38 files changed, 122 insertions, 123 deletions

diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index 2b2733a04b..9b239c1e9d 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_dir.c,v 1.48 2024/08/31 10:19:17 tb Exp $ */
+/* $OpenBSD: by_dir.c,v 1.49 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -64,9 +64,9 @@
 
 #include <openssl/opensslconf.h>
 
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 typedef struct lookup_dir_hashes_st {
diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
index 9b0fd2542c..86d4cd6b60 100644
--- a/src/lib/libcrypto/x509/by_file.c
+++ b/src/lib/libcrypto/x509/by_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_file.c,v 1.31 2024/08/31 10:19:17 tb Exp $ */
+/* $OpenBSD: by_file.c,v 1.32 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,10 +62,10 @@
 #include <unistd.h>
 
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
diff --git a/src/lib/libcrypto/x509/by_mem.c b/src/lib/libcrypto/x509/by_mem.c
index 71afefa8a4..66093dd445 100644
--- a/src/lib/libcrypto/x509/by_mem.c
+++ b/src/lib/libcrypto/x509/by_mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_mem.c,v 1.10 2024/08/31 10:19:17 tb Exp $ */
+/* $OpenBSD: by_mem.c,v 1.11 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,11 +63,11 @@
 #include <unistd.h>
 
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static int by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index a198b23202..729a06d0ed 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.121 2025/03/09 15:17:22 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.123 2025/07/16 15:59:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -178,6 +178,7 @@ DECLARE_STACK_OF(X509)
 #define X509_FLAG_NO_SIGDUMP            (1L << 9)
 #define X509_FLAG_NO_AUX                (1L << 10)
 #define X509_FLAG_NO_ATTRIBUTES         (1L << 11)
+#define X509_FLAG_NO_IDS                (1L << 12)
 
 /* Flags specific to X509_NAME_print_ex() */
 
@@ -244,23 +245,7 @@ typedef struct X509_crl_info_st X509_CRL_INFO;
 DECLARE_STACK_OF(X509_CRL)
 
 typedef struct private_key_st {
-        int version;
-        /* The PKCS#8 data types */
-        X509_ALGOR *enc_algor;
-        ASN1_OCTET_STRING *enc_pkey;    /* encrypted pub key */
-
-        /* When decrypted, the following will not be NULL */
         EVP_PKEY *dec_pkey;
-
-        /* used to encrypt and decrypt */
-        int key_length;
-        char *key_data;
-        int key_free;   /* true if we should auto free key_data */
-
-        /* expanded version of 'enc_algor' */
-        EVP_CIPHER_INFO cipher;
-
-        int references;
 } X509_PKEY;
 
 #ifndef OPENSSL_NO_EVP
@@ -646,9 +631,6 @@ int X509_CRL_get0_by_serial(X509_CRL *crl,
                 X509_REVOKED **ret, ASN1_INTEGER *serial);
 int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
 
-X509_PKEY *     X509_PKEY_new(void );
-void            X509_PKEY_free(X509_PKEY *a);
-
 NETSCAPE_SPKI *NETSCAPE_SPKI_new(void);
 void NETSCAPE_SPKI_free(NETSCAPE_SPKI *a);
 NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **a, const unsigned char **in, long len);
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 2208cc434e..b4ee92a14b 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.93 2024/07/13 15:08:58 tb Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.94 2025/05/10 05:54:39 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -69,12 +69,12 @@
 #include <openssl/asn1t.h>
 #include <openssl/buffer.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include "asn1_local.h"
 #include "bytestring.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 #ifndef OPENSSL_NO_RFC3779
diff --git a/src/lib/libcrypto/x509/x509_akey.c b/src/lib/libcrypto/x509/x509_akey.c
index 926508c4cd..524fea8009 100644
--- a/src/lib/libcrypto/x509/x509_akey.c
+++ b/src/lib/libcrypto/x509/x509_akey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_akey.c,v 1.3 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_akey.c,v 1.4 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
index 34734a55bd..ca91493848 100644
--- a/src/lib/libcrypto/x509/x509_alt.c
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.19 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.20 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -60,9 +60,9 @@
 #include <string.h>
 
