling 2*|eta| bits,
- * and setting the coefficient to the count of the first bits minus the count of
- * the second bits, resulting in a centered binomial distribution. Since eta is
- * two this gives -2/2 with a probability of 1/16, -1/1 with probability 1/4,
- * and 0 with probability 3/8.
- */
-static void
-scalar_centered_binomial_distribution_eta_2_with_prf(scalar *out,
-    const uint8_t input[33])
-{
-        uint8_t entropy[128];
-        int i;
-        CTASSERT(sizeof(entropy) == 2 * /*kEta=*/ 2 * DEGREE / 8);
-        prf(entropy, sizeof(entropy), input);
-        for (i = 0; i < DEGREE; i += 2) {
-                uint8_t byte = entropy[i / 2];
-                uint16_t mask;
-                uint16_t value = (byte & 1) + ((byte >> 1) & 1);
-                value -= ((byte >> 2) & 1) + ((byte >> 3) & 1);
-                /*
-                 * Add |kPrime| if |value| underflowed. See |reduce_once| for a
-                 * discussion on why the value barrier is omitted. While this
-                 * could have been written reduce_once(value + kPrime), this is
-                 * one extra addition and small range of |value| tempts some
-                 * versions of Clang to emit a branch.
-                 */
-                mask = 0u - (value >> 15);
-                out->c[i] = ((value + kPrime) & mask) | (value & ~mask);
-                byte >>= 4;
-                value = (byte & 1) + ((byte >> 1) & 1);
-                value -= ((byte >> 2) & 1) + ((byte >> 3) & 1);
-                /*  See above. */
-                mask = 0u - (value >> 15);
-                out->c[i + 1] = ((value + kPrime) & mask) | (value & ~mask);
-        }
-}
-/*
- * Generates a secret vector by using
- * |scalar_centered_binomial_distribution_eta_2_with_prf|, using the given seed
- * appending and incrementing |counter| for entry of the vector.
- */
-static void
-vector_generate_secret_eta_2(vector *out, uint8_t *counter,
-    const uint8_t seed[32])
-{
-        uint8_t input[33];
-        int i;
-        memcpy(input, seed, 32);
-        for (i = 0; i < RANK768; i++) {
-                input[32] = (*counter)++;
-                scalar_centered_binomial_distribution_eta_2_with_prf(&out->v[i],
-                    input);
-        }
-}
-/* Expands the matrix of a seed for key generation and for encaps-CPA. */
-static void
-matrix_expand(matrix *out, const uint8_t rho[32])
-{
-        uint8_t input[34];
-        int i, j;
-        memcpy(input, rho, 32);
-        for (i = 0; i < RANK768; i++) {
-                for (j = 0; j < RANK768; j++) {
-                        sha3_ctx keccak_ctx;
-                        input[32] = i;
-                        input[33] = j;
-                        shake128_init(&keccak_ctx);
-                        shake_update(&keccak_ctx, input, sizeof(input));
-                        shake_xof(&keccak_ctx);
-                        scalar_from_keccak_vartime(&out->v[i][j], &keccak_ctx);
-                }
-        }
-}
-static const uint8_t kMasks[8] = {0x01, 0x03, 0x07, 0x0f,
-        0x1f, 0x3f, 0x7f, 0xff};
-static void
-scalar_encode(uint8_t *out, const scalar *s, int bits)
-{
-        uint8_t out_byte = 0;
-        int i, out_byte_bits = 0;
-        assert(bits <= (int)sizeof(*s->c) * 8 && bits != 1);
-        for (i = 0; i < DEGREE; i++) {
-                uint16_t element = s->c[i];
-                int element_bits_done = 0;
-                while (element_bits_done < bits) {
-                        int chunk_bits = bits - element_bits_done;
-                        int out_bits_remaining = 8 - out_byte_bits;
-                        if (chunk_bits >= out_bits_remaining) {
-                                chunk_bits = out_bits_remaining;
-                                out_byte |= (element &
-                                    kMasks[chunk_bits - 1]) << out_byte_bits;
-                                *out = out_byte;
-                                out++;
-                                out_byte_bits = 0;
-                                out_byte = 0;
-                        } else {
-                                out_byte |= (element &
-                                    kMasks[chunk_bits - 1]) << out_byte_bits;
-                                out_byte_bits += chunk_bits;
-                        }
-                        element_bits_done += chunk_bits;
-                        element >>= chunk_bits;
-                }
-        }
-        if (out_byte_bits > 0) {
-                *out = out_byte;
-        }
-}
-/* scalar_encode_1 is |scalar_encode| specialised for |bits| == 1. */
-static void
-scalar_encode_1(uint8_t out[32], const scalar *s)
-{
-        int i, j;
-        for (i = 0; i < DEGREE; i += 8) {
-                uint8_t out_byte = 0;
-                for (j = 0; j < 8; j++) {
-                        out_byte |= (s->c[i + j] & 1) << j;
-                }
-                *out = out_byte;
-                out++;
-        }
-}
-/*
- * Encodes an entire vector into 32*|RANK768|*|bits| bytes. Note that since 256
- * (DEGREE) is divisible by 8, the individual vector entries will always fill a
- * whole number of bytes, so we do not need to worry about bit packing here.
- */
-static void
-vector_encode(uint8_t *out, const vector *a, int bits)
-{
-        int i;
-        for (i = 0; i < RANK768; i++) {
-                scalar_encode(out + i * bits * DEGREE / 8, &a->v[i], bits);
-        }
-}
-/*
- * scalar_decode parses |DEGREE * bits| bits from |in| into |DEGREE| values in
- * |out|. It returns one on success and zero if any parsed value is >=
- * |kPrime|.
- */
-static int
-scalar_decode(scalar *out, const uint8_t *in, int bits)
-{
-        uint8_t in_byte = 0;
-        int i, in_byte_bits_left = 0;
-        assert(bits <= (int)sizeof(*out->c) * 8 && bits != 1);
-        for (i = 0; i < DEGREE; i++) {
-                uint16_t element = 0;
-                int element_bits_done = 0;
-                while (element_bits_done < bits) {
-                        int chunk_bits = bits - element_bits_done;
-                        if (in_byte_bits_left == 0) {
-                                in_byte = *in;
-                                in++;
-                                in_byte_bits_left = 8;
-                        }
-                        if (chunk_bits > in_byte_bits_left) {
-                                chunk_bits = in_byte_bits_left;
-                        }
-                        element |= (in_byte & kMasks[chunk_bits - 1]) <<
-                            element_bits_done;
-                        in_byte_bits_left -= chunk_bits;
-                        in_byte >>= chunk_bits;
-                        element_bits_done += chunk_bits;
-                }
-                if (element >= kPrime) {
-                        return 0;
-                }
-                out->c[i] = element;
-        }
-        return 1;
-}
-/* scalar_decode_1 is |scalar_decode| specialised for |bits| == 1. */
-static void
-scalar_decode_1(scalar *out, const uint8_t in[32])
-{
-        int i, j;
-        for (i = 0; i < DEGREE; i += 8) {
-                uint8_t in_byte = *in;
-                in++;
-                for (j = 0; j < 8; j++) {
-                        out->c[i + j] = in_byte & 1;
-                        in_byte >>= 1;
-                }
-        }
-}
-/*
- * Decodes 32*|RANK768|*|bits| bytes from |in| into |out|. It returns one on
- * success or zero if any parsed value is >= |kPrime|.
- */
-static int
-vector_decode(vector *out, const uint8_t *in, int bits)
-{
-        int i;
-        for (i = 0; i < RANK768; i++) {
-                if (!scalar_decode(&out->v[i], in + i * bits * DEGREE / 8,
-                    bits)) {
-                        return 0;
-                }
-        }
-        return 1;
-}
-/*
- * Compresses (lossily) an input |x| mod 3329 into |bits| many bits by grouping
- * numbers close to each other together. The formula used is
- * round(2^|bits|/kPrime*x) mod 2^|bits|.
- * Uses Barrett reduction to achieve constant time. Since we need both the
- * remainder (for rounding) and the quotient (as the result), we cannot use
- * |reduce| here, but need to do the Barrett reduction directly.
- */
-static uint16_t
-compress(uint16_t x, int bits)
-{
-        uint32_t shifted = (uint32_t)x << bits;
-        uint64_t product = (uint64_t)shifted * kBarrettMultiplier;
-        uint32_t quotient = (uint32_t)(product >> kBarrettShift);
-        uint32_t remainder = shifted - quotient * kPrime;
-        /*
-         * Adjust the quotient to round correctly:
-         * 0 <= remainder <= kHalfPrime round to 0
-         * kHalfPrime < remainder <= kPrime + kHalfPrime round to 1
-         * kPrime + kHalfPrime < remainder < 2 * kPrime round to 2
-         */
-        assert(remainder < 2u * kPrime);
-        quotient += 1 & constant_time_lt(kHalfPrime, remainder);
-        quotient += 1 & constant_time_lt(kPrime + kHalfPrime, remainder);
-        return quotient & ((1 << bits) - 1);
-}
-/*
- * Decompresses |x| by using an equi-distant representative. The formula is
- * round(kPrime/2^|bits|*x). Note that 2^|bits| being the divisor allows us to
- * implement this logic using only bit operations.
- */
-static uint16_t
-decompress(uint16_t x, int bits)
-{
-        uint32_t product = (uint32_t)x * kPrime;
-        uint32_t power = 1 << bits;
-        /* This is |product| % power, since |power| is a power of 2. */
-        uint32_t remainder = product & (power - 1);
-        /* This is |product| / power, since |power| is a power of 2. */
-        uint32_t lower = product >> bits;
-        /*
-         * The rounding logic works since the first half of numbers mod |power| have a
-         * 0 as first bit, and the second half has a 1 as first bit, since |power| is
-         * a power of 2. As a 12 bit number, |remainder| is always positive, so we
-         * will shift in 0s for a right shift.
-         */
-        return lower + (remainder >> (bits - 1));
-}
-static void
-scalar_compress(scalar *s, int bits)
-{
-        int i;
-        for (i = 0; i < DEGREE; i++) {
-                s->c[i] = compress(s->c[i], bits);
-        }
-}
-static void
-scalar_decompress(scalar *s, int bits)
-{
-        int i;
-        for (i = 0; i < DEGREE; i++) {
-                s->c[i] = decompress(s->c[i], bits);
-        }
-}
-static void
-vector_compress(vector *a, int bits)
-{
-        int i;
-        for (i = 0; i < RANK768; i++) {
-                scalar_compress(&a->v[i], bits);
-        }
-}
-static void
-vector_decompress(vector *a, int bits)
-{
-        int i;
-        for (i = 0; i < RANK768; i++) {
-                scalar_decompress(&a->v[i], bits);
-        }
-}
-struct public_key {
-        vector t;
-        uint8_t rho[32];
-        uint8_t public_key_hash[32];
-        matrix m;
-};
-static struct public_key *
-public_key_768_from_external(const struct MLKEM768_public_key *external)
-{
-        return (struct public_key *)external;
-}
-struct private_key {
-        struct public_key pub;
-        vector s;
-        uint8_t fo_failure_secret[32];
-};
-static struct private_key *
-private_key_768_from_external(const struct MLKEM768_private_key *external)
-{
-        return (struct private_key *)external;
-}
-/*
- * Calls |MLKEM768_generate_key_external_entropy| with random bytes from
- * |RAND_bytes|.
- */
-void
-MLKEM768_generate_key(uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],
-    uint8_t optional_out_seed[MLKEM_SEED_BYTES],
-    struct MLKEM768_private_key *out_private_key)
-{
-        uint8_t entropy_buf[MLKEM_SEED_BYTES];
-        uint8_t *entropy = optional_out_seed != NULL ? optional_out_seed :
-            entropy_buf;
-        arc4random_buf(entropy, MLKEM_SEED_BYTES);
-        MLKEM768_generate_key_external_entropy(out_encoded_public_key,
-            out_private_key, entropy);
-}
-LCRYPTO_ALIAS(MLKEM768_generate_key);
-int
-MLKEM768_private_key_from_seed(struct MLKEM768_private_key *out_private_key,
-    const uint8_t *seed, size_t seed_len)
-{
-        uint8_t public_key_bytes[MLKEM768_PUBLIC_KEY_BYTES];
-        if (seed_len != MLKEM_SEED_BYTES) {
-                return 0;
-        }
-        MLKEM768_generate_key_external_entropy(public_key_bytes,
-            out_private_key, seed);
-        return 1;
-}
-LCRYPTO_ALIAS(MLKEM768_private_key_from_seed);
-static int
-mlkem_marshal_public_key(CBB *out, const struct public_key *pub)
-{
-        uint8_t *vector_output;
-        if (!CBB_add_space(out, &vector_output, kEncodedVectorSize)) {
-                return 0;
-        }
-        vector_encode(vector_output, &pub->t, kLog2Prime);
-        if (!CBB_add_bytes(out, pub->rho, sizeof(pub->rho))) {
-                return 0;
-        }
-        return 1;
-}
-void
-MLKEM768_generate_key_external_entropy(
-    uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],
-    struct MLKEM768_private_key *out_private_key,
-    const uint8_t entropy[MLKEM_SEED_BYTES])
-{
-        struct private_key *priv = private_key_768_from_external(
-            out_private_key);
-        uint8_t augmented_seed[33];
-        uint8_t *rho, *sigma;
-        uint8_t counter = 0;
-        uint8_t hashed[64];
-        vector error;
-        CBB cbb;
-        memcpy(augmented_seed, entropy, 32);
-        augmented_seed[32] = RANK768;
-        hash_g(hashed, augmented_seed, 33);
-        rho = hashed;
-        sigma = hashed + 32;
-        memcpy(priv->pub.rho, hashed, sizeof(priv->pub.rho));
-        matrix_expand(&priv->pub.m, rho);
-        vector_generate_secret_eta_2(&priv->s, &counter, sigma);
-        vector_ntt(&priv->s);
-        vector_generate_secret_eta_2(&error, &counter, sigma);
-        vector_ntt(&error);
-        matrix_mult_transpose(&priv->pub.t, &priv->pub.m, &priv->s);
-        vector_add(&priv->pub.t, &error);
-        /* XXX - error checking */
-        CBB_init_fixed(&cbb, out_encoded_public_key, MLKEM768_PUBLIC_KEY_BYTES);
-        if (!mlkem_marshal_public_key(&cbb, &priv->pub)) {
-                abort();
-        }
-        CBB_cleanup(&cbb);
-        hash_h(priv->pub.public_key_hash, out_encoded_public_key,
-            MLKEM768_PUBLIC_KEY_BYTES);
-        memcpy(priv->fo_failure_secret, entropy + 32, 32);
-}
-void
-MLKEM768_public_from_private(struct MLKEM768_public_key *out_public_key,
-    const struct MLKEM768_private_key *private_key)
-{
-        struct public_key *const pub = public_key_768_from_external(
-            out_public_key);
-        const struct private_key *const priv = private_key_768_from_external(
-            private_key);
-        *pub = priv->pub;
-}
-LCRYPTO_ALIAS(MLKEM768_public_from_private);
-/*
- * Encrypts a message with given randomness to the ciphertext in |out|. Without
- * applying the Fujisaki-Okamoto transform this would not result in a CCA secure
- * scheme, since lattice schemes are vulnerable to decryption failure oracles.
- */
-static void
-encrypt_cpa(uint8_t out[MLKEM768_CIPHERTEXT_BYTES],
-    const struct public_key *pub, const uint8_t message[32],
-    const uint8_t randomness[32])
-{
-        scalar expanded_message, scalar_error;
-        vector secret, error, u;
-        uint8_t counter = 0;
-        uint8_t input[33];
-        scalar v;
-        vector_generate_secret_eta_2(&secret, &counter, randomness);
-        vector_ntt(&secret);
-        vector_generate_secret_eta_2(&error, &counter, randomness);
-        memcpy(input, randomness, 32);
-        input[32] = counter;
-        scalar_centered_binomial_distribution_eta_2_with_prf(&scalar_error,
-            input);
-        matrix_mult(&u, &pub->m, &secret);
-        vector_inverse_ntt(&u);
-        vector_add(&u, &error);
-        scalar_inner_product(&v, &pub->t, &secret);
-        scalar_inverse_ntt(&v);
-        scalar_add(&v, &scalar_error);
-        scalar_decode_1(&expanded_message, message);
-        scalar_decompress(&expanded_message, 1);
-        scalar_add(&v, &expanded_message);
-        vector_compress(&u, kDU768);
-        vector_encode(out, &u, kDU768);
-        scalar_compress(&v, kDV768);
-        scalar_encode(out + kCompressedVectorSize, &v, kDV768);
-}
-/* Calls MLKEM768_encap_external_entropy| with random bytes */
-void
-MLKEM768_encap(uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const struct MLKEM768_public_key *public_key)
-{
-        uint8_t entropy[MLKEM_ENCAP_ENTROPY];
-        arc4random_buf(entropy, MLKEM_ENCAP_ENTROPY);
-        MLKEM768_encap_external_entropy(out_ciphertext, out_shared_secret,
-            public_key, entropy);
-}
-LCRYPTO_ALIAS(MLKEM768_encap);
-/* See section 6.2 of the spec. */
-void
-MLKEM768_encap_external_entropy(
-    uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const struct MLKEM768_public_key *public_key,
-    const uint8_t entropy[MLKEM_ENCAP_ENTROPY])
-{
-        const struct public_key *pub = public_key_768_from_external(public_key);
-        uint8_t key_and_randomness[64];
-        uint8_t input[64];
-        memcpy(input, entropy, MLKEM_ENCAP_ENTROPY);
-        memcpy(input + MLKEM_ENCAP_ENTROPY, pub->public_key_hash,
-            sizeof(input) - MLKEM_ENCAP_ENTROPY);
-        hash_g(key_and_randomness, input, sizeof(input));
-        encrypt_cpa(out_ciphertext, pub, entropy, key_and_randomness + 32);
-        memcpy(out_shared_secret, key_and_randomness, 32);
-}
-static void
-decrypt_cpa(uint8_t out[32], const struct private_key *priv,
-    const uint8_t ciphertext[MLKEM768_CIPHERTEXT_BYTES])
-{
-        scalar mask, v;
-        vector u;
-        vector_decode(&u, ciphertext, kDU768);
-        vector_decompress(&u, kDU768);
-        vector_ntt(&u);
-        scalar_decode(&v, ciphertext + kCompressedVectorSize, kDV768);
-        scalar_decompress(&v, kDV768);
-        scalar_inner_product(&mask, &priv->s, &u);
-        scalar_inverse_ntt(&mask);
-        scalar_sub(&v, &mask);
-        scalar_compress(&v, 1);
-        scalar_encode_1(out, &v);
-}
-/* See section 6.3 */
-int
-MLKEM768_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const uint8_t *ciphertext, size_t ciphertext_len,
-    const struct MLKEM768_private_key *private_key)
-{
-        const struct private_key *priv = private_key_768_from_external(
-            private_key);
-        uint8_t expected_ciphertext[MLKEM768_CIPHERTEXT_BYTES];
-        uint8_t key_and_randomness[64];
-        uint8_t failure_key[32];
-        uint8_t decrypted[64];
-        uint8_t mask;
-        int i;
-        if (ciphertext_len != MLKEM768_CIPHERTEXT_BYTES) {
-                arc4random_buf(out_shared_secret, MLKEM_SHARED_SECRET_BYTES);
-                return 0;
-        }
-        decrypt_cpa(decrypted, priv, ciphertext);
-        memcpy(decrypted + 32, priv->pub.public_key_hash,
-            sizeof(decrypted) - 32);
-        hash_g(key_and_randomness, decrypted, sizeof(decrypted));
-        encrypt_cpa(expected_ciphertext, &priv->pub, decrypted,
-            key_and_randomness + 32);
-        kdf(failure_key, priv->fo_failure_secret, ciphertext, ciphertext_len);
-        mask = constant_time_eq_int_8(memcmp(ciphertext, expected_ciphertext,
-            sizeof(expected_ciphertext)), 0);
-        for (i = 0; i < MLKEM_SHARED_SECRET_BYTES; i++) {
-                out_shared_secret[i] = constant_time_select_8(mask,
-                    key_and_randomness[i], failure_key[i]);
-        }
-        return 1;
-}
-LCRYPTO_ALIAS(MLKEM768_decap);
-int
-MLKEM768_marshal_public_key(CBB *out,
-    const struct MLKEM768_public_key *public_key)
-{
-        return mlkem_marshal_public_key(out,
-            public_key_768_from_external(public_key));
-}
-LCRYPTO_ALIAS(MLKEM768_marshal_public_key);
-/*
- * mlkem_parse_public_key_no_hash parses |in| into |pub| but doesn't calculate
- * the value of |pub->public_key_hash|.
- */
-static int
-mlkem_parse_public_key_no_hash(struct public_key *pub, CBS *in)
-{
-        CBS t_bytes;
-        if (!CBS_get_bytes(in, &t_bytes, kEncodedVectorSize) ||
-            !vector_decode(&pub->t, CBS_data(&t_bytes), kLog2Prime)) {
-                return 0;
-        }
-        memcpy(pub->rho, CBS_data(in), sizeof(pub->rho));
-        if (!CBS_skip(in, sizeof(pub->rho)))
-                return 0;
-        matrix_expand(&pub->m, pub->rho);
-        return 1;
-}
-int
-MLKEM768_parse_public_key(struct MLKEM768_public_key *public_key, CBS *in)
-{
-        struct public_key *pub = public_key_768_from_external(public_key);
-        CBS orig_in = *in;
-        if (!mlkem_parse_public_key_no_hash(pub, in) ||
-            CBS_len(in) != 0) {
-                return 0;
-        }
-        hash_h(pub->public_key_hash, CBS_data(&orig_in), CBS_len(&orig_in));
-        return 1;
-}
-LCRYPTO_ALIAS(MLKEM768_parse_public_key);
-int
-MLKEM768_marshal_private_key(CBB *out,
-    const struct MLKEM768_private_key *private_key)
-{
-        const struct private_key *const priv = private_key_768_from_external(
-            private_key);
-        uint8_t *s_output;
-        if (!CBB_add_space(out, &s_output, kEncodedVectorSize)) {
-                return 0;
-        }
-        vector_encode(s_output, &priv->s, kLog2Prime);
-        if (!mlkem_marshal_public_key(out, &priv->pub) ||
-            !CBB_add_bytes(out, priv->pub.public_key_hash,
-            sizeof(priv->pub.public_key_hash)) ||
-            !CBB_add_bytes(out, priv->fo_failure_secret,
-            sizeof(priv->fo_failure_secret))) {
-                return 0;
-        }
-        return 1;
-}
-int
-MLKEM768_parse_private_key(struct MLKEM768_private_key *out_private_key,
-    CBS *in)
-{
-        struct private_key *const priv = private_key_768_from_external(
-            out_private_key);
-        CBS s_bytes;
-        if (!CBS_get_bytes(in, &s_bytes, kEncodedVectorSize) ||
-            !vector_decode(&priv->s, CBS_data(&s_bytes), kLog2Prime) ||
-            !mlkem_parse_public_key_no_hash(&priv->pub, in)) {
-                return 0;
-        }
-        memcpy(priv->pub.public_key_hash, CBS_data(in),
-            sizeof(priv->pub.public_key_hash));
-        if (!CBS_skip(in, sizeof(priv->pub.public_key_hash)))
-                return 0;
-        memcpy(priv->fo_failure_secret, CBS_data(in),
-            sizeof(priv->fo_failure_secret));
-        if (!CBS_skip(in, sizeof(priv->fo_failure_secret)))
-                return 0;
-        if (CBS_len(in) != 0)
-                return 0;
-        return 1;
-}
-LCRYPTO_ALIAS(MLKEM768_parse_private_key);
diff --git a/src/lib/libcrypto/mlkem/mlkem1024.c b/src/lib/libcrypto/mlkem/mlkem_internal.c
index f6fccdf6a8..048b147806 100644
--- a/src/lib/libcrypto/mlkem/mlkem1024.c
+++ b/src/lib/libcrypto/mlkem/mlkem_internal.c
@@ -1,7 +1,7 @@
-/* $OpenBSD: mlkem1024.c,v 1.6 2025/01/03 08:19:24 tb Exp $ */
+/* $OpenBSD: mlkem_internal.c,v 1.6 2026/01/18 08:49:42 tb Exp $ */
 /*
 * Copyright (c) 2024, Google Inc.
- * Copyright (c) 2024, Bob Beck <beck@obtuse.com>
+ * Copyright (c) 2024, 2025 Bob Beck <beck@obtuse.com>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -19,19 +19,16 @@
 #include <assert.h>
 #include <stdlib.h>
 #include <string.h>
+#include <stdio.h>
-#include "bytestring.h"
+#include <openssl/mlkem.h>
-#include "mlkem.h"
+#include "bytestring.h"
 #include "sha3_internal.h"
 #include "mlkem_internal.h"
 #include "constant_time.h"
 #include "crypto_internal.h"
-/* Remove later */
-#undef LCRYPTO_ALIAS
-#define LCRYPTO_ALIAS(A)
 /*
 * See
 * https://csrc.nist.gov/pubs/fips/203/final
@@ -68,7 +65,7 @@ hash_g(uint8_t out[64], const uint8_t *in, size_t len)
 /* this is called 'J' in the spec */
 static void
-kdf(uint8_t out[MLKEM_SHARED_SECRET_BYTES], const uint8_t failure_secret[32],
+kdf(uint8_t out[MLKEM_SHARED_SECRET_LENGTH], const uint8_t failure_secret[32],
    const uint8_t *in, size_t len)
 {
        sha3_ctx ctx;
@@ -76,17 +73,18 @@ kdf(uint8_t out[MLKEM_SHARED_SECRET_BYTES], const uint8_t failure_secret[32],
        shake_update(&ctx, failure_secret, 32);
        shake_update(&ctx, in, len);
        shake_xof(&ctx);
-        shake_out(&ctx, out, MLKEM_SHARED_SECRET_BYTES);
+        shake_out(&ctx, out, MLKEM_SHARED_SECRET_LENGTH);
 }
 #define DEGREE 256
-#define RANK1024 4
 static const size_t kBarrettMultiplier = 5039;
 static const unsigned kBarrettShift = 24;
 static const uint16_t kPrime = 3329;
 static const int kLog2Prime = 12;
 static const uint16_t kHalfPrime = (/*kPrime=*/3329 - 1) / 2;
+static const int kDU768 = 10;
+static const int kDV768 = 4;
 static const int kDU1024 = 11;
 static const int kDV1024 = 5;
@@ -95,23 +93,41 @@ static const int kDV1024 = 5;
 * root of unity.
 */
 static const uint16_t kInverseDegree = 3303;
-static const size_t kEncodedVectorSize =
-    (/*kLog2Prime=*/12 * DEGREE / 8) * RANK1024;
+static inline size_t
-static const size_t kCompressedVectorSize = /*kDU1024=*/ 11 * RANK1024 * DEGREE /
+encoded_vector_size(uint16_t rank)
-    8;
+{
+        return (kLog2Prime * DEGREE / 8) * rank;
+}
+static inline size_t
+compressed_vector_size(uint16_t rank)
+{
+        return ((rank == MLKEM768_RANK) ? kDU768 : kDU1024) * rank * DEGREE / 8;
+}
 typedef struct scalar {
        /* On every function entry and exit, 0 <= c < kPrime. */
        uint16_t c[DEGREE];
 } scalar;
-typedef struct vector {
+/*
-        scalar v[RANK1024];
+ * Retrieve a const scalar from const matrix of |rank| at position [row][col]
-} vector;
+ */
+static inline const scalar *
+const_m2s(const scalar *v, size_t row, size_t col, uint16_t rank)
+{
+        return ((scalar *)v) + row * rank + col;
+}
-typedef struct matrix {
+/*
-        scalar v[RANK1024][RANK1024];
+ * Retrieve a scalar from matrix of |rank| at position [row][col]
-} matrix;
+ */
+static inline scalar *
+m2s(scalar *v, size_t row, size_t col, uint16_t rank)
+{
+        return ((scalar *)v) + row * rank + col;
+}
 /*
 * This bit of Python will be referenced in some of the following comments:
@@ -188,10 +204,10 @@ reduce_once(uint16_t x)
         * is a difference of 2x.
         *
         * We usually add value barriers to selects because Clang turns
-         * consecutive selects with the same condition into a branch instead of
+         * consecutive selects with the same condition into a branch instead of
         * CMOV/CSEL. This condition does not occur in ML-KEM, so omitting it
-         * seems to be safe so far  but see
+         * seems to be safe so far  but see
-         * |scalar_centered_binomial_distribution_eta_2_with_prf|.
+         * |scalar_centered_binomial_distribution_eta_2_with_prf|.
         */
        return (mask & x) | (~mask & subtracted);
 }
@@ -218,9 +234,9 @@ scalar_zero(scalar *out)
 }
 static void
-vector_zero(vector *out)
+vector_zero(scalar *out, size_t rank)
 {
-        memset(out, 0, sizeof(*out));
+        memset(out, 0, sizeof(*out) * rank);
 }
 /*
@@ -262,12 +278,12 @@ scalar_ntt(scalar *s)
 }
 static void
-vector_ntt(vector *a)
+vector_ntt(scalar *v, size_t rank)
 {
-        int i;
+        size_t i;
-        for (i = 0; i < RANK1024; i++) {
+        for (i = 0; i < rank; i++) {
-                scalar_ntt(&a->v[i]);
+                scalar_ntt(&v[i]);
        }
 }
@@ -309,12 +325,12 @@ scalar_inverse_ntt(scalar *s)
 }
 static void
-vector_inverse_ntt(vector *a)
+vector_inverse_ntt(scalar *v, size_t rank)
 {
-        int i;
+        size_t i;
-        for (i = 0; i < RANK1024; i++) {
+        for (i = 0; i < rank; i++) {
-                scalar_inverse_ntt(&a->v[i]);
+                scalar_inverse_ntt(&v[i]);
        }
 }
@@ -368,58 +384,58 @@ scalar_mult(scalar *out, const scalar *lhs, const scalar *rhs)
 }
 static void
-vector_add(vector *lhs, const vector *rhs)
+vector_add(scalar *lhs, const scalar *rhs, size_t rank)
 {
-        int i;
+        size_t i;
-        for (i = 0; i < RANK1024; i++) {
+        for (i = 0; i < rank; i++) {
-                scalar_add(&lhs->v[i], &rhs->v[i]);
+                scalar_add(&lhs[i], &rhs[i]);
        }
 }
 static void
-matrix_mult(vector *out, const matrix *m, const vector *a)
+matrix_mult(scalar *out, const void *m, const scalar *a, size_t rank)
 {
-        int i, j;
+        size_t i, j;
-        vector_zero(out);
+        vector_zero(&out[0], rank);
-        for (i = 0; i < RANK1024; i++) {
+        for (i = 0; i < rank; i++) {
-                for (j = 0; j < RANK1024; j++) {
+                for (j = 0; j < rank; j++) {
                        scalar product;
-                        scalar_mult(&product, &m->v[i][j], &a->v[j]);
+                        scalar_mult(&product, const_m2s(m, i, j, rank), &a[j]);
-                        scalar_add(&out->v[i], &product);
+                        scalar_add(&out[i], &product);
                }
        }
 }
 static void
-matrix_mult_transpose(vector *out, const matrix *m,
+matrix_mult_transpose(scalar *out, const void *m, const scalar *a, size_t rank)
-    const vector *a)
 {
        int i, j;
-        vector_zero(out);
+        vector_zero(&out[0], rank);
-        for (i = 0; i < RANK1024; i++) {
+        for (i = 0; i < rank; i++) {
-                for (j = 0; j < RANK1024; j++) {
+                for (j = 0; j < rank; j++) {
                        scalar product;
-                        scalar_mult(&product, &m->v[j][i], &a->v[j]);
+                        scalar_mult(&product, const_m2s(m, j, i, rank), &a[j]);
-                        scalar_add(&out->v[i], &product);
+                        scalar_add(&out[i], &product);
                }
        }
 }
 static void
-scalar_inner_product(scalar *out, const vector *lhs,
+scalar_inner_product(scalar *out, const scalar *lhs,
-    const vector *rhs)
+    const scalar *rhs, size_t rank)
 {
-        int i;
+        size_t i;
        scalar_zero(out);
-        for (i = 0; i < RANK1024; i++) {
+        for (i = 0; i < rank; i++) {
                scalar product;
-                scalar_mult(&product, &lhs->v[i], &rhs->v[i]);
+                scalar_mult(&product, &lhs[i], &rhs[i]);
                scalar_add(out, &product);
        }
 }
@@ -502,30 +518,30 @@ scalar_centered_binomial_distribution_eta_2_with_prf(scalar *out,
 * appending and incrementing |counter| for entry of the vector.
 */
 static void
-vector_generate_secret_eta_2(vector *out, uint8_t *counter,
+vector_generate_secret_eta_2(scalar *out, uint8_t *counter,
-    const uint8_t seed[32])
+    const uint8_t seed[32], size_t rank)
 {
        uint8_t input[33];
-        int i;
+        size_t i;
        memcpy(input, seed, 32);
-        for (i = 0; i < RANK1024; i++) {
+        for (i = 0; i < rank; i++) {
                input[32] = (*counter)++;
-                scalar_centered_binomial_distribution_eta_2_with_prf(&out->v[i],
+                scalar_centered_binomial_distribution_eta_2_with_prf(&out[i],
                    input);
        }
 }
 /* Expands the matrix of a seed for key generation and for encaps-CPA. */
 static void
-matrix_expand(matrix *out, const uint8_t rho[32])
+matrix_expand(void *out, const uint8_t rho[32], size_t rank)
 {
        uint8_t input[34];
-        int i, j;
+        size_t i, j;
        memcpy(input, rho, 32);
-        for (i = 0; i < RANK1024; i++) {
+        for (i = 0; i < rank; i++) {
-                for (j = 0; j < RANK1024; j++) {
+                for (j = 0; j < rank; j++) {
                        sha3_ctx keccak_ctx;
                        input[32] = i;
@@ -533,7 +549,8 @@ matrix_expand(matrix *out, const uint8_t rho[32])
                        shake128_init(&keccak_ctx);
                        shake_update(&keccak_ctx, input, sizeof(input));
                        shake_xof(&keccak_ctx);
-                        scalar_from_keccak_vartime(&out->v[i][j], &keccak_ctx);
+                        scalar_from_keccak_vartime(m2s(out, i, j, rank),
+                            &keccak_ctx);
                }
        }
 }
@@ -598,20 +615,33 @@ scalar_encode_1(uint8_t out[32], const scalar *s)
 }
 /*
- * Encodes an entire vector into 32*|RANK1024|*|bits| bytes. Note that since 256
+ * Encodes an entire vector into 32*|MLKEM768_RANK|*|bits| bytes. Since 256
 * (DEGREE) is divisible by 8, the individual vector entries will always fill a
 * whole number of bytes, so we do not need to worry about bit packing here.
 */
 static void
-vector_encode(uint8_t *out, const vector *a, int bits)
+vector_encode(uint8_t *out, const scalar *a, int bits, size_t rank)
 {
        int i;
-        for (i = 0; i < RANK1024; i++) {
+        for (i = 0; i < rank; i++) {
-                scalar_encode(out + i * bits * DEGREE / 8, &a->v[i], bits);
+                scalar_encode(out + i * bits * DEGREE / 8, &a[i], bits);
        }
 }
+/* Encodes an entire vector as above, but adding it to a CBB */
+static int
+vector_encode_cbb(CBB *cbb, const scalar *a, int bits, size_t rank)
+{
+        uint8_t *encoded_vector;
+        if (!CBB_add_space(cbb, &encoded_vector, encoded_vector_size(rank)))
+                return 0;
+        vector_encode(encoded_vector, a, bits, rank);
+        return 1;
+}
 /*
 * scalar_decode parses |DEGREE * bits| bits from |in| into |DEGREE| values in
 * |out|. It returns one on success and zero if any parsed value is >=
@@ -677,16 +707,16 @@ scalar_decode_1(scalar *out, const uint8_t in[32])
 }
 /*
- * Decodes 32*|RANK1024|*|bits| bytes from |in| into |out|. It returns one on
+ * Decodes 32*|MLKEM768_RANK|*|bits| bytes from |in| into |out|. It returns one on
 * success or zero if any parsed value is >= |kPrime|.
 */
 static int
-vector_decode(vector *out, const uint8_t *in, int bits)
+vector_decode(scalar *out, const uint8_t *in, int bits, size_t rank)
 {
-        int i;
+        size_t i;
-        for (i = 0; i < RANK1024; i++) {
+        for (i = 0; i < rank; i++) {
-                if (!scalar_decode(&out->v[i], in + i * bits * DEGREE / 8,
+                if (!scalar_decode(&out[i], in + i * bits * DEGREE / 8,
                    bits)) {
                        return 0;
                }
@@ -767,153 +797,194 @@ scalar_decompress(scalar *s, int bits)
 }
 static void
-vector_compress(vector *a, int bits)
+vector_compress(scalar *v, int bits, size_t rank)
 {
-        int i;
+        size_t i;
-        for (i = 0; i < RANK1024; i++) {
+        for (i = 0; i < rank; i++) {
-                scalar_compress(&a->v[i], bits);
+                scalar_compress(&v[i], bits);
        }
 }
 static void
-vector_decompress(vector *a, int bits)
+vector_decompress(scalar *v, int bits, size_t rank)
 {
        int i;
-        for (i = 0; i < RANK1024; i++) {
+        for (i = 0; i < rank; i++) {
-                scalar_decompress(&a->v[i], bits);
+                scalar_decompress(&v[i], bits);
        }
 }
 struct public_key {
-        vector t;
+        scalar *t;
-        uint8_t rho[32];
+        uint8_t *rho;
-        uint8_t public_key_hash[32];
+        uint8_t *public_key_hash;
-        matrix m;
+        scalar *m;
 };
-static struct public_key *
+static void
-public_key_1024_from_external(const struct MLKEM1024_public_key *external)
+public_key_from_external(const MLKEM_public_key *external,
+    struct public_key *pub)
 {
-        return (struct public_key *)external;
+        size_t vector_size = external->rank * sizeof(scalar);
+        uint8_t *bytes = external->key_768->bytes;
+        size_t offset = 0;
+        if (external->rank == MLKEM1024_RANK)
+                bytes = external->key_1024->bytes;
+        pub->t = (struct scalar *)bytes + offset;
+        offset += vector_size;
+        pub->rho = bytes + offset;
+        offset += 32;
+        pub->public_key_hash = bytes + offset;
+        offset += 32;
+        pub->m = (void *)(bytes + offset);
+        offset += vector_size * external->rank;
 }
 struct private_key {
        struct public_key pub;
-        vector s;
+        scalar *s;
-        uint8_t fo_failure_secret[32];
+        uint8_t *fo_failure_secret;
 };
-static struct private_key *
+static void
-private_key_1024_from_external(const struct MLKEM1024_private_key *external)
+private_key_from_external(const MLKEM_private_key *external,
+    struct private_key *priv)
 {
-        return (struct private_key *)external;
+        size_t vector_size = external->rank * sizeof(scalar);
+        size_t offset = 0;
+        uint8_t *bytes = external->key_768->bytes;
+        if (external->rank == MLKEM1024_RANK)
+                bytes = external->key_1024->bytes;
+        priv->pub.t = (struct scalar *)(bytes + offset);
+        offset += vector_size;
+        priv->pub.rho = bytes + offset;
+        offset += 32;
+        priv->pub.public_key_hash = bytes + offset;
+        offset += 32;
+        priv->pub.m = (void *)(bytes + offset);
+        offset += vector_size * external->rank;
+        priv->s = (void *)(bytes + offset);
+        offset += vector_size;
+        priv->fo_failure_secret = bytes + offset;
+        offset += 32;
 }
-/*
- * Calls |MLKEM1024_generate_key_external_entropy| with random bytes from
- * |RAND_bytes|.
- */
-void
-MLKEM1024_generate_key(uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
-    uint8_t optional_out_seed[MLKEM_SEED_BYTES],
-    struct MLKEM1024_private_key *out_private_key)
-{
-        uint8_t entropy_buf[MLKEM_SEED_BYTES];
-        uint8_t *entropy = optional_out_seed != NULL ? optional_out_seed :
-            entropy_buf;
-        arc4random_buf(entropy, MLKEM_SEED_BYTES);
-        MLKEM1024_generate_key_external_entropy(out_encoded_public_key,
-            out_private_key, entropy);
-}
-LCRYPTO_ALIAS(MLKEM1024_generate_key);
 int
-MLKEM1024_private_key_from_seed(struct MLKEM1024_private_key *out_private_key,
+mlkem_private_key_from_seed(const uint8_t *seed, size_t seed_len,
-    const uint8_t *seed, size_t seed_len)
+    MLKEM_private_key *out_private_key)
 {
-        uint8_t public_key_bytes[MLKEM1024_PUBLIC_KEY_BYTES];
+        uint8_t *public_key_buf = NULL;
+        size_t public_key_buf_len = out_private_key->rank == MLKEM768_RANK ?
+            MLKEM768_PUBLIC_KEY_BYTES : MLKEM1024_PUBLIC_KEY_BYTES;
+        int ret = 0;
-        if (seed_len != MLKEM_SEED_BYTES) {
+        if (seed_len != MLKEM_SEED_LENGTH) {
-                return 0;
+                goto err;
        }
-        MLKEM1024_generate_key_external_entropy(public_key_bytes,
+        if ((public_key_buf = calloc(1, public_key_buf_len)) == NULL)
+                goto err;
+        ret = mlkem_generate_key_external_entropy(public_key_buf,
            out_private_key, seed);
-        return 1;
+ err:
+        freezero(public_key_buf, public_key_buf_len);
+        return ret;
 }
-LCRYPTO_ALIAS(MLKEM1024_private_key_from_seed);
 static int
-mlkem_marshal_public_key(CBB *out, const struct public_key *pub)
+mlkem_marshal_public_key_internal(CBB *out, const struct public_key *pub,
+    size_t rank)
 {
-        uint8_t *vector_output;
+        if (!vector_encode_cbb(out, &pub->t[0], kLog2Prime, rank))
-        if (!CBB_add_space(out, &vector_output, kEncodedVectorSize)) {
                return 0;
-        }
+        return CBB_add_bytes(out, pub->rho, 32);
-        vector_encode(vector_output, &pub->t, kLog2Prime);
-        if (!CBB_add_bytes(out, pub->rho, sizeof(pub->rho))) {
-                return 0;
-        }
-        return 1;
 }
-void
+int
-MLKEM1024_generate_key_external_entropy(
+mlkem_generate_key_external_entropy(uint8_t *out_encoded_public_key,
-    uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
+    MLKEM_private_key *out_private_key,
-    struct MLKEM1024_private_key *out_private_key,
+    const uint8_t entropy[MLKEM_SEED_LENGTH])
-    const uint8_t entropy[MLKEM_SEED_BYTES])
 {
-        struct private_key *priv = private_key_1024_from_external(
+        struct private_key priv;
-            out_private_key);
        uint8_t augmented_seed[33];
        uint8_t *rho, *sigma;
        uint8_t counter = 0;
        uint8_t hashed[64];
-        vector error;
+        scalar error[MLKEM1024_RANK];
        CBB cbb;
+        int ret = 0;
+        private_key_from_external(out_private_key, &priv);
+        memset(&cbb, 0, sizeof(cbb));
        memcpy(augmented_seed, entropy, 32);
-        augmented_seed[32] = RANK1024;
+        augmented_seed[32] = out_private_key->rank;
        hash_g(hashed, augmented_seed, 33);
        rho = hashed;
        sigma = hashed + 32;
-        memcpy(priv->pub.rho, hashed, sizeof(priv->pub.rho));
+        memcpy(priv.pub.rho, hashed, 32);
-        matrix_expand(&priv->pub.m, rho);
+        matrix_expand(priv.pub.m, rho, out_private_key->rank);
-        vector_generate_secret_eta_2(&priv->s, &counter, sigma);
+        vector_generate_secret_eta_2(priv.s, &counter, sigma,
-        vector_ntt(&priv->s);
+            out_private_key->rank);
-        vector_generate_secret_eta_2(&error, &counter, sigma);
+        vector_ntt(priv.s, out_private_key->rank);
-        vector_ntt(&error);
+        vector_generate_secret_eta_2(&error[0], &counter, sigma,
-        matrix_mult_transpose(&priv->pub.t, &priv->pub.m, &priv->s);
+            out_private_key->rank);
-        vector_add(&priv->pub.t, &error);
+        vector_ntt(&error[0], out_private_key->rank);
+        matrix_mult_transpose(priv.pub.t, priv.pub.m, priv.s,
-        /* XXX - error checking. */
+            out_private_key->rank);
-        CBB_init_fixed(&cbb, out_encoded_public_key, MLKEM1024_PUBLIC_KEY_BYTES);
+        vector_add(priv.pub.t, &error[0], out_private_key->rank);
-        if (!mlkem_marshal_public_key(&cbb, &priv->pub)) {
-                abort();
+        if (!CBB_init_fixed(&cbb, out_encoded_public_key,
-        }
+            out_private_key->rank == MLKEM768_RANK ? MLKEM768_PUBLIC_KEY_BYTES :
+            MLKEM1024_PUBLIC_KEY_BYTES))
+                goto err;
+        if (!mlkem_marshal_public_key_internal(&cbb, &priv.pub,
+            out_private_key->rank))
+                goto err;
+        hash_h(priv.pub.public_key_hash, out_encoded_public_key,
+            out_private_key->rank == MLKEM768_RANK ? MLKEM768_PUBLIC_KEY_BYTES :
+            MLKEM1024_PUBLIC_KEY_BYTES);
+        memcpy(priv.fo_failure_secret, entropy + 32, 32);
+        ret = 1;
+ err:
        CBB_cleanup(&cbb);
+        explicit_bzero(&priv, sizeof(priv));
+        explicit_bzero(augmented_seed, sizeof(augmented_seed));
+        explicit_bzero(error, sizeof(error));
+        explicit_bzero(hashed, sizeof(hashed));
-        hash_h(priv->pub.public_key_hash, out_encoded_public_key,
+        return ret;
-            MLKEM1024_PUBLIC_KEY_BYTES);
-        memcpy(priv->fo_failure_secret, entropy + 32, 32);
 }
 void
-MLKEM1024_public_from_private(struct MLKEM1024_public_key *out_public_key,
+mlkem_public_from_private(const MLKEM_private_key *private_key,
-    const struct MLKEM1024_private_key *private_key)
+    MLKEM_public_key *out_public_key)
 {
-        struct public_key *const pub = public_key_1024_from_external(
+        switch (private_key->rank) {
-            out_public_key);
+        case MLKEM768_RANK:
-        const struct private_key *const priv = private_key_1024_from_external(
+                memcpy(out_public_key->key_768->bytes,
-            private_key);
+                    private_key->key_768->bytes,
+                    sizeof(out_public_key->key_768->bytes));
-        *pub = priv->pub;
+                break;
+        case MLKEM1024_RANK:
+                memcpy(out_public_key->key_1024->bytes,
+                    private_key->key_1024->bytes,
+                    sizeof(out_public_key->key_1024->bytes));
+                break;
+        }
 }
-LCRYPTO_ALIAS(MLKEM1024_public_from_private);
 /*
 * Encrypts a message with given randomness to the ciphertext in |out|. Without
@@ -921,219 +992,287 @@ LCRYPTO_ALIAS(MLKEM1024_public_from_private);
 * scheme, since lattice schemes are vulnerable to decryption failure oracles.
 */
 static void
-encrypt_cpa(uint8_t out[MLKEM1024_CIPHERTEXT_BYTES],
+encrypt_cpa(uint8_t *out, const struct public_key *pub,
-    const struct public_key *pub, const uint8_t message[32],
+    const uint8_t message[32], const uint8_t randomness[32],
-    const uint8_t randomness[32])
+    size_t rank)
 {
+        scalar secret[MLKEM1024_RANK], error[MLKEM1024_RANK], u[MLKEM1024_RANK];
        scalar expanded_message, scalar_error;
-        vector secret, error, u;
        uint8_t counter = 0;
        uint8_t input[33];
        scalar v;
+        int u_bits = kDU768;
+        int v_bits = kDV768;
-        vector_generate_secret_eta_2(&secret, &counter, randomness);
+        if (rank == MLKEM1024_RANK) {
-        vector_ntt(&secret);
+                u_bits = kDU1024;
-        vector_generate_secret_eta_2(&error, &counter, randomness);
+                v_bits = kDV1024;
+        }
+        vector_generate_secret_eta_2(&secret[0], &counter, randomness, rank);
+        vector_ntt(&secret[0], rank);
+        vector_generate_secret_eta_2(&error[0], &counter, randomness, rank);
        memcpy(input, randomness, 32);
        input[32] = counter;
        scalar_centered_binomial_distribution_eta_2_with_prf(&scalar_error,
            input);
-        matrix_mult(&u, &pub->m, &secret);
+        matrix_mult(&u[0], pub->m, &secret[0], rank);
-        vector_inverse_ntt(&u);
+        vector_inverse_ntt(&u[0], rank);
-        vector_add(&u, &error);
+        vector_add(&u[0], &error[0], rank);
-        scalar_inner_product(&v, &pub->t, &secret);
+        scalar_inner_product(&v, &pub->t[0], &secret[0], rank);
        scalar_inverse_ntt(&v);
        scalar_add(&v, &scalar_error);
        scalar_decode_1(&expanded_message, message);
        scalar_decompress(&expanded_message, 1);
        scalar_add(&v, &expanded_message);
-        vector_compress(&u, kDU1024);
+        vector_compress(&u[0], u_bits, rank);
-        vector_encode(out, &u, kDU1024);
+        vector_encode(out, &u[0], u_bits, rank);
-        scalar_compress(&v, kDV1024);
+        scalar_compress(&v, v_bits);
-        scalar_encode(out + kCompressedVectorSize, &v, kDV1024);
+        scalar_encode(out + compressed_vector_size(rank), &v, v_bits);
+        explicit_bzero(secret, sizeof(secret));
+        explicit_bzero(error, sizeof(error));
+        explicit_bzero(u, sizeof(u));
+        explicit_bzero(input, sizeof(input));
 }
-/* Calls MLKEM1024_encap_external_entropy| with random bytes */
-void
-MLKEM1024_encap(uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const struct MLKEM1024_public_key *public_key)
-{
-        uint8_t entropy[MLKEM_ENCAP_ENTROPY];
-        arc4random_buf(entropy, MLKEM_ENCAP_ENTROPY);
-        MLKEM1024_encap_external_entropy(out_ciphertext, out_shared_secret,
-            public_key, entropy);
-}
-LCRYPTO_ALIAS(MLKEM1024_encap);
 /* See section 6.2 of the spec. */
 void
-MLKEM1024_encap_external_entropy(
+mlkem_encap_external_entropy(uint8_t *out_ciphertext,
-    uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
+    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_LENGTH],
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+    const MLKEM_public_key *public_key,
-    const struct MLKEM1024_public_key *public_key,
    const uint8_t entropy[MLKEM_ENCAP_ENTROPY])
 {
-        const struct public_key *pub = public_key_1024_from_external(public_key);
+        struct public_key pub;
        uint8_t key_and_randomness[64];
        uint8_t input[64];
+        public_key_from_external(public_key, &pub);
        memcpy(input, entropy, MLKEM_ENCAP_ENTROPY);
-        memcpy(input + MLKEM_ENCAP_ENTROPY, pub->public_key_hash,
+        memcpy(input + MLKEM_ENCAP_ENTROPY, pub.public_key_hash,
            sizeof(input) - MLKEM_ENCAP_ENTROPY);
        hash_g(key_and_randomness, input, sizeof(input));
-        encrypt_cpa(out_ciphertext, pub, entropy, key_and_randomness + 32);
+        encrypt_cpa(out_ciphertext, &pub, entropy, key_and_randomness + 32,
+            public_key->rank);
        memcpy(out_shared_secret, key_and_randomness, 32);
+        explicit_bzero(key_and_randomness, sizeof(key_and_randomness));
+        explicit_bzero(input, sizeof(input));
 }
 static void
 decrypt_cpa(uint8_t out[32], const struct private_key *priv,
-    const uint8_t ciphertext[MLKEM1024_CIPHERTEXT_BYTES])
+    const uint8_t *ciphertext, size_t rank)
 {
+        scalar u[MLKEM1024_RANK];
        scalar mask, v;
-        vector u;
+        int u_bits = kDU768;
+        int v_bits = kDV768;
-        vector_decode(&u, ciphertext, kDU1024);
-        vector_decompress(&u, kDU1024);
+        if (rank == MLKEM1024_RANK) {
-        vector_ntt(&u);
+                u_bits = kDU1024;
-        scalar_decode(&v, ciphertext + kCompressedVectorSize, kDV1024);
+                v_bits = kDV1024;
-        scalar_decompress(&v, kDV1024);
+        }
-        scalar_inner_product(&mask, &priv->s, &u);
+        vector_decode(&u[0], ciphertext, u_bits, rank);
+        vector_decompress(&u[0], u_bits, rank);
+        vector_ntt(&u[0], rank);
+        scalar_decode(&v, ciphertext + compressed_vector_size(rank), v_bits);
+        scalar_decompress(&v, v_bits);
+        scalar_inner_product(&mask, &priv->s[0], &u[0], rank);
        scalar_inverse_ntt(&mask);
        scalar_sub(&v, &mask);
        scalar_compress(&v, 1);
        scalar_encode_1(out, &v);
+        explicit_bzero(u, sizeof(u));
 }
 /* See section 6.3 */
 int
-MLKEM1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+mlkem_decap(const MLKEM_private_key *private_key, const uint8_t *ciphertext,
-    const uint8_t *ciphertext, size_t ciphertext_len,
+    size_t ciphertext_len, uint8_t out_shared_secret[MLKEM_SHARED_SECRET_LENGTH])
-    const struct MLKEM1024_private_key *private_key)
 {
-        const struct private_key *priv = private_key_1024_from_external(
+        struct private_key priv;
-            private_key);
+        size_t expected_ciphertext_length = private_key->rank == MLKEM768_RANK ?
-        uint8_t expected_ciphertext[MLKEM1024_CIPHERTEXT_BYTES];
+            MLKEM768_CIPHERTEXT_BYTES : MLKEM1024_CIPHERTEXT_BYTES;
+        uint8_t *expected_ciphertext = NULL;
        uint8_t key_and_randomness[64];
        uint8_t failure_key[32];
        uint8_t decrypted[64];
        uint8_t mask;
        int i;
+        int ret = 0;
-        if (ciphertext_len != MLKEM1024_CIPHERTEXT_BYTES) {
+        if (ciphertext_len != expected_ciphertext_length) {
-                arc4random_buf(out_shared_secret, MLKEM_SHARED_SECRET_BYTES);
+                arc4random_buf(out_shared_secret, MLKEM_SHARED_SECRET_LENGTH);
-                return 0;
+                goto err;
        }
-        decrypt_cpa(decrypted, priv, ciphertext);
+        if ((expected_ciphertext = calloc(1, expected_ciphertext_length)) ==
-        memcpy(decrypted + 32, priv->pub.public_key_hash,
+            NULL) {
+                arc4random_buf(out_shared_secret, MLKEM_SHARED_SECRET_LENGTH);
+                goto err;
+        }
+        private_key_from_external(private_key, &priv);
+        decrypt_cpa(decrypted, &priv, ciphertext, private_key->rank);
+        memcpy(decrypted + 32, priv.pub.public_key_hash,
            sizeof(decrypted) - 32);
        hash_g(key_and_randomness, decrypted, sizeof(decrypted));
-        encrypt_cpa(expected_ciphertext, &priv->pub, decrypted,
+        encrypt_cpa(expected_ciphertext, &priv.pub, decrypted,
-            key_and_randomness + 32);
+            key_and_randomness + 32, private_key->rank);
-        kdf(failure_key, priv->fo_failure_secret, ciphertext, ciphertext_len);
+        kdf(failure_key, priv.fo_failure_secret, ciphertext, ciphertext_len);
        mask = constant_time_eq_int_8(memcmp(ciphertext, expected_ciphertext,
-            sizeof(expected_ciphertext)), 0);
+            expected_ciphertext_length), 0);
-        for (i = 0; i < MLKEM_SHARED_SECRET_BYTES; i++) {
+        for (i = 0; i < MLKEM_SHARED_SECRET_LENGTH; i++) {
                out_shared_secret[i] = constant_time_select_8(mask,
                    key_and_randomness[i], failure_key[i]);
        }
-        return 1;
+        ret = 1;
+ err:
+        freezero(expected_ciphertext, expected_ciphertext_length);
+        explicit_bzero(key_and_randomness, sizeof(key_and_randomness));
+        explicit_bzero(decrypted, sizeof(decrypted));
+        return ret;
 }
-LCRYPTO_ALIAS(MLKEM1024_decap);
 int
-MLKEM1024_marshal_public_key(CBB *out,
+mlkem_marshal_public_key(const MLKEM_public_key *public_key,
-    const struct MLKEM1024_public_key *public_key)
+    uint8_t **output, size_t *output_len)
 {
-        return mlkem_marshal_public_key(out,
+        struct public_key pub;
-            public_key_1024_from_external(public_key));
+        int ret = 0;
+        CBB cbb;
+        if (!CBB_init(&cbb, public_key->rank == MLKEM768_RANK ?
+            MLKEM768_PUBLIC_KEY_BYTES : MLKEM1024_PUBLIC_KEY_BYTES))
+                goto err;
+        public_key_from_external(public_key, &pub);
+        if (!mlkem_marshal_public_key_internal(&cbb, &pub, public_key->rank))
+                goto err;
+        if (!CBB_finish(&cbb, output, output_len))
+                goto err;
+        ret = 1;
+ err:
+        CBB_cleanup(&cbb);
+        return ret;
 }
-LCRYPTO_ALIAS(MLKEM1024_marshal_public_key);
 /*
 * mlkem_parse_public_key_no_hash parses |in| into |pub| but doesn't calculate
 * the value of |pub->public_key_hash|.
 */
 static int
-mlkem_parse_public_key_no_hash(struct public_key *pub, CBS *in)
+mlkem_parse_public_key_no_hash(struct public_key *pub, CBS *in, size_t rank)
 {
        CBS t_bytes;
-        if (!CBS_get_bytes(in, &t_bytes, kEncodedVectorSize) ||
+        if (!CBS_get_bytes(in, &t_bytes, encoded_vector_size(rank)))
-            !vector_decode(&pub->t, CBS_data(&t_bytes), kLog2Prime)) {
                return 0;
-        }
+        if (!vector_decode(&pub->t[0], CBS_data(&t_bytes), kLog2Prime, rank))
-        memcpy(pub->rho, CBS_data(in), sizeof(pub->rho));
-        if (!CBS_skip(in, sizeof(pub->rho)))
                return 0;
-        matrix_expand(&pub->m, pub->rho);
-        return 1;
-}
-int
+        memcpy(pub->rho, CBS_data(in), 32);
-MLKEM1024_parse_public_key(struct MLKEM1024_public_key *public_key, CBS *in)
+        if (!CBS_skip(in, 32))
-{
-        struct public_key *pub = public_key_1024_from_external(public_key);
-        CBS orig_in = *in;
-        if (!mlkem_parse_public_key_no_hash(pub, in) ||
-            CBS_len(in) != 0) {
                return 0;
-        }
+        matrix_expand(pub->m, pub->rho, rank);
-        hash_h(pub->public_key_hash, CBS_data(&orig_in), CBS_len(&orig_in));
        return 1;
 }
-LCRYPTO_ALIAS(MLKEM1024_parse_public_key);
 int
-MLKEM1024_marshal_private_key(CBB *out,
+mlkem_parse_public_key(const uint8_t *input, size_t input_len,
-    const struct MLKEM1024_private_key *private_key)
+    MLKEM_public_key *public_key)
 {
-        const struct private_key *const priv = private_key_1024_from_external(
+        struct public_key pub;
-            private_key);
+        CBS cbs;
-        uint8_t *s_output;
-        if (!CBB_add_space(out, &s_output, kEncodedVectorSize)) {
+        public_key_from_external(public_key, &pub);
+        CBS_init(&cbs, input, input_len);
+        if (!mlkem_parse_public_key_no_hash(&pub, &cbs, public_key->rank))
                return 0;
-        }
+        if (CBS_len(&cbs) != 0)
-        vector_encode(s_output, &priv->s, kLog2Prime);
-        if (!mlkem_marshal_public_key(out, &priv->pub) ||
-            !CBB_add_bytes(out, priv->pub.public_key_hash,
-            sizeof(priv->pub.public_key_hash)) ||
-            !CBB_add_bytes(out, priv->fo_failure_secret,
-            sizeof(priv->fo_failure_secret))) {
                return 0;
-        }
+        hash_h(pub.public_key_hash, input, input_len);
        return 1;
 }
 int
-MLKEM1024_parse_private_key(struct MLKEM1024_private_key *out_private_key,
+mlkem_marshal_private_key(const MLKEM_private_key *private_key,
-    CBS *in)
+    uint8_t **out_private_key, size_t *out_private_key_len)
 {
-        struct private_key *const priv = private_key_1024_from_external(
+        struct private_key priv;
-            out_private_key);
+        size_t key_length = private_key->rank == MLKEM768_RANK ?
-        CBS s_bytes;
+            MLKEM768_PRIVATE_KEY_BYTES : MLKEM1024_PRIVATE_KEY_BYTES;
+        CBB cbb;
+        int ret = 0;
-        if (!CBS_get_bytes(in, &s_bytes, kEncodedVectorSize) ||
+        private_key_from_external(private_key, &priv);
-            !vector_decode(&priv->s, CBS_data(&s_bytes), kLog2Prime) ||
+        if (!CBB_init(&cbb, key_length))
-            !mlkem_parse_public_key_no_hash(&priv->pub, in)) {
+                goto err;
-                return 0;
-        }
-        memcpy(priv->pub.public_key_hash, CBS_data(in),
-            sizeof(priv->pub.public_key_hash));
-        if (!CBS_skip(in, sizeof(priv->pub.public_key_hash)))
-                return 0;
-        memcpy(priv->fo_failure_secret, CBS_data(in),
-            sizeof(priv->fo_failure_secret));
-        if (!CBS_skip(in, sizeof(priv->fo_failure_secret)))
-                return 0;
-        if (CBS_len(in) != 0)
-                return 0;
-        return 1;
+        if (!vector_encode_cbb(&cbb, priv.s, kLog2Prime, private_key->rank))
+                goto err;
+        if (!mlkem_marshal_public_key_internal(&cbb, &priv.pub,
+            private_key->rank))
+                goto err;
+        if (!CBB_add_bytes(&cbb, priv.pub.public_key_hash, 32))
+                goto err;
+        if (!CBB_add_bytes(&cbb, priv.fo_failure_secret, 32))
+                goto err;
+        if (!CBB_finish(&cbb, out_private_key, out_private_key_len))
+                goto err;
+        ret = 1;
+ err:
+        CBB_cleanup(&cbb);
+        explicit_bzero(&priv, sizeof(priv));
+        return ret;
+}
+int
+mlkem_parse_private_key(const uint8_t *input, size_t input_len,
+    MLKEM_private_key *out_private_key)
+{
+        struct private_key priv;
+        CBS cbs, s_bytes;
+        int ret = 0;
+        private_key_from_external(out_private_key, &priv);
+        CBS_init(&cbs, input, input_len);
+        if (!CBS_get_bytes(&cbs, &s_bytes,
+            encoded_vector_size(out_private_key->rank)))
+                goto err;
+        if (!vector_decode(priv.s, CBS_data(&s_bytes), kLog2Prime,
+            out_private_key->rank))
+                goto err;
+        if (!mlkem_parse_public_key_no_hash(&priv.pub, &cbs,
+            out_private_key->rank))
+                goto err;
+        memcpy(priv.pub.public_key_hash, CBS_data(&cbs), 32);
+        if (!CBS_skip(&cbs, 32))
+                goto err;
+        memcpy(priv.fo_failure_secret, CBS_data(&cbs), 32);
+        if (!CBS_skip(&cbs, 32))
+                goto err;
+        if (CBS_len(&cbs) != 0)
+                goto err;
+        ret = 1;
+ err:
+        explicit_bzero(&priv, sizeof(priv));
+        return ret;
 }
-LCRYPTO_ALIAS(MLKEM1024_parse_private_key);
diff --git a/src/lib/libcrypto/mlkem/mlkem_internal.h b/src/lib/libcrypto/mlkem/mlkem_internal.h
index d3f325932f..42b5ba03b8 100644
--- a/src/lib/libcrypto/mlkem/mlkem_internal.h
+++ b/src/lib/libcrypto/mlkem/mlkem_internal.h
@@ -1,6 +1,7 @@
-/*      $OpenBSD: mlkem_internal.h,v 1.4 2024/12/19 23:52:26 tb Exp $ */
+/*      $OpenBSD: mlkem_internal.h,v 1.14 2026/01/18 08:58:31 tb Exp $ */
 /*
 * Copyright (c) 2023, Google Inc.
+ * Copyright (c) 2025, Bob Beck <beck@obtuse.com>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -27,6 +28,101 @@ extern "C" {
 __BEGIN_HIDDEN_DECLS
+/* Public opaque ML-KEM key structures. */
+#define MLKEM_PUBLIC_KEY_UNINITIALIZED 1
+#define MLKEM_PUBLIC_KEY_INITIALIZED 2
+#define MLKEM_PRIVATE_KEY_UNINITIALIZED 3
+#define MLKEM_PRIVATE_KEY_INITIALIZED 4
+struct MLKEM_public_key_st {
+        uint16_t rank;
+        int state;
+        struct MLKEM768_public_key *key_768;
+        struct MLKEM1024_public_key *key_1024;
+};
+struct MLKEM_private_key_st {
+        uint16_t rank;
+        int state;
+        struct MLKEM768_private_key *key_768;
+        struct MLKEM1024_private_key *key_1024;
+};
+/*
+ * ML-KEM-768 and ML-KEM-1024
+ *
+ * This implements the Module-Lattice-Based Key-Encapsulation Mechanism from
+ * https://csrc.nist.gov/pubs/fips/204/final
+ *
+ * You should prefer ML-KEM-768 where possible. ML-KEM-1024 is larger and exists
+ * for people who are obsessed with more 'bits of crypto', and who are also
+ * lacking the knowledge to realize that anything that can count to 256 bits
+ * must likely use an equivalent amount of energy to that of an entire star to
+ * do so.
+ *
+ * ML-KEM-768 is adequate to protect against a future cryptographically relevant
+ * quantum computer, VIC 20, abacus, or carefully calibrated reference dog. I
+ * for one plan on welcoming our new Kardashev-II civilization overlords with
+ * open arms. In the meantime will not waste bytes on the wire by to adding
+ * the fear of the possible future existence of a cryptographically relevant
+ * Dyson sphere to the aforementioned list of fear-inducing future
+ * cryptographically relevant hypotheticals.
+ *
+ * If your carefully calibrated reference dog notices the sun starting to dim,
+ * you might need ML-KEM-1024, but you probably have bigger concerns than
+ * the decryption of your stored past TLS sessions at that point.
+ */
+/*
+ * MLKEM1024_public_key contains an ML-KEM-1024 public key. The contents of this
+ * object should never leave the address space since the format is unstable.
+ */
+struct MLKEM1024_public_key {
+        uint8_t bytes[512 * (4 + 16) + 32 + 32];
+        uint16_t alignment;
+};
+/*
+ * MLKEM1024_private_key contains a ML-KEM-1024 private key. The contents of
+ * this object should never leave the address space since the format is
+ * unstable.
+ */
+struct MLKEM1024_private_key {
+        uint8_t bytes[512 * (4 + 4 + 16) + 32 + 32 + 32];
+        uint16_t alignment;
+};
+/*
+ * MLKEM768_public_key contains a ML-KEM-768 public key. The contents of this
+ * object should never leave the address space since the format is unstable.
+ */
+struct MLKEM768_public_key {
+        uint8_t bytes[512 * (3 + 9) + 32 + 32];
+        uint16_t alignment;
+};
+/*
+ * MLKEM768_private_key contains a ML-KEM-768 private key. The contents of this
+ * object should never leave the address space since the format is unstable.
+ */
+struct MLKEM768_private_key {
+        uint8_t bytes[512 * (3 + 3 + 9) + 32 + 32 + 32];
+        uint16_t alignment;
+};
+/*
+ * MLKEM_SEED_LENGTH is the number of bytes in an ML-KEM seed. An ML-KEM
+ * seed is normally used to represent a private key.
+ */
+#define MLKEM_SEED_LENGTH 64
+/*
+ * MLKEM_SHARED_SECRET_LENGTH is the number of bytes in an ML-KEM shared
+ * secret.
+ */
+#define MLKEM_SHARED_SECRET_LENGTH 32
 /*
 * MLKEM_ENCAP_ENTROPY is the number of bytes of uniformly random entropy
 * necessary to encapsulate a secret. The entropy will be leaked to the
@@ -34,84 +130,171 @@ __BEGIN_HIDDEN_DECLS
 */
 #define MLKEM_ENCAP_ENTROPY 32
+/* MLKEM1024_CIPHERTEXT_BYTES is number of bytes in the ML-KEM-1024 ciphertext. */
+#define MLKEM1024_CIPHERTEXT_BYTES 1568
+/* MLKEM768_CIPHERTEXT_BYTES is number of bytes in the ML-KEM768 ciphertext. */
+#define MLKEM768_CIPHERTEXT_BYTES 1088
 /*
- * MLKEM768_generate_key_external_entropy is a deterministic function to create a
+ * MLKEM768_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM768 public
- * pair of ML-KEM 768 keys, using the supplied entropy. The entropy needs to be
+ * key.
- * uniformly random generated. This function is should only be used for tests,
+ */
- * regular callers should use the non-deterministic |MLKEM_generate_key|
+#define MLKEM768_PUBLIC_KEY_BYTES 1184
- * directly.
+/*
+ * MLKEM1024_PUBLIC_KEY_BYTES is the number of bytes in an encoded ML-KEM-1024
+ * public key.
 */
-void MLKEM768_generate_key_external_entropy(
+#define MLKEM1024_PUBLIC_KEY_BYTES 1568
-    uint8_t out_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES],
-    struct MLKEM768_private_key *out_private_key,
-    const uint8_t entropy[MLKEM_SEED_BYTES]);
 /*
 * MLKEM768_PRIVATE_KEY_BYTES is the length of the data produced by
- * |MLKEM768_marshal_private_key|.
+ * |marshal_private_key| for a RANK768 MLKEM_private_key.
 */
 #define MLKEM768_PRIVATE_KEY_BYTES 2400
 /*
- * MLKEM768_marshal_private_key serializes |private_key| to |out| in the standard
+ * MLKEM1024_PRIVATE_KEY_BYTES is the length of the data produced by
- * format for ML-KEM private keys. It returns one on success or zero on
+ * |marshal_private_key| for a RANK1024 MLKEM_private_key.
- * allocation error.
 */
-int MLKEM768_marshal_private_key(CBB *out,
+#define MLKEM1024_PRIVATE_KEY_BYTES 3168
-    const struct MLKEM768_private_key *private_key);
 /*
- * MLKEM_encap_external_entropy behaves like |MLKEM_encap|, but uses
+ * Internal MLKEM 768 and MLKEM 1024 functions come largely from BoringSSL, but
- * |MLKEM_ENCAP_ENTROPY| bytes of |entropy| for randomization. The decapsulating
+ * converted to C from templated C++. Due to this history, most internal
- * side will be able to recover |entropy| in full. This function should only be
+ * functions do not allocate, and are expected to be handed memory allocated by
- * used for tests, regular callers should use the non-deterministic
+ * the caller. The caller is generally expected to know what sizes to allocate
- * |MLKEM_encap| directly.
+ * based upon the rank of the key (either public or private) that they are
+ * starting with. This avoids the need to handle memory allocation failures
+ * (which boring in C++ just crashes by choice) deep in the implementation, as
+ * what is needed is allocated up front in the public facing functions, and
+ * failure is handled there.
 */
-void MLKEM768_encap_external_entropy(
-    uint8_t out_ciphertext[MLKEM768_CIPHERTEXT_BYTES],
+/* Key generation. */
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const struct MLKEM768_public_key *public_key,
-    const uint8_t entropy[MLKEM_ENCAP_ENTROPY]);
 /*
- * MLKEM1024_generate_key_external_entropy is a deterministic function to create a
+ * mlkem_private_key_from_seed modifies |out_private_key| to contain a key of
- * pair of ML-KEM 1024 keys, using the supplied entropy. The entropy needs to be
+ * the rank of |*out_private_key| from a seed that was generated by
- * uniformly random generated. This function is should only be used for tests,
+ * |MLKEM_generate_key|. It fails and returns 0 if |seed_len| is incorrect, or
- * regular callers should use the non-deterministic |MLKEM_generate_key|
+ * if |*out_private_key| has not been initialized. otherwise it writes to
- * directly.
+ * |*out_private_key| and returns 1.
 */
-void MLKEM1024_generate_key_external_entropy(
+int mlkem_private_key_from_seed(const uint8_t *seed, size_t seed_len,
-    uint8_t out_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES],
+    MLKEM_private_key *out_private_key);
-    struct MLKEM1024_private_key *out_private_key,
-    const uint8_t entropy[MLKEM_SEED_BYTES]);
 /*
- * MLKEM1024_PRIVATE_KEY_BYTES is the length of the data produced by
+ * mlkem_public_from_private sets |*out_public_key| to the public key that
- * |MLKEM1024_marshal_private_key|.
+ * corresponds to |*private_key|. (This is faster than parsing the output of
+ * |MLKEM_generate_key| if, for some reason, you need to encapsulate to a key
+ * that was just generated.)
 */
-#define MLKEM1024_PRIVATE_KEY_BYTES 3168
+void mlkem_public_from_private(const MLKEM_private_key *private_key,
+    MLKEM_public_key *out_public_key);
+/* Encapsulation and decapsulation of secrets. */
+/*
+ * mlkem_decap decrypts a shared secret from |ciphertext| using |private_key|
+ * and writes it to |out_shared_secret|. If |ciphertext_len| is incorrect it
+ * returns 0, otherwise it returns 1. If |ciphertext| is invalid,
+ * |out_shared_secret| is filled with a key that will always be the same for the
+ * same |ciphertext| and |private_key|, but which appears to be random unless
+ * one has access to |private_key|. These alternatives occur in constant time.
+ * Any subsequent symmetric encryption using |out_shared_secret| must use an
+ * authenticated encryption scheme in order to discover the decapsulation
+ * failure.
+ */
+int mlkem_decap(const MLKEM_private_key *private_key,
+    const uint8_t *ciphertext, size_t ciphertext_len,
+    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_LENGTH]);
+/* Serialisation of keys. */
+/*
+ * mlkem_marshal_public_key serializes |public_key| to |output| in the standard
+ * format for ML-KEM public keys. It returns one on success or zero on allocation
+ * error.
+ */
+int mlkem_marshal_public_key(const MLKEM_public_key *public_key,
+    uint8_t **output, size_t *output_len);
+/*
+ * mlkem_parse_public_key parses a public key, in the format generated by
+ * |MLKEM_marshal_public_key|, from |input| and writes the result to
+ * |out_public_key|. It returns one on success or zero on parse error or if
+ * there are trailing bytes in |input|.
+ */
+int mlkem_parse_public_key(const uint8_t *input, size_t input_len,
+    MLKEM_public_key *out_public_key);
+/*
+ * mlkem_parse_private_key parses a private key, in the format generated by
+ * |MLKEM_marshal_private_key|, from |input| and writes the result to
+ * |out_private_key|. It returns one on success or zero on parse error or if
+ * there are trailing bytes in |input|. This format is verbose and should be avoided.
+ * Private keys should be stored as seeds and parsed using |mlkem_private_key_from_seed|.
+ */
+int mlkem_parse_private_key(const uint8_t *input, size_t input_len,
+    MLKEM_private_key *out_private_key);
+/* Functions that are only used for test purposes. */
+/*
+ * mlkem_generate_key_external_entropy is a deterministic function to create a
+ * pair of ML-KEM keys, using the supplied entropy. The entropy needs to be
+ * uniformly random generated. This function should only be used for tests,
+ * regular callers should use the non-deterministic |MLKEM_generate_key|
+ * directly.
+ */
+int mlkem_generate_key_external_entropy(uint8_t *out_encoded_public_key,
+    MLKEM_private_key *out_private_key,
+    const uint8_t entropy[MLKEM_SEED_LENGTH]);
 /*
- * MLKEM1024_marshal_private_key serializes |private_key| to |out| in the
+ * mlkem_marshal_private_key serializes |private_key| to |out_private_key| in the standard
- * standard format for ML-KEM private keys. It returns one on success or zero on
+ * format for ML-KEM private keys. It returns one on success or zero on
 * allocation error.
 */
-int MLKEM1024_marshal_private_key(CBB *out,
+int mlkem_marshal_private_key(const MLKEM_private_key *private_key,
-    const struct MLKEM1024_private_key *private_key);
+    uint8_t **out_private_key, size_t *out_private_key_len);
 /*
- * MLKEM_encap_external_entropy behaves like |MLKEM_encap|, but uses
+ * mlkem_encap_external_entropy behaves like |MLKEM_encap|, but uses
 * |MLKEM_ENCAP_ENTROPY| bytes of |entropy| for randomization. The decapsulating
 * side will be able to recover |entropy| in full. This function should only be
 * used for tests, regular callers should use the non-deterministic
 * |MLKEM_encap| directly.
 */
-void MLKEM1024_encap_external_entropy(
+void mlkem_encap_external_entropy(uint8_t *out_ciphertext,
-    uint8_t out_ciphertext[MLKEM1024_CIPHERTEXT_BYTES],
+    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_LENGTH],
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
+    const MLKEM_public_key *public_key,
-    const struct MLKEM1024_public_key *public_key,
    const uint8_t entropy[MLKEM_ENCAP_ENTROPY]);
+/*
+ * |MLKEM_encap_external_entropy| behaves exactly like the public |MLKEM_encap|
+ * with the entropy provided by the caller. It is directly called internally
+ * and by tests.
+ */
+int MLKEM_encap_external_entropy(const MLKEM_public_key *public_key,
+    const uint8_t *entropy, uint8_t **out_ciphertext,
+    size_t *out_ciphertext_len, uint8_t **out_shared_secret,
+    size_t *out_shared_secret_len);
+/*
+ * |MLKEM_generate_key_external_entropy| behaves exactly like the public
+ * |MLKEM_generate_key| with the entropy provided by the caller.
+ * It is directly called internally and by tests.
+ */
+int MLKEM_generate_key_external_entropy(MLKEM_private_key *private_key,
+    uint8_t **out_encoded_public_key, size_t *out_encoded_public_key_len,
+    const uint8_t *entropy);
 __END_HIDDEN_DECLS
 #if defined(__cplusplus)
diff --git a/src/lib/libcrypto/mlkem/mlkem_key.c b/src/lib/libcrypto/mlkem/mlkem_key.c
new file mode 100644
index 0000000000..d4e3d69d88
--- /dev/null
+++ b/src/lib/libcrypto/mlkem/mlkem_key.c
@@ -0,0 +1,188 @@
+/* $OpenBSD: mlkem_key.c,v 1.5 2026/01/01 12:47:52 tb Exp $ */
+/*
+ * Copyright (c) 2025 Bob Beck <beck@obtuse.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/mlkem.h>
+#include "mlkem_internal.h"
+MLKEM_private_key *
+MLKEM_private_key_new(int rank)
+{
+        MLKEM_private_key *key = NULL;
+        MLKEM_private_key *ret = NULL;
+        if ((key = calloc(1, sizeof(*key))) == NULL)
+                goto err;
+        switch (rank) {
+        case MLKEM768_RANK:
+                if ((key->key_768 = calloc(1, sizeof(*key->key_768))) == NULL)
+                        goto err;
+                break;
+        case MLKEM1024_RANK:
+                if ((key->key_1024 = calloc(1, sizeof(*key->key_1024))) == NULL)
+                        goto err;
+                break;
+        default:
+                goto err;
+        }
+        key->rank = rank;
+        key->state = MLKEM_PRIVATE_KEY_UNINITIALIZED;
+        ret = key;
+        key = NULL;
+ err:
+        MLKEM_private_key_free(key);
+        return ret;
+}
+LCRYPTO_ALIAS(MLKEM_private_key_new);
+void
+MLKEM_private_key_free(MLKEM_private_key *key)
+{
+        if (key == NULL)
+                return;
+        freezero(key->key_768, sizeof(*key->key_768));
+        freezero(key->key_1024, sizeof(*key->key_1024));
+        freezero(key, sizeof(*key));
+}
+LCRYPTO_ALIAS(MLKEM_private_key_free);
+size_t
+MLKEM_private_key_encoded_length(const MLKEM_private_key *key)
+{
+        if (key == NULL)
+                return 0;
+        switch (key->rank) {
+        case MLKEM768_RANK:
+                return MLKEM768_PRIVATE_KEY_BYTES;
+        case MLKEM1024_RANK:
+                return MLKEM1024_PRIVATE_KEY_BYTES;
+        default:
+                return 0;
+        }
+        return 0;
+}
+LCRYPTO_ALIAS(MLKEM_private_key_encoded_length);
+size_t
+MLKEM_private_key_ciphertext_length(const MLKEM_private_key *key)
+{
+        if (key == NULL)
+                return 0;
+        switch (key->rank) {
+        case MLKEM768_RANK:
+                return MLKEM768_CIPHERTEXT_BYTES;
+        case MLKEM1024_RANK:
+                return MLKEM1024_CIPHERTEXT_BYTES;
+        default:
+                return 0;
+        }
+        return 0;
+}
+LCRYPTO_ALIAS(MLKEM_private_key_ciphertext_length);
+MLKEM_public_key *
+MLKEM_public_key_new(int rank)
+{
+        MLKEM_public_key *key = NULL;
+        MLKEM_public_key *ret = NULL;
+        if ((key = calloc(1, sizeof(*key))) == NULL)
+                goto err;
+        switch (rank) {
+        case MLKEM768_RANK:
+                if ((key->key_768 = calloc(1, sizeof(*key->key_768))) == NULL)
+                        goto err;
+                break;
+        case MLKEM1024_RANK:
+                if ((key->key_1024 = calloc(1, sizeof(*key->key_1024))) == NULL)
+                        goto err;
+                break;
+        default:
+                goto err;
+        }
+        key->rank = rank;
+        key->state = MLKEM_PUBLIC_KEY_UNINITIALIZED;
+        ret = key;
+        key = NULL;
+ err:
+        MLKEM_public_key_free(key);
+        return ret;
+}
+LCRYPTO_ALIAS(MLKEM_public_key_new);
+void
+MLKEM_public_key_free(MLKEM_public_key *key)
+{
+        if (key == NULL)
+                return;
+        freezero(key->key_768, sizeof(*key->key_768));
+        freezero(key->key_1024, sizeof(*key->key_1024));
+        freezero(key, sizeof(*key));
+}
+LCRYPTO_ALIAS(MLKEM_public_key_free);
+size_t
+MLKEM_public_key_encoded_length(const MLKEM_public_key *key)
+{
+        if (key == NULL)
+                return 0;
+        switch (key->rank) {
+        case MLKEM768_RANK:
+                return MLKEM768_PUBLIC_KEY_BYTES;
+        case MLKEM1024_RANK:
+                return MLKEM1024_PUBLIC_KEY_BYTES;
+        default:
+                return 0;
+        }
+        return 0;
+}
+LCRYPTO_ALIAS(MLKEM_public_key_encoded_length);
+size_t
+MLKEM_public_key_ciphertext_length(const MLKEM_public_key *key)
+{
+        if (key == NULL)
+                return 0;
+        switch (key->rank) {
+        case MLKEM768_RANK:
+                return MLKEM768_CIPHERTEXT_BYTES;
+        case MLKEM1024_RANK:
+                return MLKEM1024_CIPHERTEXT_BYTES;
+        default:
+                return 0;
+        }
+        return 0;
+}
+LCRYPTO_ALIAS(MLKEM_public_key_ciphertext_length);
diff --git a/src/lib/libcrypto/modes/asm/ghash-x86.pl b/src/lib/libcrypto/modes/asm/ghash-x86.pl
index 47833582b6..395c680cc5 100644
--- a/src/lib/libcrypto/modes/asm/ghash-x86.pl
+++ b/src/lib/libcrypto/modes/asm/ghash-x86.pl
@@ -119,8 +119,7 @@ require "x86asm.pl";
 &asm_init($ARGV[0],"ghash-x86.pl",$x86only = $ARGV[$#ARGV] eq "386");
-$sse2=0;
+$sse2=1;
-for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 ($Zhh,$Zhl,$Zlh,$Zll) = ("ebp","edx","ecx","ebx");
 $inp  = "edi";
diff --git a/src/lib/libcrypto/modes/cbc128.c b/src/lib/libcrypto/modes/cbc128.c
index f8ebf79a87..1b6858ee25 100644
--- a/src/lib/libcrypto/modes/cbc128.c
+++ b/src/lib/libcrypto/modes/cbc128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cbc128.c,v 1.8 2023/07/08 14:56:54 beck Exp $ */
+/* $OpenBSD: cbc128.c,v 1.11 2025/04/23 10:09:08 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
 *
@@ -49,15 +49,11 @@
 *
 */
-#include <openssl/crypto.h>
-#include "modes_local.h"
 #include <string.h>
-#ifndef MODES_DEBUG
+#include <openssl/crypto.h>
-# ifndef NDEBUG
-#  define NDEBUG
+#include "modes_local.h"
-# endif
-#endif
 #undef STRICT_ALIGNMENT
 #ifdef __STRICT_ALIGNMENT
@@ -74,7 +70,6 @@ CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned char *out,
        size_t n;
        const unsigned char *iv = ivec;
-#if !defined(OPENSSL_SMALL_FOOTPRINT)
        if (STRICT_ALIGNMENT &&
            ((size_t)in|(size_t)out|(size_t)ivec) % sizeof(size_t) != 0) {
                while (len >= 16) {
@@ -98,7 +93,6 @@ CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned char *out,
                        out += 16;
                }
        }
-#endif
        while (len) {
                for (n = 0; n < 16 && n < len; ++n)
                        out[n] = in[n] ^ iv[n];
@@ -127,7 +121,6 @@ CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
                unsigned char c[16];
        } tmp;
-#if !defined(OPENSSL_SMALL_FOOTPRINT)
        if (in != out) {
                const unsigned char *iv = ivec;
@@ -192,7 +185,6 @@ CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
                        }
                }
        }
-#endif
        while (len) {
                unsigned char c;
                (*block)(in, tmp.c, key);
diff --git a/src/lib/libcrypto/modes/ccm128.c b/src/lib/libcrypto/modes/ccm128.c
index 68c5cce5da..e27681ee62 100644
--- a/src/lib/libcrypto/modes/ccm128.c
+++ b/src/lib/libcrypto/modes/ccm128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ccm128.c,v 1.8 2023/07/08 14:56:54 beck Exp $ */
+/* $OpenBSD: ccm128.c,v 1.12 2025/05/18 09:21:29 bcook Exp $ */
 /* ====================================================================
 * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
 *
@@ -48,15 +48,11 @@
 * ====================================================================
 */
-#include <openssl/crypto.h>
-#include "modes_local.h"
 #include <string.h>
-#ifndef MODES_DEBUG
+#include <openssl/crypto.h>
-# ifndef NDEBUG
-#  define NDEBUG
+#include "modes_local.h"
-# endif
-#endif
 /* First you setup M and L parameters and pass the key schedule.
 * This is called once per session setup... */
@@ -65,7 +61,7 @@ CRYPTO_ccm128_init(CCM128_CONTEXT *ctx,
    unsigned int M, unsigned int L, void *key, block128_f block)
 {
        memset(ctx->nonce.c, 0, sizeof(ctx->nonce.c));
-        ctx->nonce.c[0] = ((u8)(L - 1) & 7) | (u8)(((M - 2)/2) & 7) << 3;
+        ctx->nonce.c[0] = ((uint8_t)(L - 1) & 7) | (uint8_t)(((M - 2)/2) & 7) << 3;
        ctx->blocks = 0;
        ctx->block = block;
        ctx->key = key;
@@ -85,17 +81,17 @@ CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx,
                return -1;              /* nonce is too short */
        if (sizeof(mlen) == 8 && L >= 3) {
-                ctx->nonce.c[8] = (u8)(mlen >> (56 % (sizeof(mlen)*8)));
+                ctx->nonce.c[8] = (uint8_t)(mlen >> (56 % (sizeof(mlen)*8)));
-                ctx->nonce.c[9] = (u8)(mlen >> (48 % (sizeof(mlen)*8)));
+                ctx->nonce.c[9] = (uint8_t)(mlen >> (48 % (sizeof(mlen)*8)));
-                ctx->nonce.c[10] = (u8)(mlen >> (40 % (sizeof(mlen)*8)));
+                ctx->nonce.c[10] = (uint8_t)(mlen >> (40 % (sizeof(mlen)*8)));
-                ctx->nonce.c[11] = (u8)(mlen >> (32 % (sizeof(mlen)*8)));
+                ctx->nonce.c[11] = (uint8_t)(mlen >> (32 % (sizeof(mlen)*8)));
        } else
                ctx->nonce.u[1] = 0;
-        ctx->nonce.c[12] = (u8)(mlen >> 24);
+        ctx->nonce.c[12] = (uint8_t)(mlen >> 24);
-        ctx->nonce.c[13] = (u8)(mlen >> 16);
+        ctx->nonce.c[13] = (uint8_t)(mlen >> 16);
-        ctx->nonce.c[14] = (u8)(mlen >> 8);
+        ctx->nonce.c[14] = (uint8_t)(mlen >> 8);
-        ctx->nonce.c[15] = (u8)mlen;
+        ctx->nonce.c[15] = (uint8_t)mlen;
        ctx->nonce.c[0] &= ~0x40;       /* clear Adata flag */
        memcpy(&ctx->nonce.c[1], nonce, 14 - L);
@@ -120,29 +116,29 @@ CRYPTO_ccm128_aad(CCM128_CONTEXT *ctx,
            ctx->blocks++;
        if (alen < (0x10000 - 0x100)) {
-                ctx->cmac.c[0] ^= (u8)(alen >> 8);
+                ctx->cmac.c[0] ^= (uint8_t)(alen >> 8);
-                ctx->cmac.c[1] ^= (u8)alen;
+                ctx->cmac.c[1] ^= (uint8_t)alen;
                i = 2;
        } else if (sizeof(alen) == 8 &&
            alen >= (size_t)1 << (32 % (sizeof(alen)*8))) {
                ctx->cmac.c[0] ^= 0xFF;
                ctx->cmac.c[1] ^= 0xFF;
-                ctx->cmac.c[2] ^= (u8)(alen >> (56 % (sizeof(alen)*8)));
+                ctx->cmac.c[2] ^= (uint8_t)(alen >> (56 % (sizeof(alen)*8)));
-                ctx->cmac.c[3] ^= (u8)(alen >> (48 % (sizeof(alen)*8)));
+                ctx->cmac.c[3] ^= (uint8_t)(alen >> (48 % (sizeof(alen)*8)));
-                ctx->cmac.c[4] ^= (u8)(alen >> (40 % (sizeof(alen)*8)));
+                ctx->cmac.c[4] ^= (uint8_t)(alen >> (40 % (sizeof(alen)*8)));
-                ctx->cmac.c[5] ^= (u8)(alen >> (32 % (sizeof(alen)*8)));
+                ctx->cmac.c[5] ^= (uint8_t)(alen >> (32 % (sizeof(alen)*8)));
-                ctx->cmac.c[6] ^= (u8)(alen >> 24);
+                ctx->cmac.c[6] ^= (uint8_t)(alen >> 24);
-                ctx->cmac.c[7] ^= (u8)(alen >> 16);
+                ctx->cmac.c[7] ^= (uint8_t)(alen >> 16);
-                ctx->cmac.c[8] ^= (u8)(alen >> 8);
+                ctx->cmac.c[8] ^= (uint8_t)(alen >> 8);
-                ctx->cmac.c[9] ^= (u8)alen;
+                ctx->cmac.c[9] ^= (uint8_t)alen;
                i = 10;
        } else {
                ctx->cmac.c[0] ^= 0xFF;
                ctx->cmac.c[1] ^= 0xFE;
-                ctx->cmac.c[2] ^= (u8)(alen >> 24);
+                ctx->cmac.c[2] ^= (uint8_t)(alen >> 24);
-                ctx->cmac.c[3] ^= (u8)(alen >> 16);
+                ctx->cmac.c[3] ^= (uint8_t)(alen >> 16);
-                ctx->cmac.c[4] ^= (u8)(alen >> 8);
+                ctx->cmac.c[4] ^= (uint8_t)(alen >> 8);
-                ctx->cmac.c[5] ^= (u8)alen;
+                ctx->cmac.c[5] ^= (uint8_t)alen;
                i = 6;
        }
@@ -164,7 +160,7 @@ static void
 ctr64_inc(unsigned char *counter)
 {
        unsigned int n = 8;
-        u8 c;
+        uint8_t c;
        counter += 8;
        do {
@@ -188,8 +184,8 @@ CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx,
        block128_f       block = ctx->block;
        void            *key = ctx->key;
        union {
-                u64 u[2];
+                uint64_t u[2];
-                u8 c[16];
+                uint8_t c[16];
        } scratch;
        if (!(flags0 & 0x40))
@@ -215,16 +211,16 @@ CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx,
        while (len >= 16) {
 #ifdef __STRICT_ALIGNMENT
                union {
-                        u64 u[2];
+                        uint64_t u[2];
-                        u8 c[16];
+                        uint8_t c[16];
                } temp;
                memcpy(temp.c, inp, 16);
                ctx->cmac.u[0] ^= temp.u[0];
                ctx->cmac.u[1] ^= temp.u[1];
 #else
-                ctx->cmac.u[0] ^= ((u64 *)inp)[0];
+                ctx->cmac.u[0] ^= ((uint64_t *)inp)[0];
-                ctx->cmac.u[1] ^= ((u64 *)inp)[1];
+                ctx->cmac.u[1] ^= ((uint64_t *)inp)[1];
 #endif
                (*block)(ctx->cmac.c, ctx->cmac.c, key);
                (*block)(ctx->nonce.c, scratch.c, key);
@@ -234,8 +230,8 @@ CRYPTO_ccm128_encrypt(CCM128_CONTEXT *ctx,
                temp.u[1] ^= scratch.u[1];
                memcpy(out, temp.c, 16);
 #else
-                ((u64 *)out)[0] = scratch.u[0] ^ ((u64 *)inp)[0];
+                ((uint64_t *)out)[0] = scratch.u[0] ^ ((uint64_t *)inp)[0];
-                ((u64 *)out)[1] = scratch.u[1] ^ ((u64 *)inp)[1];
+                ((uint64_t *)out)[1] = scratch.u[1] ^ ((uint64_t *)inp)[1];
 #endif
                inp += 16;
                out += 16;
@@ -275,8 +271,8 @@ CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx,
        block128_f       block = ctx->block;
        void            *key = ctx->key;
        union {
-                u64 u[2];
+                uint64_t u[2];
-                u8 c[16];
+                uint8_t c[16];
        } scratch;
        if (!(flags0 & 0x40))
@@ -297,8 +293,8 @@ CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx,
        while (len >= 16) {
 #ifdef __STRICT_ALIGNMENT
                union {
-                        u64 u[2];
+                        uint64_t u[2];
-                        u8 c[16];
+                        uint8_t c[16];
                } temp;
 #endif
                (*block)(ctx->nonce.c, scratch.c, key);
@@ -309,10 +305,10 @@ CRYPTO_ccm128_decrypt(CCM128_CONTEXT *ctx,
                ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]);
                memcpy(out, scratch.c, 16);
 #else
-                ctx->cmac.u[0] ^= (((u64 *)out)[0] = scratch.u[0] ^
+                ctx->cmac.u[0] ^= (((uint64_t *)out)[0] = scratch.u[0] ^
-                    ((u64 *)inp)[0]);
+                    ((uint64_t *)inp)[0]);
-                ctx->cmac.u[1] ^= (((u64 *)out)[1] = scratch.u[1] ^
+                ctx->cmac.u[1] ^= (((uint64_t *)out)[1] = scratch.u[1] ^
-                    ((u64 *)inp)[1]);
+                    ((uint64_t *)inp)[1]);
 #endif
                (*block)(ctx->cmac.c, ctx->cmac.c, key);
@@ -367,8 +363,8 @@ CRYPTO_ccm128_encrypt_ccm64(CCM128_CONTEXT *ctx,
        block128_f       block = ctx->block;
        void            *key = ctx->key;
        union {
-                u64 u[2];
+                uint64_t u[2];
-                u8 c[16];
+                uint8_t c[16];
        } scratch;
        if (!(flags0 & 0x40))
@@ -434,8 +430,8 @@ CRYPTO_ccm128_decrypt_ccm64(CCM128_CONTEXT *ctx,
        block128_f       block = ctx->block;
        void            *key = ctx->key;
        union {
-                u64 u[2];
+                uint64_t u[2];
-                u8 c[16];
+                uint8_t c[16];
        } scratch;
        if (!(flags0 & 0x40))
diff --git a/src/lib/libcrypto/modes/cfb128.c b/src/lib/libcrypto/modes/cfb128.c
index 931353a620..9a63a46724 100644
--- a/src/lib/libcrypto/modes/cfb128.c
+++ b/src/lib/libcrypto/modes/cfb128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cfb128.c,v 1.7 2023/07/08 14:56:54 beck Exp $ */
+/* $OpenBSD: cfb128.c,v 1.10 2025/04/23 10:09:08 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
 *
@@ -49,15 +49,11 @@
 *
 */
-#include <openssl/crypto.h>
-#include "modes_local.h"
 #include <string.h>
-#ifndef MODES_DEBUG
+#include <openssl/crypto.h>
-# ifndef NDEBUG
-#  define NDEBUG
+#include "modes_local.h"
-# endif
-#endif
 /* The input and output encrypted as though 128bit cfb mode is being
 * used.  The extra state information to record how much of the
@@ -75,7 +71,6 @@ CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out,
        n = *num;
        if (enc) {
-#if !defined(OPENSSL_SMALL_FOOTPRINT)
                if (16 % sizeof(size_t) == 0)
                        do {    /* always true actually */
                                while (n && len) {
@@ -111,7 +106,6 @@ CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out,
                                return;
                        } while (0);
        /* the rest would be commonly eliminated by x86* compiler */
-#endif
                while (l < len) {
                        if (n == 0) {
                                (*block)(ivec, ivec, key);
@@ -122,7 +116,6 @@ CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out,
                }
                *num = n;
        } else {
-#if !defined(OPENSSL_SMALL_FOOTPRINT)
                if (16 % sizeof(size_t) == 0)
                        do {    /* always true actually */
                                while (n && len) {
@@ -163,7 +156,6 @@ CRYPTO_cfb128_encrypt(const unsigned char *in, unsigned char *out,
                                return;
                        } while (0);
        /* the rest would be commonly eliminated by x86* compiler */
-#endif
                while (l < len) {
                        unsigned char c;
                        if (n == 0) {
diff --git a/src/lib/libcrypto/modes/ctr128.c b/src/lib/libcrypto/modes/ctr128.c
index 6d507dfc3a..87d9abb355 100644
--- a/src/lib/libcrypto/modes/ctr128.c
+++ b/src/lib/libcrypto/modes/ctr128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ctr128.c,v 1.11 2023/07/08 14:56:54 beck Exp $ */
+/* $OpenBSD: ctr128.c,v 1.18 2025/05/18 09:05:59 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
 *
@@ -49,16 +49,12 @@
 *
 */
-#include <openssl/crypto.h>
-#include "modes_local.h"
 #include <string.h>
-#ifndef MODES_DEBUG
+#include <openssl/crypto.h>
-# ifndef NDEBUG
-#  define NDEBUG
+#include "crypto_internal.h"
-# endif
+#include "modes_local.h"
-#endif
-#include <assert.h>
 /* NOTE: the IV/counter CTR mode is big-endian.  The code itself
 * is endian-neutral. */
@@ -67,8 +63,8 @@
 static void
 ctr128_inc(unsigned char *counter)
 {
-        u32 n = 16;
+        uint32_t n = 16;
-        u8  c;
+        uint8_t  c;
        do {
                --n;
@@ -80,7 +76,6 @@ ctr128_inc(unsigned char *counter)
        } while (n);
 }
-#if !defined(OPENSSL_SMALL_FOOTPRINT)
 static void
 ctr128_inc_aligned(unsigned char *counter)
 {
@@ -100,7 +95,6 @@ ctr128_inc_aligned(unsigned char *counter)
        } while (n);
 #endif
 }
-#endif
 /* The input encrypted as though 128bit counter mode is being
 * used.  The extra state information to record how much of the
@@ -121,14 +115,11 @@ CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out,
    unsigned char ivec[16], unsigned char ecount_buf[16],
    unsigned int *num, block128_f block)
 {
-        unsigned int n;
+        unsigned int n = *num;
        size_t l = 0;
-        assert(*num < 16);
+        OPENSSL_assert(n < 16);
-        n = *num;
-#if !defined(OPENSSL_SMALL_FOOTPRINT)
        if (16 % sizeof(size_t) == 0)
                do { /* always true actually */
                        while (n && len) {
@@ -166,7 +157,6 @@ CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out,
                        return;
                } while (0);
        /* the rest would be commonly eliminated by x86* compiler */
-#endif
        while (l < len) {
                if (n == 0) {
                        (*block)(ivec, ecount_buf, key);
@@ -185,8 +175,8 @@ LCRYPTO_ALIAS(CRYPTO_ctr128_encrypt);
 static void
 ctr96_inc(unsigned char *counter)
 {
-        u32 n = 12;
+        uint32_t n = 12;
-        u8  c;
+        uint8_t  c;
        do {
                --n;
@@ -204,11 +194,10 @@ CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out,
    unsigned char ivec[16], unsigned char ecount_buf[16],
    unsigned int *num, ctr128_f func)
 {
-        unsigned int n, ctr32;
+        unsigned int n = *num;
+        unsigned int ctr32;
-        assert(*num < 16);
+        OPENSSL_assert(n < 16);
-        n = *num;
        while (n && len) {
                *(out++) = *(in++) ^ ecount_buf[n];
@@ -216,7 +205,8 @@ CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out,
                n = (n + 1) % 16;
        }
-        ctr32 = GETU32(ivec + 12);
+        ctr32 = crypto_load_be32toh(&ivec[12]);
        while (len >= 16) {
                size_t blocks = len/16;
                /*
@@ -233,14 +223,14 @@ CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out,
                 * overflow, which is then handled by limiting the
                 * amount of blocks to the exact overflow point...
                 */
-                ctr32 += (u32)blocks;
+                ctr32 += (uint32_t)blocks;
                if (ctr32 < blocks) {
                        blocks -= ctr32;
                        ctr32 = 0;
                }
                (*func)(in, out, blocks, key, ivec);
                /* (*ctr) does not update ivec, caller does: */
-                PUTU32(ivec + 12, ctr32);
+                crypto_store_htobe32(&ivec[12], ctr32);
                /* ... overflow was detected, propagate carry. */
                if (ctr32 == 0)
                        ctr96_inc(ivec);
@@ -253,7 +243,7 @@ CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out,
                memset(ecount_buf, 0, 16);
                (*func)(ecount_buf, ecount_buf, 1, key, ivec);
                ++ctr32;
-                PUTU32(ivec + 12, ctr32);
+                crypto_store_htobe32(&ivec[12], ctr32);
                if (ctr32 == 0)
                        ctr96_inc(ivec);
                while (len--) {
diff --git a/src/lib/libcrypto/modes/gcm128.c b/src/lib/libcrypto/modes/gcm128.c
index 6c89bd44b7..a88f589b00 100644
--- a/src/lib/libcrypto/modes/gcm128.c
+++ b/src/lib/libcrypto/modes/gcm128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gcm128.c,v 1.27 2024/09/06 09:57:32 tb Exp $ */
+/* $OpenBSD: gcm128.c,v 1.55 2026/01/17 14:30:37 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
 *
@@ -48,293 +48,62 @@
 * ====================================================================
 */
-#define OPENSSL_FIPSAPI
 #include <string.h>
 #include <openssl/crypto.h>
+#include "crypto_arch.h"
 #include "crypto_internal.h"
 #include "modes_local.h"
-#ifndef MODES_DEBUG
+void
-# ifndef NDEBUG
+gcm_init_4bit(u128 Htable[16], uint64_t H[2])
-#  define NDEBUG
-# endif
-#endif
-#if defined(BSWAP4) && defined(__STRICT_ALIGNMENT)
-/* redefine, because alignment is ensured */
-#undef  GETU32
-#define GETU32(p)       BSWAP4(*(const u32 *)(p))
-#endif
-#define PACK(s)         ((size_t)(s)<<(sizeof(size_t)*8-16))
-#define REDUCE1BIT(V)                                                   \
-        do {                                                            \
-                if (sizeof(size_t)==8) {                                \
-                        u64 T = U64(0xe100000000000000) & (0-(V.lo&1)); \
-                        V.lo  = (V.hi<<63)|(V.lo>>1);                   \
-                        V.hi  = (V.hi>>1 )^T;                           \
-                } else {                                                \
-                        u32 T = 0xe1000000U & (0-(u32)(V.lo&1));        \
-                        V.lo  = (V.hi<<63)|(V.lo>>1);                   \
-                        V.hi  = (V.hi>>1 )^((u64)T<<32);                \
-                }                                                       \
-        } while(0)
-/*
- * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
- * never be set to 8. 8 is effectively reserved for testing purposes.
- * TABLE_BITS>1 are lookup-table-driven implementations referred to as
- * "Shoup's" in GCM specification. In other words OpenSSL does not cover
- * whole spectrum of possible table driven implementations. Why? In
- * non-"Shoup's" case memory access pattern is segmented in such manner,
- * that it's trivial to see that cache timing information can reveal
- * fair portion of intermediate hash value. Given that ciphertext is
- * always available to attacker, it's possible for him to attempt to
- * deduce secret parameter H and if successful, tamper with messages
- * [which is nothing but trivial in CTR mode]. In "Shoup's" case it's
- * not as trivial, but there is no reason to believe that it's resistant
- * to cache-timing attack. And the thing about "8-bit" implementation is
- * that it consumes 16 (sixteen) times more memory, 4KB per individual
- * key + 1KB shared. Well, on pros side it should be twice as fast as
- * "4-bit" version. And for gcc-generated x86[_64] code, "8-bit" version
- * was observed to run ~75% faster, closer to 100% for commercial
- * compilers... Yet "4-bit" procedure is preferred, because it's
- * believed to provide better security-performance balance and adequate
- * all-round performance. "All-round" refers to things like:
- *
- * - shorter setup time effectively improves overall timing for
- *   handling short messages;
- * - larger table allocation can become unbearable because of VM
- *   subsystem penalties (for example on Windows large enough free
- *   results in VM working set trimming, meaning that consequent
- *   malloc would immediately incur working set expansion);
- * - larger table has larger cache footprint, which can affect
- *   performance of other code paths (not necessarily even from same
- *   thread in Hyper-Threading world);
- *
- * Value of 1 is not appropriate for performance reasons.
- */
-#if     TABLE_BITS==8
-static void
-gcm_init_8bit(u128 Htable[256], u64 H[2])
-{
-        int  i, j;
-        u128 V;
-        Htable[0].hi = 0;
-        Htable[0].lo = 0;
-        V.hi = H[0];
-        V.lo = H[1];
-        for (Htable[128] = V, i = 64; i > 0; i >>= 1) {
-                REDUCE1BIT(V);
-                Htable[i] = V;
-        }
-        for (i = 2; i < 256; i <<= 1) {
-                u128 *Hi = Htable + i, H0 = *Hi;
-                for (j = 1; j < i; ++j) {
-                        Hi[j].hi = H0.hi ^ Htable[j].hi;
-                        Hi[j].lo = H0.lo ^ Htable[j].lo;
-                }
-        }
-}
-static void
-gcm_gmult_8bit(u64 Xi[2], const u128 Htable[256])
-{
-        u128 Z = { 0, 0};
-        const u8 *xi = (const u8 *)Xi + 15;
-        size_t rem, n = *xi;
-        static const size_t rem_8bit[256] = {
-                PACK(0x0000), PACK(0x01C2), PACK(0x0384), PACK(0x0246),
-                PACK(0x0708), PACK(0x06CA), PACK(0x048C), PACK(0x054E),
-                PACK(0x0E10), PACK(0x0FD2), PACK(0x0D94), PACK(0x0C56),
-                PACK(0x0918), PACK(0x08DA), PACK(0x0A9C), PACK(0x0B5E),
-                PACK(0x1C20), PACK(0x1DE2), PACK(0x1FA4), PACK(0x1E66),
-                PACK(0x1B28), PACK(0x1AEA), PACK(0x18AC), PACK(0x196E),
-                PACK(0x1230), PACK(0x13F2), PACK(0x11B4), PACK(0x1076),
-                PACK(0x1538), PACK(0x14FA), PACK(0x16BC), PACK(0x177E),
-                PACK(0x3840), PACK(0x3982), PACK(0x3BC4), PACK(0x3A06),
-                PACK(0x3F48), PACK(0x3E8A), PACK(0x3CCC), PACK(0x3D0E),
-                PACK(0x3650), PACK(0x3792), PACK(0x35D4), PACK(0x3416),
-                PACK(0x3158), PACK(0x309A), PACK(0x32DC), PACK(0x331E),
-                PACK(0x2460), PACK(0x25A2), PACK(0x27E4), PACK(0x2626),
-                PACK(0x2368), PACK(0x22AA), PACK(0x20EC), PACK(0x212E),
-                PACK(0x2A70), PACK(0x2BB2), PACK(0x29F4), PACK(0x2836),
-                PACK(0x2D78), PACK(0x2CBA), PACK(0x2EFC), PACK(0x2F3E),
-                PACK(0x7080), PACK(0x7142), PACK(0x7304), PACK(0x72C6),
-                PACK(0x7788), PACK(0x764A), PACK(0x740C), PACK(0x75CE),
-                PACK(0x7E90), PACK(0x7F52), PACK(0x7D14), PACK(0x7CD6),
-                PACK(0x7998), PACK(0x785A), PACK(0x7A1C), PACK(0x7BDE),
-                PACK(0x6CA0), PACK(0x6D62), PACK(0x6F24), PACK(0x6EE6),
-                PACK(0x6BA8), PACK(0x6A6A), PACK(0x682C), PACK(0x69EE),
-                PACK(0x62B0), PACK(0x6372), PACK(0x6134), PACK(0x60F6),
-                PACK(0x65B8), PACK(0x647A), PACK(0x663C), PACK(0x67FE),
-                PACK(0x48C0), PACK(0x4902), PACK(0x4B44), PACK(0x4A86),
-                PACK(0x4FC8), PACK(0x4E0A), PACK(0x4C4C), PACK(0x4D8E),
-                PACK(0x46D0), PACK(0x4712), PACK(0x4554), PACK(0x4496),
-                PACK(0x41D8), PACK(0x401A), PACK(0x425C), PACK(0x439E),
-                PACK(0x54E0), PACK(0x5522), PACK(0x5764), PACK(0x56A6),
-                PACK(0x53E8), PACK(0x522A), PACK(0x506C), PACK(0x51AE),
-                PACK(0x5AF0), PACK(0x5B32), PACK(0x5974), PACK(0x58B6),
-                PACK(0x5DF8), PACK(0x5C3A), PACK(0x5E7C), PACK(0x5FBE),
-                PACK(0xE100), PACK(0xE0C2), PACK(0xE284), PACK(0xE346),
-                PACK(0xE608), PACK(0xE7CA), PACK(0xE58C), PACK(0xE44E),
-                PACK(0xEF10), PACK(0xEED2), PACK(0xEC94), PACK(0xED56),
-                PACK(0xE818), PACK(0xE9DA), PACK(0xEB9C), PACK(0xEA5E),
-                PACK(0xFD20), PACK(0xFCE2), PACK(0xFEA4), PACK(0xFF66),
-                PACK(0xFA28), PACK(0xFBEA), PACK(0xF9AC), PACK(0xF86E),
-                PACK(0xF330), PACK(0xF2F2), PACK(0xF0B4), PACK(0xF176),
-                PACK(0xF438), PACK(0xF5FA), PACK(0xF7BC), PACK(0xF67E),
-                PACK(0xD940), PACK(0xD882), PACK(0xDAC4), PACK(0xDB06),
-                PACK(0xDE48), PACK(0xDF8A), PACK(0xDDCC), PACK(0xDC0E),
-                PACK(0xD750), PACK(0xD692), PACK(0xD4D4), PACK(0xD516),
-                PACK(0xD058), PACK(0xD19A), PACK(0xD3DC), PACK(0xD21E),
-                PACK(0xC560), PACK(0xC4A2), PACK(0xC6E4), PACK(0xC726),
-                PACK(0xC268), PACK(0xC3AA), PACK(0xC1EC), PACK(0xC02E),
-                PACK(0xCB70), PACK(0xCAB2), PACK(0xC8F4), PACK(0xC936),
-                PACK(0xCC78), PACK(0xCDBA), PACK(0xCFFC), PACK(0xCE3E),
-                PACK(0x9180), PACK(0x9042), PACK(0x9204), PACK(0x93C6),
-                PACK(0x9688), PACK(0x974A), PACK(0x950C), PACK(0x94CE),
-                PACK(0x9F90), PACK(0x9E52), PACK(0x9C14), PACK(0x9DD6),
-                PACK(0x9898), PACK(0x995A), PACK(0x9B1C), PACK(0x9ADE),
-                PACK(0x8DA0), PACK(0x8C62), PACK(0x8E24), PACK(0x8FE6),
-                PACK(0x8AA8), PACK(0x8B6A), PACK(0x892C), PACK(0x88EE),
-                PACK(0x83B0), PACK(0x8272), PACK(0x8034), PACK(0x81F6),
-                PACK(0x84B8), PACK(0x857A), PACK(0x873C), PACK(0x86FE),
-                PACK(0xA9C0), PACK(0xA802), PACK(0xAA44), PACK(0xAB86),
-                PACK(0xAEC8), PACK(0xAF0A), PACK(0xAD4C), PACK(0xAC8E),
-                PACK(0xA7D0), PACK(0xA612), PACK(0xA454), PACK(0xA596),
-                PACK(0xA0D8), PACK(0xA11A), PACK(0xA35C), PACK(0xA29E),
-                PACK(0xB5E0), PACK(0xB422), PACK(0xB664), PACK(0xB7A6),
-                PACK(0xB2E8), PACK(0xB32A), PACK(0xB16C), PACK(0xB0AE),
-                PACK(0xBBF0), PACK(0xBA32), PACK(0xB874), PACK(0xB9B6),
-                PACK(0xBCF8), PACK(0xBD3A), PACK(0xBF7C), PACK(0xBEBE) };
-        while (1) {
-                Z.hi ^= Htable[n].hi;
-                Z.lo ^= Htable[n].lo;
-                if ((u8 *)Xi == xi)
-                        break;
-                n = *(--xi);
-                rem = (size_t)Z.lo & 0xff;
-                Z.lo = (Z.hi << 56)|(Z.lo >> 8);
-                Z.hi = (Z.hi >> 8);
-#if SIZE_MAX == 0xffffffffffffffff
-                Z.hi ^= rem_8bit[rem];
-#else
-                Z.hi ^= (u64)rem_8bit[rem] << 32;
-#endif
-        }
-        Xi[0] = htobe64(Z.hi);
-        Xi[1] = htobe64(Z.lo);
-}
-#define GCM_MUL(ctx,Xi)   gcm_gmult_8bit(ctx->Xi.u,ctx->Htable)
-#elif   TABLE_BITS==4
-static void
-gcm_init_4bit(u128 Htable[16], u64 H[2])
 {
        u128 V;
-#if defined(OPENSSL_SMALL_FOOTPRINT)
+        uint64_t T;
-        int  i;
+        int i;
-#endif
        Htable[0].hi = 0;
        Htable[0].lo = 0;
        V.hi = H[0];
        V.lo = H[1];
-#if defined(OPENSSL_SMALL_FOOTPRINT)
        for (Htable[8] = V, i = 4; i > 0; i >>= 1) {
-                REDUCE1BIT(V);
+                T = U64(0xe100000000000000) & (0 - (V.lo & 1));
+                V.lo = (V.hi << 63) | (V.lo >> 1);
+                V.hi = (V.hi >> 1 ) ^ T;
                Htable[i] = V;
        }
        for (i = 2; i < 16; i <<= 1) {
                u128 *Hi = Htable + i;
                int   j;
-                for (V = *Hi, j = 1; j < i; ++j) {
+                for (V = *Hi, j = 1; j < i; j++) {
                        Hi[j].hi = V.hi ^ Htable[j].hi;
                        Hi[j].lo = V.lo ^ Htable[j].lo;
                }
        }
-#else
-        Htable[8] = V;
-        REDUCE1BIT(V);
-        Htable[4] = V;
-        REDUCE1BIT(V);
-        Htable[2] = V;
-        REDUCE1BIT(V);
-        Htable[1] = V;
-        Htable[3].hi = V.hi ^ Htable[2].hi, Htable[3].lo = V.lo ^ Htable[2].lo;
-        V = Htable[4];
-        Htable[5].hi = V.hi ^ Htable[1].hi, Htable[5].lo = V.lo ^ Htable[1].lo;
-        Htable[6].hi = V.hi ^ Htable[2].hi, Htable[6].lo = V.lo ^ Htable[2].lo;
-        Htable[7].hi = V.hi ^ Htable[3].hi, Htable[7].lo = V.lo ^ Htable[3].lo;
-        V = Htable[8];
-        Htable[9].hi = V.hi ^ Htable[1].hi, Htable[9].lo = V.lo ^ Htable[1].lo;
-        Htable[10].hi = V.hi ^ Htable[2].hi,
-            Htable[10].lo = V.lo ^ Htable[2].lo;
-        Htable[11].hi = V.hi ^ Htable[3].hi,
-            Htable[11].lo = V.lo ^ Htable[3].lo;
-        Htable[12].hi = V.hi ^ Htable[4].hi,
-            Htable[12].lo = V.lo ^ Htable[4].lo;
-        Htable[13].hi = V.hi ^ Htable[5].hi,
-            Htable[13].lo = V.lo ^ Htable[5].lo;
-        Htable[14].hi = V.hi ^ Htable[6].hi,
-            Htable[14].lo = V.lo ^ Htable[6].lo;
-        Htable[15].hi = V.hi ^ Htable[7].hi,
-            Htable[15].lo = V.lo ^ Htable[7].lo;
-#endif
-#if defined(GHASH_ASM) && (defined(__arm__) || defined(__arm))
-        /*
-         * ARM assembler expects specific dword order in Htable.
-         */
-        {
-                int j;
-#if BYTE_ORDER == LITTLE_ENDIAN
-                for (j = 0; j < 16; ++j) {
-                        V = Htable[j];
-                        Htable[j].hi = V.lo;
-                        Htable[j].lo = V.hi;
-                }
-#else /* BIG_ENDIAN */
-                for (j = 0; j < 16; ++j) {
-                        V = Htable[j];
-                        Htable[j].hi = V.lo << 32|V.lo >> 32;
-                        Htable[j].lo = V.hi << 32|V.hi >> 32;
-                }
-#endif
-        }
-#endif
 }
-#ifndef GHASH_ASM
+#if !defined(HAVE_GCM_GHASH_4BIT) && !defined(HAVE_GCM_GMULT_4BIT)
-static const size_t rem_4bit[16] = {
+static const uint16_t rem_4bit[16] = {
-        PACK(0x0000), PACK(0x1C20), PACK(0x3840), PACK(0x2460),
+        0x0000, 0x1c20, 0x3840, 0x2460, 0x7080, 0x6ca0, 0x48c0, 0x54e0,
-        PACK(0x7080), PACK(0x6CA0), PACK(0x48C0), PACK(0x54E0),
+        0xe100, 0xfd20, 0xd940, 0xc560, 0x9180, 0x8da0, 0xa9c0, 0xb5e0,
-        PACK(0xE100), PACK(0xFD20), PACK(0xD940), PACK(0xC560),
+};
-        PACK(0x9180), PACK(0x8DA0), PACK(0xA9C0), PACK(0xB5E0) };
+#endif
+#ifdef HAVE_GCM_GMULT_4BIT
+void gcm_gmult_4bit(uint64_t Xi[2], const u128 Htable[16]);
+#else
 static void
-gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16])
+gcm_gmult_4bit(uint64_t Xi[2], const u128 Htable[16])
 {
        u128 Z;
        int cnt = 15;
        size_t rem, nlo, nhi;
-        nlo = ((const u8 *)Xi)[15];
+        nlo = ((const uint8_t *)Xi)[15];
        nhi = nlo >> 4;
        nlo &= 0xf;
@@ -345,29 +114,21 @@ gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16])
                rem = (size_t)Z.lo & 0xf;
                Z.lo = (Z.hi << 60)|(Z.lo >> 4);
                Z.hi = (Z.hi >> 4);
-#if SIZE_MAX == 0xffffffffffffffff
+                Z.hi ^= (uint64_t)rem_4bit[rem] << 48;
-                Z.hi ^= rem_4bit[rem];
-#else
-                Z.hi ^= (u64)rem_4bit[rem] << 32;
-#endif
                Z.hi ^= Htable[nhi].hi;
                Z.lo ^= Htable[nhi].lo;
                if (--cnt < 0)
                        break;
-                nlo = ((const u8 *)Xi)[cnt];
+                nlo = ((const uint8_t *)Xi)[cnt];
                nhi = nlo >> 4;
                nlo &= 0xf;
                rem = (size_t)Z.lo & 0xf;
                Z.lo = (Z.hi << 60)|(Z.lo >> 4);
                Z.hi = (Z.hi >> 4);
-#if SIZE_MAX == 0xffffffffffffffff
+                Z.hi ^= (uint64_t)rem_4bit[rem] << 48;
-                Z.hi ^= rem_4bit[rem];
-#else
-                Z.hi ^= (u64)rem_4bit[rem] << 32;
-#endif
                Z.hi ^= Htable[nlo].hi;
                Z.lo ^= Htable[nlo].lo;
        }
@@ -375,27 +136,24 @@ gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16])
        Xi[0] = htobe64(Z.hi);
        Xi[1] = htobe64(Z.lo);
 }
+#endif
-#if !defined(OPENSSL_SMALL_FOOTPRINT)
+#ifdef HAVE_GCM_GHASH_4BIT
-/*
+void gcm_ghash_4bit(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
- * Streamed gcm_mult_4bit, see CRYPTO_gcm128_[en|de]crypt for
+    size_t len);
- * details... Compiler-generated code doesn't seem to give any
- * performance improvement, at least not on x86[_64]. It's here
+#else
- * mostly as reference and a placeholder for possible future
- * non-trivial optimization[s]...
- */
 static void
-gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16],
+gcm_ghash_4bit(uint64_t Xi[2], const u128 Htable[16],
-    const u8 *inp, size_t len)
+    const uint8_t *inp, size_t len)
 {
        u128 Z;
        int cnt;
        size_t rem, nlo, nhi;
-#if 1
        do {
                cnt = 15;
-                nlo = ((const u8 *)Xi)[15];
+                nlo = ((const uint8_t *)Xi)[15];
                nlo ^= inp[15];
                nhi = nlo >> 4;
                nlo &= 0xf;
@@ -407,18 +165,14 @@ gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16],
                        rem = (size_t)Z.lo & 0xf;
                        Z.lo = (Z.hi << 60)|(Z.lo >> 4);
                        Z.hi = (Z.hi >> 4);
-#if SIZE_MAX == 0xffffffffffffffff
+                        Z.hi ^= (uint64_t)rem_4bit[rem] << 48;
-                        Z.hi ^= rem_4bit[rem];
-#else
-                        Z.hi ^= (u64)rem_4bit[rem] << 32;
-#endif
                        Z.hi ^= Htable[nhi].hi;
                        Z.lo ^= Htable[nhi].lo;
                        if (--cnt < 0)
                                break;
-                        nlo = ((const u8 *)Xi)[cnt];
+                        nlo = ((const uint8_t *)Xi)[cnt];
                        nlo ^= inp[cnt];
                        nhi = nlo >> 4;
                        nlo &= 0xf;
@@ -426,222 +180,40 @@ gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16],
                        rem = (size_t)Z.lo & 0xf;
                        Z.lo = (Z.hi << 60)|(Z.lo >> 4);
                        Z.hi = (Z.hi >> 4);
-#if SIZE_MAX == 0xffffffffffffffff
+                        Z.hi ^= (uint64_t)rem_4bit[rem] << 48;
-                        Z.hi ^= rem_4bit[rem];
-#else
-                        Z.hi ^= (u64)rem_4bit[rem] << 32;
-#endif
                        Z.hi ^= Htable[nlo].hi;
                        Z.lo ^= Htable[nlo].lo;
                }
-#else
-    /*
-     * Extra 256+16 bytes per-key plus 512 bytes shared tables
-     * [should] give ~50% improvement... One could have PACK()-ed
-     * the rem_8bit even here, but the priority is to minimize
-     * cache footprint...
-     */
-        u128 Hshr4[16]; /* Htable shifted right by 4 bits */
-        u8 Hshl4[16];   /* Htable shifted left  by 4 bits */
-        static const unsigned short rem_8bit[256] = {
-                0x0000, 0x01C2, 0x0384, 0x0246, 0x0708, 0x06CA, 0x048C, 0x054E,
-                0x0E10, 0x0FD2, 0x0D94, 0x0C56, 0x0918, 0x08DA, 0x0A9C, 0x0B5E,
-                0x1C20, 0x1DE2, 0x1FA4, 0x1E66, 0x1B28, 0x1AEA, 0x18AC, 0x196E,
-                0x1230, 0x13F2, 0x11B4, 0x1076, 0x1538, 0x14FA, 0x16BC, 0x177E,
-                0x3840, 0x3982, 0x3BC4, 0x3A06, 0x3F48, 0x3E8A, 0x3CCC, 0x3D0E,
-                0x3650, 0x3792, 0x35D4, 0x3416, 0x3158, 0x309A, 0x32DC, 0x331E,
-                0x2460, 0x25A2, 0x27E4, 0x2626, 0x2368, 0x22AA, 0x20EC, 0x212E,
-                0x2A70, 0x2BB2, 0x29F4, 0x2836, 0x2D78, 0x2CBA, 0x2EFC, 0x2F3E,
-                0x7080, 0x7142, 0x7304, 0x72C6, 0x7788, 0x764A, 0x740C, 0x75CE,
-                0x7E90, 0x7F52, 0x7D14, 0x7CD6, 0x7998, 0x785A, 0x7A1C, 0x7BDE,
-                0x6CA0, 0x6D62, 0x6F24, 0x6EE6, 0x6BA8, 0x6A6A, 0x682C, 0x69EE,
-                0x62B0, 0x6372, 0x6134, 0x60F6, 0x65B8, 0x647A, 0x663C, 0x67FE,
-                0x48C0, 0x4902, 0x4B44, 0x4A86, 0x4FC8, 0x4E0A, 0x4C4C, 0x4D8E,
-                0x46D0, 0x4712, 0x4554, 0x4496, 0x41D8, 0x401A, 0x425C, 0x439E,
-                0x54E0, 0x5522, 0x5764, 0x56A6, 0x53E8, 0x522A, 0x506C, 0x51AE,
-                0x5AF0, 0x5B32, 0x5974, 0x58B6, 0x5DF8, 0x5C3A, 0x5E7C, 0x5FBE,
-                0xE100, 0xE0C2, 0xE284, 0xE346, 0xE608, 0xE7CA, 0xE58C, 0xE44E,
-                0xEF10, 0xEED2, 0xEC94, 0xED56, 0xE818, 0xE9DA, 0xEB9C, 0xEA5E,
-                0xFD20, 0xFCE2, 0xFEA4, 0xFF66, 0xFA28, 0xFBEA, 0xF9AC, 0xF86E,
-                0xF330, 0xF2F2, 0xF0B4, 0xF176, 0xF438, 0xF5FA, 0xF7BC, 0xF67E,
-                0xD940, 0xD882, 0xDAC4, 0xDB06, 0xDE48, 0xDF8A, 0xDDCC, 0xDC0E,
-                0xD750, 0xD692, 0xD4D4, 0xD516, 0xD058, 0xD19A, 0xD3DC, 0xD21E,
-                0xC560, 0xC4A2, 0xC6E4, 0xC726, 0xC268, 0xC3AA, 0xC1EC, 0xC02E,
-                0xCB70, 0xCAB2, 0xC8F4, 0xC936, 0xCC78, 0xCDBA, 0xCFFC, 0xCE3E,
-                0x9180, 0x9042, 0x9204, 0x93C6, 0x9688, 0x974A, 0x950C, 0x94CE,
-                0x9F90, 0x9E52, 0x9C14, 0x9DD6, 0x9898, 0x995A, 0x9B1C, 0x9ADE,
-                0x8DA0, 0x8C62, 0x8E24, 0x8FE6, 0x8AA8, 0x8B6A, 0x892C, 0x88EE,
-                0x83B0, 0x8272, 0x8034, 0x81F6, 0x84B8, 0x857A, 0x873C, 0x86FE,
-                0xA9C0, 0xA802, 0xAA44, 0xAB86, 0xAEC8, 0xAF0A, 0xAD4C, 0xAC8E,
-                0xA7D0, 0xA612, 0xA454, 0xA596, 0xA0D8, 0xA11A, 0xA35C, 0xA29E,
-                0xB5E0, 0xB422, 0xB664, 0xB7A6, 0xB2E8, 0xB32A, 0xB16C, 0xB0AE,
-                0xBBF0, 0xBA32, 0xB874, 0xB9B6, 0xBCF8, 0xBD3A, 0xBF7C, 0xBEBE };
-    /*
-     * This pre-processing phase slows down procedure by approximately
-     * same time as it makes each loop spin faster. In other words
-     * single block performance is approximately same as straightforward
-     * "4-bit" implementation, and then it goes only faster...
