41 files changed, 655 insertions, 727 deletions
diff --git a/src/lib/libcrypto/asn1/a_bitstr.c b/src/lib/libcrypto/asn1/a_bitstr.c
index d5d00c4d44..e656c43f0c 100644
--- a/src/lib/libcrypto/asn1/a_bitstr.c
+++ b/src/lib/libcrypto/asn1/a_bitstr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_bitstr.c,v 1.43 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_bitstr.c,v 1.48 2026/01/04 09:54:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,10 +63,10 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 #include "bytestring.h"
+#include "err_local.h"
 const ASN1_ITEM ASN1_BIT_STRING_it = {
        .itype = ASN1_ITYPE_PRIMITIVE,
@@ -182,18 +182,9 @@ i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
        unsigned char *p, *d;
        if (a == NULL)
-                return (0);
+                return 0;
-        if (a->length == INT_MAX)
-                return (0);
-        ret = a->length + 1;
-        if (pp == NULL)
-                return (ret);
        len = a->length;
        if (len > 0) {
                if (a->flags & ASN1_STRING_FLAG_BITS_LEFT) {
                        bits = (int)a->flags & 0x07;
@@ -222,12 +213,20 @@ i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
                        else if (j & 0x80)
                                bits = 7;
                        else
-                                bits = 0; /* should not happen */
+                                bits = 0;
                }
        } else
                bits = 0;
-        p= *pp;
+        if (len > INT_MAX - 1)
+                return 0;
+        ret = len + 1;
+        if (pp == NULL)
+                return ret;
+        p = *pp;
        *(p++) = (unsigned char)bits;
        d = a->data;
@@ -237,7 +236,7 @@ i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
                p[-1] &= 0xff << bits;
        }
        *pp = p;
-        return (ret);
+        return ret;
 }
 int
diff --git a/src/lib/libcrypto/asn1/a_enum.c b/src/lib/libcrypto/asn1/a_enum.c
index 5d3a3dd0c7..ac5033ea8a 100644
--- a/src/lib/libcrypto/asn1/a_enum.c
+++ b/src/lib/libcrypto/asn1/a_enum.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_enum.c,v 1.30 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_enum.c,v 1.31 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,10 +63,10 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
 #include "bytestring.h"
+#include "err_local.h"
 /*
 * Code for ENUMERATED type: identical to INTEGER apart from a different tag.
diff --git a/src/lib/libcrypto/asn1/a_int.c b/src/lib/libcrypto/asn1/a_int.c
index 0d9b6577d7..f171e330f6 100644
--- a/src/lib/libcrypto/asn1/a_int.c
+++ b/src/lib/libcrypto/asn1/a_int.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_int.c,v 1.48 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_int.c,v 1.49 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -64,9 +64,9 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include "bytestring.h"
+#include "err_local.h"
 const ASN1_ITEM ASN1_INTEGER_it = {
        .itype = ASN1_ITYPE_PRIMITIVE,
diff --git a/src/lib/libcrypto/asn1/a_mbstr.c b/src/lib/libcrypto/asn1/a_mbstr.c
index f050f97539..38398ad1d1 100644
--- a/src/lib/libcrypto/asn1/a_mbstr.c
+++ b/src/lib/libcrypto/asn1/a_mbstr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_mbstr.c,v 1.27 2023/07/05 21:23:36 beck Exp $ */
+/* $OpenBSD: a_mbstr.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -61,9 +61,9 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
+#include "err_local.h"
 static int traverse_string(const unsigned char *p, int len, int inform,
    int (*rfunc)(unsigned long value, void *in), void *arg);
diff --git a/src/lib/libcrypto/asn1/a_object.c b/src/lib/libcrypto/asn1/a_object.c
index 2f3ca1398f..333ac60348 100644
--- a/src/lib/libcrypto/asn1/a_object.c
+++ b/src/lib/libcrypto/asn1/a_object.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_object.c,v 1.55 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_object.c,v 1.56 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,11 +62,11 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include "asn1_local.h"
+#include "err_local.h"
 const ASN1_ITEM ASN1_OBJECT_it = {
        .itype = ASN1_ITYPE_PRIMITIVE,
diff --git a/src/lib/libcrypto/asn1/a_pkey.c b/src/lib/libcrypto/asn1/a_pkey.c
index a730728076..636b602377 100644
--- a/src/lib/libcrypto/asn1/a_pkey.c
+++ b/src/lib/libcrypto/asn1/a_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_pkey.c,v 1.8 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: a_pkey.c,v 1.9 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,12 +62,12 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 EVP_PKEY *
diff --git a/src/lib/libcrypto/asn1/a_pubkey.c b/src/lib/libcrypto/asn1/a_pubkey.c
index 544f3d2cf0..f846b6cda5 100644
--- a/src/lib/libcrypto/asn1/a_pubkey.c
+++ b/src/lib/libcrypto/asn1/a_pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_pubkey.c,v 1.7 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: a_pubkey.c,v 1.8 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,7 +62,6 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
@@ -76,6 +75,7 @@
 #include <openssl/rsa.h>
 #endif
+#include "err_local.h"
 #include "evp_local.h"
 EVP_PKEY *
diff --git a/src/lib/libcrypto/asn1/a_string.c b/src/lib/libcrypto/asn1/a_string.c
index ec492e71f0..70e9c95f22 100644
--- a/src/lib/libcrypto/asn1/a_string.c
+++ b/src/lib/libcrypto/asn1/a_string.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_string.c,v 1.17 2023/08/15 18:05:15 tb Exp $ */
+/* $OpenBSD: a_string.c,v 1.18 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,9 +61,9 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
+#include "err_local.h"
 ASN1_STRING *
 ASN1_STRING_new(void)
diff --git a/src/lib/libcrypto/asn1/a_strnid.c b/src/lib/libcrypto/asn1/a_strnid.c
index 5fa60b9ce7..3519d6725d 100644
--- a/src/lib/libcrypto/asn1/a_strnid.c
+++ b/src/lib/libcrypto/asn1/a_strnid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_strnid.c,v 1.31 2024/03/02 08:54:02 tb Exp $ */
+/* $OpenBSD: a_strnid.c,v 1.32 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -62,7 +62,6 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 /*
diff --git a/src/lib/libcrypto/asn1/a_time.c b/src/lib/libcrypto/asn1/a_time.c
index 15ac1af5c4..3deff56eda 100644
--- a/src/lib/libcrypto/asn1/a_time.c
+++ b/src/lib/libcrypto/asn1/a_time.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time.c,v 1.38 2024/07/08 14:52:31 beck Exp $ */
+/* $OpenBSD: a_time.c,v 1.39 2025/05/10 05:54:38 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
@@ -65,7 +65,6 @@
 #include <time.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
diff --git a/src/lib/libcrypto/asn1/a_time_tm.c b/src/lib/libcrypto/asn1/a_time_tm.c
index a1f329be96..dd2893167f 100644
--- a/src/lib/libcrypto/asn1/a_time_tm.c
+++ b/src/lib/libcrypto/asn1/a_time_tm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time_tm.c,v 1.42 2024/05/03 18:33:27 tb Exp $ */
+/* $OpenBSD: a_time_tm.c,v 1.43 2025/05/10 05:54:38 tb Exp $ */
 /*
 * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
 *
@@ -22,10 +22,10 @@
 #include <time.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
-#include "bytestring.h"
 #include "asn1_local.h"
+#include "bytestring.h"
+#include "err_local.h"
 #define RFC5280 0
 #define GENTIME_LENGTH 15
diff --git a/src/lib/libcrypto/asn1/a_type.c b/src/lib/libcrypto/asn1/a_type.c
index ef0a76e810..0615de1ccb 100644
--- a/src/lib/libcrypto/asn1/a_type.c
+++ b/src/lib/libcrypto/asn1/a_type.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_type.c,v 1.27 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: a_type.c,v 1.29 2025/12/05 14:19:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,10 +59,10 @@
 #include <string.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include "asn1_local.h"
+#include "err_local.h"
 typedef struct {
        ASN1_INTEGER *num;
@@ -227,14 +227,14 @@ int
 ASN1_TYPE_get_octetstring(const ASN1_TYPE *a, unsigned char *data, int max_len)
 {
        int ret, num;
-        unsigned char *p;
+        const unsigned char *p;
        if ((a->type != V_ASN1_OCTET_STRING) ||
            (a->value.octet_string == NULL)) {
                ASN1error(ASN1_R_DATA_IS_WRONG);
                return (-1);
        }
-        p = ASN1_STRING_data(a->value.octet_string);
+        p = ASN1_STRING_get0_data(a->value.octet_string);
        ret = ASN1_STRING_length(a->value.octet_string);
        if (ret < max_len)
                num = ret;
@@ -298,7 +298,7 @@ ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *at, long *num, unsigned char *dat
                len = ASN1_STRING_length(ios->value);
                if (len > max_len)
                        len = max_len;
-                memcpy(data, ASN1_STRING_data(ios->value), len);
+                memcpy(data, ASN1_STRING_get0_data(ios->value), len);
        }
        ret = ASN1_STRING_length(ios->value);
diff --git a/src/lib/libcrypto/asn1/asn1.h b/src/lib/libcrypto/asn1/asn1.h
index aeabbc0a28..2b19f58717 100644
--- a/src/lib/libcrypto/asn1/asn1.h
+++ b/src/lib/libcrypto/asn1/asn1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1.h,v 1.92 2024/04/10 14:55:12 beck Exp $ */
+/* $OpenBSD: asn1.h,v 1.95 2026/01/02 08:03:02 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -85,7 +85,6 @@ extern "C" {
 #define V_ASN1_PRIMITIVE_TAG            0x1f
 #define V_ASN1_PRIMATIVE_TAG            0x1f
-#define V_ASN1_APP_CHOOSE               -2      /* let the recipient choose */
 #define V_ASN1_OTHER                    -3      /* used in ASN1_TYPE */
 #define V_ASN1_ANY                      -4      /* used in ASN1 template code */
@@ -200,11 +199,9 @@ typedef struct ASN1_ENCODING_st {
        int modified;            /* set to 1 if 'enc' is invalid */
 } ASN1_ENCODING;
-/* Used with ASN1 LONG type: if a long is set to this it is omitted */
+/* Used by security/xca */
-#define ASN1_LONG_UNDEF 0x7fffffffL
-#define STABLE_FLAGS_MALLOC     0x01
 #define STABLE_NO_MASK          0x02
 #define DIRSTRING_TYPE  \
 (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_BMPSTRING|B_ASN1_UTF8STRING)
 #define PKCS9STRING_TYPE (DIRSTRING_TYPE|B_ASN1_IA5STRING)
diff --git a/src/lib/libcrypto/asn1/asn1_gen.c b/src/lib/libcrypto/asn1/asn1_gen.c
index edd6743993..b409e83c7d 100644
--- a/src/lib/libcrypto/asn1/asn1_gen.c
+++ b/src/lib/libcrypto/asn1/asn1_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_gen.c,v 1.27 2025/03/06 07:25:01 tb Exp $ */
+/* $OpenBSD: asn1_gen.c,v 1.28 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2002.
