13 files changed, 211 insertions, 80 deletions
diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index cc56c53591..0e4c783d9e 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.171 2024/03/02 11:04:51 tb Exp $
+# $OpenBSD: Makefile,v 1.172 2024/03/02 11:11:11 tb Exp $
 LIB=    crypto
 LIBREBUILD=y
@@ -40,11 +40,13 @@ CFLAGS+= -I${LCRYPTO_SRC}/evp
 CFLAGS+= -I${LCRYPTO_SRC}/hidden
 CFLAGS+= -I${LCRYPTO_SRC}/hmac
 CFLAGS+= -I${LCRYPTO_SRC}/kdf
+CFLAGS+= -I${LCRYPTO_SRC}/lhash
 CFLAGS+= -I${LCRYPTO_SRC}/modes
 CFLAGS+= -I${LCRYPTO_SRC}/ocsp
 CFLAGS+= -I${LCRYPTO_SRC}/pkcs12
 CFLAGS+= -I${LCRYPTO_SRC}/rsa
 CFLAGS+= -I${LCRYPTO_SRC}/sha
+CFLAGS+= -I${LCRYPTO_SRC}/stack
 CFLAGS+= -I${LCRYPTO_SRC}/ts
 CFLAGS+= -I${LCRYPTO_SRC}/x509
diff --git a/src/lib/libcrypto/Symbols.list b/src/lib/libcrypto/Symbols.list
index 644797f655..f14233f649 100644
--- a/src/lib/libcrypto/Symbols.list
+++ b/src/lib/libcrypto/Symbols.list
@@ -3434,6 +3434,7 @@ idea_set_encrypt_key
 lh_delete
 lh_doall
 lh_doall_arg
+lh_error
 lh_free
 lh_insert
 lh_new
diff --git a/src/lib/libcrypto/conf/conf_api.c b/src/lib/libcrypto/conf/conf_api.c
index 464edcd4ff..b78bd50c2c 100644
--- a/src/lib/libcrypto/conf/conf_api.c
+++ b/src/lib/libcrypto/conf/conf_api.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf_api.c,v 1.17 2024/01/24 14:05:10 jsing Exp $ */
+/* $OpenBSD: conf_api.c,v 1.18 2024/03/02 11:11:11 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -69,6 +69,8 @@
 #include <openssl/conf.h>
 #include <openssl/conf_api.h>
+#include "lhash_local.h"
 static void value_free_hash_doall_arg(CONF_VALUE *a,
    LHASH_OF(CONF_VALUE) *conf);
 static void value_free_stack_doall(CONF_VALUE *a);
diff --git a/src/lib/libcrypto/hidden/openssl/lhash.h b/src/lib/libcrypto/hidden/openssl/lhash.h
index eee272cf46..2cf5b2dc5a 100644
--- a/src/lib/libcrypto/hidden/openssl/lhash.h
+++ b/src/lib/libcrypto/hidden/openssl/lhash.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: lhash.h,v 1.3 2024/03/02 11:04:51 tb Exp $ */
+/* $OpenBSD: lhash.h,v 1.4 2024/03/02 11:11:11 tb Exp $ */
 /*
 * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
 *
@@ -27,6 +27,7 @@
 LCRYPTO_USED(lh_new);
 LCRYPTO_USED(lh_free);
+LCRYPTO_USED(lh_error);
 LCRYPTO_USED(lh_insert);
 LCRYPTO_USED(lh_delete);
 LCRYPTO_USED(lh_retrieve);
diff --git a/src/lib/libcrypto/lhash/lhash.c b/src/lib/libcrypto/lhash/lhash.c
index 81660419c7..cd69f6fec1 100644
--- a/src/lib/libcrypto/lhash/lhash.c
+++ b/src/lib/libcrypto/lhash/lhash.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lhash.c,v 1.21 2024/01/24 14:02:52 jsing Exp $ */
+/* $OpenBSD: lhash.c,v 1.22 2024/03/02 11:11:11 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -103,6 +103,8 @@
 #include <openssl/crypto.h>
 #include <openssl/lhash.h>
+#include "lhash_local.h"
 #undef MIN_NODES
 #define MIN_NODES       16
 #define UP_LOAD         (2*LH_LOAD_MULT) /* load times 256  (default 2) */
@@ -157,6 +159,13 @@ lh_free(_LHASH *lh)
 }
 LCRYPTO_ALIAS(lh_free);
+int
+lh_error(_LHASH *lh)
+{
+        return lh->error;
+}
+LCRYPTO_ALIAS(lh_error);
 void *
 lh_insert(_LHASH *lh, void *data)
 {
diff --git a/src/lib/libcrypto/lhash/lhash.h b/src/lib/libcrypto/lhash/lhash.h