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_internal.h"
 
 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c
index 40ee201a9f..45a154e7d9 100644
--- a/src/lib/libcrypto/x509/x509_asid.c
+++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_asid.c,v 1.45 2024/07/13 15:08:58 tb Exp $ */
+/*      $OpenBSD: x509_asid.c,v 1.46 2025/05/10 05:54:39 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -68,10 +68,10 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 #ifndef OPENSSL_NO_RFC3779
diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
index 4931cbbc17..a442a17746 100644
--- a/src/lib/libcrypto/x509/x509_att.c
+++ b/src/lib/libcrypto/x509/x509_att.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_att.c,v 1.25 2024/08/31 10:46:40 tb Exp $ */
+/* $OpenBSD: x509_att.c,v 1.26 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,13 +59,13 @@
 #include <stdio.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 int
diff --git a/src/lib/libcrypto/x509/x509_bcons.c b/src/lib/libcrypto/x509/x509_bcons.c
index 99cb5afe9a..c10f822ccc 100644
--- a/src/lib/libcrypto/x509/x509_bcons.c
+++ b/src/lib/libcrypto/x509/x509_bcons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_bcons.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_bcons.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_bitst.c b/src/lib/libcrypto/x509/x509_bitst.c
index 2bc4f9911a..89289b7af0 100644
--- a/src/lib/libcrypto/x509/x509_bitst.c
+++ b/src/lib/libcrypto/x509/x509_bitst.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_bitst.c,v 1.8 2024/08/31 10:23:13 tb Exp $ */
+/* $OpenBSD: x509_bitst.c,v 1.9 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,9 +60,9 @@
 #include <string.h>
 
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static const BIT_STRING_BITNAME ns_cert_type_table[] = {
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index 2c1e427093..2479dcdd0d 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cmp.c,v 1.44 2024/03/25 03:41:16 joshua Exp $ */
+/* $OpenBSD: x509_cmp.c,v 1.45 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,11 +63,11 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/x509/x509_conf.c b/src/lib/libcrypto/x509/x509_conf.c
index e5b18c2f77..2089f72bc7 100644
--- a/src/lib/libcrypto/x509/x509_conf.c
+++ b/src/lib/libcrypto/x509/x509_conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_conf.c,v 1.29 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_conf.c,v 1.31 2025/06/02 12:18:21 jsg Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,11 +62,11 @@
 #include <string.h>
 
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include "conf_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 static int v3_check_critical(const char **value);
@@ -242,8 +242,9 @@ v3_check_critical(const char **value)
         if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
                 return 0;
         p += 9;
-        while (isspace((unsigned char)*p)) p++;
-                *value = p;
+        while (isspace((unsigned char)*p))
+                p++;
+        *value = p;
         return 1;
 }
 
