38 files changed, 88 insertions, 96 deletions

diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index 2b2733a04b..9b239c1e9d 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_dir.c,v 1.48 2024/08/31 10:19:17 tb Exp $ */
+/* $OpenBSD: by_dir.c,v 1.49 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -64,9 +64,9 @@
 
 #include <openssl/opensslconf.h>
 
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 typedef struct lookup_dir_hashes_st {
diff --git a/src/lib/libcrypto/x509/by_file.c b/src/lib/libcrypto/x509/by_file.c
index 9b0fd2542c..86d4cd6b60 100644
--- a/src/lib/libcrypto/x509/by_file.c
+++ b/src/lib/libcrypto/x509/by_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_file.c,v 1.31 2024/08/31 10:19:17 tb Exp $ */
+/* $OpenBSD: by_file.c,v 1.32 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -62,10 +62,10 @@
 #include <unistd.h>
 
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
diff --git a/src/lib/libcrypto/x509/by_mem.c b/src/lib/libcrypto/x509/by_mem.c
index 71afefa8a4..66093dd445 100644
--- a/src/lib/libcrypto/x509/by_mem.c
+++ b/src/lib/libcrypto/x509/by_mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_mem.c,v 1.10 2024/08/31 10:19:17 tb Exp $ */
+/* $OpenBSD: by_mem.c,v 1.11 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,11 +63,11 @@
 #include <unistd.h>
 
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static int by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);
diff --git a/src/lib/libcrypto/x509/x509.h b/src/lib/libcrypto/x509/x509.h
index a198b23202..729a06d0ed 100644
--- a/src/lib/libcrypto/x509/x509.h
+++ b/src/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.121 2025/03/09 15:17:22 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.123 2025/07/16 15:59:26 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -178,6 +178,7 @@ DECLARE_STACK_OF(X509)
 #define X509_FLAG_NO_SIGDUMP            (1L << 9)
 #define X509_FLAG_NO_AUX                (1L << 10)
 #define X509_FLAG_NO_ATTRIBUTES         (1L << 11)
+#define X509_FLAG_NO_IDS                (1L << 12)
 
 /* Flags specific to X509_NAME_print_ex() */
 
@@ -244,23 +245,7 @@ typedef struct X509_crl_info_st X509_CRL_INFO;
 DECLARE_STACK_OF(X509_CRL)
 
 typedef struct private_key_st {
-        int version;
-        /* The PKCS#8 data types */
-        X509_ALGOR *enc_algor;
-        ASN1_OCTET_STRING *enc_pkey;    /* encrypted pub key */
-
-        /* When decrypted, the following will not be NULL */
         EVP_PKEY *dec_pkey;
-
-        /* used to encrypt and decrypt */
-        int key_length;
-        char *key_data;
-        int key_free;   /* true if we should auto free key_data */
-
-        /* expanded version of 'enc_algor' */
-        EVP_CIPHER_INFO cipher;
-
-        int references;
 } X509_PKEY;
 
 #ifndef OPENSSL_NO_EVP
@@ -646,9 +631,6 @@ int X509_CRL_get0_by_serial(X509_CRL *crl,
                 X509_REVOKED **ret, ASN1_INTEGER *serial);
 int X509_CRL_get0_by_cert(X509_CRL *crl, X509_REVOKED **ret, X509 *x);
 
-X509_PKEY *     X509_PKEY_new(void );
-void            X509_PKEY_free(X509_PKEY *a);
-
 NETSCAPE_SPKI *NETSCAPE_SPKI_new(void);
 void NETSCAPE_SPKI_free(NETSCAPE_SPKI *a);
 NETSCAPE_SPKI *d2i_NETSCAPE_SPKI(NETSCAPE_SPKI **a, const unsigned char **in, long len);
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 2208cc434e..b4ee92a14b 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.93 2024/07/13 15:08:58 tb Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.94 2025/05/10 05:54:39 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -69,12 +69,12 @@
 #include <openssl/asn1t.h>
 #include <openssl/buffer.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include "asn1_local.h"
 #include "bytestring.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 #ifndef OPENSSL_NO_RFC3779
diff --git a/src/lib/libcrypto/x509/x509_akey.c b/src/lib/libcrypto/x509/x509_akey.c
index 926508c4cd..524fea8009 100644
--- a/src/lib/libcrypto/x509/x509_akey.c
+++ b/src/lib/libcrypto/x509/x509_akey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_akey.c,v 1.3 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_akey.c,v 1.4 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
index 34734a55bd..ca91493848 100644
--- a/src/lib/libcrypto/x509/x509_alt.c
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_alt.c,v 1.19 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_alt.c,v 1.20 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -60,9 +60,9 @@
 #include <string.h>
 
