36 files changed, 132 insertions, 338 deletions

diff --git a/src/lib/libcrypto/asn1/a_bitstr.c b/src/lib/libcrypto/asn1/a_bitstr.c
index d5d00c4d44..3d1e49c49a 100644
--- a/src/lib/libcrypto/asn1/a_bitstr.c
+++ b/src/lib/libcrypto/asn1/a_bitstr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_bitstr.c,v 1.43 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_bitstr.c,v 1.44 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,10 +63,10 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
 #include "bytestring.h"
+#include "err_local.h"
 
 const ASN1_ITEM ASN1_BIT_STRING_it = {
         .itype = ASN1_ITYPE_PRIMITIVE,
diff --git a/src/lib/libcrypto/asn1/a_enum.c b/src/lib/libcrypto/asn1/a_enum.c
index 5d3a3dd0c7..ac5033ea8a 100644
--- a/src/lib/libcrypto/asn1/a_enum.c
+++ b/src/lib/libcrypto/asn1/a_enum.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_enum.c,v 1.30 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_enum.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,10 +63,10 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
 #include "bytestring.h"
+#include "err_local.h"
 
 /*
  * Code for ENUMERATED type: identical to INTEGER apart from a different tag.
diff --git a/src/lib/libcrypto/asn1/a_int.c b/src/lib/libcrypto/asn1/a_int.c
index 0d9b6577d7..f171e330f6 100644
--- a/src/lib/libcrypto/asn1/a_int.c
+++ b/src/lib/libcrypto/asn1/a_int.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_int.c,v 1.48 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_int.c,v 1.49 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -64,9 +64,9 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 
 #include "bytestring.h"
+#include "err_local.h"
 
 const ASN1_ITEM ASN1_INTEGER_it = {
         .itype = ASN1_ITYPE_PRIMITIVE,
diff --git a/src/lib/libcrypto/asn1/a_mbstr.c b/src/lib/libcrypto/asn1/a_mbstr.c
index f050f97539..38398ad1d1 100644
--- a/src/lib/libcrypto/asn1/a_mbstr.c
+++ b/src/lib/libcrypto/asn1/a_mbstr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_mbstr.c,v 1.27 2023/07/05 21:23:36 beck Exp $ */
+/* $OpenBSD: a_mbstr.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -61,9 +61,9 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 static int traverse_string(const unsigned char *p, int len, int inform,
     int (*rfunc)(unsigned long value, void *in), void *arg);
diff --git a/src/lib/libcrypto/asn1/a_object.c b/src/lib/libcrypto/asn1/a_object.c
index 2f3ca1398f..333ac60348 100644
--- a/src/lib/libcrypto/asn1/a_object.c
+++ b/src/lib/libcrypto/asn1/a_object.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_object.c,v 1.55 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_object.c,v 1.56 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,11 +62,11 @@
 
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 const ASN1_ITEM ASN1_OBJECT_it = {
         .itype = ASN1_ITYPE_PRIMITIVE,
diff --git a/src/lib/libcrypto/asn1/a_pkey.c b/src/lib/libcrypto/asn1/a_pkey.c
index a730728076..636b602377 100644
--- a/src/lib/libcrypto/asn1/a_pkey.c
+++ b/src/lib/libcrypto/asn1/a_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_pkey.c,v 1.8 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: a_pkey.c,v 1.9 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,12 +62,12 @@
 
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 EVP_PKEY *
diff --git a/src/lib/libcrypto/asn1/a_pubkey.c b/src/lib/libcrypto/asn1/a_pubkey.c
index 544f3d2cf0..f846b6cda5 100644
--- a/src/lib/libcrypto/asn1/a_pubkey.c
+++ b/src/lib/libcrypto/asn1/a_pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_pubkey.c,v 1.7 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: a_pubkey.c,v 1.8 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,7 +62,6 @@
 
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 
@@ -76,6 +75,7 @@
 #include <openssl/rsa.h>
 #endif
 
+#include "err_local.h"
 #include "evp_local.h"
 