-     */
-        for (cnt = 0; cnt < 16; ++cnt) {
-                Z.hi = Htable[cnt].hi;
-                Z.lo = Htable[cnt].lo;
-                Hshr4[cnt].lo = (Z.hi << 60)|(Z.lo >> 4);
-                Hshr4[cnt].hi = (Z.hi >> 4);
-                Hshl4[cnt] = (u8)(Z.lo << 4);
-        }
-        do {
-                for (Z.lo = 0, Z.hi = 0, cnt = 15; cnt; --cnt) {
-                        nlo = ((const u8 *)Xi)[cnt];
-                        nlo ^= inp[cnt];
-                        nhi = nlo >> 4;
-                        nlo &= 0xf;
-                        Z.hi ^= Htable[nlo].hi;
-                        Z.lo ^= Htable[nlo].lo;
-                        rem = (size_t)Z.lo & 0xff;
-                        Z.lo = (Z.hi << 56)|(Z.lo >> 8);
-                        Z.hi = (Z.hi >> 8);
-                        Z.hi ^= Hshr4[nhi].hi;
-                        Z.lo ^= Hshr4[nhi].lo;
-                        Z.hi ^= (u64)rem_8bit[rem ^ Hshl4[nhi]] << 48;
-                }
-                nlo = ((const u8 *)Xi)[0];
-                nlo ^= inp[0];
-                nhi = nlo >> 4;
-                nlo &= 0xf;
-                Z.hi ^= Htable[nlo].hi;
-                Z.lo ^= Htable[nlo].lo;
-                rem = (size_t)Z.lo & 0xf;
-                Z.lo = (Z.hi << 60)|(Z.lo >> 4);
-                Z.hi = (Z.hi >> 4);
-                Z.hi ^= Htable[nhi].hi;
-                Z.lo ^= Htable[nhi].lo;
-                Z.hi ^= ((u64)rem_8bit[rem << 4]) << 48;
-#endif
                Xi[0] = htobe64(Z.hi);
                Xi[1] = htobe64(Z.lo);
        } while (inp += 16, len -= 16);
 }
 #endif
-#else
-void gcm_gmult_4bit(u64 Xi[2], const u128 Htable[16]);
-void gcm_ghash_4bit(u64 Xi[2], const u128 Htable[16], const u8 *inp,
-    size_t len);
-#endif
-#define GCM_MUL(ctx,Xi)   gcm_gmult_4bit(ctx->Xi.u,ctx->Htable)
+static inline void
-#if defined(GHASH_ASM) || !defined(OPENSSL_SMALL_FOOTPRINT)
+gcm_mul(GCM128_CONTEXT *ctx, uint64_t u[2])
-#define GHASH(ctx,in,len) gcm_ghash_4bit((ctx)->Xi.u,(ctx)->Htable,in,len)
+{
-/* GHASH_CHUNK is "stride parameter" missioned to mitigate cache
+        ctx->gmult(u, ctx->Htable);
- * trashing effect. In other words idea is to hash data while it's
+}
- * still in L1 cache after encryption pass... */
-#define GHASH_CHUNK       (3*1024)
-#endif
-#else   /* TABLE_BITS */
-static void
+static inline void
-gcm_gmult_1bit(u64 Xi[2], const u64 H[2])
+gcm_ghash(GCM128_CONTEXT *ctx, const uint8_t *in, size_t len)
 {
-        u128 V, Z = { 0,0 };
+        ctx->ghash(ctx->Xi.u, ctx->Htable, in, len);
-        long X;
+}
-        int i, j;
-        const long *xi = (const long *)Xi;
-        V.hi = H[0];    /* H is in host byte order, no byte swapping */
+#ifdef HAVE_GCM128_INIT
-        V.lo = H[1];
+void gcm128_init(GCM128_CONTEXT *ctx);
-        for (j = 0; j < 16/sizeof(long); ++j) {
-#if BYTE_ORDER == LITTLE_ENDIAN
-#if SIZE_MAX == 0xffffffffffffffff
-#ifdef BSWAP8
-                X = (long)(BSWAP8(xi[j]));
-#else
-                const u8 *p = (const u8 *)(xi + j);
-                X = (long)((u64)GETU32(p) << 32|GETU32(p + 4));
-#endif
 #else
-                const u8 *p = (const u8 *)(xi + j);
+static void
-                X = (long)GETU32(p);
+gcm128_init(GCM128_CONTEXT *ctx)
-#endif
+{
-#else /* BIG_ENDIAN */
+        gcm_init_4bit(ctx->Htable, ctx->H.u);
-                X = xi[j];
+        ctx->gmult = gcm_gmult_4bit;
-#endif
+        ctx->ghash = gcm_ghash_4bit;
-                for (i = 0; i < 8*sizeof(long); ++i, X <<= 1) {
-                        u64 M = (u64)(X >> (8*sizeof(long) - 1));
-                        Z.hi ^= V.hi & M;
-                        Z.lo ^= V.lo & M;
-                        REDUCE1BIT(V);
-                }
-        }
-        Xi[0] = htobe64(Z.hi);
-        Xi[1] = htobe64(Z.lo);
 }
-#define GCM_MUL(ctx,Xi)   gcm_gmult_1bit(ctx->Xi.u,ctx->H.u)
-#endif
-#if     defined(GHASH_ASM) &&                                           \
-        (defined(__i386)        || defined(__i386__)    ||              \
-         defined(__x86_64)      || defined(__x86_64__)  ||              \
-         defined(_M_IX86)       || defined(_M_AMD64)    || defined(_M_X64))
-#include "x86_arch.h"
-#endif
-#if     TABLE_BITS==4 && defined(GHASH_ASM)
-# if    (defined(__i386)        || defined(__i386__)    ||              \
-         defined(__x86_64)      || defined(__x86_64__)  ||              \
-         defined(_M_IX86)       || defined(_M_AMD64)    || defined(_M_X64))
-#  define GHASH_ASM_X86_OR_64
-#  define GCM_FUNCREF_4BIT
-void gcm_init_clmul(u128 Htable[16], const u64 Xi[2]);
-void gcm_gmult_clmul(u64 Xi[2], const u128 Htable[16]);
-void gcm_ghash_clmul(u64 Xi[2], const u128 Htable[16], const u8 *inp,
-    size_t len);
-#  if   defined(__i386) || defined(__i386__) || defined(_M_IX86)
-#   define GHASH_ASM_X86
-void gcm_gmult_4bit_mmx(u64 Xi[2], const u128 Htable[16]);
-void gcm_ghash_4bit_mmx(u64 Xi[2], const u128 Htable[16], const u8 *inp,
-    size_t len);
-void gcm_gmult_4bit_x86(u64 Xi[2], const u128 Htable[16]);
-void gcm_ghash_4bit_x86(u64 Xi[2], const u128 Htable[16], const u8 *inp,
-    size_t len);
-#  endif
-# elif defined(__arm__) || defined(__arm)
-#  include "arm_arch.h"
-#  if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT)
-#   define GHASH_ASM_ARM
-#   define GCM_FUNCREF_4BIT
-void gcm_gmult_neon(u64 Xi[2], const u128 Htable[16]);
-void gcm_ghash_neon(u64 Xi[2], const u128 Htable[16], const u8 *inp,
-    size_t len);
-#  endif
-# endif
-#endif
-#ifdef GCM_FUNCREF_4BIT
-# undef  GCM_MUL
-# define GCM_MUL(ctx,Xi)        (*gcm_gmult_p)(ctx->Xi.u,ctx->Htable)
-# ifdef GHASH
-#  undef  GHASH
-#  define GHASH(ctx,in,len)     (*gcm_ghash_p)(ctx->Xi.u,ctx->Htable,in,len)
-# endif
 #endif
 void
@@ -657,60 +229,35 @@ CRYPTO_gcm128_init(GCM128_CONTEXT *ctx, void *key, block128_f block)
        ctx->H.u[0] = be64toh(ctx->H.u[0]);
        ctx->H.u[1] = be64toh(ctx->H.u[1]);
-#if     TABLE_BITS==8
+        gcm128_init(ctx);
-        gcm_init_8bit(ctx->Htable, ctx->H.u);
-#elif   TABLE_BITS==4
-# if    defined(GHASH_ASM_X86_OR_64)
-#  if   !defined(GHASH_ASM_X86) || defined(OPENSSL_IA32_SSE2)
-        /* check FXSR and PCLMULQDQ bits */
-        if ((crypto_cpu_caps_ia32() & (CPUCAP_MASK_FXSR | CPUCAP_MASK_PCLMUL)) ==
-            (CPUCAP_MASK_FXSR | CPUCAP_MASK_PCLMUL)) {
-                gcm_init_clmul(ctx->Htable, ctx->H.u);
-                ctx->gmult = gcm_gmult_clmul;
-                ctx->ghash = gcm_ghash_clmul;
-                return;
-        }
-#  endif
-        gcm_init_4bit(ctx->Htable, ctx->H.u);
-#  if   defined(GHASH_ASM_X86)                  /* x86 only */
-#   if  defined(OPENSSL_IA32_SSE2)
-        if (crypto_cpu_caps_ia32() & CPUCAP_MASK_SSE) { /* check SSE bit */
-#   else
-        if (crypto_cpu_caps_ia32() & CPUCAP_MASK_MMX) { /* check MMX bit */
-#   endif
-                ctx->gmult = gcm_gmult_4bit_mmx;
-                ctx->ghash = gcm_ghash_4bit_mmx;
-        } else {
-                ctx->gmult = gcm_gmult_4bit_x86;
-                ctx->ghash = gcm_ghash_4bit_x86;
-        }
-#  else
-        ctx->gmult = gcm_gmult_4bit;
-        ctx->ghash = gcm_ghash_4bit;
-#  endif
-# elif  defined(GHASH_ASM_ARM)
-        if (OPENSSL_armcap_P & ARMV7_NEON) {
-                ctx->gmult = gcm_gmult_neon;
-                ctx->ghash = gcm_ghash_neon;
-        } else {
-                gcm_init_4bit(ctx->Htable, ctx->H.u);
-                ctx->gmult = gcm_gmult_4bit;
-                ctx->ghash = gcm_ghash_4bit;
-        }
-# else
-        gcm_init_4bit(ctx->Htable, ctx->H.u);
-# endif
-#endif
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_init);
+GCM128_CONTEXT *
+CRYPTO_gcm128_new(void *key, block128_f block)
+{
+        GCM128_CONTEXT *ctx;
+        if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
+                return NULL;
+        CRYPTO_gcm128_init(ctx, key, block);
+        return ctx;
+}
+LCRYPTO_ALIAS(CRYPTO_gcm128_new);
+void
+CRYPTO_gcm128_release(GCM128_CONTEXT *ctx)
+{
+        freezero(ctx, sizeof(*ctx));
+}
+LCRYPTO_ALIAS(CRYPTO_gcm128_release);
 void
 CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const unsigned char *iv, size_t len)
 {
        unsigned int ctr;
-#ifdef GCM_FUNCREF_4BIT
-        void (*gcm_gmult_p)(u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-#endif
        ctx->Yi.u[0] = 0;
        ctx->Yi.u[1] = 0;
@@ -727,577 +274,277 @@ CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx, const unsigned char *iv, size_t len)
                ctr = 1;
        } else {
                size_t i;
-                u64 len0 = len;
+                uint64_t len0 = len;
                while (len >= 16) {
-                        for (i = 0; i < 16; ++i)
+                        for (i = 0; i < 16; i++)
                                ctx->Yi.c[i] ^= iv[i];
-                        GCM_MUL(ctx, Yi);
+                        gcm_mul(ctx, ctx->Yi.u);
                        iv += 16;
                        len -= 16;
                }
-                if (len) {
+                if (len > 0) {
-                        for (i = 0; i < len; ++i)
+                        for (i = 0; i < len; i++)
                                ctx->Yi.c[i] ^= iv[i];
-                        GCM_MUL(ctx, Yi);
+                        gcm_mul(ctx, ctx->Yi.u);
                }
                len0 <<= 3;
                ctx->Yi.u[1] ^= htobe64(len0);
-                GCM_MUL(ctx, Yi);
+                gcm_mul(ctx, ctx->Yi.u);
                ctr = be32toh(ctx->Yi.d[3]);
        }
        (*ctx->block)(ctx->Yi.c, ctx->EK0.c, ctx->key);
-        ++ctr;
+        ctx->Yi.d[3] = htobe32(++ctr);
-        ctx->Yi.d[3] = htobe32(ctr);
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_setiv);
 int
 CRYPTO_gcm128_aad(GCM128_CONTEXT *ctx, const unsigned char *aad, size_t len)
 {
-        size_t i;
        unsigned int n;
-        u64 alen = ctx->len.u[0];
+        uint64_t alen;
-#ifdef GCM_FUNCREF_4BIT
+        size_t i;
-        void (*gcm_gmult_p)(u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-# ifdef GHASH
-        void (*gcm_ghash_p)(u64 Xi[2], const u128 Htable[16],
-            const u8 *inp, size_t len) = ctx->ghash;
-# endif
-#endif
-        if (ctx->len.u[1])
+        if (ctx->len.u[1] != 0)
                return -2;
-        alen += len;
+        alen = ctx->len.u[0] + len;
        if (alen > (U64(1) << 61) || (sizeof(len) == 8 && alen < len))
                return -1;
        ctx->len.u[0] = alen;
-        n = ctx->ares;
+        if ((n = ctx->ares) > 0) {
-        if (n) {
+                while (n > 0 && len > 0) {
-                while (n && len) {
                        ctx->Xi.c[n] ^= *(aad++);
-                        --len;
                        n = (n + 1) % 16;
+                        len--;
                }
-                if (n == 0)
+                if (n > 0) {
-                        GCM_MUL(ctx, Xi);
-                else {
                        ctx->ares = n;
                        return 0;
                }
+                gcm_mul(ctx, ctx->Xi.u);
        }
-#ifdef GHASH
+        if ((i = (len & (size_t)-16)) > 0) {
-        if ((i = (len & (size_t)-16))) {
+                gcm_ghash(ctx, aad, i);
-                GHASH(ctx, aad, i);
                aad += i;
                len -= i;
        }
-#else
+        if (len > 0) {
-        while (len >= 16) {
-                for (i = 0; i < 16; ++i)
-                        ctx->Xi.c[i] ^= aad[i];
-                GCM_MUL(ctx, Xi);
-                aad += 16;
-                len -= 16;
-        }
-#endif
-        if (len) {
                n = (unsigned int)len;
-                for (i = 0; i < len; ++i)
+                for (i = 0; i < len; i++)
                        ctx->Xi.c[i] ^= aad[i];
        }
        ctx->ares = n;
        return 0;
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_aad);
 int
-CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
+CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, const unsigned char *in,
-    const unsigned char *in, unsigned char *out,
+    unsigned char *out, size_t len)
-    size_t len)
 {
        unsigned int n, ctr;
+        uint64_t mlen;
        size_t i;
-        u64 mlen = ctx->len.u[1];
-        block128_f block = ctx->block;
-        void *key = ctx->key;
-#ifdef GCM_FUNCREF_4BIT
-        void (*gcm_gmult_p)(u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-# ifdef GHASH
-        void (*gcm_ghash_p)(u64 Xi[2], const u128 Htable[16],
-            const u8 *inp, size_t len) = ctx->ghash;
-# endif
-#endif
-        mlen += len;
+        mlen = ctx->len.u[1] + len;
        if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
                return -1;
        ctx->len.u[1] = mlen;
-        if (ctx->ares) {
+        if (ctx->ares > 0) {
                /* First call to encrypt finalizes GHASH(AAD) */
-                GCM_MUL(ctx, Xi);
+                gcm_mul(ctx, ctx->Xi.u);
                ctx->ares = 0;
        }
        ctr = be32toh(ctx->Yi.d[3]);
        n = ctx->mres;
-#if !defined(OPENSSL_SMALL_FOOTPRINT)
-        if (16 % sizeof(size_t) == 0)
-                do {    /* always true actually */
-                        if (n) {
-                                while (n && len) {
-                                        ctx->Xi.c[n] ^= *(out++) = *(in++) ^
-                                            ctx->EKi.c[n];
-                                        --len;
-                                        n = (n + 1) % 16;
-                                }
-                                if (n == 0)
-                                        GCM_MUL(ctx, Xi);
-                                else {
-                                        ctx->mres = n;
-                                        return 0;
-                                }
-                        }
-#ifdef __STRICT_ALIGNMENT
-                        if (((size_t)in|(size_t)out) % sizeof(size_t) != 0)
-                                break;
-#endif
-#if defined(GHASH) && defined(GHASH_CHUNK)
-                        while (len >= GHASH_CHUNK) {
-                                size_t j = GHASH_CHUNK;
-                                while (j) {
-                                        size_t *out_t = (size_t *)out;
-                                        const size_t *in_t = (const size_t *)in;
-                                        (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                        ++ctr;
-                                        ctx->Yi.d[3] = htobe32(ctr);
-                                        for (i = 0; i < 16/sizeof(size_t); ++i)
-                                                out_t[i] = in_t[i] ^
-                                                    ctx->EKi.t[i];
-                                        out += 16;
-                                        in += 16;
-                                        j -= 16;
-                                }
-                                GHASH(ctx, out - GHASH_CHUNK, GHASH_CHUNK);
-                                len -= GHASH_CHUNK;
-                        }
-                        if ((i = (len & (size_t)-16))) {
-                                size_t j = i;
-                                while (len >= 16) {
-                                        size_t *out_t = (size_t *)out;
-                                        const size_t *in_t = (const size_t *)in;
-                                        (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                        ++ctr;
-                                        ctx->Yi.d[3] = htobe32(ctr);
-                                        for (i = 0; i < 16/sizeof(size_t); ++i)
-                                                out_t[i] = in_t[i] ^
-                                                    ctx->EKi.t[i];
-                                        out += 16;
-                                        in += 16;
-                                        len -= 16;
-                                }
-                                GHASH(ctx, out - j, j);
-                        }
-#else
-                        while (len >= 16) {
-                                size_t *out_t = (size_t *)out;
-                                const size_t *in_t = (const size_t *)in;
-                                (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                ++ctr;
-                                ctx->Yi.d[3] = htobe32(ctr);
-                                for (i = 0; i < 16/sizeof(size_t); ++i)
-                                        ctx->Xi.t[i] ^=
-                                            out_t[i] = in_t[i] ^ ctx->EKi.t[i];
-                                GCM_MUL(ctx, Xi);
-                                out += 16;
-                                in += 16;
-                                len -= 16;
-                        }
-#endif
-                        if (len) {
-                                (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                ++ctr;
-                                ctx->Yi.d[3] = htobe32(ctr);
-                                while (len--) {
-                                        ctx->Xi.c[n] ^= out[n] = in[n] ^
-                                            ctx->EKi.c[n];
-                                        ++n;
-                                }
-                        }
-                        ctx->mres = n;
+        for (i = 0; i < len; i++) {
-                        return 0;
-                } while (0);
-#endif
-        for (i = 0; i < len; ++i) {
                if (n == 0) {
-                        (*block)(ctx->Yi.c, ctx->EKi.c, key);
+                        ctx->block(ctx->Yi.c, ctx->EKi.c, ctx->key);
-                        ++ctr;
+                        ctx->Yi.d[3] = htobe32(++ctr);
-                        ctx->Yi.d[3] = htobe32(ctr);
                }
                ctx->Xi.c[n] ^= out[i] = in[i] ^ ctx->EKi.c[n];
                n = (n + 1) % 16;
                if (n == 0)
-                        GCM_MUL(ctx, Xi);
+                        gcm_mul(ctx, ctx->Xi.u);
        }
        ctx->mres = n;
        return 0;
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_encrypt);
 int
-CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
+CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, const unsigned char *in,
-    const unsigned char *in, unsigned char *out,
+    unsigned char *out, size_t len)
-    size_t len)
 {
        unsigned int n, ctr;
+        uint64_t mlen;
+        uint8_t c;
        size_t i;
-        u64 mlen = ctx->len.u[1];
-        block128_f block = ctx->block;
-        void *key = ctx->key;
-#ifdef GCM_FUNCREF_4BIT
-        void (*gcm_gmult_p)(u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-# ifdef GHASH
-        void (*gcm_ghash_p)(u64 Xi[2], const u128 Htable[16],
-            const u8 *inp, size_t len) = ctx->ghash;
-# endif
-#endif
-        mlen += len;
+        mlen = ctx->len.u[1] + len;
        if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
                return -1;
        ctx->len.u[1] = mlen;
        if (ctx->ares) {
                /* First call to decrypt finalizes GHASH(AAD) */
-                GCM_MUL(ctx, Xi);
+                gcm_mul(ctx, ctx->Xi.u);
                ctx->ares = 0;
        }
        ctr = be32toh(ctx->Yi.d[3]);
        n = ctx->mres;
-#if !defined(OPENSSL_SMALL_FOOTPRINT)
-        if (16 % sizeof(size_t) == 0)
-                do {    /* always true actually */
-                        if (n) {
-                                while (n && len) {
-                                        u8 c = *(in++);
-                                        *(out++) = c ^ ctx->EKi.c[n];
-                                        ctx->Xi.c[n] ^= c;
-                                        --len;
-                                        n = (n + 1) % 16;
-                                }
-                                if (n == 0)
-                                        GCM_MUL(ctx, Xi);
-                                else {
-                                        ctx->mres = n;
-                                        return 0;
-                                }
-                        }
-#ifdef __STRICT_ALIGNMENT
-                        if (((size_t)in|(size_t)out) % sizeof(size_t) != 0)
-                                break;
-#endif
-#if defined(GHASH) && defined(GHASH_CHUNK)
-                        while (len >= GHASH_CHUNK) {
-                                size_t j = GHASH_CHUNK;
-                                GHASH(ctx, in, GHASH_CHUNK);
-                                while (j) {
-                                        size_t *out_t = (size_t *)out;
-                                        const size_t *in_t = (const size_t *)in;
-                                        (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                        ++ctr;
-                                        ctx->Yi.d[3] = htobe32(ctr);
-                                        for (i = 0; i < 16/sizeof(size_t); ++i)
-                                                out_t[i] = in_t[i] ^
-                                                    ctx->EKi.t[i];
-                                        out += 16;
-                                        in += 16;
-                                        j -= 16;
-                                }
-                                len -= GHASH_CHUNK;
-                        }
-                        if ((i = (len & (size_t)-16))) {
-                                GHASH(ctx, in, i);
-                                while (len >= 16) {
-                                        size_t *out_t = (size_t *)out;
-                                        const size_t *in_t = (const size_t *)in;
-                                        (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                        ++ctr;
-                                        ctx->Yi.d[3] = htobe32(ctr);
-                                        for (i = 0; i < 16/sizeof(size_t); ++i)
-                                                out_t[i] = in_t[i] ^
-                                                    ctx->EKi.t[i];
-                                        out += 16;
-                                        in += 16;
-                                        len -= 16;
-                                }
-                        }
-#else
-                        while (len >= 16) {
-                                size_t *out_t = (size_t *)out;
-                                const size_t *in_t = (const size_t *)in;
-                                (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                ++ctr;
-                                ctx->Yi.d[3] = htobe32(ctr);
-                                for (i = 0; i < 16/sizeof(size_t); ++i) {
-                                        size_t c = in[i];
-                                        out[i] = c ^ ctx->EKi.t[i];
-                                        ctx->Xi.t[i] ^= c;
-                                }
-                                GCM_MUL(ctx, Xi);
-                                out += 16;
-                                in += 16;
-                                len -= 16;
-                        }
-#endif
-                        if (len) {
-                                (*block)(ctx->Yi.c, ctx->EKi.c, key);
-                                ++ctr;
-                                ctx->Yi.d[3] = htobe32(ctr);
-                                while (len--) {
-                                        u8 c = in[n];
-                                        ctx->Xi.c[n] ^= c;
-                                        out[n] = c ^ ctx->EKi.c[n];
-                                        ++n;
-                                }
-                        }
-                        ctx->mres = n;
+        for (i = 0; i < len; i++) {
-                        return 0;
-                } while (0);
-#endif
-        for (i = 0; i < len; ++i) {
-                u8 c;
                if (n == 0) {
-                        (*block)(ctx->Yi.c, ctx->EKi.c, key);
+                        ctx->block(ctx->Yi.c, ctx->EKi.c, ctx->key);
-                        ++ctr;
+                        ctx->Yi.d[3] = htobe32(++ctr);
-                        ctx->Yi.d[3] = htobe32(ctr);
                }
                c = in[i];
                out[i] = c ^ ctx->EKi.c[n];
                ctx->Xi.c[n] ^= c;
                n = (n + 1) % 16;
                if (n == 0)
-                        GCM_MUL(ctx, Xi);
+                        gcm_mul(ctx, ctx->Xi.u);
        }
        ctx->mres = n;
        return 0;
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_decrypt);
 int
-CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
+CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, const unsigned char *in,
-    const unsigned char *in, unsigned char *out,
+    unsigned char *out, size_t len, ctr128_f stream)
-    size_t len, ctr128_f stream)
 {
        unsigned int n, ctr;
-        size_t i;
+        uint64_t mlen;
-        u64 mlen = ctx->len.u[1];
+        size_t i, j;
-        void *key = ctx->key;
-#ifdef GCM_FUNCREF_4BIT
-        void (*gcm_gmult_p)(u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-# ifdef GHASH
-        void (*gcm_ghash_p)(u64 Xi[2], const u128 Htable[16],
-            const u8 *inp, size_t len) = ctx->ghash;
-# endif
-#endif
-        mlen += len;
+        mlen = ctx->len.u[1] + len;
        if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
                return -1;
        ctx->len.u[1] = mlen;
-        if (ctx->ares) {
+        if (ctx->ares > 0) {
                /* First call to encrypt finalizes GHASH(AAD) */
-                GCM_MUL(ctx, Xi);
+                gcm_mul(ctx, ctx->Xi.u);
                ctx->ares = 0;
        }
        ctr = be32toh(ctx->Yi.d[3]);
-        n = ctx->mres;
+        if ((n = ctx->mres) > 0) {
-        if (n) {
+                while (n > 0 && len > 0) {
-                while (n && len) {
                        ctx->Xi.c[n] ^= *(out++) = *(in++) ^ ctx->EKi.c[n];
-                        --len;
                        n = (n + 1) % 16;
+                        len--;
                }
-                if (n == 0)
+                if (n > 0) {
-                        GCM_MUL(ctx, Xi);
-                else {
                        ctx->mres = n;
                        return 0;
                }
+                gcm_mul(ctx, ctx->Xi.u);
        }
-#if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT)
+        if ((i = (len & (size_t)-16)) > 0) {
-        while (len >= GHASH_CHUNK) {
+                j = i / 16;
-                (*stream)(in, out, GHASH_CHUNK/16, key, ctx->Yi.c);
+                stream(in, out, j, ctx->key, ctx->Yi.c);
-                ctr += GHASH_CHUNK/16;
-                ctx->Yi.d[3] = htobe32(ctr);
-                GHASH(ctx, out, GHASH_CHUNK);
-                out += GHASH_CHUNK;
-                in += GHASH_CHUNK;
-                len -= GHASH_CHUNK;
-        }
-#endif
-        if ((i = (len & (size_t)-16))) {
-                size_t j = i/16;
-                (*stream)(in, out, j, key, ctx->Yi.c);
                ctr += (unsigned int)j;
                ctx->Yi.d[3] = htobe32(ctr);
+                gcm_ghash(ctx, out, i);
                in += i;
-                len -= i;
-#if defined(GHASH)
-                GHASH(ctx, out, i);
                out += i;
-#else
+                len -= i;
-                while (j--) {
-                        for (i = 0; i < 16; ++i)
-                                ctx->Xi.c[i] ^= out[i];
-                        GCM_MUL(ctx, Xi);
-                        out += 16;
-                }
-#endif
        }
-        if (len) {
+        if (len > 0) {
-                (*ctx->block)(ctx->Yi.c, ctx->EKi.c, key);
+                ctx->block(ctx->Yi.c, ctx->EKi.c, ctx->key);
-                ++ctr;
+                ctx->Yi.d[3] = htobe32(++ctr);
-                ctx->Yi.d[3] = htobe32(ctr);
+                while (len-- > 0) {
-                while (len--) {
                        ctx->Xi.c[n] ^= out[n] = in[n] ^ ctx->EKi.c[n];
-                        ++n;
+                        n++;
                }
        }
        ctx->mres = n;
        return 0;
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_encrypt_ctr32);
 int
-CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
+CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, const unsigned char *in,
-    const unsigned char *in, unsigned char *out,
+    unsigned char *out, size_t len, ctr128_f stream)
-    size_t len, ctr128_f stream)
 {
        unsigned int n, ctr;
-        size_t i;
+        uint64_t mlen;
-        u64 mlen = ctx->len.u[1];
+        size_t i, j;
-        void *key = ctx->key;
+        uint8_t c;
-#ifdef GCM_FUNCREF_4BIT
-        void (*gcm_gmult_p)(u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
-# ifdef GHASH
-        void (*gcm_ghash_p)(u64 Xi[2], const u128 Htable[16],
-            const u8 *inp, size_t len) = ctx->ghash;
-# endif
-#endif
-        mlen += len;
+        mlen = ctx->len.u[1] + len;
        if (mlen > ((U64(1) << 36) - 32) || (sizeof(len) == 8 && mlen < len))
                return -1;
        ctx->len.u[1] = mlen;
-        if (ctx->ares) {
+        if (ctx->ares > 0) {
                /* First call to decrypt finalizes GHASH(AAD) */
-                GCM_MUL(ctx, Xi);
+                gcm_mul(ctx, ctx->Xi.u);
                ctx->ares = 0;
        }
        ctr = be32toh(ctx->Yi.d[3]);
-        n = ctx->mres;
+        if ((n = ctx->mres) > 0) {
-        if (n) {
+                while (n > 0 && len > 0) {
-                while (n && len) {
+                        c = *(in++);
-                        u8 c = *(in++);
                        *(out++) = c ^ ctx->EKi.c[n];
                        ctx->Xi.c[n] ^= c;
-                        --len;
                        n = (n + 1) % 16;
+                        len--;
                }
-                if (n == 0)
+                if (n > 0) {
-                        GCM_MUL(ctx, Xi);
-                else {
                        ctx->mres = n;
                        return 0;
                }
+                gcm_mul(ctx, ctx->Xi.u);
        }
-#if defined(GHASH) && !defined(OPENSSL_SMALL_FOOTPRINT)
+        if ((i = (len & (size_t)-16)) > 0) {
-        while (len >= GHASH_CHUNK) {
+                j = i / 16;
-                GHASH(ctx, in, GHASH_CHUNK);
+                gcm_ghash(ctx, in, i);
-                (*stream)(in, out, GHASH_CHUNK/16, key, ctx->Yi.c);
+                stream(in, out, j, ctx->key, ctx->Yi.c);
-                ctr += GHASH_CHUNK/16;
-                ctx->Yi.d[3] = htobe32(ctr);
-                out += GHASH_CHUNK;
-                in += GHASH_CHUNK;
-                len -= GHASH_CHUNK;
-        }
-#endif
-        if ((i = (len & (size_t)-16))) {
-                size_t j = i/16;
-#if defined(GHASH)
-                GHASH(ctx, in, i);
-#else
-                while (j--) {
-                        size_t k;
-                        for (k = 0; k < 16; ++k)
-                                ctx->Xi.c[k] ^= in[k];
-                        GCM_MUL(ctx, Xi);
-                        in += 16;
-                }
-                j = i/16;
-                in -= i;
-#endif
-                (*stream)(in, out, j, key, ctx->Yi.c);
                ctr += (unsigned int)j;
                ctx->Yi.d[3] = htobe32(ctr);
-                out += i;
                in += i;
+                out += i;
                len -= i;
        }
-        if (len) {
+        if (len > 0) {
-                (*ctx->block)(ctx->Yi.c, ctx->EKi.c, key);
+                ctx->block(ctx->Yi.c, ctx->EKi.c, ctx->key);
-                ++ctr;
+                ctx->Yi.d[3] = htobe32(++ctr);
-                ctx->Yi.d[3] = htobe32(ctr);
+                while (len-- > 0) {
-                while (len--) {
+                        c = in[n];
-                        u8 c = in[n];
                        ctx->Xi.c[n] ^= c;
                        out[n] = c ^ ctx->EKi.c[n];
-                        ++n;
+                        n++;
                }
        }
        ctx->mres = n;
        return 0;
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_decrypt_ctr32);
@@ -1306,26 +553,25 @@ int
 CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag,
    size_t len)
 {
-        u64 alen = ctx->len.u[0] << 3;
+        uint64_t alen, clen;
-        u64 clen = ctx->len.u[1] << 3;
-#ifdef GCM_FUNCREF_4BIT
+        alen = ctx->len.u[0] << 3;
-        void (*gcm_gmult_p)(u64 Xi[2], const u128 Htable[16]) = ctx->gmult;
+        clen = ctx->len.u[1] << 3;
-#endif
-        if (ctx->mres || ctx->ares)
+        if (ctx->ares > 0 || ctx->mres > 0)
-                GCM_MUL(ctx, Xi);
+                gcm_mul(ctx, ctx->Xi.u);
        ctx->Xi.u[0] ^= htobe64(alen);
        ctx->Xi.u[1] ^= htobe64(clen);
-        GCM_MUL(ctx, Xi);
+        gcm_mul(ctx, ctx->Xi.u);
        ctx->Xi.u[0] ^= ctx->EK0.u[0];
        ctx->Xi.u[1] ^= ctx->EK0.u[1];
-        if (tag && len <= sizeof(ctx->Xi))
+        if (tag == NULL || len > sizeof(ctx->Xi))
-                return memcmp(ctx->Xi.c, tag, len);
-        else
                return -1;
+        return timingsafe_memcmp(ctx->Xi.c, tag, len);
 }
 LCRYPTO_ALIAS(CRYPTO_gcm128_finish);
@@ -1333,26 +579,10 @@ void
 CRYPTO_gcm128_tag(GCM128_CONTEXT *ctx, unsigned char *tag, size_t len)
 {
        CRYPTO_gcm128_finish(ctx, NULL, 0);
-        memcpy(tag, ctx->Xi.c,
-            len <= sizeof(ctx->Xi.c) ? len : sizeof(ctx->Xi.c));
-}
-LCRYPTO_ALIAS(CRYPTO_gcm128_tag);
-GCM128_CONTEXT *
-CRYPTO_gcm128_new(void *key, block128_f block)
-{
-        GCM128_CONTEXT *ret;
-        if ((ret = malloc(sizeof(GCM128_CONTEXT))))
+        if (len > sizeof(ctx->Xi.c))
-                CRYPTO_gcm128_init(ret, key, block);
+                len = sizeof(ctx->Xi.c);
-        return ret;
+        memcpy(tag, ctx->Xi.c, len);
 }
-LCRYPTO_ALIAS(CRYPTO_gcm128_new);
+LCRYPTO_ALIAS(CRYPTO_gcm128_tag);
-void
-CRYPTO_gcm128_release(GCM128_CONTEXT *ctx)
-{
-        freezero(ctx, sizeof(*ctx));
-}
-LCRYPTO_ALIAS(CRYPTO_gcm128_release);
diff --git a/src/lib/libcrypto/modes/gcm128_amd64.c b/src/lib/libcrypto/modes/gcm128_amd64.c
new file mode 100644
index 0000000000..eaa66fb32f
--- /dev/null
+++ b/src/lib/libcrypto/modes/gcm128_amd64.c
@@ -0,0 +1,44 @@
+/* $OpenBSD: gcm128_amd64.c,v 1.1 2025/06/28 12:39:10 jsing Exp $ */
+/*
+ * Copyright (c) 2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include "crypto_arch.h"
+#include "modes_local.h"
+void gcm_init_4bit(u128 Htable[16], uint64_t H[2]);
+void gcm_gmult_4bit(uint64_t Xi[2], const u128 Htable[16]);
+void gcm_ghash_4bit(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+    size_t len);
+void gcm_init_clmul(u128 Htable[16], const uint64_t Xi[2]);
+void gcm_gmult_clmul(uint64_t Xi[2], const u128 Htable[16]);
+void gcm_ghash_clmul(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+    size_t len);
+void
+gcm128_init(GCM128_CONTEXT *ctx)
+{
+        if ((crypto_cpu_caps_amd64 & CRYPTO_CPU_CAPS_AMD64_CLMUL) != 0) {
+                gcm_init_clmul(ctx->Htable, ctx->H.u);
+                ctx->gmult = gcm_gmult_clmul;
+                ctx->ghash = gcm_ghash_clmul;
+                return;
+        }
+        gcm_init_4bit(ctx->Htable, ctx->H.u);
+        ctx->gmult = gcm_gmult_4bit;
+        ctx->ghash = gcm_ghash_4bit;
+}
diff --git a/src/lib/libcrypto/modes/gcm128_i386.c b/src/lib/libcrypto/modes/gcm128_i386.c
new file mode 100644
index 0000000000..14b0b9ce64
--- /dev/null
+++ b/src/lib/libcrypto/modes/gcm128_i386.c
@@ -0,0 +1,56 @@
+/* $OpenBSD: gcm128_i386.c,v 1.2 2025/12/31 10:16:24 jsing Exp $ */
+/*
+ * Copyright (c) 2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include "crypto_arch.h"
+#include "modes_local.h"
+void gcm_init_4bit(u128 Htable[16], uint64_t H[2]);
+void gcm_gmult_4bit_mmx(uint64_t Xi[2], const u128 Htable[16]);
+void gcm_ghash_4bit_mmx(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+    size_t len);
+void gcm_gmult_4bit_x86(uint64_t Xi[2], const u128 Htable[16]);
+void gcm_ghash_4bit_x86(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+    size_t len);
+void gcm_init_clmul(u128 Htable[16], const uint64_t Xi[2]);
+void gcm_gmult_clmul(uint64_t Xi[2], const u128 Htable[16]);
+void gcm_ghash_clmul(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
+    size_t len);
+void
+gcm128_init(GCM128_CONTEXT *ctx)
+{
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_CLMUL) != 0) {
+                gcm_init_clmul(ctx->Htable, ctx->H.u);
+                ctx->gmult = gcm_gmult_clmul;
+                ctx->ghash = gcm_ghash_clmul;
+                return;
+        }
+        if ((crypto_cpu_caps_i386 & CRYPTO_CPU_CAPS_I386_SSE) != 0) {
+                gcm_init_4bit(ctx->Htable, ctx->H.u);
+                ctx->gmult = gcm_gmult_4bit_mmx;
+                ctx->ghash = gcm_ghash_4bit_mmx;
+                return;
+        }
+        gcm_init_4bit(ctx->Htable, ctx->H.u);
+        ctx->gmult = gcm_gmult_4bit_x86;
+        ctx->ghash = gcm_ghash_4bit_x86;
+}
diff --git a/src/lib/libcrypto/modes/modes_local.h b/src/lib/libcrypto/modes/modes_local.h
index 511855f2e0..df699d3e4c 100644
--- a/src/lib/libcrypto/modes/modes_local.h
+++ b/src/lib/libcrypto/modes/modes_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: modes_local.h,v 1.2 2023/07/08 14:55:36 beck Exp $ */
+/* $OpenBSD: modes_local.h,v 1.8 2025/11/26 10:19:57 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
 *
@@ -6,6 +6,9 @@
 * ====================================================================
 */
+#ifndef HEADER_MODES_LOCAL_H
+#define HEADER_MODES_LOCAL_H
 #include <endian.h>
 #include <openssl/opensslconf.h>
@@ -15,107 +18,51 @@
 __BEGIN_HIDDEN_DECLS
 #if defined(_LP64)
-typedef long i64;
-typedef unsigned long u64;
 #define U64(C) C##UL
 #else
-typedef long long i64;
-typedef unsigned long long u64;
 #define U64(C) C##ULL
 #endif
-typedef unsigned int u32;
-typedef unsigned char u8;
-#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
-#if defined(__GNUC__) && __GNUC__>=2
-# if defined(__x86_64) || defined(__x86_64__)
-#  define BSWAP8(x) ({  u64 ret=(x);                                    \
-                        asm ("bswapq %0"                                \
-                        : "+r"(ret));   ret;            })
-#  define BSWAP4(x) ({  u32 ret=(x);                                    \
-                        asm ("bswapl %0"                                \
-                        : "+r"(ret));   ret;            })
-# elif (defined(__i386) || defined(__i386__))
-#  define BSWAP8(x) ({  u32 lo=(u64)(x)>>32,hi=(x);                     \
-                        asm ("bswapl %0; bswapl %1"                     \
-                        : "+r"(hi),"+r"(lo));                           \
-                        (u64)hi<<32|lo;                 })
-#  define BSWAP4(x) ({  u32 ret=(x);                                    \
-                        asm ("bswapl %0"                                \
-                        : "+r"(ret));   ret;            })
-# elif (defined(__arm__) || defined(__arm)) && !defined(__STRICT_ALIGNMENT)
-#  define BSWAP8(x) ({  u32 lo=(u64)(x)>>32,hi=(x);                     \
-                        asm ("rev %0,%0; rev %1,%1"                     \
-                        : "+r"(hi),"+r"(lo));                           \
-                        (u64)hi<<32|lo;                 })
-#  define BSWAP4(x) ({  u32 ret;                                        \
-                        asm ("rev %0,%1"                                \
-                        : "=r"(ret) : "r"((u32)(x)));                   \
-                        ret;                            })
-# endif
-#endif
-#endif
-#if defined(BSWAP4) && !defined(__STRICT_ALIGNMENT)
-#define GETU32(p)       BSWAP4(*(const u32 *)(p))
-#define PUTU32(p,v)     *(u32 *)(p) = BSWAP4(v)
-#else
-#define GETU32(p)       ((u32)(p)[0]<<24|(u32)(p)[1]<<16|(u32)(p)[2]<<8|(u32)(p)[3])
-#define PUTU32(p,v)     ((p)[0]=(u8)((v)>>24),(p)[1]=(u8)((v)>>16),(p)[2]=(u8)((v)>>8),(p)[3]=(u8)(v))
-#endif
 /* GCM definitions */
 typedef struct {
-        u64 hi, lo;
+        uint64_t hi, lo;
 } u128;
-#ifdef  TABLE_BITS
-#undef  TABLE_BITS
-#endif
-/*
- * Even though permitted values for TABLE_BITS are 8, 4 and 1, it should
- * never be set to 8 [or 1]. For further information see gcm128.c.
- */
-#define TABLE_BITS 4
 struct gcm128_context {
        /* Following 6 names follow names in GCM specification */
        union {
-                u64 u[2];
+                uint64_t u[2];
-                u32 d[4];
+                uint32_t d[4];
-                u8 c[16];
+                uint8_t c[16];
                size_t t[16/sizeof(size_t)];
        } Yi, EKi, EK0, len, Xi, H;
        /* Relative position of Xi, H and pre-computed Htable is used
         * in some assembler modules, i.e. don't change the order! */
-#if TABLE_BITS==8
-        u128 Htable[256];
-#else
        u128 Htable[16];
-        void (*gmult)(u64 Xi[2], const u128 Htable[16]);
+        void (*gmult)(uint64_t Xi[2], const u128 Htable[16]);
-        void (*ghash)(u64 Xi[2], const u128 Htable[16], const u8 *inp,
+        void (*ghash)(uint64_t Xi[2], const u128 Htable[16], const uint8_t *inp,
            size_t len);
-#endif
        unsigned int mres, ares;
        block128_f block;
        void *key;
 };
 struct xts128_context {
-        void      *key1, *key2;
+        const void *key1, *key2;
        block128_f block1, block2;
 };
 struct ccm128_context {
        union {
-                u64 u[2];
+                uint64_t u[2];
-                u8 c[16];
+                uint8_t c[16];
        } nonce, cmac;
-        u64 blocks;
+        uint64_t blocks;
        block128_f block;
        void *key;
 };
 __END_HIDDEN_DECLS
+#endif /* HEADER_MODES_LOCAL_H */
diff --git a/src/lib/libcrypto/modes/ofb128.c b/src/lib/libcrypto/modes/ofb128.c
index 42afd29d58..8440e7f583 100644
--- a/src/lib/libcrypto/modes/ofb128.c
+++ b/src/lib/libcrypto/modes/ofb128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ofb128.c,v 1.7 2023/07/08 14:56:54 beck Exp $ */
+/* $OpenBSD: ofb128.c,v 1.10 2025/04/23 10:09:08 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
 *
@@ -49,15 +49,11 @@
 *
 */
-#include <openssl/crypto.h>
-#include "modes_local.h"
 #include <string.h>
-#ifndef MODES_DEBUG
+#include <openssl/crypto.h>
-# ifndef NDEBUG
-#  define NDEBUG
+#include "modes_local.h"
-# endif
-#endif
 /* The input and output encrypted as though 128bit ofb mode is being
 * used.  The extra state information to record how much of the
@@ -74,7 +70,6 @@ CRYPTO_ofb128_encrypt(const unsigned char *in, unsigned char *out,
        n = *num;
-#if !defined(OPENSSL_SMALL_FOOTPRINT)
        if (16 % sizeof(size_t) == 0)
                do { /* always true actually */
                        while (n && len) {
@@ -109,7 +104,6 @@ CRYPTO_ofb128_encrypt(const unsigned char *in, unsigned char *out,
                        return;
                } while (0);
        /* the rest would be commonly eliminated by x86* compiler */
-#endif
        while (l < len) {
                if (n == 0) {
                        (*block)(ivec, ivec, key);
diff --git a/src/lib/libcrypto/modes/xts128.c b/src/lib/libcrypto/modes/xts128.c
index 7516acf850..9c863e73d6 100644
--- a/src/lib/libcrypto/modes/xts128.c
+++ b/src/lib/libcrypto/modes/xts128.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: xts128.c,v 1.12 2023/07/08 14:56:54 beck Exp $ */
+/* $OpenBSD: xts128.c,v 1.15 2025/05/18 09:05:59 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 2011 The OpenSSL Project.  All rights reserved.
 *
@@ -48,17 +48,12 @@
 * ====================================================================
 */
-#include <openssl/crypto.h>
-#include "modes_local.h"
 #include <endian.h>
 #include <string.h>
-#ifndef MODES_DEBUG
+#include <openssl/crypto.h>
-# ifndef NDEBUG
-#  define NDEBUG
+#include "modes_local.h"
-# endif
-#endif
 int
 CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
@@ -66,9 +61,9 @@ CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
    size_t len, int enc)
 {
        union {
-                u64 u[2];
+                uint64_t u[2];
-                u32 d[4];
+                uint32_t d[4];
-                u8 c[16];
+                uint8_t c[16];
        } tweak, scratch;
        unsigned int i;
@@ -88,8 +83,8 @@ CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
                scratch.u[0] ^= tweak.u[0];
                scratch.u[1] ^= tweak.u[1];
 #else
-                scratch.u[0] = ((u64 *)inp)[0] ^ tweak.u[0];
+                scratch.u[0] = ((uint64_t *)inp)[0] ^ tweak.u[0];
-                scratch.u[1] = ((u64 *)inp)[1] ^ tweak.u[1];
+                scratch.u[1] = ((uint64_t *)inp)[1] ^ tweak.u[1];
 #endif
                (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
 #ifdef __STRICT_ALIGNMENT
@@ -97,8 +92,8 @@ CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
                scratch.u[1] ^= tweak.u[1];
                memcpy(out, scratch.c, 16);
 #else
-                ((u64 *)out)[0] = scratch.u[0] ^= tweak.u[0];
+                ((uint64_t *)out)[0] = scratch.u[0] ^= tweak.u[0];
-                ((u64 *)out)[1] = scratch.u[1] ^= tweak.u[1];
+                ((uint64_t *)out)[1] = scratch.u[1] ^= tweak.u[1];
 #endif
                inp += 16;
                out += 16;
@@ -120,15 +115,15 @@ CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
                for (c = 0, i = 0; i < 16; ++i) {
                        /*+ substitutes for |, because c is 1 bit */
                        c += ((size_t)tweak.c[i]) << 1;
-                        tweak.c[i] = (u8)c;
+                        tweak.c[i] = (uint8_t)c;
                        c = c >> 8;
                }
-                tweak.c[0] ^= (u8)(0x87 & (0 - c));
+                tweak.c[0] ^= (uint8_t)(0x87 & (0 - c));
 #endif
        }
        if (enc) {
                for (i = 0; i < len; ++i) {
-                        u8 ch = inp[i];
+                        uint8_t ch = inp[i];
                        out[i] = scratch.c[i];
                        scratch.c[i] = ch;
                }
@@ -140,8 +135,8 @@ CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
                memcpy(out - 16, scratch.c, 16);
        } else {
                union {
-                        u64 u[2];
+                        uint64_t u[2];
-                        u8 c[16];
+                        uint8_t c[16];
                } tweak1;
 #if BYTE_ORDER == LITTLE_ENDIAN
@@ -157,25 +152,25 @@ CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
                for (c = 0, i = 0; i < 16; ++i) {
                        /*+ substitutes for |, because c is 1 bit */
                        c += ((size_t)tweak.c[i]) << 1;
-                        tweak1.c[i] = (u8)c;
+                        tweak1.c[i] = (uint8_t)c;
                        c = c >> 8;
                }
-                tweak1.c[0] ^= (u8)(0x87 & (0 - c));
+                tweak1.c[0] ^= (uint8_t)(0x87 & (0 - c));
 #endif
 #ifdef __STRICT_ALIGNMENT
                memcpy(scratch.c, inp, 16);
                scratch.u[0] ^= tweak1.u[0];
                scratch.u[1] ^= tweak1.u[1];
 #else
-                scratch.u[0] = ((u64 *)inp)[0] ^ tweak1.u[0];
+                scratch.u[0] = ((uint64_t *)inp)[0] ^ tweak1.u[0];
-                scratch.u[1] = ((u64 *)inp)[1] ^ tweak1.u[1];
+                scratch.u[1] = ((uint64_t *)inp)[1] ^ tweak1.u[1];
 #endif
                (*ctx->block1)(scratch.c, scratch.c, ctx->key1);
                scratch.u[0] ^= tweak1.u[0];
                scratch.u[1] ^= tweak1.u[1];
                for (i = 0; i < len; ++i) {
-                        u8 ch = inp[16 + i];
+                        uint8_t ch = inp[16 + i];
                        out[16 + i] = scratch.c[i];
                        scratch.c[i] = ch;
                }
@@ -187,8 +182,8 @@ CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16],
                scratch.u[1] ^= tweak.u[1];
                memcpy(out, scratch.c, 16);
 #else
-                ((u64 *)out)[0] = scratch.u[0] ^ tweak.u[0];
+                ((uint64_t *)out)[0] = scratch.u[0] ^ tweak.u[0];
-                ((u64 *)out)[1] = scratch.u[1] ^ tweak.u[1];
+                ((uint64_t *)out)[1] = scratch.u[1] ^ tweak.u[1];
 #endif
        }
diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c
index 2f4012fe15..d4da6be52c 100644
--- a/src/lib/libcrypto/objects/obj_dat.c
+++ b/src/lib/libcrypto/objects/obj_dat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: obj_dat.c,v 1.94 2025/02/26 10:48:25 tb Exp $ */
+/* $OpenBSD: obj_dat.c,v 1.95 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -66,11 +66,11 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
 #include "asn1_local.h"
+#include "err_local.h"
 /* obj_dat.h is generated from objects.h by obj_dat.pl */
 #include "obj_dat.h"
diff --git a/src/lib/libcrypto/objects/obj_lib.c b/src/lib/libcrypto/objects/obj_lib.c
index 45062dbd4c..56b0b10423 100644
--- a/src/lib/libcrypto/objects/obj_lib.c
+++ b/src/lib/libcrypto/objects/obj_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: obj_lib.c,v 1.19 2023/08/17 09:13:01 tb Exp $ */
+/* $OpenBSD: obj_lib.c,v 1.20 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,12 +59,12 @@
 #include <stdio.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/buffer.h>
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
 #include "asn1_local.h"
+#include "err_local.h"
 ASN1_OBJECT *
 OBJ_dup(const ASN1_OBJECT *o)
diff --git a/src/lib/libcrypto/objects/obj_mac.num b/src/lib/libcrypto/objects/obj_mac.num
index 728bf02400..2f93e12b82 100644
--- a/src/lib/libcrypto/objects/obj_mac.num
+++ b/src/lib/libcrypto/objects/obj_mac.num
@@ -1053,3 +1053,4 @@ RSA_SHA3_512	1052
 acmeIdentifier  1053
 id_ct_rpkiSignedPrefixList      1054
 tls1_prf        1055
+X25519MLKEM768  1056
diff --git a/src/lib/libcrypto/objects/objects.txt b/src/lib/libcrypto/objects/objects.txt
index 4d5a52efcf..933fa51f71 100644
--- a/src/lib/libcrypto/objects/objects.txt
+++ b/src/lib/libcrypto/objects/objects.txt
@@ -1477,3 +1477,8 @@ tc26 1 3 3		: id-tc26-signwithdigest-gost3410-2012-512 : GOST R 34.11-2012 with
                        : AuthECDSA             : auth-ecdsa
                        : AuthGOST01            : auth-gost01
                        : AuthNULL              : auth-null
+# MLKEM/X25519 hybrid for TLS - no OID assigned
+# see https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
+# section 7.1
+                        : X25519MLKEM768
diff --git a/src/lib/libcrypto/ocsp/ocsp_cl.c b/src/lib/libcrypto/ocsp/ocsp_cl.c
index d8ee33c391..460c1bce5e 100644
--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_cl.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
+/* $OpenBSD: ocsp_cl.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
 * project. */
@@ -64,7 +64,6 @@
 #include <stdio.h>
 #include <time.h>
-#include <openssl/err.h>
 #include <openssl/ocsp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
@@ -73,6 +72,7 @@
 #include <openssl/x509v3.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "ocsp_local.h"
 /* Utility functions related to sending OCSP requests and extracting
diff --git a/src/lib/libcrypto/ocsp/ocsp_ht.c b/src/lib/libcrypto/ocsp/ocsp_ht.c
index 69723c2154..db83b35518 100644
--- a/src/lib/libcrypto/ocsp/ocsp_ht.c
+++ b/src/lib/libcrypto/ocsp/ocsp_ht.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_ht.c,v 1.27 2023/11/28 09:29:20 jsg Exp $ */
+/* $OpenBSD: ocsp_ht.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -60,11 +60,13 @@
 #include <stdlib.h>
 #include <ctype.h>
 #include <string.h>
 #include <openssl/asn1.h>
 #include <openssl/ocsp.h>
-#include <openssl/err.h>
 #include <openssl/buffer.h>
+#include "err_local.h"
 /* Stateful OCSP request code, supporting non-blocking I/O */
 /* Opaque OCSP request status structure */
diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
index 521fb67aed..dfa002a594 100644
--- a/src/lib/libcrypto/ocsp/ocsp_lib.c
+++ b/src/lib/libcrypto/ocsp/ocsp_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_lib.c,v 1.28 2024/08/28 06:27:19 tb Exp $ */
+/* $OpenBSD: ocsp_lib.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
 * project. */
@@ -67,13 +67,13 @@
 #include <openssl/opensslconf.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/ocsp.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "ocsp_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/ocsp/ocsp_prn.c b/src/lib/libcrypto/ocsp/ocsp_prn.c
index fb7b9651d9..537d5e3d20 100644
--- a/src/lib/libcrypto/ocsp/ocsp_prn.c
+++ b/src/lib/libcrypto/ocsp/ocsp_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_prn.c,v 1.11 2024/08/28 06:18:44 tb Exp $ */
+/* $OpenBSD: ocsp_prn.c,v 1.12 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
 * project. */
@@ -62,7 +62,6 @@
 */
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include <openssl/ocsp.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
diff --git a/src/lib/libcrypto/ocsp/ocsp_srv.c b/src/lib/libcrypto/ocsp/ocsp_srv.c
index 77c5e2e0fd..4b1d73d7ac 100644
--- a/src/lib/libcrypto/ocsp/ocsp_srv.c
+++ b/src/lib/libcrypto/ocsp/ocsp_srv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_srv.c,v 1.13 2023/07/08 10:44:00 beck Exp $ */
+/* $OpenBSD: ocsp_srv.c,v 1.14 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -58,13 +58,13 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/ocsp.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "ocsp_local.h"
 /* Utility functions related to sending OCSP responses and extracting
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c
index 27d2283ea7..185839f465 100644
--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_vfy.c,v 1.24 2024/07/12 18:15:10 beck Exp $ */
+/* $OpenBSD: ocsp_vfy.c,v 1.25 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -57,9 +57,9 @@
 */
 #include <openssl/ocsp.h>
-#include <openssl/err.h>
 #include <string.h>
+#include "err_local.h"
 #include "ocsp_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/opensslconf.h b/src/lib/libcrypto/opensslconf.h
new file mode 100644
index 0000000000..c5b30fbfcb
--- /dev/null
+++ b/src/lib/libcrypto/opensslconf.h
@@ -0,0 +1,16 @@
+/*      $OpenBSD: opensslconf.h,v 1.4 2025/08/29 18:29:42 tb Exp $ */
+/*
+ * Public domain.
+ */
+#include <openssl/opensslfeatures.h>
+#ifndef OPENSSL_FILE
+#ifdef OPENSSL_NO_FILENAMES
+#define OPENSSL_FILE ""
+#define OPENSSL_LINE 0
+#else
+#define OPENSSL_FILE __FILE__
+#define OPENSSL_LINE __LINE__
+#endif
+#endif
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index bf06db8bce..e191a0dec1 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -1,11 +1,11 @@
-/* $OpenBSD: opensslv.h,v 1.80 2025/03/09 15:49:18 tb Exp $ */
+/* $OpenBSD: opensslv.h,v 1.81 2025/09/28 14:17:52 tb Exp $ */
 #ifndef HEADER_OPENSSLV_H
 #define HEADER_OPENSSLV_H
 /* These will change with each release of LibreSSL-portable */
-#define LIBRESSL_VERSION_NUMBER 0x4010000fL
+#define LIBRESSL_VERSION_NUMBER 0x4020000fL
 /*                                    ^ Patch starts here   */
-#define LIBRESSL_VERSION_TEXT   "LibreSSL 4.1.0"
+#define LIBRESSL_VERSION_TEXT   "LibreSSL 4.2.0"
 /* These will never change */
 #define OPENSSL_VERSION_NUMBER  0x20000000L
diff --git a/src/lib/libcrypto/pem/pem.h b/src/lib/libcrypto/pem/pem.h
index 4fdab48bb2..709e17308b 100644
--- a/src/lib/libcrypto/pem/pem.h
+++ b/src/lib/libcrypto/pem/pem.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem.h,v 1.28 2024/05/11 05:41:28 tb Exp $ */
+/* $OpenBSD: pem.h,v 1.29 2025/07/16 15:59:26 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -338,8 +338,6 @@ int	PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
 STACK_OF(X509_INFO) *   PEM_X509_INFO_read_bio(BIO *bp,
            STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *u);
-int     PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
-            unsigned char *kstr, int klen, pem_password_cb *cd, void *u);
 #endif
 int     PEM_read(FILE *fp, char **name, char **header,
@@ -351,8 +349,6 @@ void *  PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x,
 int     PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp,
            void *x, const EVP_CIPHER *enc, unsigned char *kstr,
            int klen, pem_password_cb *callback, void *u);
-STACK_OF(X509_INFO) *   PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
-            pem_password_cb *cb, void *u);
 int    PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type);
 int    PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt);
diff --git a/src/lib/libcrypto/pem/pem_info.c b/src/lib/libcrypto/pem/pem_info.c
index b979c79b33..26061f6f08 100644
--- a/src/lib/libcrypto/pem/pem_info.c
+++ b/src/lib/libcrypto/pem/pem_info.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_info.c,v 1.27 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: pem_info.c,v 1.33 2025/07/16 15:59:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -57,43 +57,81 @@
 */
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 #include <openssl/opensslconf.h>
-#include <openssl/buffer.h>
+#include <openssl/asn1.h>
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/dsa.h>
+#include <openssl/ec.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
-#include <openssl/x509.h>
-#ifndef OPENSSL_NO_DSA
-#include <openssl/dsa.h>
-#endif
-#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
-#endif
+#include <openssl/x509.h>
+#include "err_local.h"
 #include "evp_local.h"
-STACK_OF(X509_INFO) *
+X509_PKEY *
-PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb,
+X509_PKEY_new(void)
-    void *u)
+{
+        X509_PKEY *x_pkey;
+        if ((x_pkey = calloc(1, sizeof(*x_pkey))) == NULL) {
+                ASN1error(ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+        return x_pkey;
+}
+void
+X509_PKEY_free(X509_PKEY *x_pkey)
+{
+        if (x_pkey == NULL)
+                return;
+        EVP_PKEY_free(x_pkey->dec_pkey);
+        free(x_pkey);
+}
+X509_INFO *
+X509_INFO_new(void)
 {
-        BIO *b;
+        X509_INFO *ret;
-        STACK_OF(X509_INFO) *ret;
-        if ((b = BIO_new(BIO_s_file())) == NULL) {
+        if ((ret = calloc(1, sizeof(X509_INFO))) == NULL) {
-                PEMerror(ERR_R_BUF_LIB);
+                ASN1error(ERR_R_MALLOC_FAILURE);
-                return (0);
+                return NULL;
        }
-        BIO_set_fp(b, fp, BIO_NOCLOSE);
+        ret->references = 1;
-        ret = PEM_X509_INFO_read_bio(b, sk, cb, u);
-        BIO_free(b);
+        return ret;
-        return (ret);
+}
+LCRYPTO_ALIAS(X509_INFO_new);
+void
+X509_INFO_free(X509_INFO *x)
+{
+        if (x == NULL)
+                return;
+        if (CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO) > 0)
+                return;
+        X509_free(x->x509);
+        X509_CRL_free(x->crl);
+        X509_PKEY_free(x->x_pkey);
+        free(x->enc_data);
+        free(x);
 }
-LCRYPTO_ALIAS(PEM_X509_INFO_read);
+LCRYPTO_ALIAS(X509_INFO_free);
 STACK_OF(X509_INFO) *
 PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb,
@@ -290,98 +328,3 @@ err:
        return ret;
 }
 LCRYPTO_ALIAS(PEM_X509_INFO_read_bio);
-/* A TJH addition */
-int
-PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc,
-    unsigned char *kstr, int klen, pem_password_cb *cb, void *u)
-{
-        EVP_CIPHER_CTX ctx;
-        int i, ret = 0;
-        unsigned char *data = NULL;
-        const char *objstr = NULL;
-        char buf[PEM_BUFSIZE];
-        unsigned char *iv = NULL;
-        if (enc != NULL) {
-                objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
-                if (objstr == NULL) {
-                        PEMerror(PEM_R_UNSUPPORTED_CIPHER);
-                        goto err;
-                }
-        }
-        /* now for the fun part ... if we have a private key then
-         * we have to be able to handle a not-yet-decrypted key
-         * being written out correctly ... if it is decrypted or
-         * it is non-encrypted then we use the base code
-         */
-        if (xi->x_pkey != NULL) {
-                if ((xi->enc_data != NULL) && (xi->enc_len > 0) ) {
-                        if (enc == NULL) {
-                                PEMerror(PEM_R_CIPHER_IS_NULL);
-                                goto err;
-                        }
-                        /* copy from weirdo names into more normal things */
-                        iv = xi->enc_cipher.iv;
-                        data = (unsigned char *)xi->enc_data;
-                        i = xi->enc_len;
-                        /* we take the encryption data from the
-                         * internal stuff rather than what the
-                         * user has passed us ... as we have to
-                         * match exactly for some strange reason
-                         */
-                        objstr = OBJ_nid2sn(
-                            EVP_CIPHER_nid(xi->enc_cipher.cipher));
-                        if (objstr == NULL) {
-                                PEMerror(PEM_R_UNSUPPORTED_CIPHER);
-                                goto err;
-                        }
-                        /* create the right magic header stuff */
-                        if (strlen(objstr) + 23 + 2 * enc->iv_len + 13 >
-                            sizeof buf) {
-                                PEMerror(ASN1_R_BUFFER_TOO_SMALL);
-                                goto err;
-                        }
-                        buf[0] = '\0';
-                        PEM_proc_type(buf, PEM_TYPE_ENCRYPTED);
-                        PEM_dek_info(buf, objstr, enc->iv_len, (char *)iv);
-                        /* use the normal code to write things out */
-                        i = PEM_write_bio(bp, PEM_STRING_RSA, buf, data, i);
-                        if (i <= 0)
-                                goto err;
-                } else {
-                        /* Add DSA/DH */
-#ifndef OPENSSL_NO_RSA
-                        /* normal optionally encrypted stuff */
-                        if (PEM_write_bio_RSAPrivateKey(bp,
-                            xi->x_pkey->dec_pkey->pkey.rsa,
-                            enc, kstr, klen, cb, u) <= 0)
-                                goto err;
-#endif
-                }
-        }
-        /* if we have a certificate then write it out now */
-        if ((xi->x509 != NULL) && (PEM_write_bio_X509(bp, xi->x509) <= 0))
-                goto err;
-        /* we are ignoring anything else that is loaded into the X509_INFO
-         * structure for the moment ... as I don't need it so I'm not
-         * coding it here and Eric can do it when this makes it into the
-         * base library --tjh
-         */
-        ret = 1;
-err:
-        explicit_bzero((char *)&ctx, sizeof(ctx));
-        explicit_bzero(buf, PEM_BUFSIZE);
-        return (ret);
-}
-LCRYPTO_ALIAS(PEM_X509_INFO_write_bio);
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index 30db092c3e..7c7f776cae 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_lib.c,v 1.56 2024/02/18 15:44:10 tb Exp $ */
+/* $OpenBSD: pem_lib.c,v 1.57 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -64,7 +64,6 @@
 #include <openssl/opensslconf.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
@@ -76,6 +75,7 @@
 #endif
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #define MIN_LENGTH      4
diff --git a/src/lib/libcrypto/pem/pem_oth.c b/src/lib/libcrypto/pem/pem_oth.c
index 2dca978efd..d466179ad7 100644
--- a/src/lib/libcrypto/pem/pem_oth.c
+++ b/src/lib/libcrypto/pem/pem_oth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_oth.c,v 1.9 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: pem_oth.c,v 1.10 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,12 +59,13 @@
 #include <stdio.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 /* Handle 'other' PEMs: not private keys */
 void *
diff --git a/src/lib/libcrypto/pem/pem_pk8.c b/src/lib/libcrypto/pem/pem_pk8.c
index 6d0c0cbd57..16bde39a7e 100644
--- a/src/lib/libcrypto/pem/pem_pk8.c
+++ b/src/lib/libcrypto/pem/pem_pk8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_pk8.c,v 1.14 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: pem_pk8.c,v 1.15 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,13 +60,13 @@
 #include <string.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid,
    const EVP_CIPHER *enc, char *kstr, int klen, pem_password_cb *cb, void *u);
 static int do_pk8pkey_fp(FILE *bp, EVP_PKEY *x, int isder, int nid,
diff --git a/src/lib/libcrypto/pem/pem_pkey.c b/src/lib/libcrypto/pem/pem_pkey.c
index d7001c83cc..df8ebaa036 100644
--- a/src/lib/libcrypto/pem/pem_pkey.c
+++ b/src/lib/libcrypto/pem/pem_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_pkey.c,v 1.28 2023/11/19 15:46:10 tb Exp $ */
+/* $OpenBSD: pem_pkey.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,7 +62,6 @@
 #include <openssl/opensslconf.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
@@ -70,6 +69,7 @@
 #include <openssl/x509.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 int pem_check_suffix(const char *pem_str, const char *suffix);
diff --git a/src/lib/libcrypto/pem/pem_sign.c b/src/lib/libcrypto/pem/pem_sign.c
index 461f957445..878be01b70 100644
--- a/src/lib/libcrypto/pem/pem_sign.c
+++ b/src/lib/libcrypto/pem/pem_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_sign.c,v 1.15 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: pem_sign.c,v 1.16 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -58,12 +58,13 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 int
 PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type)
 {
diff --git a/src/lib/libcrypto/pem/pvkfmt.c b/src/lib/libcrypto/pem/pvkfmt.c
index 40c9feefe5..395fd9df83 100644
--- a/src/lib/libcrypto/pem/pvkfmt.c
+++ b/src/lib/libcrypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.28 2024/02/18 15:45:42 tb Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.30 2025/06/07 09:32:35 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -66,7 +66,6 @@
 #include <openssl/opensslconf.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
@@ -75,6 +74,7 @@
 #include "bn_local.h"
 #include "dsa_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "rsa_local.h"
@@ -803,8 +803,8 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen,
 err:
        EVP_CIPHER_CTX_free(cctx);
-        if (enctmp && saltlen)
+        free(enctmp);
-                free(enctmp);
        return ret;
 }
diff --git a/src/lib/libcrypto/pkcs12/p12_add.c b/src/lib/libcrypto/pkcs12/p12_add.c
index f6f42c558c..e45218ba96 100644
--- a/src/lib/libcrypto/pkcs12/p12_add.c
+++ b/src/lib/libcrypto/pkcs12/p12_add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_add.c,v 1.25 2024/03/02 10:20:27 tb Exp $ */
+/* $OpenBSD: p12_add.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -58,9 +58,9 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
+#include "err_local.h"
 #include "pkcs12_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index 502ccecd25..321115cfcd 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_crt.c,v 1.26 2024/08/22 12:22:42 tb Exp $ */
+/* $OpenBSD: p12_crt.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -58,10 +58,10 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "pkcs12_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/pkcs12/p12_decr.c b/src/lib/libcrypto/pkcs12/p12_decr.c
index 907d4e52a6..8466e92415 100644
--- a/src/lib/libcrypto/pkcs12/p12_decr.c
+++ b/src/lib/libcrypto/pkcs12/p12_decr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_decr.c,v 1.26 2024/03/02 10:15:16 tb Exp $ */
+/* $OpenBSD: p12_decr.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -59,9 +59,9 @@
 #include <stdio.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
+#include "err_local.h"
 #include "evp_local.h"
 /* Encrypt/Decrypt a buffer based on password and algor, result in a
diff --git a/src/lib/libcrypto/pkcs12/p12_init.c b/src/lib/libcrypto/pkcs12/p12_init.c
index cd9422d215..ac0f1eeb57 100644
--- a/src/lib/libcrypto/pkcs12/p12_init.c
+++ b/src/lib/libcrypto/pkcs12/p12_init.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_init.c,v 1.17 2024/03/24 06:48:03 tb Exp $ */
+/* $OpenBSD: p12_init.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -58,9 +58,9 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
+#include "err_local.h"
 #include "pkcs12_local.h"
 /* Initialise a PKCS12 structure to take data */
diff --git a/src/lib/libcrypto/pkcs12/p12_key.c b/src/lib/libcrypto/pkcs12/p12_key.c
index 443d632c87..29a99bbca4 100644
--- a/src/lib/libcrypto/pkcs12/p12_key.c
+++ b/src/lib/libcrypto/pkcs12/p12_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_key.c,v 1.36 2025/03/09 15:45:52 tb Exp $ */
+/* $OpenBSD: p12_key.c,v 1.37 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -60,9 +60,9 @@
 #include <string.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "pkcs12_local.h"
diff --git a/src/lib/libcrypto/pkcs12/p12_kiss.c b/src/lib/libcrypto/pkcs12/p12_kiss.c
index e4de2eb61c..f6f09ff2de 100644
--- a/src/lib/libcrypto/pkcs12/p12_kiss.c
+++ b/src/lib/libcrypto/pkcs12/p12_kiss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_kiss.c,v 1.28 2025/01/06 23:35:25 tb Exp $ */
+/* $OpenBSD: p12_kiss.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -58,9 +58,9 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
+#include "err_local.h"
 #include "pkcs12_local.h"
 /* Simplified PKCS#12 routines */
diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index 2060358188..4a9d0f9757 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_mutl.c,v 1.38 2024/03/24 06:48:03 tb Exp $ */
+/* $OpenBSD: p12_mutl.c,v 1.40 2025/06/03 08:42:15 kenjiro Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -64,10 +64,10 @@
 #ifndef OPENSSL_NO_HMAC
-#include <openssl/err.h>
 #include <openssl/hmac.h>
 #include <openssl/pkcs12.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "hmac_local.h"
 #include "pkcs12_local.h"
@@ -189,10 +189,10 @@ PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen)
                PKCS12error(PKCS12_R_MAC_GENERATION_ERROR);
                return 0;
        }
-        if ((maclen != (unsigned int)p12->mac->dinfo->digest->length) ||
+        if (maclen != (unsigned int)p12->mac->dinfo->digest->length)
-            memcmp(mac, p12->mac->dinfo->digest->data, maclen))
                return 0;
-        return 1;
+        return timingsafe_memcmp(mac, p12->mac->dinfo->digest->data, maclen) == 0;
 }
 LCRYPTO_ALIAS(PKCS12_verify_mac);
diff --git a/src/lib/libcrypto/pkcs12/p12_npas.c b/src/lib/libcrypto/pkcs12/p12_npas.c
index 6d3b43ce22..c78deb9182 100644
--- a/src/lib/libcrypto/pkcs12/p12_npas.c
+++ b/src/lib/libcrypto/pkcs12/p12_npas.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_npas.c,v 1.27 2024/01/25 15:33:35 tb Exp $ */
+/* $OpenBSD: p12_npas.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -60,9 +60,9 @@
 #include <stdlib.h>
 #include <string.h>
 #include <openssl/pem.h>
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
+#include "err_local.h"
 #include "pkcs12_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/pkcs12/p12_p8e.c b/src/lib/libcrypto/pkcs12/p12_p8e.c
index bf61593266..a8a5039dfb 100644
--- a/src/lib/libcrypto/pkcs12/p12_p8e.c
+++ b/src/lib/libcrypto/pkcs12/p12_p8e.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_p8e.c,v 1.13 2024/03/02 10:15:16 tb Exp $ */
+/* $OpenBSD: p12_p8e.c,v 1.14 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -58,9 +58,9 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
+#include "err_local.h"
 #include "pkcs12_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/pkcs12/p12_sbag.c b/src/lib/libcrypto/pkcs12/p12_sbag.c
index 1664e9409d..5fea54073b 100644
--- a/src/lib/libcrypto/pkcs12/p12_sbag.c
+++ b/src/lib/libcrypto/pkcs12/p12_sbag.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_sbag.c,v 1.9 2024/03/24 06:48:03 tb Exp $ */
+/* $OpenBSD: p12_sbag.c,v 1.10 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
 * 1999-2018.
@@ -59,9 +59,9 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/pkcs12.h>
+#include "err_local.h"
 #include "pkcs12_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h
index 200712039b..aec0362806 100644
--- a/src/lib/libcrypto/pkcs12/pkcs12.h
+++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.h,v 1.29 2025/03/09 15:45:52 tb Exp $ */
+/* $OpenBSD: pkcs12.h,v 1.30 2025/05/10 19:01:16 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -77,7 +77,7 @@ extern "C" {
 #define PKCS12_MAC_KEY_LENGTH 20
-#define PKCS12_SALT_LEN 8
+#define PKCS12_SALT_LEN 16
 /* Uncomment out next line for unicode password and names, otherwise ASCII */
diff --git a/src/lib/libcrypto/pkcs7/pk7_asn1.c b/src/lib/libcrypto/pkcs7/pk7_asn1.c
index 8a6ae487da..be1c4c1a1d 100644
--- a/src/lib/libcrypto/pkcs7/pk7_asn1.c
+++ b/src/lib/libcrypto/pkcs7/pk7_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_asn1.c,v 1.18 2024/07/08 16:23:27 beck Exp $ */
+/* $OpenBSD: pk7_asn1.c,v 1.19 2025/06/11 18:11:55 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -84,7 +84,6 @@ static const ASN1_ADB_TABLE PKCS7_adbtbl[] = {
                        .field_name = "d.data",
                        .item = &ASN1_OCTET_STRING_NDEF_it,
                },
-        
        },
        {
                .value = NID_pkcs7_signed,
@@ -95,7 +94,6 @@ static const ASN1_ADB_TABLE PKCS7_adbtbl[] = {
                        .field_name = "d.sign",
                        .item = &PKCS7_SIGNED_it,
                },
-        
        },
        {
                .value = NID_pkcs7_enveloped,
@@ -106,7 +104,6 @@ static const ASN1_ADB_TABLE PKCS7_adbtbl[] = {
                        .field_name = "d.enveloped",
                        .item = &PKCS7_ENVELOPE_it,
                },
-        
        },
        {
                .value = NID_pkcs7_signedAndEnveloped,
@@ -117,7 +114,6 @@ static const ASN1_ADB_TABLE PKCS7_adbtbl[] = {
                        .field_name = "d.signed_and_enveloped",
                        .item = &PKCS7_SIGN_ENVELOPE_it,
                },
-        
        },
        {
                .value = NID_pkcs7_digest,
@@ -128,7 +124,6 @@ static const ASN1_ADB_TABLE PKCS7_adbtbl[] = {
                        .field_name = "d.digest",
                        .item = &PKCS7_DIGEST_it,
                },
-        
        },
        {
                .value = NID_pkcs7_encrypted,
@@ -139,7 +134,6 @@ static const ASN1_ADB_TABLE PKCS7_adbtbl[] = {
                        .field_name = "d.encrypted",
                        .item = &PKCS7_ENCRYPT_it,
                },
-        
        },
 };
diff --git a/src/lib/libcrypto/pkcs7/pk7_attr.c b/src/lib/libcrypto/pkcs7/pk7_attr.c
index 52463aa3a3..f2e17806db 100644
--- a/src/lib/libcrypto/pkcs7/pk7_attr.c
+++ b/src/lib/libcrypto/pkcs7/pk7_attr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_attr.c,v 1.15 2024/02/19 15:37:44 tb Exp $ */
+/* $OpenBSD: pk7_attr.c,v 1.22 2025/07/31 02:24:21 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -59,23 +59,48 @@
 #include <stdio.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
 #include <openssl/x509.h>
+#include "asn1_local.h"
+#include "err_local.h"
+#include "x509_local.h"
 int
 PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap)
 {
-        ASN1_STRING *seq;
+        ASN1_STRING *seq = NULL;
-        if (!(seq = ASN1_STRING_new())) {
+        unsigned char *data = NULL;
+        int len = 0;
+        int ret = 0;
+        if ((len = i2d_X509_ALGORS(cap, &data)) <= 0) {
+                len = 0;
+                goto err;
+        }
+        if ((seq = ASN1_STRING_new()) == NULL) {
                PKCS7error(ERR_R_MALLOC_FAILURE);
-                return 0;
+                goto err;
        }
-        seq->length = ASN1_item_i2d((ASN1_VALUE *)cap, &seq->data,
-            &X509_ALGORS_it);
+        ASN1_STRING_set0(seq, data, len);
-        return PKCS7_add_signed_attribute(si, NID_SMIMECapabilities,
+        data = NULL;
-            V_ASN1_SEQUENCE, seq);
+        len = 0;
+        if (!PKCS7_add_signed_attribute(si, NID_SMIMECapabilities,
+            V_ASN1_SEQUENCE, seq))
+                goto err;
+        seq = NULL;
+        ret = 1;
+ err:
+        ASN1_STRING_free(seq);
+        freezero(data, len);
+        return ret;
 }
 LCRYPTO_ALIAS(PKCS7_add_attrib_smimecap);
@@ -84,51 +109,60 @@ PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si)
 {
        ASN1_TYPE *cap;
        const unsigned char *p;
+        int len;
-        cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities);
+        if ((cap = PKCS7_get_signed_attribute(si, NID_SMIMECapabilities)) == NULL)
-        if (!cap || (cap->type != V_ASN1_SEQUENCE))
+                return NULL;
+        if (cap->type != V_ASN1_SEQUENCE)
                return NULL;
        p = cap->value.sequence->data;
-        return (STACK_OF(X509_ALGOR) *)
+        len = cap->value.sequence->length;
-        ASN1_item_d2i(NULL, &p, cap->value.sequence->length,
-            &X509_ALGORS_it);
+        return d2i_X509_ALGORS(NULL, &p, len);
 }
 LCRYPTO_ALIAS(PKCS7_get_smimecap);
-/* Basic smime-capabilities OID and optional integer arg */
+/*
+ * Add AlgorithmIdentifier OID of type |nid| to the SMIMECapability attribute
+ * set |sk| (see RFC 3851, section 2.5.2). If keysize > 0, the OID has an
+ * integer parameter of value |keysize|, otherwise parameters are omitted.
+ *
+ * See also CMS_add_simple_smimecap().
+ */
 int
-PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int arg)
+PKCS7_simple_smimecap(STACK_OF(X509_ALGOR) *sk, int nid, int keysize)
 {
-        X509_ALGOR *alg;
+        X509_ALGOR *alg = NULL;
+        ASN1_INTEGER *parameter = NULL;
+        int parameter_type = V_ASN1_UNDEF;
+        int ret = 0;
-        if (!(alg = X509_ALGOR_new())) {
+        if (keysize > 0) {
-                PKCS7error(ERR_R_MALLOC_FAILURE);
+                if ((parameter = ASN1_INTEGER_new()) == NULL)
-                return 0;
-        }
-        ASN1_OBJECT_free(alg->algorithm);
-        alg->algorithm = OBJ_nid2obj(nid);
-        if (arg > 0) {
-                ASN1_INTEGER *nbit;
-                if (!(alg->parameter = ASN1_TYPE_new()))
-                        goto err;
-                if (!(nbit = ASN1_INTEGER_new()))
                        goto err;
-                if (!ASN1_INTEGER_set(nbit, arg)) {
+                if (!ASN1_INTEGER_set(parameter, keysize))
-                        ASN1_INTEGER_free(nbit);
                        goto err;
-                }
+                parameter_type = V_ASN1_INTEGER;
-                alg->parameter->value.integer = nbit;
-                alg->parameter->type = V_ASN1_INTEGER;
        }
-        if (sk_X509_ALGOR_push(sk, alg) == 0)
+        if ((alg = X509_ALGOR_new()) == NULL)
                goto err;
-        return 1;
+        if (!X509_ALGOR_set0_by_nid(alg, nid, parameter_type, parameter))
+                goto err;
+        parameter = NULL;
+        if (sk_X509_ALGOR_push(sk, alg) <= 0)
+                goto err;
+        alg = NULL;
-err:
+        ret = 1;
-        PKCS7error(ERR_R_MALLOC_FAILURE);
+ err:
        X509_ALGOR_free(alg);
-        return 0;
+        ASN1_INTEGER_free(parameter);
+        return ret;
 }
 LCRYPTO_ALIAS(PKCS7_simple_smimecap);
@@ -147,30 +181,54 @@ LCRYPTO_ALIAS(PKCS7_add_attrib_content_type);
 int
 PKCS7_add0_attrib_signing_time(PKCS7_SIGNER_INFO *si, ASN1_TIME *t)
 {
-        if (!t && !(t = X509_gmtime_adj(NULL, 0))) {
+        ASN1_TIME *tm;
+        int ret = 0;
+        if ((tm = t) == NULL)
+                tm = X509_gmtime_adj(NULL, 0);
+        if (tm == NULL) {
                PKCS7error(ERR_R_MALLOC_FAILURE);
-                return 0;
+                goto err;
        }
-        return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime,
-            V_ASN1_UTCTIME, t);
+        /* RFC 5652, section 11.3 - UTCTime for the years 1950-2049. */
+        if (ASN1_time_parse(tm->data, tm->length, NULL, tm->type) == -1)
+                goto err;
+        if (!PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, tm->type, tm))
+                goto err;
+        tm = NULL;
+        ret = 1;
+ err:
+        if (tm != t)
+                ASN1_TIME_free(tm);
+        return ret;
 }
 LCRYPTO_ALIAS(PKCS7_add0_attrib_signing_time);
 int
 PKCS7_add1_attrib_digest(PKCS7_SIGNER_INFO *si, const unsigned char *md,
-    int mdlen)
+    int md_len)
 {
        ASN1_OCTET_STRING *os;
+        int ret = 0;
-        os = ASN1_OCTET_STRING_new();
+        if ((os = ASN1_OCTET_STRING_new()) == NULL)
-        if (!os)
+                goto err;
-                return 0;
+        if (!ASN1_STRING_set(os, md, md_len))
-        if (!ASN1_STRING_set(os, md, mdlen) ||
+                goto err;
-            !PKCS7_add_signed_attribute(si, NID_pkcs9_messageDigest,
+        if (!PKCS7_add_signed_attribute(si, NID_pkcs9_messageDigest,
-            V_ASN1_OCTET_STRING, os)) {
+            V_ASN1_OCTET_STRING, os))
-                ASN1_OCTET_STRING_free(os);
+                goto err;
-                return 0;
+        os = NULL;
-        }
-        return 1;
+        ret = 1;
+ err:
+        ASN1_OCTET_STRING_free(os);
+        return ret;
 }
 LCRYPTO_ALIAS(PKCS7_add1_attrib_digest);
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index 020de71fef..e39d960780 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_doit.c,v 1.59 2025/03/18 12:53:25 tb Exp $ */
+/* $OpenBSD: pk7_doit.c,v 1.61 2025/07/27 07:06:41 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,11 +60,11 @@
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
@@ -1208,43 +1208,51 @@ PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk)
 LCRYPTO_ALIAS(PKCS7_set_attributes);
 static int
-add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value)
+add_attribute(STACK_OF(X509_ATTRIBUTE) **in_sk, int nid, int atrtype, void *value)
 {
-        X509_ATTRIBUTE *attr = NULL;
+        STACK_OF(X509_ATTRIBUTE) *sk;
+        X509_ATTRIBUTE *old_attr = NULL, *new_attr = NULL;
+        int need_pop = 0;
+        int i;
-        if (*sk == NULL) {
+        if ((sk = *in_sk) == NULL)
-                *sk = sk_X509_ATTRIBUTE_new_null();
+                sk = sk_X509_ATTRIBUTE_new_null();
-                if (*sk == NULL)
+        if (sk == NULL)
-                        return 0;
+                goto err;
-new_attrib:
-                if (!(attr = X509_ATTRIBUTE_create(nid, atrtype, value)))
+        /* Replace an already existing attribute with the given nid. */
-                        return 0;
+        for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) {
-                if (!sk_X509_ATTRIBUTE_push(*sk, attr)) {
+                old_attr = sk_X509_ATTRIBUTE_value(sk, i);
-                        X509_ATTRIBUTE_free(attr);
+                if(OBJ_obj2nid(old_attr->object) == nid)
-                        return 0;
+                        break;
-                }
+        }
-        } else {
-                int i;
+        /* If there is none, make room for the new one, so _set() succeeds. */
+        if (i == sk_X509_ATTRIBUTE_num(sk)) {
-                for (i = 0; i < sk_X509_ATTRIBUTE_num(*sk); i++) {
+                old_attr = NULL;
-                        attr = sk_X509_ATTRIBUTE_value(*sk, i);
+                if (sk_X509_ATTRIBUTE_push(sk, NULL) <= 0)
-                        if (OBJ_obj2nid(attr->object) == nid) {
+                        goto err;
-                                X509_ATTRIBUTE_free(attr);
+                need_pop = 1;
-                                attr = X509_ATTRIBUTE_create(nid, atrtype,
-                                    value);
-                                if (attr == NULL)
-                                        return 0;
-                                if (!sk_X509_ATTRIBUTE_set(*sk, i, attr)) {
-                                        X509_ATTRIBUTE_free(attr);
-                                        return 0;
-                                }
-                                goto end;
-                        }
-                }
-                goto new_attrib;
        }
-end:
+        /* On success, new_attr owns value. */
+        if ((new_attr = X509_ATTRIBUTE_create(nid, atrtype, value)) == NULL)
+                goto err;
+        X509_ATTRIBUTE_free(old_attr);
+        (void)sk_X509_ATTRIBUTE_set(sk, i, new_attr);
+        *in_sk = sk;
        return 1;
+ err:
+        if (need_pop)
+                (void)sk_X509_ATTRIBUTE_pop(sk);
+        if (*in_sk != sk)
+                sk_X509_ATTRIBUTE_pop_free(sk, X509_ATTRIBUTE_free);
+        return 0;
 }
 int
diff --git a/src/lib/libcrypto/pkcs7/pk7_lib.c b/src/lib/libcrypto/pkcs7/pk7_lib.c
index a1c7d61cca..8712a2ecc1 100644
--- a/src/lib/libcrypto/pkcs7/pk7_lib.c
+++ b/src/lib/libcrypto/pkcs7/pk7_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_lib.c,v 1.30 2024/12/06 07:10:20 tb Exp $ */
+/* $OpenBSD: pk7_lib.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -58,11 +58,11 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/pkcs7/pk7_smime.c b/src/lib/libcrypto/pkcs7/pk7_smime.c
index cff89c34e1..9baff7f525 100644
--- a/src/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/src/lib/libcrypto/pkcs7/pk7_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_smime.c,v 1.27 2024/04/20 10:11:55 tb Exp $ */
+/* $OpenBSD: pk7_smime.c,v 1.29 2025/12/20 07:22:43 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -60,10 +60,10 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
@@ -277,14 +277,19 @@ PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, BIO *indata,
                return 0;
        }
-        /*
+        if ((flags & PKCS7_NO_DUAL_CONTENT) != 0) {
-         * Very old Netscape illegally included empty content with
+                /*
-         * a detached signature.  Very old users should upgrade.
+                 * This was originally "#if 0" because we thought that only old
-         */
+                 * broken Netscape did this.  It turns out that Authenticode
-        /* Check for data and content: two sets of data */
+                 * uses this kind of "extended" PKCS7 format, and things like
-        if (!PKCS7_get_detached(p7) && indata) {
+                 * UEFI secure boot and tools like osslsigncode need it.  In
-                PKCS7error(PKCS7_R_CONTENT_AND_DATA_PRESENT);
+                 * Authenticode the verification process is different, but the
-                return 0;
+                 * existing PKCS7 verification works.
+                 */
+                if (!PKCS7_get_detached(p7) && indata != NULL) {
+                        PKCS7error(PKCS7_R_CONTENT_AND_DATA_PRESENT);
+                        return 0;
+                }
        }
        sinfos = PKCS7_get_signer_info(p7);
diff --git a/src/lib/libcrypto/pkcs7/pkcs7.h b/src/lib/libcrypto/pkcs7/pkcs7.h
index 6fd5adf457..bac461d30d 100644
--- a/src/lib/libcrypto/pkcs7/pkcs7.h
+++ b/src/lib/libcrypto/pkcs7/pkcs7.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs7.h,v 1.22 2024/10/23 01:57:19 jsg Exp $ */
+/* $OpenBSD: pkcs7.h,v 1.25 2025/12/20 07:22:43 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -82,7 +82,7 @@ typedef struct pkcs7_issuer_and_serial_st {
 } PKCS7_ISSUER_AND_SERIAL;
 typedef struct pkcs7_signer_info_st {
-        ASN1_INTEGER                    *version;       /* version 1 */
+        ASN1_INTEGER                    *version;       /* version 1 */
        PKCS7_ISSUER_AND_SERIAL         *issuer_and_serial;
        X509_ALGOR                      *digest_alg;
        STACK_OF(X509_ATTRIBUTE)        *auth_attr;     /* [ 0 ] */
@@ -145,7 +145,7 @@ typedef struct pkcs7_signedandenveloped_st {
 typedef struct pkcs7_digest_st {
        ASN1_INTEGER                    *version;       /* version 0 */
        X509_ALGOR                      *md;            /* md used */
-        struct pkcs7_st                 *contents;
+        struct pkcs7_st                 *contents;
        ASN1_OCTET_STRING               *digest;
 } PKCS7_DIGEST;
@@ -241,6 +241,7 @@ DECLARE_PKCS12_STACK_OF(PKCS7)
 #define PKCS7_NOCRL             0x2000
 #define PKCS7_PARTIAL           0x4000
 #define PKCS7_REUSE_DIGEST      0x8000
+#define PKCS7_NO_DUAL_CONTENT   0x10000
 /* Flags: for compatibility with older code */
@@ -362,7 +363,7 @@ PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx);
 ASN1_OCTET_STRING *PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk);
 int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int type,
    void *data);
-int PKCS7_add_attribute (PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
+int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype,
    void *value);
 ASN1_TYPE *PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid);
 ASN1_TYPE *PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid);
diff --git a/src/lib/libcrypto/rc2/rc2_cbc.c b/src/lib/libcrypto/rc2/rc2.c
index 1d8e2def99..c122d4b810 100644
--- a/src/lib/libcrypto/rc2/rc2_cbc.c
+++ b/src/lib/libcrypto/rc2/rc2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rc2_cbc.c,v 1.8 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: rc2.c,v 1.1 2025/05/25 05:29:54 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -57,86 +57,89 @@
 */
 #include <openssl/rc2.h>
 #include "rc2_local.h"
+static const unsigned char key_table[256]={
+        0xd9,0x78,0xf9,0xc4,0x19,0xdd,0xb5,0xed,0x28,0xe9,0xfd,0x79,
+        0x4a,0xa0,0xd8,0x9d,0xc6,0x7e,0x37,0x83,0x2b,0x76,0x53,0x8e,
+        0x62,0x4c,0x64,0x88,0x44,0x8b,0xfb,0xa2,0x17,0x9a,0x59,0xf5,
+        0x87,0xb3,0x4f,0x13,0x61,0x45,0x6d,0x8d,0x09,0x81,0x7d,0x32,
+        0xbd,0x8f,0x40,0xeb,0x86,0xb7,0x7b,0x0b,0xf0,0x95,0x21,0x22,
+        0x5c,0x6b,0x4e,0x82,0x54,0xd6,0x65,0x93,0xce,0x60,0xb2,0x1c,
+        0x73,0x56,0xc0,0x14,0xa7,0x8c,0xf1,0xdc,0x12,0x75,0xca,0x1f,
+        0x3b,0xbe,0xe4,0xd1,0x42,0x3d,0xd4,0x30,0xa3,0x3c,0xb6,0x26,
+        0x6f,0xbf,0x0e,0xda,0x46,0x69,0x07,0x57,0x27,0xf2,0x1d,0x9b,
+        0xbc,0x94,0x43,0x03,0xf8,0x11,0xc7,0xf6,0x90,0xef,0x3e,0xe7,
+        0x06,0xc3,0xd5,0x2f,0xc8,0x66,0x1e,0xd7,0x08,0xe8,0xea,0xde,
+        0x80,0x52,0xee,0xf7,0x84,0xaa,0x72,0xac,0x35,0x4d,0x6a,0x2a,
+        0x96,0x1a,0xd2,0x71,0x5a,0x15,0x49,0x74,0x4b,0x9f,0xd0,0x5e,
+        0x04,0x18,0xa4,0xec,0xc2,0xe0,0x41,0x6e,0x0f,0x51,0xcb,0xcc,
+        0x24,0x91,0xaf,0x50,0xa1,0xf4,0x70,0x39,0x99,0x7c,0x3a,0x85,
+        0x23,0xb8,0xb4,0x7a,0xfc,0x02,0x36,0x5b,0x25,0x55,0x97,0x31,
+        0x2d,0x5d,0xfa,0x98,0xe3,0x8a,0x92,0xae,0x05,0xdf,0x29,0x10,
+        0x67,0x6c,0xba,0xc9,0xd3,0x00,0xe6,0xcf,0xe1,0x9e,0xa8,0x2c,
+        0x63,0x16,0x01,0x3f,0x58,0xe2,0x89,0xa9,0x0d,0x38,0x34,0x1b,
+        0xab,0x33,0xff,0xb0,0xbb,0x48,0x0c,0x5f,0xb9,0xb1,0xcd,0x2e,
+        0xc5,0xf3,0xdb,0x47,0xe5,0xa5,0x9c,0x77,0x0a,0xa6,0x20,0x68,
+        0xfe,0x7f,0xc1,0xad,
+        };
+/* It has come to my attention that there are 2 versions of the RC2
+ * key schedule.  One which is normal, and anther which has a hook to
+ * use a reduced key length.
+ * BSAFE uses the 'retarded' version.  What I previously shipped is
+ * the same as specifying 1024 for the 'bits' parameter.  Bsafe uses
+ * a version where the bits parameter is the same as len*8 */
 void
-RC2_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
-    RC2_KEY *ks, unsigned char *iv, int encrypt)
 {
-        unsigned long tin0, tin1;
+        int i, j;
-        unsigned long tout0, tout1, xor0, xor1;
+        unsigned char *k;
-        long l = length;
+        RC2_INT *ki;
-        unsigned long tin[2];
+        unsigned int c, d;
-        if (encrypt) {
+        k = (unsigned char *)&(key->data[0]);
-                c2l(iv, tout0);
+        *k = 0; /* for if there is a zero length key */
-                c2l(iv, tout1);
-                iv -= 8;
+        if (len > 128)
-                for (l -= 8; l >= 0; l -= 8)
+                len = 128;
-                {
+        if (bits <= 0)
-                        c2l(in, tin0);
+                bits = 1024;
-                        c2l(in, tin1);
+        if (bits > 1024)
-                        tin0 ^= tout0;
+                bits = 1024;
-                        tin1 ^= tout1;
-                        tin[0] = tin0;
+        for (i = 0; i < len; i++)
-                        tin[1] = tin1;
+                k[i] = data[i];
-                        RC2_encrypt(tin, ks);
-                        tout0 = tin[0];
+        /* expand table */
-                        l2c(tout0, out);
+        d = k[len - 1];
-                        tout1 = tin[1];
+        j = 0;
-                        l2c(tout1, out);
+        for (i = len; i < 128; i++, j++)
-                }
+        {
-                if (l != -8) {
+                d = key_table[(k[j] + d) & 0xff];
-                        c2ln(in, tin0, tin1, l + 8);
+                k[i] = d;
-                        tin0 ^= tout0;
-                        tin1 ^= tout1;
-                        tin[0] = tin0;
-                        tin[1] = tin1;
-                        RC2_encrypt(tin, ks);
-                        tout0 = tin[0];
-                        l2c(tout0, out);
-                        tout1 = tin[1];
-                        l2c(tout1, out);
-                }
-                l2c(tout0, iv);
-                l2c(tout1, iv);
-        } else {
-                c2l(iv, xor0);
-                c2l(iv, xor1);
-                iv -= 8;
-                for (l -= 8; l >= 0; l -= 8)
-                {
-                        c2l(in, tin0);
-                        tin[0] = tin0;
-                        c2l(in, tin1);
-                        tin[1] = tin1;
-                        RC2_decrypt(tin, ks);
-                        tout0 = tin[0] ^ xor0;
-                        tout1 = tin[1] ^ xor1;
-                        l2c(tout0, out);
-                        l2c(tout1, out);
-                        xor0 = tin0;
-                        xor1 = tin1;
-                }
-                if (l != -8) {
-                        c2l(in, tin0);
-                        tin[0] = tin0;
-                        c2l(in, tin1);
-                        tin[1] = tin1;
-                        RC2_decrypt(tin, ks);
-                        tout0 = tin[0] ^ xor0;
-                        tout1 = tin[1] ^ xor1;
-                        l2cn(tout0, tout1, out, l + 8);
-                        xor0 = tin0;
-                        xor1 = tin1;
-                }
-                l2c(xor0, iv);
-                l2c(xor1, iv);
        }
-        tin0 = tin1 = tout0 = tout1 = xor0 = xor1 = 0;
-        tin[0] = tin[1] = 0;
+        /* hmm.... key reduction to 'bits' bits */
+        j = (bits + 7) >> 3;
+        i = 128 - j;
+        c = (0xff >> (-bits & 0x07));
+        d = key_table[k[i] & c];
+        k[i] = d;
+        while (i--) {
+                d = key_table[k[i + j] ^ d];
+                k[i] = d;
+        }
+        /* copy from bytes into RC2_INT's */
+        ki = &(key->data[63]);
+        for (i = 127; i >= 0; i -= 2)
+                *(ki--) = ((k[i] << 8)|k[i - 1]) & 0xffff;
 }
-LCRYPTO_ALIAS(RC2_cbc_encrypt);
+LCRYPTO_ALIAS(RC2_set_key);
 void
 RC2_encrypt(unsigned long *d, RC2_KEY *key)
@@ -234,3 +237,225 @@ RC2_decrypt(unsigned long *d, RC2_KEY *key)
            16L);
 }
 LCRYPTO_ALIAS(RC2_decrypt);
+void
+RC2_cbc_encrypt(const unsigned char *in, unsigned char *out, long length,
+    RC2_KEY *ks, unsigned char *iv, int encrypt)
+{
+        unsigned long tin0, tin1;
+        unsigned long tout0, tout1, xor0, xor1;
+        long l = length;
+        unsigned long tin[2];
+        if (encrypt) {
+                c2l(iv, tout0);
+                c2l(iv, tout1);
+                iv -= 8;
+                for (l -= 8; l >= 0; l -= 8)
+                {
+                        c2l(in, tin0);
+                        c2l(in, tin1);
+                        tin0 ^= tout0;
+                        tin1 ^= tout1;
+                        tin[0] = tin0;
+                        tin[1] = tin1;
+                        RC2_encrypt(tin, ks);
+                        tout0 = tin[0];
+                        l2c(tout0, out);
+                        tout1 = tin[1];
+                        l2c(tout1, out);
+                }
+                if (l != -8) {
+                        c2ln(in, tin0, tin1, l + 8);
+                        tin0 ^= tout0;
+                        tin1 ^= tout1;
+                        tin[0] = tin0;
+                        tin[1] = tin1;
+                        RC2_encrypt(tin, ks);
+                        tout0 = tin[0];
+                        l2c(tout0, out);
+                        tout1 = tin[1];
+                        l2c(tout1, out);
+                }
+                l2c(tout0, iv);
+                l2c(tout1, iv);
+        } else {
+                c2l(iv, xor0);
+                c2l(iv, xor1);
+                iv -= 8;
+                for (l -= 8; l >= 0; l -= 8)
+                {
+                        c2l(in, tin0);
+                        tin[0] = tin0;
+                        c2l(in, tin1);
+                        tin[1] = tin1;
+                        RC2_decrypt(tin, ks);
+                        tout0 = tin[0] ^ xor0;
+                        tout1 = tin[1] ^ xor1;
+                        l2c(tout0, out);
+                        l2c(tout1, out);
+                        xor0 = tin0;
+                        xor1 = tin1;
+                }
+                if (l != -8) {
+                        c2l(in, tin0);
+                        tin[0] = tin0;
+                        c2l(in, tin1);
+                        tin[1] = tin1;
+                        RC2_decrypt(tin, ks);
+                        tout0 = tin[0] ^ xor0;
+                        tout1 = tin[1] ^ xor1;
+                        l2cn(tout0, tout1, out, l + 8);
+                        xor0 = tin0;
+                        xor1 = tin1;
+                }
+                l2c(xor0, iv);
+                l2c(xor1, iv);
+        }
+        tin0 = tin1 = tout0 = tout1 = xor0 = xor1 = 0;
+        tin[0] = tin[1] = 0;
+}
+LCRYPTO_ALIAS(RC2_cbc_encrypt);
+/* The input and output encrypted as though 64bit cfb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+void
+RC2_cfb64_encrypt(const unsigned char *in, unsigned char *out,
+    long length, RC2_KEY *schedule, unsigned char *ivec,
+    int *num, int encrypt)
+{
+        unsigned long v0, v1, t;
+        int n = *num;
+        long l = length;
+        unsigned long ti[2];
+        unsigned char *iv, c, cc;
+        iv = (unsigned char *)ivec;
+        if (encrypt) {
+                while (l--) {
+                        if (n == 0) {
+                                c2l(iv, v0);
+                                ti[0] = v0;
+                                c2l(iv, v1);
+                                ti[1] = v1;
+                                RC2_encrypt((unsigned long *)ti, schedule);
+                                iv = (unsigned char *)ivec;
+                                t = ti[0];
+                                l2c(t, iv);
+                                t = ti[1];
+                                l2c(t, iv);
+                                iv = (unsigned char *)ivec;
+                        }
+                        c = *(in++) ^ iv[n];
+                        *(out++) = c;
+                        iv[n] = c;
+                        n = (n + 1) & 0x07;
+                }
+        } else {
+                while (l--) {
+                        if (n == 0) {
+                                c2l(iv, v0);
+                                ti[0] = v0;
+                                c2l(iv, v1);
+                                ti[1] = v1;
+                                RC2_encrypt((unsigned long *)ti, schedule);
+                                iv = (unsigned char *)ivec;
+                                t = ti[0];
+                                l2c(t, iv);
+                                t = ti[1];
+                                l2c(t, iv);
+                                iv = (unsigned char *)ivec;
+                        }
+                        cc = *(in++);
+                        c = iv[n];
+                        iv[n] = cc;
+                        *(out++) = c ^ cc;
+                        n = (n + 1) & 0x07;
+                }
+        }
+        v0 = v1 = ti[0] = ti[1] = t = c = cc = 0;
+        *num = n;
+}
+LCRYPTO_ALIAS(RC2_cfb64_encrypt);
+/* RC2 as implemented frm a posting from
+ * Newsgroups: sci.crypt
+ * Sender: pgut01@cs.auckland.ac.nz (Peter Gutmann)
+ * Subject: Specification for Ron Rivests Cipher No.2
+ * Message-ID: <4fk39f$f70@net.auckland.ac.nz>
+ * Date: 11 Feb 1996 06:45:03 GMT
+ */
+void
+RC2_ecb_encrypt(const unsigned char *in, unsigned char *out, RC2_KEY *ks,
+    int encrypt)
+{
+        unsigned long l, d[2];
+        c2l(in, l);
+        d[0] = l;
+        c2l(in, l);
+        d[1] = l;
+        if (encrypt)
+                RC2_encrypt(d, ks);
+        else
+                RC2_decrypt(d, ks);
+        l = d[0];
+        l2c(l, out);
+        l = d[1];
+        l2c(l, out);
+        l = d[0] = d[1] = 0;
+}
+LCRYPTO_ALIAS(RC2_ecb_encrypt);
+/* The input and output encrypted as though 64bit ofb mode is being
+ * used.  The extra state information to record how much of the
+ * 64bit block we have used is contained in *num;
+ */
+void
+RC2_ofb64_encrypt(const unsigned char *in, unsigned char *out,
+    long length, RC2_KEY *schedule, unsigned char *ivec,
+    int *num)
+{
+        unsigned long v0, v1, t;
+        int n = *num;
+        long l = length;
+        unsigned char d[8];
+        char *dp;
+        unsigned long ti[2];
+        unsigned char *iv;
+        int save = 0;
+        iv = (unsigned char *)ivec;
+        c2l(iv, v0);
+        c2l(iv, v1);
+        ti[0] = v0;
+        ti[1] = v1;
+        dp = (char *)d;
+        l2c(v0, dp);
+        l2c(v1, dp);
+        while (l--) {
+                if (n == 0) {
+                        RC2_encrypt((unsigned long *)ti, schedule);
+                        dp = (char *)d;
+                        t = ti[0];
+                        l2c(t, dp);
+                        t = ti[1];
+                        l2c(t, dp);
+                        save++;
+                }
+                *(out++) = *(in++) ^ d[n];
+                n = (n + 1) & 0x07;
+        }
+        if (save) {
+                v0 = ti[0];
+                v1 = ti[1];
+                iv = (unsigned char *)ivec;
+                l2c(v0, iv);
+                l2c(v1, iv);
+        }
+        t = v0 = v1 = ti[0] = ti[1] = 0;
+        *num = n;
+}
+LCRYPTO_ALIAS(RC2_ofb64_encrypt);
diff --git a/src/lib/libcrypto/rc2/rc2.h b/src/lib/libcrypto/rc2/rc2.h
index 96e395f32d..ead308cf51 100644
--- a/src/lib/libcrypto/rc2/rc2.h
+++ b/src/lib/libcrypto/rc2/rc2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: rc2.h,v 1.13 2025/01/25 17:59:44 tb Exp $ */
+/* $OpenBSD: rc2.h,v 1.14 2025/06/09 14:37:49 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,7 +59,12 @@
 #ifndef HEADER_RC2_H
 #define HEADER_RC2_H
-#include <openssl/opensslconf.h> /* OPENSSL_NO_RC2, RC2_INT */
+#include <openssl/opensslconf.h> /* OPENSSL_NO_RC2 */
+#ifndef RC2_INT
+/* XXX - typedef */
+#define RC2_INT unsigned int
+#endif
 #define RC2_ENCRYPT     1
 #define RC2_DECRYPT     0
diff --git a/src/lib/libcrypto/rc2/rc2_ecb.c b/src/lib/libcrypto/rc2/rc2_ecb.c
deleted file mode 100644
index 6a3c8098eb..0000000000
--- a/src/lib/libcrypto/rc2/rc2_ecb.c
+++ /dev/null
@@ -1,91 +0,0 @@
-/* $OpenBSD: rc2_ecb.c,v 1.9 2023/07/07 13:40:44 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <openssl/rc2.h>
-#include "rc2_local.h"
-#include <openssl/opensslv.h>
-/* RC2 as implemented frm a posting from
- * Newsgroups: sci.crypt
- * Sender: pgut01@cs.auckland.ac.nz (Peter Gutmann)
- * Subject: Specification for Ron Rivests Cipher No.2
- * Message-ID: <4fk39f$f70@net.auckland.ac.nz>
- * Date: 11 Feb 1996 06:45:03 GMT
- */
-void
-RC2_ecb_encrypt(const unsigned char *in, unsigned char *out, RC2_KEY *ks,
-    int encrypt)
-{
-        unsigned long l, d[2];
-        c2l(in, l);
-        d[0] = l;
-        c2l(in, l);
-        d[1] = l;
-        if (encrypt)
-                RC2_encrypt(d, ks);
-        else
-                RC2_decrypt(d, ks);
-        l = d[0];
-        l2c(l, out);
-        l = d[1];
-        l2c(l, out);
-        l = d[0] = d[1] = 0;
-}
-LCRYPTO_ALIAS(RC2_ecb_encrypt);
diff --git a/src/lib/libcrypto/rc2/rc2_local.h b/src/lib/libcrypto/rc2/rc2_local.h
index dd5598760e..885b17aa5e 100644
--- a/src/lib/libcrypto/rc2/rc2_local.h
+++ b/src/lib/libcrypto/rc2/rc2_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: rc2_local.h,v 1.3 2024/03/29 05:03:48 jsing Exp $ */
+/* $OpenBSD: rc2_local.h,v 1.4 2025/11/26 10:19:57 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -56,6 +56,9 @@
 * [including the GNU Public Licence.]
 */
+#ifndef HEADER_RC2_LOCAL_H
+#define HEADER_RC2_LOCAL_H
 #undef c2l
 #define c2l(c,l)        (l =((unsigned long)(*((c)++)))    ,            \
                         l|=((unsigned long)(*((c)++)))<< 8L,           \
@@ -110,3 +113,5 @@
        x2=(t<<3)|(t>>13);                                              \
        t=(x3+(x0& ~x2)+(x1&x2)+ *(p0++))&0xffff;                       \
        x3=(t<<5)|(t>>11);
+#endif /* HEADER_RC2_LOCAL_H */
diff --git a/src/lib/libcrypto/rc2/rc2_skey.c b/src/lib/libcrypto/rc2/rc2_skey.c
deleted file mode 100644
index d33c02da8c..0000000000
--- a/src/lib/libcrypto/rc2/rc2_skey.c
+++ /dev/null
@@ -1,142 +0,0 @@
-/* $OpenBSD: rc2_skey.c,v 1.15 2023/07/07 13:40:44 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <openssl/crypto.h>
-#include <openssl/rc2.h>
-#include "rc2_local.h"
-static const unsigned char key_table[256]={
-        0xd9,0x78,0xf9,0xc4,0x19,0xdd,0xb5,0xed,0x28,0xe9,0xfd,0x79,
-        0x4a,0xa0,0xd8,0x9d,0xc6,0x7e,0x37,0x83,0x2b,0x76,0x53,0x8e,
-        0x62,0x4c,0x64,0x88,0x44,0x8b,0xfb,0xa2,0x17,0x9a,0x59,0xf5,
-        0x87,0xb3,0x4f,0x13,0x61,0x45,0x6d,0x8d,0x09,0x81,0x7d,0x32,
-        0xbd,0x8f,0x40,0xeb,0x86,0xb7,0x7b,0x0b,0xf0,0x95,0x21,0x22,
-        0x5c,0x6b,0x4e,0x82,0x54,0xd6,0x65,0x93,0xce,0x60,0xb2,0x1c,
-        0x73,0x56,0xc0,0x14,0xa7,0x8c,0xf1,0xdc,0x12,0x75,0xca,0x1f,
-        0x3b,0xbe,0xe4,0xd1,0x42,0x3d,0xd4,0x30,0xa3,0x3c,0xb6,0x26,
-        0x6f,0xbf,0x0e,0xda,0x46,0x69,0x07,0x57,0x27,0xf2,0x1d,0x9b,
-        0xbc,0x94,0x43,0x03,0xf8,0x11,0xc7,0xf6,0x90,0xef,0x3e,0xe7,
-        0x06,0xc3,0xd5,0x2f,0xc8,0x66,0x1e,0xd7,0x08,0xe8,0xea,0xde,
-        0x80,0x52,0xee,0xf7,0x84,0xaa,0x72,0xac,0x35,0x4d,0x6a,0x2a,
-        0x96,0x1a,0xd2,0x71,0x5a,0x15,0x49,0x74,0x4b,0x9f,0xd0,0x5e,
-        0x04,0x18,0xa4,0xec,0xc2,0xe0,0x41,0x6e,0x0f,0x51,0xcb,0xcc,
-        0x24,0x91,0xaf,0x50,0xa1,0xf4,0x70,0x39,0x99,0x7c,0x3a,0x85,
-        0x23,0xb8,0xb4,0x7a,0xfc,0x02,0x36,0x5b,0x25,0x55,0x97,0x31,
-        0x2d,0x5d,0xfa,0x98,0xe3,0x8a,0x92,0xae,0x05,0xdf,0x29,0x10,
-        0x67,0x6c,0xba,0xc9,0xd3,0x00,0xe6,0xcf,0xe1,0x9e,0xa8,0x2c,
-        0x63,0x16,0x01,0x3f,0x58,0xe2,0x89,0xa9,0x0d,0x38,0x34,0x1b,
-        0xab,0x33,0xff,0xb0,0xbb,0x48,0x0c,0x5f,0xb9,0xb1,0xcd,0x2e,
-        0xc5,0xf3,0xdb,0x47,0xe5,0xa5,0x9c,0x77,0x0a,0xa6,0x20,0x68,
-        0xfe,0x7f,0xc1,0xad,
-        };
-/* It has come to my attention that there are 2 versions of the RC2
- * key schedule.  One which is normal, and anther which has a hook to
- * use a reduced key length.
- * BSAFE uses the 'retarded' version.  What I previously shipped is
- * the same as specifying 1024 for the 'bits' parameter.  Bsafe uses
- * a version where the bits parameter is the same as len*8 */
-void
-RC2_set_key(RC2_KEY *key, int len, const unsigned char *data, int bits)
-{
-        int i, j;
-        unsigned char *k;
-        RC2_INT *ki;
-        unsigned int c, d;
-        k = (unsigned char *)&(key->data[0]);
-        *k = 0; /* for if there is a zero length key */
-        if (len > 128)
-                len = 128;
-        if (bits <= 0)
-                bits = 1024;
-        if (bits > 1024)
-                bits = 1024;
-        for (i = 0; i < len; i++)
-                k[i] = data[i];
-        /* expand table */
-        d = k[len - 1];
-        j = 0;
-        for (i = len; i < 128; i++, j++)
-        {
-                d = key_table[(k[j] + d) & 0xff];
-                k[i] = d;
-        }
-        /* hmm.... key reduction to 'bits' bits */
-        j = (bits + 7) >> 3;
-        i = 128 - j;
-        c = (0xff >> (-bits & 0x07));
-        d = key_table[k[i] & c];
-        k[i] = d;
-        while (i--) {
-                d = key_table[k[i + j] ^ d];
-                k[i] = d;
-        }
-        /* copy from bytes into RC2_INT's */
-        ki = &(key->data[63]);
-        for (i = 127; i >= 0; i -= 2)
-                *(ki--) = ((k[i] << 8)|k[i - 1]) & 0xffff;
-}
-LCRYPTO_ALIAS(RC2_set_key);
diff --git a/src/lib/libcrypto/rc2/rc2cfb64.c b/src/lib/libcrypto/rc2/rc2cfb64.c
deleted file mode 100644
index 21266c430b..0000000000
--- a/src/lib/libcrypto/rc2/rc2cfb64.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* $OpenBSD: rc2cfb64.c,v 1.8 2023/07/07 13:40:44 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <openssl/rc2.h>
-#include "rc2_local.h"
-/* The input and output encrypted as though 64bit cfb mode is being
- * used.  The extra state information to record how much of the
- * 64bit block we have used is contained in *num;
- */
-void
-RC2_cfb64_encrypt(const unsigned char *in, unsigned char *out,
-    long length, RC2_KEY *schedule, unsigned char *ivec,
-    int *num, int encrypt)
-{
-        unsigned long v0, v1, t;
-        int n = *num;
-        long l = length;
-        unsigned long ti[2];
-        unsigned char *iv, c, cc;
-        iv = (unsigned char *)ivec;
-        if (encrypt) {
-                while (l--) {
-                        if (n == 0) {
-                                c2l(iv, v0);
-                                ti[0] = v0;
-                                c2l(iv, v1);
-                                ti[1] = v1;
-                                RC2_encrypt((unsigned long *)ti, schedule);
-                                iv = (unsigned char *)ivec;
-                                t = ti[0];
-                                l2c(t, iv);
-                                t = ti[1];
-                                l2c(t, iv);
-                                iv = (unsigned char *)ivec;
-                        }
-                        c = *(in++) ^ iv[n];
-                        *(out++) = c;
-                        iv[n] = c;
-                        n = (n + 1) & 0x07;
-                }
-        } else {
-                while (l--) {
-                        if (n == 0) {
-                                c2l(iv, v0);
-                                ti[0] = v0;
-                                c2l(iv, v1);
-                                ti[1] = v1;
-                                RC2_encrypt((unsigned long *)ti, schedule);
-                                iv = (unsigned char *)ivec;
-                                t = ti[0];
-                                l2c(t, iv);
-                                t = ti[1];
-                                l2c(t, iv);
-                                iv = (unsigned char *)ivec;
-                        }
-                        cc = *(in++);
-                        c = iv[n];
-                        iv[n] = cc;
-                        *(out++) = c ^ cc;
-                        n = (n + 1) & 0x07;
-                }
-        }
-        v0 = v1 = ti[0] = ti[1] = t = c = cc = 0;
-        *num = n;
-}
-LCRYPTO_ALIAS(RC2_cfb64_encrypt);
diff --git a/src/lib/libcrypto/rc2/rc2ofb64.c b/src/lib/libcrypto/rc2/rc2ofb64.c
deleted file mode 100644
index 73d8323e92..0000000000
--- a/src/lib/libcrypto/rc2/rc2ofb64.c
+++ /dev/null
@@ -1,111 +0,0 @@
-/* $OpenBSD: rc2ofb64.c,v 1.8 2023/07/07 13:40:44 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <openssl/rc2.h>
-#include "rc2_local.h"
-/* The input and output encrypted as though 64bit ofb mode is being
- * used.  The extra state information to record how much of the
- * 64bit block we have used is contained in *num;
- */
-void
-RC2_ofb64_encrypt(const unsigned char *in, unsigned char *out,
-    long length, RC2_KEY *schedule, unsigned char *ivec,
-    int *num)
-{
-        unsigned long v0, v1, t;
-        int n = *num;
-        long l = length;
-        unsigned char d[8];
-        char *dp;
-        unsigned long ti[2];
-        unsigned char *iv;
-        int save = 0;
-        iv = (unsigned char *)ivec;
-        c2l(iv, v0);
-        c2l(iv, v1);
-        ti[0] = v0;
-        ti[1] = v1;
-        dp = (char *)d;
-        l2c(v0, dp);
-        l2c(v1, dp);
-        while (l--) {
-                if (n == 0) {
-                        RC2_encrypt((unsigned long *)ti, schedule);
-                        dp = (char *)d;
-                        t = ti[0];
-                        l2c(t, dp);
-                        t = ti[1];
-                        l2c(t, dp);
-                        save++;
-                }
-                *(out++) = *(in++) ^ d[n];
-                n = (n + 1) & 0x07;
-        }
-        if (save) {
-                v0 = ti[0];
-                v1 = ti[1];
-                iv = (unsigned char *)ivec;
-                l2c(v0, iv);
-                l2c(v1, iv);
-        }
-        t = v0 = v1 = ti[0] = ti[1] = 0;
-        *num = n;
-}
-LCRYPTO_ALIAS(RC2_ofb64_encrypt);
diff --git a/src/lib/libcrypto/rc2/rrc2.doc b/src/lib/libcrypto/rc2/rrc2.doc
deleted file mode 100644
index f93ee003d2..0000000000
--- a/src/lib/libcrypto/rc2/rrc2.doc
+++ /dev/null
@@ -1,219 +0,0 @@
->From cygnus.mincom.oz.au!minbne.mincom.oz.au!bunyip.cc.uq.oz.au!munnari.OZ.AU!comp.vuw.ac.nz!waikato!auckland.ac.nz!news Mon Feb 12 18:48:17 EST 1996
-Article 23601 of sci.crypt:
-Path: cygnus.mincom.oz.au!minbne.mincom.oz.au!bunyip.cc.uq.oz.au!munnari.OZ.AU!comp.vuw.ac.nz!waikato!auckland.ac.nz!news
->From: pgut01@cs.auckland.ac.nz (Peter Gutmann)
-Newsgroups: sci.crypt
-Subject: Specification for Ron Rivests Cipher No.2
-Date: 11 Feb 1996 06:45:03 GMT
-Organization: University of Auckland
-Lines: 203
-Sender: pgut01@cs.auckland.ac.nz (Peter Gutmann)
-Message-ID: <4fk39f$f70@net.auckland.ac.nz>
-NNTP-Posting-Host: cs26.cs.auckland.ac.nz
-X-Newsreader: NN version 6.5.0 #3 (NOV)
-                           Ron Rivest's Cipher No.2
-                           ------------------------
- 
-Ron Rivest's Cipher No.2 (hereafter referred to as RRC.2, other people may
-refer to it by other names) is word oriented, operating on a block of 64 bits
-divided into four 16-bit words, with a key table of 64 words.  All data units
-are little-endian.  This functional description of the algorithm is based in
-the paper "The RC5 Encryption Algorithm" (RC5 is a trademark of RSADSI), using
-the same general layout, terminology, and pseudocode style.
- 
- 
-Notation and RRC.2 Primitive Operations
- 
-RRC.2 uses the following primitive operations:
- 
-1. Two's-complement addition of words, denoted by "+".  The inverse operation,
-   subtraction, is denoted by "-".
-2. Bitwise exclusive OR, denoted by "^".
-3. Bitwise AND, denoted by "&".
-4. Bitwise NOT, denoted by "~".
-5. A left-rotation of words; the rotation of word x left by y is denoted
-   x <<< y.  The inverse operation, right-rotation, is denoted x >>> y.
- 
-These operations are directly and efficiently supported by most processors.
- 
- 
-The RRC.2 Algorithm
- 
-RRC.2 consists of three components, a *key expansion* algorithm, an
-*encryption* algorithm, and a *decryption* algorithm.
- 
- 
-Key Expansion
- 
-The purpose of the key-expansion routine is to expand the user's key K to fill
-the expanded key array S, so S resembles an array of random binary words
-determined by the user's secret key K.
- 
-Initialising the S-box
- 
-RRC.2 uses a single 256-byte S-box derived from the ciphertext contents of
-Beale Cipher No.1 XOR'd with a one-time pad.  The Beale Ciphers predate modern
-cryptography by enough time that there should be no concerns about trapdoors
-hidden in the data.  They have been published widely, and the S-box can be
-easily recreated from the one-time pad values and the Beale Cipher data taken
-from a standard source.  To initialise the S-box:
- 
-  for i = 0 to 255 do
-    sBox[ i ] = ( beale[ i ] mod 256 ) ^ pad[ i ]
- 
-The contents of Beale Cipher No.1 and the necessary one-time pad are given as
-an appendix at the end of this document.  For efficiency, implementors may wish
-to skip the Beale Cipher expansion and store the sBox table directly.
- 
-Expanding the Secret Key to 128 Bytes
- 
-The secret key is first expanded to fill 128 bytes (64 words).  The expansion
-consists of taking the sum of the first and last bytes in the user key, looking
-up the sum (modulo 256) in the S-box, and appending the result to the key.  The
-operation is repeated with the second byte and new last byte of the key until
-all 128 bytes have been generated.  Note that the following pseudocode treats
-the S array as an array of 128 bytes rather than 64 words.
- 
-  for j = 0 to length-1 do
-    S[ j ] = K[ j ]
-  for j = length to 127 do
-    s[ j ] = sBox[ ( S[ j-length ] + S[ j-1 ] ) mod 256 ];
- 
-At this point it is possible to perform a truncation of the effective key
-length to ease the creation of espionage-enabled software products.  However
-since the author cannot conceive why anyone would want to do this, it will not
-be considered further.
- 
-The final phase of the key expansion involves replacing the first byte of S
-with the entry selected from the S-box:
- 
-  S[ 0 ] = sBox[ S[ 0 ] ]
- 
- 
-Encryption
- 
-The cipher has 16 full rounds, each divided into 4 subrounds.  Two of the full
-rounds perform an additional transformation on the data.  Note that the
-following pseudocode treats the S array as an array of 64 words rather than 128
-bytes.
- 
-  for i = 0 to 15 do
-    j = i * 4;
-    word0 = ( word0 + ( word1 & ~word3 ) + ( word2 & word3 ) + S[ j+0 ] ) <<< 1
-    word1 = ( word1 + ( word2 & ~word0 ) + ( word3 & word0 ) + S[ j+1 ] ) <<< 2
-    word2 = ( word2 + ( word3 & ~word1 ) + ( word0 & word1 ) + S[ j+2 ] ) <<< 3
-    word3 = ( word3 + ( word0 & ~word2 ) + ( word1 & word2 ) + S[ j+3 ] ) <<< 5
- 
-In addition the fifth and eleventh rounds add the contents of the S-box indexed
-by one of the data words to another of the data words following the four
-subrounds as follows:
- 
-    word0 = word0 + S[ word3 & 63 ];
-    word1 = word1 + S[ word0 & 63 ];
-    word2 = word2 + S[ word1 & 63 ];
-    word3 = word3 + S[ word2 & 63 ];
- 
- 
-Decryption
- 
-The decryption operation is simply the inverse of the encryption operation.
-Note that the following pseudocode treats the S array as an array of 64 words
-rather than 128 bytes.
- 
-  for i = 15 downto 0 do
-    j = i * 4;
-    word3 = ( word3 >>> 5 ) - ( word0 & ~word2 ) - ( word1 & word2 ) - S[ j+3 ]
-    word2 = ( word2 >>> 3 ) - ( word3 & ~word1 ) - ( word0 & word1 ) - S[ j+2 ]
-    word1 = ( word1 >>> 2 ) - ( word2 & ~word0 ) - ( word3 & word0 ) - S[ j+1 ]
-    word0 = ( word0 >>> 1 ) - ( word1 & ~word3 ) - ( word2 & word3 ) - S[ j+0 ]
- 
-In addition the fifth and eleventh rounds subtract the contents of the S-box
-indexed by one of the data words from another one of the data words following
-the four subrounds as follows:
- 
-    word3 = word3 - S[ word2 & 63 ]
-    word2 = word2 - S[ word1 & 63 ]
-    word1 = word1 - S[ word0 & 63 ]
-    word0 = word0 - S[ word3 & 63 ]
- 
- 
-Test Vectors
- 
-The following test vectors may be used to test the correctness of an RRC.2
-implementation:
- 
-  Key:      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-  Plain:    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-  Cipher:   0x1C, 0x19, 0x8A, 0x83, 0x8D, 0xF0, 0x28, 0xB7
- 
-  Key:      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
-  Plain:    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-  Cipher:   0x21, 0x82, 0x9C, 0x78, 0xA9, 0xF9, 0xC0, 0x74
- 
-  Key:      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-  Plain:    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
-  Cipher:   0x13, 0xDB, 0x35, 0x17, 0xD3, 0x21, 0x86, 0x9E
- 
-  Key:      0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
-            0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
-  Plain:    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
-  Cipher:   0x50, 0xDC, 0x01, 0x62, 0xBD, 0x75, 0x7F, 0x31
- 
- 
-Appendix: Beale Cipher No.1, "The Locality of the Vault", and One-time Pad for
-          Creating the S-Box
- 
-Beale Cipher No.1.
- 
-  71, 194,  38,1701,  89,  76,  11,  83,1629,  48,  94,  63, 132,  16, 111,  95,
-  84, 341, 975,  14,  40,  64,  27,  81, 139, 213,  63,  90,1120,   8,  15,   3,
- 126,2018,  40,  74, 758, 485, 604, 230, 436, 664, 582, 150, 251, 284, 308, 231,
- 124, 211, 486, 225, 401, 370,  11, 101, 305, 139, 189,  17,  33,  88, 208, 193,
- 145,   1,  94,  73, 416, 918, 263,  28, 500, 538, 356, 117, 136, 219,  27, 176,
- 130,  10, 460,  25, 485,  18, 436,  65,  84, 200, 283, 118, 320, 138,  36, 416,
- 280,  15,  71, 224, 961,  44,  16, 401,  39,  88,  61, 304,  12,  21,  24, 283,
- 134,  92,  63, 246, 486, 682,   7, 219, 184, 360, 780,  18,  64, 463, 474, 131,
- 160,  79,  73, 440,  95,  18,  64, 581,  34,  69, 128, 367, 460,  17,  81,  12,
- 103, 820,  62, 110,  97, 103, 862,  70,  60,1317, 471, 540, 208, 121, 890, 346,
-  36, 150,  59, 568, 614,  13, 120,  63, 219, 812,2160,1780,  99,  35,  18,  21,
- 136, 872,  15,  28, 170,  88,   4,  30,  44, 112,  18, 147, 436, 195, 320,  37,
- 122, 113,   6, 140,   8, 120, 305,  42,  58, 461,  44, 106, 301,  13, 408, 680,
-  93,  86, 116, 530,  82, 568,   9, 102,  38, 416,  89,  71, 216, 728, 965, 818,
-   2,  38, 121, 195,  14, 326, 148, 234,  18,  55, 131, 234, 361, 824,   5,  81,
- 623,  48, 961,  19,  26,  33,  10,1101, 365,  92,  88, 181, 275, 346, 201, 206
- 
-One-time Pad.
- 
- 158, 186, 223,  97,  64, 145, 190, 190, 117, 217, 163,  70, 206, 176, 183, 194,
- 146,  43, 248, 141,   3,  54,  72, 223, 233, 153,  91, 210,  36, 131, 244, 161,
- 105, 120, 113, 191, 113,  86,  19, 245, 213, 221,  43,  27, 242, 157,  73, 213,
- 193,  92, 166,  10,  23, 197, 112, 110, 193,  30, 156,  51, 125,  51, 158,  67,
- 197, 215,  59, 218, 110, 246, 181,   0, 135,  76, 164,  97,  47,  87, 234, 108,
- 144, 127,   6,   6, 222, 172,  80, 144,  22, 245, 207,  70, 227, 182, 146, 134,
- 119, 176,  73,  58, 135,  69,  23, 198,   0, 170,  32, 171, 176, 129,  91,  24,
- 126,  77, 248,   0, 118,  69,  57,  60, 190, 171, 217,  61, 136, 169, 196,  84,
- 168, 167, 163, 102, 223,  64, 174, 178, 166, 239, 242, 195, 249,  92,  59,  38,
- 241,  46, 236,  31,  59, 114,  23,  50, 119, 186,   7,  66, 212,  97, 222, 182,
- 230, 118, 122,  86, 105,  92, 179, 243, 255, 189, 223, 164, 194, 215,  98,  44,
-  17,  20,  53, 153, 137, 224, 176, 100, 208, 114,  36, 200, 145, 150, 215,  20,
-  87,  44, 252,  20, 235, 242, 163, 132,  63,  18,   5, 122,  74,  97,  34,  97,
- 142,  86, 146, 221, 179, 166, 161,  74,  69, 182,  88, 120, 128,  58,  76, 155,
-  15,  30,  77, 216, 165, 117, 107,  90, 169, 127, 143, 181, 208, 137, 200, 127,
- 170, 195,  26,  84, 255, 132, 150,  58, 103, 250, 120, 221, 237,  37,   8,  99
- 
- 
-Implementation
- 
-A non-US based programmer who has never seen any encryption code before will
-shortly be implementing RRC.2 based solely on this specification and not on
-knowledge of any other encryption algorithms.  Stand by.
diff --git a/src/lib/libcrypto/rc2/version b/src/lib/libcrypto/rc2/version
deleted file mode 100644
index 8ca161a613..0000000000
--- a/src/lib/libcrypto/rc2/version
+++ /dev/null
@@ -1,22 +0,0 @@
-1.1 23/08/96 - eay
-        Changed RC2_set_key() so it now takes another argument.  Many
-        thanks to Peter Gutmann <pgut01@cs.auckland.ac.nz> for the
-        clarification and original specification of RC2.  BSAFE uses
-        this last parameter, 'bits'.  It the key is 128 bits, BSAFE
-        also sets this parameter to 128.  The old behaviour can be
-        duplicated by setting this parameter to 1024.
-1.0 08/04/96 - eay
-        First version of SSLeay with rc2.  This has been written from the spec
-        posted sci.crypt.  It is in this directory under rrc2.doc
-        I have no test values for any mode other than ecb, my wrappers for the
-        other modes should be ok since they are basically the same as
-        the ones taken from idea and des :-).  I have implemented them as
-        little-endian operators.
-        While rc2 is included because it is used with SSL, I don't know how
-        far I trust it.  It is about the same speed as IDEA and DES.
-        So if you are paranoid, used Triple DES, else IDEA.  If RC2
-        does get used more, perhaps more people will look for weaknesses in
-        it.
-        
diff --git a/src/lib/libcrypto/rc4/rc4.c b/src/lib/libcrypto/rc4/rc4.c
index 56ed43cba7..69b7d0a815 100644
--- a/src/lib/libcrypto/rc4/rc4.c
+++ b/src/lib/libcrypto/rc4/rc4.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rc4.c,v 1.13 2025/01/27 14:02:32 jsing Exp $ */
+/* $OpenBSD: rc4.c,v 1.15 2025/08/17 08:04:25 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -57,234 +57,123 @@
 */
 #include <endian.h>
+#include <stdint.h>
 #include <openssl/rc4.h>
 #include "crypto_arch.h"
-/* RC4 as implemented from a posting from
- * Newsgroups: sci.crypt
- * From: sterndark@netcom.com (David Sterndark)
- * Subject: RC4 Algorithm revealed.
- * Message-ID: <sternCvKL4B.Hyy@netcom.com>
- * Date: Wed, 14 Sep 1994 06:35:31 GMT
- */
 #ifdef HAVE_RC4_INTERNAL
-void rc4_internal(RC4_KEY *key, size_t len, const unsigned char *indata,
+void rc4_internal(RC4_KEY *key, size_t len, const uint8_t *in,
-    unsigned char *outdata);
+    uint8_t *out);
 #else
-static void
+static inline RC4_INT
-rc4_internal(RC4_KEY *key, size_t len, const unsigned char *indata,
+rc4_step(RC4_INT *d, RC4_INT *x, RC4_INT *y)
-    unsigned char *outdata)
 {
-        RC4_INT *d;
+        RC4_INT tx, ty;
-        RC4_INT x, y,tx, ty;
-        size_t i;
-        x = key->x;
+        *x = (*x + 1) & 0xff;
-        y = key->y;
+        tx = d[*x];
-        d = key->data;
+        *y = (tx + *y) & 0xff;
+        d[*x] = ty = d[*y];
+        d[*y] = tx;
-#if defined(RC4_CHUNK)
+        return d[(tx + ty) & 0xff];
-        /*
+}
-         * The original reason for implementing this(*) was the fact that
-         * pre-21164a Alpha CPUs don't have byte load/store instructions
-         * and e.g. a byte store has to be done with 64-bit load, shift,
-         * and, or and finally 64-bit store. Peaking data and operating
-         * at natural word size made it possible to reduce amount of
-         * instructions as well as to perform early read-ahead without
-         * suffering from RAW (read-after-write) hazard. This resulted
-         * in ~40%(**) performance improvement on 21064 box with gcc.
-         * But it's not only Alpha users who win here:-) Thanks to the
-         * early-n-wide read-ahead this implementation also exhibits
-         * >40% speed-up on SPARC and 20-30% on 64-bit MIPS (depending
-         * on sizeof(RC4_INT)).
-         *
-         * (*)  "this" means code which recognizes the case when input
-         *      and output pointers appear to be aligned at natural CPU
-         *      word boundary
-         * (**) i.e. according to 'apps/openssl speed rc4' benchmark,
-         *      crypto/rc4/rc4speed.c exhibits almost 70% speed-up...
-         *
-         * Caveats.
-         *
-         * - RC4_CHUNK="unsigned long long" should be a #1 choice for
-         *   UltraSPARC. Unfortunately gcc generates very slow code
-         *   (2.5-3 times slower than one generated by Sun's WorkShop
-         *   C) and therefore gcc (at least 2.95 and earlier) should
-         *   always be told that RC4_CHUNK="unsigned long".
-         *
-         *                                      <appro@fy.chalmers.se>
-         */
-# define RC4_STEP       ( \
+#if BYTE_ORDER == BIG_ENDIAN
-                        x=(x+1) &0xff,  \
+static inline uint64_t
-                        tx=d[x],        \
+rc4_chunk(RC4_INT *d, RC4_INT *x, RC4_INT *y)
-                        y=(tx+y)&0xff,  \
+{
-                        ty=d[y],        \
+        uint64_t chunk = 0;
-                        d[y]=tx,        \
+        size_t i;
-                        d[x]=ty,        \
-                        (RC4_CHUNK)d[(tx+ty)&0xff]\
-                        )
-        if ((((size_t)indata & (sizeof(RC4_CHUNK) - 1)) |
+        for (i = 0; i < 8; i++)
-            ((size_t)outdata & (sizeof(RC4_CHUNK) - 1))) == 0 ) {
+                chunk = chunk << 8 | (uint64_t)rc4_step(d, x, y);
-                RC4_CHUNK ichunk, otp;
+        return chunk;
+}
-                /*
-                 * I reckon we can afford to implement both endian
-                 * cases and to decide which way to take at run-time
-                 * because the machine code appears to be very compact
-                 * and redundant 1-2KB is perfectly tolerable (i.e.