 */
@@ -59,11 +59,11 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 #include "asn1_local.h"
 #include "conf_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 #define ASN1_GEN_FLAG           0x10000
diff --git a/src/lib/libcrypto/asn1/asn1_item.c b/src/lib/libcrypto/asn1/asn1_item.c
index 86c800e3ad..621d65711b 100644
--- a/src/lib/libcrypto/asn1/asn1_item.c
+++ b/src/lib/libcrypto/asn1/asn1_item.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_item.c,v 1.21 2024/04/09 13:55:02 beck Exp $ */
+/* $OpenBSD: asn1_item.c,v 1.22 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -112,11 +112,11 @@
 #include <limits.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/asn1/asn1_local.h b/src/lib/libcrypto/asn1/asn1_local.h
index 19de978772..d61cfaa7b9 100644
--- a/src/lib/libcrypto/asn1/asn1_local.h
+++ b/src/lib/libcrypto/asn1/asn1_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_local.h,v 1.10 2024/03/02 09:10:42 tb Exp $ */
+/* $OpenBSD: asn1_local.h,v 1.11 2025/11/26 10:19:57 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -56,6 +56,9 @@
 *
 */
+#ifndef HEADER_ASN1_LOCAL_H
+#define HEADER_ASN1_LOCAL_H
 #include "bytestring.h"
 __BEGIN_HIDDEN_DECLS
@@ -191,3 +194,5 @@ int ASN1_time_parse(const char *_bytes, size_t _len, struct tm *_tm, int _mode);
 int ASN1_time_tm_cmp(struct tm *_tm1, struct tm *_tm2);
 __END_HIDDEN_DECLS
+#endif /* HEADER_ASN1_LOCAL_H */
diff --git a/src/lib/libcrypto/asn1/asn1_old.c b/src/lib/libcrypto/asn1/asn1_old.c
index 7992fccdef..c47ea8e74a 100644
--- a/src/lib/libcrypto/asn1/asn1_old.c
+++ b/src/lib/libcrypto/asn1/asn1_old.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_old.c,v 1.6 2024/04/10 14:55:12 beck Exp $ */
+/* $OpenBSD: asn1_old.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,9 +61,9 @@
 #include <openssl/asn1.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #ifndef NO_OLD_ASN1
diff --git a/src/lib/libcrypto/asn1/asn1_old_lib.c b/src/lib/libcrypto/asn1/asn1_old_lib.c
index 80362ae689..541ac7b615 100644
--- a/src/lib/libcrypto/asn1/asn1_old_lib.c
+++ b/src/lib/libcrypto/asn1/asn1_old_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_old_lib.c,v 1.6 2023/07/05 21:23:36 beck Exp $ */
+/* $OpenBSD: asn1_old_lib.c,v 1.7 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,9 +61,9 @@
 #include <string.h>
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
+#include "err_local.h"
 static void asn1_put_length(unsigned char **pp, int length);
diff --git a/src/lib/libcrypto/asn1/asn1t.h b/src/lib/libcrypto/asn1/asn1t.h
index 22cde48669..b3fb1cf838 100644
--- a/src/lib/libcrypto/asn1/asn1t.h
+++ b/src/lib/libcrypto/asn1/asn1t.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1t.h,v 1.24 2024/07/08 16:24:22 beck Exp $ */
+/* $OpenBSD: asn1t.h,v 1.31 2026/01/16 09:25:15 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -78,44 +78,43 @@ extern "C" {
 /* Macros for start and end of ASN1_ITEM definition */
-#define ASN1_ITEM_start(itname) \
+#define ASN1_ITEM_start(itname)                                         \
        const ASN1_ITEM itname##_it = {
-#define static_ASN1_ITEM_start(itname) \
+#define static_ASN1_ITEM_start(itname)                                  \
        static const ASN1_ITEM itname##_it = {
-#define ASN1_ITEM_end(itname) \
+#define ASN1_ITEM_end(itname)                                           \
-                };
+        };
 /* Macros to aid ASN1 template writing */
-#define ASN1_ITEM_TEMPLATE(tname) \
+#define ASN1_ITEM_TEMPLATE(tname)                                       \
        static const ASN1_TEMPLATE tname##_item_tt
-#define ASN1_ITEM_TEMPLATE_END(tname) \
+#define ASN1_ITEM_TEMPLATE_END(tname)                                   \
-        ;\
+        ;                                                               \
-        ASN1_ITEM_start(tname) \
+        ASN1_ITEM_start(tname)                                          \
-                ASN1_ITYPE_PRIMITIVE,\
+                .itype = ASN1_ITYPE_PRIMITIVE,                          \
-                -1,\
+                .utype = -1,                                            \
-                &tname##_item_tt,\
+                .templates = &tname##_item_tt,                          \
-                0,\
+                .tcount = 0,                                            \
-                NULL,\
+                .funcs = NULL,                                          \
-                0,\
+                .size = 0,                                              \
-                #tname \
+                .sname = #tname,                                        \
        ASN1_ITEM_end(tname)
-#define static_ASN1_ITEM_TEMPLATE_END(tname) \
+#define static_ASN1_ITEM_TEMPLATE_END(tname)                            \
-        ;\
+        ;                                                               \
-        static_ASN1_ITEM_start(tname) \
+        static_ASN1_ITEM_start(tname)                                   \
-                ASN1_ITYPE_PRIMITIVE,\
+                .itype = ASN1_ITYPE_PRIMITIVE,                          \
-                -1,\
+                .utype = -1,                                            \
-                &tname##_item_tt,\
+                .templates = &tname##_item_tt,                          \
-                0,\
+                .tcount = 0,                                            \
-                NULL,\
+                .funcs = NULL,                                          \
-                0,\
+                .size = 0,                                              \
-                #tname \
+                .sname = #tname,                                        \
        ASN1_ITEM_end(tname)
@@ -142,119 +141,145 @@ extern "C" {
 *      a structure called stname.
 */
-#define ASN1_SEQUENCE(tname) \
+#define ASN1_SEQUENCE(tname)                                            \
        static const ASN1_TEMPLATE tname##_seq_tt[]
-#define ASN1_SEQUENCE_END(stname) ASN1_SEQUENCE_END_name(stname, stname)
+#define ASN1_SEQUENCE_END(stname)                                       \
+        ASN1_SEQUENCE_END_name(stname, stname)
-#define static_ASN1_SEQUENCE_END(stname) static_ASN1_SEQUENCE_END_name(stname, stname)
+#define static_ASN1_SEQUENCE_END(stname)                                \
-#define ASN1_SEQUENCE_END_name(stname, tname) \
+        static_ASN1_SEQUENCE_END_name(stname, stname)
-        ;\
-        ASN1_ITEM_start(tname) \
+#define ASN1_SEQUENCE_END_name(stname, tname)                           \
-                ASN1_ITYPE_SEQUENCE,\
+        ;                                                               \
-                V_ASN1_SEQUENCE,\
+        ASN1_ITEM_start(tname)                                          \
-                tname##_seq_tt,\
+                .itype = ASN1_ITYPE_SEQUENCE,                           \
-                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .utype = V_ASN1_SEQUENCE,                               \
-                NULL,\
+                .templates = tname##_seq_tt,                            \
-                sizeof(stname),\
+                .tcount = sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-                #stname \
+                .funcs = NULL,                                          \
+                .size = sizeof(stname),                                 \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
-#define static_ASN1_SEQUENCE_END_name(stname, tname) \
+#define static_ASN1_SEQUENCE_END_name(stname, tname)                    \
-        ;\
+        ;                                                               \
-        static_ASN1_ITEM_start(tname) \
+        static_ASN1_ITEM_start(tname)                                   \
-                ASN1_ITYPE_SEQUENCE,\
+                .itype = ASN1_ITYPE_SEQUENCE,                           \
-                V_ASN1_SEQUENCE,\
+                .utype = V_ASN1_SEQUENCE,                               \
-                tname##_seq_tt,\
+                .templates = tname##_seq_tt,                            \
-                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-                NULL,\
+                .funcs = NULL,                                          \
-                sizeof(stname),\
+                .size = sizeof(stname),                                 \
-                #stname \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
-#define ASN1_NDEF_SEQUENCE(tname) \
+#define ASN1_NDEF_SEQUENCE(tname)                                       \
        ASN1_SEQUENCE(tname)
-#define ASN1_NDEF_SEQUENCE_cb(tname, cb) \
+#define ASN1_NDEF_SEQUENCE_cb(tname, cb)                                \
        ASN1_SEQUENCE_cb(tname, cb)
-#define ASN1_SEQUENCE_cb(tname, cb) \
+#define ASN1_SEQUENCE_cb(tname, cb)                                     \
-        static const ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \
+        static const ASN1_AUX tname##_aux = {                           \
+                .app_data = NULL,                                       \
+                .flags = 0,                                             \
+                .ref_offset = 0,                                        \
+                .ref_lock = 0,                                          \
+                .asn1_cb = cb,                                          \
+                .enc_offset = 0,                                        \
+        };                                                              \
        ASN1_SEQUENCE(tname)
-#define ASN1_SEQUENCE_ref(tname, cb, lck) \
+#define ASN1_SEQUENCE_ref(tname, cb, lck)                               \
-        static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), lck, cb, 0}; \
+        static const ASN1_AUX tname##_aux = {                           \
+                .app_data = NULL,                                       \
+                .flags = ASN1_AFLG_REFCOUNT,                            \
+                .ref_offset = offsetof(tname, references),              \
+                .ref_lock = lck,                                        \
+                .asn1_cb = cb,                                          \
+                .enc_offset = 0,                                        \
+        };                                                              \
        ASN1_SEQUENCE(tname)
-#define ASN1_SEQUENCE_enc(tname, enc, cb) \
+#define ASN1_SEQUENCE_enc(tname, enc, cb)                               \
-        static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_ENCODING, 0, 0, cb, offsetof(tname, enc)}; \
+        static const ASN1_AUX tname##_aux = {                           \
+                .app_data = NULL,                                       \
+                .flags = ASN1_AFLG_ENCODING,                            \
+                .ref_offset = 0,                                        \
+                .ref_lock = 0,                                          \
+                .asn1_cb = cb,                                          \
+                .enc_offset = offsetof(tname, enc),                     \
+        };                                                              \
        ASN1_SEQUENCE(tname)
-#define ASN1_NDEF_SEQUENCE_END(tname) \
+#define ASN1_NDEF_SEQUENCE_END(tname)                                   \
-        ;\
+        ;                                                               \
-        ASN1_ITEM_start(tname) \
+        ASN1_ITEM_start(tname)                                          \
-                ASN1_ITYPE_NDEF_SEQUENCE,\
+                .itype = ASN1_ITYPE_NDEF_SEQUENCE,                      \
-                V_ASN1_SEQUENCE,\
+                .utype = V_ASN1_SEQUENCE,                               \
-                tname##_seq_tt,\
+                .templates = tname##_seq_tt,                            \
-                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-                NULL,\
+                .funcs = NULL,                                          \
-                sizeof(tname),\
+                .size = sizeof(tname),                                  \
-                #tname \
+                .sname = #tname,                                        \
        ASN1_ITEM_end(tname)
-#define static_ASN1_NDEF_SEQUENCE_END(tname) \
+#define static_ASN1_NDEF_SEQUENCE_END(tname)                            \
-        ;\
+        ;                                                               \
-        static_ASN1_ITEM_start(tname) \
+        static_ASN1_ITEM_start(tname)                                   \
-                ASN1_ITYPE_NDEF_SEQUENCE,\
+                .itype = ASN1_ITYPE_NDEF_SEQUENCE,                      \
-                V_ASN1_SEQUENCE,\
+                .utype = V_ASN1_SEQUENCE,                               \
-                tname##_seq_tt,\
+                .templates = tname##_seq_tt,                            \
-                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-                NULL,\
+                .funcs = NULL,                                          \
-                sizeof(tname),\
+                .size = sizeof(tname),                                  \
-                #tname \
+                .sname = #tname,                                        \
        ASN1_ITEM_end(tname)
-#define ASN1_SEQUENCE_END_enc(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname)
+#define ASN1_SEQUENCE_END_enc(stname, tname)                            \
+        ASN1_SEQUENCE_END_ref(stname, tname)
-#define ASN1_SEQUENCE_END_cb(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname)
+#define ASN1_SEQUENCE_END_cb(stname, tname)                             \
-#define static_ASN1_SEQUENCE_END_cb(stname, tname) static_ASN1_SEQUENCE_END_ref(stname, tname)
+        ASN1_SEQUENCE_END_ref(stname, tname)
-#define ASN1_SEQUENCE_END_ref(stname, tname) \
+#define static_ASN1_SEQUENCE_END_cb(stname, tname)                      \
-        ;\
+        static_ASN1_SEQUENCE_END_ref(stname, tname)
-        ASN1_ITEM_start(tname) \
-                ASN1_ITYPE_SEQUENCE,\
+#define ASN1_SEQUENCE_END_ref(stname, tname)                            \
-                V_ASN1_SEQUENCE,\
+        ;                                                               \
-                tname##_seq_tt,\
+        ASN1_ITEM_start(tname)                                          \
-                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .itype = ASN1_ITYPE_SEQUENCE,                           \
-                &tname##_aux,\
+                .utype = V_ASN1_SEQUENCE,                               \
-                sizeof(stname),\
+                .templates = tname##_seq_tt,                            \
-                #stname \
+                .tcount = sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .funcs = &tname##_aux,                                  \
+                .size = sizeof(stname),                                 \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
-#define static_ASN1_SEQUENCE_END_ref(stname, tname) \
+#define static_ASN1_SEQUENCE_END_ref(stname, tname)                     \
-        ;\
+        ;                                                               \
-        static_ASN1_ITEM_start(tname) \
+        static_ASN1_ITEM_start(tname)                                   \
-                ASN1_ITYPE_SEQUENCE,\
+                .itype = ASN1_ITYPE_SEQUENCE,                           \
-                V_ASN1_SEQUENCE,\
+                .utype = V_ASN1_SEQUENCE,                               \
-                tname##_seq_tt,\
+                .templates = tname##_seq_tt,                            \
-                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-                &tname##_aux,\
+                .funcs = &tname##_aux,                                  \
-                sizeof(stname),\
+                .size = sizeof(stname),                                 \
-                #stname \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
-#define ASN1_NDEF_SEQUENCE_END_cb(stname, tname) \
+#define ASN1_NDEF_SEQUENCE_END_cb(stname, tname)                        \
-        ;\
+        ;                                                               \
-        ASN1_ITEM_start(tname) \
+        ASN1_ITEM_start(tname)                                          \
-                ASN1_ITYPE_NDEF_SEQUENCE,\
+                .itype = ASN1_ITYPE_NDEF_SEQUENCE,                      \
-                V_ASN1_SEQUENCE,\
+                .utype = V_ASN1_SEQUENCE,                               \
-                tname##_seq_tt,\
+                .templates = tname##_seq_tt,                            \
-                sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\
-                &tname##_aux,\
+                .funcs = &tname##_aux,                                  \
-                sizeof(stname),\
+                .size = sizeof(stname),                                 \
-                #stname \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
@@ -281,170 +306,214 @@ extern "C" {
 *      ASN1_CHOICE_END_selector() version.