 EVP_PKEY *
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
index 5523c22cc4..52e1b7db5d 100644
--- a/src/lib/libcrypto/asn1/a_strex.c
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_strex.c,v 1.37 2025/03/09 15:17:22 tb Exp $ */
+/* $OpenBSD: a_strex.c,v 1.38 2025/03/19 11:18:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -565,31 +565,6 @@ do_name_ex(char_io *io_ch, void *arg, const X509_NAME *n, int indent,
         return outlen;
 }
 
-/* NID with SN of 1-2 letters, which X509_NAME_print() historically included. */
-static int
-x509_name_entry_include(const X509_NAME_ENTRY *ne)
-{
-        int nid;
-
-        if ((nid = OBJ_obj2nid(ne->object)) == NID_undef)
-                return 0;
-
-        switch (nid) {
-        case NID_commonName:
-        case NID_surname:
-        case NID_countryName:
-        case NID_localityName:
-        case NID_stateOrProvinceName:
-        case NID_organizationName:
-        case NID_organizationalUnitName:
-        case NID_givenName:
-        case NID_domainComponent: /* XXX - doesn't really belong here */
-                return 1;
-        }
-
-        return 0;
-}
-
 static int
 X509_NAME_print(BIO *bio, const X509_NAME *name, int obase)
 {
@@ -607,9 +582,6 @@ X509_NAME_print(BIO *bio, const X509_NAME *name, int obase)
         for (i = 0; i < sk_X509_NAME_ENTRY_num(name->entries); i++) {
                 ne = sk_X509_NAME_ENTRY_value(name->entries, i);
 
-                if (!x509_name_entry_include(ne))
-                        continue;
-
                 if (started) {
                         if (!CBB_add_u8(&cbb, ','))
                                 goto err;
diff --git a/src/lib/libcrypto/asn1/a_string.c b/src/lib/libcrypto/asn1/a_string.c
index ec492e71f0..70e9c95f22 100644
--- a/src/lib/libcrypto/asn1/a_string.c
+++ b/src/lib/libcrypto/asn1/a_string.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_string.c,v 1.17 2023/08/15 18:05:15 tb Exp $ */
+/* $OpenBSD: a_string.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,9 +61,9 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 ASN1_STRING *
 ASN1_STRING_new(void)
diff --git a/src/lib/libcrypto/asn1/a_strnid.c b/src/lib/libcrypto/asn1/a_strnid.c
index 5fa60b9ce7..3519d6725d 100644
--- a/src/lib/libcrypto/asn1/a_strnid.c
+++ b/src/lib/libcrypto/asn1/a_strnid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_strnid.c,v 1.31 2024/03/02 08:54:02 tb Exp $ */
+/* $OpenBSD: a_strnid.c,v 1.32 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,7 +62,6 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 
 /*
diff --git a/src/lib/libcrypto/asn1/a_time.c b/src/lib/libcrypto/asn1/a_time.c
index 15ac1af5c4..3deff56eda 100644
--- a/src/lib/libcrypto/asn1/a_time.c
+++ b/src/lib/libcrypto/asn1/a_time.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time.c,v 1.38 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_time.c,v 1.39 2025/05/10 05:54:38 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
  *
@@ -65,7 +65,6 @@
 #include <time.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
 
diff --git a/src/lib/libcrypto/asn1/a_time_tm.c b/src/lib/libcrypto/asn1/a_time_tm.c
index a1f329be96..dd2893167f 100644
--- a/src/lib/libcrypto/asn1/a_time_tm.c
+++ b/src/lib/libcrypto/asn1/a_time_tm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time_tm.c,v 1.42 2024/05/03 18:33:27 tb Exp $ */
+/* $OpenBSD: a_time_tm.c,v 1.43 2025/05/10 05:54:38 tb Exp $ */
 /*
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
  *
@@ -22,10 +22,10 @@
 #include <time.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 
-#include "bytestring.h"
 #include "asn1_local.h"
+#include "bytestring.h"
+#include "err_local.h"
 