-                 * in case the compiler fails to eliminate it:-). By
-                 * suggestion from Terrel Larson <terr@terralogic.net>.
-                 *
-                 * Special notes.
-                 *
-                 * - compilers (those I've tried) don't seem to have
-                 *   problems eliminating either the operators guarded
-                 *   by "if (sizeof(RC4_CHUNK)==8)" or the condition
-                 *   expressions themselves so I've got 'em to replace
-                 *   corresponding #ifdefs from the previous version;
-                 * - I chose to let the redundant switch cases when
-                 *   sizeof(RC4_CHUNK)!=8 be (were also #ifdefed
-                 *   before);
-                 * - in case you wonder "&(sizeof(RC4_CHUNK)*8-1)" in
-                 *   [LB]ESHFT guards against "shift is out of range"
-                 *   warnings when sizeof(RC4_CHUNK)!=8
-                 *
-                 *                      <appro@fy.chalmers.se>
-                 */
-#if BYTE_ORDER == BIG_ENDIAN
-# define BESHFT(c)      (((sizeof(RC4_CHUNK)-(c)-1)*8)&(sizeof(RC4_CHUNK)*8-1))
-                for (; len & (0 - sizeof(RC4_CHUNK)); len -= sizeof(RC4_CHUNK)) {
-                        ichunk  = *(RC4_CHUNK *)indata;
-                        otp = RC4_STEP << BESHFT(0);
-                        otp |= RC4_STEP << BESHFT(1);
-                        otp |= RC4_STEP << BESHFT(2);
-                        otp |= RC4_STEP << BESHFT(3);
-                        if (sizeof(RC4_CHUNK) == 8) {
-                                otp |= RC4_STEP << BESHFT(4);
-                                otp |= RC4_STEP << BESHFT(5);
-                                otp |= RC4_STEP << BESHFT(6);
-                                otp |= RC4_STEP << BESHFT(7);
-                        }
-                        *(RC4_CHUNK *)outdata = otp^ichunk;
-                        indata += sizeof(RC4_CHUNK);
-                        outdata += sizeof(RC4_CHUNK);
-                }
 #else
-# define LESHFT(c)      (((c)*8)&(sizeof(RC4_CHUNK)*8-1))
+static inline uint64_t
-                for (; len & (0 - sizeof(RC4_CHUNK)); len -= sizeof(RC4_CHUNK)) {
+rc4_chunk(RC4_INT *d, RC4_INT *x, RC4_INT *y)
-                        ichunk = *(RC4_CHUNK *)indata;
+{
-                        otp = RC4_STEP;
+        uint64_t chunk = 0;
-                        otp |= RC4_STEP << 8;
+        size_t i;
-                        otp |= RC4_STEP << 16;
-                        otp |= RC4_STEP << 24;
+        for (i = 0; i < 8; i++)
-                        if (sizeof(RC4_CHUNK) == 8) {
+                chunk |= (uint64_t)rc4_step(d, x, y) << (i * 8);
-                                otp |= RC4_STEP << LESHFT(4);
-                                otp |= RC4_STEP << LESHFT(5);
+        return chunk;
-                                otp |= RC4_STEP << LESHFT(6);
+}
-                                otp |= RC4_STEP << LESHFT(7);
-                        }
-                        *(RC4_CHUNK *)outdata = otp ^ ichunk;
-                        indata += sizeof(RC4_CHUNK);
-                        outdata += sizeof(RC4_CHUNK);
-                }
-#endif
-        }
 #endif
-#define RC4_LOOP(in,out) \
-                x=((x+1)&0xff); \
-                tx=d[x]; \
-                y=(tx+y)&0xff; \
-                d[x]=ty=d[y]; \
-                d[y]=tx; \
-                (out) = d[(tx+ty)&0xff]^ (in);
-        i = len >> 3;
+static void
-        if (i) {
+rc4_internal(RC4_KEY *key, size_t len, const uint8_t *in, uint8_t *out)
-                for (;;) {
+{
-                        RC4_LOOP(indata[0], outdata[0]);
+        RC4_INT *d, x, y;
-                        RC4_LOOP(indata[1], outdata[1]);
+        size_t i;
-                        RC4_LOOP(indata[2], outdata[2]);
-                        RC4_LOOP(indata[3], outdata[3]);
-                        RC4_LOOP(indata[4], outdata[4]);
-                        RC4_LOOP(indata[5], outdata[5]);
-                        RC4_LOOP(indata[6], outdata[6]);
-                        RC4_LOOP(indata[7], outdata[7]);
-                        indata += 8;
+        x = key->x;
-                        outdata += 8;
+        y = key->y;
+        d = key->data;
+        /* Process uint64_t chunks if 8 byte aligned. */
+        if ((((size_t)in | (size_t)out) % 8) == 0) {
+                while (len >= 8) {
+                        *(uint64_t *)out = *(const uint64_t *)in ^ rc4_chunk(d, &x, &y);
-                        if (--i == 0)
+                        in += 8;
-                                break;
+                        out += 8;
+                        len -= 8;
                }
        }
-        i = len&0x07;
-        if (i) {
+        while (len >= 8) {
-                for (;;) {
+                for (i = 0; i < 8; i++)
-                        RC4_LOOP(indata[0], outdata[0]);
+                        out[i] = rc4_step(d, &x, &y) ^ in[i];
-                        if (--i == 0)
-                                break;
+                in += 8;
-                        RC4_LOOP(indata[1], outdata[1]);
+                out += 8;
-                        if (--i == 0)
+                len -= 8;
-                                break;
-                        RC4_LOOP(indata[2], outdata[2]);
-                        if (--i == 0)
-                                break;
-                        RC4_LOOP(indata[3], outdata[3]);
-                        if (--i == 0)
-                                break;
-                        RC4_LOOP(indata[4], outdata[4]);
-                        if (--i == 0)
-                                break;
-                        RC4_LOOP(indata[5], outdata[5]);
-                        if (--i == 0)
-                                break;
-                        RC4_LOOP(indata[6], outdata[6]);
-                        if (--i == 0)
-                                break;
-                }
        }
+        for (i = 0; i < len; i++)
+                out[i] = rc4_step(d, &x, &y) ^ in[i];
        key->x = x;
        key->y = y;
 }
 #endif
 #ifdef HAVE_RC4_SET_KEY_INTERNAL
-void rc4_set_key_internal(RC4_KEY *key, int len, const unsigned char *data);
+void rc4_set_key_internal(RC4_KEY *key, int len, const uint8_t *data);
 #else
 static inline void
-rc4_set_key_internal(RC4_KEY *key, int len, const unsigned char *data)
+rc4_set_key_internal(RC4_KEY *key, int len, const uint8_t *data)
 {
-        RC4_INT tmp;
+        RC4_INT *d, tmp;
-        int id1, id2;
+        int idx1, idx2;
-        RC4_INT *d;
+        int i, j;
-        unsigned int i;
-        d = &(key->data[0]);
+        d = key->data;
        key->x = 0;
        key->y = 0;
-        id1 = id2 = 0;
+        idx1 = idx2 = 0;
-#define SK_LOOP(d,n) { \
-                tmp=d[(n)]; \
-                id2 = (data[id1] + tmp + id2) & 0xff; \
-                if (++id1 == len) id1=0; \
-                d[(n)]=d[id2]; \
-                d[id2]=tmp; }
        for (i = 0; i < 256; i++)
                d[i] = i;
        for (i = 0; i < 256; i += 4) {
-                SK_LOOP(d, i + 0);
+                for (j = 0; j < 4; j++) {
-                SK_LOOP(d, i + 1);
+                        tmp = d[i + j];
-                SK_LOOP(d, i + 2);
+                        idx2 = (data[idx1] + tmp + idx2) & 0xff;
-                SK_LOOP(d, i + 3);
+                        d[i + j] = d[idx2];
+                        d[idx2] = tmp;
+                        if (++idx1 == len)
+                                idx1 = 0;
+                }
        }
 }
 #endif
diff --git a/src/lib/libcrypto/rc4/rc4.h b/src/lib/libcrypto/rc4/rc4.h
index a20472372b..c994b39a31 100644
--- a/src/lib/libcrypto/rc4/rc4.h
+++ b/src/lib/libcrypto/rc4/rc4.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: rc4.h,v 1.16 2025/01/25 17:59:44 tb Exp $ */
+/* $OpenBSD: rc4.h,v 1.17 2025/06/09 14:37:49 tb Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,10 +59,15 @@
 #ifndef HEADER_RC4_H
 #define HEADER_RC4_H
-#include <openssl/opensslconf.h> /* OPENSSL_NO_RC4, RC4_INT */
+#include <openssl/opensslconf.h> /* OPENSSL_NO_RC4 */
 #include <stddef.h>
+#ifndef RC4_INT
+/* XXX - typedef */
+#define RC4_INT unsigned int
+#endif
 #ifdef  __cplusplus
 extern "C" {
 #endif
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
index 5a87522289..00fa6afb3d 100644
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_ameth.c,v 1.62 2024/11/02 07:11:14 tb Exp $ */
+/* $OpenBSD: rsa_ameth.c,v 1.63 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -66,7 +66,6 @@
 #include <openssl/bio.h>
 #include <openssl/bn.h>
 #include <openssl/cms.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
@@ -76,6 +75,7 @@
 #include "asn1_local.h"
 #include "bn_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "rsa_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/rsa/rsa_blinding.c b/src/lib/libcrypto/rsa/rsa_blinding.c
index cac5bd91d2..590b45f5a1 100644
--- a/src/lib/libcrypto/rsa/rsa_blinding.c
+++ b/src/lib/libcrypto/rsa/rsa_blinding.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_blinding.c,v 1.3 2023/08/09 12:09:06 tb Exp $ */
+/* $OpenBSD: rsa_blinding.c,v 1.4 2025/05/10 05:54:38 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
 *
@@ -114,10 +114,10 @@
 #include <openssl/opensslconf.h>
-#include <openssl/err.h>
 #include <openssl/rsa.h>
 #include "bn_local.h"
+#include "err_local.h"
 #include "rsa_local.h"
 #define BN_BLINDING_COUNTER     32
diff --git a/src/lib/libcrypto/rsa/rsa_chk.c b/src/lib/libcrypto/rsa/rsa_chk.c
index b7666e0fed..87d261f88e 100644
--- a/src/lib/libcrypto/rsa/rsa_chk.c
+++ b/src/lib/libcrypto/rsa/rsa_chk.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_chk.c,v 1.18 2023/07/08 12:26:45 beck Exp $ */
+/* $OpenBSD: rsa_chk.c,v 1.19 2025/05/10 05:54:38 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
@@ -49,10 +49,10 @@
 */
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/rsa.h>
 #include "bn_local.h"
+#include "err_local.h"
 #include "rsa_local.h"
 int
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index c2e1e22f9a..65ccfc35e1 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_eay.c,v 1.65 2023/08/09 12:09:06 tb Exp $ */
+/* $OpenBSD: rsa_eay.c,v 1.66 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -115,10 +115,10 @@
 #include <openssl/opensslconf.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/rsa.h>
 #include "bn_local.h"
+#include "err_local.h"
 #include "rsa_local.h"
 static int
diff --git a/src/lib/libcrypto/rsa/rsa_gen.c b/src/lib/libcrypto/rsa/rsa_gen.c
index ff64eb2f0e..6a8bd08160 100644
--- a/src/lib/libcrypto/rsa/rsa_gen.c
+++ b/src/lib/libcrypto/rsa/rsa_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_gen.c,v 1.30 2023/07/08 12:26:45 beck Exp $ */
+/* $OpenBSD: rsa_gen.c,v 1.32 2025/09/29 08:46:15 jan Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,10 +60,10 @@
 #include <time.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/rsa.h>
 #include "bn_local.h"
+#include "err_local.h"
 #include "rsa_local.h"
 static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb);
@@ -84,6 +84,7 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
        BIGNUM pr0, d, p;
        int bitsp, bitsq, ok = -1, n = 0;
        BN_CTX *ctx = NULL;
+        BIGNUM *diff, *mindiff;
        ctx = BN_CTX_new();
        if (ctx == NULL)
@@ -97,10 +98,24 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
                goto err;
        if ((r3 = BN_CTX_get(ctx)) == NULL)
                goto err;
+        if ((diff = BN_CTX_get(ctx)) == NULL)
+                goto err;
+        if ((mindiff = BN_CTX_get(ctx)) == NULL)
+                goto err;
        bitsp = (bits + 1) / 2;
        bitsq = bits - bitsp;
+        /*
+         * To guarantee a minimum distance of 2^(bits/2 - 100) between p and q.
+         *
+         * NIST SP 800-56B, section 6.2.1, 3.c
+         */
+        if (bits < 200)
+                goto err;
+        if (!BN_set_bit(mindiff, bits/2 - 100))
+                goto err;
        /* We need the RSA components non-NULL */
        if (!rsa->n && ((rsa->n = BN_new()) == NULL))
                goto err;
@@ -148,8 +163,9 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
                        if (!BN_generate_prime_ex(rsa->q, bitsq, 0, NULL, NULL,
                            cb))
                                goto err;
-                } while (BN_cmp(rsa->p, rsa->q) == 0 &&
+                        if (!BN_sub(diff, rsa->p, rsa->q))
-                    ++degenerate < 3);
+                                goto err;
+                } while (BN_ucmp(diff, mindiff) <= 0 && ++degenerate < 3);
                if (degenerate == 3) {
                        ok = 0; /* we set our own err */
                        RSAerror(RSA_R_KEY_SIZE_TOO_SMALL);
diff --git a/src/lib/libcrypto/rsa/rsa_lib.c b/src/lib/libcrypto/rsa/rsa_lib.c
index 91f4938ec9..7b8babdf52 100644
--- a/src/lib/libcrypto/rsa/rsa_lib.c
+++ b/src/lib/libcrypto/rsa/rsa_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_lib.c,v 1.50 2024/03/27 01:22:30 tb Exp $ */
+/* $OpenBSD: rsa_lib.c,v 1.51 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,12 +62,12 @@
 #include <openssl/bn.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/lhash.h>
 #include <openssl/rsa.h>
 #include "bn_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "rsa_local.h"
diff --git a/src/lib/libcrypto/rsa/rsa_local.h b/src/lib/libcrypto/rsa/rsa_local.h
index 3f88b952a2..a026a488b6 100644
--- a/src/lib/libcrypto/rsa/rsa_local.h
+++ b/src/lib/libcrypto/rsa/rsa_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_local.h,v 1.10 2025/01/05 15:39:12 tb Exp $ */
+/* $OpenBSD: rsa_local.h,v 1.11 2025/11/26 10:19:57 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -56,6 +56,9 @@
 * [including the GNU Public Licence.]
 */
+#ifndef HEADER_RSA_LOCAL_H
+#define HEADER_RSA_LOCAL_H
 __BEGIN_HIDDEN_DECLS
 #define RSA_MIN_MODULUS_BITS    512
@@ -152,3 +155,5 @@ int BN_BLINDING_is_local(BN_BLINDING *b);
 BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx);
 __END_HIDDEN_DECLS
+#endif /* HEADER_RSA_LOCAL_H */
diff --git a/src/lib/libcrypto/rsa/rsa_meth.c b/src/lib/libcrypto/rsa/rsa_meth.c
index 71608caa01..131c4484ab 100644
--- a/src/lib/libcrypto/rsa/rsa_meth.c
+++ b/src/lib/libcrypto/rsa/rsa_meth.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: rsa_meth.c,v 1.7 2023/07/08 12:26:45 beck Exp $       */
+/*      $OpenBSD: rsa_meth.c,v 1.8 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
 *
@@ -18,7 +18,6 @@
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/rsa.h>
 #include "rsa_local.h"
diff --git a/src/lib/libcrypto/rsa/rsa_none.c b/src/lib/libcrypto/rsa/rsa_none.c
index 9c53dcf595..b8764d54ef 100644
--- a/src/lib/libcrypto/rsa/rsa_none.c
+++ b/src/lib/libcrypto/rsa/rsa_none.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_none.c,v 1.12 2023/07/08 12:26:45 beck Exp $ */
+/* $OpenBSD: rsa_none.c,v 1.13 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,9 +60,10 @@
 #include <string.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/rsa.h>
+#include "err_local.h"
 int
 RSA_padding_add_none(unsigned char *to, int tlen, const unsigned char *from,
    int flen)
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index d1e138c299..af7131704b 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_oaep.c,v 1.39 2024/03/26 05:37:28 joshua Exp $ */
+/* $OpenBSD: rsa_oaep.c,v 1.41 2025/08/25 18:47:39 tb Exp $ */
 /*
 * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved.
 *
@@ -7,7 +7,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
+ *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -74,12 +74,12 @@
 #include <string.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/sha.h>
 #include "constant_time.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "rsa_local.h"
diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c
index 8e56a8c4cd..554e00e8f8 100644
--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ b/src/lib/libcrypto/rsa/rsa_pk1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pk1.c,v 1.17 2024/03/30 04:34:17 jsing Exp $ */
+/* $OpenBSD: rsa_pk1.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,10 +61,10 @@
 #include <string.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/rsa.h>
 #include "bytestring.h"
+#include "err_local.h"
 int
 RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index 453570cf74..518b077dbc 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pmeth.c,v 1.43 2025/01/17 15:39:19 tb Exp $ */
+/* $OpenBSD: rsa_pmeth.c,v 1.44 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -65,13 +65,13 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include "bn_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "rsa_local.h"
diff --git a/src/lib/libcrypto/rsa/rsa_prn.c b/src/lib/libcrypto/rsa/rsa_prn.c
index 1783563661..ef08f76249 100644
--- a/src/lib/libcrypto/rsa/rsa_prn.c
+++ b/src/lib/libcrypto/rsa/rsa_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_prn.c,v 1.10 2023/07/08 12:26:45 beck Exp $ */
+/* $OpenBSD: rsa_prn.c,v 1.11 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -58,10 +58,11 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
+#include "err_local.h"
 int
 RSA_print_fp(FILE *fp, const RSA *x, int off)
 {
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
index 610ae7c928..72e252ef06 100644
--- a/src/lib/libcrypto/rsa/rsa_pss.c
+++ b/src/lib/libcrypto/rsa/rsa_pss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pss.c,v 1.19 2024/03/26 05:26:27 joshua Exp $ */
+/* $OpenBSD: rsa_pss.c,v 1.20 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -61,11 +61,11 @@
 #include <string.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/sha.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "rsa_local.h"
diff --git a/src/lib/libcrypto/rsa/rsa_saos.c b/src/lib/libcrypto/rsa/rsa_saos.c
index 07a4f5d659..3052fa912f 100644
--- a/src/lib/libcrypto/rsa/rsa_saos.c
+++ b/src/lib/libcrypto/rsa/rsa_saos.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_saos.c,v 1.25 2023/07/08 12:26:45 beck Exp $ */
+/* $OpenBSD: rsa_saos.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,11 +60,12 @@
 #include <string.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 int
 RSA_sign_ASN1_OCTET_STRING(int type, const unsigned char *m, unsigned int m_len,
    unsigned char *sigret, unsigned int *siglen, RSA *rsa)
diff --git a/src/lib/libcrypto/rsa/rsa_sign.c b/src/lib/libcrypto/rsa/rsa_sign.c
index 6edd20626d..09e6972293 100644
--- a/src/lib/libcrypto/rsa/rsa_sign.c
+++ b/src/lib/libcrypto/rsa/rsa_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_sign.c,v 1.37 2025/01/05 15:39:12 tb Exp $ */
+/* $OpenBSD: rsa_sign.c,v 1.38 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,12 +60,12 @@
 #include <string.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "rsa_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/rsa/rsa_x931.c b/src/lib/libcrypto/rsa/rsa_x931.c
index 52f3f803b2..8a0190d7fe 100644
--- a/src/lib/libcrypto/rsa/rsa_x931.c
+++ b/src/lib/libcrypto/rsa/rsa_x931.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_x931.c,v 1.12 2023/05/05 12:19:37 tb Exp $ */
+/* $OpenBSD: rsa_x931.c,v 1.13 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -60,10 +60,11 @@
 #include <string.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
+#include "err_local.h"
 int
 RSA_padding_add_X931(unsigned char *to, int tlen, const unsigned char *from,
    int flen)
diff --git a/src/lib/libcrypto/sha/asm/sha1-586.pl b/src/lib/libcrypto/sha/asm/sha1-586.pl
index 5928e083c1..d2491766f3 100644
--- a/src/lib/libcrypto/sha/asm/sha1-586.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-586.pl
@@ -104,13 +104,7 @@ require "x86asm.pl";
 &asm_init($ARGV[0],"sha1-586.pl",$ARGV[$#ARGV] eq "386");
-$xmm=$ymm=0;
+$xmm=$ymm=1;
-for (@ARGV) { $xmm=1 if (/-DOPENSSL_IA32_SSE2/); }
-$ymm=1 if ($xmm &&
-                `$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
-                        =~ /GNU assembler version ([2-9]\.[0-9]+)/ &&
-                $1>=2.19);      # first version supporting AVX
 &external_label("OPENSSL_ia32cap_P") if ($xmm);
diff --git a/src/lib/libcrypto/sha/asm/sha512-586.pl b/src/lib/libcrypto/sha/asm/sha512-586.pl
index c1d0684e92..fe1ff487bc 100644
--- a/src/lib/libcrypto/sha/asm/sha512-586.pl
+++ b/src/lib/libcrypto/sha/asm/sha512-586.pl
@@ -38,8 +38,7 @@ require "x86asm.pl";
 &asm_init($ARGV[0],"sha512-586.pl",$ARGV[$#ARGV] eq "386");
-$sse2=0;
+$sse2=1;
-for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 &external_label("OPENSSL_ia32cap_P") if ($sse2);
diff --git a/src/lib/libcrypto/sha/sha1_aarch64.c b/src/lib/libcrypto/sha/sha1_aarch64.c
new file mode 100644
index 0000000000..04c87761e0
--- /dev/null
+++ b/src/lib/libcrypto/sha/sha1_aarch64.c
@@ -0,0 +1,34 @@
+/* $OpenBSD: sha1_aarch64.c,v 1.1 2025/06/28 12:51:08 jsing Exp $ */
+/*
+ * Copyright (c) 2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <openssl/sha.h>
+#include "crypto_arch.h"
+void sha1_block_ce(SHA256_CTX *ctx, const void *in, size_t num);
+void sha1_block_generic(SHA256_CTX *ctx, const void *in, size_t num);
+void
+sha1_block_data_order(SHA256_CTX *ctx, const void *in, size_t num)
+{
+        if ((crypto_cpu_caps_aarch64 & CRYPTO_CPU_CAPS_AARCH64_SHA1) != 0) {
+                sha1_block_ce(ctx, in, num);
+                return;
+        }
+        sha1_block_generic(ctx, in, num);
+}
diff --git a/src/lib/libcrypto/sha/sha1_aarch64_ce.S b/src/lib/libcrypto/sha/sha1_aarch64_ce.S
new file mode 100644
index 0000000000..ce7eb81115
--- /dev/null
+++ b/src/lib/libcrypto/sha/sha1_aarch64_ce.S
@@ -0,0 +1,214 @@
+/* $OpenBSD: sha1_aarch64_ce.S,v 1.3 2026/01/17 06:31:45 jsing Exp $ */
+/*
+ * Copyright (c) 2023,2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/*
+ * SHA-1 implementation using the ARM Cryptographic Extension (CE).
+ *
+ * There are six instructions for hardware acceleration of SHA-1 - the
+ * documentation for these instructions is woefully inadequate:
+ *
+ *  sha1c:   hash update (choose)
+ *  sha1h:   fixed rotate
+ *  sha1m:   hash update (majority)
+ *  sha1p:   hash update (parity)
+ *  sha1su0: message schedule update with sigma0 for four rounds
+ *  sha1su1: message schedule update with sigma1 for four rounds
+ */
+#define ctx             x0
+#define in              x1
+#define num             x2
+/* Note: the lower 64 bits of v8 through v15 are callee saved. */
+#define hc0             v16
+#define hc1             v17
+#define hc1s            s17
+#define hs0             v18
+#define hs1             v19
+#define hs1s            s19
+#define w0              v20
+#define w1              v21
+#define w2              v22
+#define w3              v23
+#define k0              v24
+#define k1              v25
+#define k2              v26
+#define k3              v27
+#define tmp0            v28
+#define tmp1            s29
+#define tmp2            w11
+/*
+ * Update message schedule for m0 (W0:W1:W2:W3), using m1 (W4:W5:W6:W7),
+ * m2 (W8:W9:W10:11) and m3 (W12:W13:W14:W15). The sha1su0 instruction computes
+ * W0 = W8 ^ W2 ^ W0, while sha1su1 computes rol(W0 ^ W13, 1).
+ */
+#define sha1_message_schedule_update(m0, m1, m2, m3) \
+        sha1su0 m0.4s, m1.4s, m2.4s;                                    \
+        sha1su1 m0.4s, m3.4s;
+/*
+ * Compute four SHA-1 rounds by adding W0:W1:W2:W3 + K0:K1:K2:K3, then
+ * computing the remainder of each round (including the shuffle) via
+ * sha1{c,p,m}/sha1h.
+ */
+#define sha1_round1(h0, h1, w, k) \
+        add     tmp0.4s, w.4s, k.4s;            /* Tt = Wt + Kt */      \
+        mov     tmp1, h0.s[0];                                          \
+        sha1c   h0, h1, tmp0.4s;                                        \
+        sha1h   h1, tmp1;
+#define sha1_round2(h0, h1, w, k) \
+        add     tmp0.4s, w.4s, k.4s;            /* Tt = Wt + Kt */      \
+        mov     tmp1, h0.s[0];                                          \
+        sha1p   h0, h1, tmp0.4s;                                        \
+        sha1h   h1, tmp1;
+#define sha1_round3(h0, h1, w, k) \
+        add     tmp0.4s, w.4s, k.4s;            /* Tt = Wt + Kt */      \
+        mov     tmp1, h0.s[0];                                          \
+        sha1m   h0, h1, tmp0.4s;                                        \
+        sha1h   h1, tmp1;
+#define sha1_round4(h0, h1, w, k) \
+        add     tmp0.4s, w.4s, k.4s;            /* Tt = Wt + Kt */      \
+        mov     tmp1, h0.s[0];                                          \
+        sha1p   h0, h1, tmp0.4s;                                        \
+        sha1h   h1, tmp1;
+.arch   armv8-a+sha2
+.section .text
+/*
+ * void sha1_block_ce(SHA256_CTX *ctx, const void *in, size_t num);
+ *
+ * Standard ARM ABI: x0 = ctx, x1 = in, x2 = num
+ */
+.globl  sha1_block_ce
+.type   sha1_block_ce,@function
+sha1_block_ce:
+        /*
+         * Load SHA-1 round constants.
+         */
+        /* Round 1 - 0x5a827999 */
+        movz    tmp2, #0x5a82, lsl #16
+        movk    tmp2, #0x7999
+        dup     k0.4s, tmp2
+        /* Round 2 - 0x6ed9eba1 */
+        movz    tmp2, #0x6ed9, lsl #16
+        movk    tmp2, #0xeba1
+        dup     k1.4s, tmp2
+        /* Round 3 - 0x8f1bbcdc */
+        movz    tmp2, #0x8f1b, lsl #16
+        movk    tmp2, #0xbcdc
+        dup     k2.4s, tmp2
+        /* Round 4 - 0xca62c1d6 */
+        movz    tmp2, #0xca62, lsl #16
+        movk    tmp2, #0xc1d6
+        dup     k3.4s, tmp2
+        /* Load current hash state from context (hc0 = a:b:c:d, hc1 = e). */
+        ld1     {hc0.4s}, [ctx]
+        ldr     hc1s, [ctx, #(4*4)]
+.Lblock_loop:
+        /* Copy current hash state. */
+        mov     hs0.4s, hc0.4s
+        mov     hs1s, hc1.s[0]
+        /* Load and byte swap message schedule. */
+        ld1     {w0.16b, w1.16b, w2.16b, w3.16b}, [in], #64
+        rev32   w0.16b, w0.16b
+        rev32   w1.16b, w1.16b
+        rev32   w2.16b, w2.16b
+        rev32   w3.16b, w3.16b
+        /* Rounds 0 through 15 (four rounds at a time). */
+        sha1_round1(hs0, hs1s, w0, k0)
+        sha1_round1(hs0, hs1s, w1, k0)
+        sha1_round1(hs0, hs1s, w2, k0)
+        sha1_round1(hs0, hs1s, w3, k0)
+        /* Rounds 16 through 31 (four rounds at a time). */
+        sha1_message_schedule_update(w0, w1, w2, w3)
+        sha1_message_schedule_update(w1, w2, w3, w0)
+        sha1_message_schedule_update(w2, w3, w0, w1)
+        sha1_message_schedule_update(w3, w0, w1, w2)
+        sha1_round1(hs0, hs1s, w0, k0)
+        sha1_round2(hs0, hs1s, w1, k1)
+        sha1_round2(hs0, hs1s, w2, k1)
+        sha1_round2(hs0, hs1s, w3, k1)
+        /* Rounds 32 through 47 (four rounds at a time). */
+        sha1_message_schedule_update(w0, w1, w2, w3)
+        sha1_message_schedule_update(w1, w2, w3, w0)
+        sha1_message_schedule_update(w2, w3, w0, w1)
+        sha1_message_schedule_update(w3, w0, w1, w2)
+        sha1_round2(hs0, hs1s, w0, k1)
+        sha1_round2(hs0, hs1s, w1, k1)
+        sha1_round3(hs0, hs1s, w2, k2)
+        sha1_round3(hs0, hs1s, w3, k2)
+        /* Rounds 48 through 63 (four rounds at a time). */
+        sha1_message_schedule_update(w0, w1, w2, w3)
+        sha1_message_schedule_update(w1, w2, w3, w0)
+        sha1_message_schedule_update(w2, w3, w0, w1)
+        sha1_message_schedule_update(w3, w0, w1, w2)
+        sha1_round3(hs0, hs1s, w0, k2)
+        sha1_round3(hs0, hs1s, w1, k2)
+        sha1_round3(hs0, hs1s, w2, k2)
+        sha1_round4(hs0, hs1s, w3, k3)
+        /* Rounds 64 through 79 (four rounds at a time). */
+        sha1_message_schedule_update(w0, w1, w2, w3)
+        sha1_message_schedule_update(w1, w2, w3, w0)
+        sha1_message_schedule_update(w2, w3, w0, w1)
+        sha1_message_schedule_update(w3, w0, w1, w2)
+        sha1_round4(hs0, hs1s, w0, k3)
+        sha1_round4(hs0, hs1s, w1, k3)
+        sha1_round4(hs0, hs1s, w2, k3)
+        sha1_round4(hs0, hs1s, w3, k3)
+        /* Add intermediate state to hash state. */
+        add     hc0.4s, hc0.4s, hs0.4s
+        add     hc1.4s, hc1.4s, hs1.4s
+        sub     num, num, #1
+        cbnz    num, .Lblock_loop
+        /* Store hash state to context. */
+        st1     {hc0.4s}, [ctx]
+        str     hc1s, [ctx, #(4*4)]
+        ret
diff --git a/src/lib/libcrypto/sha/sha1_amd64_generic.S b/src/lib/libcrypto/sha/sha1_amd64_generic.S
index 38f49b0c3c..685d71edf8 100644
--- a/src/lib/libcrypto/sha/sha1_amd64_generic.S
+++ b/src/lib/libcrypto/sha/sha1_amd64_generic.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha1_amd64_generic.S,v 1.2 2025/01/18 02:56:07 jsing Exp $ */
+/* $OpenBSD: sha1_amd64_generic.S,v 1.3 2026/01/17 06:31:45 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -156,7 +156,7 @@
        sha1_message_schedule_update(idx, %rsp, tmp0) \
        sha1_round_parity(a, b, c, d, e, 0xca62c1d6, tmp0)
-.text
+.section .text
 /*
 * void sha1_block_generic(SHA1_CTX *ctx, const void *in, size_t num);
diff --git a/src/lib/libcrypto/sha/sha1_amd64_shani.S b/src/lib/libcrypto/sha/sha1_amd64_shani.S
index d7699d10f1..751554f1d5 100644
--- a/src/lib/libcrypto/sha/sha1_amd64_shani.S
+++ b/src/lib/libcrypto/sha/sha1_amd64_shani.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha1_amd64_shani.S,v 1.1 2024/12/06 11:57:18 jsing Exp $ */
+/* $OpenBSD: sha1_amd64_shani.S,v 1.2 2026/01/17 06:31:45 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -71,7 +71,7 @@
        sha1_shani_round(fn, xm0, xe, xe_next);
-.text
+.section .text
 /*
 * void sha1_block_shani(SHA256_CTX *ctx, const void *in, size_t num);
@@ -157,7 +157,7 @@ sha1_block_shani:
        ret
-.rodata
+.section .rodata
 /*
 * Shuffle mask - byte reversal for little endian to big endian word conversion,
diff --git a/src/lib/libcrypto/sha/sha256_aarch64_ce.S b/src/lib/libcrypto/sha/sha256_aarch64_ce.S
index 15726827e6..b66969427b 100644
--- a/src/lib/libcrypto/sha/sha256_aarch64_ce.S
+++ b/src/lib/libcrypto/sha/sha256_aarch64_ce.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha256_aarch64_ce.S,v 1.2 2025/03/12 12:53:33 jsing Exp $ */
+/* $OpenBSD: sha256_aarch64_ce.S,v 1.4 2026/01/17 06:31:45 jsing Exp $ */
 /*
 * Copyright (c) 2023,2025 Joel Sing <jsing@openbsd.org>
 *
@@ -84,7 +84,7 @@
 .arch   armv8-a+sha2
-.text
+.section .text
 /*
 * void sha256_block_ce(SHA256_CTX *ctx, const void *in, size_t num);
@@ -105,7 +105,7 @@ sha256_block_ce:
         */
        ld1     {hc0.4s, hc1.4s}, [ctx]
-block_loop:
+.Lblock_loop:
        mov     k256, k256_base
        /* Copy current hash state. */
@@ -156,17 +156,18 @@ block_loop:
        add     hc1.4s, hc1.4s, hs1.4s
        sub     num, num, #1
-        cbnz    num, block_loop
+        cbnz    num, .Lblock_loop
        /* Store hash state to context. */
        st1     {hc0.4s, hc1.4s}, [ctx]
        ret
+.section .rodata
 /*
 * SHA-256 constants - see FIPS 180-4 section 4.2.3.
 */
-.rodata
 .align  4
 .type   K256,@object
 K256:
diff --git a/src/lib/libcrypto/sha/sha256_amd64_generic.S b/src/lib/libcrypto/sha/sha256_amd64_generic.S
index 166bce9ca8..a5bb3eca42 100644
--- a/src/lib/libcrypto/sha/sha256_amd64_generic.S
+++ b/src/lib/libcrypto/sha/sha256_amd64_generic.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha256_amd64_generic.S,v 1.3 2024/11/16 12:34:16 jsing Exp $ */
+/* $OpenBSD: sha256_amd64_generic.S,v 1.4 2026/01/17 06:31:45 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -143,7 +143,7 @@
        sha256_message_schedule_update(idx, %rsp, tmp0) \
        sha256_round(idx, a, b, c, d, e, f, g, h, k256, %rsp, tmp0)
-.text
+.section .text
 /*
 * void sha256_block_generic(SHA256_CTX *ctx, const void *in, size_t num);
@@ -276,10 +276,11 @@ sha256_block_generic:
        ret
+.section .rodata
 /*
 * SHA-256 constants - see FIPS 180-4 section 4.2.2.
 */
-.rodata
 .align  64
 .type   K256,@object
 K256:
diff --git a/src/lib/libcrypto/sha/sha256_amd64_shani.S b/src/lib/libcrypto/sha/sha256_amd64_shani.S
index df3a796b45..e43ecfa51f 100644
--- a/src/lib/libcrypto/sha/sha256_amd64_shani.S
+++ b/src/lib/libcrypto/sha/sha256_amd64_shani.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha256_amd64_shani.S,v 1.1 2024/11/16 15:31:36 jsing Exp $ */
+/* $OpenBSD: sha256_amd64_shani.S,v 1.2 2026/01/17 06:31:45 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -80,7 +80,7 @@
        movdqa  xmt0, xmsg;                                             \
        sha256_shani_round(idx);
-.text
+.section .text
 /*
 * void sha256_block_shani(SHA256_CTX *ctx, const void *in, size_t num);
@@ -173,7 +173,7 @@ sha256_block_shani:
        ret
-.rodata
+.section .rodata
 /*
 * Shuffle mask - little endian to big endian word conversion.
diff --git a/src/lib/libcrypto/sha/sha3.c b/src/lib/libcrypto/sha/sha3.c
index 6a7196d582..fde0da94ff 100644
--- a/src/lib/libcrypto/sha/sha3.c
+++ b/src/lib/libcrypto/sha/sha3.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sha3.c,v 1.16 2024/11/23 15:38:12 jsing Exp $ */
+/*      $OpenBSD: sha3.c,v 1.20 2025/04/18 07:36:11 jsing Exp $ */
 /*
 * The MIT License (MIT)
 *
@@ -26,12 +26,11 @@
 #include <endian.h>
 #include <string.h>
+#include "crypto_internal.h"
 #include "sha3_internal.h"
 #define KECCAKF_ROUNDS 24
-#define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y))))
 static const uint64_t sha3_keccakf_rndc[24] = {
        0x0000000000000001, 0x0000000000008082, 0x800000000000808a,
        0x8000000080008000, 0x000000000000808b, 0x0000000080000001,
@@ -54,7 +53,7 @@ static const int sha3_keccakf_piln[24] = {
 static void
 sha3_keccakf(uint64_t st[25])
 {
-        uint64_t t, bc[5];
+        uint64_t t0, t1, bc[5];
        int i, j, r;
        for (i = 0; i < 25; i++)
@@ -67,18 +66,18 @@ sha3_keccakf(uint64_t st[25])
                        bc[i] = st[i] ^ st[i + 5] ^ st[i + 10] ^ st[i + 15] ^ st[i + 20];
                for (i = 0; i < 5; i++) {
-                        t = bc[(i + 4) % 5] ^ ROTL64(bc[(i + 1) % 5], 1);
+                        t0 = bc[(i + 4) % 5] ^ crypto_rol_u64(bc[(i + 1) % 5], 1);
                        for (j = 0; j < 25; j += 5)
-                                st[j + i] ^= t;
+                                st[j + i] ^= t0;
                }
                /* Rho Pi */
-                t = st[1];
+                t0 = st[1];
                for (i = 0; i < 24; i++) {
                        j = sha3_keccakf_piln[i];
-                        bc[0] = st[j];
+                        t1 = st[j];
-                        st[j] = ROTL64(t, sha3_keccakf_rotc[i]);
+                        st[j] = crypto_rol_u64(t0, sha3_keccakf_rotc[i]);
-                        t = bc[0];
+                        t0 = t1;
                }
                /* Chi */
@@ -98,75 +97,77 @@ sha3_keccakf(uint64_t st[25])
 }
 int
-sha3_init(sha3_ctx *c, int mdlen)
+sha3_init(sha3_ctx *ctx, int mdlen)
 {
        if (mdlen < 0 || mdlen >= KECCAK_BYTE_WIDTH / 2)
                return 0;
-        memset(c, 0, sizeof(*c));
+        memset(ctx, 0, sizeof(*ctx));
-        c->mdlen = mdlen;
+        ctx->mdlen = mdlen;
-        c->rsize = KECCAK_BYTE_WIDTH - 2 * mdlen;
+        ctx->rsize = KECCAK_BYTE_WIDTH - 2 * mdlen;
        return 1;
 }
 int
-sha3_update(sha3_ctx *c, const void *data, size_t len)
+sha3_update(sha3_ctx *ctx, const void *_data, size_t len)
 {
+        const uint8_t *data = _data;
        size_t i, j;
-        j = c->pt;
+        j = ctx->pt;
        for (i = 0; i < len; i++) {
-                c->state.b[j++] ^= ((const uint8_t *) data)[i];
+                ctx->state.b[j++] ^= data[i];
-                if (j >= c->rsize) {
+                if (j >= ctx->rsize) {
-                        sha3_keccakf(c->state.q);
+                        sha3_keccakf(ctx->state.q);
                        j = 0;
                }
        }
-        c->pt = j;
+        ctx->pt = j;
        return 1;
 }
 int
-sha3_final(void *md, sha3_ctx *c)
+sha3_final(void *_md, sha3_ctx *ctx)
 {
+        uint8_t *md = _md;
        int i;
-        c->state.b[c->pt] ^= 0x06;
+        ctx->state.b[ctx->pt] ^= 0x06;
-        c->state.b[c->rsize - 1] ^= 0x80;
+        ctx->state.b[ctx->rsize - 1] ^= 0x80;
-        sha3_keccakf(c->state.q);
+        sha3_keccakf(ctx->state.q);
-        for (i = 0; i < c->mdlen; i++) {
+        for (i = 0; i < ctx->mdlen; i++)
-                ((uint8_t *) md)[i] = c->state.b[i];
+                md[i] = ctx->state.b[i];
-        }
        return 1;
 }
 /* SHAKE128 and SHAKE256 extensible-output functionality. */
 void
-shake_xof(sha3_ctx *c)
+shake_xof(sha3_ctx *ctx)
 {
-        c->state.b[c->pt] ^= 0x1F;
+        ctx->state.b[ctx->pt] ^= 0x1f;
-        c->state.b[c->rsize - 1] ^= 0x80;
+        ctx->state.b[ctx->rsize - 1] ^= 0x80;
-        sha3_keccakf(c->state.q);
+        sha3_keccakf(ctx->state.q);
-        c->pt = 0;
+        ctx->pt = 0;
 }
 void
-shake_out(sha3_ctx *c, void *out, size_t len)
+shake_out(sha3_ctx *ctx, void *_out, size_t len)
 {
+        uint8_t *out = _out;
        size_t i, j;
-        j = c->pt;
+        j = ctx->pt;
        for (i = 0; i < len; i++) {
-                if (j >= c->rsize) {
+                if (j >= ctx->rsize) {
-                        sha3_keccakf(c->state.q);
+                        sha3_keccakf(ctx->state.q);
                        j = 0;
                }
-                ((uint8_t *) out)[i] = c->state.b[j++];
+                out[i] = ctx->state.b[j++];
        }
-        c->pt = j;
+        ctx->pt = j;
 }
diff --git a/src/lib/libcrypto/sha/sha3_internal.h b/src/lib/libcrypto/sha/sha3_internal.h
index 53a4980c19..db09d06cc0 100644
--- a/src/lib/libcrypto/sha/sha3_internal.h
+++ b/src/lib/libcrypto/sha/sha3_internal.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sha3_internal.h,v 1.15 2023/04/25 19:32:19 tb Exp $   */
+/*      $OpenBSD: sha3_internal.h,v 1.16 2025/04/18 07:36:11 jsing Exp $        */
 /*
 * The MIT License (MIT)
 *
@@ -66,16 +66,16 @@ typedef struct sha3_ctx_st {
        size_t mdlen;
 } sha3_ctx;
-int sha3_init(sha3_ctx *c, int mdlen);
+int sha3_init(sha3_ctx *ctx, int mdlen);
-int sha3_update(sha3_ctx *c, const void *data, size_t len);
+int sha3_update(sha3_ctx *ctx, const void *data, size_t len);
-int sha3_final(void *md, sha3_ctx *c);
+int sha3_final(void *md, sha3_ctx *ctx);
 /* SHAKE128 and SHAKE256 extensible-output functions. */
-#define shake128_init(c) sha3_init(c, 16)
+#define shake128_init(ctx) sha3_init((ctx), 16)
-#define shake256_init(c) sha3_init(c, 32)
+#define shake256_init(ctx) sha3_init((ctx), 32)
 #define shake_update sha3_update
-void shake_xof(sha3_ctx *c);
+void shake_xof(sha3_ctx *ctx);
-void shake_out(sha3_ctx *c, void *out, size_t len);
+void shake_out(sha3_ctx *ctx, void *out, size_t len);
 #endif
diff --git a/src/lib/libcrypto/sha/sha512_aarch64_ce.S b/src/lib/libcrypto/sha/sha512_aarch64_ce.S
index 89109a78ba..bec56a49e5 100644
--- a/src/lib/libcrypto/sha/sha512_aarch64_ce.S
+++ b/src/lib/libcrypto/sha/sha512_aarch64_ce.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha512_aarch64_ce.S,v 1.1 2025/03/12 14:13:41 jsing Exp $ */
+/* $OpenBSD: sha512_aarch64_ce.S,v 1.3 2026/01/17 06:31:45 jsing Exp $ */
 /*
 * Copyright (c) 2023,2025 Joel Sing <jsing@openbsd.org>
 *
@@ -151,7 +151,7 @@
 .arch   armv8-a+sha3
-.text
+.section .text
 /*
 * void sha512_block_ce(SHA512_CTX *ctx, const void *in, size_t num);
@@ -177,7 +177,7 @@ sha512_block_ce:
         */
        ld1     {hc0.2d, hc1.2d, hc2.2d, hc3.2d}, [ctx]
-block_loop:
+.Lblock_loop:
        mov     k512, k512_base
        /* Copy current hash state. */
@@ -271,7 +271,7 @@ block_loop:
        add     hc3.2d, hc3.2d, hs3.2d
        sub     num, num, #1
-        cbnz    num, block_loop
+        cbnz    num, .Lblock_loop
        /* Store hash state to context. */
        st1     {hc0.2d, hc1.2d, hc2.2d, hc3.2d}, [ctx]
@@ -282,10 +282,11 @@ block_loop:
        ret
+.section .rodata
 /*
 * SHA-512 constants - see FIPS 180-4 section 4.2.3.
 */
-.rodata
 .align  4
 .type   K512,@object
 K512:
diff --git a/src/lib/libcrypto/sha/sha512_amd64_generic.S b/src/lib/libcrypto/sha/sha512_amd64_generic.S
index 8419d60b8e..3b6a9719e1 100644
--- a/src/lib/libcrypto/sha/sha512_amd64_generic.S
+++ b/src/lib/libcrypto/sha/sha512_amd64_generic.S
@@ -1,4 +1,4 @@
-/* $OpenBSD: sha512_amd64_generic.S,v 1.1 2024/11/16 14:56:39 jsing Exp $ */
+/* $OpenBSD: sha512_amd64_generic.S,v 1.2 2026/01/17 06:31:45 jsing Exp $ */
 /*
 * Copyright (c) 2024 Joel Sing <jsing@openbsd.org>
 *
@@ -144,7 +144,7 @@
        sha512_message_schedule_update(idx, %rsp, tmp0) \
        sha512_round(idx, a, b, c, d, e, f, g, h, k512, %rsp, tmp0)
-.text
+.section .text
 /*
 * void sha512_block_generic(SHA512_CTX *ctx, const void *in, size_t num);
@@ -277,10 +277,11 @@ sha512_block_generic:
        ret
+.section .rodata
 /*
 * SHA-512 constants - see FIPS 180-4 section 4.2.3.
 */
-.rodata
 .align  64
 .type   K512,@object
 K512:
diff --git a/src/lib/libcrypto/shlib_version b/src/lib/libcrypto/shlib_version
index a5cb76dd4f..7fa7e46d0c 100644
--- a/src/lib/libcrypto/shlib_version
+++ b/src/lib/libcrypto/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libssl and libtls the same type of bump!
-major=56
+major=57
-minor=0
+minor=2
diff --git a/src/lib/libcrypto/sm2/sm2_crypt.c b/src/lib/libcrypto/sm2/sm2_crypt.c
index 63fe1e6ab9..3bc1f21fb6 100644
--- a/src/lib/libcrypto/sm2/sm2_crypt.c
+++ b/src/lib/libcrypto/sm2/sm2_crypt.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sm2_crypt.c,v 1.3 2024/02/09 07:43:52 tb Exp $ */
+/*      $OpenBSD: sm2_crypt.c,v 1.4 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2017, 2019 Ribose Inc
 *
@@ -22,10 +22,10 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/sm2.h>
+#include "err_local.h"
 #include "sm2_local.h"
 typedef struct SM2_Ciphertext_st SM2_Ciphertext;
diff --git a/src/lib/libcrypto/sm2/sm2_pmeth.c b/src/lib/libcrypto/sm2/sm2_pmeth.c
index 441f5475d1..786e48a992 100644
--- a/src/lib/libcrypto/sm2/sm2_pmeth.c
+++ b/src/lib/libcrypto/sm2/sm2_pmeth.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sm2_pmeth.c,v 1.2 2022/11/26 16:08:54 tb Exp $ */
+/*      $OpenBSD: sm2_pmeth.c,v 1.3 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2017, 2019 Ribose Inc
 *
@@ -22,9 +22,9 @@
 #include <openssl/sm2.h>
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "sm2_local.h"
diff --git a/src/lib/libcrypto/sm2/sm2_sign.c b/src/lib/libcrypto/sm2/sm2_sign.c
index a5e3a8aee5..1a88d860bc 100644
--- a/src/lib/libcrypto/sm2/sm2_sign.c
+++ b/src/lib/libcrypto/sm2/sm2_sign.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: sm2_sign.c,v 1.4 2023/07/05 17:36:19 tb Exp $ */
+/*      $OpenBSD: sm2_sign.c,v 1.5 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2017, 2019 Ribose Inc
 *
@@ -21,10 +21,10 @@
 #include <openssl/sm2.h>
 #include <openssl/evp.h>
-#include <openssl/err.h>
 #include <openssl/bn.h>
 #include "bn_local.h"
+#include "err_local.h"
 #include "sm2_local.h"
 static BIGNUM *
diff --git a/src/lib/libcrypto/stack/stack.c b/src/lib/libcrypto/stack/stack.c
index 1424661879..dd9d8b8395 100644
--- a/src/lib/libcrypto/stack/stack.c
+++ b/src/lib/libcrypto/stack/stack.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: stack.c,v 1.33 2025/01/03 08:04:16 tb Exp $ */
+/* $OpenBSD: stack.c,v 1.35 2026/01/14 17:43:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -86,17 +86,17 @@ _STACK *
 sk_dup(_STACK *sk)
 {
        _STACK *ret;
-        char **s;
+        void **s;
        if ((ret = sk_new(sk->comp)) == NULL)
                goto err;
-        s = reallocarray(ret->data, sk->num_alloc, sizeof(char *));
+        s = reallocarray(ret->data, sk->num_alloc, sizeof(void *));
        if (s == NULL)
                goto err;
        ret->data = s;
        ret->num = sk->num;
-        memcpy(ret->data, sk->data, sizeof(char *) * sk->num);
+        memcpy(ret->data, sk->data, sizeof(void *) * sk->num);
        ret->sorted = sk->sorted;
        ret->num_alloc = sk->num_alloc;
        ret->comp = sk->comp;
@@ -124,7 +124,7 @@ sk_new(int (*c)(const void *, const void *))
        if ((ret = malloc(sizeof(_STACK))) == NULL)
                goto err;
-        if ((ret->data = reallocarray(NULL, MIN_NODES, sizeof(char *))) == NULL)
+        if ((ret->data = reallocarray(NULL, MIN_NODES, sizeof(void *))) == NULL)
                goto err;
        for (i = 0; i < MIN_NODES; i++)
                ret->data[i] = NULL;
@@ -143,12 +143,12 @@ LCRYPTO_ALIAS(sk_new);
 int
 sk_insert(_STACK *st, void *data, int loc)
 {
-        char **s;
+        void **s;
        if (st == NULL)
                return 0;
        if (st->num_alloc <= st->num + 1) {
-                s = reallocarray(st->data, st->num_alloc, 2 * sizeof(char *));
+                s = reallocarray(st->data, st->num_alloc, 2 * sizeof(void *));
                if (s == NULL)
                        return (0);
                st->data = s;
@@ -158,7 +158,7 @@ sk_insert(_STACK *st, void *data, int loc)
                st->data[st->num] = data;
        else {
                memmove(&(st->data[loc + 1]), &(st->data[loc]),
-                    sizeof(char *)*(st->num - loc));
+                    sizeof(void *) * (st->num - loc));
                st->data[loc] = data;
        }
        st->num++;
@@ -182,7 +182,7 @@ LCRYPTO_ALIAS(sk_delete_ptr);
 void *
 sk_delete(_STACK *st, int loc)
 {
-        char *ret;
+        void *ret;
        if (!st || (loc < 0) || (loc >= st->num))
                return NULL;
@@ -190,7 +190,7 @@ sk_delete(_STACK *st, int loc)
        ret = st->data[loc];
        if (loc != st->num - 1) {
                memmove(&(st->data[loc]), &(st->data[loc + 1]),
-                    sizeof(char *)*(st->num - 1 - loc));
+                    sizeof(void *) * (st->num - 1 - loc));
        }
        st->num--;
        return (ret);
@@ -244,7 +244,7 @@ sk_find(_STACK *st, void *data)
        r = obj_bsearch_ex(&data, st->data, st->num, sizeof(void *), st->comp);
        if (r == NULL)
                return (-1);
-        return (int)((char **)r - st->data);
+        return (int)((void **)r - st->data);
 }
 LCRYPTO_ALIAS(sk_find);
@@ -360,7 +360,7 @@ sk_sort(_STACK *st)
                 * type** with type**, so we leave the casting until absolutely
                 * necessary (ie. "now"). */
                comp_func = (int (*)(const void *, const void *))(st->comp);
-                qsort(st->data, st->num, sizeof(char *), comp_func);
+                qsort(st->data, st->num, sizeof(void *), comp_func);
                st->sorted = 1;
        }
 }
diff --git a/src/lib/libcrypto/stack/stack_local.h b/src/lib/libcrypto/stack/stack_local.h
index a330707192..63d793303a 100644
--- a/src/lib/libcrypto/stack/stack_local.h
+++ b/src/lib/libcrypto/stack/stack_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: stack_local.h,v 1.1 2024/03/02 11:11:11 tb Exp $ */
+/* $OpenBSD: stack_local.h,v 1.2 2025/12/21 07:35:11 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,7 +61,7 @@
 struct stack_st {
        int num;
-        char **data;
+        void **data;
        int sorted;
        int num_alloc;
diff --git a/src/lib/libcrypto/ts/ts_asn1.c b/src/lib/libcrypto/ts/ts_asn1.c
index feb2da68f9..aa3f4ba867 100644
--- a/src/lib/libcrypto/ts/ts_asn1.c
+++ b/src/lib/libcrypto/ts/ts_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_asn1.c,v 1.15 2024/04/15 15:52:46 tb Exp $ */
+/* $OpenBSD: ts_asn1.c,v 1.16 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Nils Larsch for the OpenSSL project 2004.
 */
 /* ====================================================================
@@ -58,9 +58,9 @@
 #include <openssl/opensslconf.h>
 #include <openssl/ts.h>
-#include <openssl/err.h>
 #include <openssl/asn1t.h>
+#include "err_local.h"
 #include "ts_local.h"
 static const ASN1_TEMPLATE TS_MSG_IMPRINT_seq_tt[] = {
diff --git a/src/lib/libcrypto/ts/ts_conf.c b/src/lib/libcrypto/ts/ts_conf.c
index bd499238f5..0acefa902f 100644
--- a/src/lib/libcrypto/ts/ts_conf.c
+++ b/src/lib/libcrypto/ts/ts_conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_conf.c,v 1.15 2024/08/26 22:01:28 op Exp $ */
+/* $OpenBSD: ts_conf.c,v 1.16 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -63,7 +63,6 @@
 #include <openssl/opensslconf.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/ts.h>
diff --git a/src/lib/libcrypto/ts/ts_lib.c b/src/lib/libcrypto/ts/ts_lib.c
index 7e40101752..d497fed9d8 100644
--- a/src/lib/libcrypto/ts/ts_lib.c
+++ b/src/lib/libcrypto/ts/ts_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_lib.c,v 1.15 2025/01/07 14:22:19 tb Exp $ */
+/* $OpenBSD: ts_lib.c,v 1.16 2025/12/05 14:19:27 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -155,7 +155,7 @@ TS_MSG_IMPRINT_print_bio(BIO *bio, TS_MSG_IMPRINT *a)
        BIO_printf(bio, "Message data:\n");
        msg = TS_MSG_IMPRINT_get_msg(a);
-        BIO_dump_indent(bio, (const char *)ASN1_STRING_data(msg),
+        BIO_dump_indent(bio, (const char *)ASN1_STRING_get0_data(msg),
            ASN1_STRING_length(msg), 4);
        return 1;
diff --git a/src/lib/libcrypto/ts/ts_req_utils.c b/src/lib/libcrypto/ts/ts_req_utils.c
index d679418060..fa3123863c 100644
--- a/src/lib/libcrypto/ts/ts_req_utils.c
+++ b/src/lib/libcrypto/ts/ts_req_utils.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_req_utils.c,v 1.9 2023/07/07 19:37:54 beck Exp $ */
+/* $OpenBSD: ts_req_utils.c,v 1.10 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -58,11 +58,11 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/ts.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "ts_local.h"
 int
diff --git a/src/lib/libcrypto/ts/ts_rsp_sign.c b/src/lib/libcrypto/ts/ts_rsp_sign.c
index e3101340c5..b8cc7e2baf 100644
--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.35 2024/03/26 00:39:22 beck Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.37 2025/07/31 02:02:35 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -60,11 +60,11 @@
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
 #include <openssl/ts.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "ts_local.h"
 #include "x509_local.h"
@@ -955,28 +955,32 @@ static int
 ESS_add_signing_cert(PKCS7_SIGNER_INFO *si, ESS_SIGNING_CERT *sc)
 {
        ASN1_STRING *seq = NULL;
-        unsigned char *p, *pp = NULL;
+        unsigned char *data = NULL;
-        int len;
+        int len = 0;
+        int ret = 0;
-        len = i2d_ESS_SIGNING_CERT(sc, NULL);
+        if ((len = i2d_ESS_SIGNING_CERT(sc, &data)) <= 0) {
-        if (!(pp = malloc(len))) {
+                len = 0;
-                TSerror(ERR_R_MALLOC_FAILURE);
                goto err;
        }
-        p = pp;
-        i2d_ESS_SIGNING_CERT(sc, &p);
+        if ((seq = ASN1_STRING_new()) == NULL)
-        if (!(seq = ASN1_STRING_new()) || !ASN1_STRING_set(seq, pp, len)) {
-                TSerror(ERR_R_MALLOC_FAILURE);
                goto err;
-        }
-        free(pp);
-        pp = NULL;
-        return PKCS7_add_signed_attribute(si,
-            NID_id_smime_aa_signingCertificate, V_ASN1_SEQUENCE, seq);
-err:
+        ASN1_STRING_set0(seq, data, len);
+        data = NULL;
+        len = 0;
+        if (!PKCS7_add_signed_attribute(si, NID_id_smime_aa_signingCertificate,
+            V_ASN1_SEQUENCE, seq))
+                goto err;
+        seq = NULL;
+        ret = 1;
+ err:
        ASN1_STRING_free(seq);
-        free(pp);
+        freezero(data, len);
-        return 0;
+        return ret;
 }
diff --git a/src/lib/libcrypto/ts/ts_rsp_utils.c b/src/lib/libcrypto/ts/ts_rsp_utils.c
index 34994adce8..ecdb46773f 100644
--- a/src/lib/libcrypto/ts/ts_rsp_utils.c
+++ b/src/lib/libcrypto/ts/ts_rsp_utils.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_utils.c,v 1.11 2023/07/07 19:37:54 beck Exp $ */
+/* $OpenBSD: ts_rsp_utils.c,v 1.12 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -58,11 +58,11 @@
 #include <stdio.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
 #include <openssl/ts.h>
+#include "err_local.h"
 #include "ts_local.h"
 /* Function definitions. */
diff --git a/src/lib/libcrypto/ts/ts_rsp_verify.c b/src/lib/libcrypto/ts/ts_rsp_verify.c
index 69236f68ab..e9a778bb88 100644
--- a/src/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/src/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_verify.c,v 1.30 2023/07/07 07:25:21 beck Exp $ */
+/* $OpenBSD: ts_rsp_verify.c,v 1.32 2025/12/05 14:19:27 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -59,11 +59,11 @@
 #include <stdio.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/pkcs7.h>
 #include <openssl/ts.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "ts_local.h"
 #include "x509_local.h"
@@ -667,7 +667,7 @@ TS_get_status_text(STACK_OF(ASN1_UTF8STRING) *text)
                ASN1_UTF8STRING *current = sk_ASN1_UTF8STRING_value(text, i);
                if (i > 0)
                        strlcat(result, "/", length);
-                strlcat(result, (const char *)ASN1_STRING_data(current), length);
+                strlcat(result, (const char *)ASN1_STRING_get0_data(current), length);
        }
        return result;
 }
@@ -771,7 +771,7 @@ TS_check_imprints(X509_ALGOR *algor_a, unsigned char *imprint_a, unsigned len_a,
        /* Compare octet strings. */
        ret = len_a == (unsigned) ASN1_STRING_length(b->hashed_msg) &&
-            memcmp(imprint_a, ASN1_STRING_data(b->hashed_msg), len_a) == 0;
+            memcmp(imprint_a, ASN1_STRING_get0_data(b->hashed_msg), len_a) == 0;
 err:
        if (!ret)
diff --git a/src/lib/libcrypto/ts/ts_verify_ctx.c b/src/lib/libcrypto/ts/ts_verify_ctx.c
index 5a2d95c680..b2b160c511 100644
--- a/src/lib/libcrypto/ts/ts_verify_ctx.c
+++ b/src/lib/libcrypto/ts/ts_verify_ctx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_verify_ctx.c,v 1.14 2023/07/07 07:25:21 beck Exp $ */
+/* $OpenBSD: ts_verify_ctx.c,v 1.16 2025/12/05 14:19:27 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2003.
 */
@@ -58,10 +58,10 @@
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/ts.h>
+#include "err_local.h"
 #include "ts_local.h"
 TS_VERIFY_CTX *
@@ -215,7 +215,7 @@ TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx)
        ret->imprint_len = ASN1_STRING_length(msg);
        if (!(ret->imprint = malloc(ret->imprint_len)))
                goto err;
-        memcpy(ret->imprint, ASN1_STRING_data(msg), ret->imprint_len);
+        memcpy(ret->imprint, ASN1_STRING_get0_data(msg), ret->imprint_len);
        /* Setting nonce. */
        if ((nonce = TS_REQ_get_nonce(req)) != NULL) {
diff --git a/src/lib/libcrypto/ui/ui_lib.c b/src/lib/libcrypto/ui/ui_lib.c
index 73d899afcc..cc9de59c19 100644
--- a/src/lib/libcrypto/ui/ui_lib.c
+++ b/src/lib/libcrypto/ui/ui_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ui_lib.c,v 1.51 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: ui_lib.c,v 1.52 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Richard Levitte (richard@levitte.org) for the OpenSSL
 * project 2001.
 */
@@ -61,9 +61,9 @@
 #include <openssl/opensslconf.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/ui.h>
+#include "err_local.h"
 #include "ui_local.h"
 static const UI_METHOD *default_UI_meth = NULL;
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index 2b2733a04b..9b239c1e9d 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_dir.c,v 1.48 2024/08/31 10:19:17 tb Exp $ */
+/* $OpenBSD: by_dir.c,v 1.49 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -64,9 +64,9 @@
 #include <openssl/opensslconf.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 #include "x509_local.h"
 typedef struct lookup_dir_hashes_st {
diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
index 9b0fd2542c..86d4cd6b60 100644
--- a/src/lib/libcrypto/x509/by_file.c
+++ b/src/lib/libcrypto/x509/by_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_file.c,v 1.31 2024/08/31 10:19:17 tb Exp $ */
+/* $OpenBSD: by_file.c,v 1.32 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,10 +62,10 @@
 #include <unistd.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 #include "x509_local.h"
 static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
diff --git a/src/lib/libcrypto/x509/by_mem.c b/src/lib/libcrypto/x509/by_mem.c
index 71afefa8a4..66093dd445 100644
--- a/src/lib/libcrypto/x509/by_mem.c
+++ b/src/lib/libcrypto/x509/by_mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_mem.c,v 1.10 2024/08/31 10:19:17 tb Exp $ */
+/* $OpenBSD: by_mem.c,v 1.11 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,11 +63,11 @@
 #include <unistd.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 #include "x509_local.h"
 static int by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index a198b23202..7b33fef3c3 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.121 2025/03/09 15:17:22 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.126 2026/01/01 06:51:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -178,6 +178,7 @@ DECLARE_STACK_OF(X509)
 #define X509_FLAG_NO_SIGDUMP            (1L << 9)
 #define X509_FLAG_NO_AUX                (1L << 10)
 #define X509_FLAG_NO_ATTRIBUTES         (1L << 11)
+#define X509_FLAG_NO_IDS                (1L << 12)
 /* Flags specific to X509_NAME_print_ex() */
@@ -243,24 +244,9 @@ typedef struct X509_crl_info_st X509_CRL_INFO;
 DECLARE_STACK_OF(X509_CRL)
+/* www/apache2 reaches into this. */
 typedef struct private_key_st {
-        int version;
-        /* The PKCS#8 data types */
-        X509_ALGOR *enc_algor;
-        ASN1_OCTET_STRING *enc_pkey;    /* encrypted pub key */
-        /* When decrypted, the following will not be NULL */
        EVP_PKEY *dec_pkey;
-        /* used to encrypt and decrypt */
-        int key_length;
-        char *key_data;
-        int key_free;   /* true if we should auto free key_data */
-        /* expanded version of 'enc_algor' */
-        EVP_CIPHER_INFO cipher;
-        int references;
 } X509_PKEY;
 #ifndef OPENSSL_NO_EVP
@@ -312,7 +298,7 @@ extern "C" {
 #define         X509_extract_key(x)     X509_get_pubkey(x) /*****/
 #define         X509_REQ_extract_key(a) X509_REQ_get_pubkey(a)
-#define         X509_name_cmp(a,b)      X509_NAME_cmp((a),(b))
+#define         X509_name_cmp(a, b)     X509_NAME_cmp((a), (b))
 int X509_CRL_up_ref(X509_CRL *x);
 int X509_CRL_get_signature_nid(const X509_CRL *crl);
@@ -367,31 +353,31 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md);
 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx);
 int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md);
-int X509_pubkey_digest(const X509 *data,const EVP_MD *type,
+int X509_pubkey_digest(const X509 *data, const EVP_MD *type,
                unsigned char *md, unsigned int *len);
-int X509_digest(const X509 *data,const EVP_MD *type,
+int X509_digest(const X509 *data, const EVP_MD *type,
                unsigned char *md, unsigned int *len);
-int X509_CRL_digest(const X509_CRL *data,const EVP_MD *type,
+int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
                unsigned char *md, unsigned int *len);
-int X509_REQ_digest(const X509_REQ *data,const EVP_MD *type,
+int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type,
                unsigned char *md, unsigned int *len);
-int X509_NAME_digest(const X509_NAME *data,const EVP_MD *type,
+int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type,
                unsigned char *md, unsigned int *len);
 #endif
 X509 *d2i_X509_fp(FILE *fp, X509 **x509);
-int i2d_X509_fp(FILE *fp,X509 *x509);
+int i2d_X509_fp(FILE *fp, X509 *x509);
-X509_CRL *d2i_X509_CRL_fp(FILE *fp,X509_CRL **crl);
+X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl);
-int i2d_X509_CRL_fp(FILE *fp,X509_CRL *crl);
+int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl);
-X509_REQ *d2i_X509_REQ_fp(FILE *fp,X509_REQ **req);
+X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req);
-int i2d_X509_REQ_fp(FILE *fp,X509_REQ *req);
+int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req);
 #ifndef OPENSSL_NO_RSA
-RSA *d2i_RSAPrivateKey_fp(FILE *fp,RSA **rsa);
+RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa);
-int i2d_RSAPrivateKey_fp(FILE *fp,RSA *rsa);
+int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa);
-RSA *d2i_RSAPublicKey_fp(FILE *fp,RSA **rsa);
+RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa);
-int i2d_RSAPublicKey_fp(FILE *fp,RSA *rsa);
+int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa);
-RSA *d2i_RSA_PUBKEY_fp(FILE *fp,RSA **rsa);
+RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa);
-int i2d_RSA_PUBKEY_fp(FILE *fp,RSA *rsa);
+int i2d_RSA_PUBKEY_fp(FILE *fp, RSA *rsa);
 #endif
 #ifndef OPENSSL_NO_DSA
 DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
@@ -405,11 +391,11 @@ int   i2d_EC_PUBKEY_fp(FILE *fp, EC_KEY *eckey);
 EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
 int   i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey);
 #endif
-X509_SIG *d2i_PKCS8_fp(FILE *fp,X509_SIG **p8);
+X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8);
-int i2d_PKCS8_fp(FILE *fp,X509_SIG *p8);
+int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8);
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,
                                                PKCS8_PRIV_KEY_INFO **p8inf);
-int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp,PKCS8_PRIV_KEY_INFO *p8inf);
+int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO *p8inf);
 int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key);
 int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey);
 EVP_PKEY *d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a);
@@ -417,19 +403,19 @@ int i2d_PUBKEY_fp(FILE *fp, EVP_PKEY *pkey);
 EVP_PKEY *d2i_PUBKEY_fp(FILE *fp, EVP_PKEY **a);
 #ifndef OPENSSL_NO_BIO
-X509 *d2i_X509_bio(BIO *bp,X509 **x509);
+X509 *d2i_X509_bio(BIO *bp, X509 **x509);
-int i2d_X509_bio(BIO *bp,X509 *x509);
+int i2d_X509_bio(BIO *bp, X509 *x509);
-X509_CRL *d2i_X509_CRL_bio(BIO *bp,X509_CRL **crl);
+X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl);
-int i2d_X509_CRL_bio(BIO *bp,X509_CRL *crl);
+int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl);
-X509_REQ *d2i_X509_REQ_bio(BIO *bp,X509_REQ **req);
+X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req);
-int i2d_X509_REQ_bio(BIO *bp,X509_REQ *req);
+int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req);
 #ifndef OPENSSL_NO_RSA
-RSA *d2i_RSAPrivateKey_bio(BIO *bp,RSA **rsa);
+RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa);
-int i2d_RSAPrivateKey_bio(BIO *bp,RSA *rsa);
+int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa);
-RSA *d2i_RSAPublicKey_bio(BIO *bp,RSA **rsa);
+RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa);
-int i2d_RSAPublicKey_bio(BIO *bp,RSA *rsa);
+int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa);
-RSA *d2i_RSA_PUBKEY_bio(BIO *bp,RSA **rsa);
+RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa);
-int i2d_RSA_PUBKEY_bio(BIO *bp,RSA *rsa);
+int i2d_RSA_PUBKEY_bio(BIO *bp, RSA *rsa);
 #endif
 #ifndef OPENSSL_NO_DSA
 DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
@@ -443,11 +429,11 @@ int   i2d_EC_PUBKEY_bio(BIO *bp, EC_KEY *eckey);
 EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
 int   i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey);
 #endif
-X509_SIG *d2i_PKCS8_bio(BIO *bp,X509_SIG **p8);
+X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8);
-int i2d_PKCS8_bio(BIO *bp,X509_SIG *p8);
+int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8);
 PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,
                                                PKCS8_PRIV_KEY_INFO **p8inf);
-int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp,PKCS8_PRIV_KEY_INFO *p8inf);
+int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO *p8inf);
 int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key);
 int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey);
 EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
@@ -485,7 +471,7 @@ const char *	X509_get_default_cert_file_env(void );
 const char *    X509_get_default_private_dir(void );
 X509_REQ *      X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md);
-X509 *          X509_REQ_to_X509(X509_REQ *r, int days,EVP_PKEY *pkey);
+X509 *          X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey);
 X509_ALGOR *X509_ALGOR_new(void);
 void X509_ALGOR_free(X509_ALGOR *a);
@@ -512,17 +498,17 @@ EVP_PKEY *	X509_PUBKEY_get(X509_PUBKEY *key);
 EVP_PKEY *      X509_PUBKEY_get0(X509_PUBKEY *key);
 int             X509_get_pubkey_parameters(EVP_PKEY *pkey,
                                           STACK_OF(X509) *chain);
-int             i2d_PUBKEY(EVP_PKEY *a,unsigned char **pp);
+int             i2d_PUBKEY(EVP_PKEY *a, unsigned char **pp);
-EVP_PKEY *      d2i_PUBKEY(EVP_PKEY **a,const unsigned char **pp,
+EVP_PKEY *      d2i_PUBKEY(EVP_PKEY **a, const unsigned char **pp,
                        long length);
 #ifndef OPENSSL_NO_RSA
-int             i2d_RSA_PUBKEY(RSA *a,unsigned char **pp);
+int             i2d_RSA_PUBKEY(RSA *a, unsigned char **pp);
-RSA *           d2i_RSA_PUBKEY(RSA **a,const unsigned char **pp,
+RSA *           d2i_RSA_PUBKEY(RSA **a, const unsigned char **pp,
                        long length);
 #endif
 #ifndef OPENSSL_NO_DSA
-int             i2d_DSA_PUBKEY(DSA *a,unsigned char **pp);
+int             i2d_DSA_PUBKEY(DSA *a, unsigned char **pp);
-DSA *           d2i_DSA_PUBKEY(DSA **a,const unsigned char **pp,
+DSA *           d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp,
                        long length);
 #endif
 #ifndef OPENSSL_NO_EC
@@ -598,8 +584,8 @@ int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
             CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 int X509_set_ex_data(X509 *r, int idx, void *arg);
 void *X509_get_ex_data(X509 *r, int idx);
-int             i2d_X509_AUX(X509 *a,unsigned char **pp);
+int             i2d_X509_AUX(X509 *a, unsigned char **pp);
-X509 *          d2i_X509_AUX(X509 **a,const unsigned char **pp,long length);
+X509 *          d2i_X509_AUX(X509 **a, const unsigned char **pp, long length);
 int i2d_re_X509_tbs(X509 *x, unsigned char **pp);
@@ -646,9 +632,6 @@ int X509_CRL_get0_by_serial(X509_CRL *crl,
                X509_REVOKED **ret, ASN1_INTEGER *serial);
 int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
-X509_PKEY *     X509_PKEY_new(void );
-void            X509_PKEY_free(X509_PKEY *a);
 NETSCAPE_SPKI *NETSCAPE_SPKI_new(void);
 void NETSCAPE_SPKI_free(NETSCAPE_SPKI *a);
 NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **a, const unsigned char **in, long len);
@@ -665,11 +648,11 @@ X509_INFO *	X509_INFO_new(void);
 void            X509_INFO_free(X509_INFO *a);
 char *          X509_NAME_oneline(const X509_NAME *a, char *buf, int size);
-int ASN1_item_digest(const ASN1_ITEM *it,const EVP_MD *type,void *data,
+int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, void *data,
-        unsigned char *md,unsigned int *len);
+        unsigned char *md, unsigned int *len);
 int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *algor1,
-        ASN1_BIT_STRING *signature,void *data,EVP_PKEY *pkey);
+        ASN1_BIT_STRING *signature, void *data, EVP_PKEY *pkey);
 int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
        ASN1_BIT_STRING *signature,
@@ -710,7 +693,7 @@ int		X509_get_signature_type(const X509 *x);
 #define X509_get_notBefore      X509_getm_notBefore
 #define X509_get_notAfter       X509_getm_notAfter
-int             X509_REQ_set_version(X509_REQ *x,long version);
+int             X509_REQ_set_version(X509_REQ *x, long version);
 long            X509_REQ_get_version(const X509_REQ *x);
 int             X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
 X509_NAME       *X509_REQ_get_subject_name(const X509_REQ *x);
@@ -755,7 +738,7 @@ const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *x);
 int X509_REVOKED_set_revocationDate(X509_REVOKED *r, ASN1_TIME *tm);
 int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial);
-int             X509_REQ_check_private_key(X509_REQ *x509,EVP_PKEY *pkey);
+int             X509_REQ_check_private_key(X509_REQ *x509, EVP_PKEY *pkey);
 int             X509_check_private_key(const X509 *x509, const EVP_PKEY *pkey);
@@ -780,29 +763,29 @@ unsigned long	X509_NAME_hash_old(X509_NAME *x);
 int             X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
 int             X509_CRL_match(const X509_CRL *a, const X509_CRL *b);
-int             X509_print_ex_fp(FILE *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
+int             X509_print_ex_fp(FILE *bp, X509 *x, unsigned long nmflag, unsigned long cflag);
-int             X509_print_fp(FILE *bp,X509 *x);
+int             X509_print_fp(FILE *bp, X509 *x);
-int             X509_CRL_print_fp(FILE *bp,X509_CRL *x);
+int             X509_CRL_print_fp(FILE *bp, X509_CRL *x);
-int             X509_REQ_print_fp(FILE *bp,X509_REQ *req);
+int             X509_REQ_print_fp(FILE *bp, X509_REQ *req);
 int             X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent,
                    unsigned long flags);
 #ifndef OPENSSL_NO_BIO
 int             X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent,
                    unsigned long flags);
-int             X509_print_ex(BIO *bp,X509 *x, unsigned long nmflag, unsigned long cflag);
+int             X509_print_ex(BIO *bp, X509 *x, unsigned long nmflag, unsigned long cflag);
-int             X509_print(BIO *bp,X509 *x);
+int             X509_print(BIO *bp, X509 *x);
-int             X509_ocspid_print(BIO *bp,X509 *x);
+int             X509_ocspid_print(BIO *bp, X509 *x);
-int             X509_CRL_print(BIO *bp,X509_CRL *x);
+int             X509_CRL_print(BIO *bp, X509_CRL *x);
 int             X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, unsigned long cflag);
-int             X509_REQ_print(BIO *bp,X509_REQ *req);
+int             X509_REQ_print(BIO *bp, X509_REQ *req);
 #endif
 int             X509_NAME_entry_count(const X509_NAME *name);
 int             X509_NAME_get_text_by_NID(X509_NAME *name, int nid,
-                        char *buf,int len);
+                        char *buf, int len);
 int             X509_NAME_get_text_by_OBJ(X509_NAME *name,
-                        const ASN1_OBJECT *obj, char *buf,int len);
+                        const ASN1_OBJECT *obj, char *buf, int len);
 /* NOTE: you should be passing -1, not 0 as lastpos.  The functions that use
 * lastpos, search after that position on. */
@@ -920,9 +903,9 @@ ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
 int             X509_verify_cert(X509_STORE_CTX *ctx);
 /* lookup a cert from a X509 STACK */
-X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk,X509_NAME *name,
+X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name,
                                     ASN1_INTEGER *serial);
-X509 *X509_find_by_subject(STACK_OF(X509) *sk,X509_NAME *name);
+X509 *X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name);
 extern const ASN1_ITEM PBEPARAM_it;
@@ -1013,6 +996,7 @@ void ERR_load_X509_strings(void);
 #define X509_R_ERR_ASN1_LIB                              102
 #define X509_R_INVALID_DIRECTORY                         113
 #define X509_R_INVALID_FIELD_NAME                        119
+#define X509_R_INVALID_POLICY_EXTENSION                  201
 #define X509_R_INVALID_TRUST                             123
 #define X509_R_INVALID_VERSION                           137
 #define X509_R_KEY_TYPE_MISMATCH                         115
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 2208cc434e..b4ee92a14b 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.93 2024/07/13 15:08:58 tb Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.94 2025/05/10 05:54:39 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -69,12 +69,12 @@
 #include <openssl/asn1t.h>
 #include <openssl/buffer.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include "asn1_local.h"
 #include "bytestring.h"
+#include "err_local.h"
 #include "x509_local.h"
 #ifndef OPENSSL_NO_RFC3779
diff --git a/src/lib/libcrypto/x509/x509_akey.c b/src/lib/libcrypto/x509/x509_akey.c
index 926508c4cd..524fea8009 100644
--- a/src/lib/libcrypto/x509/x509_akey.c
+++ b/src/lib/libcrypto/x509/x509_akey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_akey.c,v 1.3 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_akey.c,v 1.4 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
index 34734a55bd..ca91493848 100644
--- a/src/lib/libcrypto/x509/x509_alt.c
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.19 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.20 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -60,9 +60,9 @@
 #include <string.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_internal.h"
 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c
index 40ee201a9f..45a154e7d9 100644
--- a/src/lib/libcrypto/x509/x509_asid.c
+++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_asid.c,v 1.45 2024/07/13 15:08:58 tb Exp $ */
+/*      $OpenBSD: x509_asid.c,v 1.46 2025/05/10 05:54:39 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -68,10 +68,10 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 #ifndef OPENSSL_NO_RFC3779
diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
index 4931cbbc17..a442a17746 100644
--- a/src/lib/libcrypto/x509/x509_att.c
+++ b/src/lib/libcrypto/x509/x509_att.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_att.c,v 1.25 2024/08/31 10:46:40 tb Exp $ */
+/* $OpenBSD: x509_att.c,v 1.26 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,13 +59,13 @@
 #include <stdio.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 int
diff --git a/src/lib/libcrypto/x509/x509_bcons.c b/src/lib/libcrypto/x509/x509_bcons.c
index 99cb5afe9a..c10f822ccc 100644
--- a/src/lib/libcrypto/x509/x509_bcons.c
+++ b/src/lib/libcrypto/x509/x509_bcons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_bcons.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_bcons.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_bitst.c b/src/lib/libcrypto/x509/x509_bitst.c
index 2bc4f9911a..89289b7af0 100644
--- a/src/lib/libcrypto/x509/x509_bitst.c
+++ b/src/lib/libcrypto/x509/x509_bitst.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_bitst.c,v 1.8 2024/08/31 10:23:13 tb Exp $ */
+/* $OpenBSD: x509_bitst.c,v 1.9 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -60,9 +60,9 @@
 #include <string.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 static const BIT_STRING_BITNAME ns_cert_type_table[] = {
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index 2c1e427093..2479dcdd0d 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cmp.c,v 1.44 2024/03/25 03:41:16 joshua Exp $ */
+/* $OpenBSD: x509_cmp.c,v 1.45 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,11 +63,11 @@
 #include <openssl/opensslconf.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/x509/x509_conf.c b/src/lib/libcrypto/x509/x509_conf.c
index e5b18c2f77..2089f72bc7 100644
--- a/src/lib/libcrypto/x509/x509_conf.c
+++ b/src/lib/libcrypto/x509/x509_conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_conf.c,v 1.29 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_conf.c,v 1.31 2025/06/02 12:18:21 jsg Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -62,11 +62,11 @@
 #include <string.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include "conf_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 static int v3_check_critical(const char **value);
@@ -242,8 +242,9 @@ v3_check_critical(const char **value)
        if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
                return 0;
        p += 9;
-        while (isspace((unsigned char)*p)) p++;
+        while (isspace((unsigned char)*p))
-                *value = p;
+                p++;
+        *value = p;
        return 1;
 }
diff --git a/src/lib/libcrypto/x509/x509_cpols.c b/src/lib/libcrypto/x509/x509_cpols.c
index 6bae2a0482..25a40b0739 100644
--- a/src/lib/libcrypto/x509/x509_cpols.c
+++ b/src/lib/libcrypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.15 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.20 2025/11/28 06:03:40 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 /* Certificate policies extension support: this one is a bit complex... */
@@ -488,7 +488,7 @@ r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
        sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
        return pols;
-err:
+ err:
        sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
        sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
        return NULL;
@@ -573,10 +573,10 @@ policy_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *polstrs, int ia5org)
        return pol;
-merr:
+ merr:
        X509V3error(ERR_R_MALLOC_FAILURE);
-err:
+ err:
        POLICYQUALINFO_free(nqual);
        POLICYINFO_free(pol);
        return NULL;
@@ -659,10 +659,10 @@ notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org)
        return qual;
-merr:
+ merr:
        X509V3error(ERR_R_MALLOC_FAILURE);
-err:
+ err:
        POLICYQUALINFO_free(qual);
        return NULL;
 }
@@ -676,21 +676,18 @@ nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
        for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
                cnf = sk_CONF_VALUE_value(nos, i);
-                if (!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
+                if ((aint = s2i_ASN1_INTEGER(NULL, cnf->name)) == NULL) {
                        X509V3error(X509V3_R_INVALID_NUMBER);
-                        goto err;
+                        return 0;
+                }
+                if (sk_ASN1_INTEGER_push(nnums, aint) <= 0) {
+                        X509V3error(ERR_R_MALLOC_FAILURE);
+                        ASN1_INTEGER_free(aint);
+                        return 0;
                }
-                if (!sk_ASN1_INTEGER_push(nnums, aint))
-                        goto merr;
        }
-        return 1;
-merr:
+        return 1;
-        X509V3error(ERR_R_MALLOC_FAILURE);
-err:
-        sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
-        return 0;
 }
 static int
diff --git a/src/lib/libcrypto/x509/x509_crld.c b/src/lib/libcrypto/x509/x509_crld.c
index 81f2010df5..75afcefca8 100644
--- a/src/lib/libcrypto/x509/x509_crld.c
+++ b/src/lib/libcrypto/x509/x509_crld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_crld.c,v 1.9 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_crld.c,v 1.10 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 static void *v2i_crld(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_extku.c b/src/lib/libcrypto/x509/x509_extku.c
index da5036a09a..35460ca46b 100644
--- a/src/lib/libcrypto/x509/x509_extku.c
+++ b/src/lib/libcrypto/x509/x509_extku.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_extku.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_extku.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -60,9 +60,9 @@
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_genn.c b/src/lib/libcrypto/x509/x509_genn.c
index 1ea7155795..5214c394ed 100644
--- a/src/lib/libcrypto/x509/x509_genn.c
+++ b/src/lib/libcrypto/x509/x509_genn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_genn.c,v 1.7 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_genn.c,v 1.8 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -63,6 +63,8 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 static const ASN1_TEMPLATE OTHERNAME_seq_tt[] = {
        {
                .flags = 0,
diff --git a/src/lib/libcrypto/x509/x509_ia5.c b/src/lib/libcrypto/x509/x509_ia5.c
index 4f62a9134c..b8886c6cb8 100644
--- a/src/lib/libcrypto/x509/x509_ia5.c
+++ b/src/lib/libcrypto/x509/x509_ia5.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ia5.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_ia5.c,v 1.3 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -61,9 +61,10 @@
 #include <openssl/asn1.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
 static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
    X509V3_CTX *ctx, char *str);
diff --git a/src/lib/libcrypto/x509/x509_info.c b/src/lib/libcrypto/x509/x509_info.c
index d1de346ee6..c91642a02e 100644
--- a/src/lib/libcrypto/x509/x509_info.c
+++ b/src/lib/libcrypto/x509/x509_info.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_info.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_info.c,v 1.6 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -62,9 +62,10 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
    X509V3_EXT_METHOD *method, AUTHORITY_INFO_ACCESS *ainfo,
    STACK_OF(CONF_VALUE) *ret);
diff --git a/src/lib/libcrypto/x509/x509_lib.c b/src/lib/libcrypto/x509/x509_lib.c
index 6fa66ab88e..0285ac0d3a 100644
--- a/src/lib/libcrypto/x509/x509_lib.c
+++ b/src/lib/libcrypto/x509/x509_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lib.c,v 1.24 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_lib.c,v 1.25 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -60,9 +60,9 @@
 #include <stdio.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 const X509V3_EXT_METHOD *
diff --git a/src/lib/libcrypto/x509/x509_local.h b/src/lib/libcrypto/x509/x509_local.h
index 796a2ee718..5b9c1e51f7 100644
--- a/src/lib/libcrypto/x509/x509_local.h
+++ b/src/lib/libcrypto/x509/x509_local.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_local.h,v 1.38 2025/03/06 07:20:01 tb Exp $ */
+/*      $OpenBSD: x509_local.h,v 1.39 2025/10/10 11:31:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2013.
 */
@@ -213,7 +213,6 @@ struct x509_revoked_st {
        STACK_OF(GENERAL_NAME) *issuer;
        /* Revocation reason */
        int reason;
-        int sequence; /* load sequence */
 };
 struct X509_crl_info_st {
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
index 0367794fca..1ac3436a6e 100644
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lu.c,v 1.67 2025/03/09 15:20:20 tb Exp $ */
+/* $OpenBSD: x509_lu.c,v 1.68 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,11 +59,11 @@
 #include <stdio.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 static int X509_OBJECT_up_ref_count(X509_OBJECT *a);
diff --git a/src/lib/libcrypto/x509/x509_ncons.c b/src/lib/libcrypto/x509/x509_ncons.c
index 148a66e887..f197488d70 100644
--- a/src/lib/libcrypto/x509/x509_ncons.c
+++ b/src/lib/libcrypto/x509/x509_ncons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ncons.c,v 1.11 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_ncons.c,v 1.12 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -61,9 +61,9 @@
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_ocsp.c b/src/lib/libcrypto/x509/x509_ocsp.c
index 6531b4c420..d0a0d49890 100644
--- a/src/lib/libcrypto/x509/x509_ocsp.c
+++ b/src/lib/libcrypto/x509/x509_ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ocsp.c,v 1.4 2024/12/24 09:14:33 schwarze Exp $ */
+/* $OpenBSD: x509_ocsp.c,v 1.5 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -65,10 +65,10 @@
 #include <openssl/asn1.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/ocsp.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "ocsp_local.h"
 /* OCSP extensions and a couple of CRL entry extensions
diff --git a/src/lib/libcrypto/x509/x509_pcons.c b/src/lib/libcrypto/x509/x509_pcons.c
index 66dc57abf6..404fa28724 100644
--- a/src/lib/libcrypto/x509/x509_pcons.c
+++ b/src/lib/libcrypto/x509/x509_pcons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pcons.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_pcons.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 static STACK_OF(CONF_VALUE) *
diff --git a/src/lib/libcrypto/x509/x509_pmaps.c b/src/lib/libcrypto/x509/x509_pmaps.c
index 5039f65f2e..141a3a6f90 100644
--- a/src/lib/libcrypto/x509/x509_pmaps.c
+++ b/src/lib/libcrypto/x509/x509_pmaps.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pmaps.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_pmaps.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -61,9 +61,9 @@
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_policy.c b/src/lib/libcrypto/x509/x509_policy.c
index d93760755d..2df965aad1 100644
--- a/src/lib/libcrypto/x509/x509_policy.c
+++ b/src/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_policy.c,v 1.31 2025/03/28 13:11:57 tb Exp $ */
+/*      $OpenBSD: x509_policy.c,v 1.33 2025/08/10 06:36:45 beck Exp $ */
 /*
 * Copyright (c) 2022, Google Inc.
 *
@@ -17,19 +17,16 @@
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "stack_local.h"
 #include "x509_internal.h"
 #include "x509_local.h"
-/* XXX move to proper place */
-#define X509_R_INVALID_POLICY_EXTENSION 201
 /*
 * This file computes the X.509 policy tree, as described in RFC 5280,
 * section 6.1 and RFC 9618. It differs in that:
diff --git a/src/lib/libcrypto/x509/x509_prn.c b/src/lib/libcrypto/x509/x509_prn.c
index 3bf7c803e5..23c649a7b9 100644
--- a/src/lib/libcrypto/x509/x509_prn.c
+++ b/src/lib/libcrypto/x509/x509_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_prn.c,v 1.6 2023/05/08 05:30:38 tb Exp $ */
+/* $OpenBSD: x509_prn.c,v 1.7 2025/06/02 12:18:22 jsg Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -87,8 +87,9 @@ X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
        for (i = 0; i < sk_CONF_VALUE_num(val); i++) {
                if (ml)
                        BIO_printf(out, "%*s", indent, "");
-                else if (i > 0) BIO_printf(out, ", ");
+                else if (i > 0)
-                        nval = sk_CONF_VALUE_value(val, i);
+                        BIO_printf(out, ", ");
+                nval = sk_CONF_VALUE_value(val, i);
                if (!nval->name)
                        BIO_puts(out, nval->value);
                else if (!nval->value)
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 619a4b890a..36dfe6abee 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.43 2024/07/12 18:15:10 beck Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.44 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -61,7 +61,6 @@
 #include <openssl/opensslconf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 #include <openssl/x509_vfy.h>
diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c
index 39b392259b..4ca8a87935 100644
--- a/src/lib/libcrypto/x509/x509_r2x.c
+++ b/src/lib/libcrypto/x509/x509_r2x.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_r2x.c,v 1.17 2023/04/25 09:46:36 job Exp $ */
+/* $OpenBSD: x509_r2x.c,v 1.18 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,11 +61,11 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 #include "x509_local.h"
 X509 *
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
index 704acbd897..df1119a55c 100644
--- a/src/lib/libcrypto/x509/x509_req.c
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_req.c,v 1.43 2024/08/31 10:16:52 tb Exp $ */
+/* $OpenBSD: x509_req.c,v 1.44 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -64,13 +64,13 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/x509/x509_skey.c b/src/lib/libcrypto/x509/x509_skey.c
index d2c90b6f1c..e9e915a0c7 100644
--- a/src/lib/libcrypto/x509/x509_skey.c
+++ b/src/lib/libcrypto/x509/x509_skey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_skey.c,v 1.6 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_skey.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -59,9 +59,9 @@
 #include <stdio.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_utl.c b/src/lib/libcrypto/x509/x509_utl.c
index 08383849c9..2e60834edf 100644
--- a/src/lib/libcrypto/x509/x509_utl.c
+++ b/src/lib/libcrypto/x509/x509_utl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_utl.c,v 1.26 2025/01/26 13:51:41 tb Exp $ */
+/* $OpenBSD: x509_utl.c,v 1.28 2026/01/12 22:08:34 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -64,11 +64,11 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 #include "bytestring.h"
 #include "conf_local.h"
+#include "err_local.h"
 /*
 * Match reference identifiers starting with "." to any sub-domain. This
@@ -148,8 +148,6 @@ X509V3_add_value_uchar(const char *name, const unsigned char *value,
        return X509V3_add_value(name, (const char *)value, extlist);
 }
-/* Free function for STACK_OF(CONF_VALUE) */
 void
 X509V3_conf_free(CONF_VALUE *conf)
 {
@@ -354,8 +352,6 @@ X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint)
 #define HDR_NAME        1
 #define HDR_VALUE       2
-/*#define DEBUG*/
 STACK_OF(CONF_VALUE) *
 X509V3_parse_list(const char *line)
 {
diff --git a/src/lib/libcrypto/x509/x509_v3.c b/src/lib/libcrypto/x509/x509_v3.c
index 688aed15a2..ee14d2dcef 100644
--- a/src/lib/libcrypto/x509/x509_v3.c
+++ b/src/lib/libcrypto/x509/x509_v3.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_v3.c,v 1.43 2024/07/12 09:57:04 tb Exp $ */
+/* $OpenBSD: x509_v3.c,v 1.44 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,12 +59,12 @@
 #include <stdio.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 int
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index c93ae81bd8..3d0abda615 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.147 2025/03/04 08:43:25 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.148 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -67,7 +67,6 @@
 #include <openssl/asn1.h>
 #include <openssl/buffer.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
@@ -75,6 +74,7 @@
 #include <openssl/x509v3.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "x509_internal.h"
 #include "x509_issuer_cache.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/x509/x509_vfy.h b/src/lib/libcrypto/x509/x509_vfy.h
index 7058bbc5b0..04e555149a 100644
--- a/src/lib/libcrypto/x509/x509_vfy.h
+++ b/src/lib/libcrypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.70 2025/03/09 15:20:20 tb Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.71 2025/10/24 11:33:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -441,6 +441,7 @@ int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, const char *name,
    size_t namelen);
 int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, const char *name,
    size_t namelen);
+unsigned int X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param);
 void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
    unsigned int flags);
 char *X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param);
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
index 9efe473fc3..7b4ce3b7a6 100644
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.55 2025/03/19 17:11:21 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.58 2025/10/24 11:33:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2004.
 */
@@ -61,12 +61,12 @@
 #include <openssl/buffer.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 /* X509_VERIFY_PARAM functions */
@@ -543,12 +543,12 @@ X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param,
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_add1_host);
-/* Public API in OpenSSL - nothing seems to use this. */
 unsigned int
-X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param)
+X509_VERIFY_PARAM_get_hostflags(const X509_VERIFY_PARAM *param)
 {
        return param->hostflags;
 }
+LCRYPTO_ALIAS(X509_VERIFY_PARAM_get_hostflags);
 void
 X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags)
diff --git a/src/lib/libcrypto/x509/x509cset.c b/src/lib/libcrypto/x509/x509cset.c
index 468831266f..facca27880 100644
--- a/src/lib/libcrypto/x509/x509cset.c
+++ b/src/lib/libcrypto/x509/x509cset.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509cset.c,v 1.22 2024/03/26 23:41:45 tb Exp $ */
+/* $OpenBSD: x509cset.c,v 1.23 2025/10/10 11:31:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -156,15 +156,7 @@ LCRYPTO_ALIAS(X509_CRL_set1_nextUpdate);
 int
 X509_CRL_sort(X509_CRL *c)
 {
-        X509_REVOKED *r;
-        int i;
-        /* Sort the data so it will be written in serial number order */
        sk_X509_REVOKED_sort(c->crl->revoked);
-        for (i = 0; i < sk_X509_REVOKED_num(c->crl->revoked); i++) {
-                r = sk_X509_REVOKED_value(c->crl->revoked, i);
-                r->sequence = i;
-        }
        c->crl->enc.modified = 1;
        return 1;
 }
diff --git a/src/lib/libcrypto/x509/x509name.c b/src/lib/libcrypto/x509/x509name.c
index d2df06ccc6..e60d8b7a3b 100644
--- a/src/lib/libcrypto/x509/x509name.c
+++ b/src/lib/libcrypto/x509/x509name.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509name.c,v 1.35 2023/05/29 11:54:50 beck Exp $ */
+/* $OpenBSD: x509name.c,v 1.39 2025/12/21 10:02:05 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,13 +60,13 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include "bytestring.h"
+#include "err_local.h"
 #include "x509_local.h"
 int
@@ -404,25 +404,19 @@ int
 X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
    const unsigned char *bytes, int len)
 {
-        int i;
+        if (ne == NULL || (bytes == NULL && len != 0))
+                return 0;
-        if ((ne == NULL) || ((bytes == NULL) && (len != 0)))
+        if (type > 0 && (type & MBSTRING_FLAG) != 0)
-                return (0);
-        if ((type > 0) && (type & MBSTRING_FLAG))
                return ASN1_STRING_set_by_NID(&ne->value, bytes, len, type,
                    OBJ_obj2nid(ne->object)) ? 1 : 0;
        if (len < 0)
                len = strlen((const char *)bytes);
-        i = ASN1_STRING_set(ne->value, bytes, len);
+        if (!ASN1_STRING_set(ne->value, bytes, len))
-        if (!i)
+                return 0;
-                return (0);
+        if (type != V_ASN1_UNDEF)
-        if (type != V_ASN1_UNDEF) {
+                ne->value->type = type;
-                if (type == V_ASN1_APP_CHOOSE)
-                        ne->value->type = ASN1_PRINTABLE_type(bytes, len);
+        return 1;
-                else
-                        ne->value->type = type;
-        }
-        return (1);
 }
 LCRYPTO_ALIAS(X509_NAME_ENTRY_set_data);
diff --git a/src/lib/libcrypto/x509/x509spki.c b/src/lib/libcrypto/x509/x509spki.c
index 04c9a6f01b..ef5f9e34c8 100644
--- a/src/lib/libcrypto/x509/x509spki.c
+++ b/src/lib/libcrypto/x509/x509spki.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509spki.c,v 1.16 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509spki.c,v 1.17 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -60,9 +60,10 @@
 #include <stdlib.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 int
 NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
 {
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index 5997714061..b5d50ae4ee 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_all.c,v 1.32 2024/06/19 08:00:53 tb Exp $ */
+/* $OpenBSD: x_all.c,v 1.33 2025/07/10 18:50:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -399,7 +399,11 @@ LCRYPTO_ALIAS(i2d_PKCS8PrivateKeyInfo_fp);
 int
 X509_verify(X509 *a, EVP_PKEY *r)
 {
-        if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))
+        /*
+         * The Certificate's signature AlgorithmIdentifier must match the one
+         * inside the TBSCertificate, see RFC 5280, 4.1.1.2, 4.1.2.3.
+         */
+        if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature) != 0)
                return 0;
        return ASN1_item_verify(&X509_CINF_it, a->sig_alg,
            a->signature, a->cert_info, r);
diff --git a/src/lib/libssl/LICENSE b/src/lib/libssl/LICENSE
index 892e14a450..c41ff4d1ca 100644
--- a/src/lib/libssl/LICENSE
+++ b/src/lib/libssl/LICENSE
@@ -1,7 +1,7 @@
-  LibReSSL files are retained under the copyright of the authors. New
+  LibreSSL files are retained under the copyright of the authors. New
  additions are ISC licensed as per OpenBSD's normal licensing policy,
-  or are placed in the public domain. 
+  or are placed in the public domain.
  The OpenSSL code is distributed under the terms of the original OpenSSL
  licenses which follow:
@@ -25,7 +25,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
+ *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -80,21 +80,21 @@
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
+ *
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- * 
+ *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -109,10 +109,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
+ *
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -124,7 +124,7 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- * 
+ *
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
diff --git a/src/lib/libssl/Symbols.list b/src/lib/libssl/Symbols.list
index 65cd3e7f86..0d82c7c726 100644
--- a/src/lib/libssl/Symbols.list
+++ b/src/lib/libssl/Symbols.list
@@ -137,6 +137,7 @@ SSL_CTX_use_certificate_ASN1
 SSL_CTX_use_certificate_chain_file
 SSL_CTX_use_certificate_chain_mem
 SSL_CTX_use_certificate_file
+SSL_SESSION_dup
 SSL_SESSION_free
 SSL_SESSION_get0_cipher
 SSL_SESSION_get0_id_context
diff --git a/src/lib/libssl/bio_ssl.c b/src/lib/libssl/bio_ssl.c
index 6dd1699606..13e4f30539 100644
--- a/src/lib/libssl/bio_ssl.c
+++ b/src/lib/libssl/bio_ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_ssl.c,v 1.40 2023/07/19 13:34:33 tb Exp $ */
+/* $OpenBSD: bio_ssl.c,v 1.41 2025/06/02 12:18:22 jsg Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -229,9 +229,7 @@ ssl_write(BIO *b, const char *out, int outl)
        BIO_clear_retry_flags(b);
-/*      ret=SSL_do_handshake(ssl);
+        ret = SSL_write(ssl, out, outl);
-        if (ret > 0) */
-                ret = SSL_write(ssl, out, outl);
        switch (SSL_get_error(ssl, ret)) {
        case SSL_ERROR_NONE:
diff --git a/src/lib/libssl/hidden/openssl/ssl.h b/src/lib/libssl/hidden/openssl/ssl.h
index b854dd7b73..b010488d7f 100644
--- a/src/lib/libssl/hidden/openssl/ssl.h
+++ b/src/lib/libssl/hidden/openssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.9 2024/08/31 10:51:48 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.10 2025/10/24 11:36:08 tb Exp $ */
 /*
 * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
 *
@@ -182,6 +182,7 @@ LSSL_USED(SSL_SESSION_set1_id_context);
 LSSL_USED(SSL_SESSION_is_resumable);
 LSSL_USED(SSL_SESSION_new);
 LSSL_USED(SSL_SESSION_free);
+LSSL_USED(SSL_SESSION_dup);
 LSSL_USED(SSL_SESSION_up_ref);
 LSSL_USED(SSL_SESSION_get_id);
 LSSL_USED(SSL_SESSION_get0_id_context);
diff --git a/src/lib/libssl/hidden/ssl_namespace.h b/src/lib/libssl/hidden/ssl_namespace.h
index 5d26516f3c..763dcd700f 100644
--- a/src/lib/libssl/hidden/ssl_namespace.h
+++ b/src/lib/libssl/hidden/ssl_namespace.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_namespace.h,v 1.3 2024/07/12 05:26:34 miod Exp $  */
+/*      $OpenBSD: ssl_namespace.h,v 1.4 2025/08/18 16:00:53 tb Exp $    */
 /*
 * Copyright (c) 2016 Philip Guenther <guenther@openbsd.org>
 *
@@ -35,7 +35,11 @@
 #else
 #define LSSL_UNUSED(x)
 #define LSSL_USED(x)
+#ifdef _MSC_VER
+#define LSSL_ALIAS(x)
+#else
 #define LSSL_ALIAS(x)           asm("")
+#endif /* _MSC_VER */
 #endif
 #endif  /* _LIBSSL_SSL_NAMESPACE_H_ */
diff --git a/src/lib/libssl/man/BIO_f_ssl.3 b/src/lib/libssl/man/BIO_f_ssl.3
index 3b74a3d6a4..e23a15e121 100644
--- a/src/lib/libssl/man/BIO_f_ssl.3
+++ b/src/lib/libssl/man/BIO_f_ssl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BIO_f_ssl.3,v 1.16 2024/01/13 18:37:51 tb Exp $
+.\" $OpenBSD: BIO_f_ssl.3,v 1.17 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL f672aee4 Feb 9 11:52:40 2016 -0500
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 13 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt BIO_F_SSL 3
 .Os
 .Sh NAME
@@ -69,6 +69,7 @@
 .Nm BIO_do_handshake
 .Nd SSL BIO
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/bio.h
 .In openssl/ssl.h
 .Ft const BIO_METHOD *
diff --git a/src/lib/libssl/man/DTLSv1_listen.3 b/src/lib/libssl/man/DTLSv1_listen.3
index 047ec0a7ff..bdba1c59b0 100644
--- a/src/lib/libssl/man/DTLSv1_listen.3
+++ b/src/lib/libssl/man/DTLSv1_listen.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: DTLSv1_listen.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: DTLSv1_listen.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 7795475f Dec 18 13:18:31 2015 -0500
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt DTLSV1_LISTEN 3
 .Os
 .Sh NAME
 .Nm DTLSv1_listen
 .Nd listen for incoming DTLS connections
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo DTLSv1_listen
diff --git a/src/lib/libssl/man/OPENSSL_init_ssl.3 b/src/lib/libssl/man/OPENSSL_init_ssl.3
index f37dccfaac..ec840f5e1c 100644
--- a/src/lib/libssl/man/OPENSSL_init_ssl.3
+++ b/src/lib/libssl/man/OPENSSL_init_ssl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: OPENSSL_init_ssl.3,v 1.4 2019/06/14 13:41:31 schwarze Exp $
+.\" $OpenBSD: OPENSSL_init_ssl.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 14 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt OPENSSL_INIT_SSL 3
 .Os
 .Sh NAME
 .Nm OPENSSL_init_ssl
 .Nd initialise the crypto and ssl libraries
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo OPENSSL_init_ssl
diff --git a/src/lib/libssl/man/PEM_read_SSL_SESSION.3 b/src/lib/libssl/man/PEM_read_SSL_SESSION.3
index 3eb1414c62..93bd0b8ebd 100644
--- a/src/lib/libssl/man/PEM_read_SSL_SESSION.3
+++ b/src/lib/libssl/man/PEM_read_SSL_SESSION.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: PEM_read_SSL_SESSION.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: PEM_read_SSL_SESSION.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL doc/man3/PEM_read_CMS.pod b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Rich Salz <rsalz@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt PEM_READ_SSL_SESSION 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm PEM_write_bio_SSL_SESSION
 .Nd encode and decode SSL session objects in PEM format
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_SESSION *
 .Fo PEM_read_SSL_SESSION
diff --git a/src/lib/libssl/man/SSL_CIPHER_get_name.3 b/src/lib/libssl/man/SSL_CIPHER_get_name.3
index 86c1d3c0ba..fc92eb9723 100644
--- a/src/lib/libssl/man/SSL_CIPHER_get_name.3
+++ b/src/lib/libssl/man/SSL_CIPHER_get_name.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.17 2024/07/16 10:19:38 tb Exp $
+.\" $OpenBSD: SSL_CIPHER_get_name.3,v 1.19 2025/06/13 18:34:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 16 2024 $
+.Dd $Mdocdate: June 13 2025 $
 .Dt SSL_CIPHER_GET_NAME 3
 .Os
 .Sh NAME
@@ -70,6 +70,7 @@
 .Nm SSL_CIPHER_description
 .Nd get SSL_CIPHER properties
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_CIPHER_get_name "const SSL_CIPHER *cipher"
@@ -81,7 +82,7 @@
 .Fn SSL_CIPHER_get_cipher_nid "const SSL_CIPHER *cipher"
 .Ft int
 .Fn SSL_CIPHER_get_digest_nid "const SSL_CIPHER *cipher"
-.Ft "const EVP_MD *"
+.Ft const EVP_MD *
 .Fn SSL_CIPHER_get_handshake_digest "const SSL_CIPHER *cipher"
 .Ft int
 .Fn SSL_CIPHER_get_kx_nid "const SSL_CIPHER *cipher"
diff --git a/src/lib/libssl/man/SSL_COMP_add_compression_method.3 b/src/lib/libssl/man/SSL_COMP_add_compression_method.3
index f9e25358d7..0b990ca88e 100644
--- a/src/lib/libssl/man/SSL_COMP_add_compression_method.3
+++ b/src/lib/libssl/man/SSL_COMP_add_compression_method.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_COMP_add_compression_method.3,v 1.7 2024/08/31 10:51:48 tb Exp $
+.\" $OpenBSD: SSL_COMP_add_compression_method.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 31 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_COMP_ADD_COMPRESSION_METHOD 3
 .Os
 .Sh NAME
 .Nm SSL_COMP_get_compression_methods
 .Nd handle SSL/TLS integrated compression methods
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(SSL_COMP) *
 .Fn SSL_COMP_get_compression_methods void
diff --git a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
index 86eb27a523..91c4c80758 100644
--- a/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
+++ b/src/lib/libssl/man/SSL_CTX_add1_chain_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.2 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_add1_chain_cert.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_ADD1_CHAIN_CERT 3
 .Os
 .Sh NAME
@@ -67,6 +67,7 @@
 .Nm SSL_clear_chain_certs
 .Nd extra chain certificate processing
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set0_chain
diff --git a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
index b9694b0cbc..891c22a40a 100644
--- a/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
+++ b/src/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.8 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_add_extra_chain_cert.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_ADD_EXTRA_CHAIN_CERT 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_CTX_clear_extra_chain_certs
 .Nd add, retrieve, and clear extra chain certificates
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_add_extra_chain_cert "SSL_CTX *ctx" "X509 *x509"
diff --git a/src/lib/libssl/man/SSL_CTX_add_session.3 b/src/lib/libssl/man/SSL_CTX_add_session.3
index 443bdb542a..df634bcdda 100644
--- a/src/lib/libssl/man/SSL_CTX_add_session.3
+++ b/src/lib/libssl/man/SSL_CTX_add_session.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_add_session.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_add_session.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_add_session.pod 1722496f Jun 8 15:18:38 2017 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_ADD_SESSION 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_remove_session
 .Nd manipulate session cache
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_add_session "SSL_CTX *ctx" "SSL_SESSION *c"
diff --git a/src/lib/libssl/man/SSL_CTX_ctrl.3 b/src/lib/libssl/man/SSL_CTX_ctrl.3
index c91ddff374..4d254d8f48 100644
--- a/src/lib/libssl/man/SSL_CTX_ctrl.3
+++ b/src/lib/libssl/man/SSL_CTX_ctrl.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_ctrl.3,v 1.7 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_ctrl.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_CTRL 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_callback_ctrl
 .Nd internal handling functions for SSL_CTX and SSL objects
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_ctrl "SSL_CTX *ctx" "int cmd" "long larg" "void *parg"
diff --git a/src/lib/libssl/man/SSL_CTX_flush_sessions.3 b/src/lib/libssl/man/SSL_CTX_flush_sessions.3
index 2ef781cb4a..deabf5200a 100644
--- a/src/lib/libssl/man/SSL_CTX_flush_sessions.3
+++ b/src/lib/libssl/man/SSL_CTX_flush_sessions.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_flush_sessions.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_flush_sessions.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_flush_sessions.pod 1722496f Jun 8 15:18:38 2017 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_FLUSH_SESSIONS 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_flush_sessions
 .Nd remove expired sessions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_flush_sessions "SSL_CTX *ctx" "long tm"
diff --git a/src/lib/libssl/man/SSL_CTX_free.3 b/src/lib/libssl/man/SSL_CTX_free.3
index 47f247631b..0afef7cd0e 100644
--- a/src/lib/libssl/man/SSL_CTX_free.3
+++ b/src/lib/libssl/man/SSL_CTX_free.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_free.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_free.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_FREE 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_free
 .Nd free an allocated SSL_CTX object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_free "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_get0_certificate.3 b/src/lib/libssl/man/SSL_CTX_get0_certificate.3
index 63c86bd5e0..226e6cd87a 100644
--- a/src/lib/libssl/man/SSL_CTX_get0_certificate.3
+++ b/src/lib/libssl/man/SSL_CTX_get0_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_get0_certificate.3,v 1.3 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_get0_certificate.3,v 1.4 2025/06/08 22:47:20 schwarze Exp $
 .\"
 .\" Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,15 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_GET0_CERTIFICATE 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_get0_certificate
 .Nd get the active certificate from an SSL context
 .Sh SYNOPSIS
+.Lb libssl libcrypto
+.In openssl/ssl.h
 .Ft X509 *
 .Fo SSL_CTX_get0_certificate
 .Fa "const SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3 b/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
index 3dbaf2e981..30a02cc317 100644
--- a/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
+++ b/src/lib/libssl/man/SSL_CTX_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_get_ex_new_index.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_ex_data
 .Nd internal application specific data functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_get_ex_new_index
diff --git a/src/lib/libssl/man/SSL_CTX_get_verify_mode.3 b/src/lib/libssl/man/SSL_CTX_get_verify_mode.3
index 7c87775069..88187f7f3c 100644
--- a/src/lib/libssl/man/SSL_CTX_get_verify_mode.3
+++ b/src/lib/libssl/man/SSL_CTX_get_verify_mode.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_get_verify_mode.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_get_verify_mode.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_GET_VERIFY_MODE 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_CTX_get_verify_callback
 .Nd get currently set verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_get_verify_mode "const SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_load_verify_locations.3 b/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
index 373df2402e..0cc22f433d 100644
--- a/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
+++ b/src/lib/libssl/man/SSL_CTX_load_verify_locations.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_load_verify_locations.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_load_verify_locations.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_LOAD_VERIFY_LOCATIONS 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_set_default_verify_paths
 .Nd set default locations for trusted CA certificates
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_load_verify_locations
diff --git a/src/lib/libssl/man/SSL_CTX_new.3 b/src/lib/libssl/man/SSL_CTX_new.3
index 4b50a03de4..2afad5378c 100644
--- a/src/lib/libssl/man/SSL_CTX_new.3
+++ b/src/lib/libssl/man/SSL_CTX_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_new.3,v 1.17 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_new.3,v 1.18 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 21cd6e00 Oct 21 14:40:15 2015 +0100
 .\" selective merge up to: OpenSSL 8f75443f May 24 14:04:26 2019 +0200
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_NEW 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm DTLSv1_2_client_method
 .Nd create a new SSL_CTX object as a framework for TLS enabled functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_CTX *
 .Fn SSL_CTX_new "const SSL_METHOD *method"
diff --git a/src/lib/libssl/man/SSL_CTX_sess_number.3 b/src/lib/libssl/man/SSL_CTX_sess_number.3
index 76d436cd17..854f6256eb 100644
--- a/src/lib/libssl/man/SSL_CTX_sess_number.3
+++ b/src/lib/libssl/man/SSL_CTX_sess_number.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sess_number.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_sess_number.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_sess_number.pod 7bd27895 Mar 29 11:45:29 2017 +1000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESS_NUMBER 3
 .Os
 .Sh NAME
@@ -66,6 +66,7 @@
 .Nm SSL_CTX_sess_cache_full
 .Nd obtain session cache statistics
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_sess_number "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 b/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
index 6d5fede0b6..e8bfe50a3c 100644
--- a/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
+++ b/src/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sess_set_cache_size.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_sess_set_cache_size.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESS_SET_CACHE_SIZE 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_CTX_sess_get_cache_size
 .Nd manipulate session cache size
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_sess_set_cache_size "SSL_CTX *ctx" "long t"
diff --git a/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 b/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
index e99f2be671..62a6698399 100644
--- a/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sess_set_get_cb.3,v 1.7 2022/03/29 18:15:52 naddy Exp $
+.\"     $OpenBSD: SSL_CTX_sess_set_get_cb.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESS_SET_GET_CB 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm SSL_CTX_sess_get_get_cb
 .Nd provide callback functions for server side external session caching
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_sess_set_new_cb
diff --git a/src/lib/libssl/man/SSL_CTX_sessions.3 b/src/lib/libssl/man/SSL_CTX_sessions.3
index 964d1a7346..627c694cd8 100644
--- a/src/lib/libssl/man/SSL_CTX_sessions.3
+++ b/src/lib/libssl/man/SSL_CTX_sessions.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_sessions.3,v 1.5 2018/04/25 14:19:39 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_sessions.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 25 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SESSIONS 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_sessions
 .Nd access internal session cache
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft LHASH_OF(SSL_SESSION) *
 .Fn SSL_CTX_sessions "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_CTX_set1_groups.3 b/src/lib/libssl/man/SSL_CTX_set1_groups.3
index 0d1eb36ea7..8cd620d3b4 100644
--- a/src/lib/libssl/man/SSL_CTX_set1_groups.3
+++ b/src/lib/libssl/man/SSL_CTX_set1_groups.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set1_groups.3,v 1.2 2017/08/19 19:36:39 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set1_groups.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_set1_curves.pod de4d764e Nov 9 14:51:06 2016 +0000
 .\"
 .\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 19 2017 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET1_GROUPS 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm SSL_set1_curves_list
 .Nd choose supported EC groups
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set1_groups
diff --git a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 b/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
index 2317c57af4..ff69408247 100644
--- a/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.11 2025/02/04 14:00:05 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.12 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 87b81496 Apr 19 12:38:27 2017 -0400
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 4 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_ALPN_SELECT_CB 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_get0_alpn_selected
 .Nd handle application layer protocol negotiation (ALPN)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_alpn_protos
diff --git a/src/lib/libssl/man/SSL_CTX_set_cert_store.3 b/src/lib/libssl/man/SSL_CTX_set_cert_store.3
index 1be1ba2f68..75c145fd78 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cert_store.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cert_store.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_cert_store.3,v 1.8 2024/08/03 04:53:01 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_cert_store.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 3 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CERT_STORE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_cert_store
 .Nd manipulate X509 certificate verification storage
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_cert_store "SSL_CTX *ctx" "X509_STORE *store"
diff --git a/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 b/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
index 0e12b48c78..2e2beac850 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_cert_verify_callback.3,v 1.5 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_cert_verify_callback.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CERT_VERIFY_CALLBACK 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_cert_verify_callback
 .Nd set peer certificate verification procedure
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_cert_verify_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
index b3f0dc3541..6201dc9f55 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.18 2025/01/18 12:20:02 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.19 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CIPHER_LIST 3
 .Os
 .Sh NAME
@@ -73,6 +73,7 @@
 .Nm SSL_set_cipher_list
 .Nd choose list of available SSL_CIPHERs
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_set_cipher_list "SSL_CTX *ctx" "const char *control"
diff --git a/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3 b/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
index d19fb93ed0..520be04318 100644
--- a/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
+++ b/src/lib/libssl/man/SSL_CTX_set_client_CA_list.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_client_CA_list.3,v 1.6 2020/03/30 10:28:59 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_client_CA_list.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,16 +48,17 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 30 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CLIENT_CA_LIST 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_client_CA_list ,
 .Nm SSL_set_client_CA_list ,
 .Nm SSL_CTX_add_client_CA ,
-.Nm  SSL_add_client_CA
+.Nm SSL_add_client_CA
 .Nd set list of CAs sent to the client when requesting a client certificate
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_client_CA_list "SSL_CTX *ctx" "STACK_OF(X509_NAME) *list"
diff --git a/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 b/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
index a2433b5e92..2cf8275602 100644
--- a/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_client_cert_cb.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_client_cert_cb.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_CLIENT_CERT_CB 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_CTX_get_client_cert_cb
 .Nd handle client certificate callback function
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_client_cert_cb
diff --git a/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 b/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
index 94b4ea543d..e3da1bec66 100644
--- a/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_default_passwd_cb.3,v 1.9 2023/09/19 09:40:35 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_default_passwd_cb.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\" selective merge up to: OpenSSL 18bad535 Apr 9 15:13:55 2019 +0100
 .\"
@@ -67,7 +67,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 19 2023 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_DEFAULT_PASSWD_CB 3
 .Os
 .Sh NAME
@@ -77,6 +77,7 @@
 .Nm SSL_CTX_get_default_passwd_cb_userdata
 .Nd set or get passwd callback for encrypted PEM file handling
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_default_passwd_cb "SSL_CTX *ctx" "pem_password_cb *cb"
diff --git a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3 b/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
index d85383d776..29c102ac50 100644
--- a/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
+++ b/src/lib/libssl/man/SSL_CTX_set_generate_session_id.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.5 2018/03/22 21:09:18 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_generate_session_id.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 22 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_GENERATE_SESSION_ID 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm GEN_SESSION_CB
 .Nd manipulate generation of SSL session IDs (server only)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft typedef int
 .Fo (*GEN_SESSION_CB)
diff --git a/src/lib/libssl/man/SSL_CTX_set_info_callback.3 b/src/lib/libssl/man/SSL_CTX_set_info_callback.3
index 76eb8bee61..ec251b5b69 100644
--- a/src/lib/libssl/man/SSL_CTX_set_info_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_info_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_info_callback.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_info_callback.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_INFO_CALLBACK 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_info_callback
 .Nd handle information callback for SSL connections
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_info_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3 b/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3
index 24b8f9992f..0cb36b07c6 100644
--- a/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_keylog_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_keylog_callback.3,v 1.3 2024/05/16 08:39:30 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_keylog_callback.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\" OpenSSL pod checked up to: 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
 .\" Copyright (c) 2021 Bob Beck <beck@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 16 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_KEYLOG_CALLBACK 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm SSL_CTX_get_keylog_callback
 .Nd set and get the unused key logging callback
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft typedef void
 .Fo (*SSL_CTX_keylog_cb_func)
diff --git a/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3 b/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3
index 89513b1006..700f534f54 100644
--- a/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3
+++ b/src/lib/libssl/man/SSL_CTX_set_max_cert_list.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_max_cert_list.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_max_cert_list.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MAX_CERT_LIST 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_max_cert_list
 .Nd manipulate allowed size for the peer's certificate chain
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_max_cert_list "SSL_CTX *ctx" "long size"
diff --git a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3 b/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
index a2597cda83..50a5fc448d 100644
--- a/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
+++ b/src/lib/libssl/man/SSL_CTX_set_min_proto_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.5 2021/04/15 16:40:32 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_min_proto_version.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 3edabd3c Sep 14 09:28:39 2017 +0200
 .\"
 .\" This file was written by Kurt Roeckx <kurt@roeckx.be> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MIN_PROTO_VERSION 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm SSL_get_max_proto_version
 .Nd get and set minimum and maximum supported protocol version
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_min_proto_version
diff --git a/src/lib/libssl/man/SSL_CTX_set_mode.3 b/src/lib/libssl/man/SSL_CTX_set_mode.3
index fca1a977d0..62a7a6deda 100644
--- a/src/lib/libssl/man/SSL_CTX_set_mode.3
+++ b/src/lib/libssl/man/SSL_CTX_set_mode.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_mode.3,v 1.7 2020/10/08 16:02:38 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_mode.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 8671b898 Jun 3 02:48:34 2008 +0000
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 8 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MODE 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm SSL_get_mode
 .Nd manipulate SSL engine mode
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_mode "SSL_CTX *ctx" "long mode"
diff --git a/src/lib/libssl/man/SSL_CTX_set_msg_callback.3 b/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
index a27333e6d9..65df06016a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_msg_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_msg_callback.3,v 1.5 2021/04/15 16:43:27 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_msg_callback.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_CTX_set_msg_callback.pod e9b77246 Jan 20 19:58:49 2017 +0100
 .\"     OpenSSL SSL_CTX_set_msg_callback.pod b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_MSG_CALLBACK 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_set_msg_callback_arg
 .Nd install callback for observing protocol messages
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_msg_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_num_tickets.3 b/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
index cb6d7e000a..093387725a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
+++ b/src/lib/libssl/man/SSL_CTX_set_num_tickets.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_num_tickets.3,v 1.2 2021/10/23 17:20:50 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_num_tickets.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" OpenSSL pod checked up to: 5402f96a Sep 11 09:58:52 2021 +0100
 .\"
 .\" Copyright (c) 2021 Bob Beck <beck@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 23 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_NUM_TICKETS 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm SSL_get_num_tickets
 .Nd set and get the number of TLS 1.3 session tickets to be sent
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_set_num_tickets "SSL_CTX *ctx" "size_t num_tickets"
diff --git a/src/lib/libssl/man/SSL_CTX_set_options.3 b/src/lib/libssl/man/SSL_CTX_set_options.3
index 5df0b07785..5e81c978bd 100644
--- a/src/lib/libssl/man/SSL_CTX_set_options.3
+++ b/src/lib/libssl/man/SSL_CTX_set_options.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_options.3,v 1.16 2022/03/31 17:27:18 naddy Exp $
+.\" $OpenBSD: SSL_CTX_set_options.3,v 1.17 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 7946ab33 Dec 6 17:56:41 2015 +0100
 .\" selective merge up to: OpenSSL edb79c3a Mar 29 10:07:14 2017 +1000
 .\"
@@ -52,7 +52,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_OPTIONS 3
 .Os
 .Sh NAME
@@ -65,6 +65,7 @@
 .Nm SSL_get_secure_renegotiation_support
 .Nd manipulate SSL options
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_options "SSL_CTX *ctx" "long options"
diff --git a/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 b/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
index 71463f1eca..20b882167b 100644
--- a/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
+++ b/src/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_quiet_shutdown.3,v 1.6 2020/03/30 10:28:59 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_quiet_shutdown.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 30 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_QUIET_SHUTDOWN 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_quiet_shutdown
 .Nd manipulate shutdown behaviour
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_CTX_set_quiet_shutdown "SSL_CTX *ctx" "int mode"
diff --git a/src/lib/libssl/man/SSL_CTX_set_read_ahead.3 b/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
index eae76eb472..208ecfbf1a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
+++ b/src/lib/libssl/man/SSL_CTX_set_read_ahead.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_read_ahead.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_read_ahead.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_READ_AHEAD 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_CTX_get_default_read_ahead
 .Nd manage whether to read as many input bytes as possible
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_read_ahead
diff --git a/src/lib/libssl/man/SSL_CTX_set_security_level.3 b/src/lib/libssl/man/SSL_CTX_set_security_level.3
index 89adb3d65d..2d3afa5785 100644
--- a/src/lib/libssl/man/SSL_CTX_set_security_level.3
+++ b/src/lib/libssl/man/SSL_CTX_set_security_level.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_security_level.3,v 1.2 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_set_security_level.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SECURITY_LEVEL 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm SSL_get_security_level
 .Nd change security level for TLS
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_security_level
diff --git a/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 b/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
index 1fe67b2a7e..d19ff79545 100644
--- a/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
+++ b/src/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_session_cache_mode.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_session_cache_mode.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 67adf0a7 Dec 25 19:58:38 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SESSION_CACHE_MODE 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_session_cache_mode
 .Nd enable/disable session caching
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_session_cache_mode "SSL_CTX ctx" "long mode"
diff --git a/src/lib/libssl/man/SSL_CTX_set_session_id_context.3 b/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
index 06fd9348ae..53923888db 100644
--- a/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
+++ b/src/lib/libssl/man/SSL_CTX_set_session_id_context.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_session_id_context.3,v 1.6 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_session_id_context.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SESSION_ID_CONTEXT 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_set_session_id_context
 .Nd set context within which session can be reused (server side only)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_session_id_context
diff --git a/src/lib/libssl/man/SSL_CTX_set_ssl_version.3 b/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
index b1bdb92bb0..fe9febe431 100644
--- a/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
+++ b/src/lib/libssl/man/SSL_CTX_set_ssl_version.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_ssl_version.3,v 1.5 2021/05/11 19:48:56 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_ssl_version.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_SSL_VERSION 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_ssl_method
 .Nd choose a new TLS/SSL method
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_set_ssl_version "SSL_CTX *ctx" "const SSL_METHOD *method"
diff --git a/src/lib/libssl/man/SSL_CTX_set_timeout.3 b/src/lib/libssl/man/SSL_CTX_set_timeout.3
index ab99e2016e..da2f811528 100644
--- a/src/lib/libssl/man/SSL_CTX_set_timeout.3
+++ b/src/lib/libssl/man/SSL_CTX_set_timeout.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_timeout.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_CTX_set_timeout.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TIMEOUT 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_CTX_get_timeout
 .Nd manipulate timeout values for session caching
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_CTX_set_timeout "SSL_CTX *ctx" "long t"
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
index 2b54406de8..b6cece259c 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_servername_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.6 2021/09/01 13:56:03 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_servername_callback.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 190b9a03 Jun 28 15:46:13 2017 +0800
 .\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 1 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_SERVERNAME_CALLBACK 3
 .Os
 .Sh NAME
@@ -62,6 +62,7 @@
 .Nm SSL_set_tlsext_host_name
 .Nd handle server name indication (SNI)
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_CTX_set_tlsext_servername_callback
@@ -84,7 +85,7 @@
 .Fc
 .Ft int
 .Fo SSL_set_tlsext_host_name
-.Fa "const SSL *ssl"
+.Fa "SSL *ssl"
 .Fa "const char *name"
 .Fc
 .Sh DESCRIPTION
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
index d5979af1e8..c9763f9d2f 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_status_cb.3,v 1.8 2021/09/11 18:58:41 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_status_cb.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 43c34894 Nov 30 16:04:51 2015 +0000
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_STATUS_CB 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm SSL_set_tlsext_status_ocsp_resp
 .Nd OCSP Certificate Status Request functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/tls1.h
 .Ft long
 .Fo SSL_CTX_set_tlsext_status_cb
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
index b6ccabaeca..0427f7dcf5 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_tlsext_ticket_key_cb.3,v 1.8 2022/01/25 18:01:20 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_tlsext_ticket_key_cb.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Rich Salz <rsalz@akamai.com>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 25 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_TICKET_KEY_CB 3
 .Os
 .Sh NAME
 .Nm SSL_CTX_set_tlsext_ticket_key_cb
 .Nd set a callback for session ticket processing
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/tls1.h
 .Ft long
 .Fo SSL_CTX_set_tlsext_ticket_key_cb
diff --git a/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3 b/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
index 04c4833c6a..4acd452ad5 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tlsext_use_srtp.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_tlsext_use_srtp.3,v 1.6 2021/06/11 19:41:39 jmc Exp $
+.\" $OpenBSD: SSL_CTX_set_tlsext_use_srtp.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b0edda11 Mar 20 13:00:17 2018 +0000
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TLSEXT_USE_SRTP 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get_selected_srtp_profile
 .Nd Configure and query SRTP support
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/srtp.h
 .Ft int
 .Fo SSL_CTX_set_tlsext_use_srtp
diff --git a/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
index c6f5253431..9fa830656a 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.11 2025/01/18 10:45:12 tb Exp $
+.\"     $OpenBSD: SSL_CTX_set_tmp_dh_callback.3,v 1.12 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TMP_DH_CALLBACK 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_set_tmp_dh
 .Nd handle DH keys for ephemeral key exchange
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_tmp_dh_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 b/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
index b4c3a3c647..7009ac6ab5 100644
--- a/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
+++ b/src/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_CTX_set_tmp_rsa_callback.3,v 1.9 2022/03/29 14:27:59 naddy Exp $
+.\"     $OpenBSD: SSL_CTX_set_tmp_rsa_callback.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 0b30fc90 Dec 19 15:23:05 2013 -0500
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_TMP_RSA_CALLBACK 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_need_tmp_RSA
 .Nd handle RSA keys for ephemeral key exchange
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_tmp_rsa_callback
diff --git a/src/lib/libssl/man/SSL_CTX_set_verify.3 b/src/lib/libssl/man/SSL_CTX_set_verify.3
index 1ed86407e9..656c85afd4 100644
--- a/src/lib/libssl/man/SSL_CTX_set_verify.3
+++ b/src/lib/libssl/man/SSL_CTX_set_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.9 2021/06/12 16:59:53 jmc Exp $
+.\" $OpenBSD: SSL_CTX_set_verify.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\" selective merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_SET_VERIFY 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm SSL_set_verify_depth
 .Nd set peer certificate verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fo SSL_CTX_set_verify
diff --git a/src/lib/libssl/man/SSL_CTX_use_certificate.3 b/src/lib/libssl/man/SSL_CTX_use_certificate.3
index c88a6971b2..27ec834d16 100644
--- a/src/lib/libssl/man/SSL_CTX_use_certificate.3
+++ b/src/lib/libssl/man/SSL_CTX_use_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.17 2025/01/18 10:45:12 tb Exp $
+.\" $OpenBSD: SSL_CTX_use_certificate.3,v 1.18 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 3aaa1bd0 Mar 28 16:35:25 2017 +1000
 .\" selective merge up to: OpenSSL d1f7a1e6 Apr 26 14:05:40 2018 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 18 2025 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CTX_USE_CERTIFICATE 3
 .Os
 .Sh NAME
@@ -79,6 +79,7 @@
 .Nm SSL_check_private_key
 .Nd load certificate and key data
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_CTX_use_certificate "SSL_CTX *ctx" "X509 *x"
diff --git a/src/lib/libssl/man/SSL_SESSION_free.3 b/src/lib/libssl/man/SSL_SESSION_free.3
index 3f785e95e5..af02a273a0 100644
--- a/src/lib/libssl/man/SSL_SESSION_free.3
+++ b/src/lib/libssl/man/SSL_SESSION_free.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_free.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_free.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b31db505 Mar 24 16:01:50 2017 +0000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_FREE 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_SESSION_free
 .Nd SSL_SESSION reference counting
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_SESSION_up_ref "SSL_SESSION *session"
diff --git a/src/lib/libssl/man/SSL_SESSION_get0_cipher.3 b/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
index 239a426dbd..4e5b0bb057 100644
--- a/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
+++ b/src/lib/libssl/man/SSL_SESSION_get0_cipher.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_get0_cipher.3,v 1.1 2021/05/12 14:16:25 tb Exp $
+.\" $OpenBSD: SSL_SESSION_get0_cipher.3,v 1.2 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL d42e7759f Mar 30 19:40:04 2017 +0200
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 12 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET0_CIPHER 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get0_cipher
 .Nd retrieve the SSL cipher associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const SSL_CIPHER *
 .Fo SSL_SESSION_get0_cipher
diff --git a/src/lib/libssl/man/SSL_SESSION_get0_peer.3 b/src/lib/libssl/man/SSL_SESSION_get0_peer.3
index 6b1ef6680e..98ae1bab9d 100644
--- a/src/lib/libssl/man/SSL_SESSION_get0_peer.3
+++ b/src/lib/libssl/man/SSL_SESSION_get0_peer.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get0_peer.3,v 1.2 2018/03/23 05:50:30 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get0_peer.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_SESSION_get0_peer.pod b31db505 Mar 24 16:01:50 2017 +0000
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET0_PEER 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get0_peer
 .Nd get details about peer's certificate for a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509 *
 .Fo SSL_SESSION_get0_peer
diff --git a/src/lib/libssl/man/SSL_SESSION_get_compress_id.3 b/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
index aedc216a15..da0d48ff6c 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_compress_id.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get_compress_id.3,v 1.3 2018/03/23 05:50:30 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get_compress_id.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_SESSION_get_compress_id.pod b31db505 Mar 24 16:01:50 2017
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 23 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_COMPRESS_ID 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get_compress_id
 .Nd get details about the compression associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft unsigned int
 .Fo SSL_SESSION_get_compress_id
diff --git a/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 b/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
index 9fd6949b6a..55cde1c66b 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get_ex_new_index.3,v 1.3 2018/03/21 08:06:34 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get_ex_new_index.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 21 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_get_ex_data
 .Nd internal application specific data functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_get_ex_new_index
diff --git a/src/lib/libssl/man/SSL_SESSION_get_id.3 b/src/lib/libssl/man/SSL_SESSION_get_id.3
index 6d0de1e52e..eb14d24111 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_id.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_id.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_get_id.3,v 1.6 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_get_id.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL SSL_SESSION_set1_id 17b60280 Dec 21 09:08:25 2017 +0100
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_ID 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_SESSION_set1_id
 .Nd get and set the SSL session ID
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const unsigned char *
 .Fo SSL_SESSION_get_id
diff --git a/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3 b/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3
index f14c0490e9..dad9eab7ef 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_protocol_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_get_protocol_version.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_get_protocol_version.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by TJ Saunders <tj@castaglia.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_PROTOCOL_VERSION 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_get_protocol_version
 .Nd get the session protocol version
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_get_protocol_version
diff --git a/src/lib/libssl/man/SSL_SESSION_get_time.3 b/src/lib/libssl/man/SSL_SESSION_get_time.3
index aaadec5137..28aeedf72c 100644
--- a/src/lib/libssl/man/SSL_SESSION_get_time.3
+++ b/src/lib/libssl/man/SSL_SESSION_get_time.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_SESSION_get_time.3,v 1.8 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_SESSION_get_time.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_GET_TIME 3
 .Os
 .Sh NAME
@@ -63,6 +63,7 @@
 .Nm SSL_set_timeout
 .Nd retrieve and manipulate session time and timeout settings
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_SESSION_get_time "const SSL_SESSION *s"
diff --git a/src/lib/libssl/man/SSL_SESSION_has_ticket.3 b/src/lib/libssl/man/SSL_SESSION_has_ticket.3
index 322b49feef..07b894c4f8 100644
--- a/src/lib/libssl/man/SSL_SESSION_has_ticket.3
+++ b/src/lib/libssl/man/SSL_SESSION_has_ticket.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_has_ticket.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_has_ticket.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL f2baac27 Feb 8 15:43:16 2015 +0000
 .\" selective merge up to: OpenSSL 61f805c1 Jan 16 01:01:46 2018 +0800
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_HAS_TICKET 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_get_ticket_lifetime_hint
 .Nd get details about the ticket associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_has_ticket
diff --git a/src/lib/libssl/man/SSL_SESSION_is_resumable.3 b/src/lib/libssl/man/SSL_SESSION_is_resumable.3
index 48d7d17889..ddc037c1aa 100644
--- a/src/lib/libssl/man/SSL_SESSION_is_resumable.3
+++ b/src/lib/libssl/man/SSL_SESSION_is_resumable.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_is_resumable.3,v 1.1 2021/09/14 14:08:15 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_is_resumable.3,v 1.2 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 14 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_IS_RESUMABLE 3
 .Os
 .Sh NAME
 .Nm SSL_SESSION_is_resumable
 .Nd determine whether an SSL_SESSION object can be used for resumption
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_is_resumable
diff --git a/src/lib/libssl/man/SSL_SESSION_new.3 b/src/lib/libssl/man/SSL_SESSION_new.3
index 2dcdb264c1..182266a311 100644
--- a/src/lib/libssl/man/SSL_SESSION_new.3
+++ b/src/lib/libssl/man/SSL_SESSION_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_new.3,v 1.9 2021/09/14 14:08:15 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_new.3,v 1.12 2025/10/24 13:18:22 tb Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,16 +14,20 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 14 2021 $
+.Dd $Mdocdate: October 24 2025 $
 .Dt SSL_SESSION_NEW 3
 .Os
 .Sh NAME
-.Nm SSL_SESSION_new
+.Nm SSL_SESSION_new ,
+.Nm SSL_SESSION_dup
 .Nd construct a new SSL_SESSION object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_SESSION *
 .Fn SSL_SESSION_new void
+.Ft SSL_SESSION *
+.Fn SSL_SESSION_dup "const SSL_SESSION *src"
 .Sh DESCRIPTION
 .Fn SSL_SESSION_new
 allocates and initializes a new
@@ -38,9 +42,20 @@ When the object is no longer needed, it can be destructed with
 .Fn SSL_SESSION_new
 is used internally, for example by
 .Xr SSL_connect 3 .