 */
-#define ASN1_CHOICE(tname) \
+#define ASN1_CHOICE(tname)                                              \
        static const ASN1_TEMPLATE tname##_ch_tt[]
-#define ASN1_CHOICE_cb(tname, cb) \
+#define ASN1_CHOICE_cb(tname, cb)                                       \
-        static const ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \
+        static const ASN1_AUX tname##_aux = {                           \
+                .app_data = NULL,                                       \
+                .flags = 0,                                             \
+                .ref_offset = 0,                                        \
+                .ref_lock = 0,                                          \
+                .asn1_cb = cb,                                          \
+                .enc_offset = 0,                                        \
+        };                                                              \
        ASN1_CHOICE(tname)
-#define ASN1_CHOICE_END(stname) ASN1_CHOICE_END_name(stname, stname)
+#define ASN1_CHOICE_END(stname)                                         \
+        ASN1_CHOICE_END_name(stname, stname)
-#define static_ASN1_CHOICE_END(stname) static_ASN1_CHOICE_END_name(stname, stname)
+#define static_ASN1_CHOICE_END(stname)                                  \
+        static_ASN1_CHOICE_END_name(stname, stname)
-#define ASN1_CHOICE_END_name(stname, tname) ASN1_CHOICE_END_selector(stname, tname, type)
+#define ASN1_CHOICE_END_name(stname, tname)                             \
+        ASN1_CHOICE_END_selector(stname, tname, type)
-#define static_ASN1_CHOICE_END_name(stname, tname) static_ASN1_CHOICE_END_selector(stname, tname, type)
+#define static_ASN1_CHOICE_END_name(stname, tname)                      \
+        static_ASN1_CHOICE_END_selector(stname, tname, type)
-#define ASN1_CHOICE_END_selector(stname, tname, selname) \
+#define ASN1_CHOICE_END_selector(stname, tname, selname)                \
-        ;\
+        ;                                                               \
-        ASN1_ITEM_start(tname) \
+        ASN1_ITEM_start(tname)                                          \
-                ASN1_ITYPE_CHOICE,\
+                .itype = ASN1_ITYPE_CHOICE,                             \
-                offsetof(stname,selname) ,\
+                .utype = offsetof(stname, selname),                     \
-                tname##_ch_tt,\
+                .templates = tname##_ch_tt,                             \
-                sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
-                NULL,\
+                .funcs = NULL,                                          \
-                sizeof(stname),\
+                .size = sizeof(stname),                                 \
-                #stname \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
-#define static_ASN1_CHOICE_END_selector(stname, tname, selname) \
+#define static_ASN1_CHOICE_END_selector(stname, tname, selname)         \
-        ;\
+        ;                                                               \
-        static_ASN1_ITEM_start(tname) \
+        static_ASN1_ITEM_start(tname)                                   \
-                ASN1_ITYPE_CHOICE,\
+                .itype = ASN1_ITYPE_CHOICE,                             \
-                offsetof(stname,selname) ,\
+                .utype = offsetof(stname, selname),                     \
-                tname##_ch_tt,\
+                .templates = tname##_ch_tt,                             \
-                sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
-                NULL,\
+                .funcs = NULL,                                          \
-                sizeof(stname),\
+                .size = sizeof(stname),                                 \
-                #stname \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
-#define ASN1_CHOICE_END_cb(stname, tname, selname) \
+#define ASN1_CHOICE_END_cb(stname, tname, selname)                      \
-        ;\
+        ;                                                               \
-        ASN1_ITEM_start(tname) \
+        ASN1_ITEM_start(tname)                                          \
-                ASN1_ITYPE_CHOICE,\
+                .itype = ASN1_ITYPE_CHOICE,                             \
-                offsetof(stname,selname) ,\
+                .utype = offsetof(stname, selname),                     \
-                tname##_ch_tt,\
+                .templates = tname##_ch_tt,                             \
-                sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
+                .tcount = sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\
-                &tname##_aux,\
+                .funcs = &tname##_aux,                                  \
-                sizeof(stname),\
+                .size = sizeof(stname),                                 \
-                #stname \
+                .sname = #stname,                                       \
        ASN1_ITEM_end(tname)
 /* This helps with the template wrapper form of ASN1_ITEM */
-#define ASN1_EX_TEMPLATE_TYPE(flags, tag, name, type) { \
+#define ASN1_EX_TEMPLATE_TYPE(flagsval, tagval, name, type)             \
-        (flags), (tag), 0,\
+        {                                                               \
-        #name, ASN1_ITEM_ref(type) }
+                .flags = (flagsval),                                    \
+                .tag = (tagval),                                        \
+                .offset = 0,                                            \
+                .field_name = #name,                                    \
+                .item = ASN1_ITEM_ref(type),                            \
+        }
 /* These help with SEQUENCE or CHOICE components */
 /* used to declare other types */
-#define ASN1_EX_TYPE(flags, tag, stname, field, type) { \
+#define ASN1_EX_TYPE(flagsval, tagval, stname, field, type)             \
-        (flags), (tag), offsetof(stname, field),\
+        {                                                               \
-        #field, ASN1_ITEM_ref(type) }
+                .flags = (flagsval),                                    \
+                .tag = (tagval),                                        \
+                .offset = offsetof(stname, field),                      \
+                .field_name = #field,                                   \
+                .item = ASN1_ITEM_ref(type),                            \
+        }
 /* implicit and explicit helper macros */
-#define ASN1_IMP_EX(stname, field, type, tag, ex) \
+#define ASN1_IMP_EX(stname, field, type, tag, ex)                       \
-                ASN1_EX_TYPE(ASN1_TFLG_IMPLICIT | ex, tag, stname, field, type)
+        ASN1_EX_TYPE(ASN1_TFLG_IMPLICIT | ex, tag, stname, field, type)
-#define ASN1_EXP_EX(stname, field, type, tag, ex) \
+#define ASN1_EXP_EX(stname, field, type, tag, ex)                       \
-                ASN1_EX_TYPE(ASN1_TFLG_EXPLICIT | ex, tag, stname, field, type)
+        ASN1_EX_TYPE(ASN1_TFLG_EXPLICIT | ex, tag, stname, field, type)
 /* Any defined by macros: the field used is in the table itself */
-#define ASN1_ADB_OBJECT(tblname) { ASN1_TFLG_ADB_OID, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) }
+#define ASN1_ADB_OBJECT(tblname)                                        \
-#define ASN1_ADB_INTEGER(tblname) { ASN1_TFLG_ADB_INT, -1, 0, #tblname, (const ASN1_ITEM *)&(tblname##_adb) }
+        {                                                               \
+                .flags = ASN1_TFLG_ADB_OID,                             \
+                .tag = -1,                                              \
+                .offset = 0,                                            \
+                .field_name = #tblname,                                 \
+                .item = (const ASN1_ITEM *)&(tblname##_adb),            \
+        }
+#define ASN1_ADB_INTEGER(tblname)                                       \
+        {                                                               \
+                .flags = ASN1_TFLG_ADB_INT,                             \
+                .tag = -1,                                              \
+                .offset = 0,                                            \
+                .field_name = #tblname,                                 \
+                .item = (const ASN1_ITEM *)&(tblname##_adb),            \
+        }
 /* Plain simple type */
-#define ASN1_SIMPLE(stname, field, type) ASN1_EX_TYPE(0,0, stname, field, type)
+#define ASN1_SIMPLE(stname, field, type)                                \
+        ASN1_EX_TYPE(0, 0, stname, field, type)
 /* OPTIONAL simple type */
-#define ASN1_OPT(stname, field, type) ASN1_EX_TYPE(ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+#define ASN1_OPT(stname, field, type)                                   \
+        ASN1_EX_TYPE(ASN1_TFLG_OPTIONAL, 0, stname, field, type)
 /* IMPLICIT tagged simple type */
-#define ASN1_IMP(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, 0)
+#define ASN1_IMP(stname, field, type, tag)                              \
+        ASN1_IMP_EX(stname, field, type, tag, 0)
 /* IMPLICIT tagged OPTIONAL simple type */
-#define ASN1_IMP_OPT(stname, field, type, tag) ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)
+#define ASN1_IMP_OPT(stname, field, type, tag)                          \
+        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)
 /* Same as above but EXPLICIT */
-#define ASN1_EXP(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, 0)
+#define ASN1_EXP(stname, field, type, tag)                              \
-#define ASN1_EXP_OPT(stname, field, type, tag) ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)
+        ASN1_EXP_EX(stname, field, type, tag, 0)
+#define ASN1_EXP_OPT(stname, field, type, tag)                          \
+        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL)
 /* SEQUENCE OF type */
-#define ASN1_SEQUENCE_OF(stname, field, type) \
+#define ASN1_SEQUENCE_OF(stname, field, type)                           \
-                ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, stname, field, type)
+        ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, stname, field, type)
 /* OPTIONAL SEQUENCE OF */
-#define ASN1_SEQUENCE_OF_OPT(stname, field, type) \
+#define ASN1_SEQUENCE_OF_OPT(stname, field, type)                       \
-                ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+        ASN1_EX_TYPE(ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type)
 /* Same as above but for SET OF */
-#define ASN1_SET_OF(stname, field, type) \
+#define ASN1_SET_OF(stname, field, type)                                \
-                ASN1_EX_TYPE(ASN1_TFLG_SET_OF, 0, stname, field, type)
+        ASN1_EX_TYPE(ASN1_TFLG_SET_OF, 0, stname, field, type)
-#define ASN1_SET_OF_OPT(stname, field, type) \
+#define ASN1_SET_OF_OPT(stname, field, type)                            \
-                ASN1_EX_TYPE(ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type)
+        ASN1_EX_TYPE(ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL, 0, stname, field, type)
 /* Finally compound types of SEQUENCE, SET, IMPLICIT, EXPLICIT and OPTIONAL */