 #define RFC5280 0
 #define GENTIME_LENGTH 15
diff --git a/src/lib/libcrypto/asn1/a_type.c b/src/lib/libcrypto/asn1/a_type.c
index ef0a76e810..502db42a73 100644
--- a/src/lib/libcrypto/asn1/a_type.c
+++ b/src/lib/libcrypto/asn1/a_type.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_type.c,v 1.27 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: a_type.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,10 +59,10 @@
 #include <string.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 typedef struct {
         ASN1_INTEGER *num;
diff --git a/src/lib/libcrypto/asn1/asn1_gen.c b/src/lib/libcrypto/asn1/asn1_gen.c
index edd6743993..b409e83c7d 100644
--- a/src/lib/libcrypto/asn1/asn1_gen.c
+++ b/src/lib/libcrypto/asn1/asn1_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_gen.c,v 1.27 2025/03/06 07:25:01 tb Exp $ */
+/* $OpenBSD: asn1_gen.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2002.
  */
@@ -59,11 +59,11 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
 #include "asn1_local.h"
 #include "conf_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 #define ASN1_GEN_FLAG           0x10000
diff --git a/src/lib/libcrypto/asn1/asn1_item.c b/src/lib/libcrypto/asn1/asn1_item.c
index 86c800e3ad..621d65711b 100644
--- a/src/lib/libcrypto/asn1/asn1_item.c
+++ b/src/lib/libcrypto/asn1/asn1_item.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_item.c,v 1.21 2024/04/09 13:55:02 beck Exp $ */
+/* $OpenBSD: asn1_item.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -112,11 +112,11 @@
 #include <limits.h>
 
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/asn1/asn1_old.c b/src/lib/libcrypto/asn1/asn1_old.c
index 7992fccdef..c47ea8e74a 100644
--- a/src/lib/libcrypto/asn1/asn1_old.c
+++ b/src/lib/libcrypto/asn1/asn1_old.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_old.c,v 1.6 2024/04/10 14:55:12 beck Exp $ */
+/* $OpenBSD: asn1_old.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,9 +61,9 @@
 
 #include <openssl/asn1.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 #ifndef NO_OLD_ASN1
 
diff --git a/src/lib/libcrypto/asn1/asn1_old_lib.c b/src/lib/libcrypto/asn1/asn1_old_lib.c
index 80362ae689..541ac7b615 100644
--- a/src/lib/libcrypto/asn1/asn1_old_lib.c
+++ b/src/lib/libcrypto/asn1/asn1_old_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_old_lib.c,v 1.6 2023/07/05 21:23:36 beck Exp $ */
+/* $OpenBSD: asn1_old_lib.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,9 +61,9 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 static void asn1_put_length(unsigned char **pp, int length);
 
diff --git a/src/lib/libcrypto/asn1/asn_mime.c b/src/lib/libcrypto/asn1/asn_mime.c
index 3995fc547c..d42dd8663e 100644
--- a/src/lib/libcrypto/asn1/asn_mime.c
+++ b/src/lib/libcrypto/asn1/asn_mime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn_mime.c,v 1.35 2025/01/17 05:02:18 tb Exp $ */
+/* $OpenBSD: asn_mime.c,v 1.37 2025/06/02 12:18:21 jsg Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -59,10 +59,10 @@
 
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 
 /* Generalised MIME like utilities for streaming ASN1. Although many
@@ -507,8 +507,9 @@ SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it)
                         *bcont = sk_BIO_value(parts, 0);
                         BIO_free(asnin);
                         sk_BIO_free(parts);
-                } else sk_BIO_pop_free(parts, BIO_vfree);
-                        return val;
+                } else
+                        sk_BIO_pop_free(parts, BIO_vfree);
+                return val;
         }
 
         /* OK, if not multipart/signed try opaque signature */
diff --git a/src/lib/libcrypto/asn1/asn_moid.c b/src/lib/libcrypto/asn1/asn_moid.c
index e3c7d09446..a9a752cc38 100644
--- a/src/lib/libcrypto/asn1/asn_moid.c
+++ b/src/lib/libcrypto/asn1/asn_moid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn_moid.c,v 1.18 2024/08/31 09:26:18 tb Exp $ */
+/* $OpenBSD: asn_moid.c,v 1.20 2025/05/10 11:51:01 tb Exp $ */
 /* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -60,13 +60,13 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/conf.h>
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
 #include "conf_local.h"
+#include "err_local.h"
 