index 8db0174a61..86d05544a0 100644
--- a/src/lib/libcrypto/lhash/lhash.h
+++ b/src/lib/libcrypto/lhash/lhash.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: lhash.h,v 1.13 2024/03/02 11:04:51 tb Exp $ */
+/* $OpenBSD: lhash.h,v 1.14 2024/03/02 11:11:11 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -75,14 +75,6 @@
 extern "C" {
 #endif
-typedef struct lhash_node_st {
-        void *data;
-        struct lhash_node_st *next;
-#ifndef OPENSSL_NO_HASH_COMP
-        unsigned long hash;
-#endif
-} LHASH_NODE;
 typedef int (*LHASH_COMP_FN_TYPE)(const void *, const void *);
 typedef unsigned long (*LHASH_HASH_FN_TYPE)(const void *);
 typedef void (*LHASH_DOALL_FN_TYPE)(void *);
@@ -133,44 +125,13 @@ typedef void (*LHASH_DOALL_ARG_FN_TYPE)(void *, void *);
                name##_doall_arg(a, b); }
 #define LHASH_DOALL_ARG_FN(name) name##_LHASH_DOALL_ARG
-typedef struct lhash_st {
+typedef struct lhash_st _LHASH;
-        LHASH_NODE **b;
-        LHASH_COMP_FN_TYPE comp;
-        LHASH_HASH_FN_TYPE hash;
-        unsigned int num_nodes;
-        unsigned int num_alloc_nodes;
-        unsigned int p;
-        unsigned int pmax;
-        unsigned long up_load; /* load times 256 */
-        unsigned long down_load; /* load times 256 */
-        unsigned long num_items;
-        unsigned long num_expands;
-        unsigned long num_expand_reallocs;
-        unsigned long num_contracts;
-        unsigned long num_contract_reallocs;
-        unsigned long num_hash_calls;
-        unsigned long num_comp_calls;
-        unsigned long num_insert;
-        unsigned long num_replace;
-        unsigned long num_delete;
-        unsigned long num_no_delete;
-        unsigned long num_retrieve;
-        unsigned long num_retrieve_miss;
-        unsigned long num_hash_comps;
-        int error;
-} _LHASH;       /* Do not use _LHASH directly, use LHASH_OF
-                 * and friends */
 #define LH_LOAD_MULT    256
-/* Indicates a malloc() error in the last call, this is only bad
- * in lh_insert(). */
-#define lh_error(lh)    ((lh)->error)
 _LHASH *lh_new(LHASH_HASH_FN_TYPE h, LHASH_COMP_FN_TYPE c);
 void lh_free(_LHASH *lh);
+int lh_error(_LHASH *lh);
 void *lh_insert(_LHASH *lh, void *data);
 void *lh_delete(_LHASH *lh, const void *data);
 void *lh_retrieve(_LHASH *lh, const void *data);
@@ -183,7 +144,7 @@ unsigned long lh_num_items(const _LHASH *lh);
 #define LHASH_OF(type) struct lhash_st_##type
-#define DECLARE_LHASH_OF(type) LHASH_OF(type) { int dummy; }
+#define DECLARE_LHASH_OF(type) LHASH_OF(type)
 #define CHECKED_LHASH_OF(type,lh) \
  ((_LHASH *)CHECKED_PTR_OF(LHASH_OF(type),lh))
@@ -206,7 +167,6 @@ unsigned long lh_num_items(const _LHASH *lh);
 #define LHM_lh_doall_arg(type, lh, fn, arg_type, arg) \
  lh_doall_arg(CHECKED_LHASH_OF(type, lh), fn, CHECKED_PTR_OF(arg_type, arg))
 #define LHM_lh_num_items(type, lh) lh_num_items(CHECKED_LHASH_OF(type, lh))
-#define LHM_lh_down_load(type, lh) (CHECKED_LHASH_OF(type, lh)->down_load)
 #define LHM_lh_free(type, lh) lh_free(CHECKED_LHASH_OF(type, lh))
 DECLARE_LHASH_OF(OPENSSL_STRING);
diff --git a/src/lib/libcrypto/lhash/lhash_local.h b/src/lib/libcrypto/lhash/lhash_local.h
new file mode 100644