-#define ASN1_IMP_SET_OF(stname, field, type, tag) \
+#define ASN1_IMP_SET_OF(stname, field, type, tag)                       \
-                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)
+        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)
-#define ASN1_EXP_SET_OF(stname, field, type, tag) \
+#define ASN1_EXP_SET_OF(stname, field, type, tag)                       \
-                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)
+        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF)
-#define ASN1_IMP_SET_OF_OPT(stname, field, type, tag) \
+#define ASN1_IMP_SET_OF_OPT(stname, field, type, tag)                   \
-                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL)
+        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL)
-#define ASN1_EXP_SET_OF_OPT(stname, field, type, tag) \
+#define ASN1_EXP_SET_OF_OPT(stname, field, type, tag)                   \
-                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL)
+        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SET_OF|ASN1_TFLG_OPTIONAL)
-#define ASN1_IMP_SEQUENCE_OF(stname, field, type, tag) \
+#define ASN1_IMP_SEQUENCE_OF(stname, field, type, tag)                  \
-                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)
+        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)
-#define ASN1_IMP_SEQUENCE_OF_OPT(stname, field, type, tag) \
+#define ASN1_IMP_SEQUENCE_OF_OPT(stname, field, type, tag)              \
-                        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
+        ASN1_IMP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
-#define ASN1_EXP_SEQUENCE_OF(stname, field, type, tag) \
+#define ASN1_EXP_SEQUENCE_OF(stname, field, type, tag)                  \
-                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)
+        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF)
-#define ASN1_EXP_SEQUENCE_OF_OPT(stname, field, type, tag) \
+#define ASN1_EXP_SEQUENCE_OF_OPT(stname, field, type, tag)              \
-                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
+        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_SEQUENCE_OF|ASN1_TFLG_OPTIONAL)
 /* EXPLICIT using indefinite length constructed form */
-#define ASN1_NDEF_EXP(stname, field, type, tag) \
+#define ASN1_NDEF_EXP(stname, field, type, tag)                         \
-                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_NDEF)
+        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_NDEF)
 /* EXPLICIT OPTIONAL using indefinite length constructed form */
-#define ASN1_NDEF_EXP_OPT(stname, field, type, tag) \
+#define ASN1_NDEF_EXP_OPT(stname, field, type, tag)                     \
-                        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL|ASN1_TFLG_NDEF)
+        ASN1_EXP_EX(stname, field, type, tag, ASN1_TFLG_OPTIONAL|ASN1_TFLG_NDEF)
 /* Macros for the ASN1_ADB structure */
-#define ASN1_ADB(name) \
+#define ASN1_ADB(name)                                                  \
        static const ASN1_ADB_TABLE name##_adbtbl[]
+/* In 5b70372d OpenSSL added adb_cb. Ignore this until someone complains. */
-#define ASN1_ADB_END(name, flags, field, app_table, def, none) \
+#define ASN1_ADB_END(name, flagsval, field, adb_cb, def, none)          \
-        ;\
+        ;                                                               \
-        static const ASN1_ADB name##_adb = {\
+        static const ASN1_ADB name##_adb = {                            \
-                flags,\
+                .flags = flagsval,                                      \
-                offsetof(name, field),\
+                .offset = offsetof(name, field),                        \
-                app_table,\
+                .tbl = name##_adbtbl,                                   \
-                name##_adbtbl,\
+                .tblcount = sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE),\
-                sizeof(name##_adbtbl) / sizeof(ASN1_ADB_TABLE),\
+                .default_tt = def,                                      \
-                def,\
+                .null_tt = none,                                        \
-                none\
        }
+#define ADB_ENTRY(val, template)                                        \
-#define ADB_ENTRY(val, template) {val, template}
+        {                                                               \
+                .value = val,                                           \
+                .tt = template,                                         \
+        }
 #define ASN1_ADB_TEMPLATE(name) \
        static const ASN1_TEMPLATE name##_tt
@@ -474,16 +543,16 @@ typedef struct ASN1_ADB_TABLE_st ASN1_ADB_TABLE;
 typedef struct ASN1_ADB_st ASN1_ADB;
 struct ASN1_ADB_st {
-        unsigned long flags;    /* Various flags */
+        unsigned long flags;            /* Various flags */
-        unsigned long offset;   /* Offset of selector field */
+        unsigned long offset;           /* Offset of selector field */
        const ASN1_ADB_TABLE *tbl;      /* Table of possible types */
-        long tblcount;          /* Number of entries in tbl */
+        long tblcount;                  /* Number of entries in tbl */
        const ASN1_TEMPLATE *default_tt;  /* Type to use if no match */
-        const ASN1_TEMPLATE *null_tt;  /* Type to use if selector is NULL */
+        const ASN1_TEMPLATE *null_tt;   /* Type to use if selector is NULL */
 };
 struct ASN1_ADB_TABLE_st {
-        long value;             /* NID for an object or value for an int */
+        long value;                     /* NID for an object or value for an int */
        const ASN1_TEMPLATE tt;         /* item for this value */
 };
@@ -498,9 +567,9 @@ struct ASN1_ADB_TABLE_st {
 /* Field is a SEQUENCE OF */
 #define ASN1_TFLG_SEQUENCE_OF   (0x2 << 1)
-/* Special case: this refers to a SET OF that
+/*
- * will be sorted into DER order when encoded *and*
+ * Special case: this refers to a SET OF that will be sorted into DER order
- * the corresponding STACK will be modified to match
+ * when encoded *and* the corresponding STACK will be modified to match
 * the new order.
 */
 #define ASN1_TFLG_SET_ORDER     (0x3 << 1)
@@ -508,9 +577,9 @@ struct ASN1_ADB_TABLE_st {
 /* Mask for SET OF or SEQUENCE OF */
 #define ASN1_TFLG_SK_MASK       (0x3 << 1)
-/* These flags mean the tag should be taken from the
+/*
- * tag field. If EXPLICIT then the underlying type
+ * These flags mean the tag should be taken from the tag field. If EXPLICIT
- * is used for the inner tag.
+ * then the underlying type is used for the inner tag.
 */
 /* IMPLICIT tagging */
@@ -529,7 +598,7 @@ struct ASN1_ADB_TABLE_st {
 #define ASN1_TFLG_EXPLICIT      ASN1_TFLG_EXPTAG|ASN1_TFLG_CONTEXT
 /*
- * If tagging is in force these determine the type of tag to use. Otherwiser
+ * If tagging is in force these determine the type of tag to use. Otherwise
 * the tag is determined by the underlying type. These values reflect the
 * actual octet format.
 */
@@ -546,10 +615,9 @@ struct ASN1_ADB_TABLE_st {
 #define ASN1_TFLG_TAG_CLASS     (0x3<<6)
 /*
- * These are for ANY DEFINED BY type. In this case
+ * These are for ANY DEFINED BY type. In this case the 'item' field points
- * the 'item' field points to an ASN1_ADB structure
+ * to an ASN1_ADB structure which contains a table of values to decode the
- * which contains a table of values to decode the
+ * relevant type.
- * relevant type
 */
 #define ASN1_TFLG_ADB_MASK      (0x3<<8)
@@ -559,9 +627,8 @@ struct ASN1_ADB_TABLE_st {
 #define ASN1_TFLG_ADB_INT       (0x1<<9)
 /*
- * This flag when present in a SEQUENCE OF, SET OF
+ * This flag when present in a SEQUENCE OF, SET OF or EXPLICIT causes
- * or EXPLICIT causes indefinite length constructed
+ * indefinite length constructed encoding to be used if required.
- * encoding to be used if required.
 */
 #define ASN1_TFLG_NDEF          (0x1<<11)
@@ -569,52 +636,43 @@ struct ASN1_ADB_TABLE_st {
 /* This is the actual ASN1 item itself */
 struct ASN1_ITEM_st {
-        char itype;                     /* The item type, primitive, SEQUENCE, CHOICE or extern */
+        char itype; /* The item type, primitive, SEQUENCE, CHOICE or extern */
        long utype;                     /* underlying type */
-        const ASN1_TEMPLATE *templates; /* If SEQUENCE or CHOICE this contains the contents */
+        const ASN1_TEMPLATE *templates; /* contents for SEQUENCE or CHOICE */
        long tcount;                    /* Number of templates if SEQUENCE or CHOICE */
        const void *funcs;              /* functions that handle this type */
-        long size;                      /* Structure size (usually)*/
+        long size;                      /* Structure size (usually) */
        const char *sname;              /* Structure name */
 };
-/* These are values for the itype field and
+/*
- * determine how the type is interpreted.
+ * These are values for the itype field and determine how the type is
+ * interpreted.
 *
- * For PRIMITIVE types the underlying type
+ * For PRIMITIVE types the underlying type determines the behaviour if
- * determines the behaviour if items is NULL.
+ * items is NULL.
 *
- * Otherwise templates must contain a single
+ * Otherwise templates must contain a single template and the type is
- * template and the type is treated in the
+ * treated in the same way as the type specified in the template.
- * same way as the type specified in the template.
 *
- * For SEQUENCE types the templates field points
+ * For SEQUENCE types the templates field points to the members, the
- * to the members, the size field is the
+ * size field is the structure size.
- * structure size.
 *
- * For CHOICE types the templates field points
+ * For CHOICE types the templates field points to each possible member
- * to each possible member (typically a union)
+ * (typically a union) and the 'size' field is the offset of the selector.
- * and the 'size' field is the offset of the
- * selector.
 *
- * The 'funcs' field is used for application
+ * The 'funcs' field is used for application specific functions.
- * specific functions.
 *
- * The EXTERN type uses a new style d2i/i2d.
+ * The EXTERN type uses a new style d2i/i2d.  The new style should be used
- * The new style should be used where possible
+ * where possible because it avoids things like the d2i IMPLICIT hack.
- * because it avoids things like the d2i IMPLICIT
- * hack.
 *
- * MSTRING is a multiple string type, it is used
+ * MSTRING is a multiple string type, it is used for a CHOICE of character
- * for a CHOICE of character strings where the
+ * strings where the actual strings all occupy an ASN1_STRING structure.
- * actual strings all occupy an ASN1_STRING
+ * In this case the 'utype' field has a special meaning, it is used as a
- * structure. In this case the 'utype' field
+ * mask of acceptable types using the B_ASN1 constants.
- * has a special meaning, it is used as a mask
- * of acceptable types using the B_ASN1 constants.
 *
- * NDEF_SEQUENCE is the same as SEQUENCE except
+ * NDEF_SEQUENCE is the same as SEQUENCE except that it will use
- * that it will use indefinite length constructed
+ * indefinite length constructed encoding if requested.
- * encoding if requested.