 /* Simple ASN1 OID module: add all objects in a given section */
 
diff --git a/src/lib/libcrypto/asn1/bio_ndef.c b/src/lib/libcrypto/asn1/bio_ndef.c
index 98bb1cd197..d001ffb0ae 100644
--- a/src/lib/libcrypto/asn1/bio_ndef.c
+++ b/src/lib/libcrypto/asn1/bio_ndef.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_ndef.c,v 1.24 2023/07/28 09:58:30 tb Exp $ */
+/* $OpenBSD: bio_ndef.c,v 1.25 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -57,9 +57,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 int BIO_asn1_set_prefix(BIO *b, asn1_ps_func *prefix, asn1_ps_func *prefix_free);
 int BIO_asn1_set_suffix(BIO *b, asn1_ps_func *suffix, asn1_ps_func *suffix_free);
diff --git a/src/lib/libcrypto/asn1/p5_pbe.c b/src/lib/libcrypto/asn1/p5_pbe.c
index 582d2d9a9b..668bf5d7c1 100644
--- a/src/lib/libcrypto/asn1/p5_pbe.c
+++ b/src/lib/libcrypto/asn1/p5_pbe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_pbe.c,v 1.28 2024/07/08 14:48:49 beck Exp $ */
+/* $OpenBSD: p5_pbe.c,v 1.30 2025/05/24 02:57:14 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -61,11 +61,14 @@
 #include <string.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
+/* RFC 8018, section 6.1 specifies an eight-octet salt for PBES1. */
+#define PKCS5_PBE1_SALT_LEN     8
+
 /* PKCS#5 password based encryption structure */
 
 static const ASN1_TEMPLATE PBEPARAM_seq_tt[] = {
@@ -139,7 +142,7 @@ PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
                 goto err;
         }
         if (!saltlen)
-                saltlen = PKCS5_SALT_LEN;
+                saltlen = PKCS5_PBE1_SALT_LEN;
         if (!ASN1_STRING_set(pbe->salt, NULL, saltlen)) {
                 ASN1error(ERR_R_MALLOC_FAILURE);
                 goto err;
diff --git a/src/lib/libcrypto/asn1/p5_pbev2.c b/src/lib/libcrypto/asn1/p5_pbev2.c
index 76872a8dec..64924d9b38 100644
--- a/src/lib/libcrypto/asn1/p5_pbev2.c
+++ b/src/lib/libcrypto/asn1/p5_pbev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_pbev2.c,v 1.35 2024/03/26 07:03:10 tb Exp $ */
+/* $OpenBSD: p5_pbev2.c,v 1.38 2025/05/24 02:57:14 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999-2004.
  */
@@ -61,12 +61,18 @@
 #include <string.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
+/*
+ * RFC 8018, sections 6.2 and 4 specify at least 64 bits for PBES2, apparently
+ * FIPS will require at least 128 bits in the future, OpenSSL does that.
+ */
+#define PKCS5_PBE2_SALT_LEN     16
+
 /* PKCS#5 v2.0 password based encryption structures */
 
 static const ASN1_TEMPLATE PBE2PARAM_seq_tt[] = {
@@ -187,7 +193,7 @@ PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, unsigned char *salt,
     int saltlen)
 {
         X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
-        int prf_nid = NID_hmacWithSHA1;
+        int prf_nid = NID_hmacWithSHA256;
         int alg_nid, keylen;
         EVP_CIPHER_CTX ctx;
         unsigned char iv[EVP_MAX_IV_LENGTH];
@@ -292,7 +298,7 @@ PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, int prf_nid,
         kdf->salt->type = V_ASN1_OCTET_STRING;
 
         if (!saltlen)
-                saltlen = PKCS5_SALT_LEN;
+                saltlen = PKCS5_PBE2_SALT_LEN;
         if (!(osalt->data = malloc (saltlen)))
                 goto merr;
 
diff --git a/src/lib/libcrypto/asn1/t_crl.c b/src/lib/libcrypto/asn1/t_crl.c
index 6449e7f199..295ab6c050 100644
--- a/src/lib/libcrypto/asn1/t_crl.c
+++ b/src/lib/libcrypto/asn1/t_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_crl.c,v 1.26 2024/05/03 02:52:00 tb Exp $ */
+/* $OpenBSD: t_crl.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -61,11 +61,11 @@
 