+.Pp
+.Fn SSL_SESSION_dup
+creates a deep copy of
+.Fa src
+with the exception that
+the reference count is set to 1, that
+the peer certificate is shared with
+.Fa src ,
+and that the new session is not part of any session cache.
 .Sh RETURN VALUES
 .Fn SSL_SESSION_new
-returns the new
+and
+.Fn SSL_SESSION_dup
+return the new
 .Vt SSL_SESSION
 object or
 .Dv NULL
@@ -76,3 +91,7 @@ returns
 .Fn SSL_SESSION_new
 first appeared in SSLeay 0.5.2 and has been available since
 .Ox 2.4 .
+.Pp
+.Fn SSL_SESSION_dup
+first appeared in OpenSSL 1.1.1 and has been available since
+.Ox 7.9 .
diff --git a/src/lib/libssl/man/SSL_SESSION_print.3 b/src/lib/libssl/man/SSL_SESSION_print.3
index e92debde0e..65742140d0 100644
--- a/src/lib/libssl/man/SSL_SESSION_print.3
+++ b/src/lib/libssl/man/SSL_SESSION_print.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_print.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_print.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_PRINT 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm SSL_SESSION_print_fp
 .Nd print some properties of an SSL_SESSION object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_SESSION_print
diff --git a/src/lib/libssl/man/SSL_SESSION_set1_id_context.3 b/src/lib/libssl/man/SSL_SESSION_set1_id_context.3
index dd7595baca..24f1de4fda 100644
--- a/src/lib/libssl/man/SSL_SESSION_set1_id_context.3
+++ b/src/lib/libssl/man/SSL_SESSION_set1_id_context.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_SESSION_set1_id_context.3,v 1.4 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_SESSION_set1_id_context.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL SSL_SESSION_get0_id_context b31db505 Mar 24 16:01:50 2017
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_SET1_ID_CONTEXT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_set1_id_context
 .Nd get and set the SSL ID context associated with a session
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const unsigned char *
 .Fo SSL_SESSION_get0_id_context
diff --git a/src/lib/libssl/man/SSL_accept.3 b/src/lib/libssl/man/SSL_accept.3
index fb1d89eb57..ecb757aaa5 100644
--- a/src/lib/libssl/man/SSL_accept.3
+++ b/src/lib/libssl/man/SSL_accept.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_accept.3,v 1.6 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: SSL_accept.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_ACCEPT 3
 .Os
 .Sh NAME
 .Nm SSL_accept
 .Nd wait for a TLS/SSL client to initiate a TLS/SSL handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_accept "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_alert_type_string.3 b/src/lib/libssl/man/SSL_alert_type_string.3
index 354865e546..0f051cc0a6 100644
--- a/src/lib/libssl/man/SSL_alert_type_string.3
+++ b/src/lib/libssl/man/SSL_alert_type_string.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_alert_type_string.3,v 1.7 2024/10/13 08:25:09 jsg Exp $
+.\"     $OpenBSD: SSL_alert_type_string.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 13 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_ALERT_TYPE_STRING 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_alert_desc_string_long
 .Nd get textual description of alert information
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_alert_type_string "int value"
diff --git a/src/lib/libssl/man/SSL_clear.3 b/src/lib/libssl/man/SSL_clear.3
index 809c3b20f4..5e4da1257f 100644
--- a/src/lib/libssl/man/SSL_clear.3
+++ b/src/lib/libssl/man/SSL_clear.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_clear.3,v 1.5 2021/06/11 19:41:39 jmc Exp $
+.\"     $OpenBSD: SSL_clear.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CLEAR 3
 .Os
 .Sh NAME
 .Nm SSL_clear
 .Nd reset SSL object to allow another connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_clear "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_connect.3 b/src/lib/libssl/man/SSL_connect.3
index d5b962a480..a0cd8f8443 100644
--- a/src/lib/libssl/man/SSL_connect.3
+++ b/src/lib/libssl/man/SSL_connect.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_connect.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_connect.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_CONNECT 3
 .Os
 .Sh NAME
 .Nm SSL_connect
 .Nd initiate the TLS/SSL handshake with a TLS/SSL server
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_connect "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_copy_session_id.3 b/src/lib/libssl/man/SSL_copy_session_id.3
index a7a7a8aa99..75a52e8879 100644
--- a/src/lib/libssl/man/SSL_copy_session_id.3
+++ b/src/lib/libssl/man/SSL_copy_session_id.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_copy_session_id.3,v 1.7 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_copy_session_id.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_COPY_SESSION_ID 3
 .Os
 .Sh NAME
 .Nm SSL_copy_session_id
 .Nd copy session details between SSL objects
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_copy_session_id
diff --git a/src/lib/libssl/man/SSL_do_handshake.3 b/src/lib/libssl/man/SSL_do_handshake.3
index e9327b4229..78b41db2f4 100644
--- a/src/lib/libssl/man/SSL_do_handshake.3
+++ b/src/lib/libssl/man/SSL_do_handshake.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_do_handshake.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_do_handshake.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Martin Sjoegren <martin@strakt.com>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_DO_HANDSHAKE 3
 .Os
 .Sh NAME
 .Nm SSL_do_handshake
 .Nd perform a TLS/SSL handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_do_handshake "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_dup.3 b/src/lib/libssl/man/SSL_dup.3
index a83440b431..f7d999fb62 100644
--- a/src/lib/libssl/man/SSL_dup.3
+++ b/src/lib/libssl/man/SSL_dup.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_dup.3,v 1.5 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_dup.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_DUP 3
 .Os
 .Sh NAME
 .Nm SSL_dup
 .Nd deep copy of an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL *
 .Fo SSL_dup
diff --git a/src/lib/libssl/man/SSL_dup_CA_list.3 b/src/lib/libssl/man/SSL_dup_CA_list.3
index d073b07176..553c03bd8c 100644
--- a/src/lib/libssl/man/SSL_dup_CA_list.3
+++ b/src/lib/libssl/man/SSL_dup_CA_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_dup_CA_list.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_dup_CA_list.3,v 1.7 2025/06/08 22:47:20 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_DUP_CA_LIST 3
 .Os
 .Sh NAME
@@ -22,6 +22,8 @@
 .Nd deep copy of a stack of X.509 Name objects
 .\" The capital "N" in "Name" is intentional (X.509 syntax).
 .Sh SYNOPSIS
+.Lb libssl libcrypto
+.In openssl/ssl.h
 .Ft STACK_OF(X509_NAME) *
 .Fo SSL_dup_CA_list
 .Fa "const STACK_OF(X509_NAME) *sk"
diff --git a/src/lib/libssl/man/SSL_export_keying_material.3 b/src/lib/libssl/man/SSL_export_keying_material.3
index e32a5c5d61..d3daa3a5a3 100644
--- a/src/lib/libssl/man/SSL_export_keying_material.3
+++ b/src/lib/libssl/man/SSL_export_keying_material.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_export_keying_material.3,v 1.3 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_export_keying_material.3,v 1.4 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL a599574b Jun 28 17:18:27 2017 +0100
 .\"     OpenSSL 23cec1f4 Jun 21 13:55:02 2017 +0100
 .\"
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_EXPORT_KEYING_MATERIAL 3
 .Os
 .Sh NAME
 .Nm SSL_export_keying_material
 .Nd obtain keying material for application use
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_export_keying_material
diff --git a/src/lib/libssl/man/SSL_free.3 b/src/lib/libssl/man/SSL_free.3
index c713ded121..b630bc8a2e 100644
--- a/src/lib/libssl/man/SSL_free.3
+++ b/src/lib/libssl/man/SSL_free.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_free.3,v 1.6 2021/06/11 19:41:39 jmc Exp $
+.\"     $OpenBSD: SSL_free.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 11 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_FREE 3
 .Os
 .Sh NAME
 .Nm SSL_free
 .Nd free an allocated SSL structure
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_free "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_SSL_CTX.3 b/src/lib/libssl/man/SSL_get_SSL_CTX.3
index 60fda555bc..eaf1b6ff11 100644
--- a/src/lib/libssl/man/SSL_get_SSL_CTX.3
+++ b/src/lib/libssl/man/SSL_get_SSL_CTX.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_SSL_CTX.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_SSL_CTX.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SSL_CTX 3
 .Os
 .Sh NAME
 .Nm SSL_get_SSL_CTX
 .Nd get the SSL_CTX from which an SSL is created
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_CTX *
 .Fn SSL_get_SSL_CTX "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_certificate.3 b/src/lib/libssl/man/SSL_get_certificate.3
index eb53ea49bf..72ae7ec541 100644
--- a/src/lib/libssl/man/SSL_get_certificate.3
+++ b/src/lib/libssl/man/SSL_get_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_certificate.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_get_certificate.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CERTIFICATE 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm SSL_get_privatekey
 .Nd get SSL certificate and private key
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509 *
 .Fo SSL_get_certificate
diff --git a/src/lib/libssl/man/SSL_get_ciphers.3 b/src/lib/libssl/man/SSL_get_ciphers.3
index 8030f0bbb1..d723f7959e 100644
--- a/src/lib/libssl/man/SSL_get_ciphers.3
+++ b/src/lib/libssl/man/SSL_get_ciphers.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_ciphers.3,v 1.11 2020/09/16 07:25:15 schwarze Exp $
+.\" $OpenBSD: SSL_get_ciphers.3,v 1.12 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" selective merge up to: OpenSSL 83cf7abf May 29 13:07:08 2018 +0100
 .\"
@@ -69,7 +69,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 16 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CIPHERS 3
 .Os
 .Sh NAME
@@ -80,6 +80,7 @@
 .Nm SSL_get_cipher_list
 .Nd get lists of available SSL_CIPHERs
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(SSL_CIPHER) *
 .Fn SSL_get_ciphers "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_client_CA_list.3 b/src/lib/libssl/man/SSL_get_client_CA_list.3
index e80e5cb6f5..8be7020489 100644
--- a/src/lib/libssl/man/SSL_get_client_CA_list.3
+++ b/src/lib/libssl/man/SSL_get_client_CA_list.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_client_CA_list.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_client_CA_list.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CLIENT_CA_LIST 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_CTX_get_client_CA_list
 .Nd get list of client CAs
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(X509_NAME) *
 .Fn SSL_get_client_CA_list "const SSL *s"
diff --git a/src/lib/libssl/man/SSL_get_client_random.3 b/src/lib/libssl/man/SSL_get_client_random.3
index eda74db355..131972b688 100644
--- a/src/lib/libssl/man/SSL_get_client_random.3
+++ b/src/lib/libssl/man/SSL_get_client_random.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_client_random.3,v 1.2 2018/03/24 00:55:37 schwarze Exp $
+.\" $OpenBSD: SSL_get_client_random.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL e9b77246 Jan 20 19:58:49 2017 +0100
 .\"
 .\" This file was written by Nick Mathewson <nickm@torproject.org>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 24 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CLIENT_RANDOM 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_SESSION_get_master_key
 .Nd get internal TLS handshake random values and master key
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft size_t
 .Fo SSL_get_client_random
diff --git a/src/lib/libssl/man/SSL_get_current_cipher.3 b/src/lib/libssl/man/SSL_get_current_cipher.3
index 6b951d03ca..37f6409023 100644
--- a/src/lib/libssl/man/SSL_get_current_cipher.3
+++ b/src/lib/libssl/man/SSL_get_current_cipher.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_current_cipher.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_current_cipher.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,17 +48,18 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_CURRENT_CIPHER 3
 .Os
 .Sh NAME
 .Nm SSL_get_current_cipher ,
 .Nm SSL_get_cipher ,
 .Nm SSL_get_cipher_name ,
-.Nm  SSL_get_cipher_bits ,
+.Nm SSL_get_cipher_bits ,
 .Nm SSL_get_cipher_version
 .Nd get SSL_CIPHER of a connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const SSL_CIPHER *
 .Fn SSL_get_current_cipher "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_default_timeout.3 b/src/lib/libssl/man/SSL_get_default_timeout.3
index 47737d8ee0..ef119780a3 100644
--- a/src/lib/libssl/man/SSL_get_default_timeout.3
+++ b/src/lib/libssl/man/SSL_get_default_timeout.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_default_timeout.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_default_timeout.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_DEFAULT_TIMEOUT 3
 .Os
 .Sh NAME
 .Nm SSL_get_default_timeout
 .Nd get default session timeout value
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_get_default_timeout "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_error.3 b/src/lib/libssl/man/SSL_get_error.3
index 5d325b3f56..ba64b779ac 100644
--- a/src/lib/libssl/man/SSL_get_error.3
+++ b/src/lib/libssl/man/SSL_get_error.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_error.3,v 1.5 2018/04/29 07:37:01 guenther Exp $
+.\"     $OpenBSD: SSL_get_error.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Bodo Moeller <bodo@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 29 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_ERROR 3
 .Os
 .Sh NAME
 .Nm SSL_get_error
 .Nd obtain result code for TLS/SSL I/O operation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_get_error "const SSL *ssl" "int ret"
diff --git a/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 b/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
index a249cda6ac..234034ac2d 100644
--- a/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
+++ b/src/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_ex_data_X509_STORE_CTX_idx.3,v 1.5 2022/02/06 00:29:02 jsg Exp $
+.\"     $OpenBSD: SSL_get_ex_data_X509_STORE_CTX_idx.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 6 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_EX_DATA_X509_STORE_CTX_IDX 3
 .Os
 .Sh NAME
 .Nm SSL_get_ex_data_X509_STORE_CTX_idx
 .Nd get ex_data index to access SSL structure from X509_STORE_CTX
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_get_ex_data_X509_STORE_CTX_idx void
diff --git a/src/lib/libssl/man/SSL_get_ex_new_index.3 b/src/lib/libssl/man/SSL_get_ex_new_index.3
index cecd25fa44..811df94fc7 100644
--- a/src/lib/libssl/man/SSL_get_ex_new_index.3
+++ b/src/lib/libssl/man/SSL_get_ex_new_index.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_ex_new_index.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_ex_new_index.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_EX_NEW_INDEX 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_get_ex_data
 .Nd internal application specific data functions
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_get_ex_new_index
diff --git a/src/lib/libssl/man/SSL_get_fd.3 b/src/lib/libssl/man/SSL_get_fd.3
index 1e093424cb..3a7948d35f 100644
--- a/src/lib/libssl/man/SSL_get_fd.3
+++ b/src/lib/libssl/man/SSL_get_fd.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_fd.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_fd.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_FD 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_get_wfd
 .Nd get file descriptor linked to an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_get_fd "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_finished.3 b/src/lib/libssl/man/SSL_get_finished.3
index 3cfb655ea0..e5c8a36cf6 100644
--- a/src/lib/libssl/man/SSL_get_finished.3
+++ b/src/lib/libssl/man/SSL_get_finished.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_finished.3,v 1.2 2021/01/30 10:48:15 tb Exp $
+.\" $OpenBSD: SSL_get_finished.3,v 1.3 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 30 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_FINISHED 3
 .Os
 .Sh NAME
@@ -22,6 +22,7 @@
 .Nm SSL_get_peer_finished
 .Nd get last sent or last expected finished message
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft size_t
 .Fn SSL_get_finished "const SSL *ssl" "void *buf" "size_t count"
diff --git a/src/lib/libssl/man/SSL_get_peer_cert_chain.3 b/src/lib/libssl/man/SSL_get_peer_cert_chain.3
index eb2ae53dc4..c4f778aac6 100644
--- a/src/lib/libssl/man/SSL_get_peer_cert_chain.3
+++ b/src/lib/libssl/man/SSL_get_peer_cert_chain.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_peer_cert_chain.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_peer_cert_chain.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_get_peer_cert_chain.pod 1f164c6f Jan 18 01:40:36 2017 +0100
 .\"     OpenSSL SSL_get_peer_cert_chain.pod 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
@@ -50,13 +50,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_PEER_CERT_CHAIN 3
 .Os
 .Sh NAME
 .Nm SSL_get_peer_cert_chain
 .Nd get the X509 certificate chain sent by the peer
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(X509) *
 .Fn SSL_get_peer_cert_chain "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_peer_certificate.3 b/src/lib/libssl/man/SSL_get_peer_certificate.3
index 99f9330288..9ac35a607d 100644
--- a/src/lib/libssl/man/SSL_get_peer_certificate.3
+++ b/src/lib/libssl/man/SSL_get_peer_certificate.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_peer_certificate.3,v 1.6 2021/06/26 17:36:28 tb Exp $
+.\" $OpenBSD: SSL_get_peer_certificate.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_PEER_CERTIFICATE 3
 .Os
 .Sh NAME
 .Nm SSL_get_peer_certificate
 .Nd get the X509 certificate of the peer
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509 *
 .Fn SSL_get_peer_certificate "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_rbio.3 b/src/lib/libssl/man/SSL_get_rbio.3
index 38096fbecf..7179277f71 100644
--- a/src/lib/libssl/man/SSL_get_rbio.3
+++ b/src/lib/libssl/man/SSL_get_rbio.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_rbio.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_get_rbio.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_RBIO 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_get_wbio
 .Nd get BIO linked to an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft BIO *
 .Fn SSL_get_rbio "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_server_tmp_key.3 b/src/lib/libssl/man/SSL_get_server_tmp_key.3
index aeeb358240..c55036d526 100644
--- a/src/lib/libssl/man/SSL_get_server_tmp_key.3
+++ b/src/lib/libssl/man/SSL_get_server_tmp_key.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_server_tmp_key.3,v 1.4 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_get_server_tmp_key.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_get_server_tmp_key.pod 508fafd8 Apr 3 15:41:21 2017 +0100
 .\"
 .\" This file was written by Matt Caswell <matt@openssl.org>
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SERVER_TMP_KEY 3
 .Os
 .Sh NAME
 .Nm SSL_get_server_tmp_key
 .Nd temporary server key during a handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_get_server_tmp_key
diff --git a/src/lib/libssl/man/SSL_get_session.3 b/src/lib/libssl/man/SSL_get_session.3
index 2ab43fdd3e..597888a0bd 100644
--- a/src/lib/libssl/man/SSL_get_session.3
+++ b/src/lib/libssl/man/SSL_get_session.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_get_session.3,v 1.8 2022/03/31 17:27:18 naddy Exp $
+.\"     $OpenBSD: SSL_get_session.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SESSION 3
 .Os
 .Sh NAME
@@ -58,6 +58,7 @@
 .Nm SSL_get1_session
 .Nd retrieve TLS/SSL session data
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_SESSION *
 .Fn SSL_get_session "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_shared_ciphers.3 b/src/lib/libssl/man/SSL_get_shared_ciphers.3
index 207e8c42eb..9011780527 100644
--- a/src/lib/libssl/man/SSL_get_shared_ciphers.3
+++ b/src/lib/libssl/man/SSL_get_shared_ciphers.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_shared_ciphers.3,v 1.5 2021/01/09 10:50:02 tb Exp $
+.\" $OpenBSD: SSL_get_shared_ciphers.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 9 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_SHARED_CIPHERS 3
 .Os
 .Sh NAME
 .Nm SSL_get_shared_ciphers
 .Nd ciphers supported by both client and server
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft char *
 .Fo SSL_get_shared_ciphers
diff --git a/src/lib/libssl/man/SSL_get_state.3 b/src/lib/libssl/man/SSL_get_state.3
index 297bbce876..0e1a20e6f7 100644
--- a/src/lib/libssl/man/SSL_get_state.3
+++ b/src/lib/libssl/man/SSL_get_state.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_state.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_get_state.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_STATE 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm SSL_is_init_finished
 .Nd inspect the state of the SSL state machine
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_get_state
diff --git a/src/lib/libssl/man/SSL_get_verify_result.3 b/src/lib/libssl/man/SSL_get_verify_result.3
index 180cf1bb73..32a397f4a2 100644
--- a/src/lib/libssl/man/SSL_get_verify_result.3
+++ b/src/lib/libssl/man/SSL_get_verify_result.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_verify_result.3,v 1.6 2021/06/26 17:36:28 tb Exp $
+.\" $OpenBSD: SSL_get_verify_result.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_VERIFY_RESULT 3
 .Os
 .Sh NAME
 .Nm SSL_get_verify_result
 .Nd get result of peer certificate verification
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fn SSL_get_verify_result "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_get_version.3 b/src/lib/libssl/man/SSL_get_version.3
index a6cefb055b..d32dd34e0e 100644
--- a/src/lib/libssl/man/SSL_get_version.3
+++ b/src/lib/libssl/man/SSL_get_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_get_version.3,v 1.9 2021/04/15 16:13:22 tb Exp $
+.\" $OpenBSD: SSL_get_version.3,v 1.10 2025/06/08 22:49:42 schwarze Exp $
 .\" full merge up to: OpenSSL e417070c Jun 8 11:37:06 2016 -0400
 .\" selective merge up to: OpenSSL df75c2bf Dec 9 01:02:36 2018 +0100
 .\"
@@ -49,21 +49,16 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 15 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_GET_VERSION 3
 .Os
 .Sh NAME
 .Nm SSL_get_version ,
 .Nm SSL_is_dtls ,
 .Nm SSL_version
-.\" The following are intentionally undocumented because
-.\" - the longer term plan is to remove them
-.\" - nothing appears to be using them in the wild
-.\" - and they have the wrong namespace prefix
-.\" Nm TLS1_get_version
-.\" Nm TLS1_get_client_version
 .Nd get the protocol information of a connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_get_version "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_library_init.3 b/src/lib/libssl/man/SSL_library_init.3
index 053c1e6fcb..d25a248617 100644
--- a/src/lib/libssl/man/SSL_library_init.3
+++ b/src/lib/libssl/man/SSL_library_init.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_library_init.3,v 1.7 2019/06/14 13:41:31 schwarze Exp $
+.\"     $OpenBSD: SSL_library_init.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 14 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_LIBRARY_INIT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSLeay_add_ssl_algorithms
 .Nd initialize SSL library by registering algorithms
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_library_init void
diff --git a/src/lib/libssl/man/SSL_load_client_CA_file.3 b/src/lib/libssl/man/SSL_load_client_CA_file.3
index f782d96dce..e57900c941 100644
--- a/src/lib/libssl/man/SSL_load_client_CA_file.3
+++ b/src/lib/libssl/man/SSL_load_client_CA_file.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_load_client_CA_file.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_load_client_CA_file.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_LOAD_CLIENT_CA_FILE 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm SSL_add_dir_cert_subjects_to_stack
 .Nd load certificate names from files
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft STACK_OF(X509_NAME) *
 .Fn SSL_load_client_CA_file "const char *file"
diff --git a/src/lib/libssl/man/SSL_new.3 b/src/lib/libssl/man/SSL_new.3
index 22c5dbf2db..3906a346d7 100644
--- a/src/lib/libssl/man/SSL_new.3
+++ b/src/lib/libssl/man/SSL_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_new.3,v 1.7 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_new.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 1c7ae3dd Mar 29 19:17:55 2017 +1000
 .\"
 .\" This file was written by Richard Levitte <levitte@openssl.org>
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_NEW 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_up_ref
 .Nd create a new SSL structure for a connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL *
 .Fn SSL_new "SSL_CTX *ctx"
diff --git a/src/lib/libssl/man/SSL_num_renegotiations.3 b/src/lib/libssl/man/SSL_num_renegotiations.3
index 6a81b76a60..d366f97c4a 100644
--- a/src/lib/libssl/man/SSL_num_renegotiations.3
+++ b/src/lib/libssl/man/SSL_num_renegotiations.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_num_renegotiations.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\" $OpenBSD: SSL_num_renegotiations.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_NUM_RENEGOTIATIONS 3
 .Os
 .Sh NAME
@@ -23,6 +23,7 @@
 .Nm SSL_total_renegotiations
 .Nd renegotiation counters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_num_renegotiations
diff --git a/src/lib/libssl/man/SSL_pending.3 b/src/lib/libssl/man/SSL_pending.3
index bbc2e9bdd2..c304302ed8 100644
--- a/src/lib/libssl/man/SSL_pending.3
+++ b/src/lib/libssl/man/SSL_pending.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_pending.3,v 1.5 2020/01/23 03:40:18 beck Exp $
+.\"     $OpenBSD: SSL_pending.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL a528d4f0 Oct 27 13:40:11 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>,
@@ -50,13 +50,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: January 23 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_PENDING 3
 .Os
 .Sh NAME
 .Nm SSL_pending
 .Nd obtain number of readable bytes buffered in an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_pending "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_read.3 b/src/lib/libssl/man/SSL_read.3
index bb72a8ed82..3d42fd8a90 100644
--- a/src/lib/libssl/man/SSL_read.3
+++ b/src/lib/libssl/man/SSL_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_read.3,v 1.8 2021/10/24 15:10:13 schwarze Exp $
+.\" $OpenBSD: SSL_read.3,v 1.9 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL 5a2443ae Nov 14 11:37:36 2016 +0000
 .\" partial merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 24 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_READ 3
 .Os
 .Sh NAME
@@ -61,6 +61,7 @@
 .Nm SSL_peek
 .Nd read bytes from a TLS connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_read_ex "SSL *ssl" "void *buf" "size_t num" "size_t *readbytes"
diff --git a/src/lib/libssl/man/SSL_read_early_data.3 b/src/lib/libssl/man/SSL_read_early_data.3
index 1435c15935..d36b1e49f7 100644
--- a/src/lib/libssl/man/SSL_read_early_data.3
+++ b/src/lib/libssl/man/SSL_read_early_data.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_read_early_data.3,v 1.4 2021/11/26 13:48:22 jsg Exp $
+.\" $OpenBSD: SSL_read_early_data.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" content checked up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 26 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_READ_EARLY_DATA 3
 .Os
 .Sh NAME
@@ -30,6 +30,7 @@
 .Nm SSL_get_early_data_status
 .Nd transmit application data during the handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_CTX_set_max_early_data
diff --git a/src/lib/libssl/man/SSL_renegotiate.3 b/src/lib/libssl/man/SSL_renegotiate.3
index 8188d37323..badfe8c6cb 100644
--- a/src/lib/libssl/man/SSL_renegotiate.3
+++ b/src/lib/libssl/man/SSL_renegotiate.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_renegotiate.3,v 1.9 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_renegotiate.3,v 1.10 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL SSL_key_update.pod 4fbfe86a Feb 16 17:04:40 2017 +0000
 .\"
 .\" This file is a derived work.
@@ -65,7 +65,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_RENEGOTIATE 3
 .Os
 .Sh NAME
@@ -74,6 +74,7 @@
 .Nm SSL_renegotiate_pending
 .Nd initiate a new TLS handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_renegotiate
diff --git a/src/lib/libssl/man/SSL_rstate_string.3 b/src/lib/libssl/man/SSL_rstate_string.3
index 99613ba3c0..624c1b08ab 100644
--- a/src/lib/libssl/man/SSL_rstate_string.3
+++ b/src/lib/libssl/man/SSL_rstate_string.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_rstate_string.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_rstate_string.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_RSTATE_STRING 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_rstate_string_long
 .Nd get textual description of state of an SSL object during read operation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_rstate_string "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_session_reused.3 b/src/lib/libssl/man/SSL_session_reused.3
index add61a904b..3340144660 100644
--- a/src/lib/libssl/man/SSL_session_reused.3
+++ b/src/lib/libssl/man/SSL_session_reused.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_session_reused.3,v 1.6 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_session_reused.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SESSION_REUSED 3
 .Os
 .Sh NAME
 .Nm SSL_session_reused
 .Nd query whether a reused session was negotiated during handshake
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_session_reused "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_set1_host.3 b/src/lib/libssl/man/SSL_set1_host.3
index 2a3935c3f2..2c6cdbe5a1 100644
--- a/src/lib/libssl/man/SSL_set1_host.3
+++ b/src/lib/libssl/man/SSL_set1_host.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set1_host.3,v 1.4 2021/03/31 16:56:46 tb Exp $
+.\" $OpenBSD: SSL_set1_host.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\" selective merge up to: OpenSSL 6328d367 Jul 4 21:58:30 2020 +0200
 .\"
 .\" This file was written by Viktor Dukhovni <viktor@openssl.org>
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET1_HOST 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_get0_peername
 .Nd SSL server verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fo SSL_set1_host
diff --git a/src/lib/libssl/man/SSL_set1_param.3 b/src/lib/libssl/man/SSL_set1_param.3
index cd8ad40ad0..2d255a0991 100644
--- a/src/lib/libssl/man/SSL_set1_param.3
+++ b/src/lib/libssl/man/SSL_set1_param.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set1_param.3,v 1.6 2022/09/10 10:22:46 jsg Exp $
+.\" $OpenBSD: SSL_set1_param.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/SSL_CTX_get0_param 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 10 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET1_PARAM 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_set1_param
 .Nd get and set verification parameters
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft X509_VERIFY_PARAM *
 .Fo SSL_CTX_get0_param
diff --git a/src/lib/libssl/man/SSL_set_SSL_CTX.3 b/src/lib/libssl/man/SSL_set_SSL_CTX.3
index 2abaefb292..3a909dabe6 100644
--- a/src/lib/libssl/man/SSL_set_SSL_CTX.3
+++ b/src/lib/libssl/man/SSL_set_SSL_CTX.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set_SSL_CTX.3,v 1.4 2022/07/13 22:05:53 schwarze Exp $
+.\" $OpenBSD: SSL_set_SSL_CTX.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2020 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 13 2022 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_SSL_CTX 3
 .Os
 .Sh NAME
 .Nm SSL_set_SSL_CTX
 .Nd modify an SSL connection object to use another context
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft SSL_CTX *
 .Fo SSL_set_SSL_CTX
diff --git a/src/lib/libssl/man/SSL_set_bio.3 b/src/lib/libssl/man/SSL_set_bio.3
index e727f442d6..98ce9a7080 100644
--- a/src/lib/libssl/man/SSL_set_bio.3
+++ b/src/lib/libssl/man/SSL_set_bio.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_bio.3,v 1.6 2020/10/08 18:21:30 tb Exp $
+.\"     $OpenBSD: SSL_set_bio.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL acb5b343 Sep 16 16:00:38 2000 +0000
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 8 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_BIO 3
 .Os
 .Sh NAME
 .Nm SSL_set_bio
 .Nd connect the SSL object with a BIO
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_bio "SSL *ssl" "BIO *rbio" "BIO *wbio"
diff --git a/src/lib/libssl/man/SSL_set_connect_state.3 b/src/lib/libssl/man/SSL_set_connect_state.3
index c2072c4370..b7d126d046 100644
--- a/src/lib/libssl/man/SSL_set_connect_state.3
+++ b/src/lib/libssl/man/SSL_set_connect_state.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set_connect_state.3,v 1.6 2018/03/27 17:35:50 schwarze Exp $
+.\" $OpenBSD: SSL_set_connect_state.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\" selective merge up to: OpenSSL dbd007d7 Jul 28 13:31:27 2017 +0800
 .\"
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_CONNECT_STATE 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_is_server
 .Nd prepare SSL object to work in client or server mode
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_connect_state "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_set_fd.3 b/src/lib/libssl/man/SSL_set_fd.3
index 7b9727e9ad..3c4441e677 100644
--- a/src/lib/libssl/man/SSL_set_fd.3
+++ b/src/lib/libssl/man/SSL_set_fd.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_fd.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_set_fd.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_FD 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_set_wfd
 .Nd connect the SSL object with a file descriptor
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_set_fd "SSL *ssl" "int fd"
diff --git a/src/lib/libssl/man/SSL_set_max_send_fragment.3 b/src/lib/libssl/man/SSL_set_max_send_fragment.3
index 7de087a743..d5265ebb74 100644
--- a/src/lib/libssl/man/SSL_set_max_send_fragment.3
+++ b/src/lib/libssl/man/SSL_set_max_send_fragment.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_max_send_fragment.3,v 1.5 2019/06/12 09:36:30 schwarze Exp $
+.\"     $OpenBSD: SSL_set_max_send_fragment.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL doc/man3/SSL_CTX_set_split_send_fragment.pod
 .\"     OpenSSL 6782e5fd Oct 21 16:16:20 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 12 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_MAX_SEND_FRAGMENT 3
 .Os
 .Sh NAME
@@ -57,6 +57,7 @@
 .Nm SSL_set_max_send_fragment
 .Nd control fragment sizes
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_CTX_set_max_send_fragment
diff --git a/src/lib/libssl/man/SSL_set_psk_use_session_callback.3 b/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
index 7f2bfcc010..d53f5b97c9 100644
--- a/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
+++ b/src/lib/libssl/man/SSL_set_psk_use_session_callback.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set_psk_use_session_callback.3,v 1.1 2021/09/14 14:30:57 schwarze Exp $
+.\" $OpenBSD: SSL_set_psk_use_session_callback.3,v 1.2 2025/06/08 22:52:00 schwarze Exp $
 .\" OpenSSL man3/SSL_CTX_set_psk_client_callback.pod
 .\" checked up to 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 14 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_PSK_USE_SESSION_CALLBACK 3
 .Os
 .Sh NAME
@@ -24,6 +24,7 @@
 .Nm SSL_psk_use_session_cb_func
 .Nd set TLS pre-shared key client callback
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft typedef int
 .Fo (*SSL_psk_use_session_cb_func)
diff --git a/src/lib/libssl/man/SSL_set_session.3 b/src/lib/libssl/man/SSL_set_session.3
index 7d85f5ad0c..db3fc6a85c 100644
--- a/src/lib/libssl/man/SSL_set_session.3
+++ b/src/lib/libssl/man/SSL_set_session.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_session.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_set_session.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 05ea606a May 20 20:52:46 2016 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_SESSION 3
 .Os
 .Sh NAME
 .Nm SSL_set_session
 .Nd set a TLS/SSL session to be used during TLS/SSL connect
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_set_session "SSL *ssl" "SSL_SESSION *session"
diff --git a/src/lib/libssl/man/SSL_set_shutdown.3 b/src/lib/libssl/man/SSL_set_shutdown.3
index ef8c004f76..1c1d59e927 100644
--- a/src/lib/libssl/man/SSL_set_shutdown.3
+++ b/src/lib/libssl/man/SSL_set_shutdown.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_shutdown.3,v 1.7 2024/12/19 06:45:21 jmc Exp $
+.\"     $OpenBSD: SSL_set_shutdown.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 19 2024 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_SHUTDOWN 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_get_shutdown
 .Nd manipulate shutdown state of an SSL connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_shutdown "SSL *ssl" "int mode"
diff --git a/src/lib/libssl/man/SSL_set_tmp_ecdh.3 b/src/lib/libssl/man/SSL_set_tmp_ecdh.3
index 8fd2d9fd5b..0794efdfb7 100644
--- a/src/lib/libssl/man/SSL_set_tmp_ecdh.3
+++ b/src/lib/libssl/man/SSL_set_tmp_ecdh.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_tmp_ecdh.3,v 1.6 2021/11/30 15:58:08 jsing Exp $
+.\"     $OpenBSD: SSL_set_tmp_ecdh.3,v 1.7 2025/06/08 22:52:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze <schwarze@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 30 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_TMP_ECDH 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm SSL_CTX_set_tmp_ecdh_callback
 .Nd select a curve for ECDH ephemeral key exchange
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft long
 .Fo SSL_set_tmp_ecdh
diff --git a/src/lib/libssl/man/SSL_set_verify_result.3 b/src/lib/libssl/man/SSL_set_verify_result.3
index 4b7cc6ec3c..f43d375bc9 100644
--- a/src/lib/libssl/man/SSL_set_verify_result.3
+++ b/src/lib/libssl/man/SSL_set_verify_result.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_set_verify_result.3,v 1.5 2020/03/29 17:05:02 schwarze Exp $
+.\"     $OpenBSD: SSL_set_verify_result.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,13 +48,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 29 2020 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SET_VERIFY_RESULT 3
 .Os
 .Sh NAME
 .Nm SSL_set_verify_result
 .Nd override result of peer certificate verification
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft void
 .Fn SSL_set_verify_result "SSL *ssl" "long verify_result"
diff --git a/src/lib/libssl/man/SSL_shutdown.3 b/src/lib/libssl/man/SSL_shutdown.3
index bfb1e91ea7..ad49a47d8e 100644
--- a/src/lib/libssl/man/SSL_shutdown.3
+++ b/src/lib/libssl/man/SSL_shutdown.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_shutdown.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_shutdown.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -49,13 +49,14 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_SHUTDOWN 3
 .Os
 .Sh NAME
 .Nm SSL_shutdown
 .Nd shut down a TLS/SSL connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_shutdown "SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_state_string.3 b/src/lib/libssl/man/SSL_state_string.3
index 1070335448..d202056eec 100644
--- a/src/lib/libssl/man/SSL_state_string.3
+++ b/src/lib/libssl/man/SSL_state_string.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_state_string.3,v 1.4 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_state_string.3,v 1.5 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_STATE_STRING 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm SSL_state_string_long
 .Nd get textual description of state of an SSL object
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft const char *
 .Fn SSL_state_string "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_want.3 b/src/lib/libssl/man/SSL_want.3
index 24e8645ba8..c7c2ee4885 100644
--- a/src/lib/libssl/man/SSL_want.3
+++ b/src/lib/libssl/man/SSL_want.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: SSL_want.3,v 1.5 2018/03/27 17:35:50 schwarze Exp $
+.\"     $OpenBSD: SSL_want.3,v 1.6 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL 9b86974e Aug 17 15:21:33 2015 -0400
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 27 2018 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_WANT 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_want_x509_lookup
 .Nd obtain state information TLS/SSL I/O operation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_want "const SSL *ssl"
diff --git a/src/lib/libssl/man/SSL_write.3 b/src/lib/libssl/man/SSL_write.3
index 2c6fbcef08..54d0953e82 100644
--- a/src/lib/libssl/man/SSL_write.3
+++ b/src/lib/libssl/man/SSL_write.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_write.3,v 1.7 2021/10/24 15:10:13 schwarze Exp $
+.\" $OpenBSD: SSL_write.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\" full merge up to: OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\" partial merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100
 .\"
@@ -51,7 +51,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 24 2021 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt SSL_WRITE 3
 .Os
 .Sh NAME
@@ -59,6 +59,7 @@
 .Nm SSL_write
 .Nd write bytes to a TLS connection
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft int
 .Fn SSL_write_ex "SSL *ssl" "const void *buf" "size_t num" "size_t *written"
diff --git a/src/lib/libssl/man/d2i_SSL_SESSION.3 b/src/lib/libssl/man/d2i_SSL_SESSION.3
index 7a2bc529ab..6b0dfc86b9 100644
--- a/src/lib/libssl/man/d2i_SSL_SESSION.3
+++ b/src/lib/libssl/man/d2i_SSL_SESSION.3
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: d2i_SSL_SESSION.3,v 1.7 2019/06/08 15:25:43 schwarze Exp $
+.\"     $OpenBSD: d2i_SSL_SESSION.3,v 1.8 2025/06/08 22:52:00 schwarze Exp $
 .\"     OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke <jaenicke@openssl.org>.
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 8 2019 $
+.Dd $Mdocdate: June 8 2025 $
 .Dt D2I_SSL_SESSION 3
 .Os
 .Sh NAME
@@ -56,6 +56,7 @@
 .Nm i2d_SSL_SESSION
 .Nd convert SSL_SESSION object from/to ASN1 representation
 .Sh SYNOPSIS
+.Lb libssl libcrypto
 .In openssl/ssl.h
 .Ft  SSL_SESSION *
 .Fn d2i_SSL_SESSION "SSL_SESSION **a" "const unsigned char **pp" "long length"
diff --git a/src/lib/libssl/pqueue.c b/src/lib/libssl/pqueue.c
index 602969deb0..aafd0a704e 100644
--- a/src/lib/libssl/pqueue.c
+++ b/src/lib/libssl/pqueue.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pqueue.c,v 1.5 2014/06/12 15:49:31 deraadt Exp $ */
+/* $OpenBSD: pqueue.c,v 1.7 2025/05/04 10:53:38 tb Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -68,7 +68,7 @@ typedef struct _pqueue {
 } pqueue_s;
 pitem *
-pitem_new(unsigned char *prio64be, void *data)
+pitem_new(const unsigned char *prio64be, void *data)
 {
        pitem *item = malloc(sizeof(pitem));
@@ -154,7 +154,7 @@ pqueue_pop(pqueue_s *pq)
 }
 pitem *
-pqueue_find(pqueue_s *pq, unsigned char *prio64be)
+pqueue_find(pqueue_s *pq, const unsigned char *prio64be)
 {
        pitem *next;
diff --git a/src/lib/libssl/pqueue.h b/src/lib/libssl/pqueue.h
index cdda4a3961..79ddf7a105 100644
--- a/src/lib/libssl/pqueue.h
+++ b/src/lib/libssl/pqueue.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pqueue.h,v 1.4 2016/11/04 18:28:58 guenther Exp $ */
+/* $OpenBSD: pqueue.h,v 1.7 2025/05/04 10:53:38 tb Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
@@ -61,7 +61,7 @@
 #ifndef HEADER_PQUEUE_H
 #define HEADER_PQUEUE_H
-__BEGIN_HIDDEN_DECLS 
+__BEGIN_HIDDEN_DECLS
 typedef struct _pqueue *pqueue;
@@ -73,7 +73,7 @@ typedef struct _pitem {
 typedef struct _pitem *piterator;
-pitem *pitem_new(unsigned char *prio64be, void *data);
+pitem *pitem_new(const unsigned char *prio64be, void *data);
 void   pitem_free(pitem *item);
 pqueue pqueue_new(void);
@@ -82,12 +82,12 @@ void   pqueue_free(pqueue pq);
 pitem *pqueue_insert(pqueue pq, pitem *item);
 pitem *pqueue_peek(pqueue pq);
 pitem *pqueue_pop(pqueue pq);
-pitem *pqueue_find(pqueue pq, unsigned char *prio64be);
+pitem *pqueue_find(pqueue pq, const unsigned char *prio64be);
 pitem *pqueue_iterator(pqueue pq);
 pitem *pqueue_next(piterator *iter);
 int    pqueue_size(pqueue pq);
-__END_HIDDEN_DECLS 
+__END_HIDDEN_DECLS
 #endif /* ! HEADER_PQUEUE_H */
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 86b32aec15..bcf26bec40 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.257 2024/07/23 14:40:53 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.258 2025/12/04 21:16:17 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1286,6 +1286,7 @@ ssl3_free(SSL *s)
        sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
        sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
        tls_key_share_free(s->s3->hs.key_share);
+        tls_key_share_free(s->s3->hs.tls13.key_share);
        tls13_secrets_destroy(s->s3->hs.tls13.secrets);
        freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len);
@@ -1337,6 +1338,8 @@ ssl3_clear(SSL *s)
        tls_key_share_free(s->s3->hs.key_share);
        s->s3->hs.key_share = NULL;
+        tls_key_share_free(s->s3->hs.tls13.key_share);
+        s->s3->hs.tls13.key_share = NULL;
        tls13_secrets_destroy(s->s3->hs.tls13.secrets);
        s->s3->hs.tls13.secrets = NULL;
diff --git a/src/lib/libssl/shlib_version b/src/lib/libssl/shlib_version
index c2665004b4..dc886efa77 100644
--- a/src/lib/libssl/shlib_version
+++ b/src/lib/libssl/shlib_version
@@ -1,3 +1,3 @@
 # Don't forget to give libtls the same type of bump!
-major=59
+major=60
-minor=1
+minor=2
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index a1ed22b778..48cb6256df 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.247 2025/03/12 14:03:55 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.249 2025/10/24 11:36:08 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -231,9 +231,9 @@ extern "C" {
 #define SSL_TXT_kRSA            "kRSA"
 #define SSL_TXT_kDHr            "kDHr" /* no such ciphersuites supported! */
 #define SSL_TXT_kDHd            "kDHd" /* no such ciphersuites supported! */
-#define SSL_TXT_kDH             "kDH"  /* no such ciphersuites supported! */
+#define SSL_TXT_kDH             "kDH"  /* no such ciphersuites supported! */
 #define SSL_TXT_kEDH            "kEDH"
-#define SSL_TXT_kKRB5           "kKRB5"
+#define SSL_TXT_kKRB5           "kKRB5"
 #define SSL_TXT_kECDHr          "kECDHr"
 #define SSL_TXT_kECDHe          "kECDHe"
 #define SSL_TXT_kECDH           "kECDH"
@@ -245,7 +245,7 @@ extern "C" {
 #define SSL_TXT_aDSS            "aDSS"
 #define SSL_TXT_aDH             "aDH" /* no such ciphersuites supported! */
 #define SSL_TXT_aECDH           "aECDH"
-#define SSL_TXT_aKRB5           "aKRB5"
+#define SSL_TXT_aKRB5           "aKRB5"
 #define SSL_TXT_aECDSA          "aECDSA"
 #define SSL_TXT_aPSK            "aPSK"
@@ -260,7 +260,7 @@ extern "C" {
 #define SSL_TXT_EECDH           "EECDH" /* previous name for ECDHE */
 #define SSL_TXT_AECDH           "AECDH"
 #define SSL_TXT_ECDSA           "ECDSA"
-#define SSL_TXT_KRB5            "KRB5"
+#define SSL_TXT_KRB5            "KRB5"
 #define SSL_TXT_PSK             "PSK"
 #define SSL_TXT_SRP             "SRP"
@@ -1117,7 +1117,7 @@ const SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
 int     SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits);
 const char *    SSL_CIPHER_get_version(const SSL_CIPHER *c);
 const char *    SSL_CIPHER_get_name(const SSL_CIPHER *c);
-unsigned long   SSL_CIPHER_get_id(const SSL_CIPHER *c);
+unsigned long   SSL_CIPHER_get_id(const SSL_CIPHER *c);
 uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *c);
 const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr);
 int SSL_CIPHER_get_cipher_nid(const SSL_CIPHER *c);
@@ -1199,6 +1199,7 @@ int SSL_SESSION_is_resumable(const SSL_SESSION *s);
 SSL_SESSION *SSL_SESSION_new(void);
 void    SSL_SESSION_free(SSL_SESSION *ses);
+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src);
 int     SSL_SESSION_up_ref(SSL_SESSION *ss);
 const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *ss,
            unsigned int *len);
@@ -1272,16 +1273,16 @@ int SSL_set1_param(SSL *ssl, X509_VERIFY_PARAM *vpm);
 SSL *SSL_new(SSL_CTX *ctx);
 void    SSL_free(SSL *ssl);
 int     SSL_up_ref(SSL *ssl);
-int     SSL_accept(SSL *ssl);
+int     SSL_accept(SSL *ssl);
-int     SSL_connect(SSL *ssl);
+int     SSL_connect(SSL *ssl);
 int     SSL_is_dtls(const SSL *s);
 int     SSL_is_server(const SSL *s);
-int     SSL_read(SSL *ssl, void *buf, int num);
+int     SSL_read(SSL *ssl, void *buf, int num);
-int     SSL_peek(SSL *ssl, void *buf, int num);
+int     SSL_peek(SSL *ssl, void *buf, int num);
-int     SSL_write(SSL *ssl, const void *buf, int num);
+int     SSL_write(SSL *ssl, const void *buf, int num);
-int     SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *bytes_read);
+int     SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *bytes_read);
-int     SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *bytes_peeked);
+int     SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *bytes_peeked);
-int     SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *bytes_written);
+int     SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *bytes_written);
 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
 uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx);
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index 1b1110b4e9..03dda33530 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.60 2024/03/02 11:47:41 tb Exp $ */
+/* $OpenBSD: ssl3.h,v 1.61 2025/04/18 07:34:01 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -134,7 +134,7 @@ extern "C" {
 #define SSL3_CK_RSA_NULL_MD5                    0x03000001
 #define SSL3_CK_RSA_NULL_SHA                    0x03000002
-#define SSL3_CK_RSA_RC4_40_MD5                  0x03000003
+#define SSL3_CK_RSA_RC4_40_MD5                  0x03000003
 #define SSL3_CK_RSA_RC4_128_MD5                 0x03000004
 #define SSL3_CK_RSA_RC4_128_SHA                 0x03000005
 #define SSL3_CK_RSA_RC2_40_MD5                  0x03000006
@@ -145,10 +145,10 @@ extern "C" {
 #define SSL3_CK_DH_DSS_DES_40_CBC_SHA           0x0300000B
 #define SSL3_CK_DH_DSS_DES_64_CBC_SHA           0x0300000C
-#define SSL3_CK_DH_DSS_DES_192_CBC3_SHA         0x0300000D
+#define SSL3_CK_DH_DSS_DES_192_CBC3_SHA         0x0300000D
 #define SSL3_CK_DH_RSA_DES_40_CBC_SHA           0x0300000E
 #define SSL3_CK_DH_RSA_DES_64_CBC_SHA           0x0300000F
-#define SSL3_CK_DH_RSA_DES_192_CBC3_SHA         0x03000010
+#define SSL3_CK_DH_RSA_DES_192_CBC3_SHA         0x03000010
 #define SSL3_CK_EDH_DSS_DES_40_CBC_SHA          0x03000011
 #define SSL3_CK_EDH_DSS_DES_64_CBC_SHA          0x03000012
@@ -168,22 +168,22 @@ extern "C" {
 #define SSL3_CK_KRB5_DES_64_CBC_SHA             0x0300001E
 #define SSL3_CK_KRB5_DES_192_CBC3_SHA           0x0300001F
 #define SSL3_CK_KRB5_RC4_128_SHA                0x03000020
-#define SSL3_CK_KRB5_IDEA_128_CBC_SHA           0x03000021
+#define SSL3_CK_KRB5_IDEA_128_CBC_SHA           0x03000021
-#define SSL3_CK_KRB5_DES_64_CBC_MD5             0x03000022
+#define SSL3_CK_KRB5_DES_64_CBC_MD5             0x03000022
-#define SSL3_CK_KRB5_DES_192_CBC3_MD5           0x03000023
+#define SSL3_CK_KRB5_DES_192_CBC3_MD5           0x03000023
-#define SSL3_CK_KRB5_RC4_128_MD5                0x03000024
+#define SSL3_CK_KRB5_RC4_128_MD5                0x03000024
-#define SSL3_CK_KRB5_IDEA_128_CBC_MD5           0x03000025
+#define SSL3_CK_KRB5_IDEA_128_CBC_MD5           0x03000025
-#define SSL3_CK_KRB5_DES_40_CBC_SHA             0x03000026
+#define SSL3_CK_KRB5_DES_40_CBC_SHA             0x03000026
-#define SSL3_CK_KRB5_RC2_40_CBC_SHA             0x03000027
+#define SSL3_CK_KRB5_RC2_40_CBC_SHA             0x03000027
-#define SSL3_CK_KRB5_RC4_40_SHA                 0x03000028
+#define SSL3_CK_KRB5_RC4_40_SHA                 0x03000028
-#define SSL3_CK_KRB5_DES_40_CBC_MD5             0x03000029
+#define SSL3_CK_KRB5_DES_40_CBC_MD5             0x03000029
-#define SSL3_CK_KRB5_RC2_40_CBC_MD5             0x0300002A
+#define SSL3_CK_KRB5_RC2_40_CBC_MD5             0x0300002A
-#define SSL3_CK_KRB5_RC4_40_MD5                 0x0300002B
+#define SSL3_CK_KRB5_RC4_40_MD5                 0x0300002B
 #define SSL3_TXT_RSA_NULL_MD5                   "NULL-MD5"
 #define SSL3_TXT_RSA_NULL_SHA                   "NULL-SHA"
-#define SSL3_TXT_RSA_RC4_40_MD5                 "EXP-RC4-MD5"
+#define SSL3_TXT_RSA_RC4_40_MD5                 "EXP-RC4-MD5"
 #define SSL3_TXT_RSA_RC4_128_MD5                "RC4-MD5"
 #define SSL3_TXT_RSA_RC4_128_SHA                "RC4-SHA"
 #define SSL3_TXT_RSA_RC2_40_MD5                 "EXP-RC2-CBC-MD5"
@@ -194,10 +194,10 @@ extern "C" {
 #define SSL3_TXT_DH_DSS_DES_40_CBC_SHA          "EXP-DH-DSS-DES-CBC-SHA"
 #define SSL3_TXT_DH_DSS_DES_64_CBC_SHA          "DH-DSS-DES-CBC-SHA"
-#define SSL3_TXT_DH_DSS_DES_192_CBC3_SHA        "DH-DSS-DES-CBC3-SHA"
+#define SSL3_TXT_DH_DSS_DES_192_CBC3_SHA        "DH-DSS-DES-CBC3-SHA"
 #define SSL3_TXT_DH_RSA_DES_40_CBC_SHA          "EXP-DH-RSA-DES-CBC-SHA"
 #define SSL3_TXT_DH_RSA_DES_64_CBC_SHA          "DH-RSA-DES-CBC-SHA"
-#define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA        "DH-RSA-DES-CBC3-SHA"
+#define SSL3_TXT_DH_RSA_DES_192_CBC3_SHA        "DH-RSA-DES-CBC3-SHA"
 #define SSL3_TXT_EDH_DSS_DES_40_CBC_SHA         "EXP-EDH-DSS-DES-CBC-SHA"
 #define SSL3_TXT_EDH_DSS_DES_64_CBC_SHA         "EDH-DSS-DES-CBC-SHA"
@@ -215,18 +215,18 @@ extern "C" {
 #define SSL3_TXT_KRB5_DES_64_CBC_SHA            "KRB5-DES-CBC-SHA"
 #define SSL3_TXT_KRB5_DES_192_CBC3_SHA          "KRB5-DES-CBC3-SHA"
 #define SSL3_TXT_KRB5_RC4_128_SHA               "KRB5-RC4-SHA"
-#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA          "KRB5-IDEA-CBC-SHA"
+#define SSL3_TXT_KRB5_IDEA_128_CBC_SHA          "KRB5-IDEA-CBC-SHA"
-#define SSL3_TXT_KRB5_DES_64_CBC_MD5            "KRB5-DES-CBC-MD5"
+#define SSL3_TXT_KRB5_DES_64_CBC_MD5            "KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_DES_192_CBC3_MD5          "KRB5-DES-CBC3-MD5"
+#define SSL3_TXT_KRB5_DES_192_CBC3_MD5          "KRB5-DES-CBC3-MD5"
 #define SSL3_TXT_KRB5_RC4_128_MD5               "KRB5-RC4-MD5"
-#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5          "KRB5-IDEA-CBC-MD5"
+#define SSL3_TXT_KRB5_IDEA_128_CBC_MD5          "KRB5-IDEA-CBC-MD5"
-#define SSL3_TXT_KRB5_DES_40_CBC_SHA            "EXP-KRB5-DES-CBC-SHA"
+#define SSL3_TXT_KRB5_DES_40_CBC_SHA            "EXP-KRB5-DES-CBC-SHA"
-#define SSL3_TXT_KRB5_RC2_40_CBC_SHA            "EXP-KRB5-RC2-CBC-SHA"
+#define SSL3_TXT_KRB5_RC2_40_CBC_SHA            "EXP-KRB5-RC2-CBC-SHA"
-#define SSL3_TXT_KRB5_RC4_40_SHA                "EXP-KRB5-RC4-SHA"
+#define SSL3_TXT_KRB5_RC4_40_SHA                "EXP-KRB5-RC4-SHA"
-#define SSL3_TXT_KRB5_DES_40_CBC_MD5            "EXP-KRB5-DES-CBC-MD5"
+#define SSL3_TXT_KRB5_DES_40_CBC_MD5            "EXP-KRB5-DES-CBC-MD5"
-#define SSL3_TXT_KRB5_RC2_40_CBC_MD5            "EXP-KRB5-RC2-CBC-MD5"
+#define SSL3_TXT_KRB5_RC2_40_CBC_MD5            "EXP-KRB5-RC2-CBC-MD5"
-#define SSL3_TXT_KRB5_RC4_40_MD5                "EXP-KRB5-RC4-MD5"
+#define SSL3_TXT_KRB5_RC4_40_MD5                "EXP-KRB5-RC4-MD5"
 #define SSL3_SSL_SESSION_ID_LENGTH              32
 #define SSL3_MAX_SSL_SESSION_ID_LENGTH          32
diff --git a/src/lib/libssl/ssl_clnt.c b/src/lib/libssl/ssl_clnt.c
index 0d3dcf78af..22469ce346 100644
--- a/src/lib/libssl/ssl_clnt.c
+++ b/src/lib/libssl/ssl_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_clnt.c,v 1.169 2025/03/09 15:53:36 tb Exp $ */
+/* $OpenBSD: ssl_clnt.c,v 1.170 2025/12/04 21:03:42 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1195,7 +1195,7 @@ ssl3_get_server_kex_dhe(SSL *s, CBS *cbs)
                }
                goto err;
        }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
+        if (!tls_key_share_client_peer_public(s->s3->hs.key_share, cbs,
            &decode_error, &invalid_key)) {
                if (decode_error) {
                        SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
@@ -1264,7 +1264,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs)
        if ((s->s3->hs.key_share = tls_key_share_new(group_id)) == NULL)
                goto err;
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
+        if (!tls_key_share_client_peer_public(s->s3->hs.key_share, &public,
            &decode_error, NULL)) {
                if (decode_error)
                        goto decode_err;
@@ -1859,7 +1859,7 @@ ssl3_send_client_kex_dhe(SSL *s, CBB *cbb)
                goto err;
        }
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_client_generate(s->s3->hs.key_share))
                goto err;
        if (!tls_key_share_public(s->s3->hs.key_share, cbb))
                goto err;
@@ -1898,7 +1898,7 @@ ssl3_send_client_kex_ecdhe(SSL *s, CBB *cbb)
                goto err;
        }
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_client_generate(s->s3->hs.key_share))
                goto err;
        if (!CBB_add_u8_length_prefixed(cbb, &public))
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index eac2d9e61f..90822490e2 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_err.c,v 1.53 2024/10/09 08:00:29 tb Exp $ */
+/* $OpenBSD: ssl_err.c,v 1.55 2025/05/10 05:49:21 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
 *
@@ -669,8 +669,7 @@ SSL_state_func_code(int state) {
 }
 void
-SSL_error_internal(const SSL *s, int r, char *f, int l)
+SSL_error_internal(const SSL *s, int r, const char *f, int l)
 {
-        ERR_PUT_error(ERR_LIB_SSL,
+        ERR_PUT_error(ERR_LIB_SSL, SSL_state_func_code(s->s3->hs.state), r, f, l);
-            (SSL_state_func_code(s->s3->hs.state)), r, f, l);
 }
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index ce68981493..630724e670 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.331 2025/03/12 14:03:55 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.333 2025/06/09 10:14:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1298,7 +1298,7 @@ SSL_shutdown(SSL *s)
                return (-1);
        }
-        if (s != NULL && !SSL_in_init(s))
+        if (!SSL_in_init(s))
                return (s->method->ssl_shutdown(s));
        return (1);
@@ -3008,8 +3008,9 @@ SSL_dup(SSL *s)
        /* Dup the client_CA list */
        if (s->client_CA != NULL) {
-                if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL) goto err;
+                if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL)
-                        ret->client_CA = sk;
+                        goto err;
+                ret->client_CA = sk;
                for (i = 0; i < sk_X509_NAME_num(sk); i++) {
                        xn = sk_X509_NAME_value(sk, i);
                        if (sk_X509_NAME_set(sk, i,
diff --git a/src/lib/libssl/ssl_local.h b/src/lib/libssl/ssl_local.h
index 6095940388..7942c36dbd 100644
--- a/src/lib/libssl/ssl_local.h
+++ b/src/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.27 2025/03/09 15:12:18 tb Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.35 2025/12/04 21:16:17 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -203,7 +203,7 @@ __BEGIN_HIDDEN_DECLS
 /* Bits for algorithm_auth (server authentication) */
 #define SSL_aRSA                0x00000001L /* RSA auth */
 #define SSL_aNULL               0x00000004L /* no auth (i.e. use ADH or AECDH) */
-#define SSL_aECDSA              0x00000040L /* ECDSA auth*/
+#define SSL_aECDSA              0x00000040L /* ECDSA auth*/
 #define SSL_aTLS1_3             0x00000400L /* TLSv1.3 authentication */
 /* Bits for algorithm_enc (symmetric encryption) */
@@ -289,12 +289,8 @@ __BEGIN_HIDDEN_DECLS
 * SSL_aDSS <- DSA_SIGN
 */
-/* From ECC-TLS draft, used in encoding the curve type in
+/* From RFC 4492, section 5.4. Only named curves are supported. */
- * ECParameters
+#define NAMED_CURVE_TYPE        3
- */
-#define EXPLICIT_PRIME_CURVE_TYPE  1
-#define EXPLICIT_CHAR2_CURVE_TYPE  2
-#define NAMED_CURVE_TYPE           3
 typedef struct ssl_cert_pkey_st {
        X509 *x509;
@@ -396,7 +392,7 @@ struct ssl_method_st {
 *      PSK_identity_hint [ 7 ] EXPLICIT OCTET STRING, -- optional PSK identity hint
 *      PSK_identity [ 8 ] EXPLICIT OCTET STRING,  -- optional PSK identity
 *      Ticket_lifetime_hint [9] EXPLICIT INTEGER, -- server's lifetime hint for session ticket
- *      Ticket [10]             EXPLICIT OCTET STRING, -- session ticket (clients only)
+ *      Ticket [10]             EXPLICIT OCTET STRING, -- session ticket (clients only)
 *      Compression_meth [11]   EXPLICIT OCTET STRING, -- optional compression method
 *      SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username
 * }
@@ -494,6 +490,9 @@ typedef struct ssl_handshake_tls13_st {
        /* Certificate selected for use (static pointer). */
        const SSL_CERT_PKEY *cpk;
+        /* Client's extra predicted key share */
+        struct tls_key_share *key_share;
        /* Version proposed by peer server. */
        uint16_t server_version;
@@ -1054,7 +1053,7 @@ struct ssl_st {
        int renegotiate;/* 1 if we are renegotiating.
                         * 2 if we are a server and are inside a handshake
-                         * (i.e. not just sending a HelloRequest) */
+                         * (i.e. not just sending a HelloRequest) */
        int rstate;     /* where we are when reading */
@@ -1078,7 +1077,7 @@ typedef struct ssl3_record_internal_st {
 typedef struct ssl3_buffer_internal_st {
        unsigned char *buf;     /* at least SSL3_RT_MAX_PACKET_SIZE bytes,
-                                 * see ssl3_setup_buffers() */
+                                 * see ssl3_setup_buffers() */
        size_t len;             /* buffer size */
        int offset;             /* where to 'copy from' */
        int left;               /* how many bytes left */
@@ -1244,7 +1243,7 @@ int ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk,
 int ssl_security_shared_group(const SSL *ssl, uint16_t group_id);
 int ssl_security_supported_group(const SSL *ssl, uint16_t group_id);
-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int include_ticket);
+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int include_ticket);
 int ssl_get_new_session(SSL *s, int session);
 int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block,
    int *alert);
@@ -1443,9 +1442,10 @@ int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out,
    unsigned int mac_secret_length);
 int SSL_state_func_code(int _state);
-#define SSLerror(s, r) SSL_error_internal(s, r, OPENSSL_FILE, OPENSSL_LINE)
+void SSL_error_internal(const SSL *s, int r, const char *f, int l);
-#define SSLerrorx(r) ERR_PUT_error(ERR_LIB_SSL,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
+#define SSLerror(s, r)  SSL_error_internal(s, r, OPENSSL_FILE, OPENSSL_LINE)
-void SSL_error_internal(const SSL *s, int r, char *f, int l);
+#define SSLerrorx(r)    ERR_PUT_error(ERR_LIB_SSL,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
+#define SYSerror(r)     ERR_PUT_error(ERR_LIB_SYS,(0xfff),(r),OPENSSL_FILE,OPENSSL_LINE)
 #ifndef OPENSSL_NO_SRTP
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index 6c8a2be3d3..1490e10ba4 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_rsa.c,v 1.51 2023/12/30 06:25:56 tb Exp $ */
+/* $OpenBSD: ssl_rsa.c,v 1.53 2025/08/14 15:55:54 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index a5cfc33c04..7f16061b48 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.129 2025/03/09 15:53:36 tb Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.131 2025/10/24 11:36:08 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -247,7 +247,7 @@ SSL_SESSION_new(void)
 LSSL_ALIAS(SSL_SESSION_new);
 SSL_SESSION *
-ssl_session_dup(SSL_SESSION *sess, int include_ticket)
+ssl_session_dup(const SSL_SESSION *sess, int include_ticket)
 {
        SSL_SESSION *copy;
        CBS cbs;
@@ -313,7 +313,7 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket)
                goto err;
        if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, &copy->ex_data,
-            &sess->ex_data))
+            (CRYPTO_EX_DATA *)&sess->ex_data))
                goto err;
        /* Omit prev/next: the new session gets its own slot in the cache. */
@@ -345,6 +345,13 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket)
        return NULL;
 }
+SSL_SESSION *
+SSL_SESSION_dup(const SSL_SESSION *src)
+{
+        return ssl_session_dup(src, 1);
+}
+LSSL_ALIAS(SSL_SESSION_dup);
 const unsigned char *
 SSL_SESSION_get_id(const SSL_SESSION *ss, unsigned int *len)
 {
diff --git a/src/lib/libssl/ssl_srvr.c b/src/lib/libssl/ssl_srvr.c
index db4ba38b51..ef93e283de 100644
--- a/src/lib/libssl/ssl_srvr.c
+++ b/src/lib/libssl/ssl_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_srvr.c,v 1.166 2025/03/09 15:53:36 tb Exp $ */
+/* $OpenBSD: ssl_srvr.c,v 1.167 2025/12/04 21:03:42 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1357,7 +1357,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb)
                        goto err;
        }
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_server_generate(s->s3->hs.key_share))
                goto err;
        if (!tls_key_share_params(s->s3->hs.key_share, cbb))
@@ -1393,7 +1393,7 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb)
        if ((s->s3->hs.key_share = tls_key_share_new_nid(nid)) == NULL)
                goto err;
-        if (!tls_key_share_generate(s->s3->hs.key_share))
+        if (!tls_key_share_server_generate(s->s3->hs.key_share))
                goto err;
        /*
@@ -1744,7 +1744,7 @@ ssl3_get_client_kex_dhe(SSL *s, CBS *cbs)
                goto err;
        }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, cbs,
+        if (!tls_key_share_server_peer_public(s->s3->hs.key_share, cbs,
            &decode_error, &invalid_key)) {
                if (decode_error) {
                        SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
@@ -1792,7 +1792,7 @@ ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs)
                ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
                goto err;
        }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share, &public,
+        if (!tls_key_share_server_peer_public(s->s3->hs.key_share, &public,
            &decode_error, NULL)) {
                if (decode_error) {
                        SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
diff --git a/src/lib/libssl/ssl_stat.c b/src/lib/libssl/ssl_stat.c
index b19944ca83..9966217ca3 100644
--- a/src/lib/libssl/ssl_stat.c
+++ b/src/lib/libssl/ssl_stat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_stat.c,v 1.23 2024/10/12 03:54:18 tb Exp $ */
+/* $OpenBSD: ssl_stat.c,v 1.24 2025/05/22 08:25:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -438,72 +438,7 @@ LSSL_ALIAS(SSL_alert_type_string);
 const char *
 SSL_alert_desc_string(int value)
 {
-        switch (value & 0xff) {
+        return "!!";
-        case SSL_AD_CLOSE_NOTIFY:
-                return "CN";
-        case SSL_AD_UNEXPECTED_MESSAGE:
-                return "UM";
-        case SSL_AD_BAD_RECORD_MAC:
-                return "BM";
-        case SSL_AD_RECORD_OVERFLOW:
-                return "RO";
-        case SSL_AD_DECOMPRESSION_FAILURE:
-                return "DF";
-        case SSL_AD_HANDSHAKE_FAILURE:
-                return "HF";
-        case SSL_AD_BAD_CERTIFICATE:
-                return "BC";
-        case SSL_AD_UNSUPPORTED_CERTIFICATE:
-                return "UC";
-        case SSL_AD_CERTIFICATE_REVOKED:
-                return "CR";
-        case SSL_AD_CERTIFICATE_EXPIRED:
-                return "CE";
-        case SSL_AD_CERTIFICATE_UNKNOWN:
-                return "CU";
-        case SSL_AD_ILLEGAL_PARAMETER:
-                return "IP";
-        case SSL_AD_UNKNOWN_CA:
-                return "CA";
-        case SSL_AD_ACCESS_DENIED:
-                return "AD";
-        case SSL_AD_DECODE_ERROR:
-                return "DE";
-        case SSL_AD_DECRYPT_ERROR:
-                return "CY";
-        case SSL_AD_PROTOCOL_VERSION:
-                return "PV";
-        case SSL_AD_INSUFFICIENT_SECURITY:
-                return "IS";
-        case SSL_AD_INTERNAL_ERROR:
-                return "IE";
-        case SSL_AD_INAPPROPRIATE_FALLBACK:
-                return "IF";
-        case SSL_AD_USER_CANCELLED:
-                return "US";
-        case SSL_AD_NO_RENEGOTIATION:
-                return "NR";
-        case SSL_AD_MISSING_EXTENSION:
-                return "ME";
-        case SSL_AD_UNSUPPORTED_EXTENSION:
-                return "UE";
-        case SSL_AD_CERTIFICATE_UNOBTAINABLE:
-                return "CO";
-        case SSL_AD_UNRECOGNIZED_NAME:
-                return "UN";
-        case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE:
-                return "BR";
-        case SSL_AD_BAD_CERTIFICATE_HASH_VALUE:
-                return "BH";
-        case SSL_AD_UNKNOWN_PSK_IDENTITY:
-                return "UP";
-        case SSL_AD_CERTIFICATE_REQUIRED:
-                return "CQ"; /* XXX */
-        case SSL_AD_NO_APPLICATION_PROTOCOL:
-                return "AP";
-        default:
-                return "UK";
-        }
 }
 LSSL_ALIAS(SSL_alert_desc_string);
diff --git a/src/lib/libssl/ssl_tlsext.c b/src/lib/libssl/ssl_tlsext.c
index 08bf5593ec..d879b3304e 100644
--- a/src/lib/libssl/ssl_tlsext.c
+++ b/src/lib/libssl/ssl_tlsext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_tlsext.c,v 1.154 2024/07/09 12:27:27 beck Exp $ */
+/* $OpenBSD: ssl_tlsext.c,v 1.159 2025/12/04 21:16:17 beck Exp $ */
 /*
 * Copyright (c) 2016, 2017, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -1445,7 +1445,7 @@ tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type)
 static int
 tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
 {
-        CBB client_shares, key_exchange;
+        CBB client_shares, key_exchange, key_exchange2;
        if (!CBB_add_u16_length_prefixed(cbb, &client_shares))
                return 0;
@@ -1458,6 +1458,31 @@ tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb)
        if (!tls_key_share_public(s->s3->hs.key_share, &key_exchange))
                return 0;
+        /*
+         * We wish to include a second key share prediction in a TLS 1.3 client
+         * hello if we have more than one preferred group. We never wish to do
+         * this in response to a server selected group (Either from a TLS 1.2
+         * server, or from a hello retry request after having negotiated TLS
+         * 1.3).
+         *
+         * Therefore we only do this if we have not yet negotiated
+         * a version, and our max version could negotiate TLS 1.3.
+         */
+        if (s->s3->hs.negotiated_tls_version == 0 &&
+            s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
+                if (s->s3->hs.tls13.key_share != NULL) {
+                        if (!CBB_add_u16(&client_shares,
+                            tls_key_share_group(s->s3->hs.tls13.key_share)))
+                                return 0;
+                        if (!CBB_add_u16_length_prefixed(&client_shares,
+                            &key_exchange2))
+                                return 0;
+                        if (!tls_key_share_public(s->s3->hs.tls13.key_share,
+                            &key_exchange2))
+                                return 0;
+                }
+        }
        if (!CBB_flush(cbb))
                return 0;
@@ -1523,7 +1548,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                        *alert = SSL_AD_INTERNAL_ERROR;
                        return 0;
                }
-                if (!tls_key_share_peer_public(s->s3->hs.key_share,
+                if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
                    &key_exchange, &decode_error, NULL)) {
                        if (!decode_error)
                                *alert = SSL_AD_INTERNAL_ERROR;
@@ -1554,6 +1579,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                for (j = 0; j < server_groups_len; j++) {
                        if (server_groups[j] == client_groups[i]) {
                                client_preferred_group = client_groups[i];
+                                s->s3->hs.tls13.server_group = client_preferred_group;
                                preferred_group_found = 1;
                                break;
                        }
@@ -1613,7 +1639,7 @@ tlsext_keyshare_server_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                        *alert = SSL_AD_INTERNAL_ERROR;
                        return 0;
                }
-                if (!tls_key_share_peer_public(s->s3->hs.key_share,
+                if (!tls_key_share_server_peer_public(s->s3->hs.key_share,
                    &key_exchange, &decode_error, NULL)) {
                        if (!decode_error)
                                *alert = SSL_AD_INTERNAL_ERROR;
@@ -1686,11 +1712,33 @@ tlsext_keyshare_client_process(SSL *s, uint16_t msg_type, CBS *cbs, int *alert)
                *alert = SSL_AD_INTERNAL_ERROR;
                return 0;
        }
+        if (s->s3->hs.tls13.server_version >= TLS1_3_VERSION &&
+            tls_key_share_group(s->s3->hs.key_share) != group &&
+            s->s3->hs.tls13.key_share != NULL &&
+            tls_key_share_group(s->s3->hs.tls13.key_share) == group) {
+                /*
+                 * Server chose our second key share prediction, switch to it,
+                 * and discard the first one.
+                 */
+                tls_key_share_free(s->s3->hs.key_share);
+                s->s3->hs.key_share = s->s3->hs.tls13.key_share;
+                s->s3->hs.tls13.key_share = NULL;
+        }
        if (tls_key_share_group(s->s3->hs.key_share) != group) {
                *alert = SSL_AD_INTERNAL_ERROR;
                return 0;
        }
-        if (!tls_key_share_peer_public(s->s3->hs.key_share,
+        /*
+         * Discard our now unused second key share prediction if we had made one
+         * with our initial 1.3 client hello
+         */
+        tls_key_share_free(s->s3->hs.tls13.key_share);
+        s->s3->hs.tls13.key_share = NULL;
+        if (!tls_key_share_client_peer_public(s->s3->hs.key_share,
            &key_exchange, &decode_error, NULL)) {
                if (!decode_error)
                        *alert = SSL_AD_INTERNAL_ERROR;
@@ -2410,13 +2458,12 @@ tlsext_randomize_build_order(SSL *s)
 {
        const struct tls_extension *psk_ext;
        size_t idx, new_idx;
-        size_t alpn_idx = 0, sni_idx = 0;
        free(s->tlsext_build_order);
        s->tlsext_build_order_len = 0;
-        if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
+        if ((s->tlsext_build_order = calloc(N_TLS_EXTENSIONS,
-            N_TLS_EXTENSIONS)) == NULL)
+            sizeof(*s->tlsext_build_order))) == NULL)
                return 0;
        s->tlsext_build_order_len = N_TLS_EXTENSIONS;
@@ -2433,28 +2480,6 @@ tlsext_randomize_build_order(SSL *s)
                s->tlsext_build_order[new_idx] = &tls_extensions[idx];
        }
-        /*
-         * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN
-         * for clients so that virtual host setups work correctly.
-         */
-        if (s->server)
-                return 1;
-        for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) {
-                if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn)
-                        alpn_idx = idx;
-                if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name)
-                        sni_idx = idx;
-        }
-        if (alpn_idx < sni_idx) {
-                const struct tls_extension *tmp;
-                tmp = s->tlsext_build_order[alpn_idx];
-                s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx];
-                s->tlsext_build_order[sni_idx] = tmp;
-        }
        return 1;
 }
@@ -2466,8 +2491,8 @@ tlsext_linearize_build_order(SSL *s)
        free(s->tlsext_build_order);
        s->tlsext_build_order_len = 0;
-        if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order),
+        if ((s->tlsext_build_order = calloc(N_TLS_EXTENSIONS,
-            N_TLS_EXTENSIONS)) == NULL)
+            sizeof(*s->tlsext_build_order))) == NULL)
                return 0;
        s->tlsext_build_order_len = N_TLS_EXTENSIONS;
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index b200f78098..912bea592a 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_lib.c,v 1.204 2025/01/18 14:17:05 tb Exp $ */
+/* $OpenBSD: t1_lib.c,v 1.207 2025/12/04 21:16:17 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -151,6 +151,7 @@ tls1_clear(SSL *s)
 }
 struct supported_group {
+        uint16_t group_id;
        int nid;
        int bits;
 };
@@ -160,122 +161,156 @@ struct supported_group {
 * https://www.iana.org/assignments/tls-parameters/#tls-parameters-8
 */
 static const struct supported_group nid_list[] = {
-        [1] = {
+        {
+                .group_id = 1,
                .nid = NID_sect163k1,
                .bits = 80,
        },
-        [2] = {
+        {
+                .group_id = 2,
                .nid = NID_sect163r1,
                .bits = 80,
        },
-        [3] = {
+        {
+                .group_id = 3,
                .nid = NID_sect163r2,
                .bits = 80,
        },
-        [4] = {
+        {
+                .group_id = 4,
                .nid = NID_sect193r1,
                .bits = 80,
        },
-        [5] = {
+        {
+                .group_id = 5,
                .nid = NID_sect193r2,
                .bits = 80,
        },
-        [6] = {
+        {
+                .group_id = 6,
                .nid = NID_sect233k1,
                .bits = 112,
        },
-        [7] = {
+        {
+                .group_id = 7,
                .nid = NID_sect233r1,
                .bits = 112,
        },
-        [8] = {
+        {
+                .group_id = 8,
                .nid = NID_sect239k1,
                .bits = 112,
        },
-        [9] = {
+        {
+                .group_id = 9,
                .nid = NID_sect283k1,
                .bits = 128,
        },
-        [10] = {
+        {
+                .group_id = 10,
                .nid = NID_sect283r1,
                .bits = 128,
        },
-        [11] = {
+        {
+                .group_id = 11,
                .nid = NID_sect409k1,
                .bits = 192,
        },
-        [12] = {
+        {
+                .group_id = 12,
                .nid = NID_sect409r1,
                .bits = 192,
        },
-        [13] = {
+        {
+                .group_id = 13,
                .nid = NID_sect571k1,
                .bits = 256,
        },
-        [14] = {
+        {
+                .group_id = 14,
                .nid = NID_sect571r1,
                .bits = 256,
        },
-        [15] = {
+        {
+                .group_id = 15,
                .nid = NID_secp160k1,
                .bits = 80,
        },
-        [16] = {
+        {
+                .group_id = 16,
                .nid = NID_secp160r1,
                .bits = 80,
        },
-        [17] = {
+        {
+                .group_id = 17,
                .nid = NID_secp160r2,
                .bits = 80,
        },
-        [18] = {
+        {
+                .group_id = 18,
                .nid = NID_secp192k1,
                .bits = 80,
        },
-        [19] = {
+        {
+                .group_id = 19,
                .nid = NID_X9_62_prime192v1,    /* aka secp192r1 */
                .bits = 80,
        },
-        [20] = {
+        {
+                .group_id = 20,
                .nid = NID_secp224k1,
                .bits = 112,
        },
-        [21] = {
+        {
+                .group_id = 21,
                .nid = NID_secp224r1,
                .bits = 112,
        },
-        [22] = {
+        {
+                .group_id = 22,
                .nid = NID_secp256k1,
                .bits = 128,
        },
-        [23] = {
+        {
+                .group_id = 23,
                .nid = NID_X9_62_prime256v1,    /* aka secp256r1 */
                .bits = 128,
        },
-        [24] = {
+        {
+                .group_id = 24,
                .nid = NID_secp384r1,
                .bits = 192,
        },
-        [25] = {
+        {
+                .group_id = 25,
                .nid = NID_secp521r1,
                .bits = 256,
        },
-        [26] = {
+        {
+                .group_id = 26,
                .nid = NID_brainpoolP256r1,
                .bits = 128,
        },
-        [27] = {
+        {
+                .group_id = 27,
                .nid = NID_brainpoolP384r1,
                .bits = 192,
        },
-        [28] = {
+        {
+                .group_id = 28,
                .nid = NID_brainpoolP512r1,
                .bits = 256,
        },
-        [29] = {
+        {
+                .group_id = 29,
                .nid = NID_X25519,
                .bits = 128,
        },
+        {
+                .group_id = 4588,
+                .nid = NID_X25519MLKEM768,
+                .bits = 128,
+        },
 };
 #define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0]))
@@ -292,41 +327,21 @@ static const uint8_t ecformats_default[] = {
        TLSEXT_ECPOINTFORMAT_uncompressed,
 };
-#if 0
+static const uint16_t ecgroups_tls12_client_default[] = {
-static const uint16_t ecgroups_list[] = {
        29,                     /* X25519 (29) */
-        14,                     /* sect571r1 (14) */
+        23,                     /* secp256r1 (23) */
-        13,                     /* sect571k1 (13) */
-        25,                     /* secp521r1 (25) */
-        28,                     /* brainpoolP512r1 (28) */
-        11,                     /* sect409k1 (11) */
-        12,                     /* sect409r1 (12) */
-        27,                     /* brainpoolP384r1 (27) */
        24,                     /* secp384r1 (24) */
-        9,                      /* sect283k1 (9) */
+        25,                     /* secp521r1 (25) */
-        10,                     /* sect283r1 (10) */
+};
-        26,                     /* brainpoolP256r1 (26) */
-        22,                     /* secp256k1 (22) */
+static const uint16_t ecgroups_tls12_server_default[] = {
+        29,                     /* X25519 (29) */
        23,                     /* secp256r1 (23) */
-        8,                      /* sect239k1 (8) */
+        24,                     /* secp384r1 (24) */
-        6,                      /* sect233k1 (6) */
-        7,                      /* sect233r1 (7) */
-        20,                     /* secp224k1 (20) */
-        21,                     /* secp224r1 (21) */
-        4,                      /* sect193r1 (4) */
-        5,                      /* sect193r2 (5) */
-        18,                     /* secp192k1 (18) */
-        19,                     /* secp192r1 (19) */
-        1,                      /* sect163k1 (1) */
-        2,                      /* sect163r1 (2) */
-        3,                      /* sect163r2 (3) */
-        15,                     /* secp160k1 (15) */
-        16,                     /* secp160r1 (16) */
-        17,                     /* secp160r2 (17) */
 };
-#endif
 static const uint16_t ecgroups_client_default[] = {
+        4588,                   /* X25519MLKEM768 (4588) */
        29,                     /* X25519 (29) */
        23,                     /* secp256r1 (23) */
        24,                     /* secp384r1 (24) */
@@ -334,23 +349,47 @@ static const uint16_t ecgroups_client_default[] = {
 };
 static const uint16_t ecgroups_server_default[] = {
+        4588,                   /* X25519MLKEM768 (4588) */
        29,                     /* X25519 (29) */
        23,                     /* secp256r1 (23) */
        24,                     /* secp384r1 (24) */
 };
+static const struct supported_group *
+tls1_supported_group_by_id(uint16_t group_id)
+{
+        int i;
+        for (i = 0; i < NID_LIST_LEN; i++) {
+                if (group_id == nid_list[i].group_id)
+                        return &nid_list[i];
+        }
+        return NULL;
+}
+static const struct supported_group *
+tls1_supported_group_by_nid(int nid)
+{
+        int i;
+        for (i = 0; i < NID_LIST_LEN; i++) {
+                if (nid == nid_list[i].nid)
+                        return &nid_list[i];
+        }
+        return NULL;
+}
 int
 tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
 {
-        int nid;
+        const struct supported_group *sg;
-        if (group_id >= NID_LIST_LEN)
-                return 0;
-        if ((nid = nid_list[group_id].nid) == 0)
+        if ((sg = tls1_supported_group_by_id(group_id)) == NULL)
                return 0;
-        *out_nid = nid;
+        *out_nid = sg->nid;
        return 1;
 }
@@ -358,15 +397,12 @@ tls1_ec_group_id2nid(uint16_t group_id, int *out_nid)
 int
 tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
 {
-        int bits;
+        const struct supported_group *sg;
-        if (group_id >= NID_LIST_LEN)
+        if ((sg = tls1_supported_group_by_id(group_id)) == NULL)
                return 0;
-        if ((bits = nid_list[group_id].bits) == 0)
+        *out_bits = sg->bits;
-                return 0;
-        *out_bits = bits;
        return 1;
 }
@@ -374,19 +410,14 @@ tls1_ec_group_id2bits(uint16_t group_id, int *out_bits)
 int
 tls1_ec_nid2group_id(int nid, uint16_t *out_group_id)
 {
-        uint16_t group_id;
+        const struct supported_group *sg;
-        if (nid == 0)
+        if ((sg = tls1_supported_group_by_nid(nid)) == NULL)
                return 0;
-        for (group_id = 0; group_id < NID_LIST_LEN; group_id++) {
+        *out_group_id = sg->group_id;
-                if (nid_list[group_id].nid == nid) {
-                        *out_group_id = group_id;
-                        return 1;
-                }
-        }
-        return 0;
+        return 1;
 }
 /*
@@ -433,11 +464,21 @@ tls1_get_group_list(const SSL *s, int client_groups, const uint16_t **pgroups,
                return;
        if (!s->server) {
-                *pgroups = ecgroups_client_default;
+                if (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
-                *pgroupslen = sizeof(ecgroups_client_default) / 2;
+                        *pgroups = ecgroups_client_default;
+                        *pgroupslen = sizeof(ecgroups_client_default) / 2;
+                } else {
+                        *pgroups = ecgroups_tls12_client_default;
+                        *pgroupslen = sizeof(ecgroups_tls12_client_default) / 2;
+                }
        } else {
-                *pgroups = ecgroups_server_default;
+                if (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION) {
-                *pgroupslen = sizeof(ecgroups_server_default) / 2;
+                        *pgroups = ecgroups_server_default;
+                        *pgroupslen = sizeof(ecgroups_server_default) / 2;
+                } else {
+                        *pgroups = ecgroups_tls12_server_default;
+                        *pgroupslen = sizeof(ecgroups_tls12_server_default) / 2;
+                }
        }
 }
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h
index d018fced5c..2d5dffc6cf 100644
--- a/src/lib/libssl/tls1.h
+++ b/src/lib/libssl/tls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls1.h,v 1.60 2024/10/23 01:57:19 jsg Exp $ */
+/* $OpenBSD: tls1.h,v 1.61 2025/04/18 07:34:01 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -197,7 +197,7 @@ extern "C" {
 /* Codes 110-114 from RFC 3546. */
 #define TLS1_AD_UNSUPPORTED_EXTENSION           110
 #define TLS1_AD_CERTIFICATE_UNOBTAINABLE        111
-#define TLS1_AD_UNRECOGNIZED_NAME               112
+#define TLS1_AD_UNRECOGNIZED_NAME               112
 #define TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113
 #define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE      114
 /* Code 115 from RFC 4279. */
@@ -455,7 +455,7 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #define TLS1_CK_DH_RSA_WITH_SEED_SHA                    0x03000098
 #define TLS1_CK_DHE_DSS_WITH_SEED_SHA                   0x03000099
 #define TLS1_CK_DHE_RSA_WITH_SEED_SHA                   0x0300009A
-#define TLS1_CK_ADH_WITH_SEED_SHA                       0x0300009B
+#define TLS1_CK_ADH_WITH_SEED_SHA                       0x0300009B
 /* TLS v1.2 GCM ciphersuites from RFC 5288. */
 #define TLS1_CK_RSA_WITH_AES_128_GCM_SHA256             0x0300009C
diff --git a/src/lib/libssl/tls13_client.c b/src/lib/libssl/tls13_client.c
index 901b38f860..21d3960796 100644
--- a/src/lib/libssl/tls13_client.c
+++ b/src/lib/libssl/tls13_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_client.c,v 1.104 2024/07/22 14:47:15 jsing Exp $ */
+/* $OpenBSD: tls13_client.c,v 1.106 2025/12/04 21:16:17 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 *
@@ -53,9 +53,21 @@ tls13_client_init(struct tls13_ctx *ctx)
                return 0;
        if ((ctx->hs->key_share = tls_key_share_new(groups[0])) == NULL)
                return 0;
-        if (!tls_key_share_generate(ctx->hs->key_share))
+        if (!tls_key_share_client_generate(ctx->hs->key_share))
                return 0;
+        /*
+         * Generate a second key share prediction if we have another
+         * supported group
+         */
+        if (groups_len > 1) {
+                if ((ctx->hs->tls13.key_share = tls_key_share_new(groups[1])) ==
+                    NULL)
+                        return 0;
+                if (!tls_key_share_client_generate(ctx->hs->tls13.key_share))
+                        return 0;
+        }
        arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE);
        /*
@@ -450,7 +462,7 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb)
        if ((ctx->hs->key_share =
            tls_key_share_new(ctx->hs->tls13.server_group)) == NULL)
                return 0;
-        if (!tls_key_share_generate(ctx->hs->key_share))
+        if (!tls_key_share_client_generate(ctx->hs->key_share))
                return 0;
        if (!tls13_client_hello_build(ctx, cbb))
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 331a3ad1a7..c3470b2931 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.77 2024/01/27 14:23:51 jsing Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.78 2025/06/07 10:25:12 tb Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -538,7 +538,7 @@ tls13_ctx_new(int mode, SSL *ssl)
 {
        struct tls13_ctx *ctx = NULL;
-        if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL)
+        if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
                goto err;
        ctx->hs = &ssl->s3->hs;
diff --git a/src/lib/libssl/tls13_server.c b/src/lib/libssl/tls13_server.c
index 63b7d92093..604dab4cba 100644
--- a/src/lib/libssl/tls13_server.c
+++ b/src/lib/libssl/tls13_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_server.c,v 1.109 2024/07/22 14:47:15 jsing Exp $ */
+/* $OpenBSD: tls13_server.c,v 1.112 2025/12/04 21:03:42 beck Exp $ */
 /*
 * Copyright (c) 2019, 2020 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
@@ -327,7 +327,7 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs)
 }
 static int
-tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
+tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb)
 {
        uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH;
        const uint8_t *server_random;
@@ -338,7 +338,7 @@ tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr)
        cipher = SSL_CIPHER_get_value(ctx->hs->cipher);
        server_random = s->s3->server_random;
-        if (hrr) {
+        if (ctx->hs->tls13.hrr) {
                server_random = tls13_hello_retry_request_hash;
                tlsext_msg_type = SSL_TLSEXT_MSG_HRR;
        }
@@ -437,8 +437,6 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx)
 int
 tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
 {
-        int nid;
        ctx->hs->tls13.hrr = 1;
        if (!tls13_synthetic_handshake_message(ctx))
@@ -446,12 +444,10 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb)
        if (ctx->hs->key_share != NULL)
                return 0;
-        if (!tls1_get_supported_group(ctx->ssl, &nid))
+        if (ctx->hs->tls13.server_group == 0)
-                return 0;
-        if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group))
                return 0;
-        if (!tls13_server_hello_build(ctx, cbb, 1))
+        if (!tls13_server_hello_build(ctx, cbb))
                return 0;
        return 1;
@@ -506,14 +502,12 @@ tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb)
 {
        if (ctx->hs->key_share == NULL)
                return 0;
-        if (!tls_key_share_generate(ctx->hs->key_share))
+        if (!tls_key_share_server_generate(ctx->hs->key_share))
                return 0;
        if (!tls13_servername_process(ctx))
                return 0;
-        ctx->hs->tls13.server_group = 0;
+        if (!tls13_server_hello_build(ctx, cbb))
-        if (!tls13_server_hello_build(ctx, cbb, 0))
                return 0;
        return 1;
diff --git a/src/lib/libssl/tls_internal.h b/src/lib/libssl/tls_internal.h
index 84edde8474..3d8d6aa940 100644
--- a/src/lib/libssl/tls_internal.h
+++ b/src/lib/libssl/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.10 2022/11/10 18:06:37 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.11 2025/12/04 21:03:42 beck Exp $ */
 /*
 * Copyright (c) 2018, 2019, 2021 Joel Sing <jsing@openbsd.org>
 *
@@ -85,12 +85,15 @@ int tls_key_share_nid(struct tls_key_share *ks);
 void tls_key_share_set_key_bits(struct tls_key_share *ks, size_t key_bits);
 int tls_key_share_set_dh_params(struct tls_key_share *ks, DH *dh_params);
 int tls_key_share_peer_pkey(struct tls_key_share *ks, EVP_PKEY *pkey);
-int tls_key_share_generate(struct tls_key_share *ks);
+int tls_key_share_client_generate(struct tls_key_share *ks);
+int tls_key_share_server_generate(struct tls_key_share *ks);
 int tls_key_share_params(struct tls_key_share *ks, CBB *cbb);
 int tls_key_share_public(struct tls_key_share *ks, CBB *cbb);
 int tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs,
    int *decode_error, int *invalid_params);
-int tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs,
+int tls_key_share_server_peer_public(struct tls_key_share *ks, CBS *cbs,
+    int *decode_error, int *invalid_key);
+int tls_key_share_client_peer_public(struct tls_key_share *ks, CBS *cbs,
    int *decode_error, int *invalid_key);
 int tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
    size_t *shared_key_len);
diff --git a/src/lib/libssl/tls_key_share.c b/src/lib/libssl/tls_key_share.c
index cf7b1da262..9e04cb7b75 100644
--- a/src/lib/libssl/tls_key_share.c
+++ b/src/lib/libssl/tls_key_share.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_key_share.c,v 1.8 2022/11/26 16:08:56 tb Exp $ */
+/* $OpenBSD: tls_key_share.c,v 1.10 2026/01/01 12:47:52 tb Exp $ */
 /*
 * Copyright (c) 2020, 2021 Joel Sing <jsing@openbsd.org>
 *
@@ -21,6 +21,7 @@
 #include <openssl/dh.h>
 #include <openssl/ec.h>
 #include <openssl/evp.h>
+#include <openssl/mlkem.h>
 #include "bytestring.h"
 #include "ssl_local.h"
@@ -40,6 +41,19 @@ struct tls_key_share {
        uint8_t *x25519_public;
        uint8_t *x25519_private;
        uint8_t *x25519_peer_public;
+        uint8_t *mlkem_public;
+        size_t mlkem_public_len;
+        MLKEM_private_key *mlkem_private;
+        MLKEM_public_key *mlkem_peer_public;
+        /* The ciphertext from MLKEM_encap. */
+        uint8_t *mlkem_encap;
+        size_t mlkem_encap_len;
+        /* The shared secret from an ML-KEM encapsulation. */
+        uint8_t *mlkem_shared_secret;
+        size_t mlkem_shared_secret_len;
 };
 static struct tls_key_share *
@@ -96,6 +110,12 @@ tls_key_share_free(struct tls_key_share *ks)
        freezero(ks->x25519_private, X25519_KEY_LENGTH);
        freezero(ks->x25519_peer_public, X25519_KEY_LENGTH);
+        freezero(ks->mlkem_public, ks->mlkem_public_len);
+        MLKEM_private_key_free(ks->mlkem_private);
+        MLKEM_public_key_free(ks->mlkem_peer_public);
+        freezero(ks->mlkem_encap, ks->mlkem_encap_len);
+        freezero(ks->mlkem_shared_secret, ks->mlkem_shared_secret_len);
        freezero(ks, sizeof(*ks));
 }
@@ -230,7 +250,73 @@ tls_key_share_generate_x25519(struct tls_key_share *ks)
        return ret;
 }
-int
+static int
+tls_key_share_generate_mlkem(struct tls_key_share *ks, int rank)
+{
+        MLKEM_private_key *private = NULL;
+        uint8_t *public = NULL;
+        size_t p_len = 0;
+        int ret = 0;
+        if (ks->mlkem_public != NULL || ks->mlkem_private != NULL)
+                goto err;
+        if ((private = MLKEM_private_key_new(rank)) == NULL)
+                goto err;
+        if (!MLKEM_generate_key(private, &public, &p_len, NULL, NULL))
+                goto err;
+        ks->mlkem_public = public;
+        ks->mlkem_public_len = p_len;
+        ks->mlkem_private = private;
+        public = NULL;
+        private = NULL;
+        ret = 1;
+ err:
+        freezero(public, p_len);
+        MLKEM_private_key_free(private);
+        return ret;
+}
+static int
+tls_key_share_client_generate_mlkem768x25519(struct tls_key_share *ks)
+{
+        if (!tls_key_share_generate_mlkem(ks, MLKEM768_RANK))
+                return 0;
+        if (!tls_key_share_generate_x25519(ks))
+                return 0;
+        return 1;
+}
+static int
+tls_key_share_server_generate_mlkem768x25519(struct tls_key_share *ks)
+{
+        if (ks->mlkem_private != NULL)
+                return 0;
+        /* The server side needs the client's parsed share */
+        if (ks->x25519_peer_public == NULL)
+                return 0;
+        if (ks->mlkem_peer_public == NULL)
+                return 0;
+        if (!tls_key_share_generate_x25519(ks))
+                return 0;
+        return MLKEM_encap(ks->mlkem_peer_public, &ks->mlkem_encap,
+            &ks->mlkem_encap_len, &ks->mlkem_shared_secret,
+            &ks->mlkem_shared_secret_len);
+}
+static int
 tls_key_share_generate(struct tls_key_share *ks)
 {
        if (ks->nid == NID_dhKeyAgreement)
@@ -242,6 +328,24 @@ tls_key_share_generate(struct tls_key_share *ks)
        return tls_key_share_generate_ecdhe_ecp(ks);
 }
+int
+tls_key_share_client_generate(struct tls_key_share *ks)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_client_generate_mlkem768x25519(ks);
+        return tls_key_share_generate(ks);
+}
+int
+tls_key_share_server_generate(struct tls_key_share *ks)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_server_generate_mlkem768x25519(ks);
+        return tls_key_share_generate(ks);
+}
 static int
 tls_key_share_params_dhe(struct tls_key_share *ks, CBB *cbb)
 {
@@ -287,6 +391,47 @@ tls_key_share_public_x25519(struct tls_key_share *ks, CBB *cbb)
        return CBB_add_bytes(cbb, ks->x25519_public, X25519_KEY_LENGTH);
 }
+static int
+tls_key_share_public_mlkem768x25519(struct tls_key_share *ks, CBB *cbb)
+{
+        uint8_t *mlkem_part;
+        size_t mlkem_part_len;
+        if (ks->x25519_public == NULL)
+                return 0;
+        /*
+         * https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
+         * Section 3.1.2:
+         * The server's key exchange value is the concatenation of an
+         * ML-KEM ciphertext returned from encapsulation to the client's
+         * encapsulation key, and the server's ephemeral X25519 share.
+         */
+        mlkem_part = ks->mlkem_encap;
+        mlkem_part_len = ks->mlkem_encap_len;
+        /*
+         * https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
+         * Section 3.1.1:
+         * The client's key_exchange value is the concatenation of the
+         * client's ML-KEM-768 encapsulation key and the client's X25519
+         * ephemeral share.
+         */
+        if (mlkem_part == NULL) {
+                mlkem_part = ks->mlkem_public;
+                mlkem_part_len = ks->mlkem_public_len;
+        }
+        if (mlkem_part == NULL)
+                return 0;
+        if (!CBB_add_bytes(cbb, mlkem_part, mlkem_part_len))
+                return 0;
+        /* Both the client and server send their x25519 public keys. */
+        return CBB_add_bytes(cbb, ks->x25519_public, X25519_KEY_LENGTH);
+}
 int
 tls_key_share_public(struct tls_key_share *ks, CBB *cbb)
 {
@@ -296,6 +441,9 @@ tls_key_share_public(struct tls_key_share *ks, CBB *cbb)
        if (ks->nid == NID_X25519)
                return tls_key_share_public_x25519(ks, cbb);
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_public_mlkem768x25519(ks, cbb);
        return tls_key_share_public_ecdhe_ecp(ks, cbb);
 }
@@ -325,7 +473,7 @@ tls_key_share_peer_params(struct tls_key_share *ks, CBS *cbs,
                return 0;
        return tls_key_share_peer_params_dhe(ks, cbs, decode_error,
-             invalid_params);
+            invalid_params);
 }
 static int
@@ -383,7 +531,91 @@ tls_key_share_peer_public_x25519(struct tls_key_share *ks, CBS *cbs,
        return CBS_stow(cbs, &ks->x25519_peer_public, &out_len);
 }
-int
+static int
+tls_key_share_client_peer_public_mlkem768x25519(struct tls_key_share *ks,
+    CBS *cbs, int *decode_error)
+{
+        CBS x25519_cbs, mlkem_ciphertext_cbs;
+        size_t out_len;
+        if (ks->mlkem_shared_secret != NULL)
+                return 0;
+        if (ks->mlkem_private == NULL)
+                return 0;
+        if (!CBS_get_bytes(cbs, &mlkem_ciphertext_cbs,
+            MLKEM_private_key_ciphertext_length(ks->mlkem_private)))
+                return 0;
+        if (!CBS_get_bytes(cbs, &x25519_cbs, X25519_KEY_LENGTH))
+                return 0;
+        if (CBS_len(cbs) != 0)
+                return 0;
+        if (!CBS_stow(&x25519_cbs, &ks->x25519_peer_public, &out_len))
+                return 0;
+        if (!CBS_stow(&mlkem_ciphertext_cbs, &ks->mlkem_encap, &ks->mlkem_encap_len))
+                return 0;
+        return 1;
+}
+static int
+tls_key_share_server_peer_public_mlkem768x25519(struct tls_key_share *ks,
+    CBS *cbs, int *decode_error)
+{
+        CBS x25519_cbs, mlkem768_cbs;
+        size_t out_len;
+        *decode_error = 0;
+        /* The server should not have an mlkem private key */
+        if (ks->mlkem_private != NULL)
+                return 0;
+        if (ks->mlkem_shared_secret != NULL)
+                return 0;
+        if (ks->mlkem_peer_public != NULL)
+                return 0;
+        if (ks->x25519_peer_public != NULL)
+                return 0;
+        /* Nein, ist nur normal (1024 ist gigantisch) */
+        if ((ks->mlkem_peer_public = MLKEM_public_key_new(MLKEM768_RANK)) == NULL)
+                goto err;
+        if (!CBS_get_bytes(cbs, &mlkem768_cbs,
+            MLKEM_public_key_encoded_length(ks->mlkem_peer_public)))
+                goto err;
+        if (!CBS_get_bytes(cbs, &x25519_cbs, X25519_KEY_LENGTH))
+                goto err;
+        if (CBS_len(cbs) != 0)
+                goto err;
+        if (!CBS_stow(&x25519_cbs, &ks->x25519_peer_public, &out_len))
+                goto err;
+        /* Poetische */
+        if (!MLKEM_parse_public_key(ks->mlkem_peer_public,
+            CBS_data(&mlkem768_cbs), CBS_len(&mlkem768_cbs)))
+                goto err;
+        return 1;
+ err:
+        *decode_error = 1;
+        return 0;
+}
+static int
 tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs, int *decode_error,
    int *invalid_key)
 {
@@ -402,6 +634,30 @@ tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs, int *decode_error,
        return tls_key_share_peer_public_ecdhe_ecp(ks, cbs);
 }
+/* Called from client to process a server peer */
+int
+tls_key_share_client_peer_public(struct tls_key_share *ks, CBS *cbs,
+    int *decode_error, int *invalid_key)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_client_peer_public_mlkem768x25519(ks, cbs,
+                    decode_error);
+        return tls_key_share_peer_public(ks, cbs, decode_error, invalid_key);
+}
+/* Called from server to process a client peer */
+int
+tls_key_share_server_peer_public(struct tls_key_share *ks, CBS *cbs,
+    int *decode_error, int *invalid_key)
+{
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_server_peer_public_mlkem768x25519(ks, cbs,
+                    decode_error);
+        return tls_key_share_peer_public(ks, cbs, decode_error, invalid_key);
+}
 static int
 tls_key_share_derive_dhe(struct tls_key_share *ks,
    uint8_t **shared_key, size_t *shared_key_len)
@@ -451,6 +707,65 @@ tls_key_share_derive_x25519(struct tls_key_share *ks,
        return ret;
 }
+/*
+ * https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/
+ * Section 3.1.3:
+ * For X25519MLKEM768, the shared secret is the concatenation of the ML-KEM
+ * shared secret and the X25519 shared secret.
+ */
+static int
+tls_key_share_derive_mlkem768x25519(struct tls_key_share *ks,
+    uint8_t **out_shared_key, size_t *out_shared_key_len)
+{
+        uint8_t *x25519_shared_key;
+        CBB cbb;
+        memset(&cbb, 0, sizeof(cbb));
+        if (ks->x25519_private == NULL)
+                goto err;
+        if (ks->x25519_peer_public == NULL)
+                goto err;
+        if (ks->mlkem_shared_secret == NULL) {
+                if (ks->mlkem_private == NULL)
+                        goto err;
+                if (ks->mlkem_encap == NULL)
+                        goto err;
+                if (!MLKEM_decap(ks->mlkem_private, ks->mlkem_encap,
+                    MLKEM_private_key_ciphertext_length(ks->mlkem_private),
+                    &ks->mlkem_shared_secret, &ks->mlkem_shared_secret_len))
+                        goto err;
+        }
+        if (!CBB_init(&cbb,  ks->mlkem_shared_secret_len + X25519_KEY_LENGTH))
+                goto err;
+        if (!CBB_add_bytes(&cbb, ks->mlkem_shared_secret,
+            ks->mlkem_shared_secret_len))
+                goto err;
+        if (!CBB_add_space(&cbb, &x25519_shared_key, X25519_KEY_LENGTH))
+                goto err;
+        if (!X25519(x25519_shared_key, ks->x25519_private,
+            ks->x25519_peer_public))
+                goto err;
+        if (!CBB_finish(&cbb, out_shared_key, out_shared_key_len))
+                goto err;
+        return 1;
+ err:
+        CBB_cleanup(&cbb);
+        return 0;
+}
 int
 tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
    size_t *shared_key_len)
@@ -468,6 +783,10 @@ tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key,
                return tls_key_share_derive_x25519(ks, shared_key,
                    shared_key_len);
+        if (ks->nid == NID_X25519MLKEM768)
+                return tls_key_share_derive_mlkem768x25519(ks, shared_key,
+                    shared_key_len);
        return tls_key_share_derive_ecdhe_ecp(ks, shared_key,
            shared_key_len);
 }
diff --git a/src/lib/libtls/man/tls_accept_socket.3 b/src/lib/libtls/man/tls_accept_socket.3
index 931b9346ec..8922708e0f 100644
--- a/src/lib/libtls/man/tls_accept_socket.3
+++ b/src/lib/libtls/man/tls_accept_socket.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_accept_socket.3,v 1.4 2018/05/26 12:35:26 schwarze Exp $
+.\" $OpenBSD: tls_accept_socket.3,v 1.5 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 26 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_ACCEPT_SOCKET 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm tls_accept_cbs
 .Nd accept an incoming client connection in a TLS server
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_accept_socket
diff --git a/src/lib/libtls/man/tls_client.3 b/src/lib/libtls/man/tls_client.3
index 98f58d4c20..235c779519 100644
--- a/src/lib/libtls/man/tls_client.3
+++ b/src/lib/libtls/man/tls_client.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_client.3,v 1.4 2017/08/12 03:41:48 jsing Exp $
+.\" $OpenBSD: tls_client.3,v 1.5 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 12 2017 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CLIENT 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm tls_free
 .Nd configure a TLS connection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft struct tls *
 .Fn tls_client void
diff --git a/src/lib/libtls/man/tls_config_ocsp_require_stapling.3 b/src/lib/libtls/man/tls_config_ocsp_require_stapling.3
index a0694d304f..d776b61ad6 100644
--- a/src/lib/libtls/man/tls_config_ocsp_require_stapling.3
+++ b/src/lib/libtls/man/tls_config_ocsp_require_stapling.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_ocsp_require_stapling.3,v 1.5 2017/01/31 20:53:50 jmc Exp $
+.\" $OpenBSD: tls_config_ocsp_require_stapling.3,v 1.6 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Bob Beck <beck@openbsd.org>
 .\"
@@ -14,13 +14,14 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 31 2017 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONFIG_OCSP_REQUIRE_STAPLING 3
 .Os
 .Sh NAME
 .Nm tls_config_ocsp_require_stapling
 .Nd OCSP configuration for libtls
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft void
 .Fn tls_config_ocsp_require_stapling "struct tls_config *config"
diff --git a/src/lib/libtls/man/tls_config_set_protocols.3 b/src/lib/libtls/man/tls_config_set_protocols.3
index 32b8cce757..403bc10b82 100644
--- a/src/lib/libtls/man/tls_config_set_protocols.3
+++ b/src/lib/libtls/man/tls_config_set_protocols.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_set_protocols.3,v 1.12 2023/07/02 06:37:27 beck Exp $
+.\" $OpenBSD: tls_config_set_protocols.3,v 1.13 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015, 2016 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 2 2023 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONFIG_SET_PROTOCOLS 3
 .Os
 .Sh NAME
@@ -26,10 +26,12 @@
 .Nm tls_config_set_ciphers ,
 .Nm tls_config_set_dheparams ,
 .Nm tls_config_set_ecdhecurves ,
+.\" .Nm tls_config_set_ecdhecurve is intentionally undocumented.
 .Nm tls_config_prefer_ciphers_client ,
 .Nm tls_config_prefer_ciphers_server
 .Nd TLS protocol and cipher selection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_config_set_protocols
diff --git a/src/lib/libtls/man/tls_config_set_session_id.3 b/src/lib/libtls/man/tls_config_set_session_id.3
index d969e01e33..a869b3f24c 100644
--- a/src/lib/libtls/man/tls_config_set_session_id.3
+++ b/src/lib/libtls/man/tls_config_set_session_id.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_set_session_id.3,v 1.5 2018/02/10 06:07:43 jsing Exp $
+.\" $OpenBSD: tls_config_set_session_id.3,v 1.6 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Claudio Jeker <claudio@openbsd.org>
 .\" Copyright (c) 2018 Joel Sing <jsing@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: February 10 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONFIG_SET_SESSION_ID 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm tls_config_add_ticket_key
 .Nd configure resuming of TLS handshakes
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_config_set_session_fd
diff --git a/src/lib/libtls/man/tls_config_verify.3 b/src/lib/libtls/man/tls_config_verify.3
index 4a43c834d7..d5b29e858e 100644
--- a/src/lib/libtls/man/tls_config_verify.3
+++ b/src/lib/libtls/man/tls_config_verify.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_config_verify.3,v 1.4 2017/03/02 11:05:50 jmc Exp $
+.\" $OpenBSD: tls_config_verify.3,v 1.5 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: March 2 2017 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONFIG_VERIFY 3
 .Os
 .Sh NAME
@@ -25,6 +25,7 @@
 .Nm tls_config_insecure_noverifytime
 .Nd insecure TLS configuration
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft void
 .Fn tls_config_verify "struct tls_config *config"
diff --git a/src/lib/libtls/man/tls_conn_version.3 b/src/lib/libtls/man/tls_conn_version.3
index 8fb30624d7..3a386cf11f 100644
--- a/src/lib/libtls/man/tls_conn_version.3
+++ b/src/lib/libtls/man/tls_conn_version.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_conn_version.3,v 1.11 2024/12/10 08:42:12 tb Exp $
+.\" $OpenBSD: tls_conn_version.3,v 1.12 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2015 Bob Beck <beck@openbsd.org>
 .\" Copyright (c) 2016, 2018 Joel Sing <jsing@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: December 10 2024 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONN_VERSION 3
 .Os
 .Sh NAME
@@ -36,6 +36,7 @@
 .Nm tls_peer_cert_notafter
 .Nd inspect an established TLS connection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft const char *
 .Fn tls_conn_version "struct tls *ctx"
diff --git a/src/lib/libtls/man/tls_connect.3 b/src/lib/libtls/man/tls_connect.3
index 4c4f01c256..95a18864b2 100644
--- a/src/lib/libtls/man/tls_connect.3
+++ b/src/lib/libtls/man/tls_connect.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_connect.3,v 1.4 2018/07/09 19:51:18 tb Exp $
+.\" $OpenBSD: tls_connect.3,v 1.5 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2014, 2015 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 9 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_CONNECT 3
 .Os
 .Sh NAME
@@ -27,6 +27,7 @@
 .Nm tls_connect_cbs
 .Nd instruct a TLS client to establish a connection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_connect
diff --git a/src/lib/libtls/man/tls_init.3 b/src/lib/libtls/man/tls_init.3
index 557998107c..69879c04c7 100644
--- a/src/lib/libtls/man/tls_init.3
+++ b/src/lib/libtls/man/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.13 2018/07/09 19:47:20 tb Exp $
+.\" $OpenBSD: tls_init.3,v 1.14 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2016 Joel Sing <jsing@openbsd.org>
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 9 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_INIT 3
 .Os
 .Sh NAME
@@ -26,6 +26,7 @@
 .Nm tls_config_error
 .Nd initialize TLS client and server API
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fn tls_init void
diff --git a/src/lib/libtls/man/tls_load_file.3 b/src/lib/libtls/man/tls_load_file.3
index cf33b575ef..33f486d530 100644
--- a/src/lib/libtls/man/tls_load_file.3
+++ b/src/lib/libtls/man/tls_load_file.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_load_file.3,v 1.14 2022/01/01 02:18:28 jsg Exp $
+.\" $OpenBSD: tls_load_file.3,v 1.15 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -17,7 +17,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: January 1 2022 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_LOAD_FILE 3
 .Os
 .Sh NAME
@@ -49,6 +49,7 @@
 .Nm tls_default_ca_cert_file
 .Nd TLS certificate and key configuration
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft uint8_t *
 .Fo tls_load_file
diff --git a/src/lib/libtls/man/tls_ocsp_process_response.3 b/src/lib/libtls/man/tls_ocsp_process_response.3
index 6e3aa4aecc..e7b57a6827 100644
--- a/src/lib/libtls/man/tls_ocsp_process_response.3
+++ b/src/lib/libtls/man/tls_ocsp_process_response.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_ocsp_process_response.3,v 1.6 2018/07/24 02:01:34 tb Exp $
+.\" $OpenBSD: tls_ocsp_process_response.3,v 1.7 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2016 Bob Beck <beck@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 24 2018 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_OCSP_PROCESS_RESPONSE 3
 .Os
 .Sh NAME
@@ -29,6 +29,7 @@
 .Nm tls_peer_ocsp_next_update
 .Nd inspect an OCSP response
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft int
 .Fo tls_ocsp_process_response
diff --git a/src/lib/libtls/man/tls_read.3 b/src/lib/libtls/man/tls_read.3
index f9d949eef5..f72e63cf63 100644
--- a/src/lib/libtls/man/tls_read.3
+++ b/src/lib/libtls/man/tls_read.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_read.3,v 1.8 2023/09/18 17:25:15 schwarze Exp $
+.\" $OpenBSD: tls_read.3,v 1.9 2025/07/07 10:54:00 schwarze Exp $
 .\"
 .\" Copyright (c) 2014, 2015 Ted Unangst <tedu@openbsd.org>
 .\" Copyright (c) 2015 Doug Hogan <doug@openbsd.org>
@@ -18,7 +18,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 18 2023 $
+.Dd $Mdocdate: July 7 2025 $
 .Dt TLS_READ 3
 .Os
 .Sh NAME
@@ -29,6 +29,7 @@
 .Nm tls_close
 .Nd use a TLS connection
 .Sh SYNOPSIS
+.Lb libtls libssl libcrypto
 .In tls.h
 .Ft ssize_t
 .Fo tls_read
diff --git a/src/lib/libtls/shlib_version b/src/lib/libtls/shlib_version
index 3040494c17..715847ed94 100644
--- a/src/lib/libtls/shlib_version
+++ b/src/lib/libtls/shlib_version
@@ -1,2 +1,2 @@
-major=32
+major=33
-minor=1
+minor=2
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index a94b4221ed..42a697327a 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.51 2024/03/26 08:54:48 joshua Exp $ */
+/* $OpenBSD: tls_server.c,v 1.52 2025/06/04 10:25:30 tb Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -75,7 +75,7 @@ tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
            OPENSSL_NPN_NEGOTIATED)
                return (SSL_TLSEXT_ERR_OK);
-        return (SSL_TLSEXT_ERR_NOACK);
+        return (SSL_TLSEXT_ERR_ALERT_FATAL);
 }
 static int
diff --git a/src/regress/lib/libc/Makefile b/src/regress/lib/libc/Makefile
index 81d8779db0..7a8db225ef 100644
--- a/src/regress/lib/libc/Makefile
+++ b/src/regress/lib/libc/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.60 2025/04/14 17:33:48 tb Exp $
+#       $OpenBSD: Makefile,v 1.62 2025/08/04 06:10:40 tb Exp $
 SUBDIR+= _setjmp
 SUBDIR+= alloca arc4random-fork atexit
@@ -11,7 +11,7 @@ SUBDIR+= ffs fmemopen fnmatch fpclassify fread
 SUBDIR+= gcvt getaddrinfo getcap getopt getopt_long glob
 SUBDIR+= hash
 SUBDIR+= hsearch
-SUBDIR+= ieeefp ifnameindex
+SUBDIR+= ieeefp ifnameindex illumos
 SUBDIR+= ldexp locale longjmp
 SUBDIR+= malloc mkstemp modf
 SUBDIR+= netdb
@@ -19,9 +19,9 @@ SUBDIR+= open_memstream orientation
 SUBDIR+= popen printf
 SUBDIR+= qsort
 SUBDIR+= regex
-SUBDIR+= setjmp setjmp-signal sigsetjmp sigthr sleep sprintf stdio_threading
+SUBDIR+= setjmp setjmp-signal sigsetjmp sigthr sleep sprintf stdio
-SUBDIR+= stpncpy strchr strerror strlcat strlcpy strnlen strtod strtol strtonum
+SUBDIR+= stdio_threading stpncpy strchr strerror strlcat strlcpy strnlen
-SUBDIR+= sys
+SUBDIR+= strtod strtol strtonum sys
 SUBDIR+= telldir time timingsafe
 SUBDIR+= uuid
 SUBDIR+= vis
diff --git a/src/regress/lib/libc/elf_aux_info/elf_aux_info.c b/src/regress/lib/libc/elf_aux_info/elf_aux_info.c
index 14870e253c..e78d282283 100644
--- a/src/regress/lib/libc/elf_aux_info/elf_aux_info.c
+++ b/src/regress/lib/libc/elf_aux_info/elf_aux_info.c
@@ -9,6 +9,7 @@ main(void)
        int ret = 0;
        int a;
        unsigned long b;
+        unsigned long long c;
        /* Should always succeed */
        if (elf_aux_info(AT_PAGESZ, &a, sizeof(a)))
@@ -17,7 +18,7 @@ main(void)
                fprintf(stderr, "AT_PAGESZ %d\n", a);
        /* Wrong size */
-        if (elf_aux_info(AT_PAGESZ, &b, sizeof(b)) != EINVAL)
+        if (elf_aux_info(AT_PAGESZ, &c, sizeof(c)) != EINVAL)
                ret |= 2;
        /* Invalid request */
diff --git a/src/regress/lib/libc/explicit_bzero/explicit_bzero.c b/src/regress/lib/libc/explicit_bzero/explicit_bzero.c
index 496bafb208..30c86290e8 100644
--- a/src/regress/lib/libc/explicit_bzero/explicit_bzero.c
+++ b/src/regress/lib/libc/explicit_bzero/explicit_bzero.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: explicit_bzero.c,v 1.9 2022/02/10 08:39:32 tb Exp $   */
+/*      $OpenBSD: explicit_bzero.c,v 1.10 2025/05/31 15:31:40 tb Exp $  */
 /*
 * Copyright (c) 2014 Google Inc.
 *
@@ -28,9 +28,11 @@
 #if defined(__has_feature)
 #if __has_feature(address_sanitizer)
+#ifndef __SANITIZE_ADDRESS__
 #define __SANITIZE_ADDRESS__
 #endif
 #endif
+#endif
 #ifdef __SANITIZE_ADDRESS__
 #define ATTRIBUTE_NO_SANITIZE_ADDRESS __attribute__((no_sanitize_address))
 #else
diff --git a/src/regress/lib/libc/hash/Makefile b/src/regress/lib/libc/hash/Makefile
index 54e4baace8..9bd69bf8df 100644
--- a/src/regress/lib/libc/hash/Makefile
+++ b/src/regress/lib/libc/hash/Makefile
@@ -1,3 +1,5 @@
+#       $OpenBSD: Makefile,v 1.2 2025/04/14 18:33:56 tb Exp $
 PROG = hash_test
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libc/hash/hash_test.c b/src/regress/lib/libc/hash/hash_test.c
index 67b1f380ed..c04a0458fe 100644
--- a/src/regress/lib/libc/hash/hash_test.c
+++ b/src/regress/lib/libc/hash/hash_test.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: hash_test.c,v 1.1.1.1 2025/04/14 17:32:05 tb Exp $ */
+/*      $OpenBSD: hash_test.c,v 1.3 2025/08/02 06:05:13 tb Exp $ */
 /*
 * Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
@@ -25,8 +25,6 @@
 #include <stdio.h>
 #include <string.h>
-#define ALL_HASHES_ALLOW_NULL 0
 #define MAX_DIGEST_LENGTH SHA512_DIGEST_LENGTH
 struct hash_test_case {
@@ -48,14 +46,12 @@ enum {
 /* RFC 1321, Appendix A.5 */
 static const struct hash_test_case md5_tests[] = {
-#if ALL_HASHES_ALLOW_NULL
        {
                .out = {
                        0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04,
                        0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e,
                },
        },
-#endif
        {
                .in = "",
                .out = {
@@ -131,7 +127,6 @@ md5_final(void *digest, void *ctx)
 /* https://homes.esat.kuleuven.be/~bosselae/ripemd160.html */
 static const struct hash_test_case rmd160_tests[] = {
-#if ALL_HASHES_ALLOW_NULL
        {
                .out = {
                        0x9c, 0x11, 0x85, 0xa5, 0xc5, 0xe9, 0xfc, 0x54,
@@ -139,7 +134,6 @@ static const struct hash_test_case rmd160_tests[] = {
                        0xb2, 0x25, 0x8d, 0x31,
                },
        },
-#endif
        {
                .in = "",
                .out = {
@@ -231,7 +225,6 @@ rmd160_final(void *digest, void *ctx)
 /* RFC 3174 - Appendix A (plus two zero-length tests) */
 static const struct hash_test_case sha1_tests[] = {
-#if ALL_HASHES_ALLOW_NULL
        {
                .out = {
                        0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d,
@@ -239,7 +232,6 @@ static const struct hash_test_case sha1_tests[] = {
                        0xaf, 0xd8, 0x07, 0x09,
                },
        },
-#endif
        {
                .in = "",
                .out = {
@@ -765,7 +757,7 @@ struct hash_ctx {
        void            *ctx;
        void            (*init)(void *);
        void            (*update)(void *, const uint8_t *, size_t);
-        void            (*final)(void *, void *final);
+        void            (*final)(void *, void *);
 };
 static const struct hash_tests {
@@ -822,7 +814,7 @@ hash_test_case(struct hash_ctx *ctx, const struct hash_test_case *tc,
        size_t in_len = tc->in != NULL ? strlen(tc->in) : 0;
        ctx->init(ctx->ctx);
-        ctx->update(ctx->ctx, (uint8_t *)tc->in, in_len);
+        ctx->update(ctx->ctx, (const uint8_t *)tc->in, in_len);
        ctx->final(ctx->digest, ctx->ctx);
        if (memcmp(tc->out, ctx->digest, ctx->digest_len) != 0) {
diff --git a/src/regress/lib/libc/illumos/Makefile b/src/regress/lib/libc/illumos/Makefile
new file mode 100644
index 0000000000..cf2d22eb44
--- /dev/null
+++ b/src/regress/lib/libc/illumos/Makefile
@@ -0,0 +1,7 @@
+#       $OpenBSD: Makefile,v 1.1.1.1 2025/08/02 06:16:34 tb Exp $
+SUBDIR += oclo
+install:
+.include <bsd.subdir.mk>
diff --git a/src/regress/lib/libc/illumos/Makefile.inc b/src/regress/lib/libc/illumos/Makefile.inc
new file mode 100644
index 0000000000..4296b6e690
--- /dev/null
+++ b/src/regress/lib/libc/illumos/Makefile.inc
@@ -0,0 +1,9 @@
+#       $OpenBSD: Makefile.inc,v 1.1.1.1 2025/08/02 06:16:34 tb Exp $
+ILLUMOS_OS_TESTDIR = /usr/local/share/illumos-os-tests
+.if !exists(${ILLUMOS_OS_TESTDIR})
+regress:
+        @echo package illumos-os-tests is required for this regress
+        @echo SKIPPED
+.endif
diff --git a/src/regress/lib/libc/illumos/oclo/Makefile b/src/regress/lib/libc/illumos/oclo/Makefile
new file mode 100644
index 0000000000..284e49dc73
--- /dev/null
+++ b/src/regress/lib/libc/illumos/oclo/Makefile
@@ -0,0 +1,18 @@
+#       $OpenBSD: Makefile,v 1.2 2025/08/09 18:17:42 anton Exp $
+.if exists(/usr/local/share/illumos-os-tests)
+PROGS =         oclo
+PROGS +=        oclo_errors
+PROGS +=        ocloexec_verify
+LDADD_ocloexec_verify = -lkvm
+WARNINGS =      yes
+regress: ${PROGS}
+.PATH: /usr/local/share/illumos-os-tests/tests/oclo
+.endif
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libc/malloc/malloc_errs/malloc_errs.c b/src/regress/lib/libc/malloc/malloc_errs/malloc_errs.c
index 486c247f0d..57d799f49d 100644
--- a/src/regress/lib/libc/malloc/malloc_errs/malloc_errs.c
+++ b/src/regress/lib/libc/malloc/malloc_errs/malloc_errs.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: malloc_errs.c,v 1.5 2024/04/14 17:47:41 otto Exp $    */
+/*      $OpenBSD: malloc_errs.c,v 1.6 2025/05/24 06:40:29 otto Exp $    */
 /*
 * Copyright (c) 2023 Otto Moerbeek <otto@drijf.net>
 *
@@ -286,11 +286,10 @@ int main(int argc, char *argv[])
        int i, status;
        pid_t pid;
        char num[10];
-        char options[10];
+        char options[40];
-        extern char* malloc_options;
+        char const *env[2];
-        if (argc == 3) {
+        if (argc == 2) {
-                malloc_options = argv[2];
                /* prevent coredumps */
                setrlimit(RLIMIT_CORE, &lim);
                i = atoi(argv[1]);
@@ -303,9 +302,11 @@ int main(int argc, char *argv[])
                pid = fork();
                switch (pid) {
                case 0:
-                        snprintf(options, sizeof(options), "us%s", tests[i].flags);
+                        snprintf(options, sizeof(options), "MALLOC_OPTIONS=us%s", tests[i].flags);
                        snprintf(num, sizeof(num), "%d", i);
-                        execl(argv[0], argv[0], num, options, NULL);
+                        env[0] = options;
+                        env[1] = NULL;
+                        execle(argv[0], argv[0], num, NULL, env);
                        err(1, "exec");
                break;
                case -1:
diff --git a/src/regress/lib/libc/malloc/malloc_general/malloc_general.c b/src/regress/lib/libc/malloc/malloc_general/malloc_general.c
index b243787bcf..b0387ce64e 100644
--- a/src/regress/lib/libc/malloc/malloc_general/malloc_general.c
+++ b/src/regress/lib/libc/malloc/malloc_general/malloc_general.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: malloc_general.c,v 1.7 2022/01/09 07:18:50 otto Exp $ */
+/*      $OpenBSD: malloc_general.c,v 1.8 2025/10/26 21:25:12 miod Exp $ */
 /*
 * Copyright (c) 2017 Otto Moerbeek <otto@drijf.net>
 *
@@ -24,6 +24,12 @@
 #define N 1000
+#if defined(_LP64)
+#define COUNT 800000
+#else
+#define COUNT 20000
+#endif
 size_t
 size(void)
 {
@@ -59,7 +65,7 @@ main(int argc, char *argv[])
        void * q;
        size_t sz;
-        for (count = 0; count < 800000; count++) {
+        for (count = 0; count < COUNT; count++) {
                if (count % 10000 == 0) {
                        printf(".");
                        fflush(stdout);
diff --git a/src/regress/lib/libc/malloc/malloc_ulimit1/malloc_ulimit1.c b/src/regress/lib/libc/malloc/malloc_ulimit1/malloc_ulimit1.c
index 799d2b9117..7e53c32dbc 100644
--- a/src/regress/lib/libc/malloc/malloc_ulimit1/malloc_ulimit1.c
+++ b/src/regress/lib/libc/malloc/malloc_ulimit1/malloc_ulimit1.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: malloc_ulimit1.c,v 1.5 2019/06/12 11:31:36 bluhm Exp $        */
+/*      $OpenBSD: malloc_ulimit1.c,v 1.6 2025/05/24 06:47:27 otto Exp $ */
 /* Public Domain, 2006, Otto Moerbeek <otto@drijf.net> */
@@ -23,7 +23,7 @@
 #define FACTOR  1024
 /* This test takes forever with junking turned on. */
-char *malloc_options = "jj";
+const char * const malloc_options = "jj";
 int
 main()
diff --git a/src/regress/lib/libc/stdio/Makefile b/src/regress/lib/libc/stdio/Makefile
new file mode 100644
index 0000000000..f1e980f688
--- /dev/null
+++ b/src/regress/lib/libc/stdio/Makefile
@@ -0,0 +1,29 @@
+# $OpenBSD: Makefile,v 1.4 2025/06/03 14:35:27 yasuoka Exp $
+PROGS=          test_fflush
+CLEANFILES=     test_fflush.tmp
+PROGS+=         test_ungetwc
+CLEANFILES+=    test_ungetwc.tmp
+PROGS+=         test___freading
+CLEANFILES+=    test___freading.tmp
+PROGS+=         test___fwriting
+CLEANFILES+=    test___fwriting.tmp
+PROGS+=         test___fpending
+CLEANFILES+=    test___fpending.tmp
+PROGS+=         test___freadahead
+CLEANFILES+=    test___freadahead.tmp
+PROGS+=         test___freadptr
+CLEANFILES+=    test___freadptr.tmp
+PROGS+=         test___fseterr
+CLEANFILES+=    test___fseterr.tmp
+WARNINGS=       yes
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libc/stdio/test___fpending.c b/src/regress/lib/libc/stdio/test___fpending.c
new file mode 100644
index 0000000000..96ace2e481
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test___fpending.c
@@ -0,0 +1,58 @@
+/*      $OpenBSD: test___fpending.c,v 1.1 2025/05/25 00:20:54 yasuoka Exp $     */
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <assert.h>
+#include <stdio.h>
+#include <stdio_ext.h>
+#include <stdlib.h>
+/* we use assert() */
+#undef  NDEBUG
+#define TMPFILENAME     "test___fpending.tmp"
+void test___fpending0(void);
+void
+test___fpending0(void)
+{
+        FILE    *fp;
+        int      r;
+        size_t   s;
+        fp = fopen(TMPFILENAME, "w");
+        assert(fp != NULL);
+        r = fputs("Hello world", fp);
+        assert(r >= 0);
+        s = __fpending(fp);
+        assert(s > 0);          /* assume buffered */
+        r = fflush(fp);
+        assert(r == 0);
+        s = __fpending(fp);
+        assert(s == 0);         /* buffer must be 0 */
+        r = fclose(fp);
+        assert(r == 0);
+}
+int
+main(int argc, char *argv[])
+{
+        test___fpending0();
+        exit(0);
+}
diff --git a/src/regress/lib/libc/stdio/test___freadahead.c b/src/regress/lib/libc/stdio/test___freadahead.c
new file mode 100644
index 0000000000..66d5e3492a
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test___freadahead.c
@@ -0,0 +1,71 @@
+/*      $OpenBSD: test___freadahead.c,v 1.2 2025/06/03 14:35:27 yasuoka Exp $   */
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <assert.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdio_ext.h>
+#include <stdlib.h>
+/* we use assert() */
+#undef  NDEBUG
+#define TMPFILENAME     "test___freadahead.tmp"
+void test___freadahead0(void);
+void
+test___freadahead0(void)
+{
+        FILE    *fp;
+        int      r;
+        size_t   s;
+        fp = fopen(TMPFILENAME, "w");
+        assert(fp != NULL);
+        r = fputs("Hello world", fp);
+        assert(r >= 0);
+        r = fclose(fp);
+        fp = fopen(TMPFILENAME, "r");
+        s = __freadahead(fp);
+        assert(s == 0);
+        assert(fgetc(fp) == 'H');
+        s = __freadahead(fp);
+        assert(s == 10);
+        r = fflush(fp);
+#if 0
+        /* fflush() to reading file is not supported (yet) */
+        assert(errno == EBADF);
+#else
+        assert(r == 0);
+        s = __freadahead(fp);
+        assert(s == 0);
+#endif
+        r = fclose(fp);
+        assert(r == 0);
+}
+int
+main(int argc, char *argv[])
+{
+        test___freadahead0();
+        exit(0);
+}
diff --git a/src/regress/lib/libc/stdio/test___freading.c b/src/regress/lib/libc/stdio/test___freading.c
new file mode 100644
index 0000000000..f74eb78d35
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test___freading.c
@@ -0,0 +1,125 @@
+/*      $OpenBSD: test___freading.c,v 1.2 2025/06/12 07:39:26 yasuoka Exp $     */
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <assert.h>
+#include <stdio.h>
+#include <stdio_ext.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+/* we use assert() */
+#undef  NDEBUG
+#define TMPFILENAME     "test___freading.tmp"
+void setup(void);
+void test___freading0(void);
+void test___freading1(void);
+void test___freading2(void);
+void
+setup(void)
+{
+        FILE    *fp;
+        /* common setup */
+        unlink(TMPFILENAME);
+        fp = fopen(TMPFILENAME, "w+");
+        assert(fp != NULL);
+        fputs("Hello world\n", fp);
+        fclose(fp);
+}
+void
+test___freading0(void)
+{
+        FILE    *fp;
+        int      r;
+        char     buf[80];
+        fp = popen("echo Hello world", "r");
+        assert(fp != NULL);
+        assert(__freading(fp) != 0);
+        assert(fgets(buf, sizeof(buf), fp) != NULL);
+        assert(strcmp(buf, "Hello world\n") == 0);
+        r = pclose(fp);
+        assert(r == 0);
+}
+void
+test___freading1(void)
+{
+        FILE    *fp;
+        int      r;
+        /* when the last operaiton is read, __freading() returns true */
+        fp = fopen(TMPFILENAME, "w+");
+        assert(fp != NULL);
+        assert(__freading(fp) == 0);
+        r = fputs("Hello world\n", fp);
+        assert(r >= 0);
+        assert(__freading(fp) == 0);
+        rewind(fp);
+        assert(fgetc(fp) == 'H');
+        assert(__freading(fp) != 0);
+        /* write */
+        fseek(fp, 0, SEEK_END);
+        r = fputs("\n", fp);
+        assert(__freading(fp) == 0);
+        /* ungetc */
+        rewind(fp);
+        assert(ungetc('X', fp) != 0);
+        assert(__freading(fp) != 0);    /* reading */
+        r = fclose(fp);
+        assert(r == 0);
+}
+void
+test___freading2(void)
+{
+        int      r;
+        FILE    *fp;
+        /*
+         * until v1.10 of fpurge.c mistakenly enables the writing buffer
+         * without _SRD flag set.