index 0000000000..5466e554e7
--- /dev/null
+++ b/src/lib/libcrypto/lhash/lhash_local.h
@@ -0,0 +1,105 @@
+/* $OpenBSD: lhash_local.h,v 1.1 2024/03/02 11:11:11 tb Exp $ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* Header for dynamic hash table routines
+ * Author - Eric Young
+ */
+#include <openssl/opensslconf.h>
+#ifndef HEADER_LHASH_LOCAL_H
+#define HEADER_LHASH_LOCAL_H
+typedef struct lhash_node_st {
+        void *data;
+        struct lhash_node_st *next;
+#ifndef OPENSSL_NO_HASH_COMP
+        unsigned long hash;
+#endif
+} LHASH_NODE;
+struct lhash_st {
+        LHASH_NODE **b;
+        LHASH_COMP_FN_TYPE comp;
+        LHASH_HASH_FN_TYPE hash;
+        unsigned int num_nodes;
+        unsigned int num_alloc_nodes;
+        unsigned int p;
+        unsigned int pmax;
+        unsigned long up_load; /* load times 256 */
+        unsigned long down_load; /* load times 256 */
+        unsigned long num_items;
+        unsigned long num_expands;
+        unsigned long num_expand_reallocs;
+        unsigned long num_contracts;
+        unsigned long num_contract_reallocs;
+        unsigned long num_hash_calls;
+        unsigned long num_comp_calls;
+        unsigned long num_insert;
+        unsigned long num_replace;
+        unsigned long num_delete;
+        unsigned long num_no_delete;
+        unsigned long num_retrieve;
+        unsigned long num_retrieve_miss;
+        unsigned long num_hash_comps;
+        int error;
+} /* _LHASH */;
+#endif
diff --git a/src/lib/libcrypto/objects/obj_dat.c b/src/lib/libcrypto/objects/obj_dat.c
index 626036264f..b90c80316c 100644
--- a/src/lib/libcrypto/objects/obj_dat.c
+++ b/src/lib/libcrypto/objects/obj_dat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: obj_dat.c,v 1.88 2024/03/02 09:49:45 tb Exp $ */
+/* $OpenBSD: obj_dat.c,v 1.89 2024/03/02 11:11:11 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -71,6 +71,7 @@
 #include <openssl/objects.h>
 #include "asn1_local.h"
+#include "lhash_local.h"
 /* obj_dat.h is generated from objects.h by obj_dat.pl */
 #include "obj_dat.h"
diff --git a/src/lib/libcrypto/stack/safestack.h b/src/lib/libcrypto/stack/safestack.h
index b64b865dc8..61770ef36f 100644
--- a/src/lib/libcrypto/stack/safestack.h
+++ b/src/lib/libcrypto/stack/safestack.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: safestack.h,v 1.30 2024/03/02 11:04:52 tb Exp $ */
+/* $OpenBSD: safestack.h,v 1.31 2024/03/02 11:11:11 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
@@ -84,16 +84,8 @@
 #define STACK_OF(type) struct stack_st_##type
 #define PREDECLARE_STACK_OF(type) STACK_OF(type);
-#define DECLARE_STACK_OF(type) \
+#define DECLARE_STACK_OF(type) STACK_OF(type);
-STACK_OF(type) \
+#define DECLARE_SPECIAL_STACK_OF(type, type2) STACK_OF(type);
-    { \
-    _STACK stack; \
-    };
-#define DECLARE_SPECIAL_STACK_OF(type, type2) \
-STACK_OF(type) \
-    { \
-    _STACK stack; \
-    };
 #define IMPLEMENT_STACK_OF(type) /* nada (obsolete in new safestack approach)*/
@@ -1815,7 +1807,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_STRING, char)
  LHM_lh_doall_arg(ADDED_OBJ,lh,fn,arg_type,arg)
 #define lh_ADDED_OBJ_error(lh) LHM_lh_error(ADDED_OBJ,lh)