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 int
diff --git a/src/lib/libcrypto/asn1/t_req.c b/src/lib/libcrypto/asn1/t_req.c
index 1d4be9865d..51e4b4f651 100644
--- a/src/lib/libcrypto/asn1/t_req.c
+++ b/src/lib/libcrypto/asn1/t_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_req.c,v 1.28 2024/05/03 02:52:00 tb Exp $ */
+/* $OpenBSD: t_req.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,7 +62,6 @@
 
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -74,6 +73,7 @@
 #include <openssl/rsa.h>
 #endif
 
+#include "err_local.h"
 #include "x509_local.h"
 
 int
diff --git a/src/lib/libcrypto/asn1/t_x509.c b/src/lib/libcrypto/asn1/t_x509.c
index 7cf4557314..71f97a8214 100644
--- a/src/lib/libcrypto/asn1/t_x509.c
+++ b/src/lib/libcrypto/asn1/t_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_x509.c,v 1.51 2025/02/08 03:41:36 tb Exp $ */
+/* $OpenBSD: t_x509.c,v 1.54 2025/07/01 06:46:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -65,13 +65,13 @@
 
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/sha.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
@@ -106,6 +106,28 @@ X509_print(BIO *bp, X509 *x)
 }
 LCRYPTO_ALIAS(X509_print);
 
+static int
+x509_print_uids(BIO *bp, const X509 *x, int indent)
+{
+        const ASN1_BIT_STRING *issuerUID = NULL, *subjectUID = NULL;
+
+        X509_get0_uids(x, &issuerUID, &subjectUID);
+        if (issuerUID != NULL) {
+                if (BIO_printf(bp, "%*sIssuer Unique ID: ", indent, "") <= 0)
+                        return 0;
+                if (!X509_signature_dump(bp, issuerUID, indent + 4))
+                        return 0;
+        }
+        if (subjectUID != NULL) {
+                if (BIO_printf(bp, "%*sSubject Unique ID: ", indent, "") <= 0)
+                        return 0;
+                if (!X509_signature_dump(bp, subjectUID, indent + 4))
+                        return 0;
+        }
+
+        return 1;
+}
+
 int
 X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 {
@@ -127,9 +149,9 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 
         ci = x->cert_info;
         if (!(cflag & X509_FLAG_NO_HEADER)) {
-                if (BIO_write(bp, "Certificate:\n", 13) <= 0)
+                if (BIO_printf(bp, "Certificate:\n") <= 0)
                         goto err;
-                if (BIO_write(bp, "    Data:\n", 10) <= 0)
+                if (BIO_printf(bp, "    Data:\n") <= 0)
                         goto err;
         }
         if (!(cflag & X509_FLAG_NO_VERSION)) {
@@ -145,7 +167,7 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                 }
         }
         if (!(cflag & X509_FLAG_NO_SERIAL)) {
-                if (BIO_write(bp, "        Serial Number:", 22) <= 0)
+                if (BIO_printf(bp, "        Serial Number:") <= 0)
                         goto err;
 
                 bs = X509_get_serialNumber(x);
@@ -196,21 +218,21 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                 if (X509_NAME_print_ex(bp, X509_get_issuer_name(x),
                     nmindent, nmflags) < (nmflags == X509_FLAG_COMPAT ? 1 : 0))
                         goto err;
-                if (BIO_write(bp, "\n", 1) <= 0)
+                if (BIO_printf(bp, "\n") <= 0)
                         goto err;
         }
         if (!(cflag & X509_FLAG_NO_VALIDITY)) {
-                if (BIO_write(bp, "        Validity\n", 17) <= 0)
+                if (BIO_printf(bp, "        Validity\n") <= 0)
                         goto err;
-                if (BIO_write(bp, "            Not Before: ", 24) <= 0)
+                if (BIO_printf(bp, "            Not Before: ") <= 0)
                         goto err;
                 if (!ASN1_TIME_print(bp, X509_get_notBefore(x)))
                         goto err;
-                if (BIO_write(bp, "\n            Not After : ", 25) <= 0)
+                if (BIO_printf(bp, "\n            Not After : ") <= 0)
                         goto err;
                 if (!ASN1_TIME_print(bp, X509_get_notAfter(x)))
                         goto err;
-                if (BIO_write(bp, "\n", 1) <= 0)
+                if (BIO_printf(bp, "\n") <= 0)
                         goto err;
         }
         if (!(cflag & X509_FLAG_NO_SUBJECT)) {
@@ -219,12 +241,11 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                 if (X509_NAME_print_ex(bp, X509_get_subject_name(x),
                     nmindent, nmflags) < (nmflags == X509_FLAG_COMPAT ? 1 : 0))
                         goto err;
-                if (BIO_write(bp, "\n", 1) <= 0)
+                if (BIO_printf(bp, "\n") <= 0)
                         goto err;
         }
         if (!(cflag & X509_FLAG_NO_PUBKEY)) {
-                if (BIO_write(bp, "        Subject Public Key Info:\n",
-                    33) <= 0)
+                if (BIO_printf(bp, "        Subject Public Key Info:\n") <= 0)
                         goto err;
                 if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)
                         goto err;
@@ -243,6 +264,11 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                 }
         }
 