+         */
+        fp = fopen(TMPFILENAME, "r+");
+        assert(fp != NULL);
+        assert(fgetc(fp) == 'H');
+        fpurge(fp);
+        fseek(fp, 0, SEEK_CUR);
+        assert(fputc('X', fp) == 'X');
+        assert(__freading(fp) == 0);
+        r = fclose(fp);
+        assert(r == 0);
+}
+int
+main(int argc, char *argv[])
+{
+        test___freading0();
+        test___freading1();
+        test___freading2();
+        exit(0);
+}
diff --git a/src/regress/lib/libc/stdio/test___freadptr.c b/src/regress/lib/libc/stdio/test___freadptr.c
new file mode 100644
index 0000000000..cce362f2ae
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test___freadptr.c
@@ -0,0 +1,78 @@
+/*      $OpenBSD: test___freadptr.c,v 1.1 2025/05/25 00:20:54 yasuoka Exp $     */
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <sys/types.h>
+#include <assert.h>
+#include <stdio.h>
+#include <stdio_ext.h>
+#include <stdlib.h>
+#include <string.h>
+/* we use assert() */
+#undef  NDEBUG
+#define TMPFILENAME     "test___freadptr.tmp"
+void test___freadptr0(void);
+/* test __freadptr() and __freadptrinc() */
+void
+test___freadptr0(void)
+{
+        FILE            *fp;
+        int              r;
+        ssize_t          s;
+        const char      *p;
+        fp = fopen(TMPFILENAME, "w");
+        assert(fp != NULL);
+        r = fputs("Hello world", fp);
+        assert(r >= 0);
+        r = fclose(fp);
+        fp = fopen(TMPFILENAME, "r");
+        assert(fgetc(fp) == 'H');
+        p = __freadptr(fp, &s);
+        assert(p != NULL);
+        assert(s > 4);          /* this test assume this (not by the spec) */
+        assert(*p == 'e');
+        assert(strncmp(p, "ello world", s) == 0);
+        __freadptrinc(fp, 4);
+        assert(fgetc(fp) == ' ');
+        ungetc('A', fp);
+        ungetc('A', fp);
+        ungetc('A', fp);
+        p = __freadptr(fp, &s);
+        assert(s > 0);
+        assert(*p == 'A');
+        /* ptr will contains only the pushback buffer */
+        assert(strncmp(p, "AAAworld", s) == 0);
+        r = fclose(fp);
+        assert(r == 0);
+}
+int
+main(int argc, char *argv[])
+{
+        test___freadptr0();
+        exit(0);
+}
diff --git a/src/regress/lib/libc/stdio/test___fseterr.c b/src/regress/lib/libc/stdio/test___fseterr.c
new file mode 100644
index 0000000000..70fb491c6c
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test___fseterr.c
@@ -0,0 +1,60 @@
+/*      $OpenBSD: test___fseterr.c,v 1.1 2025/05/25 00:20:54 yasuoka Exp $      */
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <assert.h>
+#include <stdio.h>
+#include <stdio_ext.h>
+#include <stdlib.h>
+/* we use assert() */
+#undef  NDEBUG
+#define TMPFILENAME     "test___fseterr.tmp"
+void test___fseterr0(void);
+void
+test___fseterr0(void)
+{
+        FILE    *fp;
+        int      r;
+        fp = fopen(TMPFILENAME, "w+");
+        assert(fp != NULL);
+        assert(!ferror(fp));
+        r = fprintf(fp, "hello world\n");
+        assert(r > 0);
+        __fseterr(fp);
+        assert(ferror(fp));
+        r = fprintf(fp, "hello world\n");
+        assert(r == -1);
+        fclose(fp);
+}
+int
+main(int argc, char *argv[])
+{
+        test___fseterr0();
+        exit(0);
+}
diff --git a/src/regress/lib/libc/stdio/test___fwriting.c b/src/regress/lib/libc/stdio/test___fwriting.c
new file mode 100644
index 0000000000..eb4671d3cf
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test___fwriting.c
@@ -0,0 +1,83 @@
+/*      $OpenBSD: test___fwriting.c,v 1.1 2025/05/25 00:20:54 yasuoka Exp $     */
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <assert.h>
+#include <stdio.h>
+#include <stdio_ext.h>
+#include <stdlib.h>
+/* we use assert() */
+#undef  NDEBUG
+#define TMPFILENAME     "test___fwriting.tmp"
+void test___fwriting0(void);
+void test___fwriting1(void);
+void
+test___fwriting0(void)
+{
+        FILE    *fp;
+        int      r;
+        fp = fopen(TMPFILENAME, "w");   /* write only */
+        assert(fp != NULL);
+        assert(__fwriting(fp) != 0);    /* writing is true immediately */
+        r = fputs("Hello world\n", fp);
+        assert(r >= 0);
+        r = fclose(fp);
+        assert(r == 0);
+        fp = fopen(TMPFILENAME, "a");   /* append only */
+        assert(fp != NULL);
+        assert(__fwriting(fp) != 0);    /* writing immediately */
+        r = fclose(fp);
+        assert(r == 0);
+}
+void
+test___fwriting1(void)
+{
+        FILE    *fp;
+        int      r;
+        fp = fopen(TMPFILENAME, "w+");  /* read / write */
+        assert(fp != NULL);
+        r = fputs("Hello world\n", fp);
+        assert(r >= 0);
+        assert(__fwriting(fp) != 0);
+        rewind(fp);
+        assert(fgetc(fp) == 'H');       /* read */
+        assert(__fwriting(fp) == 0);    /* writing becomes false */
+        fputc('e', fp);
+        assert(__fwriting(fp) != 0);    /* writing becomes true */
+        ungetc('e', fp);
+        assert(__fwriting(fp) == 0);    /* ungetc -> writing becomes false */
+        r = fclose(fp);
+        assert(r == 0);
+}
+int
+main(int argc, char *argv[])
+{
+        test___fwriting0();
+        test___fwriting1();
+        exit(0);
+}
diff --git a/src/regress/lib/libc/stdio/test_fflush.c b/src/regress/lib/libc/stdio/test_fflush.c
new file mode 100644
index 0000000000..a0586b7d14
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test_fflush.c
@@ -0,0 +1,345 @@
+/*      $OpenBSD: test_fflush.c,v 1.3 2025/06/08 08:53:53 yasuoka Exp $ */
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <assert.h>
+#include <locale.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <wchar.h>
+/* we use assert() */
+#undef  NDEBUG
+#define TMPFILENAME     "test_fflush.tmp"
+void setup(void);
+void test_fflush_read0(void);
+void test_fflush_read1(void);
+void test_fflush_read2(void);
+void test_fflush_read3(void);
+void test_fflush_read4(void);
+void setupw(void);
+void test_fflush_read5(void);
+void test_fflush_read6(void);
+void
+setup(void)
+{
+        FILE    *fp;
+        /* common setup */
+        unlink(TMPFILENAME);
+        fp = fopen(TMPFILENAME, "w+");
+        assert(fp != NULL);
+        fputs("Hello world\n", fp);
+        fclose(fp);
+}
+/* fflush work with reading file and seekable */
+void
+test_fflush_read0(void)
+{
+        int      r;
+        char     buf[80];
+        FILE    *fp;
+        setup();
+        /* In POSIX 2008, fflush() must work with the file object for reading */
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+        assert(fgetc(fp) == 'H');
+        r = fflush(fp);
+        assert(r == 0);
+        /* the position is moved to 1 */
+        assert(ftell(fp) == 1);
+        /* can read rest of that */
+        fgets(buf, sizeof(buf), fp);
+        assert(strcmp(buf, "ello world\n") == 0);
+        r = fclose(fp);
+        assert(r == 0);
+}
+/* fflush work with reading file and seekable + unget */
+void
+test_fflush_read1(void)
+{
+        int      r;
+        char     buf[80];
+        FILE    *fp;
+        setup();
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+        assert(fgetc(fp) == 'H');
+        assert(fgetc(fp) == 'e');
+        assert(fgetc(fp) == 'l');
+        assert(fgetc(fp) == 'l');
+        assert(fgetc(fp) == 'o');
+        /* push the 'AAAA' back */
+        ungetc('A', fp);
+        ungetc('A', fp);
+        ungetc('A', fp);
+        ungetc('A', fp);
+        /* can read rest of that */
+        fgets(buf, sizeof(buf), fp);
+        assert(strcmp(buf, "AAAA world\n") == 0);
+        r = fclose(fp);
+        assert(r == 0);
+        /* do the same thing + fflush */
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+        assert(fgetc(fp) == 'H');
+        assert(fgetc(fp) == 'e');
+        assert(fgetc(fp) == 'l');
+        assert(fgetc(fp) == 'l');
+        assert(fgetc(fp) == 'o');
+        /* push 'AAAA' back */
+        ungetc('A', fp);
+        ungetc('A', fp);
+        ungetc('A', fp);
+        ungetc('A', fp);
+        /* then fflush */
+        r = fflush(fp);
+        assert(r == 0);
+        /* fllush() clears the all pushed back chars */
+        /* can read rest of that */
+        fgets(buf, sizeof(buf), fp);
+        assert(strcmp(buf, " world\n") == 0);
+        r = fclose(fp);
+        assert(r == 0);
+}
+/* fflush() to reading and non-seekable stream */
+void
+test_fflush_read2(void)
+{
+        int      r;
+        FILE    *fp;
+        char     buf[80];
+        /* In POSIX-2008, fflush() must work with the file object for reading */
+        fp = popen("echo Hello world", "r");
+        assert(fp != NULL);
+        assert(fgetc(fp) == 'H');
+        r = fflush(fp);
+        assert(r == 0);
+        /*
+         * FILE object for read and NOT seekable.  In that case, fflush does
+         * nothing, but must keep the buffer.
+         */
+        /* can read rest of that */
+        fgets(buf, sizeof(buf), fp);
+        assert(strcmp(buf, "ello world\n") == 0);
+        r = pclose(fp);
+        assert(r == 0);
+}
+/* fflush() to the file which doesn't have any buffer */
+void
+test_fflush_read3(void)
+{
+        int      r;
+        FILE    *fp;
+        setup();
+        /* In POSIX-2008, fflush() must work with the file object for reading */
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+        r = fflush(fp);
+        assert(r == 0);
+        r = fclose(fp);
+        assert(r == 0);
+}
+/* freopen() should call fflush() internal */
+void
+test_fflush_read4(void)
+{
+        int      r;
+        FILE    *fp;
+        off_t    pos;
+        char     buf[80];
+        setup();
+        /* In POSIX-2008, fflush() must work with the file object for reading */
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+        assert(fgetc(fp) == 'H');       /* read 1 */
+        pos = lseek(fileno(fp), 0, SEEK_CUR);
+        assert(pos >= 1);
+        assert(pos > 1);        /* this test assume the buffer is used */
+        /* freopen() should call fflush() internal */
+        fp = freopen(TMPFILENAME, "r", fp);
+        assert(fp != NULL);
+        /* can read rest of that on fp */
+        fgets(buf, sizeof(buf), fp);
+        assert(strcmp(buf, "Hello world\n") == 0);
+        r = fclose(fp);
+        assert(r == 0);
+}
+void
+setupw(void)
+{
+        FILE    *fp;
+        /* common setup */
+        unlink(TMPFILENAME);
+        fp = fopen(TMPFILENAME, "w+");
+        assert(fp != NULL);
+        /* Konnitiwa Sekai(in Kanji) */
+        fputws(L"\u3053\u3093\u306b\u3061\u308f \u4e16\u754c\n", fp);
+        fclose(fp);
+}
+/* fflush work with reading file and seekable + ungetwc */
+void
+test_fflush_read5(void)
+{
+        int      r;
+        wchar_t  buf[80];
+        FILE    *fp;
+        setupw();
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+        assert(fgetwc(fp) == L'\u3053');        /* Ko */
+        assert(fgetwc(fp) == L'\u3093');        /* N  */
+        assert(fgetwc(fp) == L'\u306b');        /* Ni */
+        assert(fgetwc(fp) == L'\u3061');        /* Ti */
+        assert(fgetwc(fp) == L'\u308f');        /* Wa */
+        /* push 263A(smile) back */
+        assert(ungetwc(L'\u263a', fp));
+        /* we support 1 push back wchar_t */
+        assert(fgetwc(fp) == L'\u263a');
+        /* can read reset of that */
+        fgetws(buf, sizeof(buf), fp);
+        assert(wcscmp(buf, L" \u4e16\u754c\n") == 0);
+        r = fclose(fp);
+        assert(r == 0);
+        /* do the same thing + fflush */
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+        assert(fgetwc(fp) == L'\u3053');        /* Ko */
+        assert(fgetwc(fp) == L'\u3093');        /* N  */
+        assert(fgetwc(fp) == L'\u306b');        /* Ni */
+        assert(fgetwc(fp) == L'\u3061');        /* Ti */
+        assert(fgetwc(fp) == L'\u308f');        /* Wa */
+        /* push 263A(smile) back */
+        assert(ungetwc(L'\u263a', fp));
+        /* we support 1 push back wchar_t */
+        assert(fgetwc(fp) == L'\u263a');
+        /* then fflush */
+        r = fflush(fp);
+        assert(r == 0);
+        /* fllush() clears the all pushed back chars */
+        /* can read rest of that */
+        fgetws(buf, sizeof(buf), fp);
+        assert(wcscmp(buf, L" \u4e16\u754c\n") == 0);
+        r = fclose(fp);
+        assert(r == 0);
+}
+void
+test_fflush_read6(void)
+{
+        int      r, c;
+        FILE    *fp;
+        setup();
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+        /*
+         * https://pubs.opengroup.org/onlinepubs/9699919799/functions/fflush.html
+         * .. any characters pushed back onto the stream by ungetc() or ungetwc()
+         * that have not subsequently been read from the stream shall be discarded
+         * (without further changing the file offset).
+         */
+        assert(fgetc(fp) == 'H');
+        c = getc(fp);
+        ungetc(c, fp);  /* push back the character has been read */
+        r = fflush(fp);
+        assert(r == 0);
+        assert(getc(fp) == c);
+        fseek(fp, 0, SEEK_SET);
+        assert(fgetc(fp) == 'H');
+        c = getc(fp);
+        ungetc('X', fp); /* push back the character has not been read */
+        r = fflush(fp);
+        assert(r == 0);
+        assert(getc(fp) == 'l');
+        r = fclose(fp);
+        assert(r == 0);
+}
+int
+main(int argc, char *argv[])
+{
+        setlocale(LC_ALL, "C.UTF-8");
+        test_fflush_read0();
+        test_fflush_read1();
+        test_fflush_read2();
+        test_fflush_read3();
+        test_fflush_read4();
+        test_fflush_read5();
+        test_fflush_read6();
+        exit(0);
+}
diff --git a/src/regress/lib/libc/stdio/test_ungetwc.c b/src/regress/lib/libc/stdio/test_ungetwc.c
new file mode 100644
index 0000000000..bb4e853020
--- /dev/null
+++ b/src/regress/lib/libc/stdio/test_ungetwc.c
@@ -0,0 +1,90 @@
+/*      $OpenBSD: test_ungetwc.c,v 1.1 2025/05/25 05:32:45 yasuoka Exp $        */
+/*
+ * Copyright (c) 2025 YASUOKA Masahiko <yasuoka@yasuoka.net>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <locale.h>
+#include <wchar.h>
+/* we use assert() */
+#undef  NDEBUG
+#define TMPFILENAME     "test_ungetwc.tmp"
+void setupw(void);
+void test_fflush_ungetwc0(void);
+void
+setupw(void)
+{
+        FILE    *fp;
+        /* common setup */
+        unlink(TMPFILENAME);
+        fp = fopen(TMPFILENAME, "w+");
+        assert(fp != NULL);
+        /* Konnitiwa Sekai(in Kanji) */
+        fputws(L"\u3053\u3093\u306b\u3061\u308f \u4e16\u754c\n", fp);
+        fclose(fp);
+}
+/* fflush work with reading file and seekable + ungetwc */
+void
+test_fflush_ungetwc0(void)
+{
+        int      r;
+        wchar_t  buf[80];
+        FILE    *fp;
+        setupw();
+        fp = fopen(TMPFILENAME, "r");
+        assert(fp != NULL);
+        assert(fgetwc(fp) == L'\u3053');        /* Ko */
+        assert(fgetwc(fp) == L'\u3093');        /* N  */
+        assert(fgetwc(fp) == L'\u306b');        /* Ni */
+        assert(fgetwc(fp) == L'\u3061');        /* Ti */
+        assert(fgetwc(fp) == L'\u308f');        /* Wa */
+        /* push 263A(smile) back */
+        assert(ungetwc(L'\u263a', fp));
+        /* we support 1 push back wchar_t */
+        assert(fgetwc(fp) == L'\u263a');
+        /* can read reset of that */
+        fgetws(buf, sizeof(buf), fp);
+        assert(wcscmp(buf, L" \u4e16\u754c\n") == 0);
+        r = fclose(fp);
+        assert(r == 0);
+}
+int
+main(int argc, char *argv[])
+{
+        setlocale(LC_ALL, "C.UTF-8");
+        test_fflush_ungetwc0();
+        exit(0);
+}
diff --git a/src/regress/lib/libc/sys/t_fork.c b/src/regress/lib/libc/sys/t_fork.c
index b55b557824..1084855aee 100644
--- a/src/regress/lib/libc/sys/t_fork.c
+++ b/src/regress/lib/libc/sys/t_fork.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: t_fork.c,v 1.5 2021/12/13 16:56:48 deraadt Exp $      */
+/*      $OpenBSD: t_fork.c,v 1.6 2025/10/31 17:14:46 miod Exp $ */
 /*      $NetBSD: t_fork.c,v 1.4 2019/04/06 15:41:54 kamil Exp $ */
 /*-
@@ -28,7 +28,7 @@
 */
 #include "macros.h"
-#include <sys/types.h>
+#include <sys/param.h>  /* for MACHINE_STACK_GROWS_UP */
 #include <sys/signal.h>
 #ifdef __OpenBSD__
 #include <sys/proc.h>
@@ -282,7 +282,7 @@ nested_raw(const char *fn, volatile int flags)
        stack = malloc(stack_size);
        ATF_REQUIRE(stack != NULL);
-#ifdef __MACHINE_STACK_GROWS_UP
+#ifdef MACHINE_STACK_GROWS_UP
        stack_base = stack;
 #else
        stack_base = (char *)stack + stack_size;
diff --git a/src/regress/lib/libc/sys/t_getrusage.c b/src/regress/lib/libc/sys/t_getrusage.c
index 1a9e3d139c..04ad7e4e87 100644
--- a/src/regress/lib/libc/sys/t_getrusage.c
+++ b/src/regress/lib/libc/sys/t_getrusage.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: t_getrusage.c,v 1.3 2021/12/13 16:56:48 deraadt Exp $ */
+/*      $OpenBSD: t_getrusage.c,v 1.4 2025/11/06 12:56:58 miod Exp $    */
 /* $NetBSD: t_getrusage.c,v 1.8 2018/05/09 08:45:03 mrg Exp $ */
 /*-
@@ -68,6 +68,8 @@ work(void)
                 asm volatile("l.nop"); /* Do something. */
 #elif defined(__ia64__)
                 asm volatile("nop 0"); /* Do something. */
+#elif defined(__m88k)
+                 asm volatile("or %r0, %r0, %r0"); /* Do something. */
 #else
                 asm volatile("nop");   /* Do something. */
 #endif
diff --git a/src/regress/lib/libc/time/time_conversion/timetest.c b/src/regress/lib/libc/time/time_conversion/timetest.c
index 0706704ee1..1405f1c6a5 100644
--- a/src/regress/lib/libc/time/time_conversion/timetest.c
+++ b/src/regress/lib/libc/time/time_conversion/timetest.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: timetest.c,v 1.4 2023/04/13 11:32:06 mbuhl Exp $ */
+/*      $OpenBSD: timetest.c,v 1.5 2025/08/17 08:43:03 phessler Exp $ */
 /*
 * Copyright (c) 2022 Bob Beck <beck@openbsd.org>
@@ -79,12 +79,12 @@ struct timetest timetests[] = {
                        .tm_yday=171,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
                .descr="moon",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=-16751025,
                .local_tm=              {
                        .tm_year=69,
@@ -97,7 +97,7 @@ struct timetest timetests[] = {
                        .tm_yday=171,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                },
                .gmt_tm=                {
                        .tm_year=69,
@@ -110,7 +110,7 @@ struct timetest timetests[] = {
                        .tm_yday=171,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -141,7 +141,7 @@ struct timetest timetests[] = {
                        .tm_yday=171,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -172,12 +172,12 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
                .descr="epoch",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=0,
                .local_tm=              {
                        .tm_year=70,
@@ -190,7 +190,7 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                },
                .gmt_tm=                {
                        .tm_year=70,
@@ -203,7 +203,7 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -234,7 +234,7 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -265,12 +265,12 @@ struct timetest timetests[] = {
                        .tm_yday=364,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
                .descr="epoch - 1",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=-1,
                .local_tm=              {
                        .tm_year=69,
@@ -283,7 +283,7 @@ struct timetest timetests[] = {
                        .tm_yday=364,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                },
                .gmt_tm=                {
                        .tm_year=69,
@@ -296,7 +296,7 @@ struct timetest timetests[] = {
                        .tm_yday=364,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -327,7 +327,7 @@ struct timetest timetests[] = {
                        .tm_yday=364,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -358,12 +358,12 @@ struct timetest timetests[] = {
                        .tm_yday=346,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
                .descr="legacy min",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=-2147483648,
                .local_tm=              {
                        .tm_year=1,
@@ -376,7 +376,7 @@ struct timetest timetests[] = {
                        .tm_yday=346,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                },
                .gmt_tm=                {
                        .tm_year=1,
@@ -389,7 +389,7 @@ struct timetest timetests[] = {
                        .tm_yday=346,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -420,12 +420,12 @@ struct timetest timetests[] = {
                        .tm_yday=346,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
                .descr="legacy min - 1",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=-2147483649,
                .local_tm=              {
                        .tm_year=1,
@@ -438,7 +438,7 @@ struct timetest timetests[] = {
                        .tm_yday=346,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                },
                .gmt_tm=                {
                        .tm_year=1,
@@ -451,7 +451,7 @@ struct timetest timetests[] = {
                        .tm_yday=346,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -482,12 +482,12 @@ struct timetest timetests[] = {
                        .tm_yday=18,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
                .descr="legacy max",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=2147483647,
                .local_tm=              {
                        .tm_year=138,
@@ -500,7 +500,7 @@ struct timetest timetests[] = {
                        .tm_yday=18,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                },
                .gmt_tm=                {
                        .tm_year=138,
@@ -513,7 +513,7 @@ struct timetest timetests[] = {
                        .tm_yday=18,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -544,12 +544,12 @@ struct timetest timetests[] = {
                        .tm_yday=18,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
                .descr="legacy max + 1",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=2147483648,
                .local_tm=              {
                        .tm_year=138,
@@ -562,7 +562,7 @@ struct timetest timetests[] = {
                        .tm_yday=18,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                },
                .gmt_tm=                {
                        .tm_year=138,
@@ -575,7 +575,7 @@ struct timetest timetests[] = {
                        .tm_yday=18,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -611,7 +611,7 @@ struct timetest timetests[] = {
        },
        {
                .descr="min",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=INT64_MIN,
                .local_tm=              {
                        .tm_year=0,
@@ -704,7 +704,7 @@ struct timetest timetests[] = {
        },
        {
                .descr="max",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=9223372036854775807,
                .local_tm=              {
                        .tm_year=0,
@@ -792,7 +792,7 @@ struct timetest timetests[] = {
                        .tm_yday=30,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -823,12 +823,12 @@ struct timetest timetests[] = {
                        .tm_yday=30,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
                .descr="maxint struct tm",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=67767976204675199,
                .local_tm=              {
                        .tm_year=2147481747,
@@ -841,7 +841,7 @@ struct timetest timetests[] = {
                        .tm_yday=30,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                },
                .gmt_tm=                {
                        .tm_year=2147481747,
@@ -854,12 +854,12 @@ struct timetest timetests[] = {
                        .tm_yday=30,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
                .descr="minint struct tm",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=-67768038398073601,
                .local_tm=              {
                        .tm_year=-2147483578,
@@ -872,7 +872,7 @@ struct timetest timetests[] = {
                        .tm_yday=30,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                },
                .gmt_tm=                {
                        .tm_year=-2147483578,
@@ -885,7 +885,7 @@ struct timetest timetests[] = {
                        .tm_yday=30,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -916,12 +916,12 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
                .descr="0000",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=-62167219200,
                .local_tm=              {
                        .tm_year=-1900,
@@ -934,7 +934,7 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                },
                .gmt_tm=                {
                        .tm_year=-1900,
@@ -947,7 +947,7 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -978,7 +978,7 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1009,12 +1009,12 @@ struct timetest timetests[] = {
                        .tm_yday=364,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
                .descr="9999",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=253402300799,
                .local_tm=              {
                        .tm_year=8099,
@@ -1027,7 +1027,7 @@ struct timetest timetests[] = {
                        .tm_yday=364,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                },
                .gmt_tm=                {
                        .tm_year=8099,
@@ -1040,7 +1040,7 @@ struct timetest timetests[] = {
                        .tm_yday=364,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1071,7 +1071,7 @@ struct timetest timetests[] = {
                        .tm_yday=364,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1102,7 +1102,7 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1133,7 +1133,7 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1164,12 +1164,12 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
                .descr="leap second - 1",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=1483228825,
                .local_tm=              {
                        .tm_year=116,
@@ -1182,7 +1182,7 @@ struct timetest timetests[] = {
                        .tm_yday=365,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                },
                .gmt_tm=                {
                        .tm_year=117,
@@ -1195,12 +1195,12 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
                .descr="leap second",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=1483228826,
                .local_tm=              {
                        .tm_year=116,
@@ -1213,7 +1213,7 @@ struct timetest timetests[] = {
                        .tm_yday=365,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                },
                .gmt_tm=                {
                        .tm_year=117,
@@ -1226,12 +1226,12 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
                .descr="leap second + 1",
-                .timezone="right/UTC",
+                .timezone="right/GMT",
                .time=1483228827,
                .local_tm=              {
                        .tm_year=117,
@@ -1244,7 +1244,7 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="UTC"
+                        .tm_zone="GMT"
                },
                .gmt_tm=                {
                        .tm_year=117,
@@ -1257,7 +1257,7 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1288,7 +1288,7 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1319,7 +1319,7 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1350,7 +1350,7 @@ struct timetest timetests[] = {
                        .tm_yday=0,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1381,7 +1381,7 @@ struct timetest timetests[] = {
                        .tm_yday=72,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1412,7 +1412,7 @@ struct timetest timetests[] = {
                        .tm_yday=72,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1443,7 +1443,7 @@ struct timetest timetests[] = {
                        .tm_yday=72,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1474,7 +1474,7 @@ struct timetest timetests[] = {
                        .tm_yday=72,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1505,7 +1505,7 @@ struct timetest timetests[] = {
                        .tm_yday=72,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1536,7 +1536,7 @@ struct timetest timetests[] = {
                        .tm_yday=72,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1567,7 +1567,7 @@ struct timetest timetests[] = {
                        .tm_yday=310,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1598,7 +1598,7 @@ struct timetest timetests[] = {
                        .tm_yday=310,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1629,7 +1629,7 @@ struct timetest timetests[] = {
                        .tm_yday=310,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1660,7 +1660,7 @@ struct timetest timetests[] = {
                        .tm_yday=310,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1691,7 +1691,7 @@ struct timetest timetests[] = {
                        .tm_yday=310,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
@@ -1722,7 +1722,7 @@ struct timetest timetests[] = {
                        .tm_yday=310,
                        .tm_isdst=0,
                        .tm_gmtoff=0,
-                        .tm_zone="GMT"
+                        .tm_zone="UTC"
                },
        },
        {
diff --git a/src/regress/lib/libcrypto/aes/aes_test.c b/src/regress/lib/libcrypto/aes/aes_test.c
index 37bee05ca7..8d5947a031 100644
--- a/src/regress/lib/libcrypto/aes/aes_test.c
+++ b/src/regress/lib/libcrypto/aes/aes_test.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: aes_test.c,v 1.3 2023/09/28 08:21:43 tb Exp $ */
+/*      $OpenBSD: aes_test.c,v 1.5 2025/07/05 14:32:47 jsing Exp $ */
 /*
 * Copyright (c) 2022 Joshua Sing <joshua@hypera.dev>
 *
@@ -524,6 +524,161 @@ static const struct aes_test aes_tests[] = {
                },
                .out_len = 64,
        },
+        /* XTS128 - Test vectors from NIST SP 800-38A */
+        {
+                /* XTSGenAES128 1 */
+                .mode = NID_aes_128_xts,
+                .key = {
+                        0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35,
+                        0x3b, 0x2c, 0x34, 0x38, 0x76, 0x08, 0x17, 0x62,
+                        0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18,
+                        0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f,
+                },
+                .iv = {
+                        0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6,
+                        0x6e, 0x4b, 0x92, 0x01, 0x3e, 0x76, 0x8a, 0xd5,
+                },
+                .iv_len = 16,
+                .in = {
+                        0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d,
+                        0x6f, 0xb3, 0x50, 0x39, 0x07, 0x90, 0x31, 0x1c,
+                },
+                .in_len = 16,
+                .out = {
+                        0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a,
+                        0x82, 0x50, 0x81, 0xd5, 0xbe, 0x47, 0x1c, 0x63,
+                },
+                .out_len = 16,
+        },
+        {
+                /* XTSGenAES128 385 */
+                .mode = NID_aes_128_xts,
+                .key = {
+                        0xb8, 0xdb, 0x0b, 0x9e, 0x63, 0xf5, 0xf0, 0xe6,
+                        0x60, 0x97, 0x98, 0xa6, 0xcb, 0x42, 0xbb, 0x5b,
+                        0x5d, 0x71, 0x39, 0xbb, 0x95, 0x57, 0x99, 0xf5,
+                        0x2a, 0x7c, 0x58, 0x1f, 0x84, 0x63, 0x31, 0x76,
+                },
+                .iv = {
+                        0x8d, 0x46, 0xf9, 0x67, 0x01, 0x16, 0x7a, 0x1d,
+                        0x77, 0xcd, 0x1e, 0x44, 0xda, 0x92, 0xf3, 0xa8,
+                },
+                .iv_len = 16,
+                .in = {
+                        0xb4, 0x64, 0x4d, 0xc1, 0xb3, 0x8d, 0xd5, 0x98,
+                        0xca, 0x84, 0x0a, 0x82, 0xd4, 0xd9, 0xc0, 0x65,
+                        0x67, 0x23, 0xb1, 0x58, 0x01, 0xaa, 0x18, 0xe6,
+                        0x6e,
+                },
+                .in_len = 25,
+                .out = {
+                        0x09, 0x28, 0x8c, 0xf5, 0x1f, 0x1e, 0xb4, 0xad,
+                        0xb8, 0x54, 0x23, 0xd0, 0xe0, 0xd6, 0xe9, 0x58,
+                        0x18, 0x87, 0x06, 0xaf, 0x26, 0x0e, 0x24, 0x67,
+                        0x4e,
+                },
+                .out_len = 25,
+        },
+        {
+                /* XTSGenAES128 404 */
+                .mode = NID_aes_128_xts,
+                .key = {
+                        0xbe, 0x5c, 0xf1, 0xf9, 0x9d, 0x51, 0x59, 0xf2,
+                        0x11, 0xdb, 0xc4, 0xc1, 0x47, 0xf7, 0x9c, 0x55,
+                        0x6b, 0x2d, 0xa5, 0xc6, 0x91, 0xde, 0xed, 0x74,
+                        0x0d, 0x01, 0x57, 0xea, 0xb8, 0xc9, 0xc8, 0x9a,
+                },
+                .iv = {
+                        0x89, 0x24, 0x86, 0x24, 0xb6, 0x96, 0xcf, 0x9c,
+                        0xb1, 0xb5, 0x77, 0x9c, 0xdc, 0xbc, 0xfe, 0x1c,
+                },
+                .iv_len = 16,
+                .in = {
+                        0x3b, 0x80, 0xf8, 0x22, 0xc4, 0xee, 0xe1, 0x31,
+                        0x3f, 0x79, 0xca, 0x3d, 0xb1, 0x34, 0xd9, 0xca,
+                        0x8b, 0x09, 0xa3, 0x53, 0x4d, 0x4e, 0x18, 0xe6,
+                        0x43, 0x9e, 0x1c, 0xdb, 0x86, 0x18, 0x2a, 0x4f,
+                },
+                .in_len = 32,
+                .out = {
+                        0x4b, 0x6a, 0xf4, 0x3a, 0x88, 0xb6, 0x33, 0xeb,
+                        0xd1, 0xe1, 0x27, 0xc1, 0xec, 0x90, 0xcc, 0x47,
+                        0xa2, 0xf1, 0x6e, 0x3b, 0xc7, 0x9f, 0x88, 0x45,
+                        0xe3, 0xbd, 0x00, 0x25, 0xda, 0x87, 0x26, 0x45,
+                },
+                .out_len = 32,
+        },
+        {
+                /* XTSGenAES256 1 */
+                .mode = NID_aes_256_xts,
+                .key = {
+                        0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e,
+                        0x48, 0x01, 0xe4, 0x2f, 0x4b, 0x09, 0x47, 0x14,
+                        0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7,
+                        0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c,
+                        0xd6, 0xe1, 0x3f, 0xfd, 0xf2, 0x41, 0x8d, 0x8d,
+                        0x19, 0x11, 0xc0, 0x04, 0xcd, 0xa5, 0x8d, 0xa3,
+                        0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58,
+                        0x31, 0x8e, 0xea, 0x39, 0x2c, 0xf4, 0x1b, 0x08,
+                },
+                .iv = {
+                        0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2,
+                        0xf0, 0x42, 0x8e, 0x84, 0xa9, 0xf8, 0x75, 0x64,
+                },
+                .iv_len = 16,
+                .in = {
+                        0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1,
+                        0xac, 0xc6, 0x47, 0xe8, 0x10, 0xbb, 0xc3, 0x64,
+                        0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3,
+                        0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e,
+                },
+                .in_len = 32,
+                .out = {
+                        0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5,
+                        0x0b, 0x37, 0xf9, 0x34, 0xd4, 0x6a, 0x9b, 0x13,
+                        0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a,
+                        0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb,
+                },
+                .out_len = 32,
+        },
+        {
+                /* XTSGenAES256 172 */
+                .mode = NID_aes_256_xts,
+                .key= {
+                        0x5c, 0x7f, 0x7a, 0x36, 0x08, 0x01, 0x78, 0x43,
+                        0x00, 0x83, 0xff, 0x54, 0x92, 0xef, 0x77, 0x26,
+                        0x0f, 0x68, 0x0a, 0x15, 0xa7, 0x66, 0x24, 0xb8,
+                        0x9e, 0x85, 0x4c, 0x94, 0xf0, 0x48, 0x8a, 0x9e,
+                        0x7d, 0xaa, 0x4f, 0x33, 0x01, 0x1f, 0x91, 0xdf,
+                        0x5e, 0x33, 0x80, 0x53, 0xf4, 0x6c, 0xee, 0x65,
+                        0x0f, 0xb0, 0xee, 0x69, 0xf8, 0xc2, 0x15, 0x75,
+                        0x5a, 0x4a, 0x63, 0xcd, 0x42, 0x28, 0xc2, 0x19,
+                },
+                .iv = {
+                        0xa4, 0x01, 0xd7, 0x3c, 0x88, 0x75, 0xe7, 0x59,
+                        0xaa, 0x3e, 0xef, 0x53, 0xe0, 0xfb, 0x62, 0x63,
+                },
+                .iv_len = 16,
+                .in = {
+                        0xb1, 0xe6, 0x29, 0xa6, 0x2a, 0x03, 0xca, 0x96,
+                        0x9b, 0x16, 0x91, 0x52, 0x02, 0xbc, 0xaa, 0x09,
+                        0xe7, 0x8a, 0xe1, 0x85, 0x1b, 0xc8, 0x85, 0x81,
+                        0x16, 0x49, 0x68, 0xa5, 0x65, 0x6c, 0x82, 0xc0,
+                        0xe5, 0xc4, 0x03, 0xba, 0x54, 0xb9, 0xb5, 0xed,
+                        0x9b, 0xab, 0xe8, 0xb0, 0x75, 0x1d, 0x1b, 0x34,
+                },
+                .in_len = 48,
+                .out = {
+                        0xf5, 0xbc, 0xa6, 0x0f, 0xb9, 0x35, 0x2b, 0x1d,
+                        0xe0, 0x4d, 0x71, 0x29, 0x40, 0x56, 0x26, 0xb3,
+                        0xa4, 0x74, 0xa2, 0x64, 0xfb, 0xac, 0x2d, 0x6b,
+                        0xe1, 0x19, 0xe1, 0xd5, 0x7a, 0xa9, 0x98, 0xd0,
+                        0xe0, 0xe4, 0xd9, 0xf9, 0xc9, 0x76, 0x21, 0x0d,
+                        0x93, 0xc4, 0x65, 0xa3, 0xe3, 0x60, 0xcd, 0x92,
+                },
+                .out_len = 48,
+        },
 };
 #define N_AES_TESTS (sizeof(aes_tests) / sizeof(aes_tests[0]))
@@ -542,7 +697,10 @@ aes_ecb_test(size_t test_number, const char *label, int key_bits,
        /* Encryption */
        memset(out, 0, sizeof(out));
-        AES_set_encrypt_key(at->key, key_bits, &key);
+        if (AES_set_encrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_encrypt_key failed\n", label, test_number);
+                return 0;
+        }
        AES_ecb_encrypt(at->in, out, &key, 1);
        if (memcmp(at->out, out, at->out_len) != 0) {
@@ -553,7 +711,10 @@ aes_ecb_test(size_t test_number, const char *label, int key_bits,
        /* Decryption */
        memset(out, 0, sizeof(out));
-        AES_set_decrypt_key(at->key, key_bits, &key);
+        if (AES_set_decrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_decrypt_key failed\n", label, test_number);
+                return 0;
+        }
        AES_ecb_encrypt(at->out, out, &key, 0);
        if (memcmp(at->in, out, at->in_len) != 0) {
@@ -582,7 +743,10 @@ aes_cbc_test(size_t test_number, const char *label, int key_bits,
        /* Encryption */
        memset(out, 0, sizeof(out));
        memcpy(iv, at->iv, at->iv_len);
-        AES_set_encrypt_key(at->key, key_bits, &key);
+        if (AES_set_encrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_encrypt_key failed\n", label, test_number);
+                return 0;
+        }
        AES_cbc_encrypt(at->in, out, at->in_len, &key, iv, 1);
        if (memcmp(at->out, out, at->out_len) != 0) {
@@ -594,7 +758,10 @@ aes_cbc_test(size_t test_number, const char *label, int key_bits,
        /* Decryption */
        memset(out, 0, sizeof(out));
        memcpy(iv, at->iv, at->iv_len);
-        AES_set_decrypt_key(at->key, key_bits, &key);
+        if (AES_set_decrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_decrypt_key failed\n", label, test_number);
+                return 0;
+        }
        AES_cbc_encrypt(at->out, out, at->out_len, &key, iv, 0);
        if (memcmp(at->in, out, at->in_len) != 0) {
@@ -607,6 +774,96 @@ aes_cbc_test(size_t test_number, const char *label, int key_bits,
 }
 static int
+aes_cfb128_test(size_t test_number, const char *label, int key_bits,
+    const struct aes_test *at)
+{
+        AES_KEY key;
+        uint8_t out[64];
+        uint8_t iv[16];
+        int num = 0;
+        /* CFB mode has no padding */
+        /* Encryption */
+        memset(out, 0, sizeof(out));
+        memcpy(iv, at->iv, at->iv_len);
+        if (AES_set_encrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_encrypt_key failed\n", label, test_number);
+                return 0;
+        }
+        AES_cfb128_encrypt(at->in, out, at->in_len, &key, iv, &num, AES_ENCRYPT);
+        if (memcmp(at->out, out, at->out_len) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): encryption mismatch\n",
+                    label, test_number);
+                return 0;
+        }
+        /* Decryption */
+        memset(out, 0, sizeof(out));
+        memcpy(iv, at->iv, at->iv_len);
+        num = 0;
+        if (AES_set_encrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_encrypt_key failed\n", label, test_number);
+                return 0;
+        }
+        AES_cfb128_encrypt(at->out, out, at->out_len, &key, iv, &num, AES_DECRYPT);
+        if (memcmp(at->in, out, at->in_len) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): decryption mismatch\n",
+                    label, test_number);
+                return 0;
+        }
+        return 1;
+}
+static int
+aes_ofb128_test(size_t test_number, const char *label, int key_bits,
+    const struct aes_test *at)
+{
+        AES_KEY key;
+        uint8_t out[64];
+        uint8_t iv[16];
+        int num = 0;
+        /* OFB mode has no padding */
+        /* Encryption */
+        memset(out, 0, sizeof(out));
+        memcpy(iv, at->iv, at->iv_len);
+        if (AES_set_encrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_encrypt_key failed\n", label, test_number);
+                return 0;
+        }
+        AES_ofb128_encrypt(at->in, out, at->in_len, &key, iv, &num);
+        if (memcmp(at->out, out, at->out_len) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): encryption mismatch\n",
+                    label, test_number);
+                return 0;
+        }
+        /* Decryption */
+        memset(out, 0, sizeof(out));
+        memcpy(iv, at->iv, at->iv_len);
+        num = 0;
+        if (AES_set_encrypt_key(at->key, key_bits, &key) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): AES_set_encrypt_key failed\n", label, test_number);
+                return 0;
+        }
+        AES_ofb128_encrypt(at->out, out, at->out_len, &key, iv, &num);
+        if (memcmp(at->in, out, at->in_len) != 0) {
+                fprintf(stderr, "FAIL (%s:%zu): decryption mismatch\n",
+                    label, test_number);
+                return 0;
+        }
+        return 1;
+}
+static int
 aes_evp_test(size_t test_number, const struct aes_test *at, const char *label,
    int key_bits, const EVP_CIPHER *cipher)
 {
@@ -649,6 +906,10 @@ aes_evp_test(size_t test_number, const struct aes_test *at, const char *label,
                if (in_len > at->in_len - i)
                        in_len = at->in_len - i;
+                /* XTS needs to be single shot. */
+                if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_XTS_MODE)
+                        in_len = at->in_len;
                if (!EVP_EncryptUpdate(ctx, out + total_len, &out_len,
                    at->in + i, in_len)) {
                        fprintf(stderr,
@@ -715,6 +976,10 @@ aes_evp_test(size_t test_number, const struct aes_test *at, const char *label,
                if (in_len > at->out_len - i)
                        in_len = at->out_len - i;
+                /* XTS needs to be single shot. */
+                if (EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_XTS_MODE)
+                        in_len = at->in_len;
                if (!EVP_DecryptUpdate(ctx, out + total_len, &out_len,
                    at->out + i, in_len)) {
                        fprintf(stderr,
@@ -881,6 +1146,16 @@ aes_cipher_from_nid(int nid, const char **out_label,
                *out_cipher = EVP_aes_256_ccm();
                break;
+        /* XTS */
+        case NID_aes_128_xts:
+                *out_label = SN_aes_128_xts;
+                *out_cipher = EVP_aes_128_xts();
+                break;
+        case NID_aes_256_xts:
+                *out_label = SN_aes_256_xts;
+                *out_cipher = EVP_aes_256_xts();
+                break;
        /* Unknown */
        default:
                return 0;
@@ -902,8 +1177,10 @@ aes_test(void)
        for (i = 0; i < N_AES_TESTS; i++) {
                at = &aes_tests[i];
                key_bits = aes_key_bits_from_nid(at->mode);
-                if (!aes_cipher_from_nid(at->mode, &label, &cipher))
+                if (!aes_cipher_from_nid(at->mode, &label, &cipher)) {
+                        fprintf(stderr, "unknown cipher\n");
                        goto failed;
+                }
                switch (at->mode) {
                /* ECB */
@@ -926,14 +1203,16 @@ aes_test(void)
                case NID_aes_128_cfb128:
                case NID_aes_192_cfb128:
                case NID_aes_256_cfb128:
-                        /* XXX - CFB128 non-EVP tests */
+                        if (!aes_cfb128_test(i, label, key_bits, at))
+                                goto failed;
                        break;
                /* OFB128 */
                case NID_aes_128_ofb128:
                case NID_aes_192_ofb128:
                case NID_aes_256_ofb128:
-                        /* XXX - OFB128 non-EVP tests */
+                        if (!aes_ofb128_test(i, label, key_bits, at))
+                                goto failed;
                        break;
                /* GCM */
@@ -947,7 +1226,13 @@ aes_test(void)
                case NID_aes_128_ccm:
                case NID_aes_192_ccm:
                case NID_aes_256_ccm:
-                        /* XXX - CCM non-EVP tests */
+                        /* CCM is EVP-only */
+                        break;
+                /* XTS */
+                case NID_aes_128_xts:
+                case NID_aes_256_xts:
+                        /* XTS is EVP-only */
                        break;
                /* Unknown */
diff --git a/src/regress/lib/libcrypto/asn1/Makefile b/src/regress/lib/libcrypto/asn1/Makefile
index 1ba2fecf23..23a01ab600 100644
--- a/src/regress/lib/libcrypto/asn1/Makefile
+++ b/src/regress/lib/libcrypto/asn1/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.28 2024/02/29 20:03:47 tb Exp $
+#       $OpenBSD: Makefile,v 1.30 2026/01/04 09:51:42 tb Exp $
 PROGS = \
        asn1api \
diff --git a/src/regress/lib/libcrypto/asn1/asn1basic.c b/src/regress/lib/libcrypto/asn1/asn1basic.c
index 1a873bf25d..0666e5b061 100644
--- a/src/regress/lib/libcrypto/asn1/asn1basic.c
+++ b/src/regress/lib/libcrypto/asn1/asn1basic.c
@@ -1,6 +1,7 @@
-/* $OpenBSD: asn1basic.c,v 1.16 2024/02/04 13:07:02 tb Exp $ */
+/* $OpenBSD: asn1basic.c,v 1.20 2026/01/04 09:43:52 tb Exp $ */
 /*
 * Copyright (c) 2017, 2021 Joel Sing <jsing@openbsd.org>
+ * Copyright (c) 2021 Google, Inc
 * Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
@@ -65,6 +66,14 @@ const uint8_t asn1_bit_string_primitive[] = {
        0x04, 0x0a, 0x3b, 0x5f, 0x29, 0x1c, 0xd0,
 };
+static const uint8_t asn1_bit_string_trailing_zeroes[] = {
+        0x04, 0x00
+};
+static const uint8_t asn1_bit_string_trailing_zeroes_encoded[] = {
+        0x03, 0x02, 0x02, 0x04,
+};
 static int
 asn1_bit_string_test(void)
 {
@@ -165,6 +174,35 @@ asn1_bit_string_test(void)
            sizeof(asn1_bit_string_primitive)))
                goto failed;
+        /*
+         * ASN1_STRING_set() truncates and determines unused bits
+         */
+        ASN1_BIT_STRING_free(abs);
+        abs = NULL;
+        if ((abs = ASN1_BIT_STRING_new()) == NULL) {
+                fprintf(stderr, "FAIL: ASN1_BIT_STRING_new\n");
+                goto failed;
+        }
+        if (!ASN1_STRING_set(abs, asn1_bit_string_trailing_zeroes,
+            sizeof(asn1_bit_string_trailing_zeroes))) {
+                fprintf(stderr, "FAIL: BIT STRING ASN1_BIT_STRING_set trailing zeroes\n");
+                goto failed;
+        }
+        freezero(p, len);
+        p = NULL;
+        if ((len = i2d_ASN1_BIT_STRING(abs, &p)) <= 0) {
+                fprintf(stderr, "FAIL: i2d_ASN1_BIT_STRING\n");
+                len = 0;
+                goto failed;
+        }
+        if (!asn1_compare_bytes("BIT STRING trailing zeroes", p, len,
+            asn1_bit_string_trailing_zeroes_encoded,
+            sizeof(asn1_bit_string_trailing_zeroes_encoded)))
+                goto failed;
        failed = 0;
 failed:
@@ -174,6 +212,459 @@ asn1_bit_string_test(void)
        return failed;
 }
+static const uint8_t asn1_bit_string_empty[] = {
+        0x03, 0x01, 0x00,
+};
+static const uint8_t asn1_bit_string_1101[] = {
+        0x03, 0x02, 0x04, 0xd0,
+};
+static const uint8_t asn1_bit_string_1001[] = {
+        0x03, 0x02, 0x04, 0x90,
+};
+static const uint8_t asn1_bit_string_1[] = {
+        0x03, 0x02, 0x07, 0x80,
+};
+static const uint8_t asn1_bit_string_1zeroes1[] = {
+        0x03, 0x09, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x01,
+};
+static const uint8_t asn1_bit_string_10010[] = {
+        0x03, 0x02, 0x03, 0x90,
+};
+static const uint8_t asn1_bit_string_zeroes[64] = { 0 };
+static int
+asn1_bit_string_set_bit_test(void)
+{
+        ASN1_BIT_STRING *abs;
+        const unsigned char *p;
+        unsigned char *der = NULL;
+        int der_len = 0;
+        int p_len;
+        int got;
+        int failed = 1;
+        /*
+         * A new ASN1_BIT_STRING serializes to the empty BIT STRING
+         */
+        if ((abs = ASN1_BIT_STRING_new()) == NULL) {
+                fprintf(stderr, "FAIL: ASN1_BIT_STRING_new()\n");
+                goto failed;
+        }
+        freezero(der, der_len);
+        der = NULL;
+        if ((der_len = i2d_ASN1_BIT_STRING(abs, &der)) <= 0) {
+                fprintf(stderr, "FAIL: i2d_ASN1_BIT_STRING\n");
+                der_len = 0;
+                goto failed;
+        }
+        if (!asn1_compare_bytes("new BIT STRING", der, der_len,
+            asn1_bit_string_empty, sizeof(asn1_bit_string_empty)))
+                goto failed;
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 0)) != 0) {
+                fprintf(stderr, "FAIL: new BIT STRING bit 0: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 100)) != 0) {
+                fprintf(stderr, "FAIL: new BIT STRING bit 100: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        /*
+         * Now set a few bits via ASN1_BIT_STRING_set_bit()
+         */
+        if (!ASN1_BIT_STRING_set_bit(abs, 0, 1) ||
+            !ASN1_BIT_STRING_set_bit(abs, 1, 1) ||
+            !ASN1_BIT_STRING_set_bit(abs, 2, 0) ||
+            !ASN1_BIT_STRING_set_bit(abs, 3, 1)) {
+                fprintf(stderr, "FAIL: BIT STRING 1101 ASN1_BIT_STRING_set_bit\n");
+                goto failed;
+        }
+        freezero(der, der_len);
+        der = NULL;
+        if ((der_len = i2d_ASN1_BIT_STRING(abs, &der)) <= 0) {
+                fprintf(stderr, "FAIL: i2d_ASN1_BIT_STRING\n");
+                der_len = 0;
+                goto failed;
+        }
+        if (!asn1_compare_bytes("BIT STRING 1101", der, der_len,
+            asn1_bit_string_1101, sizeof(asn1_bit_string_1101)))
+                goto failed;
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 0)) != 1) {
+                fprintf(stderr, "FAIL: BIT STRING 1101 bit 0: want %d, got %d\n",
+                    1, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 1)) != 1) {
+                fprintf(stderr, "FAIL: BIT STRING 1101 bit 1: want %d, got %d\n",
+                    1, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 2)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1101 bit 2: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 3)) != 1) {
+                fprintf(stderr, "FAIL: BIT STRING 1101 bit 3: want %d, got %d\n",
+                    1, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 4)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1101 bit 4: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        /*
+         * Bits that were set may be cleared.
+         */
+        if (!ASN1_BIT_STRING_set_bit(abs, 1, 0)) {
+                fprintf(stderr, "FAIL: BIT STRING 1101, clear bit 1\n");
+                goto failed;
+        }
+        freezero(der, der_len);
+        der = NULL;
+        if ((der_len = i2d_ASN1_BIT_STRING(abs, &der)) <= 0) {
+                fprintf(stderr, "FAIL: i2d_ASN1_BIT_STRING\n");
+                der_len = 0;
+                goto failed;
+        }
+        if (!asn1_compare_bytes("BIT STRING 1001", der, der_len,
+            asn1_bit_string_1001, sizeof(asn1_bit_string_1001)))
+                goto failed;
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 0)) != 1) {
+                fprintf(stderr, "FAIL: BIT STRING 1001 bit 0: want %d, got %d\n",
+                    1, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 1)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1001 bit 1: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 2)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1001 bit 2: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 3)) != 1) {
+                fprintf(stderr, "FAIL: BIT STRING 1001 bit 3: want %d, got %d\n",
+                    1, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 4)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1001 bit 4: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        /*
+         * Clearing trailing bits truncates the string.
+         */
+        if (!ASN1_BIT_STRING_set_bit(abs, 3, 0)) {
+                fprintf(stderr, "FAIL: BIT STRING 1001, clear bit 3\n");
+                goto failed;
+        }
+        freezero(der, der_len);
+        der = NULL;
+        if ((der_len = i2d_ASN1_BIT_STRING(abs, &der)) <= 0) {
+                fprintf(stderr, "FAIL: i2d_ASN1_BIT_STRING\n");
+                der_len = 0;
+                goto failed;
+        }
+        if (!asn1_compare_bytes("BIT STRING 1", der, der_len,
+            asn1_bit_string_1, sizeof(asn1_bit_string_1)))
+                goto failed;
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 0)) != 1) {
+                fprintf(stderr, "FAIL: BIT STRING 1 bit 0: want %d, got %d\n",
+                    1, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 1)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1 bit 1: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 2)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1 bit 2: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 3)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1 bit 3: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 4)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1 bit 4: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        /*
+         * Bits may be set beyond the end of the string.
+         */
+        if (!ASN1_BIT_STRING_set_bit(abs, 63, 1)) {
+                fprintf(stderr, "FAIL: BIT STRING 1 set bit 63\n");
+                goto failed;
+        }
+        freezero(der, der_len);
+        der = NULL;
+        if ((der_len = i2d_ASN1_BIT_STRING(abs, &der)) <= 0) {
+                fprintf(stderr, "FAIL: i2d_ASN1_BIT_STRING\n");
+                der_len = 0;
+                goto failed;
+        }
+        if (!asn1_compare_bytes("BIT STRING 1zeroes1", der, der_len,
+            asn1_bit_string_1zeroes1, sizeof(asn1_bit_string_1zeroes1)))
+                goto failed;
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 0)) != 1) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes1 bit 0: want %d, got %d\n",
+                    1, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 1)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes1 bit 1: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 62)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes1 bit 62: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 63)) != 1) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes1 bit 63: want %d, got %d\n",
+                    1, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 64)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes1 bit 64: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        /*
+         * We can truncate the string back down again.
+         */
+        if (!ASN1_BIT_STRING_set_bit(abs, 63, 0)) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes1, clear bit 63\n");
+                goto failed;
+        }
+        freezero(der, der_len);
+        der = NULL;
+        if ((der_len = i2d_ASN1_BIT_STRING(abs, &der)) <= 0) {
+                fprintf(stderr, "FAIL: i2d_ASN1_BIT_STRING\n");
+                der_len = 0;
+                goto failed;
+        }
+        if (!asn1_compare_bytes("BIT STRING 1zeroes", der, der_len,
+            asn1_bit_string_1, sizeof(asn1_bit_string_1)))
+                goto failed;
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 0)) != 1) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes bit 0: want %d, got %d\n",
+                    1, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 1)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes bit 1: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 62)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes bit 62: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 63)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes bit 63: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 64)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes bit 64: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        /*
+         * ASN1_BIT_STRING_set_bit() truncation also happens for a parsed string.
+         */
+        ASN1_BIT_STRING_free(abs);
+        abs = NULL;
+        p = asn1_bit_string_1zeroes1;
+        p_len = sizeof(asn1_bit_string_1zeroes1);
+        if ((abs = d2i_ASN1_BIT_STRING(NULL, &p, p_len)) == NULL) {
+                fprintf(stderr, "FAIL: BIT STRING 1zereos1 d2i_ASN1_BIT_STRING\n");
+                goto failed;
+        }
+        freezero(der, der_len);
+        der = NULL;
+        if ((der_len = i2d_ASN1_BIT_STRING(abs, &der)) <= 0) {
+                fprintf(stderr, "FAIL: i2d_ASN1_BIT_STRING\n");
+                der_len = 0;
+                goto failed;
+        }
+        if (!asn1_compare_bytes("BIT STRING 1zeroes1 (after d2i)", der, der_len,
+            asn1_bit_string_1zeroes1, sizeof(asn1_bit_string_1zeroes1)))
+                goto failed;
+        if (!ASN1_BIT_STRING_set_bit(abs, 63, 0)) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes1 (after d2i), clear bit 63\n");
+                goto failed;
+        }
+        freezero(der, der_len);
+        der = NULL;
+        if ((der_len = i2d_ASN1_BIT_STRING(abs, &der)) <= 0) {
+                fprintf(stderr, "FAIL: i2d_ASN1_BIT_STRING\n");
+                der_len = 0;
+                goto failed;
+        }
+        if (!asn1_compare_bytes("BIT STRING 1zeroes (after d2i)", der, der_len,
+            asn1_bit_string_1, sizeof(asn1_bit_string_1)))
+                goto failed;
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 0)) != 1) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes (after d2i) bit 0: want %d, got %d\n",
+                    1, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 1)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes (after d2i) bit 1: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 62)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes (after d2i) bit 62: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 63)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes (after d2i) bit 63: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        if ((got = ASN1_BIT_STRING_get_bit(abs, 64)) != 0) {
+                fprintf(stderr, "FAIL: BIT STRING 1zeroes (after d2i) bit 64: want %d, got %d\n",
+                    0, got);
+                goto failed;
+        }
+        /*
+         * A parsed bit string keeps its trailing zero bits.
+         */
+        ASN1_BIT_STRING_free(abs);
+        abs = NULL;
+        p = asn1_bit_string_10010;
+        p_len = sizeof(asn1_bit_string_10010);
+        if ((abs = d2i_ASN1_BIT_STRING(NULL, &p, p_len)) == NULL) {
+                fprintf(stderr, "FAIL: BIT STRING 10010 d2i_ASN1_BIT_STRING\n");
+                goto failed;
+        }
+        freezero(der, der_len);
+        der = NULL;
+        if ((der_len = i2d_ASN1_BIT_STRING(abs, &der)) <= 0) {
+                fprintf(stderr, "FAIL: i2d_ASN1_BIT_STRING\n");
+                der_len = 0;
+                goto failed;
+        }
+        if (!asn1_compare_bytes("BIT STRING 10010", der, der_len,
+            asn1_bit_string_10010, sizeof(asn1_bit_string_10010)))
+                goto failed;
+        /*
+         * Of course, ASN1_BIT_STRING_set_bit() still truncates, even if it's
+         * a noop.
+         */
+        if (!ASN1_BIT_STRING_set_bit(abs, 0, 1)) {
+                fprintf(stderr, "FAIL: BIT STRING 10010 set bit 0 to 1\n");
+                goto failed;
+        }
+        freezero(der, der_len);
+        der = NULL;
+        if ((der_len = i2d_ASN1_BIT_STRING(abs, &der)) <= 0) {
+                fprintf(stderr, "FAIL: i2d_ASN1_BIT_STRING\n");
+                der_len = 0;
+                goto failed;
+        }
+        if (!asn1_compare_bytes("BIT STRING 10010 after set bit", der, der_len,
+            asn1_bit_string_1001, sizeof(asn1_bit_string_1001)))
+                goto failed;
+        /*
+         * ASN1_BIT_STRING_set() also truncates
+         */
+        ASN1_BIT_STRING_free(abs);
+        abs = NULL;
+        if ((abs = ASN1_BIT_STRING_new()) == NULL) {
+                fprintf(stderr, "FAIL: ASN1_BIT_STRING_new\n");
+                goto failed;
+        }
+        if (!ASN1_STRING_set(abs, asn1_bit_string_zeroes,
+            sizeof(asn1_bit_string_zeroes))) {
+                fprintf(stderr, "FAIL: ASN1_BIT_STRING_set zeroes\n");
+                goto failed;
+        }
+        freezero(der, der_len);
+        der = NULL;
+        if ((der_len = i2d_ASN1_BIT_STRING(abs, &der)) <= 0) {
+                fprintf(stderr, "FAIL: i2d_ASN1_BIT_STRING\n");
+                der_len = 0;
+                goto failed;
+        }
+        if (!asn1_compare_bytes("BIT STRING all zeroes", der, der_len,
+            asn1_bit_string_empty, sizeof(asn1_bit_string_empty)))
+                goto failed;
+        failed = 0;
+ failed:
+        ASN1_BIT_STRING_free(abs);
+        freezero(der, der_len);
+        return failed;
+}
 const uint8_t asn1_boolean_false[] = {
        0x01, 0x01, 0x00,
 };
@@ -1129,6 +1620,7 @@ main(int argc, char **argv)
        int failed = 0;
        failed |= asn1_bit_string_test();
+        failed |= asn1_bit_string_set_bit_test();
        failed |= asn1_boolean_test();
        failed |= asn1_integer_test();
        failed |= asn1_string_test();
diff --git a/src/regress/lib/libcrypto/asn1/asn1complex.c b/src/regress/lib/libcrypto/asn1/asn1complex.c
index 6f34154b7f..0e2f50212c 100644
--- a/src/regress/lib/libcrypto/asn1/asn1complex.c
+++ b/src/regress/lib/libcrypto/asn1/asn1complex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1complex.c,v 1.4 2022/09/05 21:06:31 tb Exp $ */
+/* $OpenBSD: asn1complex.c,v 1.5 2025/12/07 09:35:20 tb Exp $ */
 /*
 * Copyright (c) 2017, 2021 Joel Sing <jsing@openbsd.org>
 *
@@ -190,7 +190,7 @@ do_asn1_constructed_test(const struct asn1_constructed_test *act)
                ERR_print_errors_fp(stderr);
                goto failed;
        }
-        if (!asn1_compare_bytes(act->name, ASN1_STRING_data(aos),
+        if (!asn1_compare_bytes(act->name, ASN1_STRING_get0_data(aos),
            ASN1_STRING_length(aos), act->want, act->want_len))
                goto failed;
@@ -285,7 +285,7 @@ do_asn1_sequence_string_tests(void)
                goto failed;
        }
-        if (!asn1_compare_bytes("sequence", ASN1_STRING_data(astr),
+        if (!asn1_compare_bytes("sequence", ASN1_STRING_get0_data(astr),
            ASN1_STRING_length(astr), asn1_sequence_content,
            sizeof(asn1_sequence_content)))
                goto failed;
@@ -299,7 +299,7 @@ do_asn1_sequence_string_tests(void)
                goto failed;
        }
-        if (!asn1_compare_bytes("sequence indefinite", ASN1_STRING_data(astr),
+        if (!asn1_compare_bytes("sequence indefinite", ASN1_STRING_get0_data(astr),
            ASN1_STRING_length(astr), asn1_sequence_indefinite_content,
            sizeof(asn1_sequence_indefinite_content)))
                goto failed;
diff --git a/src/regress/lib/libcrypto/asn1/asn1time.c b/src/regress/lib/libcrypto/asn1/asn1time.c
index 7223ad9c9b..e0e5139808 100644
--- a/src/regress/lib/libcrypto/asn1/asn1time.c
+++ b/src/regress/lib/libcrypto/asn1/asn1time.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1time.c,v 1.30 2024/07/21 13:25:11 tb Exp $ */
+/* $OpenBSD: asn1time.c,v 1.31 2025/05/22 04:54:14 joshua Exp $ */
 /*
 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2024 Google Inc.
@@ -33,6 +33,7 @@ struct asn1_time_test {
        const char *data;
        const unsigned char der[32];
        time_t time;
+        int generalized_time;
 };
 static const struct asn1_time_test asn1_invtime_tests[] = {
@@ -73,20 +74,19 @@ static const struct asn1_time_test asn1_invtime_tests[] = {
        {
                .str = "aaaaaaaaaaaaaaZ",
        },
-        /* utc time with omitted seconds, should fail */
        {
+                /* UTC time with omitted seconds, should fail */
                .str = "1609082343Z",
        },
-};
-static const struct asn1_time_test asn1_invgentime_tests[] = {
-        /* Generalized time with omitted seconds, should fail */
        {
+                /* Generalized time with omitted seconds, should fail */
                .str = "201612081934Z",
+                .generalized_time = 1,
        },
-        /* Valid UTC time, should fail as a generalized time */
        {
+                /* Valid UTC time, should fail as a generalized time */
                .str = "160908234300Z",
+                .generalized_time = 1,
        },
 };
@@ -235,7 +235,7 @@ asn1_compare_str(int test_no, const struct asn1_string_st *asn1str,
 }
 static int
-asn1_invtime_test(int test_no, const struct asn1_time_test *att, int gen)
+asn1_invtime_test(int test_no, const struct asn1_time_test *att)
 {
        ASN1_GENERALIZEDTIME *gt = NULL;
        ASN1_UTCTIME *ut = NULL;
@@ -255,7 +255,7 @@ asn1_invtime_test(int test_no, const struct asn1_time_test *att, int gen)
                goto done;
        }
-        if (gen)  {
+        if (att->generalized_time)  {
                failure = 0;
                goto done;
        }
@@ -842,13 +842,7 @@ main(int argc, char **argv)
        fprintf(stderr, "Invalid time tests...\n");
        for (i = 0; i < N_INVTIME_TESTS; i++) {
                att = &asn1_invtime_tests[i];
-                failed |= asn1_invtime_test(i, att, 0);
+                failed |= asn1_invtime_test(i, att);
-        }
-        fprintf(stderr, "Invalid generalized time tests...\n");
-        for (i = 0; i < N_INVGENTIME_TESTS; i++) {
-                att = &asn1_invgentime_tests[i];
-                failed |= asn1_invtime_test(i, att, 1);
        }
        fprintf(stderr, "GENERALIZEDTIME tests...\n");
diff --git a/src/regress/lib/libcrypto/bio/bio_dump.c b/src/regress/lib/libcrypto/bio/bio_dump.c
index 22db80fa3d..fd2bb285fb 100644
--- a/src/regress/lib/libcrypto/bio/bio_dump.c
+++ b/src/regress/lib/libcrypto/bio/bio_dump.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bio_dump.c,v 1.4 2024/02/09 12:48:32 tb Exp $ */
+/*      $OpenBSD: bio_dump.c,v 1.5 2025/05/18 06:41:51 tb Exp $ */
 /*
 * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
 *
@@ -809,7 +809,7 @@ bio_dump_test(const struct bio_dump_testcase *tc)
                    tc->indent, ret, got_len, strlen(tc->output));
                goto err;
        }
-        if (strncmp(tc->output, got, got_len) != 0) {
+        if (got_len > 0 && strncmp(tc->output, got, got_len) != 0) {
                fprintf(stderr, "%d: mismatch\n", tc->indent);
                goto err;
        }
diff --git a/src/regress/lib/libcrypto/bn/bn_mul_div.c b/src/regress/lib/libcrypto/bn/bn_mul_div.c
index 625d5e318e..dbad01004e 100644
--- a/src/regress/lib/libcrypto/bn/bn_mul_div.c
+++ b/src/regress/lib/libcrypto/bn/bn_mul_div.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_mul_div.c,v 1.7 2023/06/21 07:18:10 jsing Exp $ */
+/*      $OpenBSD: bn_mul_div.c,v 1.8 2025/08/12 10:29:35 jsing Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -233,6 +233,13 @@ struct benchmark benchmarks[] = {
                .b_bits = 256,
        },
        {
+                .desc = "BN_mul (384 bit x 384 bit)",
+                .setup = benchmark_bn_mul_setup,
+                .run_once = benchmark_bn_mul_run_once,
+                .a_bits = 384,
+                .b_bits = 384,
+        },
+        {
                .desc = "BN_mul (512 bit x 512 bit)",
                .setup = benchmark_bn_mul_setup,
                .run_once = benchmark_bn_mul_run_once,
@@ -294,6 +301,12 @@ struct benchmark benchmarks[] = {
                .a_bits = 256,
        },
        {
+                .desc = "BN_sqr (384 bit)",
+                .setup = benchmark_bn_sqr_setup,
+                .run_once = benchmark_bn_sqr_run_once,
+                .a_bits = 384,
+        },
+        {
                .desc = "BN_sqr (512 bit)",
                .setup = benchmark_bn_sqr_setup,
                .run_once = benchmark_bn_sqr_run_once,
diff --git a/src/regress/lib/libcrypto/bn/bn_print.c b/src/regress/lib/libcrypto/bn/bn_print.c
index a3118869fc..d3e1e83464 100644
--- a/src/regress/lib/libcrypto/bn/bn_print.c
+++ b/src/regress/lib/libcrypto/bn/bn_print.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_print.c,v 1.5 2023/07/27 06:41:39 tb Exp $ */
+/*      $OpenBSD: bn_print.c,v 1.6 2025/11/05 11:40:47 jsing Exp $ */
 /*
 * Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
@@ -51,7 +51,7 @@ const struct print_test {
                .desc = "minus one",
                .want = "    mana mana -1 (-0x1)\n",
        },
-#ifdef _LP64
+#if BN_BYTES == 8
        {
                .desc = "largest word",
                .want = "    mana mana 18446744073709551615 "
diff --git a/src/regress/lib/libcrypto/bn/bn_test.c b/src/regress/lib/libcrypto/bn/bn_test.c
index 5348788f50..b32b9e81e2 100644
--- a/src/regress/lib/libcrypto/bn/bn_test.c
+++ b/src/regress/lib/libcrypto/bn/bn_test.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: bn_test.c,v 1.23 2025/02/12 21:22:15 tb Exp $ */
+/*      $OpenBSD: bn_test.c,v 1.25 2025/11/15 16:30:10 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -69,7 +69,9 @@
 *
 */
+#include <inttypes.h>
 #include <stdio.h>
+#include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
@@ -474,18 +476,7 @@ test_div(BIO *bp, BN_CTX *ctx)
 static void
 print_word(BIO *bp, BN_ULONG w)
 {
-#ifdef SIXTY_FOUR_BIT
+        BIO_printf(bp, "%" PRIX64, (uint64_t)w);
-        if (sizeof(w) > sizeof(unsigned long)) {
-                unsigned long h = (unsigned long)(w >> 32), l = (unsigned long)(w);
-                if (h)
-                        BIO_printf(bp, "%lX%08lX", h, l);
-                else
-                        BIO_printf(bp, "%lX", l);
-                return;
-        }
-#endif
-        BIO_printf(bp, BN_HEX_FMT1, w);
 }
 int
diff --git a/src/regress/lib/libcrypto/bn/bn_word.c b/src/regress/lib/libcrypto/bn/bn_word.c
index 2ec518ed1b..433a8a3ba6 100644
--- a/src/regress/lib/libcrypto/bn/bn_word.c
+++ b/src/regress/lib/libcrypto/bn/bn_word.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_word.c,v 1.2 2024/08/23 12:56:26 anton Exp $ */
+/* $OpenBSD: bn_word.c,v 1.3 2025/12/05 14:07:01 tb Exp $ */
 /*
 * Copyright (c) 2023 Joel Sing <jsing@openbsd.org>
 *
@@ -20,6 +20,8 @@
 #include <openssl/bn.h>
+#include "bn_local.h"
 struct bn_word_test {
        const char *in_hex;
        BN_ULONG in_word;
diff --git a/src/regress/lib/libcrypto/c2sp/Makefile b/src/regress/lib/libcrypto/c2sp/Makefile
index 9b2c944ba4..73ee0b8c22 100644
--- a/src/regress/lib/libcrypto/c2sp/Makefile
+++ b/src/regress/lib/libcrypto/c2sp/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.4 2024/10/28 16:27:14 tb Exp $
+# $OpenBSD: Makefile,v 1.7 2025/07/23 07:35:21 tb Exp $
 C2SP_TESTVECTORS = /usr/local/share/c2sp-testvectors/
@@ -13,12 +13,12 @@ PROGS += cctv
 SRCS_cctv =
 cctv: cctv.go
-        go build -o $@ ${.CURDIR}/cctv.go
+        env GOCACHE=${.OBJDIR}/go-build go build -o $@ ${.CURDIR}/cctv.go
 OSSL_LIB =      /usr/local/lib/eopenssl
 OSSL_INC =      /usr/local/include/eopenssl
-. for V in 11 32 33 34
+. for V in 35
 .  if exists(/usr/local/bin/eopenssl$V)
 PROGS +=        cctv-openssl$V
 SRCS_cctv-openssl$V =
@@ -29,10 +29,17 @@ CGO_LDFLAGS_$V += 	-L${OSSL_LIB}$V
 cctv-openssl$V: cctv.go
        env CGO_CFLAGS="${CGO_CFLAGS_$V}" CGO_LDFLAGS="${CGO_LDFLAGS_$V}" \
+            GOCACHE=${.OBJDIR}/go-build \
            go build -o $@ ${.CURDIR}/cctv.go
 .  endif
 . endfor
+REGRESS_CLEANUP =       clean-go-cache
+clean-go-cache:
+        env GOCACHE=${.OBJDIR}/go-build go clean -cache
+        rm -rf ${.OBJDIR}/go-build
 .endif
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/certs/Makefile b/src/regress/lib/libcrypto/certs/Makefile
index 621c60907f..f7ba9fcad8 100644
--- a/src/regress/lib/libcrypto/certs/Makefile
+++ b/src/regress/lib/libcrypto/certs/Makefile
@@ -1,21 +1,24 @@
-#       $OpenBSD: Makefile,v 1.1 2020/07/14 18:27:28 jsing Exp $
+#       $OpenBSD: Makefile,v 1.2 2025/07/09 05:04:35 tb Exp $
-.if ! (make(clean) || make(cleandir) || make(obj))
+.if !exists(/usr/local/bin/go)
-GO_VERSION != sh -c "(go version) 2>/dev/null || true"
-.endif
-.if empty(GO_VERSION)
 regress:
        @echo package go is required for this regress
        @echo SKIPPED
-.endif
+.else
 REGRESS_TARGETS=regress-go-verify
+REGRESS_CLEANUP=clean-go-cache
 certs:
        cd ${.CURDIR} && sh ./make-certs.sh
 regress-go-verify:
-        cd ${.CURDIR} && go test -test.v .
+        cd ${.CURDIR} && env GOCACHE=${.OBJDIR}/go-build go test -test.v .
+clean-go-cache:
+        env GOCACHE=${.OBJDIR}/go-build go clean -cache
+        rm -rf ${.OBJDIR}/go-build
+.endif
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/des/destest.c b/src/regress/lib/libcrypto/des/destest.c
index ebc67f3107..8a2b94d2d6 100644
--- a/src/regress/lib/libcrypto/des/destest.c
+++ b/src/regress/lib/libcrypto/des/destest.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: destest.c,v 1.4 2018/07/17 17:06:49 tb Exp $  */
+/*      $OpenBSD: destest.c,v 1.5 2025/12/26 19:11:01 tb Exp $  */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -233,24 +233,12 @@ static unsigned char cbc_ok[32]={
        0x46,0x8e,0x91,0x15,0x78,0x88,0xba,0x68,
        0x1d,0x26,0x93,0x97,0xf7,0xfe,0x62,0xb4};
-#ifdef SCREW_THE_PARITY
-#error "SCREW_THE_PARITY is not ment to be defined."
-#error "Original vectors are preserved for reference only."
-static unsigned char cbc2_key[8]={0xf0,0xe1,0xd2,0xc3,0xb4,0xa5,0x96,0x87};
-static unsigned char xcbc_ok[32]={
-        0x86,0x74,0x81,0x0D,0x61,0xA4,0xA5,0x48,
-        0xB9,0x93,0x03,0xE1,0xB8,0xBB,0xBD,0xBD,
-        0x64,0x30,0x0B,0xB9,0x06,0x65,0x81,0x76,
-        0x04,0x1D,0x77,0x62,0x17,0xCA,0x2B,0xD2,
-        };
-#else
 static unsigned char xcbc_ok[32]={
        0x84,0x6B,0x29,0x14,0x85,0x1E,0x9A,0x29,
        0x54,0x73,0x2F,0x8A,0xA0,0xA6,0x11,0xC1,
        0x15,0xCD,0xC2,0xD7,0x95,0x1B,0x10,0x53,
        0xA6,0x3C,0x5E,0x03,0xB2,0x1A,0xA3,0xC4,
        };
-#endif
 static unsigned char cbc3_ok[32]={
        0x3F,0xE3,0x01,0xC9,0x62,0xAC,0x01,0xD0,
diff --git a/src/regress/lib/libcrypto/ec/Makefile b/src/regress/lib/libcrypto/ec/Makefile
index b21eacb4bc..1d976c77d0 100644
--- a/src/regress/lib/libcrypto/ec/Makefile
+++ b/src/regress/lib/libcrypto/ec/Makefile
@@ -1,12 +1,13 @@
-#       $OpenBSD: Makefile,v 1.11 2025/03/08 20:09:35 tb Exp $
+#       $OpenBSD: Makefile,v 1.13 2025/08/03 08:29:39 jsing Exp $
-.ifdef EOPENSSL33
+.ifdef EOPENSSL35
-LDADD +=        -Wl,-rpath,/usr/local/lib/eopenssl33 -L/usr/local/lib/eopenssl33
+LDADD +=        -Wl,-rpath,/usr/local/lib/eopenssl35 -L/usr/local/lib/eopenssl35
-CFLAGS +=       -I/usr/local/include/eopenssl33/
+CFLAGS +=       -I/usr/local/include/eopenssl35/
 CFLAGS +=       -DOPENSSL_SUPPRESS_DEPRECATED
 .endif
 PROGS +=        ectest
+PROGS +=        ec_arithmetic
 PROGS +=        ec_asn1_test
 PROGS +=        ec_point_conversion
diff --git a/src/regress/lib/libcrypto/ec/ec_arithmetic.c b/src/regress/lib/libcrypto/ec/ec_arithmetic.c
new file mode 100644
index 0000000000..c6f7cd4f8c
--- /dev/null
+++ b/src/regress/lib/libcrypto/ec/ec_arithmetic.c
@@ -0,0 +1,210 @@
+/*      $OpenBSD: ec_arithmetic.c,v 1.1 2025/08/03 08:29:39 jsing Exp $ */
+/*
+ * Copyright (c) 2022,2025 Joel Sing <jsing@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <sys/time.h>
+#include <err.h>
+#include <signal.h>
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+#include <openssl/bn.h>
+#include <openssl/ec.h>
+#include <openssl/objects.h>
+static void
+benchmark_ec_point_add(const EC_GROUP *group, EC_POINT *result,
+    const BIGNUM *scalar, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+{
+        if (!EC_POINT_add(group, result, a, b, ctx))
+                errx(1, "EC_POINT_add");
+}
+static void
+benchmark_ec_point_dbl(const EC_GROUP *group, EC_POINT *result,
+    const BIGNUM *scalar, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+{
+        if (!EC_POINT_dbl(group, result, a, ctx))
+                errx(1, "EC_POINT_dbl");
+}
+static void
+benchmark_ec_point_mul_generator(const EC_GROUP *group, EC_POINT *result,
+    const BIGNUM *scalar, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx)
+{
+        if (!EC_POINT_mul(group, result, scalar, NULL, NULL, ctx))
+                errx(1, "EC_POINT_mul");
+}
+struct benchmark {
+        int curve;
+        const char *desc;
+        void (*func)(const EC_GROUP *, EC_POINT *, const BIGNUM *,
+            const EC_POINT *, const EC_POINT *, BN_CTX *);
+};
+static const struct benchmark benchmarks[] = {
+        {
+                .curve = NID_X9_62_prime256v1,
+                .desc = "EC_POINT_add() p256",
+                .func = benchmark_ec_point_add,
+        },
+        {
+                .curve = NID_secp384r1,
+                .desc = "EC_POINT_add() p384",
+                .func = benchmark_ec_point_add,
+        },
+        {
+                .curve = NID_secp521r1,
+                .desc = "EC_POINT_add() p521",
+                .func = benchmark_ec_point_add,
+        },
+        {
+                .curve = NID_X9_62_prime256v1,
+                .desc = "EC_POINT_dbl() p256",
+                .func = benchmark_ec_point_dbl,
+        },
+        {
+                .curve = NID_secp384r1,
+                .desc = "EC_POINT_dbl() p384",
+                .func = benchmark_ec_point_dbl,
+        },
+        {
+                .curve = NID_secp521r1,
+                .desc = "EC_POINT_dbl() p521",
+                .func = benchmark_ec_point_dbl,
+        },
+        {
+                .curve = NID_X9_62_prime256v1,
+                .desc = "EC_POINT_mul() generator p256",
+                .func = benchmark_ec_point_mul_generator,
+        },
+        {
+                .curve = NID_secp384r1,
+                .desc = "EC_POINT_mul() generator p384",
+                .func = benchmark_ec_point_mul_generator,
+        },
+        {
+                .curve = NID_secp521r1,
+                .desc = "EC_POINT_mul() generator p521",
+                .func = benchmark_ec_point_mul_generator,
+        },
+};
+#define N_BENCHMARKS (sizeof(benchmarks) / sizeof(benchmarks[0]))
+static volatile sig_atomic_t benchmark_stop;
+static void
+benchmark_sig_alarm(int sig)
+{
+        benchmark_stop = 1;
+}
+static void
+benchmark_run(const struct benchmark *bm, int seconds)
+{
+        struct timespec start, end, duration;
+        EC_GROUP *group = NULL;
+        EC_POINT *a = NULL, *b = NULL, *result = NULL;
+        BIGNUM *order = NULL, *scalar = NULL;
+        BN_CTX *ctx = NULL;
+        int i;
+        signal(SIGALRM, benchmark_sig_alarm);
+        if ((ctx = BN_CTX_new()) == NULL)
+                errx(1, "BN_CTX_new");
+        if ((group = EC_GROUP_new_by_curve_name(bm->curve)) == NULL)
+                errx(1, "EC_GROUP_new_by_curve_name");
+        if ((order = BN_new()) == NULL)
+                errx(1, "BN_new");
+        if (!EC_GROUP_get_order(group, order, ctx))
+                errx(1, "EC_GROUP_get_order");
+        if ((scalar = BN_new()) == NULL)
+                errx(1, "BN_new");
+        if (!BN_rand_range(scalar, order))
+                errx(1, "BN_rand_range");
+        if (!BN_set_bit(scalar, EC_GROUP_order_bits(group) - 1))
+                errx(1, "BN_set_bit");
+        if ((result = EC_POINT_new(group)) == NULL)
+                errx(1, "EC_POINT_new");
+        if ((a = EC_POINT_new(group)) == NULL)
+                errx(1, "EC_POINT_new");
+        if ((b = EC_POINT_new(group)) == NULL)
+                errx(1, "EC_POINT_new");
+        if (!EC_POINT_mul(group, a, scalar, NULL, NULL, ctx))
+                errx(1, "EC_POINT_mul");
+        if (!EC_POINT_mul(group, b, scalar, NULL, NULL, ctx))
+                errx(1, "EC_POINT_mul");
+        benchmark_stop = 0;
+        i = 0;
+        alarm(seconds);
+        clock_gettime(CLOCK_MONOTONIC, &start);
+        fprintf(stderr, "Benchmarking %s for %ds: ", bm->desc, seconds);
+        while (!benchmark_stop) {
+                bm->func(group, result, scalar, a, b, ctx);
+                i++;
+        }
+        clock_gettime(CLOCK_MONOTONIC, &end);
+        timespecsub(&end, &start, &duration);
+        fprintf(stderr, "%d iterations in %f seconds\n", i,
+            duration.tv_sec + duration.tv_nsec / 1000000000.0);
+        EC_GROUP_free(group);
+        EC_POINT_free(result);
+        EC_POINT_free(a);
+        EC_POINT_free(b);
+        BN_free(order);
+        BN_free(scalar);
+        BN_CTX_free(ctx);
+}
+static void
+benchmark_ec_mul_single(void)
+{
+        const struct benchmark *bm;
+        size_t i;
+        for (i = 0; i < N_BENCHMARKS; i++) {
+                bm = &benchmarks[i];
+                benchmark_run(bm, 5);
+        }
+}
+int
+main(int argc, char **argv)
+{
+        int benchmark = 0, failed = 0;
+        if (argc == 2 && strcmp(argv[1], "--benchmark") == 0)
+                benchmark = 1;
+        if (benchmark && !failed)
+                benchmark_ec_mul_single();
+        return failed;
+}
diff --git a/src/regress/lib/libcrypto/ec/ec_asn1_test.c b/src/regress/lib/libcrypto/ec/ec_asn1_test.c
index 03358e69ca..4dfe681dbd 100644
--- a/src/regress/lib/libcrypto/ec/ec_asn1_test.c
+++ b/src/regress/lib/libcrypto/ec/ec_asn1_test.c
@@ -1,7 +1,7 @@
-/* $OpenBSD: ec_asn1_test.c,v 1.32 2025/03/08 20:09:35 tb Exp $ */
+/* $OpenBSD: ec_asn1_test.c,v 1.41 2025/12/07 11:39:00 tb Exp $ */
 /*
 * Copyright (c) 2017, 2021 Joel Sing <jsing@openbsd.org>
- * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
+ * Copyright (c) 2024, 2025 Theo Buehler <tb@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -17,12 +17,17 @@
 */
 #include <err.h>
+#include <stdio.h>
+#include <stdint.h>
+#include <stdlib.h>
 #include <string.h>
 #include <openssl/bio.h>
+#include <openssl/bn.h>
 #include <openssl/ec.h>
 #include <openssl/err.h>
 #include <openssl/objects.h>
+#include <openssl/sha.h>
 #include "ec_local.h"
@@ -730,6 +735,82 @@ static const struct curve secp256k1_m = {
        .param_len = sizeof(ec_secp256k1_m_pkparameters_parameters),
 };
+/*
+ * From https://eips.ethereum.org/EIPS/eip-2539
+ */
+static const uint8_t ec_bls12_377_pkparameters_named_curve[] = {
+        0x06, 0x04, 0x29, 0x01, 0x01, 0x01,
+};
+static const uint8_t ec_bls12_377_pkparameters_parameters[] = {
+        0x30, 0x82, 0x01, 0x3d, 0x02, 0x01, 0x01, 0x30,
+        0x3b, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d,
+        0x01, 0x01, 0x02, 0x30, 0x01, 0xae, 0x3a, 0x46,
+        0x17, 0xc5, 0x10, 0xea, 0xc6, 0x3b, 0x05, 0xc0,
+        0x6c, 0xa1, 0x49, 0x3b, 0x1a, 0x22, 0xd9, 0xf3,
+        0x00, 0xf5, 0x13, 0x8f, 0x1e, 0xf3, 0x62, 0x2f,
+        0xba, 0x09, 0x48, 0x00, 0x17, 0x0b, 0x5d, 0x44,
+        0x30, 0x00, 0x00, 0x00, 0x85, 0x08, 0xc0, 0x00,
+        0x00, 0x00, 0x00, 0x01, 0x30, 0x64, 0x04, 0x30,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x04, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x01, 0x04, 0x61, 0x04, 0x00, 0x88, 0x48,
+        0xde, 0xfe, 0x74, 0x0a, 0x67, 0xc8, 0xfc, 0x62,
+        0x25, 0xbf, 0x87, 0xff, 0x54, 0x85, 0x95, 0x1e,
+        0x2c, 0xaa, 0x9d, 0x41, 0xbb, 0x18, 0x82, 0x82,
+        0xc8, 0xbd, 0x37, 0xcb, 0x5c, 0xd5, 0x48, 0x15,
+        0x12, 0xff, 0xcd, 0x39, 0x4e, 0xea, 0xb9, 0xb1,
+        0x6e, 0xb2, 0x1b, 0xe9, 0xef, 0x01, 0x91, 0x4a,
+        0x69, 0xc5, 0x10, 0x2e, 0xff, 0x1f, 0x67, 0x4f,
+        0x5d, 0x30, 0xaf, 0xee, 0xc4, 0xbd, 0x7f, 0xb3,
+        0x48, 0xca, 0x3e, 0x52, 0xd9, 0x6d, 0x18, 0x2a,
+        0xd4, 0x4f, 0xb8, 0x23, 0x05, 0xc2, 0xfe, 0x3d,
+        0x36, 0x34, 0xa9, 0x59, 0x1a, 0xfd, 0x82, 0xde,
+        0x55, 0x55, 0x9c, 0x8e, 0xa6, 0x02, 0x20, 0x12,
+        0xab, 0x65, 0x5e, 0x9a, 0x2c, 0xa5, 0x56, 0x60,
+        0xb4, 0x4d, 0x1e, 0x5c, 0x37, 0xb0, 0x01, 0x59,
+        0xaa, 0x76, 0xfe, 0xd0, 0x00, 0x00, 0x01, 0x0a,
+        0x11, 0x80, 0x00, 0x00, 0x00, 0x00, 0x01, 0x02,
+        0x10, 0x17, 0x0b, 0x5d, 0x44, 0x30, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00,
+};
+static const struct curve bls12_377 = {
+        .descr = "BLS12-377",
+        .oid =   "1.1.1.1.1", /* XXX */
+        .sn =    "BLS12-377",
+        .p =     "01ae3a46" "17c510ea" "c63b05c0" "6ca1493b"
+                 "1a22d9f3" "00f5138f" "1ef3622f" "ba094800"
+                 "170b5d44" "30000000" "8508c000" "00000001",
+        .a =     "0",
+        .b =     "1",
+        .x =     "008848de" "fe740a67" "c8fc6225" "bf87ff54"
+                 "85951e2c" "aa9d41bb" "188282c8" "bd37cb5c"
+                 "d5481512" "ffcd394e" "eab9b16e" "b21be9ef",
+        .y =     "01914a69" "c5102eff" "1f674f5d" "30afeec4"
+                 "bd7fb348" "ca3e52d9" "6d182ad4" "4fb82305"
+                 "c2fe3d36" "34a9591a" "fd82de55" "559c8ea6",
+        .order = "12ab655e" "9a2ca556" "60b44d1e" "5c37b001"
+                 "59aa76fe" "d0000001" "0a118000" "00000001",
+        .cofactor = "170b5d44" "30000000" "00000000" "00000000",
+        .named = ec_bls12_377_pkparameters_named_curve,
+        .named_len = sizeof(ec_bls12_377_pkparameters_named_curve),
+        .param = ec_bls12_377_pkparameters_parameters,
+        .param_len = sizeof(ec_bls12_377_pkparameters_parameters),
+};
 static EC_GROUP *
 ec_group_from_curve_method(const struct curve *curve, const EC_METHOD *method,
    BN_CTX *ctx)
@@ -1020,6 +1101,65 @@ ec_group_non_builtin_curves(void)
        failed |= ec_group_non_builtin_curve(&secp256k1_m, EC_GFp_mont_method(), ctx);
        failed |= ec_group_non_builtin_curve(&secp256k1_m, EC_GFp_simple_method(), ctx);
+        failed |= ec_group_non_builtin_curve(&bls12_377, EC_GFp_mont_method(), ctx);
+        failed |= ec_group_non_builtin_curve(&bls12_377, EC_GFp_simple_method(), ctx);
+        BN_CTX_free(ctx);
+        return failed;
+}
+static int
+ec_group_check_prime_order(EC_builtin_curve *curve, BN_CTX *ctx)
+{
+        EC_GROUP *group;
+        BIGNUM *order;
+        int rv;
+        int failed = 0;
+        if ((group = EC_GROUP_new_by_curve_name(curve->nid)) == NULL)
+                errx(1, "EC_GROUP_new_by_curve_name");
+        BN_CTX_start(ctx);
+        if ((order = BN_CTX_get(ctx)) == NULL)
+                errx(1, "order = BN_CTX_get()");
+        if (!EC_GROUP_get_order(group, order, ctx))
+                errx(1, "EC_GROUP_get_order");
+        if ((rv = BN_is_prime_ex(order, 0, ctx, NULL)) != 1) {
+                fprintf(stderr, "%s: nid %d: BN_is_prime_ex() returned %d, want 1\n",
+                    __func__, curve->nid, rv);
+                failed = 1;
+        }
+        BN_CTX_end(ctx);
+        EC_GROUP_free(group);
+        return failed;
+}
+static int
+ec_group_builtin_curves_have_prime_order(void)
+{
+        BN_CTX *ctx = NULL;
+        EC_builtin_curve *all_curves = NULL;
+        size_t curve_id, ncurves;
+        int failed = 0;
+        if ((ctx = BN_CTX_new()) == NULL)
+                errx(1, "BN_CTX_new");
+        ncurves = EC_get_builtin_curves(NULL, 0);
+        if ((all_curves = calloc(ncurves, sizeof(*all_curves))) == NULL)
+                err(1, "calloc builtin curves");
+        EC_get_builtin_curves(all_curves, ncurves);
+        for (curve_id = 0; curve_id < ncurves; curve_id++)
+                failed |= ec_group_check_prime_order(&all_curves[curve_id], ctx);
+        free(all_curves);
        BN_CTX_free(ctx);
        return failed;
@@ -1281,126 +1421,6 @@ static const struct ec_private_key {
                },
        },
        {
-                .name = "prime239v1",
-                .der_len = 115,
-                .der = {
-                        0x30, 0x71, 0x02, 0x01, 0x01, 0x04, 0x1e, 0x6e,
-                        0x26, 0x5e, 0xde, 0x5b, 0x67, 0xd6, 0x38, 0x52,
-                        0xe7, 0x1e, 0x8d, 0x44, 0xb1, 0xfb, 0xf8, 0xaf,
-                        0xf9, 0x94, 0x2c, 0xe2, 0x0d, 0xa8, 0x5f, 0x03,
-                        0x67, 0x53, 0x7b, 0x8b, 0x2e, 0xa0, 0x0a, 0x06,
-                        0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01,
-                        0x04, 0xa1, 0x40, 0x03, 0x3e, 0x00, 0x04, 0x33,
-                        0xc6, 0xe5, 0x8a, 0xc1, 0x8b, 0x7c, 0x96, 0x19,
-                        0xc9, 0xe1, 0x54, 0x7f, 0x81, 0x9e, 0x59, 0x62,
-                        0xec, 0xc0, 0x1e, 0xe5, 0x53, 0xd5, 0xae, 0x6b,
-                        0xd3, 0xe0, 0x09, 0x07, 0xc5, 0x27, 0x81, 0xa6,
-                        0x8d, 0x39, 0x8e, 0xfe, 0x01, 0xc2, 0x1d, 0xda,
-                        0xde, 0x7b, 0xdc, 0x76, 0x27, 0x17, 0xf9, 0x6f,
-                        0xe3, 0x04, 0xef, 0x5d, 0x65, 0x75, 0x98, 0x7f,
-                        0x2d, 0xd0, 0x68,
-                },
-                .hex =  "0433C6E58AC18B7C"
-                        "9619C9E1547F819E"
-                        "5962ECC01EE553D5"
-                        "AE6BD3E00907C527"
-                        "81A68D398EFE01C2"
-                        "1DDADE7BDC762717"
-                        "F96FE304EF5D6575"
-                        "987F2DD068",
-                .oct_len = 61,
-                .oct = {
-                        0x04, 0x33, 0xc6, 0xe5, 0x8a, 0xc1, 0x8b, 0x7c,
-                        0x96, 0x19, 0xc9, 0xe1, 0x54, 0x7f, 0x81, 0x9e,
-                        0x59, 0x62, 0xec, 0xc0, 0x1e, 0xe5, 0x53, 0xd5,
-                        0xae, 0x6b, 0xd3, 0xe0, 0x09, 0x07, 0xc5, 0x27,
-                        0x81, 0xa6, 0x8d, 0x39, 0x8e, 0xfe, 0x01, 0xc2,
-                        0x1d, 0xda, 0xde, 0x7b, 0xdc, 0x76, 0x27, 0x17,
-                        0xf9, 0x6f, 0xe3, 0x04, 0xef, 0x5d, 0x65, 0x75,
-                        0x98, 0x7f, 0x2d, 0xd0, 0x68,
-                },
-        },
-        {
-                .name = "prime239v2",
-                .der_len = 115,
-                .der = {
-                        0x30, 0x71, 0x02, 0x01, 0x01, 0x04, 0x1e, 0x30,
-                        0x2f, 0x01, 0x10, 0xe9, 0x09, 0x15, 0xdd, 0xe3,
-                        0xdd, 0xae, 0xcb, 0x9d, 0x3a, 0x58, 0x92, 0x02,
-                        0x1e, 0x6e, 0x02, 0x57, 0xa8, 0x36, 0x0b, 0x20,
-                        0x0b, 0x7e, 0xf4, 0xad, 0x0b, 0xa0, 0x0a, 0x06,
-                        0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01,
-                        0x05, 0xa1, 0x40, 0x03, 0x3e, 0x00, 0x04, 0x3c,
-                        0x10, 0x27, 0x7b, 0xac, 0xdf, 0x86, 0xc9, 0x4f,
-                        0xf8, 0x39, 0x87, 0x02, 0x39, 0xaf, 0x41, 0xbc,
-                        0x4b, 0x67, 0xd8, 0x5e, 0x04, 0x96, 0x84, 0xb5,
-                        0x60, 0x50, 0x48, 0x6a, 0x20, 0x1d, 0x2b, 0x7e,
-                        0x9f, 0xaf, 0xf8, 0x8e, 0x7e, 0xa4, 0xcd, 0x00,
-                        0xad, 0xb1, 0xad, 0x22, 0x69, 0x32, 0x10, 0x6c,
-                        0xe0, 0xcc, 0xdd, 0x45, 0xd8, 0xa6, 0x29, 0x2f,
-                        0xad, 0x6b, 0xf9,
-                },
-                .hex =  "043C10277BACDF86"
-                        "C94FF839870239AF"
-                        "41BC4B67D85E0496"
-                        "84B56050486A201D"
-                        "2B7E9FAFF88E7EA4"
-                        "CD00ADB1AD226932"
-                        "106CE0CCDD45D8A6"
-                        "292FAD6BF9",
-                .oct_len = 61,
-                .oct = {
-                        0x04, 0x3c, 0x10, 0x27, 0x7b, 0xac, 0xdf, 0x86,
-                        0xc9, 0x4f, 0xf8, 0x39, 0x87, 0x02, 0x39, 0xaf,
-                        0x41, 0xbc, 0x4b, 0x67, 0xd8, 0x5e, 0x04, 0x96,
-                        0x84, 0xb5, 0x60, 0x50, 0x48, 0x6a, 0x20, 0x1d,
-                        0x2b, 0x7e, 0x9f, 0xaf, 0xf8, 0x8e, 0x7e, 0xa4,
-                        0xcd, 0x00, 0xad, 0xb1, 0xad, 0x22, 0x69, 0x32,
-                        0x10, 0x6c, 0xe0, 0xcc, 0xdd, 0x45, 0xd8, 0xa6,
-                        0x29, 0x2f, 0xad, 0x6b, 0xf9,
-                },
-        },
-        {
-                .name = "prime239v3",
-                .der_len = 115,
-                .der = {
-                        0x30, 0x71, 0x02, 0x01, 0x01, 0x04, 0x1e, 0x26,
-                        0x3f, 0x23, 0x4c, 0xe7, 0xbd, 0xa8, 0xe4, 0xfe,
-                        0x7c, 0xf6, 0x18, 0x6a, 0xb2, 0xa6, 0x39, 0x15,
-                        0x6d, 0x72, 0xe8, 0x9e, 0x3f, 0x0f, 0x10, 0x1e,
-                        0xe5, 0xdf, 0xac, 0xe8, 0x2f, 0xa0, 0x0a, 0x06,
-                        0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01,
-                        0x06, 0xa1, 0x40, 0x03, 0x3e, 0x00, 0x04, 0x37,
-                        0xba, 0x07, 0x7f, 0xd9, 0x46, 0x5a, 0x33, 0x03,
-                        0x31, 0x77, 0x38, 0xef, 0xee, 0xcc, 0x3d, 0xe1,
-                        0xaa, 0x57, 0xe3, 0x8d, 0xb7, 0xcd, 0xe3, 0x01,
-                        0xf4, 0xd6, 0x75, 0x49, 0x72, 0x61, 0x4c, 0xbf,
-                        0xc0, 0x1f, 0x8b, 0x5f, 0x98, 0x9b, 0xa7, 0xe5,
-                        0x6a, 0xb7, 0xfe, 0x63, 0xdb, 0xb0, 0x40, 0xcb,
-                        0x26, 0x81, 0x2a, 0x91, 0x14, 0x0f, 0xc7, 0x31,
-                        0x13, 0x78, 0x16,
-                },
-                .hex =  "0437BA077FD9465A"
-                        "3303317738EFEECC"
-                        "3DE1AA57E38DB7CD"
-                        "E301F4D675497261"
-                        "4CBFC01F8B5F989B"
-                        "A7E56AB7FE63DBB0"
-                        "40CB26812A91140F"
-                        "C731137816",
-                .oct_len = 61,
-                .oct = {
-                        0x04, 0x37, 0xba, 0x07, 0x7f, 0xd9, 0x46, 0x5a,
-                        0x33, 0x03, 0x31, 0x77, 0x38, 0xef, 0xee, 0xcc,
-                        0x3d, 0xe1, 0xaa, 0x57, 0xe3, 0x8d, 0xb7, 0xcd,
-                        0xe3, 0x01, 0xf4, 0xd6, 0x75, 0x49, 0x72, 0x61,
-                        0x4c, 0xbf, 0xc0, 0x1f, 0x8b, 0x5f, 0x98, 0x9b,
-                        0xa7, 0xe5, 0x6a, 0xb7, 0xfe, 0x63, 0xdb, 0xb0,
-                        0x40, 0xcb, 0x26, 0x81, 0x2a, 0x91, 0x14, 0x0f,
-                        0xc7, 0x31, 0x13, 0x78, 0x16,
-                },
-        },
-        {
                .name = "prime256v1",
                .der_len = 121,
                .der = {
@@ -2468,6 +2488,197 @@ ec_group_check_private_keys(void)
        return failed;
 }
+static void
+ec_group_sha1_bignum(BIGNUM *out, const BIGNUM *in)
+{
+        char md[SHA_DIGEST_LENGTH];
+        unsigned char *bin;
+        size_t bin_len;
+        if (BN_num_bytes(in) <= 0)
+                errx(1, "%s: invalid bignum", __func__);
+        bin_len = BN_num_bytes(in);
+        if ((bin = calloc(1, bin_len)) == NULL)
+                err(1, "calloc");
+        if (BN_bn2bin(in, bin) <= 0)
+                errx(1, "BN_bn2bin");
+        SHA1(bin, bin_len, md);
+        free(bin);
+        if (BN_bin2bn(md, sizeof(md), out) == NULL)
+                errx(1, "BN_bin2bn");
+}
+static int
+ec_group_check_seed(const EC_builtin_curve *curve, BN_CTX *ctx)
+{
+        EC_GROUP *group = NULL;
+        BIGNUM *p, *a, *b, *pow2, *r, *seed_bn, *w;
+        const unsigned char *seed;
+        size_t seed_len;
+        int i, g, h, s, t;
+        int failed = 1;
+        if ((group = EC_GROUP_new_by_curve_name(curve->nid)) == NULL)
+                errx(1, "EC_GROUP_new_by_curve_name");
+        BN_CTX_start(ctx);
+        if ((p = BN_CTX_get(ctx)) == NULL)
+                errx(1, "p = BN_CTX_get()");
+        if ((a = BN_CTX_get(ctx)) == NULL)
+                errx(1, "a = BN_CTX_get()");
+        if ((b = BN_CTX_get(ctx)) == NULL)
+                errx(1, "b = BN_CTX_get()");
+        if ((r = BN_CTX_get(ctx)) == NULL)
+                errx(1, "r = BN_CTX_get()");
+        if ((pow2 = BN_CTX_get(ctx)) == NULL)
+                errx(1, "pow2 = BN_CTX_get()");
+        if ((seed_bn = BN_CTX_get(ctx)) == NULL)
+                errx(1, "seed_bn = BN_CTX_get()");
+        if ((w = BN_CTX_get(ctx)) == NULL)
+                errx(1, "w = BN_CTX_get()");
+        /*
+         * If the curve has a seed, verify that its parameters a and b have
+         * been selected using that seed, loosely following X9.62, F.3.4.b.
+         * Otherwise there's nothing to do.
+         */
+        if ((seed = EC_GROUP_get0_seed(group)) == NULL)
+                goto done;
+        seed_len = EC_GROUP_get_seed_len(group);
+        /*
+         * This isn't a requirement but happens to be the case for NIST
+         * curves - the only built-in curves that have a seed.
+         */
+        if (seed_len != SHA_DIGEST_LENGTH) {
+                fprintf(stderr, "%s FAIL: unexpected seed length. "
+                    "want %d, got %zu\n", __func__, SHA_DIGEST_LENGTH, seed_len);
+                goto err;
+        }
+        /* Seed length in bits, per F.3.3.b. */
+        g = 8 * seed_len;
+        /*
+         * Prepare to build the verifiably random element r of GFp by
+         * concatenating the SHA-1 of modifications of the seed as a number.
+         */
+        if (BN_bin2bn(seed, seed_len, seed_bn) == NULL)
+                errx(1, "BN_bin2bn");
+        if (!EC_GROUP_get_curve(group, p, a, b, ctx))
+                errx(1, "EC_GROUP_get_curve");
+        t = BN_num_bits(p);     /* bit length needed. */
+        s = (t - 1) / 160;      /* number of SHA-1 fitting in bit length. */
+        h = t - 160 * s;        /* remaining number of bits in r. */
+        /*
+         * Steps 1 - 3: compute hash of the seed and take h - 1 rightmost bits.
+         */
+        ec_group_sha1_bignum(r, seed_bn);
+        BN_zero(pow2);
+        if (!BN_set_bit(pow2, h - 1))
+                errx(1, "BN_set_bit");
+        if (!BN_mod(r, r, pow2, ctx))
+                errx(1, "BN_nnmod");
+        /*
+         * Steps 4 - 6: for i from 1 to s do Wi = SHA-1(SEED + i mod 2^g).
+         * With W0 = r as already computed, let r = W0 || W1 || ... || Ws.
+         */
+        BN_zero(pow2);
+        if (!BN_set_bit(pow2, g))
+                errx(1, "BN_set_bit");
+        for (i = 0; i < s; i++) {
+                /*
+                 * This is a bit silly since the seed isn't going to have all
+                 * its bits set, so BN_add_word(seed_bn, 1) would do, but for
+                 * the sake of correctness...
+                 */
+                if (!BN_mod_add(seed_bn, seed_bn, BN_value_one(), pow2, ctx))
+                        errx(1, "BN_mod_add");
+                ec_group_sha1_bignum(w, seed_bn);
+                if (!BN_lshift(r, r, 8 * SHA_DIGEST_LENGTH))
+                        errx(1, "BN_lshift");
+                if (!BN_add(r, r, w))
+                        errx(1, "BN_add");
+        }
+        /*
+         * Step 7: check that r * b^2 == a^3 (mod p)
+         */
+        /* Compute r = r * b^2 (mod p). */
+        if (!BN_mod_sqr(b, b, p, ctx))
+                errx(1, "BN_mod_sqr");
+        if (!BN_mod_mul(r, r, b, p, ctx))
+                errx(1, "BN_mod_mul");
+        /* Compute a = a^3 (mod p). */
+        if (!BN_mod_sqr(b, a, p, ctx))
+                errx(1, "BN_mod_sqr");
+        if (!BN_mod_mul(a, a, b, p, ctx))
+                errx(1, "BN_mod_mul");
+        /*
+         * XXX - this assumes that a, b, p >= 0, so the results are in [0, p).
+         * This is currently enforced in the EC code.
+         */
+        if (BN_cmp(r, a) != 0) {
+                fprintf(stderr, "FAIL: %s verification failed for %s\nr * b^2:\t",
+                    __func__, curve->comment);
+                BN_print_fp(stderr, r);
+                fprintf(stderr, "\na^3:\t\t");
+                BN_print_fp(stderr, a);
+                fprintf(stderr, "\n");
+                goto err;
+        }
+ done:
+        failed = 0;
+ err:
+        BN_CTX_end(ctx);
+        EC_GROUP_free(group);
+        return failed;
+}
+static int
+ec_group_check_seeds(void)
+{
+        BN_CTX *ctx = NULL;
+        EC_builtin_curve *all_curves = NULL;
+        size_t curve_id, ncurves;
+        int failed = 0;
+        if ((ctx = BN_CTX_new()) == NULL)
+                errx(1, "BN_CTX_new");
+        ncurves = EC_get_builtin_curves(NULL, 0);
+        if ((all_curves = calloc(ncurves, sizeof(*all_curves))) == NULL)
+                err(1, "calloc builtin curves");
+        EC_get_builtin_curves(all_curves, ncurves);
+        for (curve_id = 0; curve_id < ncurves; curve_id++)
+                failed |= ec_group_check_seed(&all_curves[curve_id], ctx);
+        free(all_curves);
+        BN_CTX_free(ctx);
+        return failed;
+}
 int
 main(int argc, char **argv)
 {
@@ -2478,7 +2689,9 @@ main(int argc, char **argv)
        failed |= ec_group_pkparameters_correct_padding_test();
        failed |= ec_group_roundtrip_builtin_curves();
        failed |= ec_group_non_builtin_curves();
+        failed |= ec_group_builtin_curves_have_prime_order();
        failed |= ec_group_check_private_keys();
+        failed |= ec_group_check_seeds();
        return failed;
 }
diff --git a/src/regress/lib/libcrypto/ec/ectest.c b/src/regress/lib/libcrypto/ec/ectest.c
index fc44f9c886..3e81954174 100644
--- a/src/regress/lib/libcrypto/ec/ectest.c
+++ b/src/regress/lib/libcrypto/ec/ectest.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ectest.c,v 1.35 2025/01/24 11:49:13 tb Exp $  */
+/*      $OpenBSD: ectest.c,v 1.36 2025/07/23 07:40:07 tb Exp $  */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -71,14 +71,11 @@
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
-#include <time.h>
+#include <openssl/bn.h>
+#include <openssl/crypto.h>
 #include <openssl/ec.h>
 #include <openssl/err.h>
-#include <openssl/obj_mac.h>
-#include <openssl/objects.h>
-#include <openssl/bn.h>
 #include <openssl/opensslconf.h>
 #define ABORT do { \
diff --git a/src/regress/lib/libcrypto/evp/evp_pkey_cleanup.c b/src/regress/lib/libcrypto/evp/evp_pkey_cleanup.c
index d4825f68e8..1d2fa60be7 100644
--- a/src/regress/lib/libcrypto/evp/evp_pkey_cleanup.c
+++ b/src/regress/lib/libcrypto/evp/evp_pkey_cleanup.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: evp_pkey_cleanup.c,v 1.5 2024/02/29 20:02:00 tb Exp $ */
+/*      $OpenBSD: evp_pkey_cleanup.c,v 1.6 2025/05/21 03:53:20 kenjiro Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@@ -38,6 +38,8 @@ int pkey_ids[] = {
        EVP_PKEY_RSA,
        EVP_PKEY_RSA_PSS,
        EVP_PKEY_X25519,
+        EVP_PKEY_HKDF,
+        EVP_PKEY_TLS1_PRF,
 };
 static const size_t N_PKEY_IDS = sizeof(pkey_ids) / sizeof(pkey_ids[0]);
diff --git a/src/regress/lib/libcrypto/evp/evp_test.c b/src/regress/lib/libcrypto/evp/evp_test.c
index a699832c45..0bd8b4d092 100644
--- a/src/regress/lib/libcrypto/evp/evp_test.c
+++ b/src/regress/lib/libcrypto/evp/evp_test.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: evp_test.c,v 1.20 2024/07/09 17:24:12 tb Exp $ */
+/*      $OpenBSD: evp_test.c,v 1.21 2025/05/22 00:13:47 kenjiro Exp $ */
 /*
 * Copyright (c) 2017, 2022 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2023, 2024 Theo Buehler <tb@openbsd.org>
@@ -802,6 +802,85 @@ kdf_compare_bytes(const char *label, const unsigned char *d1, int len1,
 }
 static int
+evp_kdf_hkdf_basic(void)
+{
+        EVP_PKEY_CTX *pctx;
+        unsigned char out[42];
+        size_t outlen = sizeof(out);
+        int failed = 1;
+        /* Test vector from RFC 5869, Appendix A.1. */
+        const unsigned char ikm[] = {
+                0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+                0x0b, 0x0b,
+        };
+        const unsigned char salt[] = {
+                0x00, 0x01, 0x02, 0x03, 0x04, 0x05,
+                0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+                0x0c,
+        };
+        const unsigned char info[] = {
+                0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5,
+                0xf6, 0xf7, 0xf8, 0xf9,
+        };
+        const unsigned char expected[42] = {
+                0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a,
+                0x90, 0x43, 0x4f, 0x64, 0xd0, 0x36, 0x2f, 0x2a,
+                0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a, 0x5a, 0x4c,
+                0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf,
+                0x34, 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18,
+                0x58, 0x65,
+        };
+        if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL)) == NULL) {
+                fprintf(stderr, "FAIL: EVP_PKEY_CTX_new_id\n");
+                goto err;
+        }
+        if (EVP_PKEY_derive_init(pctx) <= 0) {
+                fprintf(stderr, "FAIL: EVP_PKEY_derive_init\n");
+                goto err;
+        }
+        if (EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()) <= 0) {
+                fprintf(stderr, "FAIL: EVP_PKEY_CTX_set_hkdf_md\n");
+                goto err;
+        }
+        if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, sizeof(salt)) <= 0) {
+                fprintf(stderr, "FAIL: EVP_PKEY_CTX_set1_hkdf_salt\n");
+                goto err;
+        }
+        if (EVP_PKEY_CTX_set1_hkdf_key(pctx, ikm, sizeof(ikm)) <= 0) {
+                fprintf(stderr, "FAIL: EVP_PKEY_CTX_set1_hkdf_key\n");
+                goto err;
+        }
+        if (EVP_PKEY_CTX_add1_hkdf_info(pctx, info, sizeof(info)) <= 0) {
+                fprintf(stderr, "FAIL: EVP_PKEY_CTX_add1_hkdf_info\n");
+                goto err;
+        }
+        if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
+                fprintf(stderr, "FAIL: EVP_PKEY_derive\n");
+                goto err;
+        }
+        if (!kdf_compare_bytes("HKDF test", out, outlen, expected, sizeof(expected)))
+                goto err;
+        failed = 0;
+ err:
+        EVP_PKEY_CTX_free(pctx);
+        return failed;
+}
+static int
 evp_kdf_tls1_prf_basic(void)
 {
        EVP_PKEY_CTX *pctx;
@@ -1038,6 +1117,7 @@ main(int argc, char **argv)
        failed |= obj_name_do_all_test();
        failed |= evp_get_cipherbyname_test();
        failed |= evp_get_digestbyname_test();
+        failed |= evp_kdf_hkdf_basic();
        failed |= evp_kdf_tls1_prf_basic();
        failed |= evp_kdf_tls1_prf();
diff --git a/src/regress/lib/libcrypto/free/Makefile b/src/regress/lib/libcrypto/free/Makefile
index 21516f1172..9171393c0f 100644
--- a/src/regress/lib/libcrypto/free/Makefile
+++ b/src/regress/lib/libcrypto/free/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.5 2023/04/15 14:10:09 tb Exp $
+#       $OpenBSD: Makefile,v 1.6 2025/08/25 06:08:33 tb Exp $
 TESTS = \
        freenull
@@ -10,9 +10,11 @@ REGRESS_TARGETS= all_tests
 LDADD=          -lcrypto
 DPADD=          ${LIBCRYPTO}
+CFLAGS+=        -Wall -Werror
 CLEANFILES+= freenull.c freenull.c.body freenull.c.tmp
-freenull.c: freenull.awk ../../../../lib/libcrypto/Symbols.list
+freenull.c: freenull.awk freenull.c.head freenull.c.tail ../../../../lib/libcrypto/Symbols.list
        awk -f ${.CURDIR}/freenull.awk \
                < ${BSDSRCDIR}/lib/libcrypto/Symbols.list > freenull.c.body
        cat ${.CURDIR}/freenull.c.head freenull.c.body \
diff --git a/src/regress/lib/libcrypto/free/freenull.c.head b/src/regress/lib/libcrypto/free/freenull.c.head
index db652bfb01..747f174a4c 100644
--- a/src/regress/lib/libcrypto/free/freenull.c.head
+++ b/src/regress/lib/libcrypto/free/freenull.c.head
@@ -1,4 +1,4 @@
-/*      $OpenBSD: freenull.c.head,v 1.10 2024/08/30 05:00:38 tb Exp $   */
+/*      $OpenBSD: freenull.c.head,v 1.11 2025/08/25 06:01:33 tb Exp $   */
 #include <openssl/asn1.h>
 #include <openssl/cmac.h>
@@ -10,6 +10,7 @@
 #include <openssl/gost.h>
 #endif
 #include <openssl/hmac.h>
+#include <openssl/mlkem.h>
 #include <openssl/ocsp.h>
 #include <openssl/pkcs12.h>
 #include <openssl/ts.h>
diff --git a/src/regress/lib/libcrypto/gcm128/gcm128test.c b/src/regress/lib/libcrypto/gcm128/gcm128test.c
index def7653c7b..78631979fe 100644
--- a/src/regress/lib/libcrypto/gcm128/gcm128test.c
+++ b/src/regress/lib/libcrypto/gcm128/gcm128test.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: gcm128test.c,v 1.7 2022/09/05 21:06:31 tb Exp $       */
+/*      $OpenBSD: gcm128test.c,v 1.8 2025/05/16 14:03:49 jsing Exp $    */
 /* ====================================================================
 * Copyright (c) 2010 The OpenSSL Project.  All rights reserved.