diff --git a/src/lib/libcrypto/x509/x509_cpols.c b/src/lib/libcrypto/x509/x509_cpols.c
index 6bae2a0482..b6a456023f 100644
--- a/src/lib/libcrypto/x509/x509_cpols.c
+++ b/src/lib/libcrypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.15 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.16 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 /* Certificate policies extension support: this one is a bit complex... */
diff --git a/src/lib/libcrypto/x509/x509_crld.c b/src/lib/libcrypto/x509/x509_crld.c
index 81f2010df5..75afcefca8 100644
--- a/src/lib/libcrypto/x509/x509_crld.c
+++ b/src/lib/libcrypto/x509/x509_crld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_crld.c,v 1.9 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_crld.c,v 1.10 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static void *v2i_crld(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_extku.c b/src/lib/libcrypto/x509/x509_extku.c
index da5036a09a..35460ca46b 100644
--- a/src/lib/libcrypto/x509/x509_extku.c
+++ b/src/lib/libcrypto/x509/x509_extku.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_extku.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_extku.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,9 +60,9 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_genn.c b/src/lib/libcrypto/x509/x509_genn.c
index 1ea7155795..5214c394ed 100644
--- a/src/lib/libcrypto/x509/x509_genn.c
+++ b/src/lib/libcrypto/x509/x509_genn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_genn.c,v 1.7 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_genn.c,v 1.8 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -63,6 +63,8 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
+
 static const ASN1_TEMPLATE OTHERNAME_seq_tt[] = {
         {
                 .flags = 0,
diff --git a/src/lib/libcrypto/x509/x509_ia5.c b/src/lib/libcrypto/x509/x509_ia5.c
index 4f62a9134c..b8886c6cb8 100644
--- a/src/lib/libcrypto/x509/x509_ia5.c
+++ b/src/lib/libcrypto/x509/x509_ia5.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ia5.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_ia5.c,v 1.3 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -61,9 +61,10 @@
 
 #include <openssl/asn1.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
+
 static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
 static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, char *str);
diff --git a/src/lib/libcrypto/x509/x509_info.c b/src/lib/libcrypto/x509/x509_info.c
index d1de346ee6..c91642a02e 100644
--- a/src/lib/libcrypto/x509/x509_info.c
+++ b/src/lib/libcrypto/x509/x509_info.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_info.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_info.c,v 1.6 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,10 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
+
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
     X509V3_EXT_METHOD *method, AUTHORITY_INFO_ACCESS *ainfo,
     STACK_OF(CONF_VALUE) *ret);
diff --git a/src/lib/libcrypto/x509/x509_lib.c b/src/lib/libcrypto/x509/x509_lib.c
index 6fa66ab88e..0285ac0d3a 100644
--- a/src/lib/libcrypto/x509/x509_lib.c
+++ b/src/lib/libcrypto/x509/x509_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lib.c,v 1.24 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_lib.c,v 1.25 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,9 +60,9 @@
 #include <stdio.h>
 
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 const X509V3_EXT_METHOD *
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
index 0367794fca..1ac3436a6e 100644
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lu.c,v 1.67 2025/03/09 15:20:20 tb Exp $ */
+/* $OpenBSD: x509_lu.c,v 1.68 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,11 +59,11 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static int X509_OBJECT_up_ref_count(X509_OBJECT *a);
diff --git a/src/lib/libcrypto/x509/x509_ncons.c b/src/lib/libcrypto/x509/x509_ncons.c
index 148a66e887..f197488d70 100644
--- a/src/lib/libcrypto/x509/x509_ncons.c
+++ b/src/lib/libcrypto/x509/x509_ncons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ncons.c,v 1.11 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_ncons.c,v 1.12 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -61,9 +61,9 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_ocsp.c b/src/lib/libcrypto/x509/x509_ocsp.c
index 6531b4c420..d0a0d49890 100644
--- a/src/lib/libcrypto/x509/x509_ocsp.c
+++ b/src/lib/libcrypto/x509/x509_ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ocsp.c,v 1.4 2024/12/24 09:14:33 schwarze Exp $ */
+/* $OpenBSD: x509_ocsp.c,v 1.5 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -65,10 +65,10 @@
 
 #include <openssl/asn1.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/ocsp.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "ocsp_local.h"
 