 *
 */
@@ -648,23 +706,27 @@ struct ASN1_TLC_st {
 typedef ASN1_VALUE * ASN1_new_func(void);
 typedef void ASN1_free_func(ASN1_VALUE *a);
-typedef ASN1_VALUE * ASN1_d2i_func(ASN1_VALUE **a, const unsigned char ** in, long length);
+typedef ASN1_VALUE * ASN1_d2i_func(ASN1_VALUE **a, const unsigned char ** in,
+    long length);
 typedef int ASN1_i2d_func(ASN1_VALUE * a, unsigned char **in);
-typedef int ASN1_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it,
+typedef int ASN1_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
-                                        int tag, int aclass, char opt, ASN1_TLC *ctx);
+    const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx);
-typedef int ASN1_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
+typedef int ASN1_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
+    const ASN1_ITEM *it, int tag, int aclass);
 typedef int ASN1_ex_new_func(ASN1_VALUE **pval, const ASN1_ITEM *it);
 typedef void ASN1_ex_free_func(ASN1_VALUE **pval, const ASN1_ITEM *it);
-typedef int ASN1_ex_print_func(BIO *out, ASN1_VALUE **pval,
+typedef int ASN1_ex_print_func(BIO *out, ASN1_VALUE **pval, int indent,
-                                                int indent, const char *fname,
+    const char *fname, const ASN1_PCTX *pctx);
-                                                const ASN1_PCTX *pctx);
-typedef int ASN1_primitive_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it);
+typedef int ASN1_primitive_i2c(ASN1_VALUE **pval, unsigned char *cont,
-typedef int ASN1_primitive_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it);
+    int *putype, const ASN1_ITEM *it);
-typedef int ASN1_primitive_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it, int indent, const ASN1_PCTX *pctx);
+typedef int ASN1_primitive_c2i(ASN1_VALUE **pval, const unsigned char *cont,
+    int len, int utype, char *free_cont, const ASN1_ITEM *it);
+typedef int ASN1_primitive_print(BIO *out, ASN1_VALUE **pval,
+    const ASN1_ITEM *it, int indent, const ASN1_PCTX *pctx);
 typedef struct ASN1_EXTERN_FUNCS_st {
        void *app_data;
@@ -687,25 +749,25 @@ typedef struct ASN1_PRIMITIVE_FUNCS_st {
        ASN1_primitive_print *prim_print;
 } ASN1_PRIMITIVE_FUNCS;
-/* This is the ASN1_AUX structure: it handles various
+/*
- * miscellaneous requirements. For example the use of
+ * This is the ASN1_AUX structure: it handles various miscellaneous
- * reference counts and an informational callback.
+ * requirements. For example the use of reference counts and an
+ * informational callback.
 *
- * The "informational callback" is called at various
+ * The "informational callback" is called at various points during
- * points during the ASN1 encoding and decoding. It can
+ * the ASN1 encoding and decoding. It can be used to provide minor
- * be used to provide minor customisation of the structures
+ * customisation of the structures used. This is most useful where
- * used. This is most useful where the supplied routines
+ * the supplied routines *almost* do the right thing but need some
- * *almost* do the right thing but need some extra help
+ * extra help at a few points. If the callback returns zero then it
- * at a few points. If the callback returns zero then
+ * is assumed a fatal error has occurred and the main operation
- * it is assumed a fatal error has occurred and the
+ * should be abandoned.
- * main operation should be abandoned.
 *
- * If major changes in the default behaviour are required
+ * If major changes in the default behaviour are required then an
- * then an external type is more appropriate.
+ * external type is more appropriate.
 */
 typedef int ASN1_aux_cb(int operation, ASN1_VALUE **in, const ASN1_ITEM *it,
-                                void *exarg);
+    void *exarg);
 typedef struct ASN1_AUX_st {
        void *app_data;
@@ -761,116 +823,146 @@ typedef struct ASN1_STREAM_ARG_st {
 /* Macro to implement a primitive type */
 #define IMPLEMENT_ASN1_TYPE(stname) IMPLEMENT_ASN1_TYPE_ex(stname, stname, 0)
-#define IMPLEMENT_ASN1_TYPE_ex(itname, vname, ex) \
+#define IMPLEMENT_ASN1_TYPE_ex(itname, vname, ex)                       \
-                                ASN1_ITEM_start(itname) \
+        ASN1_ITEM_start(itname)                                         \
-                                        ASN1_ITYPE_PRIMITIVE, V_##vname, NULL, 0, NULL, ex, #itname \
+                .itype = ASN1_ITYPE_PRIMITIVE,                          \
-                                ASN1_ITEM_end(itname)
+                .utype = V_##vname,                                     \
+                .templates = NULL,                                      \
+                .tcount = 0,                                            \
+                .funcs = NULL,                                          \
+                .size = ex,                                             \
+                .sname = #itname,                                       \
+        ASN1_ITEM_end(itname)
 /* Macro to implement a multi string type */
-#define IMPLEMENT_ASN1_MSTRING(itname, mask) \
+#define IMPLEMENT_ASN1_MSTRING(itname, mask)                            \
-                                ASN1_ITEM_start(itname) \
+        ASN1_ITEM_start(itname)                                         \
-                                        ASN1_ITYPE_MSTRING, mask, NULL, 0, NULL, sizeof(ASN1_STRING), #itname \
+                .itype = ASN1_ITYPE_MSTRING,                            \
-                                ASN1_ITEM_end(itname)
+                .utype = mask,                                          \
-#define IMPLEMENT_EXTERN_ASN1(sname, tag, fptrs) \
+                .templates = NULL,                                      \
-        ASN1_ITEM_start(sname) \
+                .tcount = 0,                                            \
-                ASN1_ITYPE_EXTERN, \
+                .funcs = NULL,                                          \
-                tag, \
+                .size = sizeof(ASN1_STRING),                            \
-                NULL, \
+                .sname = #itname,                                       \
-                0, \
+        ASN1_ITEM_end(itname)
-                &fptrs, \
+#define IMPLEMENT_EXTERN_ASN1(sname, tag, fptrs)                        \
-                0, \
+        ASN1_ITEM_start(sname)                                          \
-                #sname \
+                .itype = ASN1_ITYPE_EXTERN,                             \
+                .utype = tag,                                           \
+                .templates = NULL,                                      \
+                .tcount = 0,                                            \
+                .funcs = &fptrs,                                        \
+                .size = 0,                                              \
+                .sname = #sname,                                        \
        ASN1_ITEM_end(sname)
 /* Macro to implement standard functions in terms of ASN1_ITEM structures */
-#define IMPLEMENT_ASN1_FUNCTIONS(stname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, stname, stname)
+#define IMPLEMENT_ASN1_FUNCTIONS(stname)                                \
+        IMPLEMENT_ASN1_FUNCTIONS_fname(stname, stname, stname)
-#define IMPLEMENT_ASN1_FUNCTIONS_name(stname, itname) IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, itname)
+#define IMPLEMENT_ASN1_FUNCTIONS_name(stname, itname)                   \
+        IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, itname)
-#define IMPLEMENT_ASN1_FUNCTIONS_ENCODE_name(stname, itname) \
+#define IMPLEMENT_ASN1_FUNCTIONS_ENCODE_name(stname, itname)            \
-                        IMPLEMENT_ASN1_FUNCTIONS_ENCODE_fname(stname, itname, itname)
+        IMPLEMENT_ASN1_FUNCTIONS_ENCODE_fname(stname, itname, itname)
-#define IMPLEMENT_STATIC_ASN1_ALLOC_FUNCTIONS(stname) \
+#define IMPLEMENT_STATIC_ASN1_ALLOC_FUNCTIONS(stname)                   \
-                IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(static, stname, stname, stname)
+        IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(static, stname, stname, stname)
-#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS(stname) \
+#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS(stname)                          \
-                IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, stname, stname)
+        IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, stname, stname)
 #define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_pfname(pre, stname, itname, fname) \
-        pre stname *fname##_new(void) \
+        pre stname *                                                    \
-        { \
+        fname##_new(void)                                               \
-                return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \
+        {                                                               \
-        } \
+                return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \
-        pre void fname##_free(stname *a) \
+        }                                                               \
-        { \
+        pre void                                                        \
+        fname##_free(stname *a)                                         \
+        {                                                               \
                ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \
        }
-#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname) \
+#define IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)     \
-        stname *fname##_new(void) \
+        stname *                                                        \
-        { \
+        fname##_new(void)                                               \
-                return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \
+        {                                                               \
-        } \
+                return (stname *)ASN1_item_new(ASN1_ITEM_rptr(itname)); \
-        void fname##_free(stname *a) \
+        }                                                               \
-        { \
+        void                                                            \
+        fname##_free(stname *a)                                         \
+        {                                                               \
                ASN1_item_free((ASN1_VALUE *)a, ASN1_ITEM_rptr(itname)); \
        }
-#define IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, fname) \
+#define IMPLEMENT_ASN1_FUNCTIONS_fname(stname, itname, fname)           \
-        IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \
+        IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname)    \
        IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)
-#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname) \
+#define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_fname(stname, itname, fname)    \
-        stname *d2i_##fname(stname **a, const unsigned char **in, long len) \
+        stname *                                                        \
-        { \
+        d2i_##fname(stname **a, const unsigned char **in, long len)     \
-                return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname));\
+        {                                                               \
-        } \
+                return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in,    \
-        int i2d_##fname(stname *a, unsigned char **out) \
+                    len, ASN1_ITEM_rptr(itname));                       \
-        { \
+        }                                                               \
-                return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\
+        int                                                             \
+        i2d_##fname(stname *a, unsigned char **out)                     \
+        {                                                               \
+                return ASN1_item_i2d((ASN1_VALUE *)a, out,              \
+                    ASN1_ITEM_rptr(itname));                            \
        }
-#define IMPLEMENT_ASN1_NDEF_FUNCTION(stname) \
+#define IMPLEMENT_ASN1_NDEF_FUNCTION(stname)                            \
-        int i2d_##stname##_NDEF(stname *a, unsigned char **out) \
+        int                                                             \
-        { \
+        i2d_##stname##_NDEF(stname *a, unsigned char **out)             \
-                return ASN1_item_ndef_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(stname));\
+        {                                                               \
+                return ASN1_item_ndef_i2d((ASN1_VALUE *)a, out,         \
+                    ASN1_ITEM_rptr(stname));                            \
        }
 /* This includes evil casts to remove const: they will go away when full
 * ASN1 constification is done.