+        if (!(cflag & X509_FLAG_NO_IDS)) {
+                if (!x509_print_uids(bp, x, 8))
+                        goto err;
+        }
+
         if (!(cflag & X509_FLAG_NO_EXTENSIONS))
                 X509V3_extensions_print(bp, "X509v3 extensions",
                     ci->extensions, cflag, 8);
@@ -325,7 +351,7 @@ X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
         s = sig->data;
         for (i = 0; i < n; i++) {
                 if ((i % 18) == 0) {
-                        if (BIO_write(bp, "\n", 1) <= 0)
+                        if (BIO_printf(bp, "\n") <= 0)
                                 return 0;
                         if (BIO_indent(bp, indent, indent) <= 0)
                                 return 0;
@@ -334,7 +360,7 @@ X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
                     ((i + 1) == n) ? "" : ":") <= 0)
                         return 0;
         }
-        if (BIO_write(bp, "\n", 1) != 1)
+        if (BIO_printf(bp, "\n") != 1)
                 return 0;
 
         return 1;
@@ -375,7 +401,7 @@ ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
                 return ASN1_UTCTIME_print(bp, tm);
         if (tm->type == V_ASN1_GENERALIZEDTIME)
                 return ASN1_GENERALIZEDTIME_print(bp, tm);
-        BIO_write(bp, "Bad time value", 14);
+        BIO_printf(bp, "Bad time value");
         return (0);
 }
 LCRYPTO_ALIAS(ASN1_TIME_print);
@@ -435,7 +461,7 @@ ASN1_GENERALIZEDTIME_print(BIO *bp, const ASN1_GENERALIZEDTIME *tm)
                 return (1);
 
  err:
-        BIO_write(bp, "Bad time value", 14);
+        BIO_printf(bp, "Bad time value");
         return (0);
 }
 LCRYPTO_ALIAS(ASN1_GENERALIZEDTIME_print);
@@ -479,7 +505,7 @@ ASN1_UTCTIME_print(BIO *bp, const ASN1_UTCTIME *tm)
                 return (1);
 
  err:
-        BIO_write(bp, "Bad time value", 14);
+        BIO_printf(bp, "Bad time value");
         return (0);
 }
 LCRYPTO_ALIAS(ASN1_UTCTIME_print);
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
index 31b9efee54..1bffae8a94 100644
--- a/src/lib/libcrypto/asn1/tasn_dec.c
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_dec.c,v 1.88 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: tasn_dec.c,v 1.89 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -63,11 +63,11 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 
 #include "asn1_local.h"
 #include "bytestring.h"
+#include "err_local.h"
 
 /*
  * Constructed types with a recursive definition (such as can be found in PKCS7)
diff --git a/src/lib/libcrypto/asn1/tasn_enc.c b/src/lib/libcrypto/asn1/tasn_enc.c
index b71993a139..a65fb5b7e7 100644
--- a/src/lib/libcrypto/asn1/tasn_enc.c
+++ b/src/lib/libcrypto/asn1/tasn_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_enc.c,v 1.33 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: tasn_enc.c,v 1.34 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -61,10 +61,10 @@
 