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_internal.h"
 
 static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c
index 40ee201a9f..45a154e7d9 100644
--- a/src/lib/libcrypto/x509/x509_asid.c
+++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_asid.c,v 1.45 2024/07/13 15:08:58 tb Exp $ */
+/*      $OpenBSD: x509_asid.c,v 1.46 2025/05/10 05:54:39 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -68,10 +68,10 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 #ifndef OPENSSL_NO_RFC3779
diff --git a/src/lib/libcrypto/x509/x509_att.c b/src/lib/libcrypto/x509/x509_att.c
index 4931cbbc17..a442a17746 100644
--- a/src/lib/libcrypto/x509/x509_att.c
+++ b/src/lib/libcrypto/x509/x509_att.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_att.c,v 1.25 2024/08/31 10:46:40 tb Exp $ */
+/* $OpenBSD: x509_att.c,v 1.26 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,13 +59,13 @@
 #include <stdio.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 int
diff --git a/src/lib/libcrypto/x509/x509_bcons.c b/src/lib/libcrypto/x509/x509_bcons.c
index 99cb5afe9a..c10f822ccc 100644
--- a/src/lib/libcrypto/x509/x509_bcons.c
+++ b/src/lib/libcrypto/x509/x509_bcons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_bcons.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_bcons.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_bitst.c b/src/lib/libcrypto/x509/x509_bitst.c
index 2bc4f9911a..89289b7af0 100644
--- a/src/lib/libcrypto/x509/x509_bitst.c
+++ b/src/lib/libcrypto/x509/x509_bitst.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_bitst.c,v 1.8 2024/08/31 10:23:13 tb Exp $ */
+/* $OpenBSD: x509_bitst.c,v 1.9 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,9 +60,9 @@
 #include <string.h>
 
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static const BIT_STRING_BITNAME ns_cert_type_table[] = {
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index 2c1e427093..2479dcdd0d 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cmp.c,v 1.44 2024/03/25 03:41:16 joshua Exp $ */
+/* $OpenBSD: x509_cmp.c,v 1.45 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -63,11 +63,11 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/x509/x509_conf.c b/src/lib/libcrypto/x509/x509_conf.c
index e5b18c2f77..2089f72bc7 100644
--- a/src/lib/libcrypto/x509/x509_conf.c
+++ b/src/lib/libcrypto/x509/x509_conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_conf.c,v 1.29 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_conf.c,v 1.31 2025/06/02 12:18:21 jsg Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,11 +62,11 @@
 #include <string.h>
 
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
 #include "conf_local.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 static int v3_check_critical(const char **value);
@@ -242,8 +242,9 @@ v3_check_critical(const char **value)
         if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
                 return 0;
         p += 9;
-        while (isspace((unsigned char)*p)) p++;
-                *value = p;
+        while (isspace((unsigned char)*p))
+                p++;
+        *value = p;
         return 1;
 }
 