 /* OCSP extensions and a couple of CRL entry extensions
diff --git a/src/lib/libcrypto/x509/x509_pcons.c b/src/lib/libcrypto/x509/x509_pcons.c
index 66dc57abf6..404fa28724 100644
--- a/src/lib/libcrypto/x509/x509_pcons.c
+++ b/src/lib/libcrypto/x509/x509_pcons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pcons.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_pcons.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static STACK_OF(CONF_VALUE) *
diff --git a/src/lib/libcrypto/x509/x509_pmaps.c b/src/lib/libcrypto/x509/x509_pmaps.c
index 5039f65f2e..141a3a6f90 100644
--- a/src/lib/libcrypto/x509/x509_pmaps.c
+++ b/src/lib/libcrypto/x509/x509_pmaps.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pmaps.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_pmaps.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -61,9 +61,9 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_policy.c b/src/lib/libcrypto/x509/x509_policy.c
index 4321a9669d..8267e8dc49 100644
--- a/src/lib/libcrypto/x509/x509_policy.c
+++ b/src/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_policy.c,v 1.29 2025/01/06 17:42:39 tb Exp $ */
+/*      $OpenBSD: x509_policy.c,v 1.32 2025/05/10 05:54:39 tb Exp $ */
 /*
  * Copyright (c) 2022, Google Inc.
  *
@@ -17,12 +17,12 @@
 
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "stack_local.h"
 #include "x509_internal.h"
 #include "x509_local.h"
@@ -498,7 +498,7 @@ delete_if_mapped(X509_POLICY_NODE *node, void *data)
  * with P1 in |parent_policies|.
  *
  * This is equivalent to the |X509_POLICY_LEVEL| that would result if the next
- * certificats contained anyPolicy. |process_certificate_policies| will filter
+ * certificate contained anyPolicy. |process_certificate_policies| will filter
  * this result down to compute the actual level.
  */
 static X509_POLICY_LEVEL *
diff --git a/src/lib/libcrypto/x509/x509_prn.c b/src/lib/libcrypto/x509/x509_prn.c
index 3bf7c803e5..23c649a7b9 100644
--- a/src/lib/libcrypto/x509/x509_prn.c
+++ b/src/lib/libcrypto/x509/x509_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_prn.c,v 1.6 2023/05/08 05:30:38 tb Exp $ */
+/* $OpenBSD: x509_prn.c,v 1.7 2025/06/02 12:18:22 jsg Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -87,8 +87,9 @@ X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
         for (i = 0; i < sk_CONF_VALUE_num(val); i++) {
                 if (ml)
                         BIO_printf(out, "%*s", indent, "");
-                else if (i > 0) BIO_printf(out, ", ");
-                        nval = sk_CONF_VALUE_value(val, i);
+                else if (i > 0)
+                        BIO_printf(out, ", ");
+                nval = sk_CONF_VALUE_value(val, i);
                 if (!nval->name)
                         BIO_puts(out, nval->value);
                 else if (!nval->value)
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 619a4b890a..36dfe6abee 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.43 2024/07/12 18:15:10 beck Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.44 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -61,7 +61,6 @@
 
 #include <openssl/opensslconf.h>
 
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 #include <openssl/x509_vfy.h>
 
diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c
index 39b392259b..4ca8a87935 100644
--- a/src/lib/libcrypto/x509/x509_r2x.c
+++ b/src/lib/libcrypto/x509/x509_r2x.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_r2x.c,v 1.17 2023/04/25 09:46:36 job Exp $ */
+/* $OpenBSD: x509_r2x.c,v 1.18 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,11 +61,11 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 X509 *
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
index 704acbd897..df1119a55c 100644
--- a/src/lib/libcrypto/x509/x509_req.c
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_req.c,v 1.43 2024/08/31 10:16:52 tb Exp $ */
+/* $OpenBSD: x509_req.c,v 1.44 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -64,13 +64,13 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/x509/x509_skey.c b/src/lib/libcrypto/x509/x509_skey.c
index d2c90b6f1c..e9e915a0c7 100644
--- a/src/lib/libcrypto/x509/x509_skey.c
+++ b/src/lib/libcrypto/x509/x509_skey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_skey.c,v 1.6 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_skey.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -59,9 +59,9 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_utl.c b/src/lib/libcrypto/x509/x509_utl.c
index 08383849c9..4be8630d89 100644
--- a/src/lib/libcrypto/x509/x509_utl.c
+++ b/src/lib/libcrypto/x509/x509_utl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_utl.c,v 1.26 2025/01/26 13:51:41 tb Exp $ */
+/* $OpenBSD: x509_utl.c,v 1.27 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -64,11 +64,11 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
 #include "bytestring.h"
 #include "conf_local.h"
+#include "err_local.h"
 