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,
     const ASN1_ITEM *it, int tag, int aclass);
diff --git a/src/lib/libcrypto/asn1/tasn_new.c b/src/lib/libcrypto/asn1/tasn_new.c
index 10c1137dbf..e17810b832 100644
--- a/src/lib/libcrypto/asn1/tasn_new.c
+++ b/src/lib/libcrypto/asn1/tasn_new.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_new.c,v 1.25 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: tasn_new.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -60,11 +60,11 @@
 #include <stddef.h>
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
-#include <openssl/err.h>
 #include <openssl/asn1t.h>
 #include <string.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 static int asn1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
 static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
diff --git a/src/lib/libcrypto/asn1/tasn_prn.c b/src/lib/libcrypto/asn1/tasn_prn.c
index 07764fc091..4db6d61111 100644
--- a/src/lib/libcrypto/asn1/tasn_prn.c
+++ b/src/lib/libcrypto/asn1/tasn_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_prn.c,v 1.27 2024/03/02 09:04:07 tb Exp $ */
+/* $OpenBSD: tasn_prn.c,v 1.29 2025/06/07 09:28:00 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -61,7 +61,6 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509v3.h>
 
@@ -411,7 +410,7 @@ asn1_primitive_print(BIO *out, ASN1_VALUE **fld, const ASN1_ITEM *it,
         if (!asn1_print_fsname(out, indent, fname, sname, pctx))
                 return 0;
 
-        if (it != NULL && it->funcs != NULL) {
+        if (it->funcs != NULL) {
                 const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
 
                 if (pf->prim_print == NULL)
diff --git a/src/lib/libcrypto/asn1/tasn_utl.c b/src/lib/libcrypto/asn1/tasn_utl.c
index ae546edd4b..178a364c89 100644
--- a/src/lib/libcrypto/asn1/tasn_utl.c
+++ b/src/lib/libcrypto/asn1/tasn_utl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_utl.c,v 1.18 2022/12/26 07:18:51 jmc Exp $ */
+/* $OpenBSD: tasn_utl.c,v 1.19 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -63,9 +63,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/objects.h>
-#include <openssl/err.h>
 
 #include "bytestring.h"
+#include "err_local.h"
 