diff --git a/src/lib/libcrypto/x509/x509_cpols.c b/src/lib/libcrypto/x509/x509_cpols.c
index 6bae2a0482..b6a456023f 100644
--- a/src/lib/libcrypto/x509/x509_cpols.c
+++ b/src/lib/libcrypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cpols.c,v 1.15 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.16 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 /* Certificate policies extension support: this one is a bit complex... */
diff --git a/src/lib/libcrypto/x509/x509_crld.c b/src/lib/libcrypto/x509/x509_crld.c
index 81f2010df5..75afcefca8 100644
--- a/src/lib/libcrypto/x509/x509_crld.c
+++ b/src/lib/libcrypto/x509/x509_crld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_crld.c,v 1.9 2025/03/06 07:20:01 tb Exp $ */
+/* $OpenBSD: x509_crld.c,v 1.10 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static void *v2i_crld(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_extku.c b/src/lib/libcrypto/x509/x509_extku.c
index da5036a09a..35460ca46b 100644
--- a/src/lib/libcrypto/x509/x509_extku.c
+++ b/src/lib/libcrypto/x509/x509_extku.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_extku.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_extku.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,9 +60,9 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_genn.c b/src/lib/libcrypto/x509/x509_genn.c
index 1ea7155795..5214c394ed 100644
--- a/src/lib/libcrypto/x509/x509_genn.c
+++ b/src/lib/libcrypto/x509/x509_genn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_genn.c,v 1.7 2024/07/08 14:47:44 beck Exp $ */
+/* $OpenBSD: x509_genn.c,v 1.8 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -63,6 +63,8 @@
 #include <openssl/conf.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
+
 static const ASN1_TEMPLATE OTHERNAME_seq_tt[] = {
         {
                 .flags = 0,
diff --git a/src/lib/libcrypto/x509/x509_ia5.c b/src/lib/libcrypto/x509/x509_ia5.c
index 4f62a9134c..b8886c6cb8 100644
--- a/src/lib/libcrypto/x509/x509_ia5.c
+++ b/src/lib/libcrypto/x509/x509_ia5.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ia5.c,v 1.2 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_ia5.c,v 1.3 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -61,9 +61,10 @@
 
 #include <openssl/asn1.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
+
 static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
 static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
     X509V3_CTX *ctx, char *str);
diff --git a/src/lib/libcrypto/x509/x509_info.c b/src/lib/libcrypto/x509/x509_info.c
index d1de346ee6..c91642a02e 100644
--- a/src/lib/libcrypto/x509/x509_info.c
+++ b/src/lib/libcrypto/x509/x509_info.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_info.c,v 1.5 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_info.c,v 1.6 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -62,9 +62,10 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
+
 static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
     X509V3_EXT_METHOD *method, AUTHORITY_INFO_ACCESS *ainfo,
     STACK_OF(CONF_VALUE) *ret);
diff --git a/src/lib/libcrypto/x509/x509_lib.c b/src/lib/libcrypto/x509/x509_lib.c
index 6fa66ab88e..0285ac0d3a 100644
--- a/src/lib/libcrypto/x509/x509_lib.c
+++ b/src/lib/libcrypto/x509/x509_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lib.c,v 1.24 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_lib.c,v 1.25 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,9 +60,9 @@
 #include <stdio.h>
 
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 const X509V3_EXT_METHOD *
diff --git a/src/lib/libcrypto/x509/x509_lu.c b/src/lib/libcrypto/x509/x509_lu.c
index 0367794fca..1ac3436a6e 100644
--- a/src/lib/libcrypto/x509/x509_lu.c
+++ b/src/lib/libcrypto/x509/x509_lu.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lu.c,v 1.67 2025/03/09 15:20:20 tb Exp $ */
+/* $OpenBSD: x509_lu.c,v 1.68 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,11 +59,11 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static int X509_OBJECT_up_ref_count(X509_OBJECT *a);
diff --git a/src/lib/libcrypto/x509/x509_ncons.c b/src/lib/libcrypto/x509/x509_ncons.c
index 148a66e887..f197488d70 100644
--- a/src/lib/libcrypto/x509/x509_ncons.c
+++ b/src/lib/libcrypto/x509/x509_ncons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ncons.c,v 1.11 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_ncons.c,v 1.12 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -61,9 +61,9 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_ocsp.c b/src/lib/libcrypto/x509/x509_ocsp.c
index 6531b4c420..d0a0d49890 100644
--- a/src/lib/libcrypto/x509/x509_ocsp.c
+++ b/src/lib/libcrypto/x509/x509_ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ocsp.c,v 1.4 2024/12/24 09:14:33 schwarze Exp $ */
+/* $OpenBSD: x509_ocsp.c,v 1.5 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -65,10 +65,10 @@
 
 #include <openssl/asn1.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/ocsp.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "ocsp_local.h"
 