 /*
  * Match reference identifiers starting with "." to any sub-domain. This
diff --git a/src/lib/libcrypto/x509/x509_v3.c b/src/lib/libcrypto/x509/x509_v3.c
index 688aed15a2..ee14d2dcef 100644
--- a/src/lib/libcrypto/x509/x509_v3.c
+++ b/src/lib/libcrypto/x509/x509_v3.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_v3.c,v 1.43 2024/07/12 09:57:04 tb Exp $ */
+/* $OpenBSD: x509_v3.c,v 1.44 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,12 +59,12 @@
 #include <stdio.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 int
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index c93ae81bd8..3d0abda615 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.147 2025/03/04 08:43:25 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.148 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -67,7 +67,6 @@
 #include <openssl/asn1.h>
 #include <openssl/buffer.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
@@ -75,6 +74,7 @@
 #include <openssl/x509v3.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "x509_internal.h"
 #include "x509_issuer_cache.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
index 4b333e2a2d..19091b12aa 100644
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.47 2025/03/12 04:58:04 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.56 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2004.
  */
@@ -61,12 +61,12 @@
 
 #include <openssl/buffer.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 /* X509_VERIFY_PARAM functions */
@@ -113,7 +113,7 @@ sk_OPENSSL_STRING_deep_copy(const STACK_OF(OPENSSL_STRING) *sk)
 }
 
 static int
-x509_param_set_hosts_internal(X509_VERIFY_PARAM *vpm, int mode,
+x509_param_set_hosts_internal(X509_VERIFY_PARAM *param, int mode,
     const char *name, size_t namelen)
 {
         char *copy;
@@ -126,9 +126,9 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM *vpm, int mode,
         if (name && memchr(name, '\0', namelen))
                 return 0;
 
-        if (mode == SET_HOST && vpm->hosts) {
-                sk_OPENSSL_STRING_pop_free(vpm->hosts, str_free);
-                vpm->hosts = NULL;
+        if (mode == SET_HOST && param->hosts) {
+                sk_OPENSSL_STRING_pop_free(param->hosts, str_free);
+                param->hosts = NULL;
         }
         if (name == NULL || namelen == 0)
                 return 1;
@@ -136,17 +136,17 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM *vpm, int mode,
         if (copy == NULL)
                 return 0;
 
-        if (vpm->hosts == NULL &&
-            (vpm->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
+        if (param->hosts == NULL &&
+           (param->hosts = sk_OPENSSL_STRING_new_null()) == NULL) {
                 free(copy);
                 return 0;
         }
 
-        if (!sk_OPENSSL_STRING_push(vpm->hosts, copy)) {
+        if (!sk_OPENSSL_STRING_push(param->hosts, copy)) {
                 free(copy);
-                if (sk_OPENSSL_STRING_num(vpm->hosts) == 0) {
-                        sk_OPENSSL_STRING_free(vpm->hosts);
-                        vpm->hosts = NULL;
+                if (sk_OPENSSL_STRING_num(param->hosts) == 0) {
+                        sk_OPENSSL_STRING_free(param->hosts);
+                        param->hosts = NULL;
                 }
                 return 0;
         }
@@ -654,6 +654,8 @@ static const X509_VERIFY_PARAM default_table[] = {
         }
 };
 