 /* Utility functions for manipulating fields and offsets */
 
diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c
index 7ad8350f3d..19caf56cec 100644
--- a/src/lib/libcrypto/asn1/x_crl.c
+++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_crl.c,v 1.48 2025/02/27 20:13:41 tb Exp $ */
+/* $OpenBSD: x_crl.c,v 1.50 2025/07/10 18:48:31 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,11 +61,11 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp);
@@ -540,6 +540,12 @@ LCRYPTO_ALIAS(X509_CRL_add0_revoked);
 int
 X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey)
 {
+        /*
+         * The CertificateList's signature AlgorithmIdentifier must match
+         * the one inside the TBSCertList, see RFC 5280, 5.1.1.2, 5.1.2.2.
+         */
+        if (X509_ALGOR_cmp(crl->sig_alg, crl->crl->sig_alg) != 0)
+                return 0;
         return ASN1_item_verify(&X509_CRL_INFO_it, crl->sig_alg, crl->signature,
             crl->crl, pkey);
 }
diff --git a/src/lib/libcrypto/asn1/x_info.c b/src/lib/libcrypto/asn1/x_info.c
deleted file mode 100644
index d2c4bcfe7a..0000000000
--- a/src/lib/libcrypto/asn1/x_info.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/* $OpenBSD: x_info.c,v 1.22 2024/12/11 10:28:03 tb Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-
-#include <openssl/asn1.h>
-#include <openssl/err.h>
-#include <openssl/x509.h>
-
-X509_INFO *
-X509_INFO_new(void)
-{
-        X509_INFO *ret;
-
-        if ((ret = calloc(1, sizeof(X509_INFO))) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                return NULL;
-        }
-        ret->references = 1;
-
-        return ret;
-}
-LCRYPTO_ALIAS(X509_INFO_new);
-
-void
-X509_INFO_free(X509_INFO *x)
-{
-        if (x == NULL)
-                return;
-
-        if (CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO) > 0)
-                return;
-
-        X509_free(x->x509);
-        X509_CRL_free(x->crl);
-        X509_PKEY_free(x->x_pkey);
-        free(x->enc_data);
-
-        free(x);
-}
-LCRYPTO_ALIAS(X509_INFO_free);
diff --git a/src/lib/libcrypto/asn1/x_long.c b/src/lib/libcrypto/asn1/x_long.c
index 5e673f4521..a72411f30c 100644
--- a/src/lib/libcrypto/asn1/x_long.c
+++ b/src/lib/libcrypto/asn1/x_long.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_long.c,v 1.21 2024/07/08 16:24:22 beck Exp $ */
+/* $OpenBSD: x_long.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -61,9 +61,9 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 
 /*
  * Custom primitive type for long handling. This converts between an
diff --git a/src/lib/libcrypto/asn1/x_name.c b/src/lib/libcrypto/asn1/x_name.c
index 7bacd83340..09536666fc 100644
--- a/src/lib/libcrypto/asn1/x_name.c
+++ b/src/lib/libcrypto/asn1/x_name.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_name.c,v 1.44 2024/07/08 14:48:49 beck Exp $ */
+/* $OpenBSD: x_name.c,v 1.46 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,10 +61,10 @@
 #include <string.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
@@ -414,8 +414,10 @@ x509_name_encode(X509_NAME *a)
                         if (!entries)
                                 goto memerr;
                         if (!sk_STACK_OF_X509_NAME_ENTRY_push(intname.s,
-                            entries))
+                            entries)) {
+                                sk_X509_NAME_ENTRY_free(entries);
                                 goto memerr;
+                        }
                         set = entry->set;
                 }
                 if (entries == NULL /* if entry->set is bogusly -1 */ ||
diff --git a/src/lib/libcrypto/asn1/x_pkey.c b/src/lib/libcrypto/asn1/x_pkey.c
deleted file mode 100644
index 5c96c13ab9..0000000000
--- a/src/lib/libcrypto/asn1/x_pkey.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/* $OpenBSD: x_pkey.c,v 1.24 2024/04/09 13:55:02 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-
-X509_PKEY *
-X509_PKEY_new(void)
-{
-        X509_PKEY *ret = NULL;
-
-        if ((ret = malloc(sizeof(X509_PKEY))) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        ret->version = 0;
-        if ((ret->enc_algor = X509_ALGOR_new()) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if ((ret->enc_pkey = ASN1_OCTET_STRING_new()) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        ret->dec_pkey = NULL;
-        ret->key_length = 0;
-        ret->key_data = NULL;
-        ret->key_free = 0;
-        ret->cipher.cipher = NULL;
-        memset(ret->cipher.iv, 0, EVP_MAX_IV_LENGTH);
-        ret->references = 1;
-        return (ret);
-
- err:
-        if (ret) {
-                X509_ALGOR_free(ret->enc_algor);
-                free(ret);
-        }
-        return NULL;
-}
-LCRYPTO_ALIAS(X509_PKEY_new);
-
-void
-X509_PKEY_free(X509_PKEY *x)
-{
-        int i;
-
-        if (x == NULL)
-                return;
-
-        i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_PKEY);
-        if (i > 0)
-                return;
-
-        if (x->enc_algor != NULL)
-                X509_ALGOR_free(x->enc_algor);
-        ASN1_OCTET_STRING_free(x->enc_pkey);
-        EVP_PKEY_free(x->dec_pkey);
-        if ((x->key_data != NULL) && (x->key_free))
-                free(x->key_data);
-        free(x);
-}
-LCRYPTO_ALIAS(X509_PKEY_free);
diff --git a/src/lib/libcrypto/asn1/x_pubkey.c b/src/lib/libcrypto/asn1/x_pubkey.c
index 1e772a3458..ec847861ea 100644
--- a/src/lib/libcrypto/asn1/x_pubkey.c
+++ b/src/lib/libcrypto/asn1/x_pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_pubkey.c,v 1.37 2024/07/08 14:48:49 beck Exp $ */
+/* $OpenBSD: x_pubkey.c,v 1.38 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,7 +61,6 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
 #ifndef OPENSSL_NO_DSA
@@ -72,6 +71,7 @@
 #endif
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"