 #define lh_ADDED_OBJ_num_items(lh) LHM_lh_num_items(ADDED_OBJ,lh)
-#define lh_ADDED_OBJ_down_load(lh) LHM_lh_down_load(ADDED_OBJ,lh)
 #define lh_ADDED_OBJ_free(lh) LHM_lh_free(ADDED_OBJ,lh)
 #define lh_CONF_VALUE_new() LHM_lh_new(CONF_VALUE,conf_value)
@@ -1827,7 +1818,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_STRING, char)
  LHM_lh_doall_arg(CONF_VALUE,lh,fn,arg_type,arg)
 #define lh_CONF_VALUE_error(lh) LHM_lh_error(CONF_VALUE,lh)
 #define lh_CONF_VALUE_num_items(lh) LHM_lh_num_items(CONF_VALUE,lh)
-#define lh_CONF_VALUE_down_load(lh) LHM_lh_down_load(CONF_VALUE,lh)
 #define lh_CONF_VALUE_free(lh) LHM_lh_free(CONF_VALUE,lh)
 #define lh_ERR_STATE_new() LHM_lh_new(ERR_STATE,err_state)
@@ -1839,7 +1829,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_STRING, char)
  LHM_lh_doall_arg(ERR_STATE,lh,fn,arg_type,arg)
 #define lh_ERR_STATE_error(lh) LHM_lh_error(ERR_STATE,lh)
 #define lh_ERR_STATE_num_items(lh) LHM_lh_num_items(ERR_STATE,lh)
-#define lh_ERR_STATE_down_load(lh) LHM_lh_down_load(ERR_STATE,lh)
 #define lh_ERR_STATE_free(lh) LHM_lh_free(ERR_STATE,lh)
 #define lh_ERR_STRING_DATA_new() LHM_lh_new(ERR_STRING_DATA,err_string_data)
@@ -1851,7 +1840,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_STRING, char)
  LHM_lh_doall_arg(ERR_STRING_DATA,lh,fn,arg_type,arg)
 #define lh_ERR_STRING_DATA_error(lh) LHM_lh_error(ERR_STRING_DATA,lh)
 #define lh_ERR_STRING_DATA_num_items(lh) LHM_lh_num_items(ERR_STRING_DATA,lh)
-#define lh_ERR_STRING_DATA_down_load(lh) LHM_lh_down_load(ERR_STRING_DATA,lh)
 #define lh_ERR_STRING_DATA_free(lh) LHM_lh_free(ERR_STRING_DATA,lh)
 #define lh_EX_CLASS_ITEM_new() LHM_lh_new(EX_CLASS_ITEM,ex_class_item)
@@ -1863,7 +1851,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_STRING, char)
  LHM_lh_doall_arg(EX_CLASS_ITEM,lh,fn,arg_type,arg)
 #define lh_EX_CLASS_ITEM_error(lh) LHM_lh_error(EX_CLASS_ITEM,lh)
 #define lh_EX_CLASS_ITEM_num_items(lh) LHM_lh_num_items(EX_CLASS_ITEM,lh)
-#define lh_EX_CLASS_ITEM_down_load(lh) LHM_lh_down_load(EX_CLASS_ITEM,lh)
 #define lh_EX_CLASS_ITEM_free(lh) LHM_lh_free(EX_CLASS_ITEM,lh)
 #define lh_FUNCTION_new() LHM_lh_new(FUNCTION,function)
@@ -1875,7 +1862,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_STRING, char)
  LHM_lh_doall_arg(FUNCTION,lh,fn,arg_type,arg)
 #define lh_FUNCTION_error(lh) LHM_lh_error(FUNCTION,lh)
 #define lh_FUNCTION_num_items(lh) LHM_lh_num_items(FUNCTION,lh)
-#define lh_FUNCTION_down_load(lh) LHM_lh_down_load(FUNCTION,lh)
 #define lh_FUNCTION_free(lh) LHM_lh_free(FUNCTION,lh)
 #define lh_OBJ_NAME_new() LHM_lh_new(OBJ_NAME,obj_name)
@@ -1887,7 +1873,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_STRING, char)
  LHM_lh_doall_arg(OBJ_NAME,lh,fn,arg_type,arg)
 #define lh_OBJ_NAME_error(lh) LHM_lh_error(OBJ_NAME,lh)
 #define lh_OBJ_NAME_num_items(lh) LHM_lh_num_items(OBJ_NAME,lh)
-#define lh_OBJ_NAME_down_load(lh) LHM_lh_down_load(OBJ_NAME,lh)
 #define lh_OBJ_NAME_free(lh) LHM_lh_free(OBJ_NAME,lh)
 #define lh_OPENSSL_STRING_new() LHM_lh_new(OPENSSL_STRING,openssl_string)
@@ -1899,7 +1884,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_STRING, char)
  LHM_lh_doall_arg(OPENSSL_STRING,lh,fn,arg_type,arg)