 */
 #define IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \
-        stname *d2i_##fname(stname **a, const unsigned char **in, long len) \
+        stname *                                                        \
-        { \
+        d2i_##fname(stname **a, const unsigned char **in, long len)     \
-                return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, ASN1_ITEM_rptr(itname));\
+        {                                                               \
-        } \
+                return (stname *)ASN1_item_d2i((ASN1_VALUE **)a, in,    \
-        int i2d_##fname(const stname *a, unsigned char **out) \
+                    len, ASN1_ITEM_rptr(itname));                       \
-        { \
+        }                                                               \
-                return ASN1_item_i2d((ASN1_VALUE *)a, out, ASN1_ITEM_rptr(itname));\
+        int                                                             \
+        i2d_##fname(const stname *a, unsigned char **out)               \
+        {                                                               \
+                return ASN1_item_i2d((ASN1_VALUE *)a, out,              \
+                    ASN1_ITEM_rptr(itname));                            \
        }
-#define IMPLEMENT_ASN1_DUP_FUNCTION(stname) \
+#define IMPLEMENT_ASN1_DUP_FUNCTION(stname)                             \
-        stname * stname##_dup(stname *x) \
+        stname *                                                        \
-        { \
+        stname##_dup(stname *x)                                         \
-        return ASN1_item_dup(ASN1_ITEM_rptr(stname), x); \
+        {                                                               \
-        }
+                return ASN1_item_dup(ASN1_ITEM_rptr(stname), x);        \
+        }
-#define IMPLEMENT_ASN1_PRINT_FUNCTION(stname) \
+#define IMPLEMENT_ASN1_PRINT_FUNCTION(stname)                           \
        IMPLEMENT_ASN1_PRINT_FUNCTION_fname(stname, stname, stname)
-#define IMPLEMENT_ASN1_PRINT_FUNCTION_fname(stname, itname, fname) \
+#define IMPLEMENT_ASN1_PRINT_FUNCTION_fname(stname, itname, fname)      \
-        int fname##_print_ctx(BIO *out, stname *x, int indent, \
+        int                                                             \
-                                                const ASN1_PCTX *pctx) \
+        fname##_print_ctx(BIO *out, stname *x, int indent,              \
-        { \
+            const ASN1_PCTX *pctx)                                      \
-                return ASN1_item_print(out, (ASN1_VALUE *)x, indent, \
+        {                                                               \
-                        ASN1_ITEM_rptr(itname), pctx); \
+                return ASN1_item_print(out, (ASN1_VALUE *)x, indent,    \
+                    ASN1_ITEM_rptr(itname), pctx);                      \
        }
-#define IMPLEMENT_ASN1_FUNCTIONS_const(name) \
+#define IMPLEMENT_ASN1_FUNCTIONS_const(name)                            \
-                IMPLEMENT_ASN1_FUNCTIONS_const_fname(name, name, name)
+        IMPLEMENT_ASN1_FUNCTIONS_const_fname(name, name, name)
-#define IMPLEMENT_ASN1_FUNCTIONS_const_fname(stname, itname, fname) \
+#define IMPLEMENT_ASN1_FUNCTIONS_const_fname(stname, itname, fname)     \
        IMPLEMENT_ASN1_ENCODE_FUNCTIONS_const_fname(stname, itname, fname) \
        IMPLEMENT_ASN1_ALLOC_FUNCTIONS_fname(stname, itname, fname)
@@ -893,10 +985,10 @@ DECLARE_STACK_OF(ASN1_VALUE)
 int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
 void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
-int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it,
+int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
-                                int tag, int aclass, char opt, ASN1_TLC *ctx);
+    const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx);
+int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out,
-int ASN1_item_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass);
+    const ASN1_ITEM *it, int tag, int aclass);
 #ifdef  __cplusplus
 }
diff --git a/src/lib/libcrypto/asn1/asn_mime.c b/src/lib/libcrypto/asn1/asn_mime.c
index 3995fc547c..d42dd8663e 100644
--- a/src/lib/libcrypto/asn1/asn_mime.c
+++ b/src/lib/libcrypto/asn1/asn_mime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn_mime.c,v 1.35 2025/01/17 05:02:18 tb Exp $ */
+/* $OpenBSD: asn_mime.c,v 1.37 2025/06/02 12:18:21 jsg Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -59,10 +59,10 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 /* Generalised MIME like utilities for streaming ASN1. Although many
@@ -507,8 +507,9 @@ SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it)
                        *bcont = sk_BIO_value(parts, 0);
                        BIO_free(asnin);
                        sk_BIO_free(parts);
-                } else sk_BIO_pop_free(parts, BIO_vfree);
+                } else
-                        return val;
+                        sk_BIO_pop_free(parts, BIO_vfree);
+                return val;
        }
        /* OK, if not multipart/signed try opaque signature */
diff --git a/src/lib/libcrypto/asn1/asn_moid.c b/src/lib/libcrypto/asn1/asn_moid.c
index e3c7d09446..a9a752cc38 100644
--- a/src/lib/libcrypto/asn1/asn_moid.c
+++ b/src/lib/libcrypto/asn1/asn_moid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn_moid.c,v 1.18 2024/08/31 09:26:18 tb Exp $ */
+/* $OpenBSD: asn_moid.c,v 1.20 2025/05/10 11:51:01 tb Exp $ */
 /* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -60,13 +60,13 @@
 #include <stdio.h>
 #include <string.h>
-#include <openssl/err.h>
 #include <openssl/conf.h>
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
 #include "conf_local.h"
+#include "err_local.h"
 /* Simple ASN1 OID module: add all objects in a given section */
diff --git a/src/lib/libcrypto/asn1/bio_ndef.c b/src/lib/libcrypto/asn1/bio_ndef.c
index 98bb1cd197..d001ffb0ae 100644
--- a/src/lib/libcrypto/asn1/bio_ndef.c
+++ b/src/lib/libcrypto/asn1/bio_ndef.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_ndef.c,v 1.24 2023/07/28 09:58:30 tb Exp $ */
+/* $OpenBSD: bio_ndef.c,v 1.25 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -57,9 +57,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
+#include "err_local.h"
 int BIO_asn1_set_prefix(BIO *b, asn1_ps_func *prefix, asn1_ps_func *prefix_free);
 int BIO_asn1_set_suffix(BIO *b, asn1_ps_func *suffix, asn1_ps_func *suffix_free);
diff --git a/src/lib/libcrypto/asn1/p5_pbe.c b/src/lib/libcrypto/asn1/p5_pbe.c
index 582d2d9a9b..feccf8af58 100644
--- a/src/lib/libcrypto/asn1/p5_pbe.c
+++ b/src/lib/libcrypto/asn1/p5_pbe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_pbe.c,v 1.28 2024/07/08 14:48:49 beck Exp $ */
+/* $OpenBSD: p5_pbe.c,v 1.31 2025/12/07 09:27:02 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -61,11 +61,14 @@
 #include <string.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 #include "x509_local.h"
+/* RFC 8018, section 6.1 specifies an eight-octet salt for PBES1. */
+#define PKCS5_PBE1_SALT_LEN     8
 /* PKCS#5 password based encryption structure */
 static const ASN1_TEMPLATE PBEPARAM_seq_tt[] = {
@@ -126,7 +129,6 @@ PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
 {
        PBEPARAM *pbe = NULL;
        ASN1_STRING *pbe_str = NULL;
-        unsigned char *sstr;
        if ((pbe = PBEPARAM_new()) == NULL) {
                ASN1error(ERR_R_MALLOC_FAILURE);
@@ -138,17 +140,24 @@ PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
                ASN1error(ERR_R_MALLOC_FAILURE);
                goto err;
        }
-        if (!saltlen)
+        if (saltlen < 0)
-                saltlen = PKCS5_SALT_LEN;
-        if (!ASN1_STRING_set(pbe->salt, NULL, saltlen)) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
                goto err;
-        }
+        if (saltlen == 0)
-        sstr = ASN1_STRING_data(pbe->salt);
+                saltlen = PKCS5_PBE1_SALT_LEN;
-        if (salt)
+        if (salt != NULL) {
-                memcpy(sstr, salt, saltlen);
+                if (!ASN1_STRING_set(pbe->salt, salt, saltlen))
-        else
+                        goto err;
+        } else {
+                unsigned char *sstr = NULL;
+                if ((sstr = malloc(saltlen)) == NULL) {
+                        ASN1error(ERR_R_MALLOC_FAILURE);
+                        goto err;
+                }
                arc4random_buf(sstr, saltlen);
+                ASN1_STRING_set0(pbe->salt, sstr, saltlen);
+                sstr = NULL;
+        }
        if (!ASN1_item_pack(pbe, &PBEPARAM_it, &pbe_str)) {
                ASN1error(ERR_R_MALLOC_FAILURE);
@@ -162,9 +171,9 @@ PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
                return 1;
 err:
-        if (pbe != NULL)
+        PBEPARAM_free(pbe);
-                PBEPARAM_free(pbe);
        ASN1_STRING_free(pbe_str);
        return 0;
 }
diff --git a/src/lib/libcrypto/asn1/p5_pbev2.c b/src/lib/libcrypto/asn1/p5_pbev2.c
index 76872a8dec..64924d9b38 100644
--- a/src/lib/libcrypto/asn1/p5_pbev2.c
+++ b/src/lib/libcrypto/asn1/p5_pbev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_pbev2.c,v 1.35 2024/03/26 07:03:10 tb Exp $ */
+/* $OpenBSD: p5_pbev2.c,v 1.38 2025/05/24 02:57:14 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999-2004.
 */
@@ -61,12 +61,18 @@
 #include <string.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
+/*
+ * RFC 8018, sections 6.2 and 4 specify at least 64 bits for PBES2, apparently
+ * FIPS will require at least 128 bits in the future, OpenSSL does that.
+ */
+#define PKCS5_PBE2_SALT_LEN     16
 /* PKCS#5 v2.0 password based encryption structures */
 static const ASN1_TEMPLATE PBE2PARAM_seq_tt[] = {
@@ -187,7 +193,7 @@ PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter, unsigned char *salt,
    int saltlen)
 {
        X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
-        int prf_nid = NID_hmacWithSHA1;
+        int prf_nid = NID_hmacWithSHA256;
        int alg_nid, keylen;
        EVP_CIPHER_CTX ctx;
        unsigned char iv[EVP_MAX_IV_LENGTH];
@@ -292,7 +298,7 @@ PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, int prf_nid,
        kdf->salt->type = V_ASN1_OCTET_STRING;
        if (!saltlen)
-                saltlen = PKCS5_SALT_LEN;
+                saltlen = PKCS5_PBE2_SALT_LEN;
        if (!(osalt->data = malloc (saltlen)))
                goto merr;
diff --git a/src/lib/libcrypto/asn1/p8_pkey.c b/src/lib/libcrypto/asn1/p8_pkey.c
index bdb0c39ad5..a5e82ef7ff 100644
--- a/src/lib/libcrypto/asn1/p8_pkey.c
+++ b/src/lib/libcrypto/asn1/p8_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p8_pkey.c,v 1.25 2024/07/08 14:48:49 beck Exp $ */
+/* $OpenBSD: p8_pkey.c,v 1.26 2025/12/05 14:19:27 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -168,7 +168,7 @@ PKCS8_pkey_get0(const ASN1_OBJECT **ppkalg, const unsigned char **pk,
        if (ppkalg != NULL)
                *ppkalg = p8->pkeyalg->algorithm;
        if (pk != NULL) {
-                *pk = ASN1_STRING_data(p8->pkey);
+                *pk = ASN1_STRING_get0_data(p8->pkey);
                *ppklen = ASN1_STRING_length(p8->pkey);
        }
        if (pa != NULL)
diff --git a/src/lib/libcrypto/asn1/t_crl.c b/src/lib/libcrypto/asn1/t_crl.c
index 6449e7f199..295ab6c050 100644
--- a/src/lib/libcrypto/asn1/t_crl.c
+++ b/src/lib/libcrypto/asn1/t_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_crl.c,v 1.26 2024/05/03 02:52:00 tb Exp $ */
+/* $OpenBSD: t_crl.c,v 1.27 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -61,11 +61,11 @@
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "x509_local.h"
 int
diff --git a/src/lib/libcrypto/asn1/t_req.c b/src/lib/libcrypto/asn1/t_req.c
index 1d4be9865d..51e4b4f651 100644
--- a/src/lib/libcrypto/asn1/t_req.c
+++ b/src/lib/libcrypto/asn1/t_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_req.c,v 1.28 2024/05/03 02:52:00 tb Exp $ */
+/* $OpenBSD: t_req.c,v 1.29 2025/05/10 05:54:38 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,7 +62,6 @@
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -74,6 +73,7 @@
 #include <openssl/rsa.h>
 #endif
+#include "err_local.h"
 #include "x509_local.h"
 int
diff --git a/src/lib/libcrypto/asn1/t_x509.c b/src/lib/libcrypto/asn1/t_x509.c
index 7cf4557314..71f97a8214 100644
--- a/src/lib/libcrypto/asn1/t_x509.c
+++ b/src/lib/libcrypto/asn1/t_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_x509.c,v 1.51 2025/02/08 03:41:36 tb Exp $ */