 *
@@ -57,11 +57,6 @@
 #include <openssl/aes.h>
 #include <openssl/modes.h>
-/* XXX - something like this should be in the public headers. */
-struct gcm128_context {
-        uint64_t opaque[64];
-};
 struct gcm128_test {
        const uint8_t K[128];
        size_t K_len;
@@ -856,7 +851,7 @@ struct gcm128_test gcm128_tests[] = {
 static int
 do_gcm128_test(int test_no, struct gcm128_test *tv)
 {
-        GCM128_CONTEXT ctx;
+        GCM128_CONTEXT *ctx;
        AES_KEY key;
        uint8_t *out = NULL;
        size_t out_len;
@@ -873,13 +868,16 @@ do_gcm128_test(int test_no, struct gcm128_test *tv)
        if (out_len != 0)
                memset(out, 0, out_len);
-        CRYPTO_gcm128_init(&ctx, &key, (block128_f)AES_encrypt);
-        CRYPTO_gcm128_setiv(&ctx, tv->IV, tv->IV_len);
+        if ((ctx = CRYPTO_gcm128_new(&key, (block128_f)AES_encrypt)) == NULL)
+                err(1, "CRYPTO_gcm128_new");
+        CRYPTO_gcm128_setiv(ctx, tv->IV, tv->IV_len);
        if (tv->A_len > 0)
-                CRYPTO_gcm128_aad(&ctx, tv->A, tv->A_len);
+                CRYPTO_gcm128_aad(ctx, tv->A, tv->A_len);
        if (tv->P_len > 0)
-                CRYPTO_gcm128_encrypt(&ctx, tv->P, out, out_len);
+                CRYPTO_gcm128_encrypt(ctx, tv->P, out, out_len);
-        if (CRYPTO_gcm128_finish(&ctx, tv->T, 16)) {
+        if (CRYPTO_gcm128_finish(ctx, tv->T, 16)) {
                fprintf(stderr, "TEST %d: CRYPTO_gcm128_finish failed\n",
                    test_no);
                goto fail;
@@ -891,12 +889,12 @@ do_gcm128_test(int test_no, struct gcm128_test *tv)
        if (out_len != 0)
                memset(out, 0, out_len);
-        CRYPTO_gcm128_setiv(&ctx, tv->IV, tv->IV_len);
+        CRYPTO_gcm128_setiv(ctx, tv->IV, tv->IV_len);
        if (tv->A_len > 0)
-                CRYPTO_gcm128_aad(&ctx, tv->A, tv->A_len);
+                CRYPTO_gcm128_aad(ctx, tv->A, tv->A_len);
        if (tv->C_len > 0)
-                CRYPTO_gcm128_decrypt(&ctx, tv->C, out, out_len);
+                CRYPTO_gcm128_decrypt(ctx, tv->C, out, out_len);
-        if (CRYPTO_gcm128_finish(&ctx, tv->T, 16)) {
+        if (CRYPTO_gcm128_finish(ctx, tv->T, 16)) {
                fprintf(stderr, "TEST %d: CRYPTO_gcm128_finish failed\n",
                    test_no);
                goto fail;
@@ -909,6 +907,8 @@ do_gcm128_test(int test_no, struct gcm128_test *tv)
        ret = 0;
 fail:
+        CRYPTO_gcm128_release(ctx);
        free(out);
        return (ret);
 }
diff --git a/src/regress/lib/libcrypto/man/check_complete.pl b/src/regress/lib/libcrypto/man/check_complete.pl
index 5f2d12ec73..dbce9b74ec 100755
--- a/src/regress/lib/libcrypto/man/check_complete.pl
+++ b/src/regress/lib/libcrypto/man/check_complete.pl
@@ -1,6 +1,6 @@
 #!/usr/bin/perl
 #
-# Copyright (c) 2021 Ingo Schwarze <schwarze@openbsd.org>
+# Copyright (c) 2021,2022,2023,2024,2025 Ingo Schwarze <schwarze@openbsd.org>
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -25,10 +25,10 @@ my %internal = (
        CHARTYPE_FIRST_ESC_2253 CHARTYPE_LAST_ESC_2253 CHARTYPE_PRINTABLESTRING
    )],
    bn => [qw(
-        BN_BITS BN_BITS4 BN_BYTES
+        BN_BYTES BN_LLONG BN_ULLONG
-        BN_DEC_CONV BN_DEC_FMT1 BN_DEC_FMT2 BN_DEC_NUM BN_LLONG BN_LONG
+    )],
-        BN_MASK2 BN_MASK2h BN_MASK2h1 BN_MASK2l
+    conf => [qw(
-        BN_TBIT BN_ULLONG
+        conf_st conf_method_st
    )],
    evp => [qw(
        ASN1_PKEY_CTRL_CMS_ENVELOPE ASN1_PKEY_CTRL_CMS_RI_TYPE
@@ -55,7 +55,6 @@ my %obsolete = (
        ASN1_dup ASN1_d2i_bio ASN1_d2i_bio_of ASN1_d2i_fp ASN1_d2i_fp_of
        ASN1_i2d_bio ASN1_i2d_bio_of ASN1_i2d_bio_of_const
        ASN1_i2d_fp ASN1_i2d_fp_of ASN1_i2d_fp_of_const
-        ASN1_LONG_UNDEF
        BIT_STRING_BITNAME
        V_ASN1_PRIMATIVE_TAG
        X509_algor_st
@@ -69,9 +68,6 @@ my %obsolete = (
        BIO_set_filter_bio BIO_set_no_connect_return BIO_set_proxies
        BIO_set_proxy_cb BIO_set_proxy_header BIO_set_url
    )],
-    bn => [qw(
-        BN_HEX_FMT1 BN_HEX_FMT2 BN_MASK
-    )],
    evp => [qw(
        EVP_CIPH_FLAG_FIPS EVP_CIPH_FLAG_NON_FIPS_ALLOW
        EVP_CTRL_AEAD_SET_MAC_KEY EVP_CTRL_AEAD_TLS1_AAD
@@ -116,7 +112,7 @@ my %postponed = (
 my $MANW = 'man -M /usr/share/man -w';
 my $srcdir = '/usr/src/lib/libcrypto/man';
-my $hfile = '/usr/include/openssl';
+my $hfile = '/usr/include';
 my $in_cplusplus = 0;
 my $in_comment = 0;
@@ -133,6 +129,7 @@ if (defined $ARGV[0] && $ARGV[0] eq '-v') {
        shift @ARGV;
 }
 $#ARGV == 0 or die "usage: $0 [-v] headername";
+$hfile .= "/openssl" unless $ARGV[0] eq 'tls';
 $hfile .= "/$ARGV[0].h";
 open my $in_fh, '<', $hfile or die "$hfile: $!";
@@ -236,6 +233,7 @@ try_again:
        # Uninteresting lines.
        if (/^\s*$/ ||
+            /^DECLARE_LHASH_OF\(\w+\);$/ ||
            /^DECLARE_STACK_OF\(\w+\)$/ ||
            /^DECLARE_PKCS12_STACK_OF\(\w+\)$/ ||
            /^TYPEDEF_D2I2D_OF\(\w+\);$/ ||
@@ -288,7 +286,7 @@ try_again:
                        print "D- $line\n" if $verbose;
                        next;
                }
-                if ($id =~ /^(?:ASN1|BIO|BN|EVP|X509(?:V3)?)_[FR]_\w+$/) {
+                if ($id =~ /^(?:ASN1|BIO|BN|CONF|EVP|X509(?:V3)?)_[FR]_\w+$/) {
                        print "D- $line\n" if $verbose;
                        next;
                }
diff --git a/src/regress/lib/libcrypto/md/Makefile b/src/regress/lib/libcrypto/md/Makefile
index 94bec95e05..1df57283b2 100644
--- a/src/regress/lib/libcrypto/md/Makefile
+++ b/src/regress/lib/libcrypto/md/Makefile
@@ -1,9 +1,15 @@
-#       $OpenBSD: Makefile,v 1.1.1.1 2022/09/02 13:34:48 tb Exp $
+#       $OpenBSD: Makefile,v 1.2 2025/05/22 03:24:47 joshua Exp $
-PROG=   md_test
+PROG =          md_test
-LDADD=  -lcrypto
+LDADD =         -lcrypto
-DPADD=  ${LIBCRYPTO}
+DPADD =         ${LIBCRYPTO}
-WARNINGS=       Yes
+WARNINGS =      Yes
-CFLAGS+=        -DLIBRESSL_INTERNAL -Werror
+CFLAGS +=       -DLIBRESSL_INTERNAL -Werror
+CFLAGS +=       -I${.CURDIR}/../test
+SRCS +=         md_test.c
+SRCS +=         test.c
+SRCS +=         test_util.c
+.PATH: ${.CURDIR}/../test
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/md/md_test.c b/src/regress/lib/libcrypto/md/md_test.c
index 590bb50ee3..752f2e4958 100644
--- a/src/regress/lib/libcrypto/md/md_test.c
+++ b/src/regress/lib/libcrypto/md/md_test.c
@@ -1,6 +1,6 @@
-/*      $OpenBSD: md_test.c,v 1.3 2025/01/19 10:17:39 tb Exp $ */
+/*      $OpenBSD: md_test.c,v 1.4 2025/05/22 03:24:47 joshua Exp $ */
 /*
- * Copyright (c) 2022 Joshua Sing <joshua@hypera.dev>
+ * Copyright (c) 2022, 2025 Joshua Sing <joshua@joshuasing.dev>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -22,6 +22,8 @@
 #include <stdint.h>
 #include <string.h>
+#include "test.h"
 struct md_test {
        const int algorithm;
        const uint8_t in[128];
@@ -30,7 +32,7 @@ struct md_test {
 };
 static const struct md_test md_tests[] = {
-        /* MD4 (RFC 1320 test vectors)  */
+        /* MD4 (RFC 1320 test vectors) */
        {
                .algorithm = NID_md4,
                .in = "",
@@ -99,7 +101,7 @@ static const struct md_test md_tests[] = {
                }
        },
-        /* MD5 (RFC 1321 test vectors)  */
+        /* MD5 (RFC 1321 test vectors) */
        {
                .algorithm = NID_md5,
                .in = "",
@@ -175,25 +177,21 @@ typedef unsigned char *(*md_hash_func)(const unsigned char *, size_t,
    unsigned char *);
 static int
-md_hash_from_algorithm(int algorithm, const char **out_label,
+md_hash_from_algorithm(int algorithm, md_hash_func *out_func,
-    md_hash_func *out_func, const EVP_MD **out_md, size_t *out_len)
+    const EVP_MD **out_md, size_t *out_len)
 {
        switch (algorithm) {
        case NID_md4:
-                *out_label = SN_md4;
                *out_func = MD4;
                *out_md = EVP_md4();
                *out_len = MD4_DIGEST_LENGTH;
                break;
        case NID_md5:
-                *out_label = SN_md5;
                *out_func = MD5;
                *out_md = EVP_md5();
                *out_len = MD5_DIGEST_LENGTH;
                break;
        default:
-                fprintf(stderr, "FAIL: unknown algorithm (%d)\n",
-                        algorithm);
                return 0;
        }
@@ -201,108 +199,100 @@ md_hash_from_algorithm(int algorithm, const char **out_label,
 }
 static void
-hexdump(const unsigned char *buf, size_t len)
+test_md_tv(struct test *t, const void *arg)
-{
-        size_t i;
-        for (i = 1; i <= len; i++)
-                fprintf(stderr, " 0x%02hhx,%s", buf[i - 1], i % 8 ? "" : "\n");
-        fprintf(stderr, "\n");
-}
-static int
-md_test(void)
 {
-        unsigned char *(*md_func)(const unsigned char *, size_t, unsigned char *);
+        const struct md_test *st = arg;
-        const struct md_test *st;
+        md_hash_func md_func;
-        EVP_MD_CTX *hash = NULL;
        const EVP_MD *md;
+        EVP_MD_CTX *hash = NULL;
        uint8_t out[EVP_MAX_MD_SIZE];
        size_t in_len, out_len;
-        size_t i;
-        const char *label;
-        int failed = 1;
-        if ((hash = EVP_MD_CTX_new()) == NULL) {
+        if (!md_hash_from_algorithm(st->algorithm, &md_func, &md, &out_len)) {
-                fprintf(stderr, "FAIL: EVP_MD_CTX_new() failed\n");
+                test_errorf(t, "md_hash_from_algorithm: unknown algorithm: %d",
-                goto failed;
+                    st->algorithm);
+                goto fail;
        }
-        for (i = 0; i < N_MD_TESTS; i++) {
+        if ((hash = EVP_MD_CTX_new()) == NULL) {
-                st = &md_tests[i];
+                test_errorf(t, "EVP_MD_CTX_new()");
-                if (!md_hash_from_algorithm(st->algorithm, &label, &md_func,
+                goto fail;
-                    &md, &out_len))
+        }
-                        goto failed;
-                /* Digest */
-                memset(out, 0, sizeof(out));
-                md_func(st->in, st->in_len, out);
-                if (memcmp(st->out, out, out_len) != 0) {
-                        fprintf(stderr, "FAIL (%s): mismatch\n", label);
-                        goto failed;
-                }
-                /* EVP single-shot digest */
+        /* Digest */
-                memset(out, 0, sizeof(out));
+        memset(out, 0, sizeof(out));
-                if (!EVP_Digest(st->in, st->in_len, out, NULL, md, NULL)) {
+        md_func(st->in, st->in_len, out);
-                        fprintf(stderr, "FAIL (%s): EVP_Digest failed\n",
+        if (memcmp(st->out, out, out_len) != 0) {
-                            label);
+                test_errorf(t, "MD: digest output mismatch");
-                        goto failed;
+                test_hexdiff(t, out, out_len, st->out);
-                }
+        }
-                if (memcmp(st->out, out, out_len) != 0) {
+        /* EVP single-shot digest */
-                        fprintf(stderr, "FAIL (%s): EVP single-shot mismatch\n",
+        memset(out, 0, sizeof(out));
-                            label);
+        if (!EVP_Digest(st->in, st->in_len, out, NULL, md, NULL)) {
-                        goto failed;
+                test_errorf(t, "EVP_Digest()");
-                }
+                goto fail;
+        }
+        if (memcmp(st->out, out, out_len) != 0) {
+                test_errorf(t, "EVP_Digest: digest output mismatch");
+                test_hexdiff(t, out, out_len, st->out);
+        }
-                /* EVP digest */
+        /* EVP digest */
-                memset(out, 0, sizeof(out));
+        memset(out, 0, sizeof(out));
-                if (!EVP_DigestInit_ex(hash, md, NULL)) {
+        if (!EVP_DigestInit_ex(hash, md, NULL)) {
-                        fprintf(stderr, "FAIL (%s): EVP_DigestInit_ex failed\n",
+                test_errorf(t, "EVP_DigestInit_ex()");
-                            label);
+                goto fail;
-                        goto failed;
+        }
-                }
-                in_len = st->in_len / 2;
+        in_len = st->in_len / 2;
-                if (!EVP_DigestUpdate(hash, st->in, in_len)) {
+        if (!EVP_DigestUpdate(hash, st->in, in_len)) {
-                        fprintf(stderr,
+                test_errorf(t, "EVP_DigestUpdate: first half failed");
-                            "FAIL (%s): EVP_DigestUpdate first half failed\n",
+                goto fail;
-                            label);
+        }
-                        goto failed;
-                }
-                if (!EVP_DigestUpdate(hash, st->in + in_len,
+        if (!EVP_DigestUpdate(hash, st->in + in_len,
-                        st->in_len - in_len)) {
+                st->in_len - in_len)) {
-                        fprintf(stderr,
+                test_errorf(t, "EVP_DigestUpdate: second half failed");
-                            "FAIL (%s): EVP_DigestUpdate second half failed\n",
+                goto fail;
-                            label);
+        }
-                        goto failed;
-                }
-                if (!EVP_DigestFinal_ex(hash, out, NULL)) {
+        if (!EVP_DigestFinal_ex(hash, out, NULL)) {
-                        fprintf(stderr,
+                test_errorf(t, "EVP_DigestFinal_ex()");
-                            "FAIL (%s): EVP_DigestFinal_ex failed\n",
+                goto fail;
-                            label);
+        }
-                        goto failed;
-                }
-                if (memcmp(st->out, out, out_len) != 0) {
+        if (memcmp(st->out, out, out_len) != 0) {
-                        fprintf(stderr, "FAIL (%s): EVP mismatch\n", label);
+                test_errorf(t, "EVP: digest output mismatch");
-                        goto failed;
+                test_hexdiff(t, out, out_len, st->out);
-                }
        }
-        failed = 0;
- failed:
+ fail:
        EVP_MD_CTX_free(hash);
-        return failed;
 }
-static int
+static void
-md5_large_test(void)
+test_md(struct test *t, const void *arg)
+{
+        const struct md_test *st;
+        size_t i;
+        char *name;
+        for (i = 0; i < N_MD_TESTS; i++) {
+                st = &md_tests[i];
+                if (asprintf(&name, "%s: '%s'", OBJ_nid2sn(st->algorithm), st->in) == -1) {
+                        test_errorf(t, "create test name");
+                        return;
+                }
+                test_run(t, name, test_md_tv, st);
+                free(name);
+        }
+}
+static void
+test_md5_large(struct test *t, const void *arg)
 {
        MD5_CTX ctx;
        uint8_t in[1024];
@@ -310,12 +300,10 @@ md5_large_test(void)
        unsigned int out_len;
        size_t in_len;
        size_t i;
-        const char *label;
        uint8_t want[] = {
                0xd8, 0xbc, 0xae, 0x13, 0xb5, 0x5a, 0xb0, 0xfc,
                0x7f, 0x8a, 0xe1, 0x78, 0x27, 0x8d, 0x44, 0x1b,
        };
-        int failed = 1;
        memset(in, 'A', sizeof(in));
        in_len = sizeof(in);
@@ -323,44 +311,34 @@ md5_large_test(void)
        memset(out, 0, sizeof(out));
        out_len = 16;
-        label = "md5";
        MD5_Init(&ctx);
        for (i = 0; i < (1<<29) + 1; i += in_len) {
                if (!MD5_Update(&ctx, in, in_len)) {
-                        fprintf(stderr, "FAIL (%s): MD5_Update failed\n", label);
+                        test_errorf(t, "MD5_Update()");
-                        goto failed;
+                        return;
                }
        }
        if (!MD5_Final(out, &ctx)) {
-                fprintf(stderr, "FAIL (%s): MD5_Final failed\n", label);
+                test_errorf(t, "MD5_Final()");
-                goto failed;
+                return;
        }
        if (memcmp(out, want, out_len) != 0) {
-                fprintf(stderr, "FAIL (%s): MD5 mismatch\n", label);
+                test_errorf(t, "MD5 digest output mismatch");
-                hexdump(out, out_len);
+                test_hexdump(t, out, out_len);
-                goto failed;
        }
-        if (ctx.Nh != 0x1 || ctx.Nl != 0x2000) {
+        if (ctx.Nh != 0x1 || ctx.Nl != 0x2000)
-                fprintf(stderr, "FAIL (%s): MD5 incorrect bit length\n", label);
+                test_errorf(t, "MD5 incorrect bit length");
-                goto failed;
-        }
-        failed = 0;
- failed:
-        return failed;
 }
 int
 main(int argc, char **argv)
 {
-        int failed = 0;
+        struct test *t = test_init();
-        failed |= md_test();
+        test_run(t, "md", test_md, NULL);
-        failed |= md5_large_test();
+        test_run(t, "md5 large", test_md5_large, NULL);
-        return failed;
+        return test_result(t);
 }
diff --git a/src/regress/lib/libcrypto/mlkem/Makefile b/src/regress/lib/libcrypto/mlkem/Makefile
index a08623c90a..3acaf78e63 100644
--- a/src/regress/lib/libcrypto/mlkem/Makefile
+++ b/src/regress/lib/libcrypto/mlkem/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.9 2024/12/29 20:14:15 tb Exp $
+#       $OpenBSD: Makefile,v 1.10 2025/08/15 14:46:37 tb Exp $
 REGRESS_SLOW_TARGETS += run-regress-mlkem_iteration_tests
@@ -22,7 +22,7 @@ run-regress-mlkem_tests: mlkem_tests
        ./mlkem_tests $f ${.CURDIR}/$f.txt
 .endfor
-SRCS_mlkem_tests =      mlkem_tests.c mlkem_tests_util.c parse_test_file.c
+SRCS_mlkem_tests =      mlkem_tests.c parse_test_file.c
 SRCS_mlkem_iteration_tests = mlkem_iteration_tests.c mlkem_tests_util.c
 SRCS_mlkem_unittest =   mlkem_unittest.c mlkem_tests_util.c
diff --git a/src/regress/lib/libcrypto/mlkem/mlkem768_encap_tests.txt b/src/regress/lib/libcrypto/mlkem/mlkem768_encap_tests.txt
index 76b0cbdef3..bf37654e0c 100644
--- a/src/regress/lib/libcrypto/mlkem/mlkem768_encap_tests.txt
+++ b/src/regress/lib/libcrypto/mlkem/mlkem768_encap_tests.txt
@@ -1769,70 +1769,70 @@ result: pass
 ciphertext: bb7e0dca6eca3ef57e945d921c2f80875556f7786d6bcca1312f86b3bea6d0f0a73f7d6036a7c38c62d4e356961ec6a28d8026a2d915d9721ef815147fc09ca65a3394aa5dc14c08d41cbe932337b9a531ddf68df20b6aea297194ac398f15919830e3ee6c20145c0aae7a2cd276ccad7b5c414212f0c0ae7106333868938a6a00da19377d996c7796d400606007dff30fe554a5fef86944d43ba047a00da5c2c2a1aad053aeafcc75a1e826a417b4c320e60a68e63dd7b54827f5b8b0063a00043f29ce8975d95bd418eb2ed29db0d9263c67fdcc153ba9b5a33279becb7ab193c2f257bd660fd7012712be3fdc2e52490ade145e8e030ba1ee5368791e6f3efe00deb34cb454cbf7fdae3a507261d9fce66ab58998ca19380187e3455d425977a8396cee3442935e24347aed45fba9b323a289f1b98691e35017ecfd7a423cd8d0149432a2063e0786c2f912e1134ebed188511c905a1a9890cd55d496e8441ccf637b4d660d93c7a46c3e17219167c3b4740878ae35766470b5eff3c6b1fc8c30e5c9645a94ebd48d2d40fbd4baf9d822deb26c089da84043340a564e6c311bca18c7a2c868831fbb866d89652556b53297b9c0040e98a692fa536af4c9a7aa09321ca27068ca66c665b1121ee4529cb3e6d899964de759ab915b0d2c571c5aa76cd64df4a4e55d9de59eca7b4379b30f8559db41e804a18b8771f594b9bee3de9ae98a003430aac58c141e6f0b7b1e5e08e27d1127b682882be055ba31e280dbace7878ae60426626ea4c5bc034a9206e27f578edd17fa6c33180b649bc7bd437b2c86ef4e0f4583071f99090b95db1e415d21ddd88a910b1fd10e3a04e391d947558a6619683ae070be04cab88300614839503f088e2f04cc4a7d091af9833a4f957cfdc574b1c994673ea14dce6ad89adebf5130d266c1440b3f544eea380ba245e21651f1f2aeb2b3d578000a87683dec69ccac18b0702d3d030077981076766e7e5f3ae1174eaf21bf03662c6bda5fd209da19ff6792c0bbc5d210851061dcdd2e4794d2c3c0c531e92a2c4a23556878d3e890b65289a6a02530bbd40ed66db3bb220aeb71fcc3c0b5d5b3afc71377746b22ce636dba028bc052c219783d468fac1d4eed555c1b4676705c8d27aa8a09c6fd8640a6f7b6790ff173ac39b5f3c709281df4274cccdc1e3b690ac0a77f7ece34cdf3216d2b6058baf5f649ff5036360dff99334ff06a366785c0404c584f623801190082fe5cdf88f9cf41032681e8fd6b84d127add01d4b2286af648b83fe69aa8d109c9320bd40621cf75adff8603e3da00be36f03ed7925f19b2e913d756e952a9402cd4fbffc0428cd7eebdd7fc7d3b4cde181b16b26811cd53d9f5d85d37c1670b957d4b3d04fd06567ac68d3f9dbdd45d182619180cf9292e86f42bcc213e94900e0c759e051bc0e30ffbdb91a2493913dc8b81ba4c3e8ba0e7277dc38dc91eb2b27823dac71b6f1c47e2a04136e2c0474fe070e2e4bf8e6fc98e73143ead3c5f778ce8a4efde4
 shared_secret: 5b357f714a293b6724c0dc2e2c5509676782a9dddb050d88e6efa0a6d09d20b7
-# Rho leads to a matrix with unusally large entries
+# Rho leads to a matrix with unusually large entries
 entropy: adf510dc0e997af14f96e4863f316475be59850bc861ca0d1b057d6b94c3b5d6
 public_key = d7dab73b47cd1ca43c7e036d41c94f8f31a0de404fa38a1da0992933d752acc0407234883488a581e340bf5a8dd7112099259ebfdb0cb094c8d592485f25729e1844870a3d57d63fe9c1295fc2c4a374508f359a7e9b062348c6c807322f1a2dc887a20ff1b8e951b103698492504dd86babc01339f5b0c9bdb01b65514c8df3a61abb7941da84b8005648fa0e5b094e54e56a56e8c840371349820dc3f48ef0fa488f180f57b5c0ad663512467836d6765f6517ebd0172d886430357baec25c709b3abb9c01dda27e2ac7c17cac7511726a39050fe92399e14780e3288ae775612b2c4baaa032af561d0356c43175c6263c5d9cbc62f57194c9f76fb5293e86d9a95a641325013dee98067d513525eb5d2f7cb5783915d0917faee635bcdab95a61592fdb1de202c439dba37a235e3888134249044519732701111385b9c91c2fc96b039d6483c6d1bba2223cb0f612c3f7c6dc62bf64a04b349a0fab73290acbb15ce1cfaa15c68d896493e67dd9a518782b35fe141a4d70bf33e97a616c51193b711b04a40c9634bb62726f748572155667146d311016880c670067c653e9a8dc0bc32865adbf41ba99f19b2dd9ac7998bfc8679c689a05a5038042885742a68ef84c429984588995a6cee077c3a099caa7a5d3761cb4411d1dab8fe7258c75903ef515b6b0629ff659436ff687e6625d2080671e0cbe0cb624bf8b367e780452ea3713804e083aa6e0c7adc15618cf223b3587a364320d56c58be8f037f89cae0be209ded78cbae29ed73767ede6793f0051cd5692f63661a257ccd9d859a92ac08784070bfa7ede4577e7ab1ff6c7b159089b8dbcc5ba56357b2659a7a04c8748a86991b2b775c2015a4c12341ebb419e1244396c233c161495366104b8e29979e571c9614fe10c868db56cd934c5b2d04986a70be8dc25d61cb6f0054d5e4000ef72557b712658d962b1e673a07222d59bcbc4e8339bb5b37cc1c2bbd38780f8233843ad420782b4951c3321888fc3b488897c8bab046f79cc456bba9f666ba261284a1285bf1a9a9d274d9b87788c225c0ffa20388183f35817e5825d450a1eee881f94a5a129e688ce6664021356580190a3ec5ed220b8a5878068ec5cd485816f8c1ee05c3c23ec0d0aab7f73aac249142d8992678b38410d41be710a285d3b593a8245e514a870c3c348fa45f99aacc464b399ecc0cb3c306c273e5f4c671b806864120a88c07caa53a550d52c5641203a7927b40631e21344a9337da2d128dbbb5f97b68b8e57cfbb1a67ca7741c60c2533e49ece409b0492a2e81523e6b6ad655a6dd1870b5de3690de3369c898b557886c4877ad1d67a1583bc70502b32a44afb9b60f88838eae005e2703ca26355ddc479bdf1a93756af16b7789a3221fed9a4e468b710035060752e884c56034b768d0a7106a4bebde7622bb46b6649195301192c498bb555c653c42f6d84883be82e8fa56ea303caac534014b6bbf38a9f73283e5a40b36e36c9d8b1a9856aa7d9913b22c40cb103b74853c53c3ab4ce895388aca8584449fae927b16534f48b3aaf350030a8460c8572bcc527f1f62bf1c5a9bb8ccf3ee66f66dc19286782911a6765c72db77ac0e976a2bc114a1b11000000000000000000000000000000000000000000000000000000
 result: pass
 ciphertext: 1a2dd390e05984bfc0f55ef96da5050fd9bb03891d4d2ddea46c463aab28fdfaf63d4b2e0c9af992e4f1421efc26ae86c2b296f6851bbe2e898b8bdf4057e875d4a98469b7d2646edb86a5eb5259341e0d14986a8ccf93563bc6ac067f8ff6997c2e7bbd897f02e844f180769fec5af9d6fa017022cb0af622b6e4f7a69d73ab01d3d09067b118d51805e1b6413b7a9e0ef292a6fca18a8828912a2db675f0244cd63d9340aa3ca00dc5d70c915b0061664b1e1d64d3d4dced3ef739302f1063442569efed0dfbe8c019c27823a3aabd865a47600ff9e24f748302bfca1bb60faf4105889a548be9ecaf266d8f02d3aa4997202477a70ee71b6e79dd1609acb4dabab72a38448758d8debf55369c5d3e0870ca193018e0ae6d0ffa33b93e962598b43e89d5978a9d55a608b98ceae5e897363f8a9e253acf8af560c57e07c4c4bde807620b6deb76d581bf92b7f514509446f5c4e4d09430b1855e62854988302c931b9e624644a636ab8acaec56d7673b26852c692e8325fa1b6215f24ebfb388ad1022fedc0bef272c87e10dca97df1e63f1a0e9582daae0f49e30c6acd119f7c4eef59d47443f491df846431cfbd23900341086a304589f52de1d862c26af32095e922b92650c68facfc13892430d428f626fba00cf9501e1e4646e55f5304c806b5acafe100084d7635702139725561522632e7e3871effe883298a7264a411484cdef78f9e721c0e5f3937f2fb7d40bb91620e473f9b97adddea69b3ac682e8aea2513b985fbae268176c1bff90e401a31e729fe8b76d13b5c8c85ed833d9b076b5e11acecbf0e96edcf8ff562255124edbeb5b9117cf486f30d7883aa353b9e433a77ac6912cc8e5093c12385ad926be1d0893afc7e64fb9ec55d3285e01a3ca63f3c07b95399bb4411c3f820f53d8350d1979ee9cc6bbf2d7c92d0cb2fd0a1de910d92589cf1aac29992489bc179676c31ae768869398fda50ff14860a1b4dd3bb2e4ba8b2c87aef7ee00d375956a62dc1e5d548a59f209448e62c4b1221631d4776dd5192154d637217d31feea1c4cb3ef1903b8987f4c184cf3d6b5355ad53c7bd3e0ae5373d9971115698214a93e12b98489cdd75028cf22c1da41096daca95854b35d8bbf7d0d4ca2727aa511eeb6cec5352ed487bd3b00b261cbabcfa9f082ba7300610c6f92725d532a86e00b2ed1929a8be7a342c079835a2285569dca92a808049f170fba39d990884ef39ca511aaf9a713b8d78973b4f4a2fde7ca8b6adbdc5a70241fe3ea7d005b33e48cc9fe6ce5bc2bae0746827e548332adf83f8aa707e703fd688c494136d8dfa50961a9e5b69b542ed6ae0e70ae159df95dd9d4789e284a675fe048585214047f7f6819f7f011141d265de9fd4c04f4ed5dead63fa4c8938b2f42108d263d5394d164b3254294402cbeb48663cf1ab2c296d6ada107e8aa5b505da49af96e1cebc6b302faa148216d38b9e8130cc654974ce299172cb875742e62c32c063ffe7535db2726f65fc8f600d4dbb1a20f
 shared_secret: 54c35602dafe572b99aedb7069a59c4f7818c860b27a947347657ac1954d6454
-# Rho leads to a matrix with unusally large entries
+# Rho leads to a matrix with unusually large entries
 entropy: 3983da6a4615805f6d55c14ba582d59a40e646c7ae77f4835a51afc6c37f11f3
 public_key = 47340db6d04313d3a689b357566b9743cace5d5b906a39249f1c2bcdf335f37aac2565932631ac318bbb7ca75db36ac198ac6b15a02173049721d10f7521a52f358f35f3719269a695a4b0fa03b32d8a209aa12a5d786d8dea4ba05498ba222eadd647dd5a397e655ed309883d76326231a6764a7ba4226567022d70fa20cc53a045cc5a1fc54abe0189a4a2b6bf8a969d61706944bc59c6add2992b6e562e9732973d32b97956203dbc523803ca0a462ae118633483cab85c645ee3ad51682c0596378dea5e93bc7ab652648cf1954745172a75c2bf6a3177a7841b089b6ee911149871a9d987c6d499b6e0c4d15c9b74685401b680d3e112d6d70bdad6a3f9954b0057335ca36823328ac4e124d55b9932d548f58b85a32844e9f0260d8a4339285ab46152bbc05a967c5f16072f16178687b0bc06b621f5a4a14ef86b9cf1bade0185c5c52b3f2c407479467e5516ab9a1128260317605d4db250e8f4b59bf28a6ac2606d280af28664b75092fdea1fe9374976722dff579728e121fc1944891c586625a880a7bd154aace3e919b841b1f5f8c0fb841d1eac1fb18002ece216d42cb401dc1681836c1198653456c9392944054200a3b95b986a396d443a306b66018b525fbbb042e662ec108f6b872749d3287440c12bd07d1061a524a01ad7342d74f8a4b76222c5a439eef4235d51c9494602f6624dee256ea7fc09ceba9877f9332bf195c43502ee43c75e78720c306c2fa47f4ef6b7d69038dbcb8272b334c98cb665b306c04252fad3559eda4b96c14bf50b78d4a9a37081a2d61cad33b3b9418bba25409fbf4a5bb3c775a43b39520b37b5b82191b4983398858bbb0c6c8031b9736a5f76cab0e647443cb6d983a5e0a6c27756cbf471baa17870015566db8c8a51aba969e976a1c6cb2be166f20680893950ddf09cf8e3827a2a884a7a65d61c7c70a522d17ac0939625fe63958741255b012712e76fa8da809a8cb447d730d4097bd3e86471019dc8897bfc82c3804a76a38919f7cb50ce79bc13ec4bdda215bda9789503aa822c71ad8107a35818a7cb055b303338e465933565b94950c11836e8e33ae8093b0aa0c5d5d555cbec5eb4190eecaa1525014e8a341e9400180937afeb126c278a5bc4713fe9c417c50c1e47c8756fbb6a6b265bdffb4c1456c5b7d7a895b6932dd9a55623341354549283ccfb36abb3068b2db7348bdb1172318357bac12422ab93a32b453bcc0faa4e8e595b05a145e614aded6bb77278bd78907b828b18a22aabea48bdd69cab061522a618cf39406f6c78cb983354384415d8b857cb451e01b24f489a3133070d775307fb61a0f6d56d1255c4d4e18c62e57d8422080cebc919b81e67c4304cdb560ab16d929413af650a53f870e8017e90096452ca3ea648ca644010d34bb79c5898b775b197189a55840f43371dd9cccb7b4a28a66309a515658f06acdddc47042acee250a37632b42af51adf1c0666902fe0acbfc8f59127753a40161de4ca07a5c8bec0d8ad3141487da4a842147b9de945e4962699033375548d680b88ae8354d6114efe284517778eb9b7957eecaf5b4165424a5f82f100d02b7d39968b98f69c2cea1a0b39394f49265b492ea8f4000000000000000000000000000000000000000000000000000000
 result: pass
 ciphertext: bc07d2caff561b4645e3878d1de0730a88c05f46348526829a396f05a0a00603f0e2fc79e13beaacbe903827c20d9d687f3fb4eb2a8e9335459fb21380b8bf3734518778d8cfae9524ead1427c6a2dc379ddd2e985e2977bb63e932ed59c83a8b9a593e2adba0cc5f106620fc8c6c4cba5106bfdb4105def0c1d7b6800327cacb964e1d4ebbddfaa15b279115a1d05754c0c8a715fc2fe5aa09af7b96d5a93e758458aa5af8cba03b942f4d3c0fbbc2a45d3f7af5818d67219a72f4f538883ee2d3e507e2dbf4f7748446443bb71bfbb4eff0f57d8154d29f5cb26cfb52c51b676e9b1ac08786d5f475cbbfb49697a748b7902a83da49d285a48c7e9cae74b66a30b02a353a287b40a66a0663e7a71adab7d03272f2ec32d47097d4c303396db3e7b7a947f467a70646777cda227d72310806107b5dc16cfb36918e88784524e3a46c30242a40811593aa8f72c742f885a9623534753b2bac5e29110a1a854646abe1c0337251e85987aa612f3a095409a5a632af14acd19491577223c278b18a9c3ffa7f72ae49b89df6dc45ebb2803ece96cfa94ef9ef5b24fbe686ff90d130d3ae953a4f9ee6581a346b0612f84cb6ccad4fe94a53602817d67c61a9604d288319f5933f4a97dcc6ffc36cf14db593fe27f873be712186a6695d949d4552dab37e36e2e0ced229ea9dccd6d3bae22f9fb888ef400b594ec08a15972e8d2478e50f11947b52bf384c731b0e50dcd4ba116abab8af3b880c54badb11d83b4266d3e5fc25c2c8dbbba12fee2fa5c2017987f31277a67ac702b8dbe110894a8c81011c7c662ce9ab96a2e25cf5056a3e202dbf6bd5bef2347537f7811637e932d13ce02283d48d032c284b6cfb84fd813b6c3421017a7527eafcd3fbc5d4324b5351b30abcf1b366f424a8a0b5edf6bc1f3e8702b03eff875687c6caebd7bc15f1118696cc63859e3aab75aa9acc58484da7f2bc9a120844e4830429c0eee2b2324890bde302bc93f661edd9c04e1183528482f9950654e8c267234245aa9482d94e90e00e929b65431f986e7bb34524cc41f4b4443646713c7abe6c4131a2d67f3bf42f0a7f2eddf82b5c08a94d99a0a7d14c1b0b375fc158b7d4276eab22efb438f0d0a9b30e9dc127026181e42643af8da0b24bd10a532069392724948ad722b25477b481006fc1fd030aa62b217e6695dd4c7ad34dbfb75aff1df5774b061a4ea8526e9bcdf9679405c0d2e40dca00c9e80840e832fd663596dc55f602d094253893405a02d4414f119d23c4544cf832888db5ae8494dd2e8ee357753515d929b8a37b5b45446ffac20fb204b5c937f6344c453ffa449fe839b4afe1da61301057338fe29df93aa962a7374a2ec181ffff9252c8af5c3f75ebee02fba58a76066df4c6acfd5d1c18390652eb2f469d35dd708e63a498c08c5241b2717333904ba0e6e0845dca8c9608f28bd1046805cf7b220498145b23cb18184a259458dd2fbaeb1c383005a0d289562b0a9daf7d1e320aa302fd3d9a02c65fa901d46d4
 shared_secret: 7e1b4195e9cb70e6884d3d00f0b3f0a66b4d8c00ce112e1e79a1dd236ab62b26
-# Rho leads to a matrix with unusally large entries
+# Rho leads to a matrix with unusually large entries
 entropy: 2676b8426b9d6a30af007094bb76d65d388c2b3da938215dd6f6987206400e13
 public_key = ddabceea01649d9c6588d68c05e93cb6959fbe348468cb6e7f482d2b0507a097625325a7ff5740086bc203410414845a177c578698b313842dd2737d79806fdc8aa4ad8b91b514b6aab60885a49be68ba60d05891dd1cb47c1850b0105ec15a95c93136f22a170e346d2256a0cea672941335423cde35492967759b4317981c34fb0d759a2b08aeb411c362b2630c4b8ef342cf844206d7a5a3934bdfda95ba9fac912fb1844a0bb62041868ba0e3660a5551951b39880eac2959b5028eaa765492416ecf7a05102450eb20eb2a28be460972066b41ac87abcc28b38a7c92d91779e0c7cc8b42f107b48269521edf0c558a1b767536d295c3a7e60b9de6a8f299563be7c4d33d33940234af8c7764b181fb7b5af1dc88e4e830725533656520af7344e4ab40f6df34a90a898c672b854021d0631c1b1e9999d8176b22a5ce829a240642e19472e635a83c5086f87872f72a62e5fa038481a6861141227666f9203675db45a444c6310518d86a9221c9b6bedd753bb7914f7995e39031963ea056536a96c9b14598c95652091dba9210168467d7388b73770aa905052645eaa877c6f8a45acbb775d080521479314e214a5217835667dc2cc67dac17b0103b1049a03585b30631c6dac53b6d4056e5877786b295fe94c8804b57a027609bee938a8812666d12345e04c92469463443fad1c2188c951cfc6a06c3b8c3ad8856ef26a67b7841428a1f5b69a3fb82cad843a55645b78219d6de824701b0b1f192d4f816f45032b1cd5b465d33b3a9cb2fb04cb271a3cc74a8bf7ab6ac7a00e8ce6a0486c660680219c6ace0917b31595584f4756c9c5273ee36c37d25d5da146e57613edd34795b9cf61bbb7ebc441d575631215a87c4070159136348854c297cf3ca44fb2814448e30eb2c555aa2393bee966ceec0221a278f048aaa6d09b1d801aa0fb369ae4480f051329390af222712c61a59f98a31a03ba90c1a6c34c1c98c0be7bf59fd717ad9894786acb1cd081405c66a2e79a1fd77cad853761461c99218aca3cf4920703654fb9529c106f41a78b259294709bbc91679d0442bb383c28d64683ebdc7b94f4592c8ba2c1126c9dba9377040d3a124176fa33a3905cbb96764bc89a69480b74e38f558b422ef22e390bbc76e048c01129c97c26125bb2f86c4bcd274816265d8c41167223b0a22406d2a193ad3b1083b0cb75f9542e55b9aac02845f59618b5aa580b5b2bb44c192a906ce61b8c368278618d8ca8409fc02bb9b097acb208e3c2a9b651a316b70cafe6b9bdb32ad794b4f018b66ce55639e5558f5a3990475794bcaa06f17093d490fa583e6fd9596b40958359a30f813b940b1e1e4223d3857cfea691eeca944de845c2fb502e35a5f1a3750454593fe1c41662a3b3da407aa269c43167acc98f5f3c662d6177d3594d0cb800087c6a525c586d86c12e941b046625d90c8ec6dc8a5c546abb19a0b585aef39379db926691124265103bbb49cfc4e9100c803b4ef68a904273a6c899e48609bca003bcea9cf82203d52b5f9b65c409ba9503b3b16c7077465aae45d2cd4ada79ca43a9e99a124b7c9fa24a323f6c6bc18b81d9a6161191561f3776740b539479582a46bd913ad73e09000000000000000000000000000000000000000000000000000000
 result: pass
 ciphertext: 79efa2d537baa2b87a787317162d3dbcb40cb3c25f540ddb91aea6cea9870bbc5a5f86f8900b913fd4154bcfc7c8a463b9b66118c502ddad539186fcb079664f44a5363cc8d80d6a4c09f28cf8952157526cfef7bad2fc2cb69ff03ac39e37d47faab64cf54f63919303badeaab9e59df7040511ae335c5230e46e00a666b994d647d11cb032e7ee235b5e18b1894621ae93ee129823334580381b857cf0360196cb75180410f9fe7558d0e189502a5dbac5b4f0597cb3d1d201f89de26f7b4ec0d200a418a26cfb82cd4496c3ee22f6eb60f3ad2e1af981c238da13063d1746d65f77ce0ef30894468b687b31443c7acacfc3b3878fc9ec56878e7bd1a9f72ecb1706a4e5face0a83282cbc2bd15c89afbe3c97dfaf395a96ffbe1a3f75af03311afc69dbc01b11ffed2aeb8906505e910105806febc6e1298fbb5c0bf501232b888b7e8b285953d250b866a20cfdc7833a732966b3a03485ae2852d0a3fbeec6dfd0ec8015db5de69e55f091e956ab4392834c5128417105541b1145b27175fe35efbf3102277b35e42bd83aac25e25da6c55c28a03b9e2a8135871b4cc49fbfd5598c9eaa2482f249c0b6332a6999306be55921a3016499bc63a072a6e9eac894a3ec209177d07208d0d271c47f8065d0facd2e975011944f7884088768fdc053cf86f31f6d348222c06467fcf8ce0d404a2558e8cc422521a4e249549037d3e8a29e03a9a9bb511d9ffef4c5185a380d874732c9e862a6e8fa3fb72b213dab2ad0d91b047440b1d334660067566e6d2e14765d8fd0a45b9b8e8566419a6d7138e5a106c31b1278d50027d152bc8658d7045cb2297bb8382585b38be2d5fafaa7e8c867c74be013793874f181a9798193dee26fd5812eb469d1b842a969cda65d3440c67b00e6d1c3ae8630165499c1b4cf3153fb5731916ab779a2562ec62637d747d61342d832aed330e5cd794de900fa507d4b5fbdbc5f3ec1aa69d0319b3644d46d9502d435c1b5a329c0d3524611a145e3024595e91c2afd577a422d59d4d54a430f439534003be467b6f018736c4bebceaf7c83c799c2b7745ce7498dc84b9e455b96410dba1a0a5720fe703b7c0d859a42445eee7ca3353f294438a7d463fc3e98f4403f93b5fc4add88cc22db7bba150a2988639ba96cba8e2a0c980c9bf8cebdb5beb262d79e86cceb774750cd9a192ae93d85e60722ec6590beb7df8e4d036837c97dc05c7964dab00034683a576da5b51aa8a0622edc27975978c7daf1b942285572b09c170dd332a99bbf703d84becc6a96373fd1c0b355f063e4c2c6e59f5437802676000a819b9b99418df893b98a8e6ca22d95da2c151fb24a3a0e5944ac4ca6376e6c281b275589a3907c0473282967a121f1792d09a15e9d71e71e73f9f627ef0dd478061cf053af434b0663624c3bbafe0f37d7a32504e9c686f41bf48e287aaa8fadb73fece907f26a9576611ab2176a58e5c1f3e98ec0248a15774434c2a81c7a8f57f9950b83c0d3770d17c4e57582387d6f19bd
 shared_secret: 2522e72d308dc9d7d701e0b024af9e15627572f13573b27c406fa750df9636fd
-# Rho leads to a matrix with unusally large entries
+# Rho leads to a matrix with unusually large entries
 entropy: 319c51bcb76124b92f39820a5653c0ecfba79ec91d632b0488f4020e5df4e37a
 public_key = e2c1184862562b91806efa62f1b72a8ec43e70663de1f66a59687ae0cc1d9de1ce69244fccb0841b4b1de2e964e29408094a1ac0a9b4daa836e94454ebb942c6e9ac66f39abae73f61a99834292ada3c824bb53c8e67912a07377da92e63087f8d947f59d94a842b7aa8832b2c3c1aa957577f55027e76c106f86946f036804671b0e0416cf62e70eb8194d88030e2b38585181c4ab1fd8165a821bd68dc8fb3b403016ba5fd129bb9d23182029c4a292433087632816c009a237a608e65cbae17d688a326bd6c1ab4634576fdab2322b983f29c3e63b31303cc386bc90641c84965572c49a91f4e8258764834f38ca7f869cddbb10674d4296e5205ad805ac48462d3b31a9e6067fc0a27470aa593b896c3c319357b9bdf0632bf0786fadb0ac242609462a06f82460ea75762a678fcb07c350649d13c24c9e33200c9ca0e9bb87dd2c8578c7c4e27b1b75681a0b6aec6a55e767c4e14820f2ea609a16b862d5695556b0937f53e0ae370086c8f771295b1a09f0003a07bf512c4272f7241752a6603f8f51ea9a088e5263a59eb0b13b87a1d2929c2c29557681f180261f46c294de4aeaf380ca5f79efa2c64ed3131272ba489494ddbea14c69c46fd6346a7ec9f72d89559435e139a67bc3240bca29b3774127dd85d53c20bef719724612c462bc598c54738c87a00a9cb8c4b44e4e7ad4573afd9324fcab820cbf2091fd83fea52adc1b82b3f6c86369aa358498197631a20d40c790c2ddc66b0871c1ef882305bd978055bb934467d3ffc0359c2b31748cb19f615a63262fdf695f555be1ac432126b08e4a97acc18b8606ab6adc5cbe4589389e1121d737ba2b3a84d02bfbaa669f3a06b1be13fafd42a1773c830749cad35456e956c0ee64a5fcc46f1763c3b0c0d3de5c296a28f61194ae72979add8c7ce710d4ee846af81cba3e18d5e459addea9fb565b010e9ceed5798155227dcab155984635d7539d68c9f0d30537ce8b573b6bef1170540d0c10528737d6a5b219b2d96e5709a721b40536ee3c416fcec0bdba013b0fc0e786c9765d312692a80a5c9a3d65a6662788d194722d63b4bdcaa700e4c3daeb911e4d45674c3720be35269a21c0717a4c3aa2f3e1ab4f20a885cac44228138ebb70bb4548dedf8678d2163c339c1a9c719c2f1a51748571358c1451b0ced7b90109c98591126fbe57e1c913b5a935eff14450a22c4a108108b99b6efcc9bfd8438b5024677144885f1886ba068a6191ae17b9ffac1087bc94badf510095baa7167a7fe245a89a2a627d2631706a15d5aa081d037a4101b217c1c45fa0d83dc790447121cd9a533592cf8ac424de8770b45307f0aab484467c4acaa82a5669f7621e8ca42ec0b9222766b52775173b288ff5b01d70a60a853aa44917b8cd09a4b666138e91a3206c97877c96d690957b58553018f55f168c1c51bd9a48ae762a65dc73f366c79e77c42e793750924bcc1472cd5e552e20868a42047593842619c2e0fd40a3c7bba9557bb5c71185430a0158b9b95d04fefa266005141ffb4ba5160a5eee1499c09b11c549bc88cc501dc94a0a5828ee8a776a2a4aba3bafd410cc8354216cc3a93a457e9847af39b898b04b60a0c661a72a2df2b000000000000000000000000000000000000000000000000000000
 result: pass
 ciphertext: b0e578cabf9deab616e52934955f42eec74bde5ea98acb022c427e08232142dd08f9120eefe5f455c8f120e672cb68f3a146c3aa457b637d0901fe2b4cd45e8b208e06823b8aae09778cd00fff5bed5232d219a2c33645f2dc30593e591f697118a8472eadbce05c9fbbc5d4b717b880065173cc0854182555376dbbe39194e4204067358808c890e5fe96028921fca344e3500b615f2201a1c4e4d13dcc889cc9b1ac72429074c21a52f4c78ea2c467d65cd2c9ed682f21f31b27af4eb5cad33dd633185bf32e726fe6e57b03168803f693bd85f5a9f2c3ec6944e9ded2b8f3270a89139ce50ba6ded6bc6b0be8893f44aa5856acda60dc1c4c0834d45574ecb6183d6e59a183c0125ff45c718be2cf85b5ce6daae6e37336ea63856561f1bd4404df725d5ed9263038d1c623b2e1aeb35924b79de474407168834891af783fe5d83a631eb14d7cfa949d698ffa45e7d8c46ed4abf75cc666b78526c9b95ebb2920c77c56227eae6c893b57f9f463ff2ebc9acddb2f7ad543c5b2259047a4cc87ad05c08bbf02e8bb267bc490c4b67106fb598d42135c927fef3397f4c3f6838776787f23a9759dd3214075e79eb3929932becde84e82c257e4638a19e1e3312cfe09d4ac681d653d749c8fa6efa6dac35ad59399f1e233540fa354681ca55db90007039b7e504e2e4082aa3e4d672019741aa02a281454d4e1c73a1c7d0b5449c2e143ceaa3b18cb9a74a89f1ba74963dc5dd4155a356211277af3a267947700a2cfd84a605ab02d37bd6faa8a26b50f7b3d9bdc79913272c31dcc0f0183d05933a9f233504ddee2dd851529667ec5174a3d23bfca197538ebacda36bc29ca675384c0b3f45e4f67fb66d8dd4aa57b7da50ead391e6b663af173e7f4d46139f5d0f4cea84dd32e4e718967c6b93617271224f2fb3a1ca5febff5f26c4edc60e9acdd9e464ebb4571dced645814e1038a50515a7e06501adb2de19fec4119dec7548c41097964c3151226153ccac24abd1415579ba1c37c805a5827332d97ba90713829fb30b7b09b275d75bc10d4a26b33980a0ccd4b00844d9f379551bd0170ee895286526ea9625a72b6cb8decd9cf18e57262f8102a025025e8168465a65a7c7e4d5fc8742781acdc16171085d51dd5ec9f4f71f58cfaf4557a55d07e7c164ccf7eb427145c7f9a800e9bd9192ec0f74d19fc17d3881b1d55e8600aa55abf78fd1e226d9dd6e8da2bea15712f5f43325d4b9c083d6e37d35c043f2bc8c796ade072555263331bee7fffa54e2099135ea363575847abb770322376cbfd3f1b7980a1857c55fc82aa80bdcd701c7b7d66221f08492efb5438a04d041b485bcb61f6fd306e96cfe758d99ca1cee70b200eedee86145fe37ab7aafcfbb2df694361fe9923e754187c3277cc895c4a53732ee118c7b6156b55b30847a6e828b7069a5d4be623abff66ba87bff49294dd9b1f698ba445d610973d052a80691c9968e3179aa3eea5b0bccb3cf674c5cfe7d2c14d7b6daa7a4813abcd56ef930099
 shared_secret: 1cffb3d6d9dd9cf90d79fb2c5c974818c5bd6f32ea4d44c302337c4cbea44334
-# Rho leads to a matrix with unusally large entries
+# Rho leads to a matrix with unusually large entries
 entropy: 00ff48b3769ffaf4e91c1c9110eb8ce9e2cb99f060b486b37035407d2f4ca517
 public_key = e8014b4f4687bb6670b1c2a29ba577100943d5b926cb396423663f710328a8b536403530eee05006e7a7cd679ea44c29146494f1775cddd3b43ce6a903283f7890979ee98842d5a76f93777297abffccc0b8faace8f362c081aa435c32a5c31773bc046e61921f1a5707579fe36067588a0f32e2cbf91aa3ca6b38a0e12ffdf8685874869028775fcb7d7fd7a1e37c611316515638a510a13e950960e6f39395e436821165e734837ed575ad510d4fba6c3ad67e039b71a9b6c2a7ac240ccb3742d65b4b1c50a6a1a496995da77921ce33624fc48135e88c59caa47b299605ac1c79009dabb2062e375547ec907590b9bec52c86a6b9e394ba5f02401e4545c462c5f320939075b516c4a5dd0aa5d879456449a115125369584a609a83df8685ed2ab45f038559dc6b0ea170b09680e7e747cc7246b6c182d9199941847d9c1168a84400da2a98215a9e96f6bc869035a8822b27d459cb52147d966e0c354b70ecbe46daa9034074019acdac30055d8a1a02741ed8e602e2cb3185ea44c9e61fab637188554c8b12cc5abb9073b35108f59f6832112ff23b00acb0936594c00c0534a8c4c11cae4787092bf497b60b4a44116156e8368c0c950f3677f6424690803ee92373ed5c13d84c355bf041edcc872965816d6723b344244d0a54f8ecb0f1703ac251293503baac445996a1c9bd6ab851eb52f042692a2b10e4b9b44dc9625973af03fba67a3a93ff849dbea64739f643bfb803ea8653c2b9ab9639614000994bf48a8024c4e61c8a07a5c79b19540084bc7664ad44122e46ca1fbd517c8e68aeb3d835e53846848742a9fc2a4058047969bc11a773e623462c7bac66a34c62db861ef64dedf23c0b7441f6b75b4e60b86fe309b1b7746d558987f6a92cb8513792360ef76cb6548f0813ae8dbac418c25a1d95b06c530d79c6751e7569a2027f8a5354de3a70752764fabc632f3a1bf2473e8aa2a5cf815b3856a89afc122d98ba3f74185a3b2c09049601e23ee226329f024ac2692adccb2018b22a592a450b4a5819b2a498738d29f7145e534e527c859f05ad96cb963314c58a5a6b050ac6ead9adc4782859e3383170cabe4871cfc17a30ea4ac55cb998e77e1a26662a255f99f4ac7b98723341b2c7134adcdcab12a473bfe001127bcb01f84df31384af06171776263085bed1aa3374da7136648608b569a88663d2122e84b4b946b35c1f24a836e924202b7c7828c15507b17f906bc0e4b28c230134d90655696edde11a32c7a70303aaae3363e2a6947b4bccefe9ce62953f92521029959096a8910e71c51b69a0615ac790341c0ac3a574a79d34c11b4a974ffd7cccb05995d4089f8186b545b80a166982cb53123ef644e82897c77889ef91bd8c5a4ed1a4a414389d77307d53487940fa32782061e8458e0c601c884321d121b48ec04bca78c60d39b0c4bc9291945ae18224ec73ab7a451b9cb511bae34a20e326a497cb6ce46b5848c289da630f497ea3975eda79489f18a405e91bde288379f291f538c1a1426cf1634bc033098bbc9958f7af6e408354314e7221c37c1610bf904cf9e7807ad327f0f316761939674867ec7223f06a245711b0d47832b1a699badc8e1217798c0d000000000000000000000000000000000000000000000000000000
 result: pass
 ciphertext: 3159aa52482f4262cee553f9eb6d853d091a507831f5ed1af37b9c55f217eb1e87e8b0dfb653932c27e9e9f2c4d45cf89e9cfe9ba0d5175be56b7fe3751a4255649cfabdf0cbd5a8704d58511acf6e0580eed572561fab262b24d39c3a430a4e54fca969394037df12fd8cd71b7b6ec3d8f7345b05d4c16c5871b686690cee9804012a3379bbcf720f405c3c83f59aa391cefd8b00a73b41147d42c8b7820b0e779c44e032209067349fa4cd35e83850ae37ee73f96fc6bc5b71ff9b0462604b4e07be60cc76903175b045b908c9b8e7e94c6bc7c48ffd49698873913f9132025e51614317d27a874e319d802923804d1ce1626420d5794bbbe5e077cbd7fa3d958fb2d9608a3d41f605908d21fc7f942e3152337115a28b661f76405620b056692bfcc066f370449628f8e31b7453e5b7b10702f7c195dfb779fb3253f86acbaf4444ba9ce01c9b043133a233030247f8fc44d5b8c9b024ee83c186a62ba9fa5a3e45389217884a478f238d6a9b8eaf3d87b7b4b4375d4d5226dfb80255faab42380365b5511567978be9726d21178eced7294463a348b1e976d800b1114fb8230115b28e51f628a31aa8cf2e3253a7dccaa37f975fa2b8d32a6b6147033cfcbde33ab8857e3a6af95e4cd0db62fc020f55c2d6c9204a05835e2cf878c66502f572016d95b30c45c2ef6048471ad0cb7fe14250dddcb4014c392c22fb1dce1adc8e02f416d3e9b417f41c1b4065b975de472d0e9fd5b3a012ee9bf6311345b4968f6f18262bfc2a38d56d911f9efb981813f77a8a8d6af0618e015b8b005e7ea957f89f140192c7442a645ea7012b5ea2ba9f8cd2fea2ad3e41c6a57582237d53444fceaa933d61eac36d03a2865bfb7f12fd8cf451edb5050a35a75c95dd328296dc32daf61622ce0cc457c5968414b634b3e12a0ce45bbd733e3982c087a037d89cc86d546007bd92eef33949d19dbd4daa18e59c7ea3572bf3155a9a46af527347f4f4dcc2be3cc285d65f2f86c681a137850431ce8d2f76e295e74bd0b3c88f1b68885522dadb99fe1c8e40d938c9610e466770d62c34e9393241907d9cd7bfa470cb8fc149306d9450a7a1887d03cddad3fcdeda1ea54d3f126bb29a1ac3d7c5a60ead90d74ccbf1a75b4289a74a49e0a7c4006ab76a83915ebd4a95a471525444dd2c3e748b1bd347774e2cf01f90f05a1672c58f4f563e4da083e95e0fadd4ba57acebcb45611a3923da1d0d73f5c9a55489fb0097e123694e413460252892a0c6317dcb56efa834f7a51db4a413976afcb30ab4dafbe737f43da11c1b08a2472cdff3995dd7d23382b866873624fedee76823d37ec230dee2107258993d5b802fadeb89c9469a33c66c91567ea92581e0c2c1eaa2e2a4696b024c7c6009687d07769438a8b2ba75a7bfb32841dab8acfb8cbd4d1e26c5eb68bc49bb394b178e6f89dde843f4e2c5353b04390c245a0bddd1aeaefb87528b719fe42b35ad2a89ef34826d9e23f95b1bd3c3b24f785985e10dcaf0eb33f5f71f5cbe55
 shared_secret: fd9e333ac811ae8be12c052c65131e3a7a32ce82e39055012ea564e10acaa85e
-# Rho leads to a matrix with unusally large entries
+# Rho leads to a matrix with unusually large entries
 entropy: 4960ccb1276f96d7aa55885b6ae6f90343d42e1391e8241b5952931a979837e1
 public_key = f6513e1ec8234bc145eba3446eec18b3826b2ae709792648e071a7c4627e4ac7716db5b1d6040ba7b8ac39b347ef721a99c879453846e1aa591b8495e19003df973580d4192cabb72ae2b1f498bae9b3cfffc8bbce09122cd1910a406574106810dc556894777f35316c992f3b902186dba411ca3462b927688c81f7269b7c2770de5aaf90c81f752a3ec77942729a68fcb38a62946c601c945249bf0e280b66764ba71a44134ba84df1400bebccc61456fdf3bf50aa85e8e60f491ac1c1317d831ba5db6601133883fda81115c67fe4691d9df01fd3732b336bbc3899cf067b9e3905294902ca5686480cc94eb4e98260408b4dd060cf4b5344380c89d564b31158ce098ce1e06b91446c4189c6a4d89aa7e81befa900b250a7060406e25725e09399963c5e3e04219d390e6c28983e335646485023312c4d5bcad9aa7ee683b935d71af1908703fa2c9d66c8b6c55049b3319d39c047b5824d04975a9034e8ca1a9e1a5b0bcb222c5b5c848818d14503c31270d4f8446d013d4ecbc250b72dc25934726b426afc85631ca1065ca6e957ba00f1176a6a45b68a5e93274423e642451129ce83b7de439963c0c4e5d8b25f3b74fc053151610b4263725fe51423e886bed19c534165b4cc90fbd67256839b9371290af9853c948251c768e157041ac91fe6649bd1b1855dc417624b8ca0d798b1947c720b3414db56f01500fba30207322ede05612bb6505818a9a68538c9eb98f2b0a83dd38b765891f0d01f1db768d2355fc6b7a47414527c92ba104637072a72a6c0ce74772664e68660c9c0c28347315b17273a6846a79904a04b90a60c5b15973630209d9460365529bb72524404b3d9cacc013b0a7355a7eb2172d317cd356a07e5a341bab7c33db5a48fca4b1600443df6bf441983cc05125f6aa94f114a8c3ccea3f9c498c1126c072f27e97555456114f6bb3244c4698c3f6091864274a16bd82aaf0711eb8c4fd86a11b35b3b8b0528cefc253d7906b6b05382e37428253ebda5b48b6a068354381b24348dec73c279010bd32e41431d139a021a398f0e5c7fc1a98863f069b9d42a96b029455670caa89e0b867781f73fb7549392124485cb032a008d63812f832cab899a8d5d24b403e76d17d6ccb56c729e15abb2e04e32928c9b8971be6a4c70b15bee620eef375489347df7c622d9a803a86c2a9ec5a7a0554ff763912bcb7f57eb8b8633cf6ef39556162eadf8c285b61a53f4837c8c9ef48c3a58b3b6c31b8227c98df0b9057d452df2c258da8a1de1b99449c0054c48a0bc61a2336323367077cee252d366661904b12ea6215b3ba55aab06f60a517704a4046312731325df563cbed805e2c7b2a5848fa1cb97e17a2f926664c2947a2fdb56ed1b3c5e084a680073669b2b9e888ee010410acba461910795958e7c0c98294865cc700315e86a5c54912dc2affc2469244912d8180eab244332a00b7536c4cab62345872dc31ca3c0d2078d07beda4431f278aeaf2482cde53afc56352a894dfe3948fc14956917a4dc836f54369eacd4af052b4aa6b60af5e86bc868be275abd1118a83e5acfdcd4c92a3c2e2b13cce7101a9d303339f0b2dd4a282499579b803ede0b26c75eb8af34000000000000000000000000000000000000000000000000000000
 result: pass
 ciphertext: 5ab063c95a541d1be3fa0744e0db7e0ece17b6b47cca0fa41d08e7969fe87de63f319f80b9a31ff01e203de6e518e62e6133edd108e5a3e08d3f8ae0556cfd36b399dc1ebf3b229bc5013d06d7550512280bad2b27657d3ca0679d9fc62f0bf875dd0b326008a89b4f29e97211ee7ec75108a9e4a320a34daed15fd7ad394a1747e4e35bbe4f1118703c330aea81bef3e3883fd41c3efc3423ab46b553c7587894ad64db57bb0fe4d289d54c8ba78d40683bdf6330ccecbacd3f7f41541f1f2b1a7626d3969df6586b4214c02f921451f6adc04f5e8de1e3beda82e4aebc5e06abb33f4cd8a3b3b5741617b6a385739133cf5b77dd5607a5c8721d5b51c6c0b6df551a5b440082093f49f31910a04e4226b9ae6f41383672e0694bc4075207034e39c40668aa3174cfc8a75fb1a474485e9aff01f3572a5c7e4914e7519344c8ce7b81377d8c2af66bebc558359601b21beb984c1f00564d46585b4bf02c958c6b348642be25119b12f34a6e5755588f649837ba53c0efaa4c6c95d109a4ce1f761c1dcecb84cce8376cb1c4e34ff932408ccd2d06f20c5397f6277bf9c3234b20cedd45afecb7e87793d85af15909546c6ee41987f36d85865c8c1e281e13d9575abb9a9f215c08d89420535f73643dc584707deb7d5275252e862393fb6493f9e126c651b7981f26af8daf978153fa4476d615183bf147629fe36de7cceaa670dab930ba8a684b0bee24b55961ea556123b34e29491704d2122e46bed0f6fd50601e13a5d46c907b915f3b8e695e0bbf474aab6e082d156e79e59572731b48338892f2268dcbb8fc21cfd537979278ceb210fe3efd052365fa249c97e8e596ae6225839e5b8b296770f3b42240b8727a0a730534d0f42f8c6ef148fc04e4285e1aecf060c3666fc17a1ff794f584b26b0b1c41f0fcca249935cd411a151932b09402016a99832850b3f56c4846145738f709f5e11e28a90d9137e4e43f03dd1ddb6565c67c2a138aca59e8aebcfa61984bc7ac13a60ddd2c1f0fa84fcf9264ad5049c888b9f555e024f0fa685474e083025da168e3b9c4ad91f074e7e711f84bb808604114e09d1ceb83b697cc0f045b5089b0bf7381ff2efc08e7316ddb7eb7be47a1d82cf533ea898e668f0da124d2e87fef2b558f877b50b13a08641c74e2726b19fa7c0f33ab213f403c328ea60d08c07155ca0c19bb75f7f6716de89e34c20f9d15ba8aebcb98e9b6461477f56f9c65ea7e8744a4d7306e216f806ea8f9f1dc45781c1adba44319031fb9e81c6d33bb317d959bc53a677270f13d96da19833965aea9a18172f6f975bc4d03036b1239e7c315ecacec35cc0f788be1220c0497844fe7c989fff5ef7fcdf89c261a0fed3915cbfae94b1fba22827daaaaa0f968f1ac71e9772aed587d607d5d3f57c1500b6e08760e0b971c1999d01553bf87f55fbad96ce61d0750d75180623543f40e5b0cee74bb429edbed1b4c2a3e1aab86c8dc7381afb0b9e7d4151a3f76b7dec4199b97304d7b3845788e19126e
 shared_secret: b4b4634ad37852e19175ccfb5eca50093291da8f76b86be7511379188bc20d92
-# Rho leads to a matrix with unusally large entries
+# Rho leads to a matrix with unusually large entries
 entropy: 456be124e7f43803de5f734ea016455d68164a7f054c003f4ef49e46f42dd8d0
 public_key = b0abba905c1559715f25f720b7b745a52332355154e60577e598c754b6346b335b0195ac305268bae78bb4617807ca4666738ca81515bb041d43a4188003c52ac4ae4b3808d8c755d3e99d00537249d39d4cc02ed9f98ed4106895666c47538f79e30f5104adab1540a1fc58d1a857a1a4611257be37e0327491aa4b543aa6322ef7816a5c9a55eb3bc8604b15540b62c3405b861a84218211c20bc3d35a8a506b0153306fa98b9488a7841d85197c170f84c380098077e42cafdf1913df369f37f3291ec47289710c57f152b74572c23324f83618fd281f5e41976e77097a570a991b3bc623ad6331a1bb34673b1c328319758ed731ca2981b50a5a2cf8c66d31b10e88c95ffc27c3b6aabe8b207e6cb4373464b1b83f4a5a9806449bf7fb622360bf9f098b56729c5738191d57492b377ca8f989a87922a7368d724b07b7e36133620fa0735d60f5be8b51c19ed1655de5108681cb27273d511c643b7867516c2982a74f62e4cb759bb1f5f0808cc90e1baab60365722293bb07841803076504d00e6fbaae853749fc322e3458810ea41d832b35bf05a10e62a4ff8317b506b9af7216c445663c9061cc62914b0b72b5989d7d9c2b761c2fc5a28b5839bee5596c0de25c10a15776447e17770edb666249a2310962152059c5ed5738741a29e899072427891fb53606ab8b5dd06c005d239adb7bc368b10b74508c45c4aca726fe59c7729cc1ad617236e1b75c760e47815df33297c084429ca371c16c5761c9a23ebbcc2cb43ae9734ba9495d5a86a89e75aef50b9e73470d8d9974cf27a961c0cb2c180ff36140818b005f05afaabc86d8b8bf5c2a62f0632ebeca0c9c567514c9311ba6216fb13f1603c77656cced520d977ac75031044c8790d1b4c97dd38b2aa43dd8808a79e406f8e01503db8f7b51cc1e4265ee830461f41cec398251ea60d2c573ec59b4d28b09dc9446bb972f6d134e2e192e987153b39538e1f631bd81b2e65c2c5c68a96d1b78360889efa4c692b7cc374160e8dc485f47a676d77706e047d3e717386bb49cd942e4c05374b3a1cca148535a3ff1085102f4a7077b5f9c7b1a9ed651edb32691037f9388b672a662bc247beed215d51b414d3530c6b0631999663fd7c0e5da7e411c32c506476fd08a09d499ba3c27bbf6a804cc7e8be5c1f3f97d7aac085dbb3bd1076a69db89bc990efe59b00ca943ef8560642176e926af342b48e8002f6d1aa99b58cd013b03e0d285455786b54a4be3c581419730081361c04697b1b2c07df068621213c8ca6554b5982d5a1aaa113ed9343a56101aec68b838a37ef2c8a15d0504c672b278556b40c766c2066ac995caa32676da182545773881545cd58b71d3d7a02a209bc7407f420a830513b9d9d6c93c56571e42c8bf154afa060667a46d13cc542429c9d1a35be012cd3c9abc2bb7484fc89a4a83a20f7c2bb088793dab732ff370cbab614aa851fb77ce176b8f806c4f2e6068235b93d08c39e96badb37a457e8a790b2b8ef00b0b9e941592373fd2caa3ec3477c6c440d0daa755ac0ad2285754ac64b0852086112b0c9794f1657916fc173209a40425afc9b19946c529ca95154f24ca3cda5f9547c429836c377123c6ec000000000000000000000000000000000000000000000000000000
 result: pass
 ciphertext: 925fde875ae198cfea88c4eeb3a0091897e25a793672df1de3f24ab4fd3edb2cad0b07e698f35dc97bfd1d551fcace3282c8c3d8131857d96ee9986da7b79a02ddc6cfc9fb7f2b809a8e5511b1c1256dbab33e7606d8a5fc048b36f6ee53c7f556efadf94494595a549ca260ac9c45bf9962bf406610ca58dc286a9eeccc447a767b6db3ab009f5848558acea4503de747d72d43218babd6f68c091b4581f4e41f2e850047f5f543a02407e7331202b0eac7bed180061bb53f4dd3504ccbd3f298d96b43bbaf8f0c2545be54c59830e1f343ca88bb9c6812c66bfbb59a6d68298985767a73d34fa69b52cea98d95d8305f97c4d4fd643b56c60fe31e3c2ee7e938ac2e4a5da2297e670931c1dea5fcbe9cf118c62a76a461495f10f640fb416ff7bc2478c0e8a1356bb840345f3d43476bc4cd990eb7f7cde7ccb96452d055397ee402be2ce395a29a4f4061ec3d85b99f086341441022435b636028a1a04c5d787abe1c24a5a55653b7063b1cacdaee40ae0de77b4034b9ac0e860a90c8834b352c71e353c02b1f46b135fa68fa7a5c1c719896987d79f3174b8d0b0c28ed64cf9f2907924497e35bf519d519a9199a4dd68025992c6f466604bb2ec3d7b13eba76e4803fb73bb125b83413998ae86691a0b35c0054e1418898f435ab26cc12a12fd4dcfa9e80887af7ebb6c856a7fc010cfcaef9e1c5a4dc24a91a622fb7307521faff0b8e8e966b7b6ae849ccc75d31c8d700a3b6a9c3f646b2a88d1e9391c2ddc6c9ff15db961874c87dd94bf0165cfc8f719806539a8beb8e28350610461b1252872f0f3ac273b3366abd78d9fe8868dca1a5eecb683ab8b50ced8cf4a5ed3b721e0fe6b205fb191985ca745ff5dae0010493f8296b6586e1c96f7f23fcb4ac4dda15eab811107c977aa0a16439b06986a9027640cf7a01051934dfc758215d22c6f06866d5b871dfdb6ed240a73dfde43f7f89c0ce6909b54b0a633a25f7253c10906166f81ae91a1419028d6182c1f277dc7872b824c7a5a22bc7afc02afeaa9ba4c271ee68882397e6cec34a955cfc672f4e6f5ed870a35ebce97f34542cf0a162938c91922230ee3fe9ed9a166a790ccf450b80cb5f483c3c6ae5b2e52e907824b45e69e5ab38226cbd6519de995e1a62a910fd45ed189540e0b4058ff01edbc6ba4eebd58d55c0e33702de299eb53d6518254b8471f282779533eaaef90602e52373be8b519c56a2f6fac0953c0f84135715c5674e45d15804fb94d9e0525ab493aa625fbf73ebdf74f0a1246e1eb0e4e2e261b24ab81d8da6e1770634c747542450cf0a2af23507f8b6766a16dbb2e67b2c94859228b91eec6c59f5a271902b340320412ae947398ad102073f8b9b8c021f81f786622c3483e61f812aa76232e6f9453eae044c5e918e6e4e0e18a78efaf6cb36f7b75929d0036c44edf928d6efe1ddc87b96288c7c624655d302b98865978ed7bc779c800e6113a0484dd225aef29796c8ba300b3f48dd566fd877dfeb5d25f96da5d07e643c5d
 shared_secret: d4b9a0f77a52d4f8b9c95951257348d1931725c27eede694ecc09204a931daf7
-# Rho leads to a matrix with unusally large entries
+# Rho leads to a matrix with unusually large entries
 entropy: e8ac9e76377d67d84f85a142383e777157805be0d0f679ba89cefdfa61583780
 public_key = 038c5d80656805b427d0b9167abb3697444af88a0f3eb48bf658be44f36b01233902291860215084ec7bb3e170e517c65c623ecf4a488f69923f9045ea18334d5c8ee847381b5a8903a6233796b1def36e46d343cd3547f4a757d82c262278432bd555fb5430e7f936affb453ac1a031c70cb1b3a8f3762dbe226461501d13d10052fb621be30b8ce63ce93591979863816397f0d198a6c534b55213d778ae7bb1a20ef1809ec37b08382c43e82b4a758458d7758d23a350538b3e524d27c9074d1cc4e3e1a17a6b06fd71178c5b18803b1c439b9e903a0d63018d2f765fa7426a0684793ea789c30435657b9aed58886cb8788e14426ea0295da18293024eb1a39eb99a20619a3e2db48a93eb90dbf42b84fbcec1f0b9571946b6f150ef5a672686a30e52be2d536bf3664550f60c99a89b81f3c911784d8a371ebea0b97ff50e2af68f822a72e9a76cf473bcc1cb81fe2a03051771b1c91f1e1a444ab6119c0a83b25a434fd598bc767315881aef9cb4d4c51ceadbb3b1a1142e0b87d5826b161233ce253d2adc9a00bd00e3cc21fff09abd919b54e09ba6b505601a358e50593dfa117eb2b8d7458745a25e7c7321cda0c432aa5bb41aab60eb3dc7e03ce4017b245809a534c3dfa49e97f4474689901e814a97fc0892ca04d0c00e3dfc836b36bbf74256e77525a031160fb3bf8ac31502c049d0a264140104c7488e36a46d23a76f4535b5902677cb98a5abec57b9357b0cb3b36b68349b273a2f8396e6c8594b4a32f0aa8a622378b3ca0426f44443942c02162907b2651ac2168fd1279b040192716bb584211df4ba36cb363b8c3adc39b410977ae3cac26c21470426837a43b821f65d8ee1950c87b4765a034aba1a35579f4148b8c2f39949812cf9d850d5e25be7713ce62ba31366737c03ad45f23e9b226d1835c5ab01c081063dc193630d72821cfa2a56d16108c40ffc483177d075b6a7a1bbf5cac7da0834d755acd10b9b9850a7c97d90a1061ce94efa4b0c0707339dbc7f160a45eeec022815a4494334254c08ade388c07c34e3a07e51ea60fdeb9b20b4b9afdc6c3c2b63e872aac9b2a90b798bc2dc8d585c69c1b33c1d51372c583e835b9ed561c218a2968c044051f8a969a7b2db6a7031d20cc9e024bbaab4385a3ae13ca264c25f6c5b4170b5c0da13044664a10f335ae9045bd6319abe139bb2b8b635bb06e2f48427e256a16a0f71f119230a9acfb19f0fe07c71828063f42a844a5c703aab9a844f689944ead511d8c97127d99429fc87ede190e0fa002261494076b7a10496dbe12919f585685733ae780eab3ac168287aae3842cfb637a94483f68170f6a3092d51b82ef10496a6374572a527aa7a7d1a99315953f625842ec0bc8851180b98cbe411453027c9b8a4a07fc3bbe32b897fc09e5e65a0457556a8b28e5b7c8b28db24e5431893953c912c195ca52db5d125c3f595f2ea75a63b6c83c8cbca257824ac60ce16bb5be02b30488974a22a66d37b19531e3cf17b59bb43d738cea25326dbd6355243ceff3caae98446927351ff623260472f8c7a715016ca5480af5cecc001c6b65f41221b16bfa61863e225709775b5e6393e4b71920c0c539c6bc5ec5c609466000000000000000000000000000000000000000000000000000000
 result: pass
 ciphertext: 7c06bbeca8b58423e2ad420ec36064ed42c881e3655668f8865a2d643ecd1a4eecf915b6c64b37c98947f06c3ccc8e00bbd16017c246db88cc83f12c887aaad7db61b4d567c285841689169c3f928f1d178a0ddae50d8c46cfd95258667d6239c300595738defd2e806637ca46baa4c6c7b97f1a9b47d53cba9ffe074f88d104c4971d250d085b1800fcbd91584d8cc48e145fc81438290d74765e7ee8c1605e8048b37b9d22b050791fe008b9b84b7f23b0f49955e32c0eef78d7a3a0b2effe8b37d124e19d4cb6f6914204598a525239d9baa116e1c9c39c47f9f37f965941b2aef8519782c65f3ad3a6509d1e31e7efb67db21911e4edeb1f7e9c37b3f852c81d63a95e4775e3f2a8ff315a214680adf44d290e42ebab8ca95bf471140b9d7e03f5e9f97864289a0ae8c9a105e00409f714e413b69be366303b4a138ed51264ab0e5cca5f6dc9387c6608109e8859893efa3bc7384e9f418468b1078807dadb768e254094039d1b807d67353c8e0b5a03d28b8e41ffa0eb3ce0837a132144597908f7a059a097b79a1bac323757324e907b445d064e25c378d2069e7c5d671036871e4fe36705747635e40c6e835319e3ff81714cacc44515d671b703c5581dc76afca0b881f37c1ffc93f2e4afab1e8ac776ca883f3adf7f9ab99396f7e19541c26342a7d5618958523b81871326c357ad84ccc6d3574d97cbd875524e7b08a102263d80f318a48e510c22126568f76936c904c231700ad042d73137eec741c827a082de4a45d296745c55b8367719dd08b8295e38d8d3894b9f8e2f9b483b266e1fc71d6374353ca7d9ed1c6b73ab5a42f6abff7b2ba8fd484d1ae6928b5ea92ea3577be01dc1e88abcd0886eb771dca4d36e91c45bca4807c89736b7d6a927cf64b22c5f323077f5488f6044976f310b4b99f7d486335dcca60571157ac0e480a4dba79a826b4bac3dcb7327a33b16381eb41e1d39915e91a58750ceb71098ec7f1a2d7e44d4bab75bb7482eec277df206502c497eaa345109a145a4da6bed1900b680ad12fb028d33563bfb204ecf66e6ead587c5fe27f8a2eb0e27471925ea0f35eb9d5e53ef801eba3acaaa7790b105eb6128ace992668181c1d7cf203afdccdfefbac67dbd97cad05d499239df84e4cf7372117932c973957e5c70a8520f822be430758990296877df62069d818768513d14df0568be8e63e123bdde35036dcc69a98197f52dfbaae5e5e0cee4a48c67fdda605dad8a27651625c2b35e81dfcacd2a41a6d17f6d7067a67faf2479b3868673b248270f4a2d8ee26de9c787ce966ecf186c1401ad9d3bbf2c43b1d5de32bdd77f5433f4325427254a13985d733ab0863e62a4f3d484ab3f5d3b88f23049079143b058babffc8367cebdd9d2468d7af782979a3ef12841370da6ef2db03679e6bca0db72166c361adfbfc02234119abaf98d4fea8ddc6e8490c2fb5a1be4806a61bc7b36884cf4631cfd53138a23fdda11e597aed323748314282672473a1819ef2b9488f6744544ad
 shared_secret: c9d0cf3edb1172344364afec3615ba98477ce9316f92ca46ca5f42b73553a9f5
-# Rho leads to a matrix with unusally large entries
+# Rho leads to a matrix with unusually large entries
 entropy: 2fe6b9cf4510f212839e348d671b3345da68a477f57513ce363414e87299a717
 public_key = 7dd722a23522b0d8cb522a67d63a75af305c05f3659bc496f1c47e410582a0e58bbba80751bb2f5ab71414051627f46a78f9708e3139f8950b999378df4709a08b9b511982ab1b2cc4d51d177578ef263c8e12752f914733023d9e8068d4fc1aac34106fa72197f6b4e4bb26ab29ab64d7c848f98ef5557ec2b35edea70b67c084193921d8cb52e132a24372be7046aa2af66696007e2e0830df1c7b4396bcc8f27aca46932c463b49db0ed88882f3a45901a4b96ee3b74e78afb8dbae7bc653be895179f208c27c6ecd60c26e54152aecbc13bb5ece39840574c56fb39fd2385c76d62c59a41b3311702d5a99e366467b6c4f6c252a95db32e5096e61d1ba872924d358b346dc099a485c3df72a94e437a82a6cd778888995c473c203e091309ba42511950c19db3acbc5987259bea952b5a549839f197d7bf64ca0772cc1dc89572a0e04690fe651a79ffb3dc07388c30c06711c6b25572bbc83ba868a379d54c6439754bcd67c9b0364ab3790967a062948084ab33a80ac5971fa99830aa7d1e9263e7087af67ab6a83ab34f405dbd72b3fe46e9f2114e26cc6643b6d3adb9de63090394213e72b64ecbb2242266139579ea9cab2e51868ef82ababaac38e7ca0b9554d665365dd8b0b58f3020cc9218b866955f54d9f7b9af9634ab995a0b5e234fcc78cd1594e1cb8a845ca0cdbc82e3fbb35414c53423b76875ab267a702d51710149061e7655a0168695053aa61b990fa9439883640e7600345033ca90678925b1d632962deaa0ef5642b870610be3387eda90cf608254dc2b000c06632331680e12e9b277597d07633a31f6445318ac7b9cc1b087cb58bddd30a07ea6e1b1429950b7e7efb1a6b88b037c92cf987c904268ce39cba4bd3c163f5a8bdb9698488152a18b02bc98a83fb6c28a55a018b48979660ad5b42281b8745a4bdcb02cabd16735ab1523916adcb031e34ccbf4c50bf61bb7d562804d4104d3f6ac183f447e6608acb0bc40a34ada4897e9a91c542571877931864b612cec01c88010cbe039d42540835422f5900c944c7025ba3365543536d093a68c27abe1175bc227faa590f8fb8ca9ab1a87366574422379fd8659fe5bb5ec76e179666adebcedc7b54f1aa9388b2907a4ba5c48441ad90499c64a57768631d4a961d88976c816adb897da7715a100c75099cc122f3b1df183385673a3bbc98cbb0ccb0b090b3517993815e3f6b26b984bdda32c11947b2fa5411004c2c41f2a646036b86bba618e72be7f97ec6369af5ca2ab2dc9493d9078a0c8598841385205177c80a3be42a31d1166b02cd1dd2871148033c794242962e8645ae2e4867a3e5c74f71a1d978379ad45f7fa5c70066cbfc4cbfbe05cf23612b2dea551cc52dd90a8468ec771ff071371544e96400e288a82e9c9eefe807d6f4903ac567741abeaec9707533b38dd8c4366bb33cf86f77272478e43a2d8061293332c8d805a4516238d5ad1934a9683655674aa6b6d91610d4c82e966d74c41dfe7ac18e993c22d59b2d286a0b5272cd44988510b9b342405757a25731729e934c58c601f5c311a244a24dbcc772088a20dac4c8410167304fda18445f6c6126b9645d4042d6033419d246968848e1f5000000000000000000000000000000000000000000000000000000
 result: pass
 ciphertext: 83ea5ed982570cd981b7430de924469d4e2faba68e03261a74f5114ab8c448376cfcd1b9cb3e72bb031bf0fefe772bc40888abc6acffc1d335d46d267acde2cb89cf1b3c67a139796d6a5763805d5edcebb81070b44ffe021b6c2b3c6c3d5dfb6d9e546930223ab0139990c6c5d6257520fe394a3aa30c6a71d47f415ac86b68eb8c83b131a3c5cbf051971fef5ef3bda355d3868e71ed8a0e2c6de8a759bc0c9e760277cc2c04c783d29d1ad3d3385accb85cc88c39bc8348f84dd8c714c5feda50b0770414a333136d6678be6ccbc5df488bafdcade883fbb310c99cc648493aed72680fe1e43c0cf523d3dd06417d29dd97c98ce53089505d36a476c0ae6d89b165c3ff6b2c62ba954fb81ac5782ae648a6802bc057c64fabd3726559ba79de9c144aaa525f6a840ed55abf21b37231c6c4cbb0110fdbcd0004f6f4974ec644c33a8aea34ef4a0a146f7502650c3def5a313d2f309cb428880502d3bdf39196a99bee296f9231d87972efd1159d3cf59bea05f0d0373a0e218ee5e0528e1ac7132440980d1153b9423bb2e099d05fbc8241ec1f316bf0add575a69982f546e99c64457c12ac83951ad46a5f024f6a61c91b7d3853ba1fa41d5a95f6ca811610ba3f32addf011ea4091ef217cdd126ec5e45cc40ec6f1292602b16c02718419646370e5b2c7c55c1128fc5d6c767cc75248b79e2379d40f91a8617e8a3db43c42cabb5cd39a7a7969147f30344c4b03de7034b12d8a1c3639697c97c4483e4191ca0fa81d8659f40e31b899b4ef4610644b1314ab2ef14b8dd8dc0082826fe65dc17211572cb14fa376f1b1784a00033c8dcddc44d6a1128a200eea668b6516ba42585cbb2e2be2a42148120013d0a9378ed7c185071fa8fdc09102164c63a665fd09c08d34104c9abb64e394b2e2a00dd834f7c7f5de16f6c02906ae37acc923dd76e530c78f2143396bfc371d14e6c48bec072b6b4e18eeae967456beb3f897a06eae17de174cf09be1435e691350632c0b1eac69dd66549c1d980fb147fa295ca6f21b5dc398e63a7c4263c75b55c85b4f38fbd7cc0fad84aba90dda1f2c9ca88d88905602096162486dba1ed0a8caa6b897c99e25934152a35fd0d476de09fb211abf36565af3744f3fb737247f5d8f172fbf438ed04422a6b3e17bdfe2cb0f09a1d57f1f1a113a768697f23d61ab288f15abc760feb0f5c5d4d5c0b1c891d3dad6089a3b7e54516b8f9755d38430312cf17b21efeeecbfd2719b62480225b9b3ee8940b1f1784ed5630d152635a1233acdd16e5489a9a15eafa7bec99aff25b18d9cac1e726c9e424773a7083f213cea53dcd310b0037aecbde1d584657f32cf548a6872c6f5a1a3a70d4db29ee3773291c94b00b5a596e1691f7752e246ca0960561cd233ec7d5f54496d34ba65b359a856315f02d16c990cdf3db2051b17bf283fed1b808ac79a9ce8250c806896bf75f2cfe76465c09360aba4c9688acea341fe755363abe41c0cba3ebad00c6c7bcc3f7ce091f87079f60094b92
 shared_secret: 4bb6a6b27596869efae3d411c69c593afff99b1a703ee1f4ff3e0e7e9756e75b
-# Rho leads to a matrix with unusally large entries
+# Rho leads to a matrix with unusually large entries
 entropy: 86630b4f72820d19e9941784183b3a0d770609becd6fe0dc463cb6edac432d59
 public_key = 59b479b444b510d9b6d89b7001b237f4a34c57509f69208c7e6b956144bedc8b2d19b12c1baa725dd106f5418ed943370050808ed2636fa634add059541a7a8c7976b0990e59c20c00343d1c37bc3ab587e312991bb88a74227651b340346c58bbb174ac18c204f37445681bc5905354d834f86016d0921219fb467d829daf24901815666d664b8c4aae307485cb95885b7cb9125a14d4d988d3a42c0816ba7ef14de9b622e08871988b8c02d857626b65065551d5bcc81112384f979cd8d2b9ecb55c6afaa700e92e3ecbb285c01112a19cbdb90b8af135b235914c901e2314902a43c939d065481128f83ac801dc2fa69c912f2b69189736d72414df12646680c9c858a9afaa28b994531960b0f2b82fc6b9c6f10706930786ab5c6b0da61ae813cdb7387c27324499b111c6ca5767056070e608cf421af52cb45a842da82560dd86acf45a7e70245e0b535f7559a9fceb9369c44032c09302438cb4670925c7a831d52f083a7919e575be844d9e6a009957c15e6c5f84f050cc4801561876f9f483ded505b3c77a4a97788358801f012b59d716fed55975f8abd3464420d849d89c16dd2a95c372cf631a93a8897ddda2a038070adc2a97b5538778c0215cea399deb8279b2ade6c5ab84bbc8c6e181c091b7002a4d5f395bb60c817e03966b63ba76e88fb05b79d126ab0975c995b5bb2ae6550af78d80b96af40c9514f945d72b0c9602412242c81b60b2df97999fbbaec0404056195879535041231803aa7cf064b5fdfc8b86344d65eb30e52cc0d5b86947b8051ea93008d789914493b58abbd5395b657560f5823c387574db554118d06b26ba14b9660b4b390f8b828ba8a852870cba24a114a68094cf0168b721af8f0998e599b5db2135a3e9360b5754dd49155eea830f0035c2c116dbc9039cf69034c505ed998f8460a170eb5f09786d902664c8135ad77101d0b802248b6f3165a847b5c989131d7ee3135cbcb48b3cabfd100074c00f2e7bc85d4c84bec8980a6920e6f318a4bc805900b548fc7d98316c1b3c3b49f6c5d90595ff7a7b56465385620544aa3f39114e53581e851849726023d953b5df56b87be98854b253a39297f060449fc1c02725c3442a4ed8624f7f6abf3854cf04166b24c3b5a38358bae933ee4777df09720415314b152efc0b175b664c0c0a3521cac1817314d1e69fe03b351fe211c4c44639622a73a4547ef52d46b033aa52a79182baf49a8808fb259c048a04cc03f8a1038e9112eb30965c797f90c277b3549df4f757526351bd1a100767b4bcfa7489c17cb181b707986b9af85e766aa1f99b08aa2a7bc8a385d294277cb00d705b4ce2583e61c16be2b18445d051d7f0cee51703db3162bdd328cf0b0b24a424bd830c6574091088ab746a291c737e8cd595d1b51f9646c7813a8991f89c168489d1a3b61a82466d98ac9de55b4d5aa020243e638328fedbc93d341e1fdc7eb861bba3783a57c86a7184aaa7d5051b7018f3f18b40b69fd7780ae9609194db70123801729c561e973dff3a7ea5ba9045b24e5fe5bc63ea858c687184a8276612c80ab600cc37699583b9ffa8c5a1b7934f3c12873522dd1c4f976b73121bb79766803d247de1dff18807000000000000000000000000000000000000000000000000000000
 result: pass
diff --git a/src/regress/lib/libcrypto/mlkem/mlkem_iteration_tests.c b/src/regress/lib/libcrypto/mlkem/mlkem_iteration_tests.c
index 5a61248090..d6451fafb8 100644
--- a/src/regress/lib/libcrypto/mlkem/mlkem_iteration_tests.c
+++ b/src/regress/lib/libcrypto/mlkem/mlkem_iteration_tests.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mlkem_iteration_tests.c,v 1.2 2024/12/26 07:26:45 tb Exp $ */
+/*      $OpenBSD: mlkem_iteration_tests.c,v 1.9 2026/01/01 12:47:52 tb Exp $ */
 /*
 * Copyright (c) 2024 Google Inc.
 * Copyright (c) 2024 Bob Beck <beck@obtuse.com>
@@ -22,7 +22,7 @@
 #include <stdio.h>
 #include <stdlib.h>
-#include "mlkem.h"
+#include <openssl/mlkem.h>
 #include "mlkem_internal.h"
 #include "mlkem_tests_util.h"
@@ -63,46 +63,49 @@ const uint8_t kExpectedAdam1024[32] = {
        0x04, 0xab, 0xdb, 0x94, 0x8b, 0x90, 0x8b, 0x75, 0xba, 0xd5
 };
-struct iteration_ctx {
-        uint8_t *encoded_public_key;
-        size_t encoded_public_key_len;
-        uint8_t *ciphertext;
-        size_t ciphertext_len;
-        uint8_t *invalid_ciphertext;
-        size_t invalid_ciphertext_len;
-        void *priv;
-        void *pub;
-        mlkem_encode_private_key_fn encode_private_key;
-        mlkem_encap_external_entropy_fn encap_external_entropy;
-        mlkem_generate_key_external_entropy_fn generate_key_external_entropy;
-        mlkem_public_from_private_fn public_from_private;
-        mlkem_decap_fn decap;
-        const uint8_t *start;
-        size_t start_len;
-        const uint8_t *expected;
-        size_t expected_len;
-};
 static int
-MlkemIterativeTest(struct iteration_ctx *ctx)
+MlkemIterativeTest(int rank)
 {
-        uint8_t shared_secret[MLKEM_SHARED_SECRET_BYTES];
+        const uint8_t *start, *expected;
+        size_t start_len;
        uint8_t encap_entropy[MLKEM_ENCAP_ENTROPY];
-        uint8_t seed[MLKEM_SEED_BYTES] = {0};
+        uint8_t seed[MLKEM_SEED_LENGTH] = {0};
+        uint8_t *shared_secret = NULL;
        sha3_ctx drng, results;
        uint8_t out[32];
        int i;
+        start = kExpectedSeedStart;
+        start_len = sizeof(kExpectedSeedStart);
+        switch(rank){
+        case MLKEM768_RANK:
+                expected = kExpectedAdam768;
+                break;
+        case MLKEM1024_RANK:
+                expected = kExpectedAdam1024;
+                break;
+        default:
+                errx(1, "invalid rank %d", rank);
+        }
        shake128_init(&drng);
        shake128_init(&results);
        shake_xof(&drng);
        for (i = 0; i < 10000; i++) {
-                uint8_t *encoded_private_key = NULL;
+                uint8_t *encoded_public_key = NULL, *ciphertext = NULL,
-                size_t encoded_private_key_len;
+                    *encoded_private_key = NULL, *invalid_ciphertext = NULL;
+                size_t encoded_public_key_len, ciphertext_len,
+                    encoded_private_key_len, invalid_ciphertext_len;
+                MLKEM_private_key *priv;
+                MLKEM_public_key *pub;
+                size_t s_len = 0;
+                /* allocate keys for this iteration */
+                if ((priv = MLKEM_private_key_new(rank)) == NULL)
+                        errx(1, "malloc");
+                if ((pub = MLKEM_public_key_new(rank)) == NULL)
+                        errx(1, "malloc");
                /*
                 * This should draw both d and z from DRNG concatenating in
@@ -110,118 +113,91 @@ MlkemIterativeTest(struct iteration_ctx *ctx)
                 */
                shake_out(&drng, seed, sizeof(seed));
                if (i == 0) {
-                        if (compare_data(seed, ctx->start, ctx->start_len,
+                        if (compare_data(seed, start, start_len,
                            "seed start") != 0)
                                errx(1, "compare_data");
                }
                /* generate ek as encoded_public_key */
-                ctx->generate_key_external_entropy(ctx->encoded_public_key,
+                if (!MLKEM_generate_key_external_entropy(priv,
-                    ctx->priv, seed);
+                    &encoded_public_key, &encoded_public_key_len,
-                ctx->public_from_private(ctx->pub, ctx->priv);
+                    seed))
+                        errx(1, "generate_key_external_entropy");
+                if (!MLKEM_public_from_private(priv, pub))
+                        errx(1, "public_from_private");
                /* hash in ek */
-                shake_update(&results, ctx->encoded_public_key,
+                shake_update(&results, encoded_public_key,
-                    ctx->encoded_public_key_len);
+                    encoded_public_key_len);
                /* marshal priv to dk as encoded_private_key */
-                if (!ctx->encode_private_key(ctx->priv, &encoded_private_key,
+                if (!MLKEM_marshal_private_key(priv, &encoded_private_key,
                    &encoded_private_key_len))
-                        errx(1, "encode private key");
+                        errx(1, "marshal private key");
                /* hash in dk */
                shake_update(&results, encoded_private_key,
                    encoded_private_key_len);
-                free(encoded_private_key);
+                freezero(encoded_private_key, encoded_private_key_len);
                /* draw m as encap entropy from DRNG */
                shake_out(&drng, encap_entropy, sizeof(encap_entropy));
                /* generate ct as ciphertext, k as shared_secret */
-                ctx->encap_external_entropy(ctx->ciphertext, shared_secret,
+                if (!MLKEM_encap_external_entropy(pub, encap_entropy,
-                    ctx->pub, encap_entropy);
+                    &ciphertext, &ciphertext_len, &shared_secret, &s_len))
+                        errx(1, "encap_external_entropy");
                /* hash in ct */
-                shake_update(&results, ctx->ciphertext, ctx->ciphertext_len);
+                shake_update(&results, ciphertext, ciphertext_len);
                /* hash in k */
-                shake_update(&results, shared_secret, sizeof(shared_secret));
+                shake_update(&results, shared_secret, s_len);
+                freezero(shared_secret, s_len);
+                shared_secret = NULL;
+                invalid_ciphertext_len = ciphertext_len;
+                if ((invalid_ciphertext = calloc(1, invalid_ciphertext_len))
+                    == NULL)
+                        errx(1, "malloc");
                /* draw ct as invalid_ciphertxt from DRNG */
-                shake_out(&drng, ctx->invalid_ciphertext,
+                shake_out(&drng, invalid_ciphertext, invalid_ciphertext_len);
-                    ctx->invalid_ciphertext_len);
                /* generate k as shared secret from invalid ciphertext */
-                if (!ctx->decap(shared_secret, ctx->invalid_ciphertext,
+                if (!MLKEM_decap(priv, invalid_ciphertext,
-                    ctx->invalid_ciphertext_len, ctx->priv))
+                    invalid_ciphertext_len, &shared_secret, &s_len))
-                        errx(1, "decap failed");
+                        errx(1, "decap failed, iteration %d", i);
                /* hash in k */
-                shake_update(&results, shared_secret, sizeof(shared_secret));
+                shake_update(&results, shared_secret, s_len);
+                freezero(shared_secret, s_len);
+                shared_secret = NULL;
+                freezero(invalid_ciphertext, invalid_ciphertext_len);
+                invalid_ciphertext = NULL;
+                /* free keys and intermediate products for this iteration */
+                MLKEM_private_key_free(priv);
+                MLKEM_public_key_free(pub);
+                freezero(encoded_public_key, encoded_public_key_len);
+                freezero(ciphertext, ciphertext_len);
        }
        shake_xof(&results);
        shake_out(&results, out, sizeof(out));
-        return compare_data(ctx->expected, out, sizeof(out), "final result hash");
+        return compare_data(expected, out, sizeof(out), "final result hash");
 }
 int
 main(void)
 {
-        uint8_t encoded_public_key768[MLKEM768_PUBLIC_KEY_BYTES];
-        uint8_t ciphertext768[MLKEM768_CIPHERTEXT_BYTES];
-        uint8_t invalid_ciphertext768[MLKEM768_CIPHERTEXT_BYTES];
-        struct MLKEM768_private_key priv768;
-        struct MLKEM768_public_key pub768;
-        struct iteration_ctx iteration768 = {
-                .encoded_public_key = encoded_public_key768,
-                .encoded_public_key_len = sizeof(encoded_public_key768),
-                .ciphertext = ciphertext768,
-                .ciphertext_len = sizeof(ciphertext768),
-                .invalid_ciphertext = invalid_ciphertext768,
-                .invalid_ciphertext_len = sizeof(invalid_ciphertext768),
-                .priv = &priv768,
-                .pub = &pub768,
-                .encap_external_entropy = mlkem768_encap_external_entropy,
-                .encode_private_key = mlkem768_encode_private_key,
-                .generate_key_external_entropy =
-                    mlkem768_generate_key_external_entropy,
-                .public_from_private = mlkem768_public_from_private,
-                .decap = mlkem768_decap,
-                .start = kExpectedSeedStart,
-                .start_len = sizeof(kExpectedSeedStart),
-                .expected = kExpectedAdam768,
-                .expected_len = sizeof(kExpectedAdam768),
-        };
-        uint8_t encoded_public_key1024[MLKEM1024_PUBLIC_KEY_BYTES];
-        uint8_t ciphertext1024[MLKEM1024_CIPHERTEXT_BYTES];
-        uint8_t invalid_ciphertext1024[MLKEM1024_CIPHERTEXT_BYTES];
-        struct MLKEM1024_private_key priv1024;
-        struct MLKEM1024_public_key pub1024;
-        struct iteration_ctx iteration1024 = {
-                .encoded_public_key = encoded_public_key1024,
-                .encoded_public_key_len = sizeof(encoded_public_key1024),
-                .ciphertext = ciphertext1024,
-                .ciphertext_len = sizeof(ciphertext1024),
-                .invalid_ciphertext = invalid_ciphertext1024,
-                .invalid_ciphertext_len = sizeof(invalid_ciphertext1024),
-                .priv = &priv1024,
-                .pub = &pub1024,
-                .encap_external_entropy = mlkem1024_encap_external_entropy,
-                .encode_private_key = mlkem1024_encode_private_key,
-                .generate_key_external_entropy =
-                    mlkem1024_generate_key_external_entropy,
-                .public_from_private = mlkem1024_public_from_private,
-                .decap = mlkem1024_decap,
-                .start = kExpectedSeedStart,
-                .start_len = sizeof(kExpectedSeedStart),
-                .expected = kExpectedAdam1024,
-                .expected_len = sizeof(kExpectedAdam1024),
-        };
        int failed = 0;
-        failed |= MlkemIterativeTest(&iteration768);
+        failed |= MlkemIterativeTest(MLKEM768_RANK);
-        failed |= MlkemIterativeTest(&iteration1024);
+        failed |= MlkemIterativeTest(MLKEM1024_RANK);
        return failed;
 }
diff --git a/src/regress/lib/libcrypto/mlkem/mlkem_tests.c b/src/regress/lib/libcrypto/mlkem/mlkem_tests.c
index 2801a58890..5e8441307c 100644
--- a/src/regress/lib/libcrypto/mlkem/mlkem_tests.c
+++ b/src/regress/lib/libcrypto/mlkem/mlkem_tests.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mlkem_tests.c,v 1.2 2024/12/26 00:10:19 tb Exp $ */
+/*      $OpenBSD: mlkem_tests.c,v 1.11 2026/01/01 12:47:52 tb Exp $ */
 /*
 * Copyright (c) 2024 Google Inc.
 * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -23,12 +23,11 @@
 #include <stdlib.h>
 #include <string.h>
-#include "bytestring.h"
+#include <openssl/mlkem.h>
-#include "mlkem.h"
+#include "bytestring.h"
 #include "mlkem_internal.h"
-#include "mlkem_tests_util.h"
 #include "parse_test_file.h"
 enum test_type {
@@ -39,11 +38,7 @@ enum test_type {
 struct decap_ctx {
        struct parse *parse_ctx;
-        void *private_key;
+        int rank;
-        size_t private_key_len;
-        mlkem_parse_private_key_fn parse_private_key;
-        mlkem_decap_fn decap;
 };
 enum decap_states {
@@ -102,8 +97,10 @@ static int
 MlkemDecapFileTest(struct decap_ctx *decap)
 {
        struct parse *p = decap->parse_ctx;
-        uint8_t shared_secret_buf[MLKEM_SHARED_SECRET_BYTES];
+        MLKEM_private_key *priv_key = NULL;
        CBS ciphertext, shared_secret, private_key;
+        uint8_t *shared_secret_buf = NULL;
+        size_t shared_secret_buf_len = 0;
        int should_fail;
        int failed = 1;
@@ -112,20 +109,31 @@ MlkemDecapFileTest(struct decap_ctx *decap)
        parse_get_cbs(p, DECAP_PRIVATE_KEY, &private_key);
        parse_get_int(p, DECAP_RESULT, &should_fail);
-        if (!decap->parse_private_key(decap->private_key, &private_key)) {
+        if ((priv_key = MLKEM_private_key_new(decap->rank)) == NULL)
+                parse_errx(p, "MLKEM_private_key_new");
+        if (!MLKEM_parse_private_key(priv_key,
+            CBS_data(&private_key), CBS_len(&private_key))) {
                if ((failed = !should_fail))
                        parse_info(p, "parse private key");
                goto err;
        }
-        if (!decap->decap(shared_secret_buf,
+        if (!MLKEM_decap(priv_key, CBS_data(&ciphertext), CBS_len(&ciphertext),
-            CBS_data(&ciphertext), CBS_len(&ciphertext), decap->private_key)) {
+            &shared_secret_buf, &shared_secret_buf_len)) {
                if ((failed = !should_fail))
                        parse_info(p, "decap");
                goto err;
        }
+        if (shared_secret_buf_len != MLKEM_SHARED_SECRET_LENGTH) {
+                if ((failed = !should_fail))
+                        parse_info(p, "shared secret length %zu != %d",
+                            shared_secret_buf_len, MLKEM_SHARED_SECRET_LENGTH);
+                goto err;
+        }
        failed = !parse_data_equal(p, "shared_secret", &shared_secret,
-            shared_secret_buf, sizeof(shared_secret_buf));
+            shared_secret_buf, shared_secret_buf_len);
        if (should_fail != failed) {
                parse_info(p, "FAIL: should_fail %d, failed %d",
@@ -134,6 +142,9 @@ MlkemDecapFileTest(struct decap_ctx *decap)
        }
 err:
+        MLKEM_private_key_free(priv_key);
+        freezero(shared_secret_buf, shared_secret_buf_len);
        return failed;
 }
@@ -192,35 +203,49 @@ static int
 MlkemNistDecapFileTest(struct decap_ctx *decap)
 {
        struct parse *p = decap->parse_ctx;
-        uint8_t shared_secret[MLKEM_SHARED_SECRET_BYTES];
+        MLKEM_private_key *priv_key = NULL;
        CBS dk, c, k;
+        uint8_t *shared_secret = NULL;
+        size_t shared_secret_len = 0;
        int failed = 1;
        parse_instruction_get_cbs(p, NIST_DECAP_DK, &dk);
        parse_get_cbs(p, NIST_DECAP_C, &c);
        parse_get_cbs(p, NIST_DECAP_K, &k);
+        if ((priv_key = MLKEM_private_key_new(decap->rank)) == NULL)
+                parse_errx(p, "MLKEM_private_key_new");
        if (!parse_length_equal(p, "private key",
-            decap->private_key_len, CBS_len(&dk)))
+            MLKEM_private_key_encoded_length(priv_key), CBS_len(&dk)))
                goto err;
        if (!parse_length_equal(p, "shared secret",
-            MLKEM_SHARED_SECRET_BYTES, CBS_len(&k)))
+            MLKEM_SHARED_SECRET_LENGTH, CBS_len(&k)))
                goto err;
-        if (!decap->parse_private_key(decap->private_key, &dk)) {
+        if (!MLKEM_parse_private_key(priv_key, CBS_data(&dk), CBS_len(&dk))) {
                parse_info(p, "parse private key");
                goto err;
        }
-        if (!decap->decap(shared_secret, CBS_data(&c), CBS_len(&c),
+        if (!MLKEM_decap(priv_key, CBS_data(&c), CBS_len(&c),
-            decap->private_key)) {
+            &shared_secret, &shared_secret_len)) {
                parse_info(p, "decap");
                goto err;
        }
+        if (shared_secret_len != MLKEM_SHARED_SECRET_LENGTH) {
+                parse_info(p, "shared secret length %zu != %d",
+                    shared_secret_len, MLKEM_SHARED_SECRET_LENGTH);
+                goto err;
+        }
        failed = !parse_data_equal(p, "shared secret", &k,
-            shared_secret, MLKEM_SHARED_SECRET_BYTES);
+            shared_secret, shared_secret_len);
 err:
+        MLKEM_private_key_free(priv_key);
+        freezero(shared_secret, shared_secret_len);
        return failed;
 }
@@ -244,46 +269,24 @@ static const struct test_parse nist_decap_parse = {
 };
 static int
-mlkem_decap_tests(const char *fn, size_t size, enum test_type test_type)
+mlkem_decap_tests(const char *fn, int rank, enum test_type test_type)
 {
-        struct MLKEM768_private_key private_key768;
+        struct decap_ctx decap = {
-        struct decap_ctx decap768 = {
+                .rank = rank,
-                .private_key = &private_key768,
-                .private_key_len = MLKEM768_PRIVATE_KEY_BYTES,
-                .parse_private_key = mlkem768_parse_private_key,
-                .decap = mlkem768_decap,
        };
-        struct MLKEM1024_private_key private_key1024;
-        struct decap_ctx decap1024 = {
-                .private_key = &private_key1024,
-                .private_key_len = MLKEM1024_PRIVATE_KEY_BYTES,
-                .parse_private_key = mlkem1024_parse_private_key,
+        if (test_type == TEST_TYPE_NORMAL)
-                .decap = mlkem1024_decap,
+                return parse_test_file(fn, &decap_parse, &decap);
-        };
+        if (test_type == TEST_TYPE_NIST)
+                return parse_test_file(fn, &nist_decap_parse, &decap);
-        if (size == 768 && test_type == TEST_TYPE_NORMAL)
-                return parse_test_file(fn, &decap_parse, &decap768);
-        if (size == 768 && test_type == TEST_TYPE_NIST)
-                return parse_test_file(fn, &nist_decap_parse, &decap768);
-        if (size == 1024 && test_type == TEST_TYPE_NORMAL)
-                return parse_test_file(fn, &decap_parse, &decap1024);
-        if (size == 1024 && test_type == TEST_TYPE_NIST)
-                return parse_test_file(fn, &nist_decap_parse, &decap1024);
-        errx(1, "unknown decap test: size %zu, type %d", size, test_type);
+        errx(1, "unknown decap test: rank %d, type %d", rank, test_type);
 }
 struct encap_ctx {
        struct parse *parse_ctx;
-        void *public_key;
+        int rank;
-        uint8_t *ciphertext;
-        size_t ciphertext_len;
-        mlkem_parse_public_key_fn parse_public_key;
-        mlkem_encap_external_entropy_fn encap_external_entropy;
 };
 enum encap_states {
@@ -349,8 +352,12 @@ static int
 MlkemEncapFileTest(struct encap_ctx *encap)
 {
        struct parse *p = encap->parse_ctx;
-        uint8_t shared_secret_buf[MLKEM_SHARED_SECRET_BYTES];
+        MLKEM_public_key *pub_key = NULL;
        CBS entropy, public_key, ciphertext, shared_secret;
+        uint8_t *ciphertext_buf = NULL;
+        size_t ciphertext_buf_len = 0;
+        uint8_t *shared_secret_buf = NULL;
+        size_t shared_secret_buf_len = 0;
        int should_fail;
        int failed = 1;
@@ -360,18 +367,34 @@ MlkemEncapFileTest(struct encap_ctx *encap)
        parse_get_cbs(p, ENCAP_SHARED_SECRET, &shared_secret);
        parse_get_int(p, ENCAP_RESULT, &should_fail);
-        if (!encap->parse_public_key(encap->public_key, &public_key)) {
+        if ((pub_key = MLKEM_public_key_new(encap->rank)) == NULL)
+                parse_errx(p, "MLKEM_public_key_new");
+        if (!MLKEM_parse_public_key(pub_key,
+            CBS_data(&public_key), CBS_len(&public_key))) {
                if ((failed = !should_fail))
                        parse_info(p, "parse public key");
                goto err;
        }
-        encap->encap_external_entropy(encap->ciphertext, shared_secret_buf,
+        if (!MLKEM_encap_external_entropy(pub_key, CBS_data(&entropy),
-            encap->public_key, CBS_data(&entropy));
+            &ciphertext_buf, &ciphertext_buf_len,
+            &shared_secret_buf, &shared_secret_buf_len)) {
+                if ((failed = !should_fail))
+                        parse_info(p, "encap_external_entropy");
+                goto err;
+        }
+        if (shared_secret_buf_len != MLKEM_SHARED_SECRET_LENGTH) {
+                if ((failed = !should_fail))
+                        parse_info(p, "shared secret length %zu != %d",
+                            shared_secret_buf_len, MLKEM_SHARED_SECRET_LENGTH);
+                goto err;
+        }
        failed = !parse_data_equal(p, "shared_secret", &shared_secret,
-            shared_secret_buf, sizeof(shared_secret_buf));
+            shared_secret_buf, shared_secret_buf_len);
        failed |= !parse_data_equal(p, "ciphertext", &ciphertext,
-            encap->ciphertext, encap->ciphertext_len);
+            ciphertext_buf, ciphertext_buf_len);
        if (should_fail != failed) {
                parse_info(p, "FAIL: should_fail %d, failed %d",
@@ -380,6 +403,10 @@ MlkemEncapFileTest(struct encap_ctx *encap)
        }
 err:
+        MLKEM_public_key_free(pub_key);
+        freezero(ciphertext_buf, ciphertext_buf_len);
+        freezero(shared_secret_buf, shared_secret_buf_len);
        return failed;
 }
@@ -400,48 +427,19 @@ static const struct test_parse encap_parse = {
 };
 static int
-mlkem_encap_tests(const char *fn, size_t size)
+mlkem_encap_tests(const char *fn, int rank)
 {
-        struct MLKEM768_public_key public_key768;
+        struct encap_ctx encap = {
-        uint8_t ciphertext768[MLKEM768_CIPHERTEXT_BYTES];
+                .rank = rank,
-        struct encap_ctx encap768 = {
-                .public_key = &public_key768,
-                .ciphertext = ciphertext768,
-                .ciphertext_len = sizeof(ciphertext768),
-                .parse_public_key = mlkem768_parse_public_key,
-                .encap_external_entropy = mlkem768_encap_external_entropy,
-        };
-        struct MLKEM1024_public_key public_key1024;
-        uint8_t ciphertext1024[MLKEM1024_CIPHERTEXT_BYTES];
-        struct encap_ctx encap1024 = {
-                .public_key = &public_key1024,
-                .ciphertext = ciphertext1024,
-                .ciphertext_len = sizeof(ciphertext1024),
-                .parse_public_key = mlkem1024_parse_public_key,
-                .encap_external_entropy = mlkem1024_encap_external_entropy,
        };
-        if (size == 768)
+        return parse_test_file(fn, &encap_parse, &encap);
-                return parse_test_file(fn, &encap_parse, &encap768);
-        if (size == 1024)
-                return parse_test_file(fn, &encap_parse, &encap1024);
-        errx(1, "unknown encap test: size %zu", size);
 }
 struct keygen_ctx {
        struct parse *parse_ctx;
-        void *private_key;
+        int rank;
-        void *encoded_public_key;
-        size_t encoded_public_key_len;
-        size_t private_key_len;
-        size_t public_key_len;
-        mlkem_generate_key_external_entropy_fn generate_key_external_entropy;
-        mlkem_encode_private_key_fn encode_private_key;
 };
 enum keygen_states {
@@ -492,27 +490,38 @@ static int
 MlkemKeygenFileTest(struct keygen_ctx *keygen)
 {
        struct parse *p = keygen->parse_ctx;
+        MLKEM_private_key *priv_key = NULL;
        CBS seed, public_key, private_key;
        uint8_t *encoded_private_key = NULL;
        size_t encoded_private_key_len = 0;
+        uint8_t *encoded_public_key = NULL;
+        size_t encoded_public_key_len = 0;
        int failed = 1;
        parse_get_cbs(p, KEYGEN_SEED, &seed);
        parse_get_cbs(p, KEYGEN_PUBLIC_KEY, &public_key);
        parse_get_cbs(p, KEYGEN_PRIVATE_KEY, &private_key);
-        if (!parse_length_equal(p, "seed", MLKEM_SEED_BYTES, CBS_len(&seed)))
+        if (!parse_length_equal(p, "seed", MLKEM_SEED_LENGTH, CBS_len(&seed)))
                goto err;
+        if ((priv_key = MLKEM_private_key_new(keygen->rank)) == NULL)
+                parse_errx(p, "MLKEM_public_key_free");
+        if (!MLKEM_generate_key_external_entropy(priv_key,
+            &encoded_public_key, &encoded_public_key_len, CBS_data(&seed))) {
+                parse_info(p, "generate_key_external_entropy");
+                goto err;
+        }
        if (!parse_length_equal(p, "public key",
-            keygen->public_key_len, CBS_len(&public_key)))
+            encoded_public_key_len, CBS_len(&public_key)))
                goto err;
        if (!parse_length_equal(p, "private key",
-            keygen->private_key_len, CBS_len(&private_key)))
+            MLKEM_private_key_encoded_length(priv_key), CBS_len(&private_key)))
                goto err;
-        keygen->generate_key_external_entropy(keygen->encoded_public_key,
+        if (!MLKEM_marshal_private_key(priv_key,
-            keygen->private_key, CBS_data(&seed));
-        if (!keygen->encode_private_key(keygen->private_key,
            &encoded_private_key, &encoded_private_key_len)) {
                parse_info(p, "encode private key");
                goto err;
@@ -521,10 +530,12 @@ MlkemKeygenFileTest(struct keygen_ctx *keygen)
        failed = !parse_data_equal(p, "private key", &private_key,
            encoded_private_key, encoded_private_key_len);
        failed |= !parse_data_equal(p, "public key", &public_key,
-            keygen->encoded_public_key, keygen->encoded_public_key_len);
+            encoded_public_key, encoded_public_key_len);
 err:
+        MLKEM_private_key_free(priv_key);
        freezero(encoded_private_key, encoded_private_key_len);
+        freezero(encoded_public_key, encoded_public_key_len);
        return failed;
 }
@@ -584,12 +595,15 @@ static int
 MlkemNistKeygenFileTest(struct keygen_ctx *keygen)
 {
        struct parse *p = keygen->parse_ctx;
+        MLKEM_private_key *priv_key = NULL;
        CBB seed_cbb;
        CBS z, d, ek, dk;
-        uint8_t seed[MLKEM_SEED_BYTES];
+        uint8_t seed[MLKEM_SEED_LENGTH];
        size_t seed_len;
        uint8_t *encoded_private_key = NULL;
        size_t encoded_private_key_len = 0;
+        uint8_t *encoded_public_key = NULL;
+        size_t encoded_public_key_len = 0;
        int failed = 1;
        parse_get_cbs(p, NIST_KEYGEN_Z, &z);
@@ -606,24 +620,33 @@ MlkemNistKeygenFileTest(struct keygen_ctx *keygen)
        if (!CBB_finish(&seed_cbb, NULL, &seed_len))
                parse_errx(p, "CBB_finish");
-        if (!parse_length_equal(p, "bogus z or d", MLKEM_SEED_BYTES, seed_len))
+        if (!parse_length_equal(p, "bogus z or d", MLKEM_SEED_LENGTH, seed_len))
                goto err;
-        keygen->generate_key_external_entropy(keygen->encoded_public_key,
+        if ((priv_key = MLKEM_private_key_new(keygen->rank)) == NULL)
-            keygen->private_key, seed);
+                parse_errx(p, "MLKEM_private_key_new");
-        if (!keygen->encode_private_key(keygen->private_key,
+        if (!MLKEM_generate_key_external_entropy(priv_key,
+            &encoded_public_key, &encoded_public_key_len, seed)) {
+                parse_info(p, "MLKEM_generate_key_external_entropy");
+                goto err;
+        }
+        if (!MLKEM_marshal_private_key(priv_key,
            &encoded_private_key, &encoded_private_key_len)) {
                parse_info(p, "encode private key");
                goto err;
        }
        failed = !parse_data_equal(p, "public key", &ek,
-            keygen->encoded_public_key, keygen->encoded_public_key_len);
+            encoded_public_key, encoded_public_key_len);
        failed |= !parse_data_equal(p, "private key", &dk,
            encoded_private_key, encoded_private_key_len);
 err:
+        MLKEM_private_key_free(priv_key);
        freezero(encoded_private_key, encoded_private_key_len);
+        freezero(encoded_public_key, encoded_public_key_len);
        return failed;
 }
@@ -645,73 +668,45 @@ static const struct test_parse nist_keygen_parse = {
 };
 static int
-mlkem_keygen_tests(const char *fn, size_t size, enum test_type test_type)
+mlkem_keygen_tests(const char *fn, int rank, enum test_type test_type)
 {
-        struct MLKEM768_private_key private_key768;
+        struct keygen_ctx keygen = {
-        uint8_t encoded_public_key768[MLKEM768_PUBLIC_KEY_BYTES];
+                .rank = rank,
-        struct keygen_ctx keygen768 = {
-                .private_key = &private_key768,
-                .encoded_public_key = encoded_public_key768,
-                .encoded_public_key_len = sizeof(encoded_public_key768),
-                .private_key_len = MLKEM768_PRIVATE_KEY_BYTES,
-                .public_key_len = MLKEM768_PUBLIC_KEY_BYTES,
-                .generate_key_external_entropy =
-                    mlkem768_generate_key_external_entropy,
-                .encode_private_key =
-                    mlkem768_encode_private_key,
-        };
-        struct MLKEM1024_private_key private_key1024;
-        uint8_t encoded_public_key1024[MLKEM1024_PUBLIC_KEY_BYTES];
-        struct keygen_ctx keygen1024 = {
-                .private_key = &private_key1024,
-                .encoded_public_key = encoded_public_key1024,
-                .encoded_public_key_len = sizeof(encoded_public_key1024),
-                .private_key_len = MLKEM1024_PRIVATE_KEY_BYTES,
-                .public_key_len = MLKEM1024_PUBLIC_KEY_BYTES,
-                .generate_key_external_entropy =
-                    mlkem1024_generate_key_external_entropy,
-                .encode_private_key =
-                    mlkem1024_encode_private_key,
        };
-        if (size == 768 && test_type == TEST_TYPE_NORMAL)
+        if (test_type == TEST_TYPE_NORMAL)
-                return parse_test_file(fn, &keygen_parse, &keygen768);
+                return parse_test_file(fn, &keygen_parse, &keygen);
-        if (size == 768 && test_type == TEST_TYPE_NIST)
+        if (test_type == TEST_TYPE_NIST)
-                return parse_test_file(fn, &nist_keygen_parse, &keygen768);
+                return parse_test_file(fn, &nist_keygen_parse, &keygen);
-        if (size == 1024 && test_type == TEST_TYPE_NORMAL)
-                return parse_test_file(fn, &keygen_parse, &keygen1024);
-        if (size == 1024 && test_type == TEST_TYPE_NIST)
-                return parse_test_file(fn, &nist_keygen_parse, &keygen1024);
-        errx(1, "unknown keygen test: size %zu, type %d", size, test_type);
+        errx(1, "unknown keygen test: rank %d, type %d", rank, test_type);
 }
 static int
 run_mlkem_test(const char *test, const char *fn)
 {
        if (strcmp(test, "mlkem768_decap_tests") == 0)
-                return mlkem_decap_tests(fn, 768, TEST_TYPE_NORMAL);
+                return mlkem_decap_tests(fn, MLKEM768_RANK, TEST_TYPE_NORMAL);
        if (strcmp(test, "mlkem768_nist_decap_tests") == 0)
-                return mlkem_decap_tests(fn, 768, TEST_TYPE_NIST);
+                return mlkem_decap_tests(fn, MLKEM768_RANK, TEST_TYPE_NIST);
        if (strcmp(test, "mlkem1024_decap_tests") == 0)
-                return mlkem_decap_tests(fn, 1024, TEST_TYPE_NORMAL);
+                return mlkem_decap_tests(fn, MLKEM1024_RANK, TEST_TYPE_NORMAL);
        if (strcmp(test, "mlkem1024_nist_decap_tests") == 0)
-                return mlkem_decap_tests(fn, 1024, TEST_TYPE_NIST);
+                return mlkem_decap_tests(fn, MLKEM1024_RANK, TEST_TYPE_NIST);
        if (strcmp(test, "mlkem768_encap_tests") == 0)
-                return mlkem_encap_tests(fn, 768);
+                return mlkem_encap_tests(fn, MLKEM768_RANK);
        if (strcmp(test, "mlkem1024_encap_tests") == 0)
-                return mlkem_encap_tests(fn, 1024);
+                return mlkem_encap_tests(fn, MLKEM1024_RANK);
        if (strcmp(test, "mlkem768_keygen_tests") == 0)
-                return mlkem_keygen_tests(fn, 768, TEST_TYPE_NORMAL);
+                return mlkem_keygen_tests(fn, MLKEM768_RANK, TEST_TYPE_NORMAL);
        if (strcmp(test, "mlkem768_nist_keygen_tests") == 0)
-                return mlkem_keygen_tests(fn, 768, TEST_TYPE_NIST);
+                return mlkem_keygen_tests(fn, MLKEM768_RANK, TEST_TYPE_NIST);
        if (strcmp(test, "mlkem1024_keygen_tests") == 0)
-                return mlkem_keygen_tests(fn, 1024, TEST_TYPE_NORMAL);
+                return mlkem_keygen_tests(fn, MLKEM1024_RANK, TEST_TYPE_NORMAL);
        if (strcmp(test, "mlkem1024_nist_keygen_tests") == 0)
-                return mlkem_keygen_tests(fn, 1024, TEST_TYPE_NIST);
+                return mlkem_keygen_tests(fn, MLKEM1024_RANK, TEST_TYPE_NIST);
        errx(1, "unknown test %s (test file %s)", test, fn);
 }
diff --git a/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.c b/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.c
index 1bb2ed3a8b..d2e0fbd7c7 100644
--- a/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.c
+++ b/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mlkem_tests_util.c,v 1.5 2024/12/26 00:04:24 tb Exp $ */
+/*      $OpenBSD: mlkem_tests_util.c,v 1.10 2025/08/15 14:47:54 tb Exp $ */
 /*
 * Copyright (c) 2024 Google Inc.
 * Copyright (c) 2024 Bob Beck <beck@obtuse.com>
@@ -22,11 +22,6 @@
 #include <stdio.h>
 #include <string.h>
-#include "bytestring.h"
-#include "mlkem.h"
-#include "mlkem_internal.h"
 #include "mlkem_tests_util.h"
 static void
@@ -59,209 +54,3 @@ compare_data(const uint8_t *want, const uint8_t *got, size_t len, const char *ms
        return 1;
 }
-int
-mlkem768_encode_private_key(const void *private_key, uint8_t **out_buf,
-    size_t *out_len)
-{
-        CBB cbb;
-        int ret = 0;
-        if (!CBB_init(&cbb, MLKEM768_PUBLIC_KEY_BYTES))
-                goto err;
-        if (!MLKEM768_marshal_private_key(&cbb, private_key))
-                goto err;
-        if (!CBB_finish(&cbb, out_buf, out_len))
-                goto err;
-        ret = 1;
- err:
-        CBB_cleanup(&cbb);
-        return ret;
-}
-int
-mlkem768_encode_public_key(const void *public_key, uint8_t **out_buf,
-    size_t *out_len)
-{
-        CBB cbb;
-        int ret = 0;
-        if (!CBB_init(&cbb, MLKEM768_PUBLIC_KEY_BYTES))
-                goto err;
-        if (!MLKEM768_marshal_public_key(&cbb, public_key))
-                goto err;
-        if (!CBB_finish(&cbb, out_buf, out_len))
-                goto err;
-        ret = 1;
- err:
-        CBB_cleanup(&cbb);
-        return ret;
-}
-int
-mlkem1024_encode_private_key(const void *private_key, uint8_t **out_buf,
-    size_t *out_len)
-{
-        CBB cbb;
-        int ret = 0;
-        if (!CBB_init(&cbb, MLKEM1024_PUBLIC_KEY_BYTES))
-                goto err;
-        if (!MLKEM1024_marshal_private_key(&cbb, private_key))
-                goto err;
-        if (!CBB_finish(&cbb, out_buf, out_len))
-                goto err;
-        ret = 1;
- err:
-        CBB_cleanup(&cbb);
-        return ret;
-}
-int
-mlkem1024_encode_public_key(const void *public_key, uint8_t **out_buf,
-    size_t *out_len)
-{
-        CBB cbb;
-        int ret = 0;
-        if (!CBB_init(&cbb, MLKEM1024_PUBLIC_KEY_BYTES))
-                goto err;
-        if (!MLKEM1024_marshal_public_key(&cbb, public_key))
-                goto err;
-        if (!CBB_finish(&cbb, out_buf, out_len))
-                goto err;
-        ret = 1;
- err:
-        CBB_cleanup(&cbb);
-        return ret;
-}
-int
-mlkem768_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const uint8_t *ciphertext, size_t ciphertext_len, const void *private_key)
-{
-        return MLKEM768_decap(out_shared_secret, ciphertext, ciphertext_len,
-            private_key);
-}
-void
-mlkem768_encap(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const void *public_key)
-{
-        MLKEM768_encap(out_ciphertext, out_shared_secret, public_key);
-}
-void
-mlkem768_encap_external_entropy(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const void *public_key, const uint8_t entropy[MLKEM_ENCAP_ENTROPY])
-{
-        MLKEM768_encap_external_entropy(out_ciphertext, out_shared_secret,
-            public_key, entropy);
-}
-void
-mlkem768_generate_key(uint8_t *out_encoded_public_key,
-    uint8_t optional_out_seed[MLKEM_SEED_BYTES], void *out_private_key)
-{
-        MLKEM768_generate_key(out_encoded_public_key, optional_out_seed,
-            out_private_key);
-}
-void
-mlkem768_generate_key_external_entropy(uint8_t *out_encoded_public_key,
-    void *out_private_key, const uint8_t entropy[MLKEM_SEED_BYTES])
-{
-        MLKEM768_generate_key_external_entropy(out_encoded_public_key,
-            out_private_key, entropy);
-}
-int
-mlkem768_parse_private_key(void *out_private_key, CBS *private_key_cbs)
-{
-        return MLKEM768_parse_private_key(out_private_key, private_key_cbs);
-}
-int
-mlkem768_parse_public_key(void *out_public_key, CBS *public_key_cbs)
-{
-        return MLKEM768_parse_public_key(out_public_key, public_key_cbs);
-}
-void
-mlkem768_public_from_private(void *out_public_key, const void *private_key)
-{
-        MLKEM768_public_from_private(out_public_key, private_key);
-}
-int
-mlkem1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const uint8_t *ciphertext, size_t ciphertext_len, const void *private_key)
-{
-        return MLKEM1024_decap(out_shared_secret, ciphertext, ciphertext_len,
-            private_key);
-}
-void
-mlkem1024_encap(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const void *public_key)
-{
-        MLKEM1024_encap(out_ciphertext, out_shared_secret, public_key);
-}
-void
-mlkem1024_encap_external_entropy(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const void *public_key, const uint8_t entropy[MLKEM_ENCAP_ENTROPY])
-{
-        MLKEM1024_encap_external_entropy(out_ciphertext, out_shared_secret,
-            public_key, entropy);
-}
-void
-mlkem1024_generate_key(uint8_t *out_encoded_public_key,
-    uint8_t optional_out_seed[MLKEM_SEED_BYTES], void *out_private_key)
-{
-        MLKEM1024_generate_key(out_encoded_public_key, optional_out_seed,
-            out_private_key);
-}
-void
-mlkem1024_generate_key_external_entropy(uint8_t *out_encoded_public_key,
-    void *out_private_key, const uint8_t entropy[MLKEM_SEED_BYTES])
-{
-        MLKEM1024_generate_key_external_entropy(out_encoded_public_key,
-            out_private_key, entropy);
-}
-int
-mlkem1024_parse_private_key(void *out_private_key, CBS *private_key_cbs)
-{
-        return MLKEM1024_parse_private_key(out_private_key, private_key_cbs);
-}
-void
-mlkem1024_public_from_private(void *out_public_key, const void *private_key)
-{
-        MLKEM1024_public_from_private(out_public_key, private_key);
-}
-int
-mlkem1024_parse_public_key(void *out_public_key, CBS *public_key_cbs)
-{
-        return MLKEM1024_parse_public_key(out_public_key, public_key_cbs);
-}
diff --git a/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.h b/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.h
index 7fbe6f76a9..514a309112 100644
--- a/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.h
+++ b/src/regress/lib/libcrypto/mlkem/mlkem_tests_util.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mlkem_tests_util.h,v 1.4 2024/12/26 00:04:24 tb Exp $ */
+/*      $OpenBSD: mlkem_tests_util.h,v 1.9 2025/08/15 14:47:54 tb Exp $ */
 /*
 * Copyright (c) 2024 Bob Beck <beck@obtuse.com>
 * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -22,68 +22,7 @@
 #include <stddef.h>
 #include <stdint.h>
-#include "bytestring.h"
-#include "mlkem.h"
-#include "mlkem_internal.h"
 int compare_data(const uint8_t *want, const uint8_t *got, size_t len,
    const char *msg);
-int mlkem768_encode_private_key(const void *priv, uint8_t **out_buf,
-    size_t *out_len);
-int mlkem768_encode_public_key(const void *pub, uint8_t **out_buf,
-    size_t *out_len);
-int mlkem1024_encode_private_key(const void *priv, uint8_t **out_buf,
-    size_t *out_len);
-int mlkem1024_encode_public_key(const void *pub, uint8_t **out_buf,
-    size_t *out_len);
-int mlkem768_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const uint8_t *ciphertext, size_t ciphertext_len, const void *priv);
-void mlkem768_encap(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], const void *pub);
-void mlkem768_encap_external_entropy(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], const void *pub,
-    const uint8_t entropy[MLKEM_ENCAP_ENTROPY]);
-void mlkem768_generate_key(uint8_t *out_encoded_public_key,
-    uint8_t optional_out_seed[MLKEM_SEED_BYTES], void *out_private_key);
-void mlkem768_generate_key_external_entropy(uint8_t *out_encoded_public_key,
-    void *out_private_key, const uint8_t entropy[MLKEM_SEED_BYTES]);
-int mlkem768_parse_private_key(void *priv, CBS *private_key_cbs);
-int mlkem768_parse_public_key(void *pub, CBS *in);
-void mlkem768_public_from_private(void *out_public_key, const void *private_key);
-int mlkem1024_decap(uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES],
-    const uint8_t *ciphertext, size_t ciphertext_len, const void *priv);
-void mlkem1024_encap(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], const void *pub);
-void mlkem1024_encap_external_entropy(uint8_t *out_ciphertext,
-    uint8_t out_shared_secret[MLKEM_SHARED_SECRET_BYTES], const void *pub,
-    const uint8_t entropy[MLKEM_ENCAP_ENTROPY]);
-void mlkem1024_generate_key(uint8_t *out_encoded_public_key,
-    uint8_t optional_out_seed[MLKEM_SEED_BYTES], void *out_private_key);
-void mlkem1024_generate_key_external_entropy(uint8_t *out_encoded_public_key,
-    void *out_private_key, const uint8_t entropy[MLKEM_SEED_BYTES]);
-int mlkem1024_parse_private_key(void *priv, CBS *private_key_cbs);
-int mlkem1024_parse_public_key(void *pub, CBS *in);
-void mlkem1024_public_from_private(void *out_public_key, const void *private_key);
-typedef int (*mlkem_encode_private_key_fn)(const void *, uint8_t **, size_t *);
-typedef int (*mlkem_encode_public_key_fn)(const void *, uint8_t **, size_t *);
-typedef int (*mlkem_decap_fn)(uint8_t [MLKEM_SHARED_SECRET_BYTES],
-    const uint8_t *, size_t, const void *);
-typedef void (*mlkem_encap_fn)(uint8_t *, uint8_t [MLKEM_SHARED_SECRET_BYTES],
-    const void *);
-typedef void (*mlkem_encap_external_entropy_fn)(uint8_t *,
-    uint8_t [MLKEM_SHARED_SECRET_BYTES], const void *,
-    const uint8_t [MLKEM_ENCAP_ENTROPY]);
-typedef void (*mlkem_generate_key_fn)(uint8_t *, uint8_t *, void *);
-typedef void (*mlkem_generate_key_external_entropy_fn)(uint8_t *, void *,
-    const uint8_t [MLKEM_SEED_BYTES]);
-typedef int (*mlkem_parse_private_key_fn)(void *, CBS *);
-typedef int (*mlkem_parse_public_key_fn)(void *, CBS *);
-typedef void (*mlkem_public_from_private_fn)(void *out_public_key,
-    const void *private_key);
 #endif /* MLKEM_TEST_UTIL_H */
diff --git a/src/regress/lib/libcrypto/mlkem/mlkem_unittest.c b/src/regress/lib/libcrypto/mlkem/mlkem_unittest.c
index 23b3d8b261..1d8149b523 100644
--- a/src/regress/lib/libcrypto/mlkem/mlkem_unittest.c
+++ b/src/regress/lib/libcrypto/mlkem/mlkem_unittest.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: mlkem_unittest.c,v 1.6 2024/12/26 12:35:25 tb Exp $ */
+/*      $OpenBSD: mlkem_unittest.c,v 1.16 2026/01/01 12:47:52 tb Exp $ */
 /*
 * Copyright (c) 2024 Google Inc.