+#define N_DEFAULT_VERIFY_PARAMS (sizeof(default_table) / sizeof(default_table[0]))
+
 static STACK_OF(X509_VERIFY_PARAM) *param_table = NULL;
 
 static int
@@ -687,9 +689,11 @@ LCRYPTO_ALIAS(X509_VERIFY_PARAM_add0_table);
 int
 X509_VERIFY_PARAM_get_count(void)
 {
-        int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);
-        if (param_table)
+        int num = N_DEFAULT_VERIFY_PARAMS;
+
+        if (param_table != NULL)
                 num += sk_X509_VERIFY_PARAM_num(param_table);
+
         return num;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_get_count);
@@ -697,9 +701,14 @@ LCRYPTO_ALIAS(X509_VERIFY_PARAM_get_count);
 const X509_VERIFY_PARAM *
 X509_VERIFY_PARAM_get0(int id)
 {
-        int num = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);
+        int num = N_DEFAULT_VERIFY_PARAMS;
+
+        if (id < 0)
+                return NULL;
+
         if (id < num)
-                return default_table + id;
+                return &default_table[id];
+
         return sk_X509_VERIFY_PARAM_value(param_table, id - num);
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0);
@@ -707,22 +716,20 @@ LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0);
 const X509_VERIFY_PARAM *
 X509_VERIFY_PARAM_lookup(const char *name)
 {
-        X509_VERIFY_PARAM pm;
-        unsigned int i, limit;
+        X509_VERIFY_PARAM param;
+        size_t i;
+        int idx;
 
-        pm.name = (char *)name;
-        if (param_table) {
-                size_t idx;
-                if ((idx = sk_X509_VERIFY_PARAM_find(param_table, &pm)) != -1)
-                        return sk_X509_VERIFY_PARAM_value(param_table, idx);
-        }
+        memset(&param, 0, sizeof(param));
+        param.name = (char *)name;
+        if ((idx = sk_X509_VERIFY_PARAM_find(param_table, &param)) != -1)
+                return sk_X509_VERIFY_PARAM_value(param_table, idx);
 
-        limit = sizeof(default_table) / sizeof(X509_VERIFY_PARAM);
-        for (i = 0; i < limit; i++) {
-                if (strcmp(default_table[i].name, name) == 0) {
+        for (i = 0; i < N_DEFAULT_VERIFY_PARAMS; i++) {
+                if (strcmp(default_table[i].name, name) == 0)
                         return &default_table[i];
-                }
         }
+
         return NULL;
 }
 LCRYPTO_ALIAS(X509_VERIFY_PARAM_lookup);
diff --git a/src/lib/libcrypto/x509/x509name.c b/src/lib/libcrypto/x509/x509name.c
index d2df06ccc6..9a582d34e4 100644
--- a/src/lib/libcrypto/x509/x509name.c
+++ b/src/lib/libcrypto/x509/x509name.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509name.c,v 1.35 2023/05/29 11:54:50 beck Exp $ */
+/* $OpenBSD: x509name.c,v 1.36 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,13 +60,13 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 
 #include "bytestring.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 int
diff --git a/src/lib/libcrypto/x509/x509spki.c b/src/lib/libcrypto/x509/x509spki.c
index 04c9a6f01b..ef5f9e34c8 100644
--- a/src/lib/libcrypto/x509/x509spki.c
+++ b/src/lib/libcrypto/x509/x509spki.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509spki.c,v 1.16 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509spki.c,v 1.17 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,9 +60,10 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
+
 int
 NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
 {
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index 5997714061..b5d50ae4ee 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_all.c,v 1.32 2024/06/19 08:00:53 tb Exp $ */
+/* $OpenBSD: x_all.c,v 1.33 2025/07/10 18:50:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -399,7 +399,11 @@ LCRYPTO_ALIAS(i2d_PKCS8PrivateKeyInfo_fp);
 int
 X509_verify(X509 *a, EVP_PKEY *r)
 {
-        if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))
+        /*
+         * The Certificate's signature AlgorithmIdentifier must match the one
+         * inside the TBSCertificate, see RFC 5280, 4.1.1.2, 4.1.2.3.
+         */
+        if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature) != 0)
                 return 0;
         return ASN1_item_verify(&X509_CINF_it, a->sig_alg,
             a->signature, a->cert_info, r);