 /* OCSP extensions and a couple of CRL entry extensions
diff --git a/src/lib/libcrypto/x509/x509_pcons.c b/src/lib/libcrypto/x509/x509_pcons.c
index 66dc57abf6..404fa28724 100644
--- a/src/lib/libcrypto/x509/x509_pcons.c
+++ b/src/lib/libcrypto/x509/x509_pcons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pcons.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_pcons.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -62,9 +62,9 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static STACK_OF(CONF_VALUE) *
diff --git a/src/lib/libcrypto/x509/x509_pmaps.c b/src/lib/libcrypto/x509/x509_pmaps.c
index 5039f65f2e..141a3a6f90 100644
--- a/src/lib/libcrypto/x509/x509_pmaps.c
+++ b/src/lib/libcrypto/x509/x509_pmaps.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_pmaps.c,v 1.6 2024/08/31 10:03:03 tb Exp $ */
+/* $OpenBSD: x509_pmaps.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -61,9 +61,9 @@
 
 #include <openssl/asn1t.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_policy.c b/src/lib/libcrypto/x509/x509_policy.c
index d93760755d..8267e8dc49 100644
--- a/src/lib/libcrypto/x509/x509_policy.c
+++ b/src/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_policy.c,v 1.31 2025/03/28 13:11:57 tb Exp $ */
+/*      $OpenBSD: x509_policy.c,v 1.32 2025/05/10 05:54:39 tb Exp $ */
 /*
  * Copyright (c) 2022, Google Inc.
  *
@@ -17,12 +17,12 @@
 
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "stack_local.h"
 #include "x509_internal.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/x509/x509_prn.c b/src/lib/libcrypto/x509/x509_prn.c
index 3bf7c803e5..23c649a7b9 100644
--- a/src/lib/libcrypto/x509/x509_prn.c
+++ b/src/lib/libcrypto/x509/x509_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_prn.c,v 1.6 2023/05/08 05:30:38 tb Exp $ */
+/* $OpenBSD: x509_prn.c,v 1.7 2025/06/02 12:18:22 jsg Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -87,8 +87,9 @@ X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
         for (i = 0; i < sk_CONF_VALUE_num(val); i++) {
                 if (ml)
                         BIO_printf(out, "%*s", indent, "");
-                else if (i > 0) BIO_printf(out, ", ");
-                        nval = sk_CONF_VALUE_value(val, i);
+                else if (i > 0)
+                        BIO_printf(out, ", ");
+                nval = sk_CONF_VALUE_value(val, i);
                 if (!nval->name)
                         BIO_puts(out, nval->value);
                 else if (!nval->value)
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 619a4b890a..36dfe6abee 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.43 2024/07/12 18:15:10 beck Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.44 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -61,7 +61,6 @@
 
 #include <openssl/opensslconf.h>
 
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 #include <openssl/x509_vfy.h>
 
diff --git a/src/lib/libcrypto/x509/x509_r2x.c b/src/lib/libcrypto/x509/x509_r2x.c
index 39b392259b..4ca8a87935 100644
--- a/src/lib/libcrypto/x509/x509_r2x.c
+++ b/src/lib/libcrypto/x509/x509_r2x.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_r2x.c,v 1.17 2023/04/25 09:46:36 job Exp $ */
+/* $OpenBSD: x509_r2x.c,v 1.18 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,11 +61,11 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 X509 *
diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
index 704acbd897..df1119a55c 100644
--- a/src/lib/libcrypto/x509/x509_req.c
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_req.c,v 1.43 2024/08/31 10:16:52 tb Exp $ */
+/* $OpenBSD: x509_req.c,v 1.44 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -64,13 +64,13 @@
 #include <openssl/asn1t.h>
 #include <openssl/bn.h>
 #include <openssl/buffer.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "evp_local.h"
 #include "x509_local.h"
 
diff --git a/src/lib/libcrypto/x509/x509_skey.c b/src/lib/libcrypto/x509/x509_skey.c
index d2c90b6f1c..e9e915a0c7 100644
--- a/src/lib/libcrypto/x509/x509_skey.c
+++ b/src/lib/libcrypto/x509/x509_skey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_skey.c,v 1.6 2024/07/13 15:08:58 tb Exp $ */
+/* $OpenBSD: x509_skey.c,v 1.7 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -59,9 +59,9 @@
 #include <stdio.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
diff --git a/src/lib/libcrypto/x509/x509_utl.c b/src/lib/libcrypto/x509/x509_utl.c
index 08383849c9..4be8630d89 100644
--- a/src/lib/libcrypto/x509/x509_utl.c
+++ b/src/lib/libcrypto/x509/x509_utl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_utl.c,v 1.26 2025/01/26 13:51:41 tb Exp $ */
+/* $OpenBSD: x509_utl.c,v 1.27 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -64,11 +64,11 @@
 #include <openssl/asn1.h>
 #include <openssl/bn.h>
 #include <openssl/conf.h>
-#include <openssl/err.h>
 #include <openssl/x509v3.h>
 