 #define lh_OPENSSL_STRING_error(lh) LHM_lh_error(OPENSSL_STRING,lh)
 #define lh_OPENSSL_STRING_num_items(lh) LHM_lh_num_items(OPENSSL_STRING,lh)
-#define lh_OPENSSL_STRING_down_load(lh) LHM_lh_down_load(OPENSSL_STRING,lh)
 #define lh_OPENSSL_STRING_free(lh) LHM_lh_free(OPENSSL_STRING,lh)
 #define lh_SSL_SESSION_new() LHM_lh_new(SSL_SESSION,ssl_session)
@@ -1911,7 +1895,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_STRING, char)
  LHM_lh_doall_arg(SSL_SESSION,lh,fn,arg_type,arg)
 #define lh_SSL_SESSION_error(lh) LHM_lh_error(SSL_SESSION,lh)
 #define lh_SSL_SESSION_num_items(lh) LHM_lh_num_items(SSL_SESSION,lh)
-#define lh_SSL_SESSION_down_load(lh) LHM_lh_down_load(SSL_SESSION,lh)
 #define lh_SSL_SESSION_free(lh) LHM_lh_free(SSL_SESSION,lh)
 #endif /* !defined HEADER_SAFESTACK_H */
diff --git a/src/lib/libcrypto/stack/stack.c b/src/lib/libcrypto/stack/stack.c
index 86117f07a7..99bb52dcfa 100644
--- a/src/lib/libcrypto/stack/stack.c
+++ b/src/lib/libcrypto/stack/stack.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: stack.c,v 1.26 2024/03/02 09:47:16 tb Exp $ */
+/* $OpenBSD: stack.c,v 1.27 2024/03/02 11:11:11 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,6 +63,8 @@
 #include <openssl/objects.h>
 #include <openssl/stack.h>
+#include "stack_local.h"
 #undef MIN_NODES
 #define MIN_NODES       4
diff --git a/src/lib/libcrypto/stack/stack.h b/src/lib/libcrypto/stack/stack.h
index 6bea6348f2..8b490c7225 100644
--- a/src/lib/libcrypto/stack/stack.h
+++ b/src/lib/libcrypto/stack/stack.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: stack.h,v 1.9 2014/06/12 15:49:30 deraadt Exp $ */
+/* $OpenBSD: stack.h,v 1.10 2024/03/02 11:11:11 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,14 +63,7 @@
 extern "C" {
 #endif
-typedef struct stack_st {
+typedef struct stack_st _STACK;
-        int num;
-        char **data;
-        int sorted;
-        int num_alloc;
-        int (*comp)(const void *, const void *);
-} _STACK;  /* Use STACK_OF(...) instead */
 #define M_sk_num(sk)            ((sk) ? (sk)->num:-1)
 #define M_sk_value(sk,n)        ((sk) ? (sk)->data[n] : NULL)
diff --git a/src/lib/libcrypto/stack/stack_local.h b/src/lib/libcrypto/stack/stack_local.h
new file mode 100644
index 0000000000..a330707192
--- /dev/null
+++ b/src/lib/libcrypto/stack/stack_local.h
@@ -0,0 +1,71 @@
+/* $OpenBSD: stack_local.h,v 1.1 2024/03/02 11:11:11 tb Exp $ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+#ifndef HEADER_STACK_LOCAL_H
+#define HEADER_STACK_LOCAL_H
+struct stack_st {
+        int num;
+        char **data;
+        int sorted;
+        int num_alloc;
+        int (*comp)(const void *, const void *);
+} /* _STACK */;
+#endif
diff --git a/src/lib/libcrypto/x509/x509_policy.c b/src/lib/libcrypto/x509/x509_policy.c
index 73f7154f51..ec9be8d927 100644
--- a/src/lib/libcrypto/x509/x509_policy.c
+++ b/src/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_policy.c,v 1.25 2023/04/28 16:30:14 tb Exp $ */
+/*      $OpenBSD: x509_policy.c,v 1.26 2024/03/02 11:11:11 tb Exp $ */
 /*
 * Copyright (c) 2022, Google Inc.
 *
@@ -23,6 +23,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "stack_local.h"
 #include "x509_internal.h"
 #include "x509_local.h"