+/* $OpenBSD: t_x509.c,v 1.54 2025/07/01 06:46:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -65,13 +65,13 @@
 #include <openssl/asn1.h>
 #include <openssl/bio.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/sha.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
@@ -106,6 +106,28 @@ X509_print(BIO *bp, X509 *x)
 }
 LCRYPTO_ALIAS(X509_print);
+static int
+x509_print_uids(BIO *bp, const X509 *x, int indent)
+{
+        const ASN1_BIT_STRING *issuerUID = NULL, *subjectUID = NULL;
+        X509_get0_uids(x, &issuerUID, &subjectUID);
+        if (issuerUID != NULL) {
+                if (BIO_printf(bp, "%*sIssuer Unique ID: ", indent, "") <= 0)
+                        return 0;
+                if (!X509_signature_dump(bp, issuerUID, indent + 4))
+                        return 0;
+        }
+        if (subjectUID != NULL) {
+                if (BIO_printf(bp, "%*sSubject Unique ID: ", indent, "") <= 0)
+                        return 0;
+                if (!X509_signature_dump(bp, subjectUID, indent + 4))
+                        return 0;
+        }
+        return 1;
+}
 int
 X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 {
@@ -127,9 +149,9 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
        ci = x->cert_info;
        if (!(cflag & X509_FLAG_NO_HEADER)) {
-                if (BIO_write(bp, "Certificate:\n", 13) <= 0)
+                if (BIO_printf(bp, "Certificate:\n") <= 0)
                        goto err;
-                if (BIO_write(bp, "    Data:\n", 10) <= 0)
+                if (BIO_printf(bp, "    Data:\n") <= 0)
                        goto err;
        }
        if (!(cflag & X509_FLAG_NO_VERSION)) {
@@ -145,7 +167,7 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                }
        }
        if (!(cflag & X509_FLAG_NO_SERIAL)) {
-                if (BIO_write(bp, "        Serial Number:", 22) <= 0)
+                if (BIO_printf(bp, "        Serial Number:") <= 0)
                        goto err;
                bs = X509_get_serialNumber(x);
@@ -196,21 +218,21 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                if (X509_NAME_print_ex(bp, X509_get_issuer_name(x),
                    nmindent, nmflags) < (nmflags == X509_FLAG_COMPAT ? 1 : 0))
                        goto err;
-                if (BIO_write(bp, "\n", 1) <= 0)
+                if (BIO_printf(bp, "\n") <= 0)
                        goto err;
        }
        if (!(cflag & X509_FLAG_NO_VALIDITY)) {
-                if (BIO_write(bp, "        Validity\n", 17) <= 0)
+                if (BIO_printf(bp, "        Validity\n") <= 0)
                        goto err;
-                if (BIO_write(bp, "            Not Before: ", 24) <= 0)
+                if (BIO_printf(bp, "            Not Before: ") <= 0)
                        goto err;
                if (!ASN1_TIME_print(bp, X509_get_notBefore(x)))
                        goto err;
-                if (BIO_write(bp, "\n            Not After : ", 25) <= 0)
+                if (BIO_printf(bp, "\n            Not After : ") <= 0)
                        goto err;
                if (!ASN1_TIME_print(bp, X509_get_notAfter(x)))
                        goto err;
-                if (BIO_write(bp, "\n", 1) <= 0)
+                if (BIO_printf(bp, "\n") <= 0)
                        goto err;
        }
        if (!(cflag & X509_FLAG_NO_SUBJECT)) {
@@ -219,12 +241,11 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                if (X509_NAME_print_ex(bp, X509_get_subject_name(x),
                    nmindent, nmflags) < (nmflags == X509_FLAG_COMPAT ? 1 : 0))
                        goto err;
-                if (BIO_write(bp, "\n", 1) <= 0)
+                if (BIO_printf(bp, "\n") <= 0)
                        goto err;
        }
        if (!(cflag & X509_FLAG_NO_PUBKEY)) {
-                if (BIO_write(bp, "        Subject Public Key Info:\n",
+                if (BIO_printf(bp, "        Subject Public Key Info:\n") <= 0)
-                    33) <= 0)
                        goto err;
                if (BIO_printf(bp, "%12sPublic Key Algorithm: ", "") <= 0)
                        goto err;
@@ -243,6 +264,11 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
                }
        }
+        if (!(cflag & X509_FLAG_NO_IDS)) {
+                if (!x509_print_uids(bp, x, 8))
+                        goto err;
+        }
        if (!(cflag & X509_FLAG_NO_EXTENSIONS))
                X509V3_extensions_print(bp, "X509v3 extensions",
                    ci->extensions, cflag, 8);
@@ -325,7 +351,7 @@ X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
        s = sig->data;
        for (i = 0; i < n; i++) {
                if ((i % 18) == 0) {
-                        if (BIO_write(bp, "\n", 1) <= 0)
+                        if (BIO_printf(bp, "\n") <= 0)
                                return 0;
                        if (BIO_indent(bp, indent, indent) <= 0)
                                return 0;
@@ -334,7 +360,7 @@ X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent)
                    ((i + 1) == n) ? "" : ":") <= 0)
                        return 0;
        }
-        if (BIO_write(bp, "\n", 1) != 1)
+        if (BIO_printf(bp, "\n") != 1)
                return 0;
        return 1;
@@ -375,7 +401,7 @@ ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm)
                return ASN1_UTCTIME_print(bp, tm);
        if (tm->type == V_ASN1_GENERALIZEDTIME)
                return ASN1_GENERALIZEDTIME_print(bp, tm);
-        BIO_write(bp, "Bad time value", 14);
+        BIO_printf(bp, "Bad time value");
        return (0);
 }
 LCRYPTO_ALIAS(ASN1_TIME_print);
@@ -435,7 +461,7 @@ ASN1_GENERALIZEDTIME_print(BIO *bp, const ASN1_GENERALIZEDTIME *tm)
                return (1);
 err:
-        BIO_write(bp, "Bad time value", 14);
+        BIO_printf(bp, "Bad time value");
        return (0);
 }
 LCRYPTO_ALIAS(ASN1_GENERALIZEDTIME_print);
@@ -479,7 +505,7 @@ ASN1_UTCTIME_print(BIO *bp, const ASN1_UTCTIME *tm)
                return (1);
 err:
-        BIO_write(bp, "Bad time value", 14);
+        BIO_printf(bp, "Bad time value");
        return (0);
 }
 LCRYPTO_ALIAS(ASN1_UTCTIME_print);
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c
index 31b9efee54..1bffae8a94 100644
--- a/src/lib/libcrypto/asn1/tasn_dec.c
+++ b/src/lib/libcrypto/asn1/tasn_dec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_dec.c,v 1.88 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: tasn_dec.c,v 1.89 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -63,11 +63,11 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include "asn1_local.h"
 #include "bytestring.h"
+#include "err_local.h"
 /*
 * Constructed types with a recursive definition (such as can be found in PKCS7)
diff --git a/src/lib/libcrypto/asn1/tasn_enc.c b/src/lib/libcrypto/asn1/tasn_enc.c
index b71993a139..a65fb5b7e7 100644
--- a/src/lib/libcrypto/asn1/tasn_enc.c
+++ b/src/lib/libcrypto/asn1/tasn_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_enc.c,v 1.33 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: tasn_enc.c,v 1.34 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -61,10 +61,10 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include "asn1_local.h"
+#include "err_local.h"
 static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out,
    const ASN1_ITEM *it, int tag, int aclass);
diff --git a/src/lib/libcrypto/asn1/tasn_fre.c b/src/lib/libcrypto/asn1/tasn_fre.c
index 0e259a13ab..c3de668483 100644
--- a/src/lib/libcrypto/asn1/tasn_fre.c
+++ b/src/lib/libcrypto/asn1/tasn_fre.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_fre.c,v 1.24 2024/12/11 11:22:06 tb Exp $ */
+/* $OpenBSD: tasn_fre.c,v 1.25 2025/08/14 19:02:17 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -147,8 +147,9 @@ asn1_item_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
                                return;
                }
                asn1_enc_cleanup(pval, it);
-                /* If we free up as normal we will invalidate any
+                /*
-                 * ANY DEFINED BY field and we wont be able to
+                 * If we free up as normal, we will invalidate any
+                 * ANY DEFINED BY field and we won't be able to
                 * determine the type of the field it defines. So
                 * free up in reverse order.
                 */
diff --git a/src/lib/libcrypto/asn1/tasn_new.c b/src/lib/libcrypto/asn1/tasn_new.c
index 10c1137dbf..e17810b832 100644
--- a/src/lib/libcrypto/asn1/tasn_new.c
+++ b/src/lib/libcrypto/asn1/tasn_new.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_new.c,v 1.25 2023/07/28 10:00:10 tb Exp $ */
+/* $OpenBSD: tasn_new.c,v 1.26 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -60,11 +60,11 @@
 #include <stddef.h>
 #include <openssl/asn1.h>
 #include <openssl/objects.h>
-#include <openssl/err.h>
 #include <openssl/asn1t.h>
 #include <string.h>
 #include "asn1_local.h"
+#include "err_local.h"
 static int asn1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
 static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
diff --git a/src/lib/libcrypto/asn1/tasn_prn.c b/src/lib/libcrypto/asn1/tasn_prn.c
index 07764fc091..4db6d61111 100644
--- a/src/lib/libcrypto/asn1/tasn_prn.c
+++ b/src/lib/libcrypto/asn1/tasn_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_prn.c,v 1.27 2024/03/02 09:04:07 tb Exp $ */
+/* $OpenBSD: tasn_prn.c,v 1.29 2025/06/07 09:28:00 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -61,7 +61,6 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509v3.h>
@@ -411,7 +410,7 @@ asn1_primitive_print(BIO *out, ASN1_VALUE **fld, const ASN1_ITEM *it,
        if (!asn1_print_fsname(out, indent, fname, sname, pctx))
                return 0;
-        if (it != NULL && it->funcs != NULL) {
+        if (it->funcs != NULL) {
                const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
                if (pf->prim_print == NULL)
diff --git a/src/lib/libcrypto/asn1/tasn_typ.c b/src/lib/libcrypto/asn1/tasn_typ.c
index 0f7fcb0e03..64faad7240 100644
--- a/src/lib/libcrypto/asn1/tasn_typ.c
+++ b/src/lib/libcrypto/asn1/tasn_typ.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_typ.c,v 1.20 2024/07/08 16:24:22 beck Exp $ */
+/* $OpenBSD: tasn_typ.c,v 1.21 2025/08/22 14:07:34 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -623,6 +623,7 @@ const ASN1_ITEM ASN1_BOOLEAN_it = {
        .size = -1,
        .sname = "ASN1_BOOLEAN",
 };
+LCRYPTO_ALIAS(ASN1_BOOLEAN_it);
 int
 i2d_ASN1_BOOLEAN(int a, unsigned char **out)
@@ -652,6 +653,7 @@ const ASN1_ITEM ASN1_TBOOLEAN_it = {
        .size = 1,
        .sname = "ASN1_TBOOLEAN",
 };
+LCRYPTO_ALIAS(ASN1_TBOOLEAN_it);
 const ASN1_ITEM ASN1_FBOOLEAN_it = {
        .itype = ASN1_ITYPE_PRIMITIVE,
@@ -659,6 +661,7 @@ const ASN1_ITEM ASN1_FBOOLEAN_it = {
        .size = 0,
        .sname = "ASN1_FBOOLEAN",
 };
+LCRYPTO_ALIAS(ASN1_FBOOLEAN_it);
 /* Special, OCTET STRING with indefinite length constructed support */
diff --git a/src/lib/libcrypto/asn1/tasn_utl.c b/src/lib/libcrypto/asn1/tasn_utl.c
index ae546edd4b..178a364c89 100644
--- a/src/lib/libcrypto/asn1/tasn_utl.c
+++ b/src/lib/libcrypto/asn1/tasn_utl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_utl.c,v 1.18 2022/12/26 07:18:51 jmc Exp $ */
+/* $OpenBSD: tasn_utl.c,v 1.19 2025/05/10 05:54:38 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -63,9 +63,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/objects.h>
-#include <openssl/err.h>
 #include "bytestring.h"
+#include "err_local.h"
 /* Utility functions for manipulating fields and offsets */
diff --git a/src/lib/libcrypto/asn1/x_crl.c b/src/lib/libcrypto/asn1/x_crl.c
index 7ad8350f3d..59f867bc12 100644
--- a/src/lib/libcrypto/asn1/x_crl.c
+++ b/src/lib/libcrypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_crl.c,v 1.48 2025/02/27 20:13:41 tb Exp $ */
+/* $OpenBSD: x_crl.c,v 1.51 2025/08/19 21:54:11 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,11 +61,11 @@
 #include <openssl/opensslconf.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 static void setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp);
@@ -105,8 +105,9 @@ X509_REVOKED_cmp(const X509_REVOKED * const *a, const X509_REVOKED * const *b)
        return ASN1_INTEGER_cmp((*a)->serialNumber, (*b)->serialNumber);
 }
-/* The X509_CRL_INFO structure needs a bit of customisation.