 #include "bytestring.h"
 #include "conf_local.h"
+#include "err_local.h"
 
 /*
  * Match reference identifiers starting with "." to any sub-domain. This
diff --git a/src/lib/libcrypto/x509/x509_v3.c b/src/lib/libcrypto/x509/x509_v3.c
index 688aed15a2..ee14d2dcef 100644
--- a/src/lib/libcrypto/x509/x509_v3.c
+++ b/src/lib/libcrypto/x509/x509_v3.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_v3.c,v 1.43 2024/07/12 09:57:04 tb Exp $ */
+/* $OpenBSD: x509_v3.c,v 1.44 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -59,12 +59,12 @@
 #include <stdio.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 int
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index c93ae81bd8..3d0abda615 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.147 2025/03/04 08:43:25 tb Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.148 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -67,7 +67,6 @@
 #include <openssl/asn1.h>
 #include <openssl/buffer.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/lhash.h>
 #include <openssl/objects.h>
@@ -75,6 +74,7 @@
 #include <openssl/x509v3.h>
 
 #include "asn1_local.h"
+#include "err_local.h"
 #include "x509_internal.h"
 #include "x509_issuer_cache.h"
 #include "x509_local.h"
diff --git a/src/lib/libcrypto/x509/x509_vpm.c b/src/lib/libcrypto/x509/x509_vpm.c
index 9efe473fc3..19091b12aa 100644
--- a/src/lib/libcrypto/x509/x509_vpm.c
+++ b/src/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.55 2025/03/19 17:11:21 tb Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.56 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2004.
  */
@@ -61,12 +61,12 @@
 
 #include <openssl/buffer.h>
 #include <openssl/crypto.h>
-#include <openssl/err.h>
 #include <openssl/lhash.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
 #include "x509_local.h"
 
 /* X509_VERIFY_PARAM functions */
diff --git a/src/lib/libcrypto/x509/x509name.c b/src/lib/libcrypto/x509/x509name.c
index d2df06ccc6..9a582d34e4 100644
--- a/src/lib/libcrypto/x509/x509name.c
+++ b/src/lib/libcrypto/x509/x509name.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509name.c,v 1.35 2023/05/29 11:54:50 beck Exp $ */
+/* $OpenBSD: x509name.c,v 1.36 2025/05/10 05:54:39 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -60,13 +60,13 @@
 #include <string.h>
 
 #include <openssl/asn1.h>
-#include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/stack.h>
 #include <openssl/x509.h>
 
 #include "bytestring.h"
+#include "err_local.h"
 #include "x509_local.h"
 
 int
diff --git a/src/lib/libcrypto/x509/x509spki.c b/src/lib/libcrypto/x509/x509spki.c
index 04c9a6f01b..ef5f9e34c8 100644
--- a/src/lib/libcrypto/x509/x509spki.c
+++ b/src/lib/libcrypto/x509/x509spki.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509spki.c,v 1.16 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: x509spki.c,v 1.17 2025/05/10 05:54:39 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -60,9 +60,10 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <openssl/err.h>
 #include <openssl/x509.h>
 
+#include "err_local.h"
+
 int
 NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey)
 {
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index 5997714061..b5d50ae4ee 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_all.c,v 1.32 2024/06/19 08:00:53 tb Exp $ */
+/* $OpenBSD: x_all.c,v 1.33 2025/07/10 18:50:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -399,7 +399,11 @@ LCRYPTO_ALIAS(i2d_PKCS8PrivateKeyInfo_fp);
 int
 X509_verify(X509 *a, EVP_PKEY *r)
 {
-        if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))
+        /*
+         * The Certificate's signature AlgorithmIdentifier must match the one
+         * inside the TBSCertificate, see RFC 5280, 4.1.1.2, 4.1.2.3.
+         */
+        if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature) != 0)
                 return 0;
         return ASN1_item_verify(&X509_CINF_it, a->sig_alg,
             a->signature, a->cert_info, r);