 * Copyright (c) 2024 Bob Beck <beck@obtuse.com>
@@ -22,132 +22,201 @@
 #include <stdlib.h>
 #include <string.h>
-#include "bytestring.h"
+#include <openssl/mlkem.h>
-#include "mlkem.h"
+#include "mlkem_internal.h"
 #include "mlkem_tests_util.h"
-struct unittest_ctx {
-        void *priv;
-        void *pub;
-        void *priv2;
-        void *pub2;
-        uint8_t *encoded_public_key;
-        size_t encoded_public_key_len;
-        uint8_t *ciphertext;
-        size_t ciphertext_len;
-        mlkem_decap_fn decap;
-        mlkem_encap_fn encap;
-        mlkem_generate_key_fn generate_key;
-        mlkem_parse_private_key_fn parse_private_key;
-        mlkem_parse_public_key_fn parse_public_key;
-        mlkem_encode_private_key_fn encode_private_key;
-        mlkem_encode_public_key_fn encode_public_key;
-        mlkem_public_from_private_fn public_from_private;
-};
 static int
-MlKemUnitTest(struct unittest_ctx *ctx)
+MlKemUnitTest(int rank)
 {
-        uint8_t shared_secret1[MLKEM_SHARED_SECRET_BYTES];
+        MLKEM_private_key *priv = NULL, *priv2 = NULL, *priv3 = NULL;
-        uint8_t shared_secret2[MLKEM_SHARED_SECRET_BYTES];
+        MLKEM_public_key *pub = NULL, *pub2 = NULL, *pub3 = NULL;
+        uint8_t *encoded_public_key = NULL, *ciphertext = NULL,
+            *shared_secret2 = NULL, *shared_secret1 = NULL,
+            *encoded_private_key = NULL, *tmp_buf = NULL, *seed_buf = NULL;
+        size_t encoded_public_key_len, ciphertext_len,
+            encoded_private_key_len, tmp_buf_len;
        uint8_t first_two_bytes[2];
-        uint8_t *encoded_private_key = NULL, *tmp_buf = NULL;
+        size_t s_len = 0;
-        size_t encoded_private_key_len, tmp_buf_len;
-        CBS cbs;
        int failed = 0;
-        ctx->generate_key(ctx->encoded_public_key, NULL, ctx->priv);
+        if ((pub = MLKEM_public_key_new(rank)) == NULL) {
+                warnx("public_key_new");
+                failed |= 1;
+        }
+        if ((pub2 = MLKEM_public_key_new(rank)) == NULL) {
+                warnx("public_key_new");
+                failed |= 1;
+        }
+        if ((priv = MLKEM_private_key_new(rank)) == NULL) {
+                warnx("private_key_new");
+                failed |= 1;
+        }
+        if ((priv2 = MLKEM_private_key_new(rank)) == NULL) {
+                warnx("private_key_new");
+                failed |= 1;
+        }
+        if (!MLKEM_generate_key(priv, &encoded_public_key,
+            &encoded_public_key_len, &seed_buf, &s_len)) {
+                warnx("generate_key failed");
+                failed |= 1;
+        }
+        if (s_len != MLKEM_SEED_LENGTH) {
+                warnx("seed length %zu != %d", s_len, MLKEM_SEED_LENGTH);
+                failed |= 1;
+        }
+        if ((priv3 = MLKEM_private_key_new(rank)) == NULL) {
+                warnx("private_key_new");
+                failed |= 1;
+        }
+        if ((pub3 = MLKEM_public_key_new(rank)) == NULL) {
+                warnx("public_key_new");
+                failed |= 1;
+        }
-        memcpy(first_two_bytes, ctx->encoded_public_key, sizeof(first_two_bytes));
+        if (!MLKEM_private_key_from_seed(priv3, seed_buf, s_len)) {
-        memset(ctx->encoded_public_key, 0xff, sizeof(first_two_bytes));
+                warnx("private_key_from_seed failed");
+                failed |= 1;
+        }
+        free(seed_buf);
+        seed_buf = NULL;
-        CBS_init(&cbs, ctx->encoded_public_key, ctx->encoded_public_key_len);
+        if (!MLKEM_public_from_private(priv3, pub3)) {
+                warnx("public_from_private");
+                failed |= 1;
+        }
+        memcpy(first_two_bytes, encoded_public_key, sizeof(first_two_bytes));
+        memset(encoded_public_key, 0xff, sizeof(first_two_bytes));
        /* Parsing should fail because the first coefficient is >= kPrime. */
-        if (ctx->parse_public_key(ctx->pub, &cbs)) {
+        if (MLKEM_parse_public_key(pub, encoded_public_key,
+            encoded_public_key_len)) {
                warnx("parse_public_key should have failed");
                failed |= 1;
        }
-        memcpy(ctx->encoded_public_key, first_two_bytes, sizeof(first_two_bytes));
+        memcpy(encoded_public_key, first_two_bytes, sizeof(first_two_bytes));
-        CBS_init(&cbs, ctx->encoded_public_key, ctx->encoded_public_key_len);
-        if (!ctx->parse_public_key(ctx->pub, &cbs)) {
+        MLKEM_public_key_free(pub);
-                warnx("MLKEM768_parse_public_key");
+        if ((pub = MLKEM_public_key_new(rank)) == NULL) {
+                warnx("public_key_new");
+                failed |= 1;
+        }
+        if (!MLKEM_parse_public_key(pub, encoded_public_key,
+            encoded_public_key_len)) {
+                warnx("MLKEM_parse_public_key");
                failed |= 1;
        }
-        if (CBS_len(&cbs) != 0u) {
+        if (!MLKEM_marshal_public_key(pub, &tmp_buf, &tmp_buf_len)) {
-                warnx("CBS_len must be 0");
+                warnx("marshal_public_key");
+                failed |= 1;
+        }
+        if (encoded_public_key_len != tmp_buf_len) {
+                warnx("encoded public key lengths differ %d != %d",
+                    (int) encoded_public_key_len, (int) tmp_buf_len);
                failed |= 1;
        }
-        if (!ctx->encode_public_key(ctx->pub, &tmp_buf, &tmp_buf_len)) {
+        if (compare_data(encoded_public_key, tmp_buf, tmp_buf_len,
-                warnx("encode_public_key");
+            "encoded public keys") != 0) {
+                warnx("compare_data");
                failed |= 1;
        }
-        if (ctx->encoded_public_key_len != tmp_buf_len) {
+        free(tmp_buf);
-                warnx("encoded public key lengths differ");
+        tmp_buf = NULL;
+        tmp_buf_len = 0;
+        if (!MLKEM_marshal_public_key(pub3, &tmp_buf, &tmp_buf_len)) {
+                warnx("marshal_public_key");
+                failed |= 1;
+        }
+        if (encoded_public_key_len != tmp_buf_len) {
+                warnx("encoded public key lengths differ %d != %d",
+                    (int) encoded_public_key_len, (int) tmp_buf_len);
                failed |= 1;
        }
-        if (compare_data(ctx->encoded_public_key, tmp_buf, tmp_buf_len,
+        if (compare_data(encoded_public_key, tmp_buf, tmp_buf_len,
            "encoded public keys") != 0) {
                warnx("compare_data");
                failed |= 1;
        }
        free(tmp_buf);
        tmp_buf = NULL;
+        tmp_buf_len = 0;
-        ctx->public_from_private(ctx->pub2, ctx->priv);
+        if (!MLKEM_public_from_private(priv, pub2)) {
-        if (!ctx->encode_public_key(ctx->pub2, &tmp_buf, &tmp_buf_len)) {
+                warnx("public_from_private");
-                warnx("encode_public_key");
+                failed |= 1;
+        }
+        if (!MLKEM_marshal_public_key(pub2, &tmp_buf, &tmp_buf_len)) {
+                warnx("marshal_public_key");
                failed |= 1;
        }
-        if (ctx->encoded_public_key_len != tmp_buf_len) {
+        if (encoded_public_key_len != tmp_buf_len) {
-                warnx("encoded public key lengths differ");
+                warnx("encoded public key lengths differ %d %d",
+                    (int) encoded_public_key_len, (int) tmp_buf_len);
                failed |= 1;
        }
-        if (compare_data(ctx->encoded_public_key, tmp_buf, tmp_buf_len,
+        if (compare_data(encoded_public_key, tmp_buf, tmp_buf_len,
            "encoded public keys") != 0) {
                warnx("compare_data");
                failed |= 1;
        }
        free(tmp_buf);
        tmp_buf = NULL;
+        tmp_buf_len = 0;
-        if (!ctx->encode_private_key(ctx->priv, &encoded_private_key,
+        if (!MLKEM_marshal_private_key(priv, &encoded_private_key,
            &encoded_private_key_len)) {
-                warnx("mlkem768_encode_private_key");
+                warnx("marshal_private_key");
                failed |= 1;
        }
        memcpy(first_two_bytes, encoded_private_key, sizeof(first_two_bytes));
        memset(encoded_private_key, 0xff, sizeof(first_two_bytes));
-        CBS_init(&cbs, encoded_private_key, encoded_private_key_len);
        /*  Parsing should fail because the first coefficient is >= kPrime. */
-        if (ctx->parse_private_key(ctx->priv2, &cbs)) {
+        if (MLKEM_parse_private_key(priv2, encoded_private_key,
-                warnx("MLKEM768_parse_private_key should have failed");
+            encoded_private_key_len)) {
+                warnx("parse_private_key should have failed");
                failed |= 1;
        }
        memcpy(encoded_private_key, first_two_bytes, sizeof(first_two_bytes));
-        CBS_init(&cbs, encoded_private_key, encoded_private_key_len);
-        if (!ctx->parse_private_key(ctx->priv2, &cbs)) {
+        MLKEM_private_key_free(priv2);
-                warnx("MLKEM768_parse_private_key");
+        priv2 = NULL;
+        if ((priv2 = MLKEM_private_key_new(rank)) == NULL) {
+                warnx("private_key_new");
+                failed |= 1;
+        }
+        if (!MLKEM_parse_private_key(priv2, encoded_private_key,
+            encoded_private_key_len)) {
+                warnx("parse_private_key");
                failed |= 1;
        }
-        if (!ctx->encode_private_key(ctx->priv2, &tmp_buf, &tmp_buf_len)) {
+        if (!MLKEM_marshal_private_key(priv2, &tmp_buf, &tmp_buf_len)) {
-                warnx("encode_private_key");
+                warnx("marshal_private_key");
                failed |= 1;
        }
        if (encoded_private_key_len != tmp_buf_len) {
-                warnx("encode private key lengths differ");
+                warnx("encoded private key lengths differ");
                failed |= 1;
        }
@@ -160,100 +229,79 @@ MlKemUnitTest(struct unittest_ctx *ctx)
        free(tmp_buf);
        tmp_buf = NULL;
-        ctx->encap(ctx->ciphertext, shared_secret1, ctx->pub);
+        if (!MLKEM_encap(pub, &ciphertext, &ciphertext_len, &shared_secret1,
-        ctx->decap(shared_secret2, ctx->ciphertext, ctx->ciphertext_len,
+            &s_len)) {
-            ctx->priv);
+                warnx("encap failed using pub");
-        if (compare_data(shared_secret1, shared_secret2, MLKEM_SHARED_SECRET_BYTES,
+                failed |= 1;
+        }
+        if (s_len != MLKEM_SHARED_SECRET_LENGTH) {
+                warnx("seed length %zu != %d", s_len,
+                    MLKEM_SHARED_SECRET_LENGTH);
+                failed |= 1;
+        }
+        if (!MLKEM_decap(priv, ciphertext, ciphertext_len,
+            &shared_secret2, &s_len)) {
+                warnx("decap() failed using priv");
+                failed |= 1;
+        }
+        if (s_len != MLKEM_SHARED_SECRET_LENGTH) {
+                warnx("seed length %zu != %d", s_len,
+                    MLKEM_SHARED_SECRET_LENGTH);
+                failed |= 1;
+        }
+        if (compare_data(shared_secret1, shared_secret2, s_len,
            "shared secrets with priv") != 0) {
                warnx("compare_data");
                failed |= 1;
        }
-        ctx->decap(shared_secret2, ctx->ciphertext, ctx->ciphertext_len,
+        free(shared_secret2);
-            ctx->priv2);
+        shared_secret2 = NULL;
-        if (compare_data(shared_secret1, shared_secret2, MLKEM_SHARED_SECRET_BYTES,
+        if (!MLKEM_decap(priv2, ciphertext, ciphertext_len,
+            &shared_secret2, &s_len)){
+                warnx("decap() failed using priv2");
+                failed |= 1;
+        }
+        if (s_len != MLKEM_SHARED_SECRET_LENGTH) {
+                warnx("seed length %zu != %d", s_len,
+                    MLKEM_SHARED_SECRET_LENGTH);
+                failed |= 1;
+        }
+        if (compare_data(shared_secret1, shared_secret2, s_len,
            "shared secrets with priv2") != 0) {
                warnx("compare_data");
                failed |= 1;
        }
+        MLKEM_public_key_free(pub);
+        MLKEM_public_key_free(pub2);
+        MLKEM_public_key_free(pub3);
+        MLKEM_private_key_free(priv);
+        MLKEM_private_key_free(priv2);
+        MLKEM_private_key_free(priv3);
+        free(encoded_public_key);
+        free(ciphertext);
        free(encoded_private_key);
+        free(shared_secret1);
+        free(shared_secret2);
        return failed;
 }
-static int
-mlkem768_unittest(void)
-{
-        struct MLKEM768_private_key mlkem768_priv, mlkem768_priv2;
-        struct MLKEM768_public_key mlkem768_pub, mlkem768_pub2;
-        uint8_t mlkem768_encoded_public_key[MLKEM768_PUBLIC_KEY_BYTES];
-        uint8_t mlkem768_ciphertext[MLKEM768_CIPHERTEXT_BYTES];
-        struct unittest_ctx mlkem768_test = {
-                .priv = &mlkem768_priv,
-                .pub = &mlkem768_pub,
-                .priv2 = &mlkem768_priv2,
-                .pub2 = &mlkem768_pub2,
-                .encoded_public_key = mlkem768_encoded_public_key,
-                .encoded_public_key_len = sizeof(mlkem768_encoded_public_key),
-                .ciphertext = mlkem768_ciphertext,
-                .ciphertext_len = sizeof(mlkem768_ciphertext),
-                .decap = mlkem768_decap,
-                .encap = mlkem768_encap,
-                .generate_key = mlkem768_generate_key,
-                .parse_private_key = mlkem768_parse_private_key,
-                .parse_public_key = mlkem768_parse_public_key,
-                .encode_private_key = mlkem768_encode_private_key,
-                .encode_public_key = mlkem768_encode_public_key,
-                .public_from_private = mlkem768_public_from_private,
-        };
-        return MlKemUnitTest(&mlkem768_test);
-}
-static int
-mlkem1024_unittest(void)
-{
-        struct MLKEM1024_private_key mlkem1024_priv, mlkem1024_priv2;
-        struct MLKEM1024_public_key mlkem1024_pub, mlkem1024_pub2;
-        uint8_t mlkem1024_encoded_public_key[MLKEM1024_PUBLIC_KEY_BYTES];
-        uint8_t mlkem1024_ciphertext[MLKEM1024_CIPHERTEXT_BYTES];
-        struct unittest_ctx mlkem1024_test = {
-                .priv = &mlkem1024_priv,
-                .pub = &mlkem1024_pub,
-                .priv2 = &mlkem1024_priv2,
-                .pub2 = &mlkem1024_pub2,
-                .encoded_public_key = mlkem1024_encoded_public_key,
-                .encoded_public_key_len = sizeof(mlkem1024_encoded_public_key),
-                .ciphertext = mlkem1024_ciphertext,
-                .ciphertext_len = sizeof(mlkem1024_ciphertext),
-                .decap = mlkem1024_decap,
-                .encap = mlkem1024_encap,
-                .generate_key = mlkem1024_generate_key,
-                .parse_private_key = mlkem1024_parse_private_key,
-                .parse_public_key = mlkem1024_parse_public_key,
-                .encode_private_key = mlkem1024_encode_private_key,
-                .encode_public_key = mlkem1024_encode_public_key,
-                .public_from_private = mlkem1024_public_from_private,
-        };
-        return MlKemUnitTest(&mlkem1024_test);
-}
 int
 main(void)
 {
        int failed = 0;
-        /*
+        failed |= MlKemUnitTest(MLKEM768_RANK);
-         * XXX - this is split into two helper functions since having a few
+        failed |= MlKemUnitTest(MLKEM1024_RANK);
-         * ML-KEM key blobs on the stack makes Emscripten's stack explode,
-         * leading to inscrutable silent failures unles ASAN is enabled.
-         * Go figure.
-         */
-        failed |= mlkem768_unittest();
-        failed |= mlkem1024_unittest();
        return failed;
 }
diff --git a/src/regress/lib/libcrypto/mlkem/parse_test_file.c b/src/regress/lib/libcrypto/mlkem/parse_test_file.c
index b68dc50431..9f3e5f3a1a 100644
--- a/src/regress/lib/libcrypto/mlkem/parse_test_file.c
+++ b/src/regress/lib/libcrypto/mlkem/parse_test_file.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: parse_test_file.c,v 1.4 2025/04/13 09:14:56 tb Exp $ */
+/*      $OpenBSD: parse_test_file.c,v 1.6 2025/06/03 10:29:37 tb Exp $ */
 /*
 * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -646,7 +646,8 @@ parse_reinit(struct parse *p)
        p->state.running_test_case = 0;
        parse_line_data_clear(p);
        tctx->finish(p->ctx);
-        tctx->init(p->ctx, p);
+        if (!tctx->init(p->ctx, p))
+                parse_errx(p, "init failed");
 }
 static int
@@ -708,7 +709,8 @@ parse_init(struct parse *p, const char *fn, const struct test_parse *tctx,
        parse_state_init(&p->state, tctx->num_states, tctx->num_instructions);
        p->tctx = tctx;
        p->ctx = ctx;
-        tctx->init(ctx, p);
+        if (!tctx->init(p->ctx, p))
+                parse_errx(p, "init failed");
 }
 static int
@@ -734,7 +736,10 @@ parse_next_line(struct parse *p)
 static void
 parse_finish(struct parse *p)
 {
+        const struct test_parse *tctx = p->tctx;
        parse_state_finish(&p->state);
+        tctx->finish(p->ctx);
        free(p->buf);
diff --git a/src/regress/lib/libcrypto/rsa/rsa_method_test.c b/src/regress/lib/libcrypto/rsa/rsa_method_test.c
index d9c1cc4f9a..9d0a4c3592 100644
--- a/src/regress/lib/libcrypto/rsa/rsa_method_test.c
+++ b/src/regress/lib/libcrypto/rsa/rsa_method_test.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: rsa_method_test.c,v 1.5 2025/01/05 18:21:36 tb Exp $ */
+/*      $OpenBSD: rsa_method_test.c,v 1.6 2025/08/26 05:07:50 tb Exp $ */
 /*
 * Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
@@ -221,7 +221,7 @@ sign_and_verify_test(void)
                errx(1, "%s: RSA_set_ex_data", __func__);
        if ((sign_verify_method = RSA_meth_dup(RSA_get_default_method())) == NULL)
-                errx(1, "%s: RSA_get_default_method", __func__);
+                errx(1, "%s: RSA_meth_dup", __func__);
        if (!RSA_meth_set0_app_data(sign_verify_method, rsa_priv))
                errx(1, "%s: RSA_meth_set0_app_data", __func__);
diff --git a/src/regress/lib/libcrypto/sha/Makefile b/src/regress/lib/libcrypto/sha/Makefile
index 6ec223116d..c6ab0398ba 100644
--- a/src/regress/lib/libcrypto/sha/Makefile
+++ b/src/regress/lib/libcrypto/sha/Makefile
@@ -1,9 +1,15 @@
-#       $OpenBSD: Makefile,v 1.5 2022/09/01 14:02:41 tb Exp $
+#       $OpenBSD: Makefile,v 1.6 2025/05/22 03:35:40 joshua Exp $
 PROG =          sha_test
 LDADD =         -lcrypto
 DPADD =         ${LIBCRYPTO}
 WARNINGS =      Yes
 CFLAGS +=       -DLIBRESSL_INTERNAL -Werror
+CFLAGS +=       -I${.CURDIR}/../test
+SRCS +=         sha_test.c
+SRCS +=         test.c
+SRCS +=         test_util.c
+.PATH: ${.CURDIR}/../test
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libcrypto/sha/sha_test.c b/src/regress/lib/libcrypto/sha/sha_test.c
index 82a0c4cceb..904924c890 100644
--- a/src/regress/lib/libcrypto/sha/sha_test.c
+++ b/src/regress/lib/libcrypto/sha/sha_test.c
@@ -1,6 +1,6 @@
-/*      $OpenBSD: sha_test.c,v 1.6 2023/07/19 15:11:42 joshua Exp $ */
+/*      $OpenBSD: sha_test.c,v 1.7 2025/05/22 03:35:40 joshua Exp $ */
 /*
- * Copyright (c) 2022, 2023 Joshua Sing <joshua@hypera.dev>
+ * Copyright (c) 2022, 2023, 2025 Joshua Sing <joshua@joshuasing.dev>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -21,6 +21,8 @@
 #include <stdint.h>
 #include <string.h>
+#include "test.h"
 struct sha_test {
        const int algorithm;
        const uint8_t in[128];
@@ -677,260 +679,240 @@ typedef unsigned char *(*sha_hash_func)(const unsigned char *, size_t,
    unsigned char *);
 static int
-sha_hash_from_algorithm(int algorithm, const char **out_label,
+sha_hash_from_algorithm(int algorithm, sha_hash_func *out_func,
-    sha_hash_func *out_func, const EVP_MD **out_md, size_t *out_len)
+    const EVP_MD **out_md)
 {
-        const char *label;
        sha_hash_func sha_func;
        const EVP_MD *md;
-        size_t len;
        switch (algorithm) {
        case NID_sha1:
-                label = SN_sha1;
                sha_func = SHA1;
                md = EVP_sha1();
-                len = SHA_DIGEST_LENGTH;
                break;
        case NID_sha224:
-                label = SN_sha224;
                sha_func = SHA224;
                md = EVP_sha224();
-                len = SHA224_DIGEST_LENGTH;
                break;
        case NID_sha256:
-                label = SN_sha256;
                sha_func = SHA256;
                md = EVP_sha256();
-                len = SHA256_DIGEST_LENGTH;
                break;
        case NID_sha384:
-                label = SN_sha384;
                sha_func = SHA384;
                md = EVP_sha384();
-                len = SHA384_DIGEST_LENGTH;
                break;
        case NID_sha512:
-                label = SN_sha512;
                sha_func = SHA512;
                md = EVP_sha512();
-                len = SHA512_DIGEST_LENGTH;
                break;
        case NID_sha3_224:
-                label = SN_sha3_224;
                sha_func = NULL;
                md = EVP_sha3_224();
-                len = 224 / 8;
                break;
        case NID_sha3_256:
-                label = SN_sha3_256;
                sha_func = NULL;
                md = EVP_sha3_256();
-                len = 256 / 8;
                break;
        case NID_sha3_384:
-                label = SN_sha3_384;
                sha_func = NULL;
                md = EVP_sha3_384();
-                len = 384 / 8;
                break;
        case NID_sha3_512:
-                label = SN_sha3_512;
                sha_func = NULL;
                md = EVP_sha3_512();
-                len = 512 / 8;
                break;
        default:
-                fprintf(stderr, "FAIL: unknown algorithm (%d)\n",
-                    algorithm);
                return 0;
        }
-        if (out_label != NULL)
-                *out_label = label;
        if (out_func != NULL)
                *out_func = sha_func;
        if (out_md != NULL)
                *out_md = md;
-        if (out_len != NULL)
-                *out_len = len;
        return 1;
 }
-static int
+static void
-sha_test(void)
+test_sha_tv(struct test *t, const void *arg)
 {
+        const struct sha_test *st = arg;
        sha_hash_func sha_func;
-        const struct sha_test *st;
        EVP_MD_CTX *hash = NULL;
        const EVP_MD *md;
        uint8_t out[EVP_MAX_MD_SIZE];
        size_t in_len, out_len;
-        size_t i;
-        const char *label;
-        int failed = 1;
        if ((hash = EVP_MD_CTX_new()) == NULL) {
-                fprintf(stderr, "FAIL: EVP_MD_CTX_new() failed\n");
+                test_errorf(t, "EVP_MD_CTX_new()");
-                goto failed;
+                goto fail;
        }
-        for (i = 0; i < N_SHA_TESTS; i++) {
+        if (!sha_hash_from_algorithm(st->algorithm, &sha_func, &md))
-                st = &sha_tests[i];
+                goto fail;
-                if (!sha_hash_from_algorithm(st->algorithm, &label, &sha_func,
-                    &md, &out_len))
-                        goto failed;
-                /* Digest */
-                if (sha_func != NULL) {
-                        memset(out, 0, sizeof(out));
-                        sha_func(st->in, st->in_len, out);
-                        if (memcmp(st->out, out, out_len) != 0) {
-                                fprintf(stderr, "FAIL (%s:%zu): mismatch\n",
-                                    label, i);
-                                goto failed;
-                        }
-                }
-                /* EVP single-shot digest */
+        out_len = EVP_MD_size(md);
-                memset(out, 0, sizeof(out));
-                if (!EVP_Digest(st->in, st->in_len, out, NULL, md, NULL)) {
-                        fprintf(stderr, "FAIL (%s:%zu): EVP_Digest failed\n",
-                            label, i);
-                        goto failed;
-                }
+        /* Digest */
+        if (sha_func != NULL) {
+                memset(out, 0, sizeof(out));
+                sha_func(st->in, st->in_len, out);
                if (memcmp(st->out, out, out_len) != 0) {
-                        fprintf(stderr,
+                        test_errorf(t, "SHA: digest output mismatch");
-                            "FAIL (%s:%zu): EVP single-shot mismatch\n",
+                        test_hexdiff(t, out, out_len, st->out);
-                            label, i);
-                        goto failed;
                }
+        }
-                /* EVP digest */
+        /* EVP single-shot digest */
-                memset(out, 0, sizeof(out));
+        memset(out, 0, sizeof(out));
-                if (!EVP_DigestInit_ex(hash, md, NULL)) {
+        if (!EVP_Digest(st->in, st->in_len, out, NULL, md, NULL)) {
-                        fprintf(stderr,
+                test_errorf(t, "EVP_Digest()");
-                            "FAIL (%s:%zu): EVP_DigestInit_ex failed\n",
+                goto fail;
-                            label, i);
+        }
-                        goto failed;
-                }
-                in_len = st->in_len / 2;
+        if (memcmp(st->out, out, out_len) != 0) {
-                if (!EVP_DigestUpdate(hash, st->in, in_len)) {
+                test_errorf(t, "EVP single-shot: output diget mismatch");
-                        fprintf(stderr,
+                test_hexdiff(t, out, out_len, st->out);
-                            "FAIL (%s:%zu): EVP_DigestUpdate first half "
+        }
-                            "failed\n", label, i);
-                        goto failed;
-                }
-                if (!EVP_DigestUpdate(hash, st->in + in_len,
+        /* EVP digest */
-                    st->in_len - in_len)) {
+        memset(out, 0, sizeof(out));
-                        fprintf(stderr,
+        if (!EVP_DigestInit_ex(hash, md, NULL)) {
-                            "FAIL (%s:%zu): EVP_DigestUpdate second half "
+                test_errorf(t, "EVP_DigestInit_ex() ");
-                            "failed\n", label, i);
+                goto fail;
-                        goto failed;
+        }
-                }
-                if (!EVP_DigestFinal_ex(hash, out, NULL)) {
+        in_len = st->in_len / 2;
-                        fprintf(stderr,
+        if (!EVP_DigestUpdate(hash, st->in, in_len)) {
-                            "FAIL (%s:%zu): EVP_DigestFinal_ex failed\n",
+                test_errorf(t, "EVP_DigestUpdate() first half");
-                            label, i);
+                goto fail;
-                        goto failed;
+        }
-                }
-                if (memcmp(st->out, out, out_len) != 0) {
+        if (!EVP_DigestUpdate(hash, st->in + in_len,
-                        fprintf(stderr, "FAIL (%s:%zu): EVP mismatch\n",
+            st->in_len - in_len)) {
-                            label, i);
+                test_errorf(t, "EVP_DigestUpdate() second half");
-                        goto failed;
+                goto fail;
-                }
        }
-        failed = 0;
+        if (!EVP_DigestFinal_ex(hash, out, NULL)) {
+                test_errorf(t, "EVP_DigestFinal_ex()");
+                goto fail;
+        }
- failed:
+        if (memcmp(st->out, out, out_len) != 0) {
+                test_errorf(t, "EVP: digest output mismatch");
+                test_hexdiff(t, out, out_len, st->out);
+        }
+ fail:
        EVP_MD_CTX_free(hash);
-        return failed;
 }
-static int
+static void
-sha_repetition_test(void)
+test_sha(struct test *t, const void *arg)
 {
-        const struct sha_repetition_test *st;
+        const struct sha_test *st;
+        size_t i;
+        char *name;
+        for (i = 0; i < N_SHA_TESTS; i++) {
+                st = &sha_tests[i];
+                if (asprintf(&name, "%s: '%s'", OBJ_nid2sn(st->algorithm), st->in) == -1) {
+                        test_errorf(t, "create test name failed");
+                        return;
+                }
+                test_run(t, name, test_sha_tv, st);
+                free(name);
+        }
+}
+static void
+test_sha_repetition_tv(struct test *t, const void *arg)
+{
+        const struct sha_repetition_test *st = arg;
        EVP_MD_CTX *hash = NULL;
        const EVP_MD *md;
        uint8_t buf[1024];
        uint8_t out[EVP_MAX_MD_SIZE];
        size_t out_len, part_len;
-        size_t i, j;
+        size_t i;
-        const char *label;
-        int failed = 1;
        if ((hash = EVP_MD_CTX_new()) == NULL) {
-                fprintf(stderr, "FAIL: EVP_MD_CTX_new() failed\n");
+                test_errorf(t, "EVP_MD_CTX_new()");
-                goto failed;
+                goto fail;
        }
-        for (i = 0; i < N_SHA_REPETITION_TESTS; i++) {
+        if (!sha_hash_from_algorithm(st->algorithm, NULL, &md))
-                st = &sha_repetition_tests[i];
+                goto fail;
-                if (!sha_hash_from_algorithm(st->algorithm, &label, NULL, &md,
-                    &out_len))
-                        goto failed;
-                /* EVP digest */
-                if (!EVP_DigestInit_ex(hash, md, NULL)) {
-                        fprintf(stderr,
-                            "FAIL (%s:%zu): EVP_DigestInit_ex failed\n",
-                            label, i);
-                        goto failed;
-                }
-                memset(buf, st->in, sizeof(buf));
+        out_len = EVP_MD_size(md);
-                for (j = 0; j < st->in_repetitions;) {
+        /* EVP digest */
-                        part_len = arc4random_uniform(sizeof(buf));
+        if (!EVP_DigestInit_ex(hash, md, NULL)) {
-                        if (part_len > st->in_repetitions - j)
+                test_errorf(t, "EVP_DigestInit_ex()");
-                                part_len = st->in_repetitions - j;
+                goto fail;
+        }
-                        if (!EVP_DigestUpdate(hash, buf, part_len)) {
+        memset(buf, st->in, sizeof(buf));
-                                fprintf(stderr,
-                                    "FAIL (%s:%zu): EVP_DigestUpdate failed\n",
-                                    label, i);
-                                goto failed;
-                        }
-                        j += part_len;
+        for (i = 0; i < st->in_repetitions;) {
-                }
+                part_len = arc4random_uniform(sizeof(buf));
+                if (part_len > st->in_repetitions - i)
+                        part_len = st->in_repetitions - i;
-                if (!EVP_DigestFinal_ex(hash, out, NULL)) {
+                if (!EVP_DigestUpdate(hash, buf, part_len)) {
-                        fprintf(stderr,
+                        test_errorf(t, "EVP_DigestUpdate()");
-                            "FAIL (%s:%zu): EVP_DigestFinal_ex failed\n",
+                        goto fail;
-                            label, i);
-                        goto failed;
                }
-                if (memcmp(st->out, out, out_len) != 0) {
+                i += part_len;
-                        fprintf(stderr, "FAIL (%s:%zu): EVP mismatch\n",
+        }
-                            label, i);
-                        goto failed;
+        if (!EVP_DigestFinal_ex(hash, out, NULL)) {
-                }
+                test_errorf(t, "EVP_DigestFinal_ex()");
+                goto fail;
        }
-        failed = 0;
+        if (memcmp(st->out, out, out_len) != 0) {
+                test_errorf(t, "EVP: digest output mismatch");
+                test_hexdiff(t, out, out_len, st->out);
+                goto fail;
+        }
- failed:
+ fail:
        EVP_MD_CTX_free(hash);
-        return failed;
+}
+static void
+test_sha_repetition(struct test *t, const void *arg)
+{
+        const struct sha_repetition_test *st;
+        size_t i;
+        char *name;
+        for (i = 0; i < N_SHA_REPETITION_TESTS; i++) {
+                st = &sha_repetition_tests[i];
+                if (asprintf(&name, "%s: '%hhu' x %zu", OBJ_nid2sn(st->algorithm),
+                    st->in, st->in_repetitions) == -1) {
+                        test_errorf(t, "create test name failed");
+                        return;
+                }
+                test_run(t, name, test_sha_repetition_tv, st);
+                free(name);
+        }
 }
 int
 main(int argc, char **argv)
 {
-        int failed = 0;
+        struct test *t = test_init();
-        failed |= sha_test();
+        test_run(t, "sha", test_sha, NULL);
-        failed |= sha_repetition_test();
+        test_run(t, "sha repetition", test_sha_repetition, NULL);
-        return failed;
+        return test_result(t);
 }
diff --git a/src/regress/lib/libcrypto/symbols/symbols.awk b/src/regress/lib/libcrypto/symbols/symbols.awk
index 8ea68b681e..253658e7a0 100644
--- a/src/regress/lib/libcrypto/symbols/symbols.awk
+++ b/src/regress/lib/libcrypto/symbols/symbols.awk
@@ -1,4 +1,4 @@
-# $OpenBSD: symbols.awk,v 1.13 2024/09/01 17:20:37 tb Exp $
+# $OpenBSD: symbols.awk,v 1.15 2025/08/22 15:52:34 tb Exp $
 # Copyright (c) 2018,2020 Theo Buehler <tb@openbsd.org>
 #
@@ -26,7 +26,7 @@ BEGIN {
        # Undefine aliases, so we don't accidentally leave them in Symbols.list.
        printf("#ifdef %s\n#undef %s\n#endif\n", $0, $0)
-        printf("static typeof(%s) *_libre_%s;\n", $0, $0);
+        printf("extern typeof(%s) *_libre_%s;\n", $0, $0);
 }
 END {
@@ -51,8 +51,12 @@ END {
        printf("\t\};\n\n")
-        printf("\tfor (i = 0; i < sizeof(symbols) / sizeof(symbols[0]); i++)\n")
+        printf("\tfor (i = 0; i < sizeof(symbols) / sizeof(symbols[0]); i++) {\n")
        printf("\t\tfprintf(stderr, \"%%s: %%p\\n\", symbols[i].name, symbols[i].addr);\n")
+        printf("#if defined(USE_LIBRESSL_NAMESPACE)\n")
+        printf("\t\tfprintf(stderr, \"_libre_%%s: %%p\\n\", symbols[i].name, symbols[i].libre_addr);\n")
+        printf("#endif\n")
+        printf("\t}\n")
        printf("\n\tprintf(\"OK\\n\");\n")
        printf("\n\treturn 0;\n}\n")
 }
diff --git a/src/regress/lib/libcrypto/test/test.c b/src/regress/lib/libcrypto/test/test.c
new file mode 100644
index 0000000000..c99e2c6acc
--- /dev/null
+++ b/src/regress/lib/libcrypto/test/test.c
@@ -0,0 +1,226 @@
+/*      $OpenBSD: test.c,v 1.6 2025/10/07 15:41:19 tb Exp $ */
+/*
+ * Copyright (c) 2025 Joshua Sing <joshua@joshuasing.dev>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <err.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "test.h"
+struct test {
+        struct test *parent;
+        char *name;
+        FILE *out;
+        int skipped;
+        int failed;
+};
+static struct test *
+test_new(struct test *pt, const char *name)
+{
+        struct test *t;
+        if ((t = calloc(1, sizeof(*t))) == NULL)
+                err(1, "calloc");
+        if (name != NULL) {
+                if ((t->name = strdup(name)) == NULL)
+                        err(1, "strdup");
+        }
+        if (pt != NULL)
+                t->out = pt->out;
+        t->parent = pt;
+        return t;
+}
+struct test *
+test_init(void)
+{
+        struct test *t;
+        char *tmp_file;
+        int out_fd;
+        char *v;
+        t = test_new(NULL, NULL);
+        t->out = stderr;
+        if (((v = getenv("TEST_VERBOSE")) != NULL) && strcmp(v, "0") != 0)
+                return t;
+        /* Create a temporary file for logging in non-verbose mode */
+        if ((tmp_file = strdup("/tmp/libressl-test.XXXXXXXX")) == NULL)
+                err(1, "strdup");
+        if ((out_fd = mkstemp(tmp_file)) == -1)
+                err(1, "mkstemp");
+        unlink(tmp_file);
+        free(tmp_file);
+        if ((t->out = fdopen(out_fd, "w+")) == NULL)
+                err(1, "fdopen");
+        return t;
+}
+static void
+test_cleanup(struct test *t)
+{
+        free(t->name);
+        free(t);
+}
+int
+test_result(struct test *t)
+{
+        int failed = t->failed;
+        if (t->parent == NULL && t->out != stderr)
+                fclose(t->out);
+        test_cleanup(t);
+        return failed;
+}
+void
+test_fail(struct test *t)
+{
+        t->failed = 1;
+        /* Also fail parent. */
+        if (t->parent != NULL)
+                test_fail(t->parent);
+}
+static void
+test_vprintf(struct test *t, const char *fmt, va_list ap)
+{
+        if (vfprintf(t->out, fmt, ap) == -1)
+                err(1, "vfprintf");
+}
+void
+test_printf(struct test *t, const char *fmt, ...)
+{
+        va_list ap;
+        va_start(ap, fmt);
+        test_vprintf(t, fmt, ap);
+        va_end(ap);
+}
+static void
+test_vlogf_internal(struct test *t, const char *label, const char *func,
+    const char *file, int line, const char *fmt, va_list ap)
+{
+        char *msg = NULL;
+        char *l = ": ";
+        const char *filename;
+        if (label == NULL) {
+                label = "";
+                l = "";
+        }
+        if (vasprintf(&msg, fmt, ap) == -1)
+                err(1, "vasprintf");
+        if ((filename = strrchr(file, '/')) != NULL)
+                filename++;
+        else
+                filename = file;
+        test_printf(t, "%s [%s:%d]%s%s: %s\n",
+            func, filename, line, l, label, msg);
+        free(msg);
+}
+void
+test_logf_internal(struct test *t, const char *label, const char *func,
+    const char *file, int line, const char *fmt, ...)
+{
+        va_list ap;
+        va_start(ap, fmt);
+        test_vlogf_internal(t, label, func, file, line, fmt, ap);
+        va_end(ap);
+}
+void
+test_skip(struct test *t, const char *reason)
+{
+        t->skipped = 1;
+        test_printf(t, "%s\n", reason);
+}
+void
+test_skipf(struct test *t, const char *fmt, ...)
+{
+        va_list ap;
+        t->skipped = 1;
+        va_start(ap, fmt);
+        test_vprintf(t, fmt, ap);
+        if (fputc('\n', t->out) == EOF)
+                err(1, "fputc");
+        va_end(ap);
+}
+void
+test_run(struct test *pt, const char *name, test_run_func *fn, const void *arg)
+{
+        struct test *t = test_new(pt, name);
+        char *status = "PASS";
+        char buf[1024];
+        size_t buflen;
+        int ferr;
+        /* Run test */
+        test_printf(t, "=== RUN   %s\n", t->name);
+        fn(t, arg);
+        if (t->skipped)
+                status = "SKIP";
+        if (t->failed)
+                status = "FAIL";
+        test_printf(t, "--- %s: %s\n\n", status, t->name);
+        /* Print result of test */
+        if (t->failed && t->out != stderr) {
+                /* Copy logs to stderr */
+                rewind(t->out);
+                while ((buflen = fread(buf, 1, sizeof(buf), t->out)) > 0)
+                        fwrite(buf, 1, buflen, stderr);
+                if ((ferr = ferror(t->out)) != 0)
+                        errx(1, "ferror: %d", ferr);
+        }
+        if (t->out != NULL && t->out != stderr)  {
+                /* Reset output file */
+                rewind(t->out);
+                ftruncate(fileno(t->out), 0);
+        }
+        test_cleanup(t);
+}
diff --git a/src/regress/lib/libcrypto/test/test.h b/src/regress/lib/libcrypto/test/test.h
new file mode 100644
index 0000000000..5df19b9be4
--- /dev/null
+++ b/src/regress/lib/libcrypto/test/test.h
@@ -0,0 +1,137 @@
+/*      $OpenBSD: test.h,v 1.5 2025/12/25 02:40:53 tb Exp $ */
+/*
+ * Copyright (c) 2025 Joshua Sing <joshua@joshuasing.dev>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#ifndef HEADER_TEST_H
+#define HEADER_TEST_H
+#include <stddef.h>
+#include <stdint.h>
+struct test;
+/*
+ * test_init creates a new root test struct.
+ *
+ * Additional tests may be run under the root test struct by calling test_run.
+ *
+ * If the TEST_VERBOSE environment variable is set and not equal to "0", then
+ * verbose mode will be enabled and all test logs will be written to stderr.
+ */
+struct test *test_init(void);
+/*
+ * test_result cleans up after all tests have completed and returns an
+ * appropriate exit code indicating the result of the tests.
+ */
+int test_result(struct test *_t);
+/*
+ * test_run_func is an individual test function. It is passed the test struct
+ * and an arbitrary argument which may be passed when test_run is called.
+ */
+typedef void (test_run_func)(struct test *_t, const void *_arg);
+/*
+ * test_fail marks the test and its parents as failed.
+ */
+void test_fail(struct test *_t);
+/*
+ * test_printf prints a test log message. When in verbose mode, the log message
+ * will be written to stderr, otherwise it will be buffered and only written to
+ * stderr if the test fails.
+ *
+ * This printf will write directly, without any additional formatting.
+ */
+void test_printf(struct test *_t, const char *_fmt, ...)
+    __attribute__((__format__ (printf, 2, 3)))
+    __attribute__((__nonnull__ (2)));
+/*
+ * test_logf_internal prints a test log message. When in verbose mode, the
+ * log message will be written to stderr, otherwise it will be buffered and
+ * only written to stderr if the test fails.
+ *
+ * label is an optional label indicating the severity of the log.
+ * func, file and line are used to show where the log comes from and are
+ * automatically set in the test log macros.
+ *
+ * This function should never be called directly.
+ */
+void test_logf_internal(struct test *_t, const char *_label, const char *_func,
+    const char *_file, int _line, const char *_fmt, ...)
+    __attribute__((__format__ (printf, 6, 7)))
+    __attribute__((__nonnull__ (6)));
+/*
+ * test_logf prints an informational log message. When in verbose mode, the log
+ * will be written to stderr, otherwise it will be buffered and only written to
+ * stderr if the test fails.
+ */
+#define test_logf(t, fmt, ...) \
+    do { \
+        test_logf_internal(t, NULL, __func__, __FILE__, __LINE__, fmt, ##__VA_ARGS__); \
+    } while (0)
+/*
+ * test_errorf prints an error message. It will also cause the test to fail.
+ * If the test cannot proceed, it is recommended to return or goto a cleanup
+ * label.
+ *
+ * Tests should not fail-fast if continuing will provide more detailed
+ * information about what is broken.
+ */
+#define test_errorf(t, fmt, ...) \
+    do { \
+        test_logf_internal(t, "ERROR", __func__, __FILE__, __LINE__, fmt, ##__VA_ARGS__); \
+        test_fail(t); \
+    } while (0)
+/*
+ * test_skip marks the test as skipped. Once called, the test should return.
+ */
+void test_skip(struct test *_t, const char *_reason);
+/*
+ * test_skipf marks the test as skipped with a formatted reason. Once called,
+ * the test should return.
+ */
+void test_skipf(struct test *_t, const char *_fmt, ...)
+    __attribute__((__format__ (printf, 2, 3)))
+    __attribute__((__nonnull__ (2)));
+/*
+ * test_run runs a test function. It will create a new test struct with the
+ * given test as the parent. An argument may be provided to pass data to the
+ * test function, otherwise NULL should be passed.
+ *
+ * Each test should have a unique and informational name.
+ */
+void test_run(struct test *_t, const char *_name, test_run_func *_fn, const void *_arg);
+/*
+ * test_hexdump prints the given data as hexadecimal.
+ */
+void test_hexdump(struct test *_t, const unsigned char *_buf, size_t _len);
+/*
+ * test_hexdiff prints the given data as hexadecimal. If a second comparison
+ * buffer is not NULL, any differing bytes will be marked with an asterisk.
+ */
+void test_hexdiff(struct test *_t, const uint8_t *_buf, size_t _len, const uint8_t *_compare);
+#endif /* HEADER_TEST_H */
diff --git a/src/regress/lib/libcrypto/test/test_util.c b/src/regress/lib/libcrypto/test/test_util.c
new file mode 100644
index 0000000000..6ecb574788
--- /dev/null
+++ b/src/regress/lib/libcrypto/test/test_util.c
@@ -0,0 +1,51 @@
+/*      $OpenBSD: test_util.c,v 1.1 2025/05/21 08:57:13 joshua Exp $ */
+/*
+ * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
+ * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <stdio.h>
+#include <stdint.h>
+#include "test.h"
+void
+test_hexdump(struct test *t, const unsigned char *buf, size_t len)
+{
+        size_t i;
+        for (i = 1; i <= len; i++)
+                test_printf(t, " 0x%02x,%s", buf[i - 1], i % 8 ? "" : "\n");
+        if ((len % 8) != 0)
+                test_printf(t, "\n");
+}
+void
+test_hexdiff(struct test *t, const uint8_t *buf, size_t len, const uint8_t *compare)
+{
+        const char *mark = "", *newline;
+        size_t i;
+        for (i = 1; i <= len; i++) {
+                if (compare != NULL)
+                        mark = (buf[i - 1] != compare[i - 1]) ? "*" : " ";
+                newline = i % 8 ? "" : "\n";
+                test_printf(t, " %s0x%02x,%s", mark, buf[i - 1], newline);
+        }
+        if ((len % 8) != 0)
+                test_printf(t, "\n");
+}
diff --git a/src/regress/lib/libcrypto/wycheproof/Makefile b/src/regress/lib/libcrypto/wycheproof/Makefile
index f2f7910b5b..ec737822b5 100644
--- a/src/regress/lib/libcrypto/wycheproof/Makefile
+++ b/src/regress/lib/libcrypto/wycheproof/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.9 2023/07/08 19:41:07 tb Exp $
+# $OpenBSD: Makefile,v 1.11 2025/09/05 14:41:29 tb Exp $
-WYCHEPROOF_TESTVECTORS = /usr/local/share/wycheproof/testvectors/
+WYCHEPROOF_TESTVECTORS = /usr/local/share/wycheproof/testvectors_v1/
 .if !exists(${WYCHEPROOF_TESTVECTORS})
 regress:
@@ -18,11 +18,17 @@ REGRESS_TARGETS += regress-wycheproof
 CLEANFILES +=   wycheproof
 wycheproof: wycheproof.go
-        go build -o wycheproof ${.CURDIR}/wycheproof.go
+        env GOCACHE=${.OBJDIR}/go-build go build -o wycheproof ${.CURDIR}/wycheproof.go
 regress-wycheproof: wycheproof
        ./wycheproof
+REGRESS_CLEANUP =       clean-go-cache
+clean-go-cache:
+        env GOCACHE=${.OBJDIR}/go-build go clean -cache
+        rm -rf ${.OBJDIR}/go-build
 . endif
 PROGS += wycheproof-primes
diff --git a/src/regress/lib/libcrypto/wycheproof/wycheproof-json.pl b/src/regress/lib/libcrypto/wycheproof/wycheproof-json.pl
index 45c7542b59..0eea14752c 100644
--- a/src/regress/lib/libcrypto/wycheproof/wycheproof-json.pl
+++ b/src/regress/lib/libcrypto/wycheproof/wycheproof-json.pl
@@ -1,4 +1,4 @@
-# $OpenBSD: wycheproof-json.pl,v 1.2 2022/07/08 14:33:56 tb Exp $
+# $OpenBSD: wycheproof-json.pl,v 1.3 2025/09/05 14:36:03 tb Exp $
 # Copyright (c) 2022 Joel Sing <jsing@openbsd.org>
 # Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
@@ -17,7 +17,7 @@
 use JSON::PP;
-$test_vector_path = "/usr/local/share/wycheproof/testvectors";
+$test_vector_path = "/usr/local/share/wycheproof/testvectors_v1";
 open JSON, "$test_vector_path/primality_test.json" or die;
 @json = <JSON>;
diff --git a/src/regress/lib/libcrypto/wycheproof/wycheproof-primes.c b/src/regress/lib/libcrypto/wycheproof/wycheproof-primes.c
index 57bd7a53da..e54fd484f9 100644
--- a/src/regress/lib/libcrypto/wycheproof/wycheproof-primes.c
+++ b/src/regress/lib/libcrypto/wycheproof/wycheproof-primes.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: wycheproof-primes.c,v 1.2 2022/12/01 13:49:12 tb Exp $ */
+/*      $OpenBSD: wycheproof-primes.c,v 1.3 2025/09/05 14:36:03 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
 *
@@ -16,7 +16,9 @@
 */
 #include <err.h>
+#include <limits.h>
 #include <stdio.h>
+#include <string.h>
 #include <openssl/bn.h>
@@ -26,12 +28,31 @@ int
 primality_test(struct wycheproof_testcase *test)
 {
        BIGNUM *value = NULL;
+        size_t len;
        int ret;
        int failed = 1;
        if (!BN_hex2bn(&value, test->value))
                errx(1, "%d: failed to set value \"%s\"", test->id, test->value);
+        if ((len = strlen(test->value)) > INT_MAX / 4)
+                errx(1, "%d: overlong test string %zu", test->id, len);
+        if (len > 0 && test->value[0] >= '8') {
+                BIGNUM *pow2;
+                if ((pow2 = BN_new()) == NULL)
+                        errx(1, "BN_new");
+                if (!BN_set_bit(pow2, 4 * len))
+                        errx(1, "BN_set_bit");
+                if (!BN_sub(value, value, pow2))
+                        errx(1, "BN_sub");
+                BN_free(pow2);
+        }
        if ((ret = BN_is_prime_ex(value, BN_prime_checks, NULL, NULL)) < 0)
                errx(1, "%d: BN_is_prime_ex errored", test->id);
diff --git a/src/regress/lib/libcrypto/wycheproof/wycheproof.go b/src/regress/lib/libcrypto/wycheproof/wycheproof.go
index 8f0dfc8b2e..397958ac15 100644
--- a/src/regress/lib/libcrypto/wycheproof/wycheproof.go
+++ b/src/regress/lib/libcrypto/wycheproof/wycheproof.go
@@ -1,7 +1,7 @@
-/* $OpenBSD: wycheproof.go,v 1.161 2024/11/24 10:13:16 tb Exp $ */
+/* $OpenBSD: wycheproof.go,v 1.196 2026/01/01 12:47:52 tb Exp $ */
 /*
 * Copyright (c) 2018,2023 Joel Sing <jsing@openbsd.org>
- * Copyright (c) 2018,2019,2022-2024 Theo Buehler <tb@openbsd.org>
+ * Copyright (c) 2018,2019,2022-2025 Theo Buehler <tb@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -36,6 +36,7 @@ package main
 #include <openssl/evp.h>
 #include <openssl/kdf.h>
 #include <openssl/hmac.h>
+#include <openssl/mlkem.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
@@ -81,16 +82,16 @@ import (
        "fmt"
        "io/ioutil"
        "log"
+        "math/big"
        "os"
        "path/filepath"
-        "regexp"
        "runtime"
        "strings"
        "sync"
        "unsafe"
 )
-const testVectorPath = "/usr/local/share/wycheproof/testvectors"
+const testVectorPath = "/usr/local/share/wycheproof/testvectors_v1"
 type testVariant int
@@ -125,6 +126,59 @@ func wycheproofFormatTestCase(tcid int, comment string, flags []string, result s
 var testc *testCoordinator
+type BigInt struct {
+        *big.Int
+}
+func mustConvertBigIntToBigNum(bi *BigInt) *C.BIGNUM {
+        value := bi.Bytes()
+        if len(value) == 0 {
+                value = append(value, 0)
+        }
+        bn := C.BN_new()
+        if bn == nil {
+                log.Fatal("BN_new failed")
+        }
+        if C.BN_bin2bn((*C.uchar)(unsafe.Pointer(&value[0])), C.int(len(value)), bn) == nil {
+                log.Fatal("BN_bin2bn failed")
+        }
+        if bi.Sign() == -1 {
+                C.BN_set_negative(bn, C.int(1))
+        }
+        return bn
+}
+func (bi *BigInt) UnmarshalJSON(data []byte) error {
+        if len(data) < 2 || data[0] != '"' || data[len(data)-1] != '"' {
+                log.Fatalf("Failed to decode %q: too short or unquoted", data)
+        }
+        data = data[1 : len(data)-1]
+        if len(data)%2 == 1 {
+                pad := make([]byte, 1, len(data)+1)
+                if data[0] >= '0' && data[0] <= '7' {
+                        pad[0] = '0'
+                } else {
+                        pad[0] = 'f'
+                }
+                data = append(pad, data...)
+        }
+        src := make([]byte, hex.DecodedLen(len(data)))
+        _, err := hex.Decode(src, data)
+        if err != nil {
+                log.Fatalf("Failed to decode %q: %v", data, err)
+        }
+        bi.Int = &big.Int{}
+        bi.Int.SetBytes(src)
+        if data[0] >= '8' {
+                y := &big.Int{}
+                y.SetBit(y, 4*len(data), 1)
+                bi.Int.Sub(bi.Int, y)
+        }
+        return nil
+}
 type wycheproofJWKPublic struct {
        Crv string `json:"crv"`
        KID string `json:"kid"`
@@ -236,9 +290,9 @@ func (wt *wycheproofTestDSA) String() string {
 }
 type wycheproofTestGroupDSA struct {
-        Key    *wycheproofDSAKey    `json:"key"`
+        Key    *wycheproofDSAKey    `json:"publicKey"`
-        KeyDER string               `json:"keyDer"`
+        KeyDER string               `json:"publicKeyDer"`
-        KeyPEM string               `json:"keyPem"`
+        KeyPEM string               `json:"publicKeyPem"`
        SHA    string               `json:"sha"`
        Type   string               `json:"type"`
        Tests  []*wycheproofTestDSA `json:"tests"`
@@ -309,22 +363,38 @@ func (wt *wycheproofTestECDSA) String() string {
 }
 type wycheproofTestGroupECDSA struct {
-        Key    *wycheproofECDSAKey    `json:"key"`
+        Key    *wycheproofECDSAKey    `json:"publicKey"`
-        KeyDER string                 `json:"keyDer"`
+        KeyDER string                 `json:"publicKeyDer"`
-        KeyPEM string                 `json:"keyPem"`
+        KeyPEM string                 `json:"publicKeyPem"`
        SHA    string                 `json:"sha"`
        Type   string                 `json:"type"`
        Tests  []*wycheproofTestECDSA `json:"tests"`
 }
-type wycheproofTestGroupECDSAWebCrypto struct {
+type wycheproofTestEcCurve struct {
-        JWK    *wycheproofJWKPublic   `json:"jwk"`
+        TCID    int      `json:"tcId"`
-        Key    *wycheproofECDSAKey    `json:"key"`
+        Comment string   `json:"comment"`
-        KeyDER string                 `json:"keyDer"`
+        Flags   []string `json:"flags"`
-        KeyPEM string                 `json:"keyPem"`
+        Name    string   `json:"name"`
-        SHA    string                 `json:"sha"`
+        OID     string   `json:"oid"`
-        Type   string                 `json:"type"`
+        Ref     string   `json:"ref"`
-        Tests  []*wycheproofTestECDSA `json:"tests"`
+        P       *BigInt  `json:"p"`
+        N       *BigInt  `json:"n"`
+        A       *BigInt  `json:"a"`
+        B       *BigInt  `json:"b"`
+        Gx      *BigInt  `json:"gx"`
+        Gy      *BigInt  `json:"gy"`
+        H       int      `json:"h"`
+        Result  string   `json:"result"`
+}
+func (wt *wycheproofTestEcCurve) String() string {
+        return wycheproofFormatTestCase(wt.TCID, wt.Comment, wt.Flags, wt.Result)
+}
+type wycheproofTestGroupEcCurve struct {
+        Type  string                   `json:"type"`
+        Tests []*wycheproofTestEcCurve `json:"tests"`
 }
 type wycheproofJWKEdDSA struct {
@@ -357,10 +427,10 @@ func (wt *wycheproofTestEdDSA) String() string {
 }
 type wycheproofTestGroupEdDSA struct {
-        JWK    *wycheproofJWKEdDSA    `json:"jwk"`
+        JWK    *wycheproofJWKEdDSA    `json:"publicKeyJwk"`
-        Key    *wycheproofEdDSAKey    `json:"key"`
+        Key    *wycheproofEdDSAKey    `json:"publicKey"`
-        KeyDer string                 `json:"keyDer"`
+        KeyDer string                 `json:"publicKeyDer"`
-        KeyPem string                 `json:"keyPem"`
+        KeyPem string                 `json:"publicKeyPem"`
        Type   string                 `json:"type"`
        Tests  []*wycheproofTestEdDSA `json:"tests"`
 }
@@ -428,10 +498,54 @@ type wycheproofTestGroupKW struct {
        Tests   []*wycheproofTestKW `json:"tests"`
 }
+type wycheproofTestMLKEM struct {
+        TCID    int      `json:"tcId"`
+        Comment string   `json:"comment"`
+        Seed    string   `json:"seed"`
+        Ek      string   `json:"ek"`
+        Dk      string   `json:"dk"`
+        M       string   `json:"m"`
+        C       string   `json:"c"`
+        K       string   `json:"K"`
+        Result  string   `json:"result"`
+        Flags   []string `json:"flags"`
+}
+func (wt *wycheproofTestMLKEM) String() string {
+        return wycheproofFormatTestCase(wt.TCID, wt.Comment, wt.Flags, wt.Result)
+}
+type wycheproofTestGroupMLKEM struct {
+        Type         string                 `json:"type"`
+        ParameterSet string                 `json:"parameterSet"`
+        Tests        []*wycheproofTestMLKEM `json:"tests"`
+}
+type wycheproofTestPbkdf struct {
+        TCID           int      `json:"tcId"`
+        Comment        string   `json:"comment"`
+        Flags          []string `json:"string"`
+        Password       string   `json:"password"`
+        Salt           string   `json:"salt"`
+        IterationCount int      `json:"iterationCount"`
+        DkLen          int      `json:"dkLen"`
+        Dk             string   `json:"dk"`
+        Result         string   `json:"result"`
+}
+func (wt *wycheproofTestPbkdf) String() string {
+        return wycheproofFormatTestCase(wt.TCID, wt.Comment, wt.Flags, wt.Result)
+}
+type wycheproofTestGroupPbkdf2HmacSha struct {
+        Type  string                 `json:"type"`
+        Tests []*wycheproofTestPbkdf `json:"tests"`
+}
 type wycheproofTestPrimality struct {
        TCID    int      `json:"tcId"`
        Comment string   `json:"comment"`
-        Value   string   `json:"value"`
+        Value   *BigInt  `json:"value"`
        Result  string   `json:"result"`
        Flags   []string `json:"flags"`
 }
@@ -460,15 +574,31 @@ func (wt *wycheproofTestRSA) String() string {
 }
 type wycheproofTestGroupRSA struct {
-        E       string               `json:"e"`
+        PrivateKey *wycheproofRSAPrivateKey `json:"privateKey"`
-        KeyASN  string               `json:"keyAsn"`
+        PublicKey  *wycheproofRSAPublicKey  `json:"publicKey"`
-        KeyDER  string               `json:"keyDer"`
+        KeyASN     string                   `json:"keyAsn"`
-        KeyPEM  string               `json:"keyPem"`
+        KeyDER     string                   `json:"keyDer"`
-        KeySize int                  `json:"keysize"`
+        KeyPEM     string                   `json:"keyPem"`
-        N       string               `json:"n"`
+        KeySize    int                      `json:"keysize"`
-        SHA     string               `json:"sha"`
+        SHA        string                   `json:"sha"`
-        Type    string               `json:"type"`
+        Type       string                   `json:"type"`
-        Tests   []*wycheproofTestRSA `json:"tests"`
+        Tests      []*wycheproofTestRSA     `json:"tests"`
+}
+type wycheproofRSAPublicKey struct {
+        Modulus        string `json:"modulus"`
+        PublicExponent string `json:"publicExponent"`
+}
+type wycheproofRSAPrivateKey struct {
+        Modulus         string `json:"modulus"`
+        PrivateExponent string `json:"privateExponent"`
+        PublicExponent  string `json:"publicExponent"`
+        Prime1          string `json:"prime1"`
+        Prime2          string `json:"prime2"`
+        Exponent1       string `json:"exponent1"`
+        Exponent2       string `json:"exponent2"`
+        Coefficient     string `json:"coefficient"`
 }
 type wycheproofPrivateKeyJwk struct {
@@ -500,29 +630,25 @@ func (wt *wycheproofTestRsaes) String() string {
 }
 type wycheproofTestGroupRsaesOaep struct {
-        D               string                   `json:"d"`
+        Type            string                   `json:"type"`
-        E               string                   `json:"e"`
        KeySize         int                      `json:"keysize"`
+        SHA             string                   `json:"sha"`
        MGF             string                   `json:"mgf"`
        MGFSHA          string                   `json:"mgfSha"`
-        N               string                   `json:"n"`
+        PrivateKey      *wycheproofRSAPrivateKey `json:"privateKey"`
        PrivateKeyJwk   *wycheproofPrivateKeyJwk `json:"privateKeyJwk"`
        PrivateKeyPem   string                   `json:"privateKeyPem"`
        PrivateKeyPkcs8 string                   `json:"privateKeyPkcs8"`
-        SHA             string                   `json:"sha"`
-        Type            string                   `json:"type"`
        Tests           []*wycheproofTestRsaes   `json:"tests"`
 }
 type wycheproofTestGroupRsaesPkcs1 struct {
-        D               string                   `json:"d"`
+        Type            string                   `json:"type"`
-        E               string                   `json:"e"`
+        PrivateKey      *wycheproofRSAPrivateKey `json:"privateKey"`
-        KeySize         int                      `json:"keysize"`
-        N               string                   `json:"n"`
        PrivateKeyJwk   *wycheproofPrivateKeyJwk `json:"privateKeyJwk"`
        PrivateKeyPem   string                   `json:"privateKeyPem"`
        PrivateKeyPkcs8 string                   `json:"privateKeyPkcs8"`
-        Type            string                   `json:"type"`
+        KeySize         int                      `json:"keysize"`
        Tests           []*wycheproofTestRsaes   `json:"tests"`
 }
@@ -540,18 +666,18 @@ func (wt *wycheproofTestRsassa) String() string {
 }
 type wycheproofTestGroupRsassa struct {
-        E       string                  `json:"e"`
+        PrivateKey *wycheproofRSAPrivateKey `json:"privateKey"`
-        KeyASN  string                  `json:"keyAsn"`
+        PublicKey  *wycheproofRSAPublicKey  `json:"publicKey"`
-        KeyDER  string                  `json:"keyDer"`
+        KeyASN     string                   `json:"keyAsn"`
-        KeyPEM  string                  `json:"keyPem"`
+        KeyDER     string                   `json:"keyDer"`
-        KeySize int                     `json:"keysize"`
+        KeyPEM     string                   `json:"keyPem"`
-        MGF     string                  `json:"mgf"`
+        KeySize    int                      `json:"keysize"`
-        MGFSHA  string                  `json:"mgfSha"`
+        MGF        string                   `json:"mgf"`
-        N       string                  `json:"n"`
+        MGFSHA     string                   `json:"mgfSha"`
-        SLen    int                     `json:"sLen"`
+        SLen       int                      `json:"sLen"`
-        SHA     string                  `json:"sha"`
+        SHA        string                   `json:"sha"`
-        Type    string                  `json:"type"`
+        Type       string                   `json:"type"`
-        Tests   []*wycheproofTestRsassa `json:"tests"`
+        Tests      []*wycheproofTestRsassa  `json:"tests"`
 }
 type wycheproofTestX25519 struct {
@@ -578,13 +704,13 @@ type wycheproofTestGroupRunner interface {
        run(string, testVariant) bool
 }
-type wycheproofTestVectors struct {
+type wycheproofTestVectorsV1 struct {
-        Algorithm        string            `json:"algorithm"`
+        Algorithm     string            `json:"algorithm"`
-        GeneratorVersion string            `json:"generatorVersion"`
+        Schema        string            `json:"schema"`
-        Notes            map[string]string `json:"notes"`
+        NumberOfTests int               `json:"numberOfTests"`
-        NumberOfTests    int               `json:"numberOfTests"`
+        Header        []string          `json:"header"`
-        // Header
+        Notes         json.RawMessage   `json:"notes"`
-        TestGroups []json.RawMessage `json:"testGroups"`
+        TestGroups    []json.RawMessage `json:"testGroups"`
 }
 var nids = map[string]int{
@@ -641,10 +767,16 @@ func nidFromString(ns string) (int, error) {
        return -1, fmt.Errorf("unknown NID %q", ns)
 }
-func skipSmallCurve(nid int) bool {
+func skipHash(hash string) bool {
+        return hash == "SHAKE128" || hash == "SHAKE256"
+}
+func skipCurve(nid int) bool {
        switch C.int(nid) {
        case C.NID_secp160k1, C.NID_secp160r1, C.NID_secp160r2, C.NID_secp192k1, C.NID_X9_62_prime192v1:
                return true
+        case C.NID_sect283k1, C.NID_sect283r1, C.NID_sect409k1, C.NID_sect409r1, C.NID_sect571k1, C.NID_sect571r1:
+                return true
        }
        return false
 }
@@ -661,6 +793,7 @@ var evpMds = map[string]*C.EVP_MD{
        "SHA3-256":    C.EVP_sha3_256(),
        "SHA3-384":    C.EVP_sha3_384(),
        "SHA3-512":    C.EVP_sha3_512(),
+        "SM3":         C.EVP_sm3(),
 }
 func hashEvpMdFromString(hs string) (*C.EVP_MD, error) {
@@ -1266,7 +1399,7 @@ func runEvpChaCha20Poly1305Test(ctx *C.EVP_CIPHER_CTX, algorithm string, wt *wyc
                log.Fatal("Failed EVP_EncryptUpdate aad")
        }
-        sealed := make([]byte, ctLen + tagLen)
+        sealed := make([]byte, ctLen+tagLen)
        copy(sealed, msg)
        if C.EVP_EncryptUpdate(ctx, (*C.uchar)(unsafe.Pointer(&sealed[0])), (*C.int)(unsafe.Pointer(&len)), (*C.uchar)(unsafe.Pointer(&sealed[0])), (C.int)(msgLen)) != 1 {
                log.Fatal("Failed EVP_EncryptUpdate msg")
@@ -1281,7 +1414,7 @@ func runEvpChaCha20Poly1305Test(ctx *C.EVP_CIPHER_CTX, algorithm string, wt *wyc
        }
        outLen += (C.int)(tagLen)
-        if (C.int)(ctLen + tagLen) != outLen {
+        if (C.int)(ctLen+tagLen) != outLen {
                fmt.Printf("%s\n", wt)
        }
@@ -1290,7 +1423,7 @@ func runEvpChaCha20Poly1305Test(ctx *C.EVP_CIPHER_CTX, algorithm string, wt *wyc
        tagMatch := bytes.Equal(tag, sealed[ctLen:])
        if (ctMatch && tagMatch) == (wt.Result != "invalid") {
                sealSuccess = true
-        } else  {
+        } else {
                fmt.Printf("%s - ct match: %t tag match: %t\n", wt, ctMatch, tagMatch)
        }
@@ -1316,9 +1449,9 @@ func runEvpChaCha20Poly1305Test(ctx *C.EVP_CIPHER_CTX, algorithm string, wt *wyc
                ct = append(ct, 0)
        }
-        opened := make([]byte, msgLen + tagLen)
+        opened := make([]byte, msgLen+tagLen)
        copy(opened, ct)
-        if msgLen + aadLen == 0 {
+        if msgLen+aadLen == 0 {
                opened = append(opened, 0)
        }
@@ -1622,7 +1755,7 @@ func runECDHTest(nid int, variant testVariant, wt *wycheproofTestECDH) bool {
        shared, sharedLen := mustDecodeHexString(wt.Shared, "shared secret")
-        // XXX The shared fields of the secp224k1 test cases have a 0 byte preprended.
+        // XXX The shared fields of the secp224k1 test cases have a 0 byte prepended.
        if sharedLen == int(secLen)+1 && shared[0] == 0 {
                fmt.Printf("INFO: %s - prepending 0 byte.\n", wt)
                // shared = shared[1:];
@@ -1645,7 +1778,7 @@ func (wtg *wycheproofTestGroupECDH) run(algorithm string, variant testVariant) b
        if err != nil {
                log.Fatalf("Failed to get nid for curve: %v", err)
        }
-        if skipSmallCurve(nid) {
+        if skipCurve(nid) {
                return true
        }
@@ -1766,7 +1899,16 @@ func runECDSATest(ecKey *C.EC_KEY, md *C.EVP_MD, nid int, variant testVariant, w
        msg, msgLen := mustHashHexMessage(md, wt.Msg)
        var ret C.int
-        if variant == Webcrypto || variant == P1363 {
+        if variant == P1363 {
+                order_bytes := int((C.EC_GROUP_order_bits(C.EC_KEY_get0_group(ecKey)) + 7) / 8)
+                if len(wt.Sig)/2 != 2*order_bytes {
+                        if wt.Result == "valid" {
+                                fmt.Printf("FAIL: %s - incorrect signature length, %d, %d\n", wt, len(wt.Sig)/2, 2*order_bytes)
+                                return false
+                        }
+                        return true
+                }
                cDer, derLen := encodeECDSAWebCryptoSig(wt.Sig)
                if cDer == nil {
                        fmt.Print("FAIL: unable to decode signature")
@@ -1797,7 +1939,10 @@ func (wtg *wycheproofTestGroupECDSA) run(algorithm string, variant testVariant)
        if err != nil {
                log.Fatalf("Failed to get nid for curve: %v", err)
        }
-        if skipSmallCurve(nid) {
+        if skipCurve(nid) {
+                return true
+        }
+        if skipHash(wtg.SHA) {
                return true
        }
        ecKey := C.EC_KEY_new_by_curve_name(C.int(nid))
@@ -1892,55 +2037,73 @@ func encodeECDSAWebCryptoSig(wtSig string) (*C.uchar, C.int) {
        return cDer, derLen
 }
-func (wtg *wycheproofTestGroupECDSAWebCrypto) run(algorithm string, variant testVariant) bool {
+func runEcCurveTest(wt *wycheproofTestEcCurve) bool {
-        fmt.Printf("Running %v test group %v with curve %v, key size %d and %v...\n", algorithm, wtg.Type, wtg.Key.Curve, wtg.Key.KeySize, wtg.SHA)
+        oid := C.CString(wt.OID)
+        defer C.free(unsafe.Pointer(oid))
-        nid, err := nidFromString(wtg.JWK.Crv)
+        nid := C.OBJ_txt2nid(oid)
-        if err != nil {
+        if nid == C.NID_undef {
-                log.Fatalf("Failed to get nid for curve: %v", err)
+                fmt.Printf("INFO: %s: %s: unknown OID %s\n", wt, wt.Name, wt.OID)
-        }
+                return false
-        ecKey := C.EC_KEY_new_by_curve_name(C.int(nid))
-        if ecKey == nil {
-                log.Fatal("EC_KEY_new_by_curve_name failed")
        }
-        defer C.EC_KEY_free(ecKey)
-        x, err := base64.RawURLEncoding.DecodeString(wtg.JWK.X)
+        builtinGroup := C.EC_GROUP_new_by_curve_name(nid)
-        if err != nil {
+        defer C.EC_GROUP_free(builtinGroup)
-                log.Fatalf("Failed to base64 decode X: %v", err)
-        }
+        if builtinGroup == nil {
-        bnX := C.BN_bin2bn((*C.uchar)(unsafe.Pointer(&x[0])), C.int(len(x)), nil)
+                fmt.Printf("INFO: %s: %s: no builtin curve for OID %s\n", wt, wt.Name, wt.OID)
-        if bnX == nil {
+                return true
-                log.Fatal("Failed to decode X")
        }
-        defer C.BN_free(bnX)
-        y, err := base64.RawURLEncoding.DecodeString(wtg.JWK.Y)
+        p := mustConvertBigIntToBigNum(wt.P)
-        if err != nil {
+        defer C.BN_free(p)
-                log.Fatalf("Failed to base64 decode Y: %v", err)
+        a := mustConvertBigIntToBigNum(wt.A)
+        defer C.BN_free(a)
+        b := mustConvertBigIntToBigNum(wt.B)
+        defer C.BN_free(b)
+        n := mustConvertBigIntToBigNum(wt.N)
+        defer C.BN_free(n)
+        x := mustConvertBigIntToBigNum(wt.Gx)
+        defer C.BN_free(x)
+        y := mustConvertBigIntToBigNum(wt.Gy)
+        defer C.BN_free(y)
+        group := C.EC_GROUP_new_curve_GFp(p, a, b, (*C.BN_CTX)(nil))
+        defer C.EC_GROUP_free(group)
+        if group == nil {
+                log.Fatalf("EC_GROUP_new_curve_GFp failed")
        }
-        bnY := C.BN_bin2bn((*C.uchar)(unsafe.Pointer(&y[0])), C.int(len(y)), nil)
-        if bnY == nil {
+        point := C.EC_POINT_new(group)
-                log.Fatal("Failed to decode Y")
+        defer C.EC_POINT_free(point)
+        if point == nil {
+                log.Fatalf("EC_POINT_new failed")
        }
-        defer C.BN_free(bnY)
-        if C.EC_KEY_set_public_key_affine_coordinates(ecKey, bnX, bnY) != 1 {
+        if C.EC_POINT_set_affine_coordinates(group, point, x, y, (*C.BN_CTX)(nil)) == 0 {
-                log.Fatal("Failed to set EC public key")
+                log.Fatalf("EC_POINT_set_affine_coordinates failed")
        }
-        nid, err = nidFromString(wtg.SHA)
+        if C.EC_GROUP_set_generator(group, point, n, (*C.BIGNUM)(nil)) == 0 {
-        if err != nil {
+                log.Fatalf("EC_POINT_set_generator failed")
-                log.Fatalf("Failed to get MD NID: %v", err)
        }
-        md, err := hashEvpMdFromString(wtg.SHA)
-        if err != nil {
+        success := true
-                log.Fatalf("Failed to get hash: %v", err)
+        if C.EC_GROUP_cmp(group, builtinGroup, (*C.BN_CTX)(nil)) != 0 {
+                fmt.Printf("FAIL: %s %s builtin curve has wrong parameters\n", wt, wt.Name)
+                success = false
        }
+        return success
+}
+func (wtg *wycheproofTestGroupEcCurve) run(algorithm string, variant testVariant) bool {
+        fmt.Printf("Running %v test group %v...\n", algorithm, wtg.Type)
        success := true
        for _, wt := range wtg.Tests {
-                if !runECDSATest(ecKey, md, nid, Webcrypto, wt) {
+                if !runEcCurveTest(wt) {
                        success = false
                }
        }
@@ -1972,11 +2135,11 @@ func runEdDSATest(pkey *C.EVP_PKEY, wt *wycheproofTestEdDSA) bool {
 }
 func (wtg *wycheproofTestGroupEdDSA) run(algorithm string, variant testVariant) bool {
-        fmt.Printf("Running %v test group %v...\n", algorithm, wtg.Type)
+        if wtg.Key.Curve == "edwards25519" {
+                fmt.Printf("Running %v test group %v...\n", algorithm, wtg.Type)
-        if wtg.Key.Curve != "edwards25519" || wtg.Key.KeySize != 255 {
+        } else {
-                fmt.Printf("INFO: Unexpected curve or key size. want (\"edwards25519\", 255), got (%q, %d)\n", wtg.Key.Curve, wtg.Key.KeySize)
+                fmt.Printf("INFO: Skipping %v test group %v for %v...\n", algorithm, wtg.Type, wtg.Key.Curve)
-                return false
+                return true
        }
        pubKey, pubKeyLen := mustDecodeHexString(wtg.Key.Pk, "pubkey")
@@ -2110,6 +2273,10 @@ func (wtg *wycheproofTestGroupHmac) run(algorithm string, variant testVariant) b
        if strings.HasPrefix(algorithm, "HMACSHA3-") {
                prefix = "SHA"
        }
+        if algorithm == "HMACSM3" {
+                prefix = ""
+                algorithm = "SM3"
+        }
        md, err := hashEvpMdFromString(prefix + strings.TrimPrefix(algorithm, "HMACSHA"))
        if err != nil {
                log.Fatalf("Failed to get hash: %v", err)
@@ -2204,13 +2371,163 @@ func (wtg *wycheproofTestGroupKW) run(algorithm string, variant testVariant) boo
        return success
 }
-func runPrimalityTest(wt *wycheproofTestPrimality) bool {
+func runMLKEMTestGroup(rank C.int, wt *wycheproofTestMLKEM) bool {
-        var bnValue *C.BIGNUM
+        privKey := C.MLKEM_private_key_new(rank)
-        value := C.CString(wt.Value)
+        defer C.MLKEM_private_key_free(privKey)
-        if C.BN_hex2bn(&bnValue, value) == 0 {
+        if privKey == nil {
-                log.Fatal("Failed to set bnValue")
+                log.Fatal("MLKEM_private_key_new failed")
        }
-        C.free(unsafe.Pointer(value))
+        pubKey := C.MLKEM_public_key_new(rank)
+        defer C.MLKEM_public_key_free(pubKey)
+        if pubKey == nil {
+                log.Fatal("MLKEM_public_key_new failed")
+        }
+        seed, seedLen := mustDecodeHexString(wt.Seed, "seed")
+        ek, _ := mustDecodeHexString(wt.Ek, "ek")
+        if C.MLKEM_private_key_from_seed(privKey, (*C.uchar)(unsafe.Pointer(&seed[0])), C.size_t(seedLen)) != 1 {
+                fmt.Printf("%s - MLKEM_private_key_from_seed failed\n", wt)
+                return false
+        }
+        if C.MLKEM_public_from_private(privKey, pubKey) != 1 {
+                fmt.Printf("%s - MLKEM_public_from_private failed\n", wt)
+                return false
+        }
+        var marshalledPubKey *C.uchar
+        var marshalledPubKeyLen C.size_t
+        defer C.free(unsafe.Pointer(marshalledPubKey))
+        if C.MLKEM_marshal_public_key(pubKey, (**C.uchar)(unsafe.Pointer(&marshalledPubKey)), (*C.size_t)(unsafe.Pointer(&marshalledPubKeyLen))) != 1 {
+                fmt.Printf("%s - MLKEM_marshal_private_key failed\n", wt)
+                return false
+        }
+        gotEk := unsafe.Slice((*byte)(unsafe.Pointer(marshalledPubKey)), marshalledPubKeyLen)
+        if !bytes.Equal(ek, gotEk) {
+                fmt.Printf("FAIL: %s marshalledPubKey mismatch\n", wt)
+                return false
+        }
+        c, cLen := mustDecodeHexString(wt.C, "c")
+        var sharedSecret *C.uchar
+        var sharedSecretLen C.size_t
+        defer C.free(unsafe.Pointer(sharedSecret))
+        if C.MLKEM_decap(privKey, (*C.uchar)(unsafe.Pointer(&c[0])), C.size_t(cLen), (**C.uchar)(unsafe.Pointer(&sharedSecret)), (*C.size_t)(unsafe.Pointer(&sharedSecretLen))) != 1 {
+                fmt.Printf("%s - MLKEM_decap failed\n", wt)
+                return false
+        }
+        gotK := unsafe.Slice((*byte)(unsafe.Pointer(sharedSecret)), sharedSecretLen)
+        k, _ := mustDecodeHexString(wt.K, "K")
+        if !bytes.Equal(k, gotK) {
+                fmt.Printf("FAIL: %s sharedSecret mismatch\n", wt)
+                return false
+        }
+        return true
+}
+func runMLKEMEncapsTestGroup(rank C.int, wt *wycheproofTestMLKEM) bool {
+        pubKey := C.MLKEM_public_key_new(rank)
+        defer C.MLKEM_public_key_free(pubKey)
+        if pubKey == nil {
+                log.Fatal("MLKEM_public_key_new failed")
+        }
+        ek, ekLen := mustDecodeHexString(wt.C, "eK")
+        if C.MLKEM_parse_public_key(pubKey, (*C.uchar)(unsafe.Pointer(&ek[0])), (C.size_t)(ekLen)) != 0 || wt.Result != "invalid" {
+                fmt.Printf("FAIL: %s MLKEM_parse_public_key succeeded\n", wt)
+                return false
+        }
+        return true
+}
+func runMLKEMDecapsValidationTest(rank C.int, wt *wycheproofTestMLKEM) bool {
+        return true
+}
+func (wtg *wycheproofTestGroupMLKEM) run(algorithm string, variant testVariant) bool {
+        var rank C.int
+        switch wtg.ParameterSet {
+        case "ML-KEM-512":
+                fmt.Printf("INFO: skipping %v test group of type %v for %s\n", algorithm, wtg.Type, wtg.ParameterSet)
+                return true
+        case "ML-KEM-768":
+                rank = C.MLKEM768_RANK
+        case "ML-KEM-1024":
+                rank = C.MLKEM1024_RANK
+        default:
+                log.Fatalf("Unknown ML-KEM parameterSet %v", wtg.ParameterSet)
+        }
+        fmt.Printf("Running %v test group of type %v\n", algorithm, wtg.Type)
+        type MLKEMTestFunc func(C.int, *wycheproofTestMLKEM) bool
+        var runTest MLKEMTestFunc
+        switch wtg.Type {
+        case "MLKEMTest":
+                runTest = runMLKEMTestGroup
+        case "MLKEMEncapsTest":
+                runTest = runMLKEMEncapsTestGroup
+        case "MLKEMDecapsValidationTest":
+                runTest = runMLKEMDecapsValidationTest
+        default:
+                log.Fatalf("Unknown ML-KEM test type %v", wtg.Type)
+        }
+        success := true
+        for _, wt := range wtg.Tests {
+                if !runTest(rank, wt) {
+                        success = false
+                }
+        }
+        return success
+}
+func runPbkdfTest(md *C.EVP_MD, wt *wycheproofTestPbkdf) bool {
+        pw, pwLen := mustDecodeHexString(wt.Password, "password")
+        salt, saltLen := mustDecodeHexString(wt.Salt, "salt")
+        dk, _ := mustDecodeHexString(wt.Dk, "dk")
+        out := make([]byte, wt.DkLen)
+        ret := C.PKCS5_PBKDF2_HMAC((*C.char)(unsafe.Pointer(&pw[0])), C.int(pwLen), (*C.uchar)(unsafe.Pointer(&salt[0])), C.int(saltLen), C.int(wt.IterationCount), md, C.int(wt.DkLen), (*C.uchar)(unsafe.Pointer(&out[0])))
+        success := true
+        if ret != 1 || !bytes.Equal(dk, out) || wt.Result != "valid" {
+                fmt.Printf("%s - %d\n", wt, int(ret))
+                success = false
+        }
+        return success
+}
+func (wtg *wycheproofTestGroupPbkdf2HmacSha) run(algorithm string, variant testVariant) bool {
+        fmt.Printf("Running %v test group of type %v...\n", algorithm, wtg.Type)
+        md, err := hashEvpMdFromString("SHA-" + strings.TrimPrefix(algorithm, "PBKDF2-HMACSHA"))
+        if err != nil {
+                log.Fatalf("Failed to get hash: %v", err)
+        }
+        success := true
+        for _, wt := range wtg.Tests {
+                if !runPbkdfTest(md, wt) {
+                        success = false
+                }
+        }
+        return success
+}
+func runPrimalityTest(wt *wycheproofTestPrimality) bool {
+        bnValue := mustConvertBigIntToBigNum(wt.Value)
        defer C.BN_free(bnValue)
        ret := C.BN_is_prime_ex(bnValue, C.BN_prime_checks, (*C.BN_CTX)(unsafe.Pointer(nil)), (*C.BN_GENCB)(unsafe.Pointer(nil)))
@@ -2280,13 +2597,17 @@ func runRsaesOaepTest(rsa *C.RSA, sha *C.EVP_MD, mgfSha *C.EVP_MD, wt *wycheproo
 func (wtg *wycheproofTestGroupRsaesOaep) run(algorithm string, variant testVariant) bool {
        fmt.Printf("Running %v test group %v with key size %d MGF %v and %v...\n", algorithm, wtg.Type, wtg.KeySize, wtg.MGFSHA, wtg.SHA)
+        if skipHash(wtg.SHA) {
+                return true
+        }
        rsa := C.RSA_new()
        if rsa == nil {
                log.Fatal("RSA_new failed")
        }
        defer C.RSA_free(rsa)
-        d := C.CString(wtg.D)
+        d := C.CString(wtg.PrivateKey.PrivateExponent)
        var rsaD *C.BIGNUM
        defer C.BN_free(rsaD)
        if C.BN_hex2bn(&rsaD, d) == 0 {
@@ -2294,7 +2615,7 @@ func (wtg *wycheproofTestGroupRsaesOaep) run(algorithm string, variant testVaria
        }
        C.free(unsafe.Pointer(d))
-        e := C.CString(wtg.E)
+        e := C.CString(wtg.PrivateKey.PublicExponent)
        var rsaE *C.BIGNUM
        defer C.BN_free(rsaE)
        if C.BN_hex2bn(&rsaE, e) == 0 {
@@ -2302,7 +2623,7 @@ func (wtg *wycheproofTestGroupRsaesOaep) run(algorithm string, variant testVaria
        }
        C.free(unsafe.Pointer(e))
-        n := C.CString(wtg.N)
+        n := C.CString(wtg.PrivateKey.Modulus)
        var rsaN *C.BIGNUM
        defer C.BN_free(rsaN)
        if C.BN_hex2bn(&rsaN, n) == 0 {
@@ -2376,7 +2697,7 @@ func (wtg *wycheproofTestGroupRsaesPkcs1) run(algorithm string, variant testVari
        }
        defer C.RSA_free(rsa)
-        d := C.CString(wtg.D)
+        d := C.CString(wtg.PrivateKey.PrivateExponent)
        var rsaD *C.BIGNUM
        defer C.BN_free(rsaD)
        if C.BN_hex2bn(&rsaD, d) == 0 {
@@ -2384,7 +2705,7 @@ func (wtg *wycheproofTestGroupRsaesPkcs1) run(algorithm string, variant testVari
        }
        C.free(unsafe.Pointer(d))
-        e := C.CString(wtg.E)
+        e := C.CString(wtg.PrivateKey.PublicExponent)
        var rsaE *C.BIGNUM
        defer C.BN_free(rsaE)
        if C.BN_hex2bn(&rsaE, e) == 0 {
@@ -2392,7 +2713,7 @@ func (wtg *wycheproofTestGroupRsaesPkcs1) run(algorithm string, variant testVari
        }
        C.free(unsafe.Pointer(e))
-        n := C.CString(wtg.N)
+        n := C.CString(wtg.PrivateKey.Modulus)
        var rsaN *C.BIGNUM
        defer C.BN_free(rsaN)
        if C.BN_hex2bn(&rsaN, n) == 0 {
@@ -2451,13 +2772,30 @@ func runRsassaTest(rsa *C.RSA, sha *C.EVP_MD, mgfSha *C.EVP_MD, sLen int, wt *wy
 func (wtg *wycheproofTestGroupRsassa) run(algorithm string, variant testVariant) bool {
        fmt.Printf("Running %v test group %v with key size %d and %v...\n", algorithm, wtg.Type, wtg.KeySize, wtg.SHA)
+        if skipHash(wtg.SHA) {
+                return true
+        }
        rsa := C.RSA_new()
        if rsa == nil {
                log.Fatal("RSA_new failed")
        }
        defer C.RSA_free(rsa)
-        e := C.CString(wtg.E)
+        var publicExponent, modulus string
+        if wtg.PublicKey != nil {
+                publicExponent = wtg.PublicKey.PublicExponent
+                modulus = wtg.PublicKey.Modulus
+        } else if wtg.PrivateKey != nil {
+                publicExponent = wtg.PrivateKey.PublicExponent
+                modulus = wtg.PrivateKey.Modulus
+        }
+        if publicExponent == "" || modulus == "" {
+                return true
+        }
+        e := C.CString(publicExponent)
        var rsaE *C.BIGNUM
        defer C.BN_free(rsaE)
        if C.BN_hex2bn(&rsaE, e) == 0 {
@@ -2465,7 +2803,7 @@ func (wtg *wycheproofTestGroupRsassa) run(algorithm string, variant testVariant)
        }
        C.free(unsafe.Pointer(e))
-        n := C.CString(wtg.N)
+        n := C.CString(modulus)
        var rsaN *C.BIGNUM
        defer C.BN_free(rsaN)
        if C.BN_hex2bn(&rsaN, n) == 0 {
@@ -2522,7 +2860,19 @@ func (wtg *wycheproofTestGroupRSA) run(algorithm string, variant testVariant) bo
        }
        defer C.RSA_free(rsa)
-        e := C.CString(wtg.E)
+        var publicExponent, modulus string
+        if wtg.PublicKey != nil {
+                publicExponent = wtg.PublicKey.PublicExponent
+                modulus = wtg.PublicKey.Modulus
+        } else if wtg.PrivateKey != nil {
+                publicExponent = wtg.PrivateKey.PublicExponent
+                modulus = wtg.PrivateKey.Modulus
+        }
+        if publicExponent == "" || modulus == "" {
+                return true
+        }
+        e := C.CString(publicExponent)
        var rsaE *C.BIGNUM
        defer C.BN_free(rsaE)
        if C.BN_hex2bn(&rsaE, e) == 0 {
@@ -2530,7 +2880,7 @@ func (wtg *wycheproofTestGroupRSA) run(algorithm string, variant testVariant) bo
        }
        C.free(unsafe.Pointer(e))
-        n := C.CString(wtg.N)
+        n := C.CString(modulus)
        var rsaN *C.BIGNUM
        defer C.BN_free(rsaN)
        if C.BN_hex2bn(&rsaN, n) == 0 {
@@ -2586,7 +2936,12 @@ func runX25519Test(wt *wycheproofTestX25519) bool {
 }
 func (wtg *wycheproofTestGroupX25519) run(algorithm string, variant testVariant) bool {
-        fmt.Printf("Running %v test group with curve %v...\n", algorithm, wtg.Curve)
+        if wtg.Curve == "curve25519" {
+                fmt.Printf("Running %v test group with curve %v...\n", algorithm, wtg.Curve)
+        } else {
+                fmt.Printf("INFO: Skipping %v test group with curve %v...\n", algorithm, wtg.Curve)
+                return true
+        }
        success := true
        for _, wt := range wtg.Tests {
@@ -2597,59 +2952,119 @@ func (wtg *wycheproofTestGroupX25519) run(algorithm string, variant testVariant)
        return success
 }
-func testGroupFromAlgorithm(algorithm string, variant testVariant) wycheproofTestGroupRunner {
+func testGroupFromTestVector(wtv *wycheproofTestVectorsV1) (wycheproofTestGroupRunner, testVariant) {
-        if algorithm == "ECDH" && variant == Webcrypto {
+        variant := Normal
-                return &wycheproofTestGroupECDHWebCrypto{}
-        }
+        switch wtv.Algorithm {
-        if algorithm == "ECDSA" && variant == Webcrypto {
+        case "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512":
-                return &wycheproofTestGroupECDSAWebCrypto{}
+                return nil, Skip
-        }
+        case "AEGIS128", "AEGIS128L", "AEGIS256":
-        switch algorithm {
+                return nil, Skip
+        case "AEAD-AES-SIV-CMAC":
+                return nil, Skip
        case "AES-CBC-PKCS5":
-                return &wycheproofTestGroupAesCbcPkcs5{}
+                return &wycheproofTestGroupAesCbcPkcs5{}, variant
        case "AES-CCM", "AES-GCM":
-                return &wycheproofTestGroupAesAead{}
+                return &wycheproofTestGroupAesAead{}, variant
        case "AES-CMAC":
-                return &wycheproofTestGroupAesCmac{}
+                return &wycheproofTestGroupAesCmac{}, variant
+        case "AES-EAX", "AES-FF1", "AES-GCM-SIV", "AES-GMAC", "AES-KWP", "AES-SIV-CMAC", "AES-XTS":
+                return nil, Skip
+        case "AES-WRAP":
+                return &wycheproofTestGroupKW{}, variant
+        case "ARIA-CBC-PKCS5", "ARIA-CCM", "ARIA-CMAC", "ARIA-GCM", "ARIA-KWP", "ARIA-WRAP":
+                return nil, Skip
+        case "ASCON128", "ASCON128A", "ASCON80PQ":
+                return nil, Skip
+        case "CAMELLIA-CBC-PKCS5", "CAMELLIA-CCM", "CAMELLIA-CMAC", "CAMELLIA-WRAP":
+                return nil, Skip
        case "CHACHA20-POLY1305", "XCHACHA20-POLY1305":
-                return &wycheproofTestGroupChaCha{}
+                return &wycheproofTestGroupChaCha{}, variant
        case "DSA":
-                return &wycheproofTestGroupDSA{}
+                if wtv.Schema == "dsa_p1363_verify_schema_v1.json" {
+                        variant = P1363
+                }
+                return &wycheproofTestGroupDSA{}, variant
+        case "EcCurveTest":
+                return &wycheproofTestGroupEcCurve{}, variant
        case "ECDH":
-                return &wycheproofTestGroupECDH{}
+                if wtv.Schema == "ecdh_webcrypto_test_schema_v1.json" {
+                        return &wycheproofTestGroupECDHWebCrypto{}, Webcrypto
+                }
+                if wtv.Schema == "ecdh_ecpoint_test_schema_v1.json" {
+                        variant = EcPoint
+                }
+                if wtv.Schema == "ecdh_pem_test_schema_v1.json" {
+                        variant = Skip
+                }
+                return &wycheproofTestGroupECDH{}, variant
        case "ECDSA":
-                return &wycheproofTestGroupECDSA{}
+                if wtv.Schema == "ecdsa_bitcoin_verify_schema.json" {
+                        variant = Skip
+                }
+                if wtv.Schema == "ecdsa_p1363_verify_schema_v1.json" {
+                        variant = P1363
+                }
+                return &wycheproofTestGroupECDSA{}, variant
        case "EDDSA":
-                return &wycheproofTestGroupEdDSA{}
+                return &wycheproofTestGroupEdDSA{}, variant
        case "HKDF-SHA-1", "HKDF-SHA-256", "HKDF-SHA-384", "HKDF-SHA-512":
-                return &wycheproofTestGroupHkdf{}
+                return &wycheproofTestGroupHkdf{}, variant
-        case "HMACSHA1", "HMACSHA224", "HMACSHA256", "HMACSHA384", "HMACSHA512", "HMACSHA3-224", "HMACSHA3-256", "HMACSHA3-384", "HMACSHA3-512":
+        case "HMACSHA1", "HMACSHA224", "HMACSHA256", "HMACSHA384", "HMACSHA512", "HMACSHA512/224", "HMACSHA512/256", "HMACSHA3-224", "HMACSHA3-256", "HMACSHA3-384", "HMACSHA3-512", "HMACSM3":
-                return &wycheproofTestGroupHmac{}
+                return &wycheproofTestGroupHmac{}, variant
-        case "KW":
+        case "KMAC128", "KMAC256":
-                return &wycheproofTestGroupKW{}
+                return nil, Skip
+        case "ML-DSA-44", "ML-DSA-65", "ML-DSA-87":
+                return nil, Skip
+        case "ML-KEM":
+                return &wycheproofTestGroupMLKEM{}, Normal
+        case "MORUS640", "MORUS1280":
+                return nil, Skip
+        case "PbeWithHmacSha1AndAes_128", "PbeWithHmacSha1AndAes_192", "PbeWithHmacSha1AndAes_256", "PbeWithHmacSha224AndAes_128", "PbeWithHmacSha224AndAes_192", "PbeWithHmacSha224AndAes_256", "PbeWithHmacSha256AndAes_128", "PbeWithHmacSha256AndAes_192", "PbeWithHmacSha256AndAes_256", "PbeWithHmacSha384AndAes_128", "PbeWithHmacSha384AndAes_192", "PbeWithHmacSha384AndAes_256", "PbeWithHmacSha512AndAes_128", "PbeWithHmacSha512AndAes_192", "PbeWithHmacSha512AndAes_256":
+                return nil, Skip
+        case "PBKDF2-HMACSHA1", "PBKDF2-HMACSHA224", "PBKDF2-HMACSHA256", "PBKDF2-HMACSHA384", "PBKDF2-HMACSHA512":
+                return &wycheproofTestGroupPbkdf2HmacSha{}, Skip
        case "PrimalityTest":
-                return &wycheproofTestGroupPrimality{}
+                return &wycheproofTestGroupPrimality{}, variant
        case "RSAES-OAEP":
-                return &wycheproofTestGroupRsaesOaep{}
+                return &wycheproofTestGroupRsaesOaep{}, variant
        case "RSAES-PKCS1-v1_5":
-                return &wycheproofTestGroupRsaesPkcs1{}
+                return &wycheproofTestGroupRsaesPkcs1{}, variant
        case "RSASSA-PSS":
-                return &wycheproofTestGroupRsassa{}
+                return &wycheproofTestGroupRsassa{}, variant
        case "RSASSA-PKCS1-v1_5", "RSASig":
-                return &wycheproofTestGroupRSA{}
+                return &wycheproofTestGroupRSA{}, variant
-        case "XDH", "X25519":
+        case "SEED-CCM", "SEED-GCM", "SEED-WRAP":
-                return &wycheproofTestGroupX25519{}
+                return nil, Skip
+        case "SipHash-1-3", "SipHash-2-4", "SipHash-4-8", "SipHashX-2-4", "SipHashX-4-8":
+                return nil, Skip
+        case "SM4-CCM", "SM4-GCM":
+                return nil, Skip
+        case "VMAC-AES":
+                return nil, Skip
+        case "XDH":
+                switch wtv.Schema {
+                case "xdh_asn_comp_schema_v1.json", "xdh_jwk_comp_schema_v1.json", "xdh_pem_comp_schema_v1.json":
+                        variant = Skip
+                case "xdh_comp_schema_v1.json":
+                        variant = Normal
+                }
+                return &wycheproofTestGroupX25519{}, variant
        default:
-                return nil
+                // XXX - JOSE tests don't set an Algorithm...
+                if strings.HasPrefix(wtv.Schema, "json_web_") {
+                        return nil, Skip
+                }
+                return nil, Normal
        }
 }
-func runTestVectors(path string, variant testVariant) bool {
+func runTestVectors(path string) bool {
        b, err := ioutil.ReadFile(path)
        if err != nil {
                log.Fatalf("Failed to read test vectors: %v", err)
        }
-        wtv := &wycheproofTestVectors{}
+        wtv := &wycheproofTestVectorsV1{}
        if err := json.Unmarshal(b, wtv); err != nil {
                log.Fatalf("Failed to unmarshal JSON: %v", err)
        }
@@ -2657,10 +3072,13 @@ func runTestVectors(path string, variant testVariant) bool {
        success := true
        for _, tg := range wtv.TestGroups {
-                wtg := testGroupFromAlgorithm(wtv.Algorithm, variant)
+                wtg, variant := testGroupFromTestVector(wtv)
+                if variant == Skip {
+                        fmt.Printf("INFO: Skipping tests from \"%s\"\n", filepath.Base(path))
+                        return true
+                }
                if wtg == nil {
-                        log.Printf("INFO: Unknown test vector algorithm %q", wtv.Algorithm)
+                        log.Fatalf("INFO: Unknown test vector algorithm %qin \"%s\"", wtv.Algorithm, filepath.Base(path))
-                        return false
                }
                if err := json.Unmarshal(tg, wtg); err != nil {
                        log.Fatalf("Failed to unmarshal test groups JSON: %v", err)
@@ -2714,44 +3132,13 @@ func (tc *testCoordinator) shutdown() {
 }
 func main() {
-        if _, err := os.Stat(testVectorPath); os.IsNotExist(err) {
+        path := testVectorPath
+        if _, err := os.Stat(path); os.IsNotExist(err) {
                fmt.Printf("package wycheproof-testvectors is required for this regress\n")
                fmt.Printf("SKIPPED\n")
                os.Exit(0)
        }
-        tests := []struct {
-                name    string
-                pattern string
-                variant testVariant
-        }{
-                {"AES", "aes_[cg]*[^xv]_test.json", Normal}, // Skip AES-EAX, AES-GCM-SIV and AES-SIV-CMAC.
-                {"ChaCha20-Poly1305", "chacha20_poly1305_test.json", Normal},
-                {"DSA", "dsa_*test.json", Normal},
-                {"DSA", "dsa_*_p1363_test.json", P1363},
-                {"ECDH", "ecdh_test.json", Normal},
-                {"ECDH", "ecdh_[^w_]*_test.json", Normal},
-                {"ECDH EcPoint", "ecdh_*_ecpoint_test.json", EcPoint},
-                {"ECDH webcrypto", "ecdh_webcrypto_test.json", Webcrypto},
-                {"ECDSA", "ecdsa_test.json", Normal},
-                {"ECDSA", "ecdsa_[^w]*test.json", Normal},
-                {"ECDSA P1363", "ecdsa_*_p1363_test.json", P1363},
-                {"ECDSA webcrypto", "ecdsa_webcrypto_test.json", Webcrypto},
-                {"EDDSA", "eddsa_test.json", Normal},
-                {"ED448", "ed448_test.json", Skip},
-                {"HKDF", "hkdf_sha*_test.json", Normal},
-                {"HMAC", "hmac_sha*_test.json", Normal},
-                {"JSON webcrypto", "json_web_*_test.json", Skip},
-                {"KW", "kw_test.json", Normal},
-                {"Primality test", "primality_test.json", Normal},
-                {"RSA", "rsa_*test.json", Normal},
-                {"X25519", "x25519_test.json", Normal},
-                {"X25519 ASN", "x25519_asn_test.json", Skip},
-                {"X25519 JWK", "x25519_jwk_test.json", Skip},
-                {"X25519 PEM", "x25519_pem_test.json", Skip},
-                {"XCHACHA20-POLY1305", "xchacha20_poly1305_test.json", Normal},
-        }
        success := true
        var wg sync.WaitGroup
@@ -2764,33 +3151,25 @@ func main() {
        testc = newTestCoordinator()
-        skipNormal := regexp.MustCompile(`_(ecpoint|p1363|sect\d{3}[rk]1|secp(160|192))_`)
+        tvs, err := filepath.Glob(filepath.Join(path, "*.json"))
+        if err != nil {
-        for _, test := range tests {
+                log.Fatalf("Failed to glob test vectors: %v", err)
-                tvs, err := filepath.Glob(filepath.Join(testVectorPath, test.pattern))
+        }
-                if err != nil {
+        if len(tvs) == 0 {
-                        log.Fatalf("Failed to glob %v test vectors: %v", test.name, err)
+                log.Fatalf("Failed to find test vectors at %q\n", path)
-                }
+        }
-                if len(tvs) == 0 {
+        for _, tv := range tvs {
-                        log.Fatalf("Failed to find %v test vectors at %q\n", test.name, testVectorPath)
+                wg.Add(1)
-                }
+                <-vectorsRateLimitCh
-                for _, tv := range tvs {
+                go func(tv string) {
-                        if test.variant == Skip || (test.variant == Normal && skipNormal.Match([]byte(tv))) {
+                        select {
-                                fmt.Printf("INFO: Skipping tests from \"%s\"\n", strings.TrimPrefix(tv, testVectorPath+"/"))
+                        case resultCh <- runTestVectors(tv):
-                                continue
+                        default:
+                                log.Fatal("result channel is full")
                        }
-                        wg.Add(1)
+                        vectorsRateLimitCh <- true
-                        <-vectorsRateLimitCh
+                        wg.Done()
-                        go func(tv string, variant testVariant) {
+                }(tv)
-                                select {
-                                case resultCh <- runTestVectors(tv, variant):
-                                default:
-                                        log.Fatal("result channel is full")
-                                }
-                                vectorsRateLimitCh <- true
-                                wg.Done()
-                        }(tv, test.variant)
-                }
        }
        wg.Wait()
diff --git a/src/regress/lib/libcrypto/x509/Makefile b/src/regress/lib/libcrypto/x509/Makefile
index 19e65efddd..94e9e476a0 100644
--- a/src/regress/lib/libcrypto/x509/Makefile
+++ b/src/regress/lib/libcrypto/x509/Makefile
@@ -1,6 +1,6 @@
-#       $OpenBSD: Makefile,v 1.24 2025/03/15 06:37:49 tb Exp $
+#       $OpenBSD: Makefile,v 1.25 2025/05/05 06:33:34 tb Exp $
-PROGS = constraints verify x509attribute x509name x509req_ext callback
+PROGS = constraints verify x509attribute x509req_ext callback
 PROGS += expirecallback callbackfailures x509_asn1 x509_extensions_test
 PROGS += x509_name_test
 LDADD = -lcrypto
@@ -16,7 +16,7 @@ CFLAGS +=	-I${.CURDIR}/../../../../lib/libcrypto/bytestring
 SUBDIR += bettertls policy rfc3779
-CLEANFILES +=   x509name.result callback.out
+CLEANFILES +=   callback.out
 .if make(clean) || make(cleandir)
 . if ${.OBJDIR} != ${.CURDIR}
@@ -29,10 +29,6 @@ run-regress-verify: verify
        perl ${.CURDIR}/make-dir-roots.pl ${.CURDIR}/../certs .
        ./verify ${.CURDIR}/../certs
-run-regress-x509name: x509name
-        ./x509name > x509name.result
-        diff -u ${.CURDIR}/x509name.expected x509name.result
 run-regress-callback: callback
        ./callback ${.CURDIR}/../certs
        perl ${.CURDIR}/callback.pl callback.out
diff --git a/src/regress/lib/libcrypto/x509/bettertls/Makefile b/src/regress/lib/libcrypto/x509/bettertls/Makefile
index 2724140635..2a06239fc5 100644
--- a/src/regress/lib/libcrypto/x509/bettertls/Makefile
+++ b/src/regress/lib/libcrypto/x509/bettertls/Makefile
@@ -1,10 +1,10 @@
-#       $OpenBSD: Makefile,v 1.6 2024/12/27 08:02:27 tb Exp $
+#       $OpenBSD: Makefile,v 1.7 2025/07/23 07:46:12 tb Exp $
 PROGS =         verify
-.ifdef EOPENSSL33
+.ifdef EOPENSSL35
-LDADD +=        -Wl,-rpath,/usr/local/lib/eopenssl33 -L/usr/local/lib/eopenssl33
+LDADD +=        -Wl,-rpath,/usr/local/lib/eopenssl35 -L/usr/local/lib/eopenssl35
-CFLAGS +=       -I/usr/local/include/eopenssl33/
+CFLAGS +=       -I/usr/local/include/eopenssl35/
 .endif
 LDADD +=        -lcrypto
diff --git a/src/regress/lib/libcrypto/x509/x509_extensions_test.c b/src/regress/lib/libcrypto/x509/x509_extensions_test.c
index 2961b0612b..1a7dfe2019 100644
--- a/src/regress/lib/libcrypto/x509/x509_extensions_test.c
+++ b/src/regress/lib/libcrypto/x509/x509_extensions_test.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_extensions_test.c,v 1.3 2024/06/17 05:04:54 tb Exp $ */
+/*      $OpenBSD: x509_extensions_test.c,v 1.4 2025/12/31 17:04:22 tb Exp $ */
 /*
 * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -215,7 +215,7 @@ test_x509v3_add1_i2d_single_nid(STACK_OF(X509_EXTENSION) **extensions)
        }
        if ((got = X509v3_get_ext_count(*extensions)) != 1) {
-                fprintf(stderr, "%s: FAIL: X509V3_ADD_DEFAULT second contraints "
+                fprintf(stderr, "%s: FAIL: X509V3_ADD_DEFAULT second constraints "
                    "expected 1 extension, have %d.\n", __func__, got);
                goto err;
        }
diff --git a/src/regress/lib/libcrypto/x509/x509_name_test.c b/src/regress/lib/libcrypto/x509/x509_name_test.c
index eaf7076d74..24e62cc766 100644
--- a/src/regress/lib/libcrypto/x509/x509_name_test.c
+++ b/src/regress/lib/libcrypto/x509/x509_name_test.c
@@ -1,7 +1,9 @@
-/*      $OpenBSD: x509_name_test.c,v 1.2 2025/03/19 11:19:17 tb Exp $ */
+/*      $OpenBSD: x509_name_test.c,v 1.3 2025/05/05 06:33:34 tb Exp $ */
 /*
 * Copyright (c) 2025 Theo Buehler <tb@openbsd.org>
+ * Copyright (c) 2025 Kenjiro Nakayama <nakayamakenjiro@gmail.com>
+ * Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -288,12 +290,131 @@ x509_name_compat_test(void)
        return failed;
 }
+static const struct x509_name_entry_test {
+        const char *field;
+        const char *value;
+        int loc;
+        int set;
+        const char *expected_str;
+        const int expected_set[4];
+        const int expected_count;
+} entry_tests[] = {
+        {
+                .field = "ST",
+                .value = "BaWue",
+                .loc = -1,
+                .set = 0,
+                .expected_str = "ST=BaWue",
+                .expected_set = { 0 },
+                .expected_count = 1,
+        },
+        {
+                .field = "O",
+                .value = "KIT",
+                .loc = -1,
+                .set = 0,
+                .expected_str = "ST=BaWue, O=KIT",
+                .expected_set = { 0, 1 },
+                .expected_count = 2,
+        },
+        {
+                .field = "L",
+                .value = "Karlsruhe",
+                .loc = 1,
+                .set = 0,
+                .expected_str = "ST=BaWue, L=Karlsruhe, O=KIT",
+                .expected_set = { 0, 1, 2 },
+                .expected_count = 3,
+        },
+        {
+                .field = "C",
+                .value = "DE",
+                .loc = 0,
+                .set = 1,
+                .expected_str = "C=DE + ST=BaWue, L=Karlsruhe, O=KIT",
+                .expected_set = { 0, 0, 1, 2 },
+                .expected_count = 4,
+        },
+};
+#define N_ENTRY_TESTS (sizeof(entry_tests) / sizeof(entry_tests[0]))
+static int
+verify_x509_name_output(X509_NAME *name, const struct x509_name_entry_test *tc)
+{
+        BIO *bio;
+        char *got;
+        long got_len;
+        int loc, ret;
+        int failed = 1;
+        if ((bio = BIO_new(BIO_s_mem())) == NULL)
+                goto fail;
+        if ((ret = X509_NAME_print_ex(bio, name, 0, XN_FLAG_SEP_CPLUS_SPC)) == -1)
+                goto fail;
+        if ((got_len = BIO_get_mem_data(bio, &got)) < 0)
+                goto fail;
+        if (ret != got_len || strlen(tc->expected_str) != (size_t)ret)
+                goto fail;
+        if (strncmp(tc->expected_str, got, got_len) != 0)
+                goto fail;
+        if (X509_NAME_entry_count(name) != tc->expected_count)
+                goto fail;
+        for (loc = 0; loc < X509_NAME_entry_count(name); loc++) {
+                X509_NAME_ENTRY *e = X509_NAME_get_entry(name, loc);
+                if (e == NULL || X509_NAME_ENTRY_set(e) != tc->expected_set[loc])
+                        goto fail;
+        }
+        failed = 0;
+ fail:
+        BIO_free(bio);
+        return failed;
+}
+static int
+x509_name_add_entry_test(void)
+{
+        X509_NAME *name;
+        int failed = 1;
+        if ((name = X509_NAME_new()) == NULL)
+                goto done;
+        for (size_t i = 0; i < N_ENTRY_TESTS; i++) {
+                const struct x509_name_entry_test *t = &entry_tests[i];
+                if (!X509_NAME_add_entry_by_txt(name, t->field, MBSTRING_ASC,
+                    (const unsigned char *)t->value, -1, t->loc, t->set))
+                        goto done;
+                if (verify_x509_name_output(name, t))
+                        goto done;
+        }
+        failed = 0;
+ done:
+        X509_NAME_free(name);
+        return failed;
+}
 int
 main(void)
 {
        int failed = 0;
        failed |= x509_name_compat_test();
+        failed |= x509_name_add_entry_test();
        return failed;
 }
diff --git a/src/regress/lib/libcrypto/x509/x509name.c b/src/regress/lib/libcrypto/x509/x509name.c
deleted file mode 100644
index 9deeeb2986..0000000000
--- a/src/regress/lib/libcrypto/x509/x509name.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/* $OpenBSD: x509name.c,v 1.3 2021/10/31 08:27:15 tb Exp $ */
-/*
- * Copyright (c) 2018 Ingo Schwarze <schwarze@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include <err.h>
-#include <stdio.h>
-#include <openssl/x509.h>
-static void      debug_print(X509_NAME *);
-static void
-debug_print(X509_NAME *name)
-{
-        int loc;
-        for (loc = 0; loc < X509_NAME_entry_count(name); loc++)
-                printf("%d:",
-                    X509_NAME_ENTRY_set(X509_NAME_get_entry(name, loc)));
-        putchar(' ');
-        X509_NAME_print_ex_fp(stdout, name, 0, XN_FLAG_SEP_CPLUS_SPC);
-        putchar('\n');
-}
-int
-main(void)
-{
-        X509_NAME *name;
-        if ((name = X509_NAME_new()) == NULL)
-                err(1, NULL);
-        X509_NAME_add_entry_by_txt(name, "ST", MBSTRING_ASC,
-            "BaWue", -1, -1, 0);
-        X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC,
-            "KIT", -1, -1, 0);
-        debug_print(name);
-        X509_NAME_add_entry_by_txt(name, "L", MBSTRING_ASC,
-            "Karlsruhe", -1, 1, 0);
-        debug_print(name);
-        X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC,
-            "DE", -1, 0, 1);
-        debug_print(name);
-        X509_NAME_free(name);
-        return 0;
-}
diff --git a/src/regress/lib/libcrypto/x509/x509name.expected b/src/regress/lib/libcrypto/x509/x509name.expected
deleted file mode 100644
index 6cee7cc435..0000000000
--- a/src/regress/lib/libcrypto/x509/x509name.expected
+++ /dev/null
@@ -1,3 +0,0 @@
-0:1: ST=BaWue, O=KIT
-0:1:2: ST=BaWue, L=Karlsruhe, O=KIT
-0:0:1:2: C=DE + ST=BaWue, L=Karlsruhe, O=KIT
diff --git a/src/regress/lib/libssl/asn1/asn1test.c b/src/regress/lib/libssl/asn1/asn1test.c
index a81c502655..ad2301eace 100644
--- a/src/regress/lib/libssl/asn1/asn1test.c
+++ b/src/regress/lib/libssl/asn1/asn1test.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: asn1test.c,v 1.13 2024/07/22 14:50:45 jsing Exp $     */
+/*      $OpenBSD: asn1test.c,v 1.14 2025/10/24 11:45:08 tb Exp $        */
 /*
 * Copyright (c) 2014, 2016 Joel Sing <jsing@openbsd.org>
 *
@@ -371,7 +371,7 @@ session_cmp(SSL_SESSION *s1, SSL_SESSION *s2)
 static int
 do_ssl_asn1_test(int test_no, struct ssl_asn1_test *sat)
 {
-        SSL_SESSION *sp = NULL;
+        SSL_SESSION *sp = NULL, *sp_copy = NULL;
        unsigned char *ap, *asn1 = NULL;
        const unsigned char *pp;
        int i, len, rv = 1;
@@ -440,11 +440,31 @@ do_ssl_asn1_test(int test_no, struct ssl_asn1_test *sat)
                goto failed;
        }
+        if ((sp_copy = SSL_SESSION_dup(sp)) == NULL) {
+                fprintf(stderr, "FAIL: test %d - session dup failed\n", test_no);
+                goto failed;
+        }
+        if (session_cmp(sp, sp_copy) != 0) {
+                fprintf(stderr, "FAIL: test %d - sp and sp_dup differ\n", test_no);
+                goto failed;
+        }
+        /*
+         * session_cmp() checks that the certs compare as equal. Part of the
+         * documented API contract is that the certs are equal as pointers.
+         */
+        if (SSL_SESSION_get0_peer(sp) != SSL_SESSION_get0_peer(sp_copy)) {
+                fprintf(stderr, "FAIL: test %d - peer certs differ\n", test_no);
+                goto failed;
+        }
        rv = 0;
 failed:
        ERR_print_errors_fp(stderr);
        SSL_SESSION_free(sp);
+        SSL_SESSION_free(sp_copy);
        free(asn1);
        return (rv);
diff --git a/src/regress/lib/libssl/client/clienttest.c b/src/regress/lib/libssl/client/clienttest.c
index 7e96944fce..f9258105f8 100644
--- a/src/regress/lib/libssl/client/clienttest.c
+++ b/src/regress/lib/libssl/client/clienttest.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: clienttest.c,v 1.45 2024/08/31 12:47:24 jsing Exp $ */
+/*      $OpenBSD: clienttest.c,v 1.46 2025/12/04 21:16:17 beck Exp $ */
 /*
 * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
 *
@@ -36,8 +36,8 @@
 #define TLS13_RANDOM_OFFSET (TLS13_HM_OFFSET + 2)
 #define TLS13_SESSION_OFFSET (TLS13_HM_OFFSET + 34)
 #define TLS13_CIPHER_OFFSET (TLS13_HM_OFFSET + 69)
-#define TLS13_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 198)
+#define TLS13_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 200)
-#define TLS13_ONLY_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 112)
+#define TLS13_ONLY_KEY_SHARE_OFFSET (TLS13_HM_OFFSET + 114)
 #define TLS1_3_VERSION_ONLY (TLS1_3_VERSION | 0x10000)
@@ -265,8 +265,8 @@ static const uint8_t cipher_list_tls13_chacha[] = {
 };
 static const uint8_t client_hello_tls13[] = {
-        0x16, 0x03, 0x03, 0x01, 0x10, 0x01, 0x00, 0x01,
+        0x16, 0x03, 0x03, 0x05, 0xd6, 0x01, 0x00, 0x05,
-        0x0c, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0xd2, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -286,20 +286,173 @@ static const uint8_t client_hello_tls13[] = {
        0x00, 0x45, 0x00, 0x9c, 0x00, 0x3c, 0x00, 0x2f,
        0x00, 0xba, 0x00, 0x41, 0xc0, 0x11, 0xc0, 0x07,
        0x00, 0x05, 0xc0, 0x12, 0xc0, 0x08, 0x00, 0x16,
-        0x00, 0x0a, 0x01, 0x00, 0x00, 0x67, 0x00, 0x2b,
+        0x00, 0x0a, 0x01, 0x00, 0x05, 0x2d, 0x00, 0x2b,
        0x00, 0x05, 0x04, 0x03, 0x04, 0x03, 0x03, 0x00,
-        0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00, 0x1d, 0x00,
+        0x0a, 0x00, 0x0c, 0x00, 0x0a, 0x11, 0xec, 0x00,
-        0x17, 0x00, 0x18, 0x00, 0x19, 0x00, 0x33, 0x00,
+        0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
-        0x26, 0x00, 0x24, 0x00, 0x1d, 0x00, 0x20, 0x00,
+        0x33, 0x04, 0xea, 0x04, 0xe8, 0x11, 0xec, 0x04,
+        0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x0d, 0x00, 0x18, 0x00, 0x16, 0x08,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x03, 0x02, 0x01, 0x02, 0x03,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x00,
+        0x02, 0x01, 0x00, 0x00, 0x23, 0x00, 0x00, 0x00,
+        0x0d, 0x00, 0x18, 0x00, 0x16, 0x08, 0x06, 0x06,
+        0x01, 0x06, 0x03, 0x08, 0x05, 0x05, 0x01, 0x05,
+        0x03, 0x08, 0x04, 0x04, 0x01, 0x04, 0x03, 0x02,
+        0x01, 0x02, 0x03,
 };
 static const uint8_t cipher_list_tls13_only_aes[] = {
@@ -311,8 +464,8 @@ static const uint8_t cipher_list_tls13_only_chacha[] = {
 };
 static const uint8_t client_hello_tls13_only[] = {
-        0x16, 0x03, 0x03, 0x00, 0xb6, 0x01, 0x00, 0x00,
+        0x16, 0x03, 0x03, 0x05, 0x7c, 0x01, 0x00, 0x05,
-        0xb2, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x78, 0x03, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
@@ -322,19 +475,172 @@ static const uint8_t client_hello_tls13_only[] = {
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x13, 0x03,
        0x13, 0x02, 0x13, 0x01, 0x00, 0xff, 0x01, 0x00,
-        0x00, 0x61, 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03,
+        0x05, 0x27, 0x00, 0x2b, 0x00, 0x03, 0x02, 0x03,
-        0x04, 0x00, 0x0a, 0x00, 0x0a, 0x00, 0x08, 0x00,
+        0x04, 0x00, 0x0a, 0x00, 0x0c, 0x00, 0x0a, 0x11,
-        0x1d, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19, 0x00,
+        0xec, 0x00, 0x1d, 0x00, 0x17, 0x00, 0x18, 0x00,
-        0x33, 0x00, 0x26, 0x00, 0x24, 0x00, 0x1d, 0x00,
+        0x19, 0x00, 0x33, 0x04, 0xea, 0x04, 0xe8, 0x11,
-        0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0xec, 0x04, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x00, 0x00, 0x0b, 0x00, 0x02, 0x01, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x23, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x14, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x12, 0x08, 0x06, 0x06, 0x01, 0x06, 0x03, 0x08,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x05, 0x05, 0x01, 0x05, 0x03, 0x08, 0x04, 0x04,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x01, 0x04, 0x03,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x0b, 0x00, 0x02, 0x01, 0x00, 0x00, 0x23, 0x00,
+        0x00, 0x00, 0x0d, 0x00, 0x14, 0x00, 0x12, 0x08,
+        0x06, 0x06, 0x01, 0x06, 0x03, 0x08, 0x05, 0x05,
+        0x01, 0x05, 0x03, 0x08, 0x04, 0x04, 0x01, 0x04,
+        0x03,
 };
 struct client_hello_test {
@@ -702,7 +1008,7 @@ client_hello_test(int testno, const struct client_hello_test *cht)
                        memset(&wbuf[cht->session_start + 1], 0, session_len);
        }
        if (cht->key_share_start > 0)
-                memset(&wbuf[cht->key_share_start], 0, 32);
+                memset(&wbuf[cht->key_share_start], 0, 1252);
        if (memcmp(client_hello, wbuf, client_hello_len) != 0) {
                fprintf(stderr, "FAIL: ClientHello differs:\n");
diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
index bdc67f627a..e1e9633d37 100644
--- a/src/regress/lib/libssl/interop/Makefile
+++ b/src/regress/lib/libssl/interop/Makefile
@@ -1,6 +1,6 @@
-# $OpenBSD: Makefile,v 1.21 2025/01/15 10:54:17 tb Exp $
+# $OpenBSD: Makefile,v 1.23 2025/07/25 16:33:15 tb Exp $
-SUBDIR =        libressl openssl33 openssl34
+SUBDIR =        libressl openssl35
 # the above binaries must have been built before we can continue
 SUBDIR +=       netcat
diff --git a/src/regress/lib/libssl/interop/botan/Makefile b/src/regress/lib/libssl/interop/botan/Makefile
index 85877d4290..56bcdaf4bd 100644
--- a/src/regress/lib/libssl/interop/botan/Makefile
+++ b/src/regress/lib/libssl/interop/botan/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $
+# $OpenBSD: Makefile,v 1.12 2025/07/25 16:33:15 tb Exp $
 .include <bsd.own.mk>
@@ -20,11 +20,8 @@ CXX = /usr/local/bin/eg++
 .endif
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl33)
+.if exists(/usr/local/bin/eopenssl35)
-LIBRARIES +=            openssl33
+LIBRARIES +=            openssl35
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES +=            openssl34
 .endif
 PROGS =         client
diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile
index 74c63c86a8..9698c56acd 100644
--- a/src/regress/lib/libssl/interop/cert/Makefile
+++ b/src/regress/lib/libssl/interop/cert/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.14 2025/01/15 10:54:17 tb Exp $
+# $OpenBSD: Makefile,v 1.16 2025/07/25 16:33:15 tb Exp $
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 3.x.  Create client and server certificates
@@ -7,11 +7,8 @@
 # and check the result of certificate verification.
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl33)
+.if exists(/usr/local/bin/eopenssl35)
-LIBRARIES +=            openssl33
+LIBRARIES +=            openssl35
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES +=            openssl34
 .endif
 .for cca in noca ca fakeca
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
index fa7e25f9ee..5bdc9089fe 100644
--- a/src/regress/lib/libssl/interop/cipher/Makefile
+++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.17 2025/01/15 10:54:17 tb Exp $
+# $OpenBSD: Makefile,v 1.19 2025/07/25 16:33:15 tb Exp $
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.1 or 3.0.  Create lists of supported ciphers
@@ -7,11 +7,8 @@
 # have used correct cipher by grepping in their session print out.
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl33)
+.if exists(/usr/local/bin/eopenssl35)
-LIBRARIES +=            openssl33
+LIBRARIES +=            openssl35
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES +=            openssl34
 .endif
 CLEANFILES =    *.tmp *.ciphers ciphers.mk
@@ -41,8 +38,7 @@ client-${clib}-server-${slib}.ciphers: \
        uniq -d <$@.tmp >$@
        # we are only interested in ciphers supported by libressl
        sort $@ client-libressl.ciphers >$@.tmp
-. if "${clib}" == "openssl33" || "${slib}" == "openssl33" || \
+. if "${clib}" == "openssl35" || "${slib}" == "openssl35"
-        "${clib}" == "openssl34" || "${slib}" == "openssl34"
        # OpenSSL's SSL_CTX_set_cipher_list doesn't accept TLSv1.3 ciphers
        sed -i '/^TLS_/d' $@.tmp
 . endif
@@ -70,8 +66,7 @@ regress: ciphers.mk
 .endif
 LEVEL_libressl =
-LEVEL_openssl33 = ,@SECLEVEL=0
+LEVEL_openssl35 = ,@SECLEVEL=0
-LEVEL_openssl34 = ,@SECLEVEL=0
 .for clib in ${LIBRARIES}
 .for slib in ${LIBRARIES}
@@ -132,7 +127,7 @@ check-cipher-${cipher}-client-${clib}-server-${slib}: \
 . endif
 . if "${clib}" == "libressl"
        # libressl client may prefer chacha-poly if aes-ni is not supported
-.  if "${slib}" == "openssl33" || "${slib}" == "openssl34"
+.  if "${slib}" == "openssl35"
        egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
 .  else
        egrep -q ' Cipher *: TLS_(AES_256_GCM_SHA384|CHACHA20_POLY1305_SHA256)$$' ${@:S/^check/server/}.out
diff --git a/src/regress/lib/libssl/interop/netcat/Makefile b/src/regress/lib/libssl/interop/netcat/Makefile
index 3b8e3f95be..cff6b7ea76 100644
--- a/src/regress/lib/libssl/interop/netcat/Makefile
+++ b/src/regress/lib/libssl/interop/netcat/Makefile
@@ -1,11 +1,8 @@
-# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $
+# $OpenBSD: Makefile,v 1.12 2025/07/25 16:33:15 tb Exp $
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl33)
+.if exists(/usr/local/bin/eopenssl35)
-LIBRARIES +=            openssl33
+LIBRARIES +=            openssl35
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES +=            openssl34
 .endif
 # run netcat server and connect with test client
diff --git a/src/regress/lib/libssl/interop/openssl33/Makefile b/src/regress/lib/libssl/interop/openssl33/Makefile
deleted file mode 100644
index eff61704d0..0000000000
--- a/src/regress/lib/libssl/interop/openssl33/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2025/01/15 10:54:17 tb Exp $
-.if ! exists(/usr/local/bin/eopenssl33)
-regress:
-        # install openssl-3.3 from ports for interop tests
-        @echo 'Run "pkg_add openssl--%3.3" to run tests against OpenSSL 3.3'
-        @echo SKIPPED
-.else
-PROGS =                 client server
-CFLAGS +=               -DOPENSSL_SUPPRESS_DEPRECATED
-CPPFLAGS =              -I /usr/local/include/eopenssl33
-LDFLAGS =               -L /usr/local/lib/eopenssl33
-LDADD =                 -lssl -lcrypto
-DPADD =                 /usr/local/lib/eopenssl33/libssl.a \
-                        /usr/local/lib/eopenssl33/libcrypto.a
-LD_LIBRARY_PATH =       /usr/local/lib/eopenssl33
-REGRESS_TARGETS =       run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS +=      run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-.for p in ${PROGS}
-run-ldd-$p: ldd-$p.out
-        # check that $p is linked with OpenSSL 3.3
-        grep -q /usr/local/lib/eopenssl33/libcrypto.so ldd-$p.out
-        grep -q /usr/local/lib/eopenssl33/libssl.so ldd-$p.out
-        # check that $p is not linked with LibreSSL
-        ! grep -v libc.so ldd-$p.out | grep /usr/lib/
-run-version-$p: $p-self.out
-        # check that runtime version is OpenSSL 3.3
-        grep 'SSLEAY_VERSION: OpenSSL 3.3' $p-self.out
-run-protocol-$p: $p-self.out
-        # check that OpenSSL 3.3 protocol version is TLS 1.3
-        grep 'Protocol *: TLSv1.3' $p-self.out
-.endfor
-.endif # exists(/usr/local/bin/eopenssl33)
-.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/openssl34/Makefile b/src/regress/lib/libssl/interop/openssl34/Makefile
deleted file mode 100644
index 72246bb621..0000000000
--- a/src/regress/lib/libssl/interop/openssl34/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@
-# $OpenBSD: Makefile,v 1.1 2025/01/15 10:54:17 tb Exp $
-.if ! exists(/usr/local/bin/eopenssl34)
-regress:
-        # install openssl-3.4 from ports for interop tests
-        @echo 'Run "pkg_add openssl--%3.4" to run tests against OpenSSL 3.4'
-        @echo SKIPPED
-.else
-PROGS =                 client server
-CFLAGS +=               -DOPENSSL_SUPPRESS_DEPRECATED
-CPPFLAGS =              -I /usr/local/include/eopenssl34
-LDFLAGS =               -L /usr/local/lib/eopenssl34
-LDADD =                 -lssl -lcrypto
-DPADD =                 /usr/local/lib/eopenssl34/libssl.a \
-                        /usr/local/lib/eopenssl34/libcrypto.a
-LD_LIBRARY_PATH =       /usr/local/lib/eopenssl34
-REGRESS_TARGETS =       run-self-client-server
-.for p in ${PROGS}
-REGRESS_TARGETS +=      run-ldd-$p run-version-$p run-protocol-$p
-.endfor
-.for p in ${PROGS}
-run-ldd-$p: ldd-$p.out
-        # check that $p is linked with OpenSSL 3.4
-        grep -q /usr/local/lib/eopenssl34/libcrypto.so ldd-$p.out
-        grep -q /usr/local/lib/eopenssl34/libssl.so ldd-$p.out
-        # check that $p is not linked with LibreSSL
-        ! grep -v libc.so ldd-$p.out | grep /usr/lib/
-run-version-$p: $p-self.out
-        # check that runtime version is OpenSSL 3.4
-        grep 'SSLEAY_VERSION: OpenSSL 3.4' $p-self.out
-run-protocol-$p: $p-self.out
-        # check that OpenSSL 3.4 protocol version is TLS 1.3
-        grep 'Protocol *: TLSv1.3' $p-self.out
-.endfor
-.endif # exists(/usr/local/bin/eopenssl34)
-.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/openssl35/Makefile b/src/regress/lib/libssl/interop/openssl35/Makefile
new file mode 100644
index 0000000000..e11ad5dd20
--- /dev/null
+++ b/src/regress/lib/libssl/interop/openssl35/Makefile
@@ -0,0 +1,44 @@
+# $OpenBSD: Makefile,v 1.1 2025/07/09 17:48:02 tb Exp $
+.if ! exists(/usr/local/bin/eopenssl35)
+regress:
+        # install openssl-3.5 from ports for interop tests
+        @echo 'Run "pkg_add openssl--%3.5" to run tests against OpenSSL 3.5'
+        @echo SKIPPED
+.else
+PROGS =                 client server
+CFLAGS +=               -DOPENSSL_SUPPRESS_DEPRECATED
+CPPFLAGS =              -I /usr/local/include/eopenssl35
+LDFLAGS =               -L /usr/local/lib/eopenssl35
+LDADD =                 -lssl -lcrypto
+DPADD =                 /usr/local/lib/eopenssl35/libssl.a \
+                        /usr/local/lib/eopenssl35/libcrypto.a
+LD_LIBRARY_PATH =       /usr/local/lib/eopenssl35
+REGRESS_TARGETS =       run-self-client-server
+.for p in ${PROGS}
+REGRESS_TARGETS +=      run-ldd-$p run-version-$p run-protocol-$p
+.endfor
+.for p in ${PROGS}
+run-ldd-$p: ldd-$p.out
+        # check that $p is linked with OpenSSL 3.5
+        grep -q /usr/local/lib/eopenssl35/libcrypto.so ldd-$p.out
+        grep -q /usr/local/lib/eopenssl35/libssl.so ldd-$p.out
+        # check that $p is not linked with LibreSSL
+        ! grep -v -e libc.so -e libpthread.so ldd-$p.out | grep /usr/lib/
+run-version-$p: $p-self.out
+        # check that runtime version is OpenSSL 3.5
+        grep 'SSLEAY_VERSION: OpenSSL 3.5' $p-self.out
+run-protocol-$p: $p-self.out
+        # check that OpenSSL 3.5 protocol version is TLS 1.3
+        grep 'Protocol *: TLSv1.3' $p-self.out
+.endfor
+.endif # exists(/usr/local/bin/eopenssl35)
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/session/Makefile b/src/regress/lib/libssl/interop/session/Makefile
index e9a353f99e..fff66b169b 100644
--- a/src/regress/lib/libssl/interop/session/Makefile
+++ b/src/regress/lib/libssl/interop/session/Makefile
@@ -1,11 +1,8 @@
-# $OpenBSD: Makefile,v 1.12 2025/01/15 10:54:17 tb Exp $
+# $OpenBSD: Makefile,v 1.14 2025/07/25 16:33:15 tb Exp $
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl33)
+.if exists(/usr/local/bin/eopenssl35)
-#LIBRARIES +=           openssl33
+#LIBRARIES +=           openssl35
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-#LIBRARIES +=           openssl34
 .endif
 run-session-client-libressl-server-libressl:
diff --git a/src/regress/lib/libssl/interop/version/Makefile b/src/regress/lib/libssl/interop/version/Makefile
index 605fba252f..5ee7d4c4f3 100644
--- a/src/regress/lib/libssl/interop/version/Makefile
+++ b/src/regress/lib/libssl/interop/version/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.10 2025/01/15 10:54:17 tb Exp $
+# $OpenBSD: Makefile,v 1.12 2025/07/25 16:33:15 tb Exp $
 # Connect a client to a server.  Both can be current libressl, or
 # openssl 1.1 or openssl 3.0.  Pin client or server to a fixed TLS
@@ -7,11 +7,8 @@
 # print out.
 LIBRARIES =             libressl
-.if exists(/usr/local/bin/eopenssl33)
+.if exists(/usr/local/bin/eopenssl35)
-LIBRARIES +=            openssl33
+LIBRARIES +=            openssl35
-.endif
-.if exists(/usr/local/bin/eopenssl34)
-LIBRARIES +=            openssl34
 .endif
 VERSIONS =      any TLS1_2 TLS1_3
@@ -29,8 +26,7 @@ FAIL_${cver}_${sver} = !