+/*
- * Since we cache the original encoding the signature wont be affected by
+ * The X509_CRL_INFO structure needs a bit of customisation.
+ * Since we cache the original encoding, the signature won't be affected by
 * reordering of the revoked field.
 */
 static int
@@ -540,6 +541,12 @@ LCRYPTO_ALIAS(X509_CRL_add0_revoked);
 int
 X509_CRL_verify(X509_CRL *crl, EVP_PKEY *pkey)
 {
+        /*
+         * The CertificateList's signature AlgorithmIdentifier must match
+         * the one inside the TBSCertList, see RFC 5280, 5.1.1.2, 5.1.2.2.
+         */
+        if (X509_ALGOR_cmp(crl->sig_alg, crl->crl->sig_alg) != 0)
+                return 0;
        return ASN1_item_verify(&X509_CRL_INFO_it, crl->sig_alg, crl->signature,
            crl->crl, pkey);
 }
diff --git a/src/lib/libcrypto/asn1/x_info.c b/src/lib/libcrypto/asn1/x_info.c
deleted file mode 100644
index d2c4bcfe7a..0000000000
--- a/src/lib/libcrypto/asn1/x_info.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/* $OpenBSD: x_info.c,v 1.22 2024/12/11 10:28:03 tb Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <openssl/asn1.h>
-#include <openssl/err.h>
-#include <openssl/x509.h>
-X509_INFO *
-X509_INFO_new(void)
-{
-        X509_INFO *ret;
-        if ((ret = calloc(1, sizeof(X509_INFO))) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                return NULL;
-        }
-        ret->references = 1;
-        return ret;
-}
-LCRYPTO_ALIAS(X509_INFO_new);
-void
-X509_INFO_free(X509_INFO *x)
-{
-        if (x == NULL)
-                return;
-        if (CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO) > 0)
-                return;
-        X509_free(x->x509);
-        X509_CRL_free(x->crl);
-        X509_PKEY_free(x->x_pkey);
-        free(x->enc_data);
-        free(x);
-}
-LCRYPTO_ALIAS(X509_INFO_free);
diff --git a/src/lib/libcrypto/asn1/x_long.c b/src/lib/libcrypto/asn1/x_long.c
index 5e673f4521..ed463bf7c5 100644
--- a/src/lib/libcrypto/asn1/x_long.c
+++ b/src/lib/libcrypto/asn1/x_long.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_long.c,v 1.21 2024/07/08 16:24:22 beck Exp $ */
+/* $OpenBSD: x_long.c,v 1.23 2026/01/02 08:03:02 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -61,15 +61,18 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
-#include <openssl/err.h>
 #include "asn1_local.h"
+#include "err_local.h"
 /*
 * Custom primitive type for long handling. This converts between an
 * ASN1_INTEGER and a long directly.
 */
+/* Used with ASN1 LONG type: if a long is set to this it is omitted */
+#define ASN1_LONG_UNDEF 0x7fffffffL
 static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it);
 static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it);
 static void long_clear(ASN1_VALUE **pval, const ASN1_ITEM *it);
@@ -159,8 +162,9 @@ long_i2c(ASN1_VALUE **pval, unsigned char *content, int *putype,
        long_get(pval, &val);
        /*
-         * The zero value for this type (stored in the overloaded it->size
+         * Omit this field if it has the zero value for this type (stored
-         * field) is considered to be invalid.
+         * in the overloaded it->size field) - asn1_i2d_ex_primitive()
+         * specifically checks for a -1 return value.
         */
        if (val == it->size)
                return -1;
diff --git a/src/lib/libcrypto/asn1/x_name.c b/src/lib/libcrypto/asn1/x_name.c
index c60714b74f..eab14ad503 100644
--- a/src/lib/libcrypto/asn1/x_name.c
+++ b/src/lib/libcrypto/asn1/x_name.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_name.c,v 1.45 2025/03/20 09:41:47 tb Exp $ */
+/* $OpenBSD: x_name.c,v 1.47 2026/01/05 05:22:09 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,10 +61,10 @@
 #include <string.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include "asn1_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
@@ -194,7 +194,7 @@ static const ASN1_ITEM X509_NAME_INTERNAL_it = {
 * to the external form.
 */
-const ASN1_EXTERN_FUNCS x509_name_ff = {
+static const ASN1_EXTERN_FUNCS x509_name_ff = {
        .app_data = NULL,
        .asn1_ex_new = x509_name_ex_new,
        .asn1_ex_free = x509_name_ex_free,
diff --git a/src/lib/libcrypto/asn1/x_pkey.c b/src/lib/libcrypto/asn1/x_pkey.c
deleted file mode 100644
index 5c96c13ab9..0000000000
--- a/src/lib/libcrypto/asn1/x_pkey.c
+++ /dev/null
@@ -1,123 +0,0 @@
-/* $OpenBSD: x_pkey.c,v 1.24 2024/04/09 13:55:02 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-#include <stdio.h>
-#include <string.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-X509_PKEY *
-X509_PKEY_new(void)
-{
-        X509_PKEY *ret = NULL;
-        if ((ret = malloc(sizeof(X509_PKEY))) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        ret->version = 0;
-        if ((ret->enc_algor = X509_ALGOR_new()) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        if ((ret->enc_pkey = ASN1_OCTET_STRING_new()) == NULL) {
-                ASN1error(ERR_R_MALLOC_FAILURE);
-                goto err;
-        }
-        ret->dec_pkey = NULL;
-        ret->key_length = 0;
-        ret->key_data = NULL;
-        ret->key_free = 0;
-        ret->cipher.cipher = NULL;
-        memset(ret->cipher.iv, 0, EVP_MAX_IV_LENGTH);
-        ret->references = 1;
-        return (ret);
- err:
-        if (ret) {
-                X509_ALGOR_free(ret->enc_algor);
-                free(ret);
-        }
-        return NULL;
-}
-LCRYPTO_ALIAS(X509_PKEY_new);
-void
-X509_PKEY_free(X509_PKEY *x)
-{
-        int i;
-        if (x == NULL)
-                return;
-        i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_PKEY);
-        if (i > 0)
-                return;
-        if (x->enc_algor != NULL)
-                X509_ALGOR_free(x->enc_algor);
-        ASN1_OCTET_STRING_free(x->enc_pkey);
-        EVP_PKEY_free(x->dec_pkey);
-        if ((x->key_data != NULL) && (x->key_free))
-                free(x->key_data);
-        free(x);
-}
-LCRYPTO_ALIAS(X509_PKEY_free);
diff --git a/src/lib/libcrypto/asn1/x_pubkey.c b/src/lib/libcrypto/asn1/x_pubkey.c
index 1e772a3458..895b4da4d0 100644
--- a/src/lib/libcrypto/asn1/x_pubkey.c
+++ b/src/lib/libcrypto/asn1/x_pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_pubkey.c,v 1.37 2024/07/08 14:48:49 beck Exp $ */
+/* $OpenBSD: x_pubkey.c,v 1.40 2026/01/05 05:23:56 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -61,7 +61,6 @@
 #include <openssl/opensslconf.h>
 #include <openssl/asn1t.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #ifndef OPENSSL_NO_DSA
@@ -72,6 +71,7 @@
 #endif
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
@@ -385,7 +385,7 @@ pkey_pubkey_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it,
        return pubkey_ex_i2d(EVP_PKEY_NONE, pval, out, it);
 }
-const ASN1_EXTERN_FUNCS pkey_pubkey_asn1_ff = {
+static const ASN1_EXTERN_FUNCS pkey_pubkey_asn1_ff = {
        .app_data = NULL,
        .asn1_ex_new = pkey_pubkey_ex_new,
        .asn1_ex_free = pkey_pubkey_ex_free,
@@ -395,7 +395,7 @@ const ASN1_EXTERN_FUNCS pkey_pubkey_asn1_ff = {
        .asn1_ex_print = NULL,
 };
-const ASN1_ITEM EVP_PKEY_PUBKEY_it = {
+static const ASN1_ITEM EVP_PKEY_PUBKEY_it = {
        .itype = ASN1_ITYPE_EXTERN,
        .utype = 0,
        .templates = NULL,
@@ -485,7 +485,7 @@ rsa_pubkey_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it,
        return pubkey_ex_i2d(EVP_PKEY_RSA, pval, out, it);
 }
-const ASN1_EXTERN_FUNCS rsa_pubkey_asn1_ff = {
+static const ASN1_EXTERN_FUNCS rsa_pubkey_asn1_ff = {
        .app_data = NULL,
        .asn1_ex_new = rsa_pubkey_ex_new,
        .asn1_ex_free = rsa_pubkey_ex_free,
@@ -495,7 +495,7 @@ const ASN1_EXTERN_FUNCS rsa_pubkey_asn1_ff = {
        .asn1_ex_print = NULL,
 };
-const ASN1_ITEM RSA_PUBKEY_it = {
+static const ASN1_ITEM RSA_PUBKEY_it = {
        .itype = ASN1_ITYPE_EXTERN,
        .utype = 0,
        .templates = NULL,
@@ -581,7 +581,7 @@ dsa_pubkey_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it,
        return pubkey_ex_i2d(EVP_PKEY_DSA, pval, out, it);
 }
-const ASN1_EXTERN_FUNCS dsa_pubkey_asn1_ff = {
+static const ASN1_EXTERN_FUNCS dsa_pubkey_asn1_ff = {
        .app_data = NULL,
        .asn1_ex_new = dsa_pubkey_ex_new,
        .asn1_ex_free = dsa_pubkey_ex_free,
@@ -591,7 +591,7 @@ const ASN1_EXTERN_FUNCS dsa_pubkey_asn1_ff = {
        .asn1_ex_print = NULL,
 };
-const ASN1_ITEM DSA_PUBKEY_it = {
+static const ASN1_ITEM DSA_PUBKEY_it = {
        .itype = ASN1_ITYPE_EXTERN,
        .utype = 0,
        .templates = NULL,
@@ -678,7 +678,7 @@ ec_pubkey_ex_i2d(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it,
        return pubkey_ex_i2d(EVP_PKEY_EC, pval, out, it);
 }
-const ASN1_EXTERN_FUNCS ec_pubkey_asn1_ff = {
+static const ASN1_EXTERN_FUNCS ec_pubkey_asn1_ff = {
        .app_data = NULL,
        .asn1_ex_new = ec_pubkey_ex_new,
        .asn1_ex_free = ec_pubkey_ex_free,
@@ -688,7 +688,7 @@ const ASN1_EXTERN_FUNCS ec_pubkey_asn1_ff = {
        .asn1_ex_print = NULL,
 };
-const ASN1_ITEM EC_PUBKEY_it = {
+static const ASN1_ITEM EC_PUBKEY_it = {
        .itype = ASN1_ITYPE_EXTERN,
        .utype = 0,
        .templates = NULL,