 .for slib in ${LIBRARIES}
 .if ("${cver}" != TLS1_3 && "${sver}" != TLS1_3) && \
-    ((("${clib}" != openssl33 && "${slib}" != openssl33)) || \
+    ((("${clib}" != openssl35 && "${slib}" != openssl35)) || \
-    (("${clib}" != openssl34 && "${slib}" != openssl34)) || \
    (("${cver}" != any && "${sver}" != any) && \
    ("${cver}" != TLS1 && "${sver}" != TLS1) && \
    ("${cver}" != TLS1_1 && "${sver}" != TLS1_1)))
diff --git a/src/regress/lib/libssl/openssl-ruby/Makefile b/src/regress/lib/libssl/openssl-ruby/Makefile
index af8083f662..19d2f2fc40 100644
--- a/src/regress/lib/libssl/openssl-ruby/Makefile
+++ b/src/regress/lib/libssl/openssl-ruby/Makefile
@@ -1,10 +1,10 @@
-#       $OpenBSD: Makefile,v 1.14 2024/08/31 11:14:58 tb Exp $
+#       $OpenBSD: Makefile,v 1.17 2025/06/27 03:32:08 tb Exp $
 OPENSSL_RUBY_TESTS =    /usr/local/share/openssl-ruby-tests
-.if exists(/usr/local/bin/ruby32)
+.if exists(/usr/local/bin/ruby33)
-RUBY_BINREV =           32
-.else
 RUBY_BINREV =           33
+.else
+RUBY_BINREV =           34
 .endif
 RUBY =                  ruby${RUBY_BINREV}
@@ -71,6 +71,21 @@ ${_t}: ${_BUILD_COOKIE}
                -n ${_t}
 .endfor
+# These tests can be a pain to run. To run a small set of individual
+# ssl tests, set the test names separated by spaces in the environment
+# variable RUBY_SSL_TEST_TARGETS - then you can type "make <test_name>"
+# to run a single ruby ssl test.
+.for _t in ${RUBY_SSL_TEST_TARGETS}
+REGRESS_TARGETS += ${_t}
+REGRESS_EXPECTED_FAILURES += ${_t}
+${_t}: ${_BUILD_COOKIE}
+        cd ${BUILDDIR} && \
+            ${RUBY} -I. -I${OPENSSL_RUBY_TESTS}/test/openssl \
+                -I${OPENSSL_RUBY_TESTS}/lib \
+                ${OPENSSL_RUBY_TESTS}/test/openssl/test_ssl.rb \
+                -n ${_t}
+.endfor
 CLEANFILES +=           ${_BUILD_COOKIE} ${_TEST_COOKIE} ${_BUILDDIR_COOKIE}
 . if make(clean) || make(cleandir)
diff --git a/src/regress/lib/libssl/pqueue/Makefile b/src/regress/lib/libssl/pqueue/Makefile
index 48c2cb7e61..05fe9a268d 100644
--- a/src/regress/lib/libssl/pqueue/Makefile
+++ b/src/regress/lib/libssl/pqueue/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.1 2016/11/04 19:45:12 jsing Exp $
+#       $OpenBSD: Makefile,v 1.2 2025/05/04 11:04:02 tb Exp $
 PROG=   pq_test
 SRC=    ${.CURDIR}/../../../../lib/libssl
@@ -9,9 +9,4 @@ DPADD=	${LIBSSL} ${LIBCRYPTO}
 WARNINGS=       Yes
 CFLAGS+=        -DLIBRESSL_INTERNAL -Werror
-REGRESS_TARGETS= regress-pq_test
-regress-pq_test: ${PROG}
-        ${.OBJDIR}/pq_test | cmp -s ${.CURDIR}/expected.txt /dev/stdin
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/pqueue/expected.txt b/src/regress/lib/libssl/pqueue/expected.txt
deleted file mode 100644
index c59d6cd838..0000000000
--- a/src/regress/lib/libssl/pqueue/expected.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-item    6966726167696c69
-item    7374696365787069
-item    737570657263616c
diff --git a/src/regress/lib/libssl/pqueue/pq_test.c b/src/regress/lib/libssl/pqueue/pq_test.c
index a078ba5366..822fdea961 100644
--- a/src/regress/lib/libssl/pqueue/pq_test.c
+++ b/src/regress/lib/libssl/pqueue/pq_test.c
@@ -59,60 +59,77 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include "pqueue.h"
-/* remember to change expected.txt if you change these values */
+static const unsigned char *pq_expected[3] = {
-unsigned char prio1[8] = "supercal";
+        "ifragili",
-unsigned char prio2[8] = "ifragili";
+        "sticexpi",
-unsigned char prio3[8] = "sticexpi";
+        "supercal"
+};
-static void
+static int
-pqueue_print(pqueue pq)
+test_pqueue(void)
 {
-        pitem *iter, *item;
+        const unsigned char *prio1 = pq_expected[2];
+        const unsigned char *prio2 = pq_expected[0];
-        iter = pqueue_iterator(pq);
+        const unsigned char *prio3 = pq_expected[1];
-        for (item = pqueue_next(&iter); item != NULL;
+        pqueue pq = NULL;
-            item = pqueue_next(&iter)) {
+        pitem *item = NULL;
-                printf("item\t%02x%02x%02x%02x%02x%02x%02x%02x\n",
+        pitem *iter = NULL;
-                    item->priority[0], item->priority[1],
+        int i = 0;
-                    item->priority[2], item->priority[3],
+        int failed = 1;
-                    item->priority[4], item->priority[5],
-                    item->priority[6], item->priority[7]);
-        }
-}
-int
+        if ((pq = pqueue_new()) == NULL)
-main(void)
+                goto failure;
-{
-        pitem *item;
-        pqueue pq;
-        pq = pqueue_new();
+        if (!pqueue_insert(pq, pitem_new(prio3, NULL)))
+                goto failure;
+        if (!pqueue_insert(pq, pitem_new(prio1, NULL)))
+                goto failure;
+        if (!pqueue_insert(pq, pitem_new(prio2, NULL)))
+                goto failure;
-        item = pitem_new(prio3, NULL);
+        if (pqueue_size(pq) != 3)
-        pqueue_insert(pq, item);
+                goto failure;
-        item = pitem_new(prio1, NULL);
+        if ((item = pqueue_find(pq, prio1)) == NULL)
-        pqueue_insert(pq, item);
+                goto failure;
+        if ((item = pqueue_find(pq, prio2)) == NULL)
+                goto failure;
+        if ((item = pqueue_find(pq, prio3)) == NULL)
+                goto failure;
-        item = pitem_new(prio2, NULL);
+        if ((item = pqueue_peek(pq)) == NULL)
-        pqueue_insert(pq, item);
+                goto failure;
-        item = pqueue_find(pq, prio1);
+        if (memcmp(item->priority, pq_expected[0], 8))
-        fprintf(stderr, "found %p\n", item->priority);
+                goto failure;
-        item = pqueue_find(pq, prio2);
+        iter = pqueue_iterator(pq);
-        fprintf(stderr, "found %p\n", item->priority);
+        for (item = pqueue_next(&iter); item != NULL; item = pqueue_next(&iter)) {
+                if (memcmp(item->priority, pq_expected[i], 8) != 0)
+                        goto failure;
+                i++;
+        }
-        item = pqueue_find(pq, prio3);
+        failed = (i != 3);
-        fprintf(stderr, "found %p\n", item ? item->priority: 0);
-        pqueue_print(pq);
+ failure:
        for (item = pqueue_pop(pq); item != NULL; item = pqueue_pop(pq))
                pitem_free(item);
        pqueue_free(pq);
-        return 0;
+        return failed;
+}
+int
+main(void)
+{
+        int failed = 0;
+        failed |= test_pqueue();
+        return failed;
 }
diff --git a/src/regress/lib/libssl/tlsext/tlsexttest.c b/src/regress/lib/libssl/tlsext/tlsexttest.c
index 4adf27421d..4c3701a63d 100644
--- a/src/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/src/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlsexttest.c,v 1.92 2024/09/11 15:04:16 tb Exp $ */
+/* $OpenBSD: tlsexttest.c,v 1.95 2025/12/04 21:03:42 beck Exp $ */
 /*
 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -3665,7 +3665,7 @@ test_tlsext_keyshare_client(void)
        if ((ssl->s3->hs.key_share =
            tls_key_share_new_nid(NID_X25519)) == NULL)
                errx(1, "failed to create key share");
-        if (!tls_key_share_generate(ssl->s3->hs.key_share))
+        if (!tls_key_share_client_generate(ssl->s3->hs.key_share))
                errx(1, "failed to generate key share");
        ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
@@ -3740,6 +3740,11 @@ test_tlsext_keyshare_client(void)
                FAIL("Did not select a key share");
                goto done;
        }
+        if (tls_key_share_group(ssl->s3->hs.key_share) != 29) {
+                FAIL("wrong key share group: got %d, expected 29\n",
+                     tls_key_share_group(ssl->s3->hs.key_share));
+                goto done;
+        }
        /*
         * Pretend the client did not send the supported groups extension. We
@@ -3885,14 +3890,14 @@ test_tlsext_keyshare_server(void)
                goto done;
        }
-        if (!tls_key_share_generate(ssl->s3->hs.key_share)) {
+        if (!tls_key_share_server_generate(ssl->s3->hs.key_share)) {
                FAIL("failed to generate key share");
                goto done;
        }
        CBS_init(&cbs, bogokey, sizeof(bogokey));
-        if (!tls_key_share_peer_public(ssl->s3->hs.key_share, &cbs,
+        if (!tls_key_share_server_peer_public(ssl->s3->hs.key_share, &cbs,
            &decode_error, NULL)) {
                FAIL("failed to load peer public key\n");
                goto done;
@@ -3921,7 +3926,7 @@ test_tlsext_keyshare_server(void)
                FAIL("failed to create key share");
                goto done;
        }
-        if (!tls_key_share_generate(ssl->s3->hs.key_share)) {
+        if (!tls_key_share_server_generate(ssl->s3->hs.key_share)) {
                FAIL("failed to generate key share");
                goto done;
        }
@@ -4542,12 +4547,10 @@ test_tlsext_valid_hostnames(void)
 #define N_TLSEXT_RANDOMIZATION_TESTS 1000
 static int
-test_tlsext_check_extension_order(SSL *ssl)
+test_tlsext_check_psk_is_last_extension(SSL *ssl)
 {
        const struct tls_extension *ext;
        uint16_t type;
-        size_t alpn_idx, sni_idx;
-        size_t i;
        if (ssl->tlsext_build_order_len == 0) {
                FAIL("Unexpected zero build order length");
@@ -4560,34 +4563,6 @@ test_tlsext_check_extension_order(SSL *ssl)
                return 1;
        }
-        if (ssl->server)
-                return 0;
-        alpn_idx = sni_idx = ssl->tlsext_build_order_len;
-        for (i = 0; i < ssl->tlsext_build_order_len; i++) {
-                ext = ssl->tlsext_build_order[i];
-                if (tls_extension_type(ext) == TLSEXT_TYPE_alpn)
-                        alpn_idx = i;
-                if (tls_extension_type(ext) == TLSEXT_TYPE_server_name)
-                        sni_idx = i;
-        }
-        if (alpn_idx == ssl->tlsext_build_order_len) {
-                FAIL("could not find alpn extension\n");
-                return 1;
-        }
-        if (sni_idx == ssl->tlsext_build_order_len) {
-                FAIL("could not find alpn extension\n");
-                return 1;
-        }
-        if (sni_idx >= alpn_idx) {
-                FAIL("sni does not precede alpn: %zu >= %zu\n",
-                    sni_idx, alpn_idx);
-                return 1;
-        }
        return 0;
 }
@@ -4600,7 +4575,7 @@ test_tlsext_randomized_extensions(SSL *ssl)
        for (i = 0; i < N_TLSEXT_RANDOMIZATION_TESTS; i++) {
                if (!tlsext_randomize_build_order(ssl))
                        errx(1, "failed to randomize extensions");
-                failed |= test_tlsext_check_extension_order(ssl);
+                failed |= test_tlsext_check_psk_is_last_extension(ssl);
        }
        return failed;
diff --git a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
index 91aedad165..ff678ec9a8 100644
--- a/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
+++ b/src/regress/lib/libssl/tlsfuzzer/tlsfuzzer.py
@@ -1,4 +1,4 @@
-#   $OpenBSD: tlsfuzzer.py,v 1.56 2024/09/18 19:12:37 tb Exp $
+#   $OpenBSD: tlsfuzzer.py,v 1.57 2025/06/15 09:44:57 tb Exp $
 #
 # Copyright (c) 2020 Theo Buehler <tb@openbsd.org>
 #
@@ -72,7 +72,7 @@ def substitute_alert(want, got):
    return f"Expected alert description \"{want}\" " \
        + f"does not match received \"{got}\""
-# test-tls13-finished.py has 70 failing tests that expect a "decode_error"
+# test_tls13_finished.py has 70 failing tests that expect a "decode_error"
 # instead of the "decrypt_error" sent by tls13_server_finished_recv().
 # Both alerts appear to be reasonable in this context, so work around this
 # in the test instead of the library.
@@ -164,46 +164,46 @@ def generate_test_tls13_finished_args():
    return args
 tls13_tests = TestGroup("TLSv1.3 tests", [
-    Test("test-tls13-ccs.py"),
+    Test("test_tls13_ccs.py"),
-    Test("test-tls13-conversation.py"),
+    Test("test_tls13_conversation.py"),
-    Test("test-tls13-count-tickets.py"),
+    Test("test_tls13_count_tickets.py"),
-    Test("test-tls13-empty-alert.py"),
+    Test("test_tls13_empty_alert.py"),
-    Test("test-tls13-finished.py", generate_test_tls13_finished_args()),
+    Test("test_tls13_finished.py", generate_test_tls13_finished_args()),
-    Test("test-tls13-finished-plaintext.py"),
+    Test("test_tls13_finished_plaintext.py"),
-    Test("test-tls13-hrr.py"),
+    Test("test_tls13_hrr.py"),
-    Test("test-tls13-keyshare-omitted.py"),
+    Test("test_tls13_keyshare_omitted.py"),
-    Test("test-tls13-legacy-version.py"),
+    Test("test_tls13_legacy_version.py"),
-    Test("test-tls13-nociphers.py"),
+    Test("test_tls13_nociphers.py"),
-    Test("test-tls13-record-padding.py"),
+    Test("test_tls13_record_padding.py"),
    # Exclude QUIC transport parameters
-    Test("test-tls13-shuffled-extentions.py", [ "--exc", "57" ]),
+    Test("test_tls13_shuffled_extentions.py", [ "--exc", "57" ]),
-    Test("test-tls13-zero-content-type.py"),
+    Test("test_tls13_zero_content_type.py"),
    # The skipped tests fail due to a bug in BIO_gets() which masks the retry
    # signalled from an SSL_read() failure. Testing with httpd(8) shows we're
    # handling these corner cases correctly since tls13_record_layer.c -r1.47.
-    Test("test-tls13-zero-length-data.py", [
+    Test("test_tls13_zero_length_data.py", [
        "-e", "zero-length app data",
        "-e", "zero-length app data with large padding",
        "-e", "zero-length app data with padding",
    ]),
    # We don't currently handle NSTs
-    Test("test-tls13-connection-abort.py", ["-e", "After NewSessionTicket"]),
+    Test("test_tls13_connection_abort.py", ["-e", "After NewSessionTicket"]),
 ])
 # Tests that take a lot of time (> ~30s on an x280)
 tls13_slow_tests = TestGroup("slow TLSv1.3 tests", [
    # XXX: Investigate the occasional message
    # "Got shared secret with 1 most significant bytes equal to zero."
-    Test("test-tls13-dhe-shared-secret-padding.py", tls13_unsupported_ciphers),
+    Test("test_tls13_dhe_shared_secret_padding.py", tls13_unsupported_ciphers),
-    Test("test-tls13-invalid-ciphers.py"),
+    Test("test_tls13_invalid_ciphers.py"),
-    Test("test-tls13-serverhello-random.py", tls13_unsupported_ciphers),
+    Test("test_tls13_serverhello_random.py", tls13_unsupported_ciphers),
    # Mark two tests cases as xfail for now. The tests expect an arguably
    # correct decode_error while we send a decrypt_error (like fizz/boring).
-    Test("test-tls13-record-layer-limits.py", [
+    Test("test_tls13_record_layer_limits.py", [
        "-x", "max size payload (2**14) of Finished msg, with 16348 bytes of left padding, cipher TLS_AES_128_GCM_SHA256",
        "-X", substitute_alert("decode_error", "decrypt_error"),
        "-x", "max size payload (2**14) of Finished msg, with 16348 bytes of left padding, cipher TLS_CHACHA20_POLY1305_SHA256",
@@ -212,22 +212,22 @@ tls13_slow_tests = TestGroup("slow TLSv1.3 tests", [
    # We don't accept an empty ECPF extension since it must advertise the
    # uncompressed point format. Exclude this extension type from the test.
    Test(
-        "test-tls13-large-number-of-extensions.py",
+        "test_tls13_large_number_of_extensions.py",
        tls13_args = ["--exc", "11"],
    ),
 ])
 tls13_extra_cert_tests = TestGroup("TLSv1.3 certificate tests", [
    # need to set up client certs to run these
-    Test("test-tls13-certificate-request.py"),
+    Test("test_tls13_certificate_request.py"),
-    Test("test-tls13-certificate-verify.py"),
+    Test("test_tls13_certificate_verify.py"),
-    Test("test-tls13-ecdsa-in-certificate-verify.py"),
+    Test("test_tls13_ecdsa_in_certificate_verify.py"),
-    Test("test-tls13-eddsa-in-certificate-verify.py"),
+    Test("test_tls13_eddsa_in_certificate_verify.py"),
    # Test expects the server to have installed three certificates:
    # with P-256, P-384 and P-521 curve. Also SHA1+ECDSA is verified
    # to not work.
-    Test("test-tls13-ecdsa-support.py"),
+    Test("test_tls13_ecdsa_support.py"),
 ])
 tls13_failing_tests = TestGroup("failing TLSv1.3 tests", [
@@ -235,7 +235,7 @@ tls13_failing_tests = TestGroup("failing TLSv1.3 tests", [
    # With X25519, we accept weak peer public keys and fail when we actually
    # compute the keyshare.  Other tests seem to indicate that we could be
    # stricter about what keyshares we accept.
-    Test("test-tls13-crfg-curves.py", [
+    Test("test_tls13_crfg_curves.py", [
        '-e', 'all zero x448 key share',
        '-e', 'empty x448 key share',
        '-e', 'sanity x448 with compression ansiX962_compressed_char2',
@@ -245,7 +245,7 @@ tls13_failing_tests = TestGroup("failing TLSv1.3 tests", [
        '-e', 'too small x448 key share',
        '-e', 'x448 key share of "1"',
    ]),
-    Test("test-tls13-ecdhe-curves.py", [
+    Test("test_tls13_ecdhe_curves.py", [
        '-e', 'sanity - x448',
        '-e', 'x448 - key share from other curve',
        '-e', 'x448 - point at infinity',
@@ -258,21 +258,21 @@ tls13_failing_tests = TestGroup("failing TLSv1.3 tests", [
    # We have the logic corresponding to NSS's fix for CVE-2020-25648
    # https://hg.mozilla.org/projects/nss/rev/57bbefa793232586d27cee83e74411171e128361
    # so should not be affected by this issue.
-    Test("test-tls13-multiple-ccs-messages.py"),
+    Test("test_tls13_multiple_ccs_messages.py"),
    # https://github.com/openssl/openssl/issues/8369
-    Test("test-tls13-obsolete-curves.py"),
+    Test("test_tls13_obsolete_curves.py"),
    # 3 failing rsa_pss_pss tests
-    Test("test-tls13-rsa-signatures.py"),
+    Test("test_tls13_rsa_signatures.py"),
    # The failing tests all expect an ri extension.  What's up with that?
-    Test("test-tls13-version-negotiation.py"),
+    Test("test_tls13_version_negotiation.py"),
 ])
 tls13_slow_failing_tests = TestGroup("slow, failing TLSv1.3 tests", [
    # Other test failures bugs in keyshare/tlsext negotiation?
-    Test("test-tls13-unrecognised-groups.py"),    # unexpected closure
+    Test("test_tls13_unrecognised_groups.py"),    # unexpected closure
    # 5 occasional failures:
    #   'app data split, conversation with KeyUpdate msg'
@@ -280,43 +280,43 @@ tls13_slow_failing_tests = TestGroup("slow, failing TLSv1.3 tests", [
    #   'multiple KeyUpdate messages'
    #   'post-handshake KeyUpdate msg with update_not_request'
    #   'post-handshake KeyUpdate msg with update_request'
-    Test("test-tls13-keyupdate.py"),
+    Test("test_tls13_keyupdate.py"),
-    Test("test-tls13-symetric-ciphers.py"),       # unexpected message from peer
+    Test("test_tls13_symetric_ciphers.py"),       # unexpected message from peer
    # 6 tests fail: 'rsa_pkcs1_{md5,sha{1,224,256,384,512}} signature'
    # We send server hello, but the test expects handshake_failure
-    Test("test-tls13-pkcs-signature.py"),
+    Test("test_tls13_pkcs_signature.py"),
    # 8 tests fail: 'tls13 signature rsa_pss_{pss,rsae}_sha{256,384,512}
-    Test("test-tls13-rsapss-signatures.py"),
+    Test("test_tls13_rsapss_signatures.py"),
 ])
 tls13_unsupported_tests = TestGroup("TLSv1.3 tests for unsupported features", [
    # Tests for features we don't support
-    Test("test-tls13-0rtt-garbage.py"),
+    Test("test_tls13_0rtt_garbage.py"),
-    Test("test-tls13-ffdhe-groups.py"),
+    Test("test_tls13_ffdhe_groups.py"),
-    Test("test-tls13-ffdhe-sanity.py"),
+    Test("test_tls13_ffdhe_sanity.py"),
-    Test("test-tls13-psk_dhe_ke.py"),
+    Test("test_tls13_psk_dhe_ke.py"),
-    Test("test-tls13-psk_ke.py"),
+    Test("test_tls13_psk_ke.py"),
    # need server to react to HTTP GET for /keyupdate
-    Test("test-tls13-keyupdate-from-server.py"),
+    Test("test_tls13_keyupdate_from_server.py"),
    # needs an echo server
-    Test("test-tls13-lengths.py"),
+    Test("test_tls13_lengths.py"),
    # Weird test: tests servers that don't support 1.3
-    Test("test-tls13-non-support.py"),
+    Test("test_tls13_non_support.py"),
    # broken test script
    # UnboundLocalError: local variable 'cert' referenced before assignment
-    Test("test-tls13-post-handshake-auth.py"),
+    Test("test_tls13_post_handshake_auth.py"),
    # ExpectNewSessionTicket
-    Test("test-tls13-session-resumption.py"),
+    Test("test_tls13_session_resumption.py"),
    # Server must be configured to support only rsa_pss_rsae_sha512
-    Test("test-tls13-signature-algorithms.py"),
+    Test("test_tls13_signature_algorithms.py"),
 ])
 tls12_exclude_legacy_protocols = [
@@ -345,52 +345,52 @@ tls12_exclude_legacy_protocols = [
 tls12_tests = TestGroup("TLSv1.2 tests", [
    # Tests that pass as they are.
-    Test("test-aes-gcm-nonces.py"),
+    Test("test_aes_gcm_nonces.py"),
-    Test("test-connection-abort.py"),
+    Test("test_connection_abort.py"),
-    Test("test-conversation.py"),
+    Test("test_conversation.py"),
-    Test("test-cve-2016-2107.py"),
+    Test("test_cve_2016_2107.py"),
-    Test("test-cve-2016-6309.py"),
+    Test("test_cve_2016_6309.py"),
-    Test("test-dhe-rsa-key-exchange.py"),
+    Test("test_dhe_rsa_key_exchange.py"),
-    Test("test-early-application-data.py"),
+    Test("test_early_application_data.py"),
-    Test("test-empty-extensions.py"),
+    Test("test_empty_extensions.py"),
-    Test("test-extensions.py"),
+    Test("test_extensions.py"),
-    Test("test-fuzzed-MAC.py"),
+    Test("test_fuzzed_MAC.py"),
-    Test("test-fuzzed-ciphertext.py"),
+    Test("test_fuzzed_ciphertext.py"),
-    Test("test-fuzzed-finished.py"),
+    Test("test_fuzzed_finished.py"),
-    Test("test-fuzzed-padding.py"),
+    Test("test_fuzzed_padding.py"),
-    Test("test-fuzzed-plaintext.py"), # fails once in a while
+    Test("test_fuzzed_plaintext.py"), # fails once in a while
-    Test("test-hello-request-by-client.py"),
+    Test("test_hello_request_by_client.py"),
-    Test("test-invalid-cipher-suites.py"),
+    Test("test_invalid_cipher_suites.py"),
-    Test("test-invalid-content-type.py"),
+    Test("test_invalid_content_type.py"),
-    Test("test-invalid-session-id.py"),
+    Test("test_invalid_session_id.py"),
-    Test("test-invalid-version.py"),
+    Test("test_invalid_version.py"),
-    Test("test-large-number-of-extensions.py"),
+    Test("test_large_number_of_extensions.py"),
-    Test("test-lucky13.py"),
+    Test("test_lucky13.py"),
-    Test("test-message-skipping.py"),
+    Test("test_message_skipping.py"),
-    Test("test-no-heartbeat.py"),
+    Test("test_no_heartbeat.py"),
-    Test("test-record-layer-fragmentation.py"),
+    Test("test_record_layer_fragmentation.py"),
-    Test("test-sslv2-connection.py"),
+    Test("test_sslv2_connection.py"),
-    Test("test-truncating-of-finished.py"),
+    Test("test_truncating_of_finished.py"),
-    Test("test-truncating-of-kRSA-client-key-exchange.py"),
+    Test("test_truncating_of_kRSA_client_key_exchange.py"),
-    Test("test-unsupported-curve-fallback.py"),
+    Test("test_unsupported_curve_fallback.py"),
-    Test("test-version-numbers.py"),
+    Test("test_version_numbers.py"),
-    Test("test-zero-length-data.py"),
+    Test("test_zero_length_data.py"),
    # Tests that need tweaking for unsupported features and ciphers.
    Test(
-        "test-atypical-padding.py", [
+        "test_atypical_padding.py", [
            "-e", "sanity - encrypt then MAC",
            "-e", "2^14 bytes of AppData with 256 bytes of padding (SHA1 + Encrypt then MAC)",
        ]
    ),
    Test(
-        "test-ccs.py", [
+        "test_ccs.py", [
            "-x", "two bytes long CCS",
            "-X", substitute_alert("unexpected_message", "decode_error"),
        ]
    ),
    Test(
-        "test-dhe-rsa-key-exchange-signatures.py", [
+        "test_dhe_rsa_key_exchange_signatures.py", [
            "-e", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA sha224 signature",
            "-e", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 sha224 signature",
            "-e", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA sha224 signature",
@@ -398,14 +398,14 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
            "-e", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA sha224 signature",
        ]
    ),
-    Test("test-dhe-rsa-key-exchange-with-bad-messages.py", [
+    Test("test_dhe_rsa_key_exchange_with_bad_messages.py", [
        "-x", "invalid dh_Yc value - missing",
        "-X", substitute_alert("decode_error", "illegal_parameter"),
    ]),
-    Test("test-dhe-key-share-random.py", tls12_exclude_legacy_protocols),
+    Test("test_dhe_key_share_random.py", tls12_exclude_legacy_protocols),
-    Test("test-export-ciphers-rejected.py", ["--min-ver", "TLSv1.2"]),
+    Test("test_export_ciphers_rejected.py", ["--min-ver", "TLSv1.2"]),
    Test(
-        "test-downgrade-protection.py",
+        "test_downgrade_protection.py",
        tls12_args = ["--server-max-protocol", "TLSv1.2"],
        tls13_args = [
            "--server-max-protocol", "TLSv1.3",
@@ -414,7 +414,7 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
        ]
    ),
    Test(
-        "test-fallback-scsv.py",
+        "test_fallback_scsv.py",
        tls13_args = [
            "--tls-1.3",
            "-e", "FALLBACK - hello TLSv1.1 - pos 0",
@@ -428,7 +428,7 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
        ]
    ),
-    Test("test-invalid-compression-methods.py", [
+    Test("test_invalid_compression_methods.py", [
        "-x", "invalid compression methods",
        "-X", substitute_alert("illegal_parameter", "decode_error"),
        "-x", "only deflate compression method",
@@ -437,134 +437,134 @@ tls12_tests = TestGroup("TLSv1.2 tests", [
    # Skip extended_master_secret test. Since we don't support this
    # extension, we don't notice that it was dropped.
-    Test("test-renegotiation-changed-clienthello.py", [
+    Test("test_renegotiation_changed_clienthello.py", [
        "-e", "drop extended_master_secret in renegotiation",
    ]),
-    Test("test-sessionID-resumption.py", [
+    Test("test_sessionID_resumption.py", [
        "-x", "Client Hello too long session ID",
        "-X", substitute_alert("decode_error", "illegal_parameter"),
    ]),
    # Without --sig-algs-drop-ok, two tests fail since we do not currently
    # implement the signature_algorithms_cert extension (although we MUST).
-    Test("test-sig-algs-renegotiation-resumption.py", ["--sig-algs-drop-ok"]),
+    Test("test_sig_algs_renegotiation_resumption.py", ["--sig-algs-drop-ok"]),
-    Test("test-serverhello-random.py", args = tls12_exclude_legacy_protocols),
+    Test("test_serverhello_random.py", args = tls12_exclude_legacy_protocols),
-    Test("test-chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]),
+    Test("test_chacha20.py", [ "-e", "Chacha20 in TLS1.1" ]),
 ])
 tls12_slow_tests = TestGroup("slow TLSv1.2 tests", [
-    Test("test-cve-2016-7054.py"),
+    Test("test_cve_2016_7054.py"),
-    Test("test-dhe-no-shared-secret-padding.py", tls12_exclude_legacy_protocols),
+    Test("test_dhe_no_shared_secret_padding.py", tls12_exclude_legacy_protocols),
-    Test("test-ecdhe-padded-shared-secret.py", tls12_exclude_legacy_protocols),
+    Test("test_ecdhe_padded_shared_secret.py", tls12_exclude_legacy_protocols),
-    Test("test-ecdhe-rsa-key-share-random.py", tls12_exclude_legacy_protocols),
+    Test("test_ecdhe_rsa_key_share_random.py", tls12_exclude_legacy_protocols),
    # Start at extension number 58 to avoid QUIC transport parameters (57)
-    Test("test-large-hello.py", [ "-m", "58" ]),
+    Test("test_large_hello.py", [ "-m", "58" ]),
 ])
 tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [
    # no shared cipher
-    Test("test-aesccm.py"),
+    Test("test_aesccm.py"),
    # need server to set up alpn
-    Test("test-alpn-negotiation.py"),
+    Test("test_alpn_negotiation.py"),
    # Failing on TLS_RSA_WITH_AES_128_CBC_SHA because server does not support it.
-    Test("test-bleichenbacher-timing-pregenerate.py"),
+    Test("test_bleichenbacher_timing_pregenerate.py"),
    # many tests fail due to unexpected server_name extension
-    Test("test-bleichenbacher-workaround.py"),
+    Test("test_bleichenbacher_workaround.py"),
    # need client key and cert plus extra server setup
-    Test("test-certificate-malformed.py"),
+    Test("test_certificate_malformed.py"),
-    Test("test-certificate-request.py"),
+    Test("test_certificate_request.py"),
-    Test("test-certificate-verify-malformed-sig.py"),
+    Test("test_certificate_verify_malformed_sig.py"),
-    Test("test-certificate-verify-malformed.py"),
+    Test("test_certificate_verify_malformed.py"),
-    Test("test-certificate-verify.py"),
+    Test("test_certificate_verify.py"),
-    Test("test-ecdsa-in-certificate-verify.py"),
+    Test("test_ecdsa_in_certificate_verify.py"),
-    Test("test-eddsa-in-certificate-verify.py"),
+    Test("test_eddsa_in_certificate_verify.py"),
-    Test("test-renegotiation-disabled-client-cert.py"),
+    Test("test_renegotiation_disabled_client_cert.py"),
-    Test("test-rsa-pss-sigs-on-certificate-verify.py"),
+    Test("test_rsa_pss_sigs_on_certificate_verify.py"),
-    Test("test-rsa-sigs-on-certificate-verify.py"),
+    Test("test_rsa_sigs_on_certificate_verify.py"),
    # test doesn't expect session ticket
-    Test("test-client-compatibility.py"),
+    Test("test_client_compatibility.py"),
    # abrupt closure
-    Test("test-client-hello-max-size.py"),
+    Test("test_client_hello_max_size.py"),
    # unknown signature algorithms
-    Test("test-clienthello-md5.py"),
+    Test("test_clienthello_md5.py"),
    # Tests expect an illegal_parameter or a decode_error alert.  Should be
    # added to ssl3_get_client_key_exchange on kex function failure.
-    Test("test-ecdhe-rsa-key-exchange-with-bad-messages.py"),
+    Test("test_ecdhe_rsa_key_exchange_with_bad_messages.py"),
    # We send a handshake_failure due to no shared ciphers while the
    # test expects to succeed.
-    Test("test-ecdhe-rsa-key-exchange.py"),
+    Test("test_ecdhe_rsa_key_exchange.py"),
    # no shared cipher
-    Test("test-ecdsa-sig-flexibility.py"),
+    Test("test_ecdsa_sig_flexibility.py"),
    # Tests expect SH but we send unexpected_message or handshake_failure
    #   'Application data inside Client Hello'
    #   'Application data inside Client Key Exchange'
    #   'Application data inside Finished'
-    Test("test-interleaved-application-data-and-fragmented-handshakes-in-renegotiation.py"),
+    Test("test_interleaved_application_data_and_fragmented_handshakes_in_renegotiation.py"),
    # Tests expect SH but we send handshake_failure
    #   'Application data before Change Cipher Spec'
    #   'Application data before Client Key Exchange'
    #   'Application data before Finished'
-    Test("test-interleaved-application-data-in-renegotiation.py"),
+    Test("test_interleaved_application_data_in_renegotiation.py"),
    # broken test script
    # TypeError: '<' not supported between instances of 'int' and 'NoneType'
-    Test("test-invalid-client-hello-w-record-overflow.py"),
+    Test("test_invalid_client_hello_w_record_overflow.py"),
    # Lots of failures. abrupt closure
-    Test("test-invalid-client-hello.py"),
+    Test("test_invalid_client_hello.py"),
    # abrupt closure
    # 'encrypted premaster set to all zero (n)' n in 256 384 512
-    Test("test-invalid-rsa-key-exchange-messages.py"),
+    Test("test_invalid_rsa_key_exchange_messages.py"),
    # test expects illegal_parameter, we send unrecognized_name (which seems
    # correct according to rfc 6066?)
-    Test("test-invalid-server-name-extension-resumption.py"),
+    Test("test_invalid_server_name_extension_resumption.py"),
    # let through some server names without sending an alert
    # again illegal_parameter vs unrecognized_name
-    Test("test-invalid-server-name-extension.py"),
+    Test("test_invalid_server_name_extension.py"),
    # 4 failures:
    #   'insecure (legacy) renegotiation with GET after 2nd handshake'
    #   'insecure (legacy) renegotiation with incomplete GET'
    #   'secure renegotiation with GET after 2nd handshake'
    #   'secure renegotiation with incomplete GET'
-    Test("test-legacy-renegotiation.py"),
+    Test("test_legacy_renegotiation.py"),
    # 1 failure (timeout): we don't send the unexpected_message alert
    # 'duplicate change cipher spec after Finished'
-    Test("test-message-duplication.py"),
+    Test("test_message_duplication.py"),
    # server should send status_request
-    Test("test-ocsp-stapling.py"),
+    Test("test_ocsp_stapling.py"),
    # unexpected closure
-    Test("test-openssl-3712.py"),
+    Test("test_openssl_3712.py"),
    # failed: 3 (expect an alert, we send AD)
    # 'try insecure (legacy) renegotiation with incomplete GET'
    # 'try secure renegotiation with GET after 2nd CH'
    # 'try secure renegotiation with incomplete GET'
-    Test("test-renegotiation-disabled.py"),
+    Test("test_renegotiation_disabled.py"),
    # 'resumption of safe session with NULL cipher'
    # 'resumption with cipher from old CH but not selected by server'
-    Test("test-resumption-with-wrong-ciphers.py"),
+    Test("test_resumption_with_wrong_ciphers.py"),
    # 'session resumption with empty session_id'
    # 'session resumption with random session_id'
    # 'session resumption with renegotiation'
    # AssertionError: Server did not send extension(s): session_ticket
-    Test("test-session-ticket-resumption.py"),
+    Test("test_session_ticket_resumption.py"),
    # 5 failures:
    #   'empty sigalgs'
@@ -572,7 +572,7 @@ tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [
    #   'rsa_pss_pss_sha256 only'
    #   'rsa_pss_pss_sha384 only'
    #   'rsa_pss_pss_sha512 only'
-    Test("test-sig-algs.py"),
+    Test("test_sig_algs.py"),
    # 13 failures:
    #   'duplicated n non-rsa schemes' for n in 202 2342 8119 23741 32744
@@ -581,51 +581,51 @@ tls12_failing_tests = TestGroup("failing TLSv1.2 tests", [
    #   'tolerance 32758 methods with sig_alg_cert'
    #   'tolerance max 32744 number of methods with sig_alg_cert'
    #   'tolerance max (32760) number of methods'
-    Test("test-signature-algorithms.py"),
+    Test("test_signature_algorithms.py"),
    # times out
-    Test("test-ssl-death-alert.py"),
+    Test("test_ssl_death_alert.py"),
    # 17 pass, 13 fail. padding and truncation
-    Test("test-truncating-of-client-hello.py"),
+    Test("test_truncating_of_client_hello.py"),
    # x448 tests need disabling plus x25519 corner cases need sorting out
-    Test("test-x25519.py"),
+    Test("test_x25519.py"),
    # Needs TLS 1.0 or 1.1
-    Test("test-TLSv1_2-rejected-without-TLSv1_2.py"),
+    Test("test_TLSv1_2_rejected_without_TLSv1_2.py"),
 ])
 tls12_unsupported_tests = TestGroup("TLSv1.2 for unsupported features", [
    # protocol_version
-    Test("test-SSLv3-padding.py"),
+    Test("test_SSLv3_padding.py"),
    # we don't do RSA key exchanges
-    Test("test-bleichenbacher-timing.py"),
+    Test("test_bleichenbacher_timing.py"),
    # no encrypt-then-mac
-    Test("test-encrypt-then-mac-renegotiation.py"),
+    Test("test_encrypt_then_mac_renegotiation.py"),
-    Test("test-encrypt-then-mac.py"),
+    Test("test_encrypt_then_mac.py"),
    # no EME support
-    Test("test-extended-master-secret-extension-with-client-cert.py"),
+    Test("test_extended_master_secret_extension_with_client_cert.py"),
-    Test("test-extended-master-secret-extension.py"),
+    Test("test_extended_master_secret_extension.py"),
    # no ffdhe
-    Test("test-ffdhe-expected-params.py"),
+    Test("test_ffdhe_expected_params.py"),
-    Test("test-ffdhe-negotiation.py"),
+    Test("test_ffdhe_negotiation.py"),
    # record_size_limit/max_fragment_length extension (RFC 8449)
-    Test("test-record-size-limit.py"),
+    Test("test_record_size_limit.py"),
    # expects the server to send the heartbeat extension
-    Test("test-heartbeat.py"),
+    Test("test_heartbeat.py"),
    # needs an echo server
-    Test("test-lengths.py"),
+    Test("test_lengths.py"),
 ])
 # These tests take a ton of time to fail against an 1.3 server,
 # so don't run them against 1.3 pending further investigation.
 legacy_tests = TestGroup("Legacy protocol tests", [
-    Test("test-sslv2-force-cipher-3des.py"),
+    Test("test_sslv2_force_cipher_3des.py"),
-    Test("test-sslv2-force-cipher-non3des.py"),
+    Test("test_sslv2_force_cipher_non3des.py"),
-    Test("test-sslv2-force-cipher.py"),
+    Test("test_sslv2_force_cipher.py"),
-    Test("test-sslv2-force-export-cipher.py"),
+    Test("test_sslv2_force_export_cipher.py"),
-    Test("test-sslv2hello-protocol.py"),
+    Test("test_sslv2hello_protocol.py"),
 ])
 all_groups = [
diff --git a/src/regress/lib/libssl/unit/Makefile b/src/regress/lib/libssl/unit/Makefile
index 6a925069ca..edc0d910c4 100644
--- a/src/regress/lib/libssl/unit/Makefile
+++ b/src/regress/lib/libssl/unit/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.16 2023/05/24 09:15:14 tb Exp $
+#       $OpenBSD: Makefile,v 1.17 2025/10/24 11:44:08 tb Exp $
 PROGS += cipher_list
 PROGS += ssl_get_shared_ciphers
@@ -16,6 +16,4 @@ CFLAGS+=	-DLIBRESSL_INTERNAL -Wall -Wundef -Werror
 CFLAGS+=        -DCERTSDIR=\"${.CURDIR}/../certs\"
 CFLAGS+=        -I${.CURDIR}/../../../../lib/libssl
-LDADD_ssl_verify_param = ${LIBSSL} ${CRYPTO_INT}
 .include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/unit/ssl_verify_param.c b/src/regress/lib/libssl/unit/ssl_verify_param.c
index cdb52c56a8..05af9be2be 100644
--- a/src/regress/lib/libssl/unit/ssl_verify_param.c
+++ b/src/regress/lib/libssl/unit/ssl_verify_param.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssl_verify_param.c,v 1.1 2023/05/24 08:54:59 tb Exp $ */
+/*      $OpenBSD: ssl_verify_param.c,v 1.3 2025/10/24 11:43:34 tb Exp $ */
 /*
 * Copyright (c) 2023 Theo Buehler <tb@openbsd.org>
@@ -20,10 +20,9 @@
 #include <stdio.h>
 #include <openssl/ssl.h>
+#include <openssl/x509_vfy.h>
 #include <openssl/x509v3.h>
-unsigned int X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param);
 static int
 ssl_verify_param_flags_inherited(void)
 {
diff --git a/src/regress/lib/libtls/tls/tlstest.c b/src/regress/lib/libtls/tls/tlstest.c
index b675c798b4..d52156128d 100644
--- a/src/regress/lib/libtls/tls/tlstest.c
+++ b/src/regress/lib/libtls/tls/tlstest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlstest.c,v 1.16 2024/08/02 15:02:22 tb Exp $ */
+/* $OpenBSD: tlstest.c,v 1.17 2025/06/04 10:28:00 tb Exp $ */
 /*
 * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
 *
@@ -531,6 +531,142 @@ do_tls_version_tests(void)
        return failure;
 }
+static int
+test_tls_alpn(const char *client_alpn, const char *server_alpn,
+    const char *selected)
+{
+        struct tls_config *client_cfg, *server_cfg;
+        struct tls *client, *server, *server_cctx;
+        const char *got_server, *got_client;
+        int failed = 1;
+        if ((client = tls_client()) == NULL)
+                errx(1, "failed to create tls client");
+        if ((client_cfg = tls_config_new()) == NULL)
+                errx(1, "failed to create tls client config");
+        tls_config_insecure_noverifyname(client_cfg);
+        if (tls_config_set_alpn(client_cfg, client_alpn) == -1)
+                errx(1, "failed to set alpn: %s", tls_config_error(client_cfg));
+        if (tls_config_set_ca_file(client_cfg, cafile) == -1)
+                errx(1, "failed to set ca: %s", tls_config_error(client_cfg));
+        if ((server = tls_server()) == NULL)
+                errx(1, "failed to create tls server");
+        if ((server_cfg = tls_config_new()) == NULL)
+                errx(1, "failed to create tls server config");
+        if (tls_config_set_alpn(server_cfg, server_alpn) == -1)
+                errx(1, "failed to set alpn: %s", tls_config_error(server_cfg));
+        if (tls_config_set_keypair_file(server_cfg, certfile, keyfile) == -1)
+                errx(1, "failed to set keypair: %s",
+                    tls_config_error(server_cfg));
+        if (tls_configure(client, client_cfg) == -1)
+                errx(1, "failed to configure client: %s", tls_error(client));
+        tls_reset(server);
+        if (tls_configure(server, server_cfg) == -1)
+                errx(1, "failed to configure server: %s", tls_error(server));
+        tls_config_free(client_cfg);
+        tls_config_free(server_cfg);
+        circular_init();
+        if (tls_accept_cbs(server, &server_cctx, server_read, server_write,
+            NULL) == -1)
+                errx(1, "failed to accept: %s", tls_error(server));
+        if (tls_connect_cbs(client, client_read, client_write, NULL,
+            "test") == -1)
+                errx(1, "failed to connect: %s", tls_error(client));
+        if (do_client_server_test("alpn", client, server_cctx) != 0)
+                goto fail;
+        got_server = tls_conn_alpn_selected(server_cctx);
+        got_client = tls_conn_alpn_selected(client);
+        if (got_server == NULL || got_client == NULL) {
+                printf("FAIL: expected ALPN for server and client, got "
+                    "server: %p, client %p\n", got_server, got_client);
+                goto fail;
+        }
+        if (strcmp(got_server, got_client) != 0) {
+                printf("FAIL: ALPN mismatch: server %s, client %s\n",
+                    got_server, got_client);
+                goto fail;
+        }
+        if (strcmp(selected, got_server) != 0) {
+                printf("FAIL: ALPN mismatch: want %s, got %s\n",
+                    selected, got_server);
+                goto fail;
+        }
+        failed = 0;
+ fail:
+        tls_free(client);
+        tls_free(server);
+        tls_free(server_cctx);
+        return (failed);
+}
+static const struct test_alpn {
+        const char *client;
+        const char *server;
+        const char *selected;
+} tls_test_alpn[] = {
+        {
+                .client = "http/2,http/1.1",
+                .server = "http/1.1",
+                .selected = "http/1.1",
+        },
+        {
+                .client = "http/2,http/1.1",
+                .server = "http/2,http/1.1",
+                .selected = "http/2",
+        },
+        {
+                .client = "http/1.1,http/2",
+                .server = "http/2,http/1.1",
+                .selected = "http/2",
+        },
+        {
+                .client = "http/2,http/1.1",
+                .server = "http/1.1,http/2",
+                .selected = "http/1.1",
+        },
+        {
+                .client = "http/1.1",
+                .server = "http/2,http/1.1",
+                .selected = "http/1.1",
+        },
+};
+#define N_TLS_ALPN_TESTS (sizeof(tls_test_alpn) / sizeof(tls_test_alpn[0]))
+static int
+do_tls_alpn_tests(void)
+{
+        const struct test_alpn *ta;
+        int failure = 0;
+        size_t i;
+        printf("== TLS alpn tests ==\n");
+        for (i = 0; i < N_TLS_ALPN_TESTS; i++) {
+                ta = &tls_test_alpn[i];
+                printf("INFO: alpn test %zu - client alpn '%s' "
+                    "and server alpn '%s'\n", i, ta->client, ta->server);
+                failure |= test_tls_alpn(ta->client, ta->server, ta->selected);
+                printf("\n");
+        }
+        return failure;
+}
 int
 main(int argc, char **argv)
 {
@@ -549,6 +685,7 @@ main(int argc, char **argv)
        failure |= do_tls_tests();
        failure |= do_tls_ordering_tests();
        failure |= do_tls_version_tests();
+        failure |= do_tls_alpn_tests();
        return (failure);
 }
diff --git a/src/regress/usr.bin/openssl/appstest.sh b/src/regress/usr.bin/openssl/appstest.sh
index e394102f0d..d878a44a6a 100755
--- a/src/regress/usr.bin/openssl/appstest.sh
+++ b/src/regress/usr.bin/openssl/appstest.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $OpenBSD: appstest.sh,v 1.67 2025/01/19 11:04:35 tb Exp $
+# $OpenBSD: appstest.sh,v 1.69 2025/12/20 07:04:28 tb Exp $
 #
 # Copyright (c) 2016 Kinichiro Inoguchi <inoguchi@openbsd.org>
 #
@@ -1189,10 +1189,6 @@ __EOF__
        diff -b $cms_dgv $cms_txt
        check_exit_status $?
-        # compress
-        # uncompress
        # EncryptedData_encrypt
        start_message "cms ... EncryptedData_encrypt"
@@ -1456,13 +1452,14 @@ function test_sc_by_protocol_version {
                check_exit_status $?
        fi
-        # check HRR hash
+# This breaks since we added mlkem, I believe because the HRR value has changed.
-        if [ $ver = "tls1_3" ] ; then
+#       # check HRR hash
-                perl -0ne \
+#       if [ $ver = "tls1_3" ] ; then
-                    'exit (!/ServerHello\n.*cf 21 ad 74 e5 9a 61 11 be 1d\n.*8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c 5e 07 9e\n.*09 e2 c8 a8 33 9c/m)' \
+#               perl -0ne \
-                    $s_client_out
+##                  'exit (!/ServerHello\n.*cf 21 ad 74 e5 9a 61 11 be 1d\n.*8c 02 1e 65 b8 91 c2 a2 11 16 7a bb 8c #5e 07 9e\n.*09 e2 c8 a8 33 9c/m)' \
-                check_exit_status $?
+#                   $s_client_out
-        fi
+#               check_exit_status $?
+#       fi
        if [ $ver = "tls1_3" ] ; then
                grep 'Server Temp Key: ECDH, .*384.*, 384 bits' $s_client_out \
diff --git a/src/usr.bin/nc/nc.1 b/src/usr.bin/nc/nc.1
index 76b6dc018e..2ffdcd1ea6 100644
--- a/src/usr.bin/nc/nc.1
+++ b/src/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: nc.1,v 1.98 2024/04/01 12:40:18 deraadt Exp $
+.\"     $OpenBSD: nc.1,v 1.101 2025/06/24 13:37:39 tb Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 1 2024 $
+.Dd $Mdocdate: June 24 2025 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -257,6 +257,10 @@ with the handshake.
 The following TLS options specify a value in the form of a
 .Ar key Ns = Ns Ar value
 pair:
+.Cm alpn ,
+which allows the TLS ALPN to be specified (see
+.Xr tls_config_set_alpn 3
+for further details);
 .Cm ciphers ,
 which allows the supported TLS ciphers to be specified (see
 .Xr tls_config_set_ciphers 3
@@ -338,12 +342,18 @@ when talking to the proxy server.
 Supported protocols are
 .Cm 4
 (SOCKS v.4),
+.Cm 4A
+(SOCKS v.4A),
 .Cm 5
 (SOCKS v.5)
 and
 .Cm connect
 (HTTPS proxy).
 If the protocol is not specified, SOCKS version 5 is used.
+Note that the SOCKS v.4 protocol is very limited and can only be used when
+the destination host can be resolved to an IPv4 address.
+The other protocols pass the destination as a string to be interpreted
+by the remote proxy and do not have this limitation.
 .It Fl x Ar proxy_address Ns Op : Ns Ar port
 Connect to
 .Ar destination
diff --git a/src/usr.bin/nc/netcat.c b/src/usr.bin/nc/netcat.c
index 8c60fd1882..6438fbbc5d 100644
--- a/src/usr.bin/nc/netcat.c
+++ b/src/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.229 2024/11/02 17:19:27 tb Exp $ */
+/* $OpenBSD: netcat.c,v 1.237 2025/12/06 09:48:30 phessler Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
 * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -108,6 +108,7 @@ char	*tls_expectname;			/* required name in peer cert */
 char    *tls_expecthash;                        /* required hash of peer cert */
 char    *tls_ciphers;                           /* TLS ciphers */
 char    *tls_protocols;                         /* TLS protocols */
+char    *tls_alpn;                              /* TLS ALPN */
 FILE    *Zflag;                                 /* file to save peer cert */
 int recvcount, recvlimit;
@@ -190,6 +191,8 @@ main(int argc, char *argv[])
                                socksv = -1; /* HTTP proxy CONNECT */
                        else if (strcmp(optarg, "4") == 0)
                                socksv = 4; /* SOCKS v.4 */
+                        else if (strcasecmp(optarg, "4A") == 0)
+                                socksv = 44; /* SOCKS v.4A */
                        else if (strcmp(optarg, "5") == 0)
                                socksv = 5; /* SOCKS v.5 */
                        else
@@ -532,6 +535,8 @@ main(int argc, char *argv[])
                        errx(1, "%s", tls_config_error(tls_cfg));
                if (tls_config_set_ciphers(tls_cfg, tls_ciphers) == -1)
                        errx(1, "%s", tls_config_error(tls_cfg));
+                if (tls_alpn != NULL && tls_config_set_alpn(tls_cfg, tls_alpn) == -1)
+                        errx(1, "%s", tls_config_error(tls_cfg));
                if (!lflag && (TLSopt & TLS_CCERT))
                        errx(1, "clientcert is only valid with -l");
                if (TLSopt & TLS_NONAME)
@@ -1537,7 +1542,12 @@ connection_info(const char *host, const char *port, const char *proto,
        /* Look up service name unless -n. */
        if (!nflag) {
-                sv = getservbyport(ntohs(atoi(port)), proto);
+                const char *errstr;
+                int p = strtonum(port, 1, PORT_MAX, &errstr);
+                if (errstr)
+                        errx(1, "port number %s: %s", errstr, port);
+                sv = getservbyport(htons(p), proto);
                if (sv != NULL)
                        service = sv->s_name;
        }
@@ -1645,6 +1655,7 @@ process_tos_opt(char *s, int *val)
                { "netcontrol",         IPTOS_PREC_NETCONTROL },
                { "reliability",        IPTOS_RELIABILITY },
                { "throughput",         IPTOS_THROUGHPUT },
+                { "va",                 IPTOS_DSCP_VA },
                { NULL,                 -1 },
        };
@@ -1669,11 +1680,12 @@ process_tls_opt(char *s, int *flags)
                int              flag;
                char            **value;
        } *t, tlskeywords[] = {
+                { "alpn",               -1,                     &tls_alpn },
                { "ciphers",            -1,                     &tls_ciphers },
                { "clientcert",         TLS_CCERT,              NULL },
                { "muststaple",         TLS_MUSTSTAPLE,         NULL },
-                { "noverify",           TLS_NOVERIFY,           NULL },
                { "noname",             TLS_NONAME,             NULL },
+                { "noverify",           TLS_NOVERIFY,           NULL },
                { "protocols",          -1,                     &tls_protocols },
                { NULL,                 -1,                     NULL },
        };
@@ -1692,6 +1704,8 @@ process_tls_opt(char *s, int *flags)
                                        errx(1, "invalid tls value `%s'", s);
                                *t->value = v;
                        } else {
+                                if (v != NULL)
+                                        errx(1, "invalid tls value `%s'", s);
                                *flags |= t->flag;
                        }
                        return 1;
@@ -1718,7 +1732,7 @@ void
 report_tls(struct tls *tls_ctx, char *host)
 {
        time_t t;
-        const char *ocsp_url;
+        const char *alpn_proto, *ocsp_url;
        fprintf(stderr, "TLS handshake negotiated %s/%s with host %s\n",
            tls_conn_version(tls_ctx), tls_conn_cipher(tls_ctx), host);
@@ -1770,6 +1784,8 @@ report_tls(struct tls *tls_ctx, char *host)
                    tls_peer_ocsp_result(tls_ctx));
                break;
        }
+        if ((alpn_proto = tls_conn_alpn_selected(tls_ctx)) != NULL)
+                fprintf(stderr, "Application Layer Protocol: %s\n", alpn_proto);
 }
 void
@@ -1842,7 +1858,7 @@ help(void)
        \t-v            Verbose\n\
        \t-W recvlimit  Terminate after receiving a number of packets\n\
        \t-w timeout    Timeout for connects and final net reads\n\
-        \t-X proto      Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
+        \t-X proto      Proxy protocol: \"4\", \"4A\", \"5\" (SOCKS) or \"connect\"\n\
        \t-x addr[:port]\tSpecify proxy address and port\n\
        \t-Z            Peer certificate file\n\
        \t-z            Zero-I/O mode [used for scanning]\n\
diff --git a/src/usr.bin/nc/socks.c b/src/usr.bin/nc/socks.c
index 7c7448c9c5..1f1fb96e2a 100644
--- a/src/usr.bin/nc/socks.c
+++ b/src/usr.bin/nc/socks.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: socks.c,v 1.31 2022/06/08 20:20:26 djm Exp $  */
+/*      $OpenBSD: socks.c,v 1.34 2025/05/22 06:40:26 djm Exp $  */
 /*
 * Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
@@ -293,19 +293,33 @@ socks_connect(const char *host, const char *port,
                default:
                        errx(1, "connection failed, unsupported address type");
                }
-        } else if (socksv == 4) {
+        } else if (socksv == 4 || socksv == 44) {
-                /* This will exit on lookup failure */
+                if (socksv == 4) {
-                decode_addrport(host, port, (struct sockaddr *)&addr,
+                        /* This will exit on lookup failure */
-                    sizeof(addr), 1, 0);
+                        decode_addrport(host, port, (struct sockaddr *)&addr,
+                            sizeof(addr), 1, 0);
+                }
                /* Version 4 */
                buf[0] = SOCKS_V4;
                buf[1] = SOCKS_CONNECT; /* connect */
                memcpy(buf + 2, &in4->sin_port, sizeof in4->sin_port);
-                memcpy(buf + 4, &in4->sin_addr, sizeof in4->sin_addr);
+                if (socksv == 4) {
+                        memcpy(buf + 4, &in4->sin_addr, sizeof in4->sin_addr);
+                } else {
+                        /* SOCKS4A uses addr of 0.0.0.x, and hostname later */
+                        buf[4] = buf[5] = buf[6] = 0;
+                        buf[7] = 1;
+                }
                buf[8] = 0;     /* empty username */
                wlen = 9;
+                if (socksv == 44) {
+                        /* SOCKS4A has nul-terminated hostname after user */
+                        if (strlcpy(buf + 9, host,
+                            sizeof(buf) - 9) >= sizeof(buf) - 9)
+                                errx(1, "hostname too big");
+                        wlen = 9 + strlen(host) + 1;
+                }
                cnt = atomicio(vwrite, proxyfd, buf, wlen);
                if (cnt != wlen)
                        err(1, "write failed (%zu/%zu)", cnt, wlen);
@@ -373,16 +387,16 @@ socks_connect(const char *host, const char *port,
                /* Read status reply */
                proxy_read_line(proxyfd, buf, sizeof(buf));
                if (proxyuser != NULL &&
-                    (strncmp(buf, "HTTP/1.0 407 ", 12) == 0 ||
+                    (strncmp(buf, "HTTP/1.0 407 ", 13) == 0 ||
-                    strncmp(buf, "HTTP/1.1 407 ", 12) == 0)) {
+                    strncmp(buf, "HTTP/1.1 407 ", 13) == 0)) {
                        if (authretry > 1) {
                                fprintf(stderr, "Proxy authentication "
                                    "failed\n");
                        }
                        close(proxyfd);
                        goto again;
-                } else if (strncmp(buf, "HTTP/1.0 200 ", 12) != 0 &&
+                } else if (strncmp(buf, "HTTP/1.0 200 ", 13) != 0 &&
-                    strncmp(buf, "HTTP/1.1 200 ", 12) != 0)
+                    strncmp(buf, "HTTP/1.1 200 ", 13) != 0)
                        errx(1, "Proxy error: \"%s\"", buf);
                /* Headers continue until we hit an empty line */
diff --git a/src/usr.bin/openssl/asn1pars.c b/src/usr.bin/openssl/asn1pars.c
index 355784169e..52991c392e 100644
--- a/src/usr.bin/openssl/asn1pars.c
+++ b/src/usr.bin/openssl/asn1pars.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1pars.c,v 1.17 2025/01/02 12:31:44 tb Exp $ */
+/* $OpenBSD: asn1pars.c,v 1.18 2025/11/27 08:22:32 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -241,7 +241,7 @@ asn1parse_main(int argc, char **argv)
        BIO *in = NULL, *out = NULL, *b64 = NULL, *derout = NULL;
        char *str = NULL;
        const char *errstr = NULL;
-        unsigned char *tmpbuf;
+        const unsigned char *tmpbuf;
        const unsigned char *ctmpbuf;
        BUF_MEM *buf = NULL;
        ASN1_TYPE *at = NULL;
@@ -368,8 +368,8 @@ asn1parse_main(int argc, char **argv)
                                goto end;
                        }
                        /* hmm... this is a little evil but it works */
-                        tmpbuf = at->value.asn1_string->data;
+                        tmpbuf = ASN1_STRING_get0_data(at->value.asn1_string);
-                        tmplen = at->value.asn1_string->length;
+                        tmplen = ASN1_STRING_length(at->value.asn1_string);
                }
                str = (char *) tmpbuf;
                num = tmplen;
diff --git a/src/usr.bin/openssl/ca.c b/src/usr.bin/openssl/ca.c
index b644b746b9..a2e8a68368 100644
--- a/src/usr.bin/openssl/ca.c
+++ b/src/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.62 2025/04/14 08:39:27 tb Exp $ */
+/* $OpenBSD: ca.c,v 1.64 2025/12/21 07:14:47 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -69,6 +69,7 @@
 #include "apps.h"
+#include <openssl/asn1.h>
 #include <openssl/bio.h>
 #include <openssl/bn.h>
 #include <openssl/conf.h>
@@ -1652,6 +1653,54 @@ certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 }
 static int
+is_printablestring_octet(const uint8_t u8)
+{
+        /*
+         * X.680, 41.4, Table 10 lists the allowed characters in this order.
+         */
+        if (u8 >= 'A' && u8 <= 'Z')
+                return 1;
+        if (u8 >= 'a' && u8 <= 'z')
+                return 1;
+        if (u8 >= '0' && u8 <= '9')
+                return 1;
+        return u8 == ' ' || u8 == '\'' || u8 == '(' || u8 == ')' || u8 == '+' ||
+            u8 == ',' || u8 == '-' || u8 == '.' || u8 == '/' || u8 == ':' ||
+            u8 == '=' || u8 == '?';
+}
+/*
+ * Allows the high bit to be set only for UTF8, BMP and T61 strings, and
+ * checks that a PrintableString only contains the specified characters.
+ */
+static int
+validate_octets(const ASN1_STRING *astr)
+{
+        const uint8_t *buf = ASN1_STRING_get0_data(astr);
+        int type = ASN1_STRING_type(astr);
+        int i;
+        if (type == V_ASN1_BMPSTRING || type == V_ASN1_UTF8STRING ||
+            type == V_ASN1_T61STRING)
+                return 1;
+        for (i = 0; i < ASN1_STRING_length(astr); i++) {
+                if (is_printablestring_octet(buf[i]))
+                        continue;
+                if (type == V_ASN1_PRINTABLESTRING)
+                        return 0;
+                if ((buf[i] & 0x80) != 0)
+                        return 0;
+        }
+        return 1;
+}
+static int
 do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
    STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy,
    CA_DB *db, BIGNUM *serial, char *subj, unsigned long chtype, int multirdn,
@@ -1717,22 +1766,17 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
                /* check some things */
                if ((OBJ_obj2nid(obj) == NID_pkcs9_emailAddress) &&
-                    (str->type != V_ASN1_IA5STRING)) {
+                    (ASN1_STRING_type(str) != V_ASN1_IA5STRING)) {
                        BIO_printf(bio_err,
                            "\nemailAddress type needs to be of type IA5STRING\n");
                        goto err;
                }
-                if ((str->type != V_ASN1_BMPSTRING) &&
-                    (str->type != V_ASN1_UTF8STRING)) {
+                if (!validate_octets(str)) {
-                        j = ASN1_PRINTABLE_type(str->data, str->length);
+                        BIO_printf(bio_err,
-                        if (((j == V_ASN1_T61STRING) &&
+                            "\nThe string contains characters that are illegal "
-                            (str->type != V_ASN1_T61STRING)) ||
+                            "for the ASN.1 type\n");
-                            ((j == V_ASN1_IA5STRING) &&
+                        goto err;
-                            (str->type == V_ASN1_PRINTABLESTRING))) {
-                                BIO_printf(bio_err,
-                                    "\nThe string contains characters that are illegal for the ASN.1 type\n");
-                                goto err;
-                        }
                }
                if (default_op)
                        old_entry_print(bio_err, obj, str);
@@ -1830,9 +1874,9 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
                                        BIO_printf(bio_err,
                                            "The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",
                                            cv->name, ((str2 == NULL) ?
-                                            "NULL" : (char *) str2->data),
+                                            "NULL" : (const char *) ASN1_STRING_get0_data(str2)),
                                            ((str == NULL) ?
-                                            "NULL" : (char *) str->data));
+                                            "NULL" : (const char *) ASN1_STRING_get0_data(str)));
                                        goto err;
                                }
                        } else {
@@ -2153,7 +2197,8 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
        if ((tm = X509_get_notAfter(ret)) == NULL)
                goto err;
-        row[DB_exp_date] = strndup(tm->data, tm->length);
+        row[DB_exp_date] = strndup(ASN1_STRING_get0_data(tm),
+            ASN1_STRING_length(tm));
        if (row[DB_type] == NULL || row[DB_exp_date] == NULL) {
                BIO_printf(bio_err, "Memory allocation failure\n");
                goto err;
@@ -2280,7 +2325,8 @@ do_revoke(X509 *x509, CA_DB *db, int type, char *value)
                if ((tm = X509_get_notAfter(x509)) == NULL)
                        goto err;
-                row[DB_exp_date] = strndup(tm->data, tm->length);
+                row[DB_exp_date] = strndup(ASN1_STRING_get0_data(tm),
+                    ASN1_STRING_length(tm));
                if (row[DB_type] == NULL || row[DB_exp_date] == NULL) {
                        BIO_printf(bio_err, "Memory allocation failure\n");
                        goto err;
@@ -2443,7 +2489,7 @@ do_updatedb(CA_DB *db)
                cnt = -1;
                goto err;
        }
-        a_tm_s = strndup(a_tm->data, a_tm->length);
+        a_tm_s = strndup(ASN1_STRING_get0_data(a_tm), ASN1_STRING_length(a_tm));
        if (a_tm_s == NULL) {
                cnt = -1;
                goto err;
@@ -2579,7 +2625,7 @@ make_revocation_str(int rev_type, char *rev_arg)
        if (revtm == NULL)
                return NULL;
-        if (asprintf(&str, "%s%s%s%s%s", revtm->data,
+        if (asprintf(&str, "%s%s%s%s%s", ASN1_STRING_get0_data(revtm),
            reason ? "," : "", reason ? reason : "",
            other ? "," : "", other ? other : "") == -1)
                str = NULL;
@@ -2652,7 +2698,8 @@ make_revoked(X509_REVOKED *rev, const char *str)
 int
 old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
 {
-        char buf[25], *pbuf, *p;
+        const char *p;
+        char buf[25], *pbuf;
        int j;
        j = i2a_ASN1_OBJECT(bp, obj);
@@ -2663,19 +2710,19 @@ old_entry_print(BIO *bp, ASN1_OBJECT *obj, ASN1_STRING *str)
        *(pbuf++) = '\0';
        BIO_puts(bp, buf);
-        if (str->type == V_ASN1_PRINTABLESTRING)
+        if (ASN1_STRING_type(str) == V_ASN1_PRINTABLESTRING)
                BIO_printf(bp, "PRINTABLE:'");
-        else if (str->type == V_ASN1_T61STRING)
+        else if (ASN1_STRING_type(str) == V_ASN1_T61STRING)
                BIO_printf(bp, "T61STRING:'");
-        else if (str->type == V_ASN1_IA5STRING)
+        else if (ASN1_STRING_type(str) == V_ASN1_IA5STRING)
                BIO_printf(bp, "IA5STRING:'");
-        else if (str->type == V_ASN1_UNIVERSALSTRING)
+        else if (ASN1_STRING_type(str) == V_ASN1_UNIVERSALSTRING)
                BIO_printf(bp, "UNIVERSALSTRING:'");
        else
-                BIO_printf(bp, "ASN.1 %2d:'", str->type);
+                BIO_printf(bp, "ASN.1 %2d:'", ASN1_STRING_type(str));
-        p = (char *) str->data;
+        p = (const char *) ASN1_STRING_get0_data(str);
-        for (j = str->length; j > 0; j--) {
+        for (j = ASN1_STRING_length(str); j > 0; j--) {
                if ((*p >= ' ') && (*p <= '~'))
                        BIO_printf(bp, "%c", *p);
                else if (*p & 0x80)
diff --git a/src/usr.bin/openssl/certhash.c b/src/usr.bin/openssl/certhash.c
index 5ee29b8d01..1ee1165516 100644
--- a/src/usr.bin/openssl/certhash.c
+++ b/src/usr.bin/openssl/certhash.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: certhash.c,v 1.21 2023/03/06 14:32:05 tb Exp $ */
+/*      $OpenBSD: certhash.c,v 1.22 2025/07/27 14:46:20 joshua Exp $ */
 /*
 * Copyright (c) 2014, 2015 Joel Sing <jsing@openbsd.org>
 *
@@ -297,11 +297,10 @@ hashinfo_from_linkname(const char *linkname, const char *target)
 }
 static struct hashinfo *
-certhash_cert(BIO *bio, const char *filename)
+certhash_cert(BIO *bio, const char *filename, const EVP_MD *digest)
 {
        unsigned char fingerprint[EVP_MAX_MD_SIZE];
        struct hashinfo *hi = NULL;
-        const EVP_MD *digest;
        X509 *cert = NULL;
        unsigned long hash;
        unsigned int len;
@@ -311,7 +310,6 @@ certhash_cert(BIO *bio, const char *filename)
        hash = X509_subject_name_hash(cert);
-        digest = EVP_sha256();
        if (X509_digest(cert, digest, fingerprint, &len) != 1) {
                fprintf(stderr, "out of memory\n");
                goto err;
@@ -326,11 +324,10 @@ certhash_cert(BIO *bio, const char *filename)
 }
 static struct hashinfo *
-certhash_crl(BIO *bio, const char *filename)
+certhash_crl(BIO *bio, const char *filename, const EVP_MD *digest)
 {
        unsigned char fingerprint[EVP_MAX_MD_SIZE];
        struct hashinfo *hi = NULL;
-        const EVP_MD *digest;
        X509_CRL *crl = NULL;
        unsigned long hash;
        unsigned int len;
@@ -340,7 +337,6 @@ certhash_crl(BIO *bio, const char *filename)
        hash = X509_NAME_hash(X509_CRL_get_issuer(crl));
-        digest = EVP_sha256();
        if (X509_CRL_digest(crl, digest, fingerprint, &len) != 1) {
                fprintf(stderr, "out of memory\n");
                goto err;
@@ -509,7 +505,7 @@ certhash_link(struct dirent *dep, struct hashinfo **links)
 static int
 certhash_file(struct dirent *dep, struct hashinfo **certs,
-    struct hashinfo **crls)
+    struct hashinfo **crls, const EVP_MD *digest)
 {
        struct hashinfo *hi = NULL;
        int has_cert, has_crl;
@@ -529,7 +525,7 @@ certhash_file(struct dirent *dep, struct hashinfo **certs,
                goto err;
        }
-        if ((hi = certhash_cert(bio, dep->d_name)) != NULL) {
+        if ((hi = certhash_cert(bio, dep->d_name, digest)) != NULL) {
                has_cert = 1;
                *certs = hashinfo_chain(*certs, hi);
        }
@@ -539,7 +535,7 @@ certhash_file(struct dirent *dep, struct hashinfo **certs,
                goto err;
        }
-        if ((hi = certhash_crl(bio, dep->d_name)) != NULL) {
+        if ((hi = certhash_crl(bio, dep->d_name, digest)) != NULL) {
                has_crl = hi->is_crl = 1;
                *crls = hashinfo_chain(*crls, hi);
        }
@@ -557,7 +553,7 @@ certhash_file(struct dirent *dep, struct hashinfo **certs,
 }
 static int
-certhash_directory(const char *path)
+certhash_directory(const char *path, const EVP_MD *digest)
 {
        struct hashinfo *links = NULL, *certs = NULL, *crls = NULL, *link;
        int ret = 0;
@@ -579,7 +575,7 @@ certhash_directory(const char *path)
                                goto err;
                }
                if (filename_is_pem(dep->d_name)) {
-                        if (certhash_file(dep, &certs, &crls) == -1)
+                        if (certhash_file(dep, &certs, &crls, digest) == -1)
                                goto err;
                }
        }
@@ -678,7 +674,7 @@ certhash_main(int argc, char **argv)
                        ret = 1;
                        continue;
                }
-                ret |= certhash_directory(argv[i]);
+                ret |= certhash_directory(argv[i], EVP_sha256());
                if (fchdir(cwdfd) == -1) {
                        perror("failed to restore current directory");
                        ret = 1;
diff --git a/src/usr.bin/openssl/cms.c b/src/usr.bin/openssl/cms.c
index 7420d0ab8c..7430f4c935 100644
--- a/src/usr.bin/openssl/cms.c
+++ b/src/usr.bin/openssl/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.36 2024/08/12 15:34:58 job Exp $ */
+/* $OpenBSD: cms.c,v 1.40 2025/12/20 07:02:37 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -89,12 +89,10 @@ static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
 #define SMIME_DATA_CREATE       (8 | SMIME_OP)
 #define SMIME_DIGEST_VERIFY     (9 | SMIME_IP)
 #define SMIME_DIGEST_CREATE     (10 | SMIME_OP)
-#define SMIME_UNCOMPRESS        (11 | SMIME_IP)
+#define SMIME_ENCRYPTED_DECRYPT (11 | SMIME_IP)
-#define SMIME_COMPRESS          (12 | SMIME_OP)
+#define SMIME_ENCRYPTED_ENCRYPT (12 | SMIME_OP)
-#define SMIME_ENCRYPTED_DECRYPT (13 | SMIME_IP)
+#define SMIME_SIGN_RECEIPT      (13 | SMIME_IP | SMIME_OP)
-#define SMIME_ENCRYPTED_ENCRYPT (14 | SMIME_OP)
+#define SMIME_VERIFY_RECEIPT    (14 | SMIME_IP)
-#define SMIME_SIGN_RECEIPT      (15 | SMIME_IP | SMIME_OP)
-#define SMIME_VERIFY_RECEIPT    (16 | SMIME_IP)
 int verify_err = 0;
@@ -193,15 +191,33 @@ get_cipher_by_name(char *name)
 static int
 cms_opt_cipher(int argc, char **argv, int *argsused)
 {
+        const EVP_CIPHER *cipher;
        char *name = argv[0];
        if (*name++ != '-')
                return (1);
-        if ((cfg.cipher = get_cipher_by_name(name)) == NULL)
+        if ((cipher = get_cipher_by_name(name)) == NULL)
-                if ((cfg.cipher = EVP_get_cipherbyname(name)) == NULL)
+                if ((cipher = EVP_get_cipherbyname(name)) == NULL)
                        return (1);
+        /*
+         * XXX - this should really be done in CMS_{encrypt,decrypt}() until
+         * we have proper support for AuthEnvelopedData (RFC 5084), but this
+         * is good enough for now to avoid outputting garbage with this rusty
+         * swiss army knife.
+         */
+        if ((EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
+                BIO_printf(bio_err, "AuthEnvelopedData is not supported\n");
+                return (1);
+        }
+        if (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE) {
+                BIO_printf(bio_err, "XTS mode not supported\n");
+                return (1);
+        }
+        cfg.cipher = cipher;
        *argsused = 1;
        return (0);
 }
@@ -475,7 +491,7 @@ static const struct option cms_options[] = {
        },
        {
                .name = "aes256",
-                .desc = "Encrypt PEM output with CBC AES",
+                .desc = "Encrypt PEM output with CBC AES (default)",
                .type = OPTION_ARGV_FUNC,
                .opt.argvfunc = cms_opt_cipher,
        },
@@ -509,7 +525,7 @@ static const struct option cms_options[] = {
        },
        {
                .name = "des3",
-                .desc = "Encrypt with triple DES (default)",
+                .desc = "Encrypt with triple DES",
                .type = OPTION_ARGV_FUNC,
                .opt.argvfunc = cms_opt_cipher,
        },
@@ -584,13 +600,6 @@ static const struct option cms_options[] = {
                .value = SMIME_CMSOUT,
        },
        {
-                .name = "compress",
-                .desc = "Create CMS CompressedData type",
-                .type = OPTION_VALUE,
-                .opt.value = &cfg.operation,
-                .value = SMIME_COMPRESS,
-        },
-        {
                .name = "content",
                .argname = "file",
                .desc = "Supply or override content for detached signature",
@@ -980,13 +989,6 @@ static const struct option cms_options[] = {
                .opt.arg = &cfg.to,
        },
        {
-                .name = "uncompress",
-                .desc = "Uncompress CMS CompressedData type",
-                .type = OPTION_VALUE,
-                .opt.value = &cfg.operation,
-                .value = SMIME_UNCOMPRESS,
-        },
-        {
                .name = "verify",
                .desc = "Verify signed message",
                .type = OPTION_VALUE,
@@ -1120,7 +1122,7 @@ cms_usage(void)
            "    -camellia192 | -camellia256 | -des | -des3 |\n"
            "    -rc2-40 | -rc2-64 | -rc2-128] [-CAfile file]\n"
            "    [-CApath directory] [-CRLfile file] [-binary]\n"
-            "    [-certfile file] [-certsout file] [-cmsout] [-compress]\n"
+            "    [-certfile file] [-certsout file] [-cmsout]\n"
            "    [-content file] [-crlfeol] [-data_create] [-data_out]\n"
            "    [-debug_decrypt] [-decrypt] [-digest_create] [-digest_verify]\n"
            "    [-econtent_type type] [-encrypt] [-EncryptedData_decrypt]\n"
@@ -1138,7 +1140,7 @@ cms_usage(void)
            "    [-receipt_request_to addr] [-recip file] [-resign]\n"
            "    [-secretkey key] [-secretkeyid id] [-sign] [-sign_receipt]\n"
            "    [-signer file] [-stream | -indef | -noindef] [-subject s]\n"
-            "    [-text] [-to addr] [-uncompress] [-verify]\n"
+            "    [-text] [-to addr] [-verify]\n"
            "    [-verify_receipt file] [-verify_retcode] [cert.pem ...]\n\n");
        options_usage(cms_options);
@@ -1291,14 +1293,8 @@ cms_main(int argc, char **argv)
        }
        if (cfg.operation == SMIME_ENCRYPT) {
-                if (cfg.cipher == NULL) {
+                if (cfg.cipher == NULL)
-#ifndef OPENSSL_NO_DES
+                        cfg.cipher = EVP_aes_256_cbc();
-                        cfg.cipher = EVP_des_ede3_cbc();
-#else
-                        BIO_printf(bio_err, "No cipher selected\n");
-                        goto end;
-#endif
-                }
                if (cfg.secret_key != NULL &&
                    cfg.secret_keyid == NULL) {
                        BIO_printf(bio_err, "No secret key id\n");
@@ -1470,8 +1466,6 @@ cms_main(int argc, char **argv)
        } else if (cfg.operation == SMIME_DIGEST_CREATE) {
                cms = CMS_digest_create(in, cfg.sign_md,
                    cfg.flags);
-        } else if (cfg.operation == SMIME_COMPRESS) {
-                cms = CMS_compress(in, -1, cfg.flags);
        } else if (cfg.operation == SMIME_ENCRYPT) {
                int i;
                cfg.flags |= CMS_PARTIAL;
@@ -1679,9 +1673,6 @@ cms_main(int argc, char **argv)
        } else if (cfg.operation == SMIME_DATAOUT) {
                if (!CMS_data(cms, out, cfg.flags))
                        goto end;
-        } else if (cfg.operation == SMIME_UNCOMPRESS) {
-                if (!CMS_uncompress(cms, indata, out, cfg.flags))
-                        goto end;
        } else if (cfg.operation == SMIME_DIGEST_VERIFY) {
                if (CMS_digest_verify(cms, indata, out, cfg.flags) > 0)
                        BIO_printf(bio_err, "Verification successful\n");
@@ -1872,14 +1863,14 @@ receipt_request_print(BIO *out, CMS_ContentInfo *cms)
                        BIO_puts(bio_err, "  Receipt Request Parse Error\n");
                        ERR_print_errors(bio_err);
                } else {
-                        char *id;
+                        const char *id;
                        int idlen;
                        CMS_ReceiptRequest_get0_values(rr, &scid, &allorfirst,
                            &rlist, &rto);
                        BIO_puts(out, "  Signed Content ID:\n");
                        idlen = ASN1_STRING_length(scid);
-                        id = (char *) ASN1_STRING_data(scid);
+                        id = (const char *) ASN1_STRING_get0_data(scid);
                        BIO_dump_indent(out, id, idlen, 4);
                        BIO_puts(out, "  Receipts From");
                        if (rlist != NULL) {
diff --git a/src/usr.bin/openssl/dgst.c b/src/usr.bin/openssl/dgst.c
index 3979966481..30a0e50f62 100644
--- a/src/usr.bin/openssl/dgst.c
+++ b/src/usr.bin/openssl/dgst.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dgst.c,v 1.21 2023/03/06 14:32:05 tb Exp $ */
+/* $OpenBSD: dgst.c,v 1.22 2026/01/02 00:05:48 kenjiro Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -85,7 +85,6 @@ static struct {
        char *hmac_key;
        char *keyfile;
        int keyform;
-        const EVP_MD *m;
        char *mac_name;
        STACK_OF(OPENSSL_STRING) *macopts;
        const EVP_MD *md;
@@ -122,11 +121,9 @@ dgst_opt_md(int argc, char **argv, int *argsused)
        if (*name++ != '-')
                return (1);
-        if ((cfg.m = EVP_get_digestbyname(name)) == NULL)
+        if ((cfg.md = EVP_get_digestbyname(name)) == NULL)
                return (1);
-        cfg.md = cfg.m;
        *argsused = 1;
        return (0);
 }
diff --git a/src/usr.bin/openssl/gendsa.c b/src/usr.bin/openssl/gendsa.c
index 00635c4551..69a7994da7 100644
--- a/src/usr.bin/openssl/gendsa.c
+++ b/src/usr.bin/openssl/gendsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gendsa.c,v 1.17 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: gendsa.c,v 1.18 2025/06/07 08:33:58 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -80,7 +80,8 @@ static struct {
        char *passargout;
 } cfg;
-static const EVP_CIPHER *get_cipher_by_name(char *name)
+static const EVP_CIPHER *
+get_cipher_by_name(char *name)
 {
        if (name == NULL || strcmp(name, "") == 0)
                return (NULL);
diff --git a/src/usr.bin/openssl/genrsa.c b/src/usr.bin/openssl/genrsa.c
index 0b5323fa5f..647780d8fa 100644
--- a/src/usr.bin/openssl/genrsa.c
+++ b/src/usr.bin/openssl/genrsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: genrsa.c,v 1.22 2023/03/06 14:32:06 tb Exp $ */
+/* $OpenBSD: genrsa.c,v 1.23 2025/06/07 08:33:58 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -108,7 +108,8 @@ set_public_exponent(int argc, char **argv, int *argsused)
        return (0);
 }
-static const EVP_CIPHER *get_cipher_by_name(char *name)
+static const EVP_CIPHER *
+get_cipher_by_name(char *name)
 {
        if (name == NULL || strcmp(name, "") == 0)
                return (NULL);
diff --git a/src/usr.bin/openssl/ocsp.c b/src/usr.bin/openssl/ocsp.c
index d35940a7ae..01d28aa1f0 100644
--- a/src/usr.bin/openssl/ocsp.c
+++ b/src/usr.bin/openssl/ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp.c,v 1.26 2024/08/31 18:39:25 tb Exp $ */
+/* $OpenBSD: ocsp.c,v 1.27 2025/05/09 12:50:59 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -194,18 +194,18 @@ x509v3_add_value(const char *name, const char *value,
        int ret = 0;
        if ((conf_value = calloc(1, sizeof(*conf_value))) == NULL) {
-                X509V3error(ERR_R_MALLOC_FAILURE);
+                perror("calloc");
                goto err;
        }
        if (name != NULL) {
                if ((conf_value->name = strdup(name)) == NULL) {
-                        X509V3error(ERR_R_MALLOC_FAILURE);
+                        perror("strdup");
                        goto err;
                }
        }
        if (value != NULL) {
                if ((conf_value->value = strdup(value)) == NULL) {
-                        X509V3error(ERR_R_MALLOC_FAILURE);
+                        perror("strdup");
                        goto err;
                }
        }
@@ -213,12 +213,12 @@ x509v3_add_value(const char *name, const char *value,
        if ((extlist = *out_extlist) == NULL)
                extlist = sk_CONF_VALUE_new_null();
        if (extlist == NULL) {
-                X509V3error(ERR_R_MALLOC_FAILURE);
+                perror("sk_CONF_VALUE_new_null");
                goto err;
        }
        if (!sk_CONF_VALUE_push(extlist, conf_value)) {
-                X509V3error(ERR_R_MALLOC_FAILURE);
+                perror("sk_CONF_VALUE_push");
                goto err;
        }
        conf_value = NULL;
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index a095c01f0a..f3e0be15ed 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.163 2025/04/14 08:40:10 tb Exp $
+.\" $OpenBSD: openssl.1,v 1.168 2025/12/20 07:02:37 tb Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: April 14 2025 $
+.Dd $Mdocdate: December 20 2025 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -931,7 +931,6 @@ but without cipher suite codes.
 .Op Fl certfile Ar file
 .Op Fl certsout Ar file
 .Op Fl cmsout
-.Op Fl compress
 .Op Fl content Ar file
 .Op Fl crlfeol
 .Op Fl data_create
@@ -985,7 +984,6 @@ but without cipher suite codes.
 .Op Fl subject Ar s
 .Op Fl text
 .Op Fl to Ar addr
-.Op Fl uncompress
 .Op Fl verify
 .Op Fl verify_receipt Ar file
 .Op Fl verify_retcode
@@ -996,8 +994,7 @@ but without cipher suite codes.
 The
 .Nm cms
 command handles S/MIME v3.1 mail.
-It can encrypt, decrypt, sign and verify, compress and uncompress S/MIME
+It can encrypt, decrypt, sign and verify S/MIME messages.
-messages.
 .Pp
 The MIME message must be sent without any blank lines between the headers and
 the output.
@@ -1053,12 +1050,6 @@ Output a content from the input CMS Data type.
 Create a CMS DigestedData type.
 .It Fl digest_verify
 Verify a CMS DigestedData type and output the content.
-.It Fl compress
-Create a CMS CompressedData type.
-Must be compiled with zlib support for this option to work.
-.It Fl uncompress
-Uncompress a CMS CompressedData type and output the content.
-Must be compiled with zlib support for this option to work.
 .It Fl EncryptedData_encrypt
 Encrypt a content using supplied symmetric key and algorithm using a
 CMS EncryptedData type.
@@ -1091,7 +1082,7 @@ The encryption algorithm to use.
 128-, 192-, or 256-bit AES, 128-, 192-, or 256-bit CAMELLIA,
 DES (56 bits), triple DES (168 bits),
 or 40-, 64-, or 128-bit RC2, respectively;
-if not specified, triple DES is
+if not specified, 256-bit AES is
 used.
 Only used with
 .Fl encrypt
@@ -2973,9 +2964,6 @@ command processes private keys
 (both encrypted and unencrypted)
 in PKCS#8 format
 with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
-The default encryption is only 56 bits;
-keys encrypted using PKCS#5 v2.0 algorithms and high iteration counts
-are more secure.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
@@ -3021,16 +3009,12 @@ which allow strong encryption algorithms like triple DES or 128-bit RC2.
 .El
 .It Fl v2 Ar alg
 Use PKCS#5 v2.0 algorithms.
-Supports algorithms such as 168-bit triple DES or 128-bit RC2,
+These are block ciphers used in CBC mode.
-however not many implementations support PKCS#5 v2.0 yet
+The default is AES-256-CBC.
-(if using private keys with
+With the exception of AES, the choices available in RFC 8018
-.Nm openssl
+are considered decrepit.
-this doesn't matter).
+They can be enabled with des, des3, and rc2
-.Pp
+(rc5 is no longer supported).
-.Ar alg
-is the encryption algorithm to use;
-valid values include des, des3, and rc2.
-It is recommended that des3 is used.
 .El
 .Tg pkcs12
 .Sh PKCS12
@@ -5105,7 +5089,7 @@ The remaining options are as follows:
 The encryption algorithm to use.
 128-, 192-, or 256-bit AES, DES (56 bits), triple DES (168 bits),
 or 40-, 64-, or 128-bit RC2, respectively;
-if not specified, 40-bit RC2 is
+if not specified, 256-bit AES is
 used.
 Only used with
 .Fl encrypt .
@@ -6148,7 +6132,7 @@ either using a list of comma-separated options or by specifying
 .Fl nameopt
 multiple times.
 The default behaviour is to use the
-.Cm oneline
+.Cm compat
 format.
 The options,
 which can be preceded by a dash to turn them off,
@@ -6230,7 +6214,7 @@ A one line format which is more readable than
 .Cm RFC2253 .
 Equivalent to
 .Cm esc_2253 , esc_ctrl , esc_msb , utf8 ,
-.Cm dump_nostr , dump_der , use_quote , sep_comma_plus_spc ,
+.Cm dump_nostr , dump_der , use_quote , sep_comma_plus_space ,
 .Cm space_eq ,
 and
 .Cm sname .
diff --git a/src/usr.bin/openssl/openssl.c b/src/usr.bin/openssl/openssl.c
index 75a0e4d266..056912a9ed 100644
--- a/src/usr.bin/openssl/openssl.c
+++ b/src/usr.bin/openssl/openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: openssl.c,v 1.39 2025/01/02 13:10:03 tb Exp $ */
+/* $OpenBSD: openssl.c,v 1.41 2026/01/02 00:14:24 kenjiro Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -231,13 +231,14 @@ FUNCTION functions[] = {
 #ifndef OPENSSL_NO_SHA512
        { FUNC_TYPE_MD, "sha512", dgst_main },
 #endif
+        { FUNC_TYPE_MD, "sha3-224", dgst_main },
+        { FUNC_TYPE_MD, "sha3-256", dgst_main },
+        { FUNC_TYPE_MD, "sha3-384", dgst_main },
+        { FUNC_TYPE_MD, "sha3-512", dgst_main },
 #ifndef OPENSSL_NO_SM3
        { FUNC_TYPE_MD, "sm3", dgst_main },
        { FUNC_TYPE_MD, "sm3WithRSAEncryption", dgst_main },
 #endif
-#ifndef OPENSSL_NO_WHIRLPOOL
-        { FUNC_TYPE_MD, "whirlpool", dgst_main },
-#endif
        /* Ciphers. */
        { FUNC_TYPE_CIPHER, "base64", enc_main },
diff --git a/src/usr.bin/openssl/pkcs12.c b/src/usr.bin/openssl/pkcs12.c
index 1407a96e03..d29a12ce60 100644
--- a/src/usr.bin/openssl/pkcs12.c
+++ b/src/usr.bin/openssl/pkcs12.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.c,v 1.29 2024/12/26 14:10:48 tb Exp $ */
+/* $OpenBSD: pkcs12.c,v 1.31 2025/11/27 08:26:32 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -88,7 +88,6 @@ static int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass,
    int passlen, int options, char *pempass);
 static int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
    const char *name);
-static void hex_prin(BIO *out, unsigned char *buf, int len);
 static int alg_print(BIO *x, const X509_ALGOR *alg);
 static int set_pbe(BIO *err, int *ppbe, const char *str);
@@ -152,7 +151,8 @@ pkcs12_opt_passarg(char *arg)
        return (0);
 }
-static const EVP_CIPHER *get_cipher_by_name(char *name)
+static const EVP_CIPHER *
+get_cipher_by_name(char *name)
 {
        if (name == NULL || strcmp(name, "") == 0)
                return (NULL);
@@ -1020,6 +1020,17 @@ alg_print(BIO *x, const X509_ALGOR *alg)
        return 1;
 }
+static void
+hex_print(BIO *out, const ASN1_STRING *str)
+{
+        const unsigned char *buf = ASN1_STRING_get0_data(str);
+        int len = ASN1_STRING_length(str);
+        int i;
+        for (i = 0; i < len; i++)
+                BIO_printf(out, "%02X ", buf[i]);
+}
 /* Generalised attribute print: handle PKCS#8 and bag attributes */
 static void
 print_attribute(BIO *out, const ASN1_TYPE *av)
@@ -1029,21 +1040,19 @@ print_attribute(BIO *out, const ASN1_TYPE *av)
        switch (av->type) {
        case V_ASN1_BMPSTRING:
                value = OPENSSL_uni2asc(
-                    av->value.bmpstring->data,
+                    ASN1_STRING_get0_data(av->value.bmpstring),
-                    av->value.bmpstring->length);
+                    ASN1_STRING_length(av->value.bmpstring));
-                BIO_printf(out, "%s\n", value);
+                BIO_printf(out, "%s\n", value != NULL ? value : "(null)");
                free(value);
                break;
        case V_ASN1_OCTET_STRING:
-                hex_prin(out, av->value.octet_string->data,
+                hex_print(out, av->value.octet_string);
-                    av->value.octet_string->length);
                BIO_printf(out, "\n");
                break;
        case V_ASN1_BIT_STRING:
-                hex_prin(out, av->value.bit_string->data,
+                hex_print(out, av->value.bit_string);
-                    av->value.bit_string->length);
                BIO_printf(out, "\n");
                break;
@@ -1095,15 +1104,6 @@ print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
        return 1;
 }
-static void
-hex_prin(BIO *out, unsigned char *buf, int len)
-{
-        int i;
-        for (i = 0; i < len; i++)
-                BIO_printf(out, "%02X ", buf[i]);
-}
 static int
 set_pbe(BIO *err, int *ppbe, const char *str)
 {
diff --git a/src/usr.bin/openssl/pkcs8.c b/src/usr.bin/openssl/pkcs8.c
index 10fad7aed1..5d7c52f865 100644
--- a/src/usr.bin/openssl/pkcs8.c
+++ b/src/usr.bin/openssl/pkcs8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs8.c,v 1.18 2025/01/02 12:31:44 tb Exp $ */
+/* $OpenBSD: pkcs8.c,v 1.19 2025/05/24 02:35:25 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999-2004.
 */
@@ -224,8 +224,8 @@ pkcs8_main(int argc, char **argv)
                BIO_printf(bio_err, "Error getting passwords\n");
                goto end;
        }
-        if ((cfg.pbe_nid == -1) && !cfg.cipher)
+        if (cfg.pbe_nid == -1 && cfg.cipher == NULL)
-                cfg.pbe_nid = NID_pbeWithMD5AndDES_CBC;
+                cfg.cipher = EVP_aes_256_cbc();
        if (cfg.infile) {
                if (!(in = BIO_new_file(cfg.infile, "rb"))) {
diff --git a/src/usr.bin/openssl/smime.c b/src/usr.bin/openssl/smime.c
index 46bfa08679..f9d7049ff9 100644
--- a/src/usr.bin/openssl/smime.c
+++ b/src/usr.bin/openssl/smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smime.c,v 1.20 2023/04/14 15:27:13 tb Exp $ */
+/* $OpenBSD: smime.c,v 1.21 2025/06/07 08:28:49 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -271,7 +271,7 @@ static const struct option smime_options[] = {
        },
        {
                .name = "aes256",
-                .desc = "Encrypt PEM output with CBC AES",
+                .desc = "Encrypt PEM output with CBC AES (default)",
                .type = OPTION_ARGV_FUNC,
                .opt.argvfunc = smime_opt_cipher,
        },
@@ -313,7 +313,7 @@ static const struct option smime_options[] = {
 #ifndef OPENSSL_NO_RC2
        {
                .name = "rc2-40",
-                .desc = "Encrypt with RC2-40 (default)",
+                .desc = "Encrypt with RC2-40",
                .type = OPTION_ARGV_FUNC,
                .opt.argvfunc = smime_opt_cipher,
        },
@@ -825,14 +825,8 @@ smime_main(int argc, char **argv)
        }
        if (cfg.operation == SMIME_ENCRYPT) {
-                if (cfg.cipher == NULL) {
+                if (cfg.cipher == NULL)
-#ifndef OPENSSL_NO_RC2
+                        cfg.cipher = EVP_aes_256_cbc();
-                        cfg.cipher = EVP_rc2_40_cbc();
-#else
-                        BIO_printf(bio_err, "No cipher selected\n");
-                        goto end;
-#endif
-                }
                if ((encerts = sk_X509_new_null()) == NULL)
                        goto end;
                while (*args != NULL) {
diff --git a/src/usr.bin/openssl/speed.c b/src/usr.bin/openssl/speed.c
index 9d03c6516e..1ece133f2e 100644
--- a/src/usr.bin/openssl/speed.c
+++ b/src/usr.bin/openssl/speed.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: speed.c,v 1.41 2025/01/02 13:37:43 tb Exp $ */
+/* $OpenBSD: speed.c,v 1.50 2025/12/13 01:58:53 kenjiro Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -142,9 +142,6 @@
 #ifndef OPENSSL_NO_SHA
 #include <openssl/sha.h>
 #endif
-#ifndef OPENSSL_NO_WHIRLPOOL
-#include <openssl/whrlpool.h>
-#endif
 #define BUFSIZE (1024*8+64)
 volatile sig_atomic_t run;
@@ -152,29 +149,78 @@ volatile sig_atomic_t run;
 static int mr = 0;
 static int usertime = 1;
-static double Time_F(int s);
+static void print_message(const char *s, int length);
-static void print_message(const char *s, long num, int length);
 static void
 pkey_print_message(const char *str, const char *str2,
-    long num, int bits, int sec);
+    int bits, int sec);
 static void print_result(int alg, int run_no, int count, double time_used);
 static int do_multi(int multi);
-#define ALGOR_NUM       32
 #define SIZE_NUM        5
-#define RSA_NUM         4
+#define MAX_ECDH_SIZE   256
-#define DSA_NUM         3
+enum {
+        D_MD4,
+        D_MD5,
+        D_HMAC,
+        D_SHA1,
+        D_RMD160,
+        D_RC4,
+        D_CBC_DES,
+        D_EDE3_DES,
+        D_CBC_IDEA,
+        D_CBC_RC2,
+        D_CBC_BF,
+        D_CBC_CAST,
+        D_CBC_128_AES,
+        D_CBC_192_AES,
+        D_CBC_256_AES,
+        D_CBC_128_CML,
+        D_CBC_192_CML,
+        D_CBC_256_CML,
+        D_EVP,
+        D_SHA256,
+        D_SHA512,
+        D_IGE_128_AES,
+        D_IGE_192_AES,
+        D_IGE_256_AES,
+        D_GHASH,
+        D_AES_128_GCM,
+        D_AES_256_GCM,
+        D_CHACHA20_POLY1305,
+        ALGOR_NUM,
+};
+enum {
+        R_DSA_512,
+        R_DSA_1024,
+        R_DSA_2048,
+        DSA_NUM,
+};
+enum {
+        R_RSA_512,
+        R_RSA_1024,
+        R_RSA_2048,
+        R_RSA_4096,
+        RSA_NUM,
+};
-#define EC_NUM          4
+enum {
-#define MAX_ECDH_SIZE 256
+        R_EC_P224,
+        R_EC_P256,
+        R_EC_P384,
+        R_EC_P521,
+        EC_NUM,
+};
 static const char *names[ALGOR_NUM] = {
-        "md2", "md4", "md5", "hmac(md5)", "sha1", "rmd160",
+        "md4", "md5", "hmac(sha256)", "sha1", "rmd160",
-        "rc4", "des cbc", "des ede3", "idea cbc", "seed cbc",
+        "rc4", "des cbc", "des ede3", "idea cbc",
-        "rc2 cbc", "rc5-32/12 cbc", "blowfish cbc", "cast cbc",
+        "rc2 cbc", "blowfish cbc", "cast cbc",
        "aes-128 cbc", "aes-192 cbc", "aes-256 cbc",
        "camellia-128 cbc", "camellia-192 cbc", "camellia-256 cbc",
-        "evp", "sha256", "sha512", "whirlpool",
+        "evp", "sha256", "sha512",
        "aes-128 ige", "aes-192 ige", "aes-256 ige", "ghash",
        "aes-128 gcm", "aes-256 gcm", "chacha20 poly1305",
 };
@@ -895,6 +941,22 @@ static const unsigned char test4096[] = {
        0xaf, 0xf8, 0x2a, 0x91, 0x9d, 0x50, 0x44, 0x21, 0x17,
 };
+static const unsigned char key16[] = {
+        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
+        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
+};
+static const unsigned char key24[] = {
+        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
+        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
+        0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34,
+};
+static const unsigned char key32[] = {
+        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
+        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
+        0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34,
+        0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56,
+};
 static void
 sig_done(int sig)
 {
@@ -904,16 +966,14 @@ sig_done(int sig)
 #define START   TM_RESET
 #define STOP    TM_GET
 static double
-Time_F(int s)
+time_f(int s)
 {
        if (usertime)
                return app_timer_user(s);
-        else
-                return app_timer_real(s);
-}
+        return app_timer_real(s);
+}
 static const int KDF1_SHA1_len = 20;
 static void *
@@ -937,33 +997,12 @@ speed_main(int argc, char **argv)
        unsigned char *buf = NULL, *buf2 = NULL;
        size_t unaligned = 0;
        int mret = 1;
-        long count = 0, save_count = 0;
+        long count = 0;
        int i, j, k;
        long rsa_count;
        unsigned rsa_num;
        unsigned char md[EVP_MAX_MD_SIZE];
-#ifndef OPENSSL_NO_MD4
-        unsigned char md4[MD4_DIGEST_LENGTH];
-#endif
-#ifndef OPENSSL_NO_MD5
-        unsigned char md5[MD5_DIGEST_LENGTH];
-        unsigned char hmac[MD5_DIGEST_LENGTH];
-#endif
-#ifndef OPENSSL_NO_SHA
-        unsigned char sha[SHA_DIGEST_LENGTH];
-#ifndef OPENSSL_NO_SHA256
-        unsigned char sha256[SHA256_DIGEST_LENGTH];
-#endif
-#ifndef OPENSSL_NO_SHA512
-        unsigned char sha512[SHA512_DIGEST_LENGTH];
-#endif
-#endif
-#ifndef OPENSSL_NO_WHIRLPOOL
-        unsigned char whirlpool[WHIRLPOOL_DIGEST_LENGTH];
-#endif
-#ifndef OPENSSL_NO_RIPEMD
-        unsigned char rmd160[RIPEMD160_DIGEST_LENGTH];
-#endif
 #ifndef OPENSSL_NO_RC4
        RC4_KEY rc4_ks;
 #endif
@@ -979,38 +1018,8 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_CAST
        CAST_KEY cast_ks;
 #endif
-        static const unsigned char key16[16] =
-        {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
-        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12};
-#ifndef OPENSSL_NO_AES
-        static const unsigned char key24[24] =
-        {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
-                0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
-        0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34};
-        static const unsigned char key32[32] =
-        {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
-                0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
-                0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34,
-        0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56};
-#endif
-#ifndef OPENSSL_NO_CAMELLIA
-        static const unsigned char ckey24[24] =
-        {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
-                0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
-        0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34};
-        static const unsigned char ckey32[32] =
-        {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
-                0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
-                0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34,
-        0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56};
-#endif
-#ifndef OPENSSL_NO_AES
-#define MAX_BLOCK_SIZE 128
-#else
-#define MAX_BLOCK_SIZE 64
-#endif
        unsigned char DES_iv[8];
-        unsigned char iv[2 * MAX_BLOCK_SIZE / 8];
+        unsigned char iv[2 * 16];
 #ifndef OPENSSL_NO_DES
        static DES_cblock key = {0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0};
        static DES_cblock key2 = {0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12};
@@ -1025,55 +1034,9 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_CAMELLIA
        CAMELLIA_KEY camellia_ks1, camellia_ks2, camellia_ks3;
 #endif
-#define D_MD2           0
-#define D_MD4           1
-#define D_MD5           2
-#define D_HMAC          3
-#define D_SHA1          4
-#define D_RMD160        5
-#define D_RC4           6
-#define D_CBC_DES       7
-#define D_EDE3_DES      8
-#define D_CBC_IDEA      9
-#define D_CBC_SEED      10
-#define D_CBC_RC2       11
-#define D_CBC_RC5       12
-#define D_CBC_BF        13
-#define D_CBC_CAST      14
-#define D_CBC_128_AES   15
-#define D_CBC_192_AES   16
-#define D_CBC_256_AES   17
-#define D_CBC_128_CML   18
-#define D_CBC_192_CML   19
-#define D_CBC_256_CML   20
-#define D_EVP           21
-#define D_SHA256        22
-#define D_SHA512        23
-#define D_WHIRLPOOL     24
-#define D_IGE_128_AES   25
-#define D_IGE_192_AES   26
-#define D_IGE_256_AES   27
-#define D_GHASH         28
-#define D_AES_128_GCM   29
-#define D_AES_256_GCM   30
-#define D_CHACHA20_POLY1305     31
        double d = 0.0;
-        long c[ALGOR_NUM][SIZE_NUM];
-#define R_DSA_512       0
-#define R_DSA_1024      1
-#define R_DSA_2048      2
-#define R_RSA_512       0
-#define R_RSA_1024      1
-#define R_RSA_2048      2
-#define R_RSA_4096      3
-#define R_EC_P224    0
-#define R_EC_P256    1
-#define R_EC_P384    2
-#define R_EC_P521    3
        RSA *rsa_key[RSA_NUM];
-        long rsa_c[RSA_NUM][2];
        static unsigned int rsa_bits[RSA_NUM] = {512, 1024, 2048, 4096};
        static const unsigned char *rsa_data[RSA_NUM] =
        {test512, test1024, test2048, test4096};
@@ -1081,7 +1044,6 @@ speed_main(int argc, char **argv)
                sizeof(test512), sizeof(test1024),
        sizeof(test2048), sizeof(test4096)};
        DSA *dsa_key[DSA_NUM];
-        long dsa_c[DSA_NUM][2];
        static unsigned int dsa_bits[DSA_NUM] = {512, 1024, 2048};
 #ifndef OPENSSL_NO_EC
        /*
@@ -1111,14 +1073,12 @@ speed_main(int argc, char **argv)
        unsigned char ecdsasig[256];
        unsigned int ecdsasiglen;
        EC_KEY *ecdsa[EC_NUM];
-        long ecdsa_c[EC_NUM][2];
        EC_KEY *ecdh_a[EC_NUM], *ecdh_b[EC_NUM];
        unsigned char secret_a[MAX_ECDH_SIZE], secret_b[MAX_ECDH_SIZE];
        int secret_size_a, secret_size_b;
        int ecdh_checks = 0;
        int secret_idx = 0;
-        long ecdh_c[EC_NUM][2];
        int rsa_doit[RSA_NUM];
        int dsa_doit[DSA_NUM];
@@ -1161,7 +1121,6 @@ speed_main(int argc, char **argv)
                BIO_printf(bio_err, "out of memory\n");
                goto end;
        }
-        memset(c, 0, sizeof(c));
        memset(DES_iv, 0, sizeof(DES_iv));
        memset(iv, 0, sizeof(iv));
@@ -1275,11 +1234,6 @@ speed_main(int argc, char **argv)
                else
 #endif
 #endif
-#ifndef OPENSSL_NO_WHIRLPOOL
-                if (strcmp(*argv, "whirlpool") == 0)
-                        doit[D_WHIRLPOOL] = 1;
-                else
-#endif
 #ifndef OPENSSL_NO_RIPEMD
                if (strcmp(*argv, "ripemd") == 0)
                        doit[D_RMD160] = 1;
@@ -1462,16 +1416,12 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_SHA512
                        BIO_printf(bio_err, "sha512   ");
 #endif
-#ifndef OPENSSL_NO_WHIRLPOOL
-                        BIO_printf(bio_err, "whirlpool");
-#endif
 #ifndef OPENSSL_NO_RIPEMD160
                        BIO_printf(bio_err, "rmd160");
 #endif
 #if !defined(OPENSSL_NO_MD2) || \
    !defined(OPENSSL_NO_MD4) || !defined(OPENSSL_NO_MD5) || \
-    !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160) || \
+    !defined(OPENSSL_NO_SHA1) || !defined(OPENSSL_NO_RIPEMD160)
-    !defined(OPENSSL_NO_WHIRLPOOL)
                        BIO_printf(bio_err, "\n");
 #endif
@@ -1602,8 +1552,8 @@ speed_main(int argc, char **argv)
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
        Camellia_set_key(key16, 128, &camellia_ks1);
-        Camellia_set_key(ckey24, 192, &camellia_ks2);
+        Camellia_set_key(key24, 192, &camellia_ks2);
-        Camellia_set_key(ckey32, 256, &camellia_ks3);
+        Camellia_set_key(key32, 256, &camellia_ks3);
 #endif
 #ifndef OPENSSL_NO_IDEA
        idea_set_encrypt_key(key16, &idea_ks);
@@ -1620,8 +1570,7 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_CAST
        CAST_set_key(&cast_ks, 16, key16);
 #endif
-        memset(rsa_c, 0, sizeof(rsa_c));
+#define COND    (run && count<0x7fffffff)
-#define COND(c) (run && count<0x7fffffff)
 #define COUNT(d) (count)
        memset(&sa, 0, sizeof(sa));
@@ -1633,11 +1582,11 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_MD4
        if (doit[D_MD4]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_MD4], c[D_MD4][j], lengths[j]);
+                        print_message(names[D_MD4], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_MD4][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
-                                EVP_Digest(&(buf[0]), (unsigned long) lengths[j], &(md4[0]), NULL, EVP_md4(), NULL);
+                                EVP_Digest(&(buf[0]), (unsigned long) lengths[j], md, NULL, EVP_md4(), NULL);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_MD4, j, count, d);
                }
        }
@@ -1646,17 +1595,17 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_MD5
        if (doit[D_MD5]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_MD5], c[D_MD5][j], lengths[j]);
+                        print_message(names[D_MD5], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_MD5][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
-                                EVP_Digest(&(buf[0]), (unsigned long) lengths[j], &(md5[0]), NULL, EVP_get_digestbyname("md5"), NULL);
+                                EVP_Digest(&(buf[0]), (unsigned long) lengths[j], md, NULL, EVP_get_digestbyname("md5"), NULL);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_MD5, j, count, d);
                }
        }
 #endif
-#if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_HMAC)
+#if !defined(OPENSSL_NO_SHA256) && !defined(OPENSSL_NO_HMAC)
        if (doit[D_HMAC]) {
                HMAC_CTX *hctx;
@@ -1666,12 +1615,12 @@ speed_main(int argc, char **argv)
                }
                HMAC_Init_ex(hctx, (unsigned char *) "This is a key...",
-                    16, EVP_md5(), NULL);
+                    16, EVP_sha256(), NULL);
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_HMAC], c[D_HMAC][j], lengths[j]);
+                        print_message(names[D_HMAC], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_HMAC][j]); count++) {
+                        for (count = 0, run = 1; COND; count++) {
                                if (!HMAC_Init_ex(hctx, NULL, 0, NULL, NULL)) {
                                        HMAC_CTX_free(hctx);
                                        goto end;
@@ -1680,12 +1629,12 @@ speed_main(int argc, char **argv)
                                        HMAC_CTX_free(hctx);
                                        goto end;
                                }
-                                if (!HMAC_Final(hctx, &(hmac[0]), NULL)) {
+                                if (!HMAC_Final(hctx, md, NULL)) {
                                        HMAC_CTX_free(hctx);
                                        goto end;
                                }
                        }
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_HMAC, j, count, d);
                }
                HMAC_CTX_free(hctx);
@@ -1694,22 +1643,22 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_SHA
        if (doit[D_SHA1]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_SHA1], c[D_SHA1][j], lengths[j]);
+                        print_message(names[D_SHA1], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_SHA1][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
-                                EVP_Digest(buf, (unsigned long) lengths[j], &(sha[0]), NULL, EVP_sha1(), NULL);
+                                EVP_Digest(buf, (unsigned long) lengths[j], md, NULL, EVP_sha1(), NULL);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_SHA1, j, count, d);
                }
        }
 #ifndef OPENSSL_NO_SHA256
        if (doit[D_SHA256]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_SHA256], c[D_SHA256][j], lengths[j]);
+                        print_message(names[D_SHA256], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_SHA256][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
-                                SHA256(buf, lengths[j], sha256);
+                                SHA256(buf, lengths[j], md);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_SHA256, j, count, d);
                }
        }
@@ -1718,38 +1667,25 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_SHA512
        if (doit[D_SHA512]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_SHA512], c[D_SHA512][j], lengths[j]);
+                        print_message(names[D_SHA512], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_SHA512][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
-                                SHA512(buf, lengths[j], sha512);
+                                SHA512(buf, lengths[j], md);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_SHA512, j, count, d);
                }
        }
 #endif
 #endif
-#ifndef OPENSSL_NO_WHIRLPOOL
-        if (doit[D_WHIRLPOOL]) {
-                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_WHIRLPOOL], c[D_WHIRLPOOL][j], lengths[j]);
-                        Time_F(START);
-                        for (count = 0, run = 1; COND(c[D_WHIRLPOOL][j]); count++)
-                                WHIRLPOOL(buf, lengths[j], whirlpool);
-                        d = Time_F(STOP);
-                        print_result(D_WHIRLPOOL, j, count, d);
-                }
-        }
-#endif
 #ifndef OPENSSL_NO_RIPEMD
        if (doit[D_RMD160]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_RMD160], c[D_RMD160][j], lengths[j]);
+                        print_message(names[D_RMD160], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_RMD160][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
-                                EVP_Digest(buf, (unsigned long) lengths[j], &(rmd160[0]), NULL, EVP_ripemd160(), NULL);
+                                EVP_Digest(buf, (unsigned long) lengths[j], md, NULL, EVP_ripemd160(), NULL);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_RMD160, j, count, d);
                }
        }
@@ -1757,12 +1693,12 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_RC4
        if (doit[D_RC4]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_RC4], c[D_RC4][j], lengths[j]);
+                        print_message(names[D_RC4], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_RC4][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                RC4(&rc4_ks, (unsigned int) lengths[j],
                                    buf, buf);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_RC4, j, count, d);
                }
        }
@@ -1770,24 +1706,24 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_DES
        if (doit[D_CBC_DES]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_CBC_DES], c[D_CBC_DES][j], lengths[j]);
+                        print_message(names[D_CBC_DES], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_CBC_DES][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                DES_ncbc_encrypt(buf, buf, lengths[j], &sch,
                                    &DES_iv, DES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_CBC_DES, j, count, d);
                }
        }
        if (doit[D_EDE3_DES]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_EDE3_DES], c[D_EDE3_DES][j], lengths[j]);
+                        print_message(names[D_EDE3_DES], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_EDE3_DES][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                DES_ede3_cbc_encrypt(buf, buf, lengths[j],
                                    &sch, &sch2, &sch3,
                                    &DES_iv, DES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_EDE3_DES, j, count, d);
                }
        }
@@ -1795,73 +1731,73 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_AES
        if (doit[D_CBC_128_AES]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_CBC_128_AES], c[D_CBC_128_AES][j], lengths[j]);
+                        print_message(names[D_CBC_128_AES], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_CBC_128_AES][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                AES_cbc_encrypt(buf, buf,
                                    (unsigned long) lengths[j], &aes_ks1,
                                    iv, AES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_CBC_128_AES, j, count, d);
                }
        }
        if (doit[D_CBC_192_AES]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_CBC_192_AES], c[D_CBC_192_AES][j], lengths[j]);
+                        print_message(names[D_CBC_192_AES], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_CBC_192_AES][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                AES_cbc_encrypt(buf, buf,
                                    (unsigned long) lengths[j], &aes_ks2,
                                    iv, AES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_CBC_192_AES, j, count, d);
                }
        }
        if (doit[D_CBC_256_AES]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_CBC_256_AES], c[D_CBC_256_AES][j], lengths[j]);
+                        print_message(names[D_CBC_256_AES], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_CBC_256_AES][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                AES_cbc_encrypt(buf, buf,
                                    (unsigned long) lengths[j], &aes_ks3,
                                    iv, AES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_CBC_256_AES, j, count, d);
                }
        }
        if (doit[D_IGE_128_AES]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_IGE_128_AES], c[D_IGE_128_AES][j], lengths[j]);
+                        print_message(names[D_IGE_128_AES], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_IGE_128_AES][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                AES_ige_encrypt(buf, buf2,
                                    (unsigned long) lengths[j], &aes_ks1,
                                    iv, AES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_IGE_128_AES, j, count, d);
                }
        }
        if (doit[D_IGE_192_AES]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_IGE_192_AES], c[D_IGE_192_AES][j], lengths[j]);
+                        print_message(names[D_IGE_192_AES], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_IGE_192_AES][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                AES_ige_encrypt(buf, buf2,
                                    (unsigned long) lengths[j], &aes_ks2,
                                    iv, AES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_IGE_192_AES, j, count, d);
                }
        }
        if (doit[D_IGE_256_AES]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_IGE_256_AES], c[D_IGE_256_AES][j], lengths[j]);
+                        print_message(names[D_IGE_256_AES], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_IGE_256_AES][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                AES_ige_encrypt(buf, buf2,
                                    (unsigned long) lengths[j], &aes_ks3,
                                    iv, AES_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_IGE_256_AES, j, count, d);
                }
        }
@@ -1870,11 +1806,11 @@ speed_main(int argc, char **argv)
                CRYPTO_gcm128_setiv(ctx, (unsigned char *) "0123456789ab", 12);
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_GHASH], c[D_GHASH][j], lengths[j]);
+                        print_message(names[D_GHASH], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_GHASH][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                CRYPTO_gcm128_aad(ctx, buf, lengths[j]);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_GHASH, j, count, d);
                }
                CRYPTO_gcm128_release(ctx);
@@ -1896,12 +1832,12 @@ speed_main(int argc, char **argv)
                nonce_len = EVP_AEAD_nonce_length(aead);
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_AES_128_GCM],c[D_AES_128_GCM][j],lengths[j]);
+                        print_message(names[D_AES_128_GCM], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_AES_128_GCM][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                EVP_AEAD_CTX_seal(ctx, buf, &buf_len, BUFSIZE, nonce,
                                    nonce_len, buf, lengths[j], NULL, 0);
-                        d=Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_AES_128_GCM,j,count,d);
                }
                EVP_AEAD_CTX_free(ctx);
@@ -1924,12 +1860,12 @@ speed_main(int argc, char **argv)
                nonce_len = EVP_AEAD_nonce_length(aead);
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_AES_256_GCM],c[D_AES_256_GCM][j],lengths[j]);
+                        print_message(names[D_AES_256_GCM], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_AES_256_GCM][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                EVP_AEAD_CTX_seal(ctx, buf, &buf_len, BUFSIZE, nonce,
                                    nonce_len, buf, lengths[j], NULL, 0);
-                        d=Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_AES_256_GCM, j, count, d);
                }
                EVP_AEAD_CTX_free(ctx);
@@ -1953,13 +1889,12 @@ speed_main(int argc, char **argv)
                nonce_len = EVP_AEAD_nonce_length(aead);
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_CHACHA20_POLY1305],
+                        print_message(names[D_CHACHA20_POLY1305], lengths[j]);
-                            c[D_CHACHA20_POLY1305][j], lengths[j]);
+                        time_f(START);
-                        Time_F(START);
+                        for (count = 0, run = 1; COND; count++)
-                        for (count = 0, run = 1; COND(c[D_CHACHA20_POLY1305][j]); count++)
                                EVP_AEAD_CTX_seal(ctx, buf, &buf_len, BUFSIZE, nonce,
                                    nonce_len, buf, lengths[j], NULL, 0);
-                        d=Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_CHACHA20_POLY1305, j, count, d);
                }
                EVP_AEAD_CTX_free(ctx);
@@ -1968,37 +1903,37 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_CAMELLIA
        if (doit[D_CBC_128_CML]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_CBC_128_CML], c[D_CBC_128_CML][j], lengths[j]);
+                        print_message(names[D_CBC_128_CML], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_CBC_128_CML][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                Camellia_cbc_encrypt(buf, buf,
                                    (unsigned long) lengths[j], &camellia_ks1,
                                    iv, CAMELLIA_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_CBC_128_CML, j, count, d);
                }
        }
        if (doit[D_CBC_192_CML]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_CBC_192_CML], c[D_CBC_192_CML][j], lengths[j]);
+                        print_message(names[D_CBC_192_CML], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_CBC_192_CML][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                Camellia_cbc_encrypt(buf, buf,
                                    (unsigned long) lengths[j], &camellia_ks2,
                                    iv, CAMELLIA_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_CBC_192_CML, j, count, d);
                }
        }
        if (doit[D_CBC_256_CML]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_CBC_256_CML], c[D_CBC_256_CML][j], lengths[j]);
+                        print_message(names[D_CBC_256_CML], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_CBC_256_CML][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                Camellia_cbc_encrypt(buf, buf,
                                    (unsigned long) lengths[j], &camellia_ks3,
                                    iv, CAMELLIA_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_CBC_256_CML, j, count, d);
                }
        }
@@ -2006,13 +1941,13 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_IDEA
        if (doit[D_CBC_IDEA]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_CBC_IDEA], c[D_CBC_IDEA][j], lengths[j]);
+                        print_message(names[D_CBC_IDEA], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_CBC_IDEA][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                idea_cbc_encrypt(buf, buf,
                                    (unsigned long) lengths[j], &idea_ks,
                                    iv, IDEA_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_CBC_IDEA, j, count, d);
                }
        }
@@ -2020,13 +1955,13 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_RC2
        if (doit[D_CBC_RC2]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_CBC_RC2], c[D_CBC_RC2][j], lengths[j]);
+                        print_message(names[D_CBC_RC2], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_CBC_RC2][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                RC2_cbc_encrypt(buf, buf,
                                    (unsigned long) lengths[j], &rc2_ks,
                                    iv, RC2_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_CBC_RC2, j, count, d);
                }
        }
@@ -2034,13 +1969,13 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_BF
        if (doit[D_CBC_BF]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_CBC_BF], c[D_CBC_BF][j], lengths[j]);
+                        print_message(names[D_CBC_BF], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_CBC_BF][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                BF_cbc_encrypt(buf, buf,
                                    (unsigned long) lengths[j], &bf_ks,
                                    iv, BF_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_CBC_BF, j, count, d);
                }
        }
@@ -2048,13 +1983,13 @@ speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_CAST
        if (doit[D_CBC_CAST]) {
                for (j = 0; j < SIZE_NUM; j++) {
-                        print_message(names[D_CBC_CAST], c[D_CBC_CAST][j], lengths[j]);
+                        print_message(names[D_CBC_CAST], lengths[j]);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(c[D_CBC_CAST][j]); count++)
+                        for (count = 0, run = 1; COND; count++)
                                CAST_cbc_encrypt(buf, buf,
                                    (unsigned long) lengths[j], &cast_ks,
                                    iv, CAST_ENCRYPT);
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        print_result(D_CBC_CAST, j, count, d);
                }
        }
@@ -2073,8 +2008,7 @@ speed_main(int argc, char **argv)
                                 * optimization here!  names[D_EVP] somehow
                                 * becomes NULL
                                 */
-                                print_message(names[D_EVP], save_count,
+                                print_message(names[D_EVP], lengths[j]);
-                                    lengths[j]);
                                if ((ctx = EVP_CIPHER_CTX_new()) == NULL) {
                                        BIO_printf(bio_err, "Failed to "
@@ -2087,30 +2021,29 @@ speed_main(int argc, char **argv)
                                        EVP_EncryptInit_ex(ctx, evp_cipher, NULL, key16, iv);
                                EVP_CIPHER_CTX_set_padding(ctx, 0);
-                                Time_F(START);
+                                time_f(START);
                                if (decrypt)
-                                        for (count = 0, run = 1; COND(save_count * 4 * lengths[0] / lengths[j]); count++)
+                                        for (count = 0, run = 1; COND; count++)
                                                EVP_DecryptUpdate(ctx, buf, &outl, buf, lengths[j]);
                                else
-                                        for (count = 0, run = 1; COND(save_count * 4 * lengths[0] / lengths[j]); count++)
+                                        for (count = 0, run = 1; COND; count++)
                                                EVP_EncryptUpdate(ctx, buf, &outl, buf, lengths[j]);
                                if (decrypt)
                                        EVP_DecryptFinal_ex(ctx, buf, &outl);
                                else
                                        EVP_EncryptFinal_ex(ctx, buf, &outl);
-                                d = Time_F(STOP);
+                                d = time_f(STOP);
                                EVP_CIPHER_CTX_free(ctx);
                        }
                        if (evp_md) {
                                names[D_EVP] = OBJ_nid2ln(EVP_MD_type(evp_md));
-                                print_message(names[D_EVP], save_count,
+                                print_message(names[D_EVP], lengths[j]);
-                                    lengths[j]);
-                                Time_F(START);
+                                time_f(START);
-                                for (count = 0, run = 1; COND(save_count * 4 * lengths[0] / lengths[j]); count++)
+                                for (count = 0, run = 1; COND; count++)
                                        EVP_Digest(buf, lengths[j], &(md[0]), NULL, evp_md, NULL);
-                                d = Time_F(STOP);
+                                d = time_f(STOP);
                        }
                        print_result(D_EVP, j, count, d);
                }
@@ -2127,11 +2060,11 @@ speed_main(int argc, char **argv)
                        rsa_count = 1;
                } else {
                        pkey_print_message("private", "rsa",
-                            rsa_c[j][0], rsa_bits[j],
+                            rsa_bits[j],
                            RSA_SECONDS);
 /*                      RSA_blinding_on(rsa_key[j],NULL); */
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(rsa_c[j][0]); count++) {
+                        for (count = 0, run = 1; COND; count++) {
                                ret = RSA_sign(NID_md5_sha1, buf, 36, buf2,
                                    &rsa_num, rsa_key[j]);
                                if (ret == 0) {
@@ -2142,7 +2075,7 @@ speed_main(int argc, char **argv)
                                        break;
                                }
                        }
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        BIO_printf(bio_err, mr ? "+R1:%ld:%d:%.2f\n"
                            : "%ld %d bit private RSA in %.2fs\n",
                            count, rsa_bits[j], d);
@@ -2157,10 +2090,10 @@ speed_main(int argc, char **argv)
                        rsa_doit[j] = 0;
                } else {
                        pkey_print_message("public", "rsa",
-                            rsa_c[j][1], rsa_bits[j],
+                            rsa_bits[j],
                            RSA_SECONDS);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(rsa_c[j][1]); count++) {
+                        for (count = 0, run = 1; COND; count++) {
                                ret = RSA_verify(NID_md5_sha1, buf, 36, buf2,
                                    rsa_num, rsa_key[j]);
                                if (ret <= 0) {
@@ -2171,7 +2104,7 @@ speed_main(int argc, char **argv)
                                        break;
                                }
                        }
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        BIO_printf(bio_err, mr ? "+R2:%ld:%d:%.2f\n"
                            : "%ld %d bit public RSA in %.2fs\n",
                            count, rsa_bits[j], d);
@@ -2202,10 +2135,10 @@ speed_main(int argc, char **argv)
                        rsa_count = 1;
                } else {
                        pkey_print_message("sign", "dsa",
-                            dsa_c[j][0], dsa_bits[j],
+                            dsa_bits[j],
                            DSA_SECONDS);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(dsa_c[j][0]); count++) {
+                        for (count = 0, run = 1; COND; count++) {
                                ret = DSA_sign(EVP_PKEY_DSA, buf, 20, buf2,
                                    &kk, dsa_key[j]);
                                if (ret == 0) {
@@ -2216,7 +2149,7 @@ speed_main(int argc, char **argv)
                                        break;
                                }
                        }
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        BIO_printf(bio_err, mr ? "+R3:%ld:%d:%.2f\n"
                            : "%ld %d bit DSA signs in %.2fs\n",
                            count, dsa_bits[j], d);
@@ -2232,10 +2165,10 @@ speed_main(int argc, char **argv)
                        dsa_doit[j] = 0;
                } else {
                        pkey_print_message("verify", "dsa",
-                            dsa_c[j][1], dsa_bits[j],
+                            dsa_bits[j],
                            DSA_SECONDS);
-                        Time_F(START);
+                        time_f(START);
-                        for (count = 0, run = 1; COND(dsa_c[j][1]); count++) {
+                        for (count = 0, run = 1; COND; count++) {
                                ret = DSA_verify(EVP_PKEY_DSA, buf, 20, buf2,
                                    kk, dsa_key[j]);
                                if (ret <= 0) {
@@ -2246,7 +2179,7 @@ speed_main(int argc, char **argv)
                                        break;
                                }
                        }
-                        d = Time_F(STOP);
+                        d = time_f(STOP);
                        BIO_printf(bio_err, mr ? "+R4:%ld:%d:%.2f\n"
                            : "%ld %d bit DSA verify in %.2fs\n",
                            count, dsa_bits[j], d);
@@ -2283,13 +2216,11 @@ speed_main(int argc, char **argv)
                                rsa_count = 1;
                        } else {
                                pkey_print_message("sign", "ecdsa",
-                                    ecdsa_c[j][0],
                                    test_curves_bits[j],
                                    ECDSA_SECONDS);
-                                Time_F(START);
+                                time_f(START);
-                                for (count = 0, run = 1; COND(ecdsa_c[j][0]);
+                                for (count = 0, run = 1; COND; count++) {
-                                    count++) {
                                        ret = ECDSA_sign(0, buf, 20,
                                            ecdsasig, &ecdsasiglen,
                                            ecdsa[j]);
@@ -2300,7 +2231,7 @@ speed_main(int argc, char **argv)
                                                break;
                                        }
                                }
-                                d = Time_F(STOP);
+                                d = time_f(STOP);
                                BIO_printf(bio_err, mr ? "+R5:%ld:%d:%.2f\n" :
                                    "%ld %d bit ECDSA signs in %.2fs \n",
@@ -2318,11 +2249,10 @@ speed_main(int argc, char **argv)
                                ecdsa_doit[j] = 0;
                        } else {
                                pkey_print_message("verify", "ecdsa",
-                                    ecdsa_c[j][1],
                                    test_curves_bits[j],
                                    ECDSA_SECONDS);
-                                Time_F(START);
+                                time_f(START);
-                                for (count = 0, run = 1; COND(ecdsa_c[j][1]); count++) {
+                                for (count = 0, run = 1; COND; count++) {
                                        ret = ECDSA_verify(0, buf, 20, ecdsasig, ecdsasiglen, ecdsa[j]);
                                        if (ret != 1) {
                                                BIO_printf(bio_err, "ECDSA verify failure\n");
@@ -2331,7 +2261,7 @@ speed_main(int argc, char **argv)
                                                break;
                                        }
                                }
-                                d = Time_F(STOP);
+                                d = time_f(STOP);
                                BIO_printf(bio_err, mr ? "+R6:%ld:%d:%.2f\n"
                                    : "%ld %d bit ECDSA verify in %.2fs\n",
                                    count, test_curves_bits[j], d);
@@ -2405,18 +2335,16 @@ speed_main(int argc, char **argv)
                                        rsa_count = 1;
                                } else {
                                        pkey_print_message("", "ecdh",
-                                            ecdh_c[j][0],
                                            test_curves_bits[j],
                                            ECDH_SECONDS);
-                                        Time_F(START);
+                                        time_f(START);
-                                        for (count = 0, run = 1;
+                                        for (count = 0, run = 1; COND; count++) {
-                                             COND(ecdh_c[j][0]); count++) {
                                                ECDH_compute_key(secret_a,
                                                    outlen,
                                                    EC_KEY_get0_public_key(ecdh_b[j]),
                                                    ecdh_a[j], kdf);
                                        }
-                                        d = Time_F(STOP);
+                                        d = time_f(STOP);
                                        BIO_printf(bio_err, mr
                                            ? "+R7:%ld:%d:%.2f\n"
                                            : "%ld %d-bit ECDH ops in %.2fs\n",
@@ -2569,7 +2497,7 @@ show_res:
 }
 static void
-print_message(const char *s, long num, int length)
+print_message(const char *s, int length)
 {
        BIO_printf(bio_err, mr ? "+DT:%s:%d:%d\n"
            : "Doing %s for %ds on %d size blocks: ", s, SECONDS, length);
@@ -2578,7 +2506,7 @@ print_message(const char *s, long num, int length)
 }
 static void
-pkey_print_message(const char *str, const char *str2, long num,
+pkey_print_message(const char *str, const char *str2,
    int bits, int tm)
 {
        BIO_printf(bio_err, mr ? "+DTP:%d:%s:%s:%d\n"
diff --git a/src/usr.bin/openssl/ts.c b/src/usr.bin/openssl/ts.c
index 2bb35d84a4..29485bf7dc 100644
--- a/src/usr.bin/openssl/ts.c
+++ b/src/usr.bin/openssl/ts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.c,v 1.29 2024/08/26 18:40:50 tb Exp $ */
+/* $OpenBSD: ts.c,v 1.30 2025/11/21 08:25:43 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -736,33 +736,23 @@ create_digest(BIO *input, char *digest, const EVP_MD *md,
 static ASN1_INTEGER *
 create_nonce(int bits)
 {
-        unsigned char buf[20];
+        BIGNUM *bn;
        ASN1_INTEGER *nonce = NULL;
-        int len = (bits - 1) / 8 + 1;
-        int i;
-        /* Generating random byte sequence. */
+        if ((bn = BN_new()) == NULL)
-        if (len > (int) sizeof(buf))
                goto err;
-        arc4random_buf(buf, len);
+        if (!BN_rand(bn, bits, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))
-        /* Find the first non-zero byte and creating ASN1_INTEGER object. */
-        for (i = 0; i < len && !buf[i]; ++i)
-                ;
-        if ((nonce = ASN1_INTEGER_new()) == NULL)
                goto err;
-        free(nonce->data);
+        if ((nonce = BN_to_ASN1_INTEGER(bn, NULL)) == NULL)
-        /* Allocate at least one byte. */
-        nonce->length = len - i;
-        if ((nonce->data = malloc(nonce->length + 1)) == NULL)
                goto err;
-        memcpy(nonce->data, buf + i, nonce->length);
+        BN_free(bn);
        return nonce;
 err:
        BIO_printf(bio_err, "could not create nonce\n");
        ASN1_INTEGER_free(nonce);
+        BN_free(bn);
        return NULL;
 }