From 9da6320d732214906f0d716131fbd8f1db6422f4 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 4 Jun 2020 15:19:32 +0000
Subject: Collapse the x509v3 directory into x509.

This avoids the need to grep across directories to find functions and
prepares for further rototilling and chainsawing.

Discussed with tb@ (who also tested the release build)
---
 src/lib/libcrypto/Makefile           |   17 +-
 src/lib/libcrypto/x509/ext_dat.h     |  133 ++++
 src/lib/libcrypto/x509/pcy_cache.c   |  271 +++++++
 src/lib/libcrypto/x509/pcy_data.c    |  129 ++++
 src/lib/libcrypto/x509/pcy_int.h     |  209 +++++
 src/lib/libcrypto/x509/pcy_lib.c     |  157 ++++
 src/lib/libcrypto/x509/pcy_map.c     |  126 +++
 src/lib/libcrypto/x509/pcy_node.c    |  200 +++++
 src/lib/libcrypto/x509/pcy_tree.c    |  770 +++++++++++++++++++
 src/lib/libcrypto/x509/v3err.c       |  226 ++++++
 src/lib/libcrypto/x509/x509_akey.c   |  237 ++++++
 src/lib/libcrypto/x509/x509_akeya.c  |  124 +++
 src/lib/libcrypto/x509/x509_alt.c    |  699 +++++++++++++++++
 src/lib/libcrypto/x509/x509_bcons.c  |  199 +++++
 src/lib/libcrypto/x509/x509_bitst.c  |  187 +++++
 src/lib/libcrypto/x509/x509_conf.c   |  570 ++++++++++++++
 src/lib/libcrypto/x509/x509_cpols.c  |  763 +++++++++++++++++++
 src/lib/libcrypto/x509/x509_crld.c   |  809 ++++++++++++++++++++
 src/lib/libcrypto/x509/x509_enum.c   |  107 +++
 src/lib/libcrypto/x509/x509_extku.c  |  217 ++++++
 src/lib/libcrypto/x509/x509_genn.c   |  474 ++++++++++++
 src/lib/libcrypto/x509/x509_ia5.c    |  238 ++++++
 src/lib/libcrypto/x509/x509_info.c   |  308 ++++++++
 src/lib/libcrypto/x509/x509_int.c    |  110 +++
 src/lib/libcrypto/x509/x509_lib.c    |  358 +++++++++
 src/lib/libcrypto/x509/x509_ncons.c  |  556 ++++++++++++++
 src/lib/libcrypto/x509/x509_ocsp.c   |  380 ++++++++++
 src/lib/libcrypto/x509/x509_pci.c    |  310 ++++++++
 src/lib/libcrypto/x509/x509_pcia.c   |  145 ++++
 src/lib/libcrypto/x509/x509_pcons.c  |  194 +++++
 src/lib/libcrypto/x509/x509_pku.c    |  154 ++++
 src/lib/libcrypto/x509/x509_pmaps.c  |  235 ++++++
 src/lib/libcrypto/x509/x509_prn.c    |  225 ++++++
 src/lib/libcrypto/x509/x509_purp.c   |  893 ++++++++++++++++++++++
 src/lib/libcrypto/x509/x509_skey.c   |  161 ++++
 src/lib/libcrypto/x509/x509_sxnet.c  |  383 ++++++++++
 src/lib/libcrypto/x509/x509_utl.c    | 1387 ++++++++++++++++++++++++++++++++++
 src/lib/libcrypto/x509/x509v3.h      |  992 ++++++++++++++++++++++++
 src/lib/libcrypto/x509v3/ext_dat.h   |  133 ----
 src/lib/libcrypto/x509v3/pcy_cache.c |  271 -------
 src/lib/libcrypto/x509v3/pcy_data.c  |  129 ----
 src/lib/libcrypto/x509v3/pcy_int.h   |  209 -----
 src/lib/libcrypto/x509v3/pcy_lib.c   |  157 ----
 src/lib/libcrypto/x509v3/pcy_map.c   |  126 ---
 src/lib/libcrypto/x509v3/pcy_node.c  |  200 -----
 src/lib/libcrypto/x509v3/pcy_tree.c  |  770 -------------------
 src/lib/libcrypto/x509v3/v3_akey.c   |  237 ------
 src/lib/libcrypto/x509v3/v3_akeya.c  |  124 ---
 src/lib/libcrypto/x509v3/v3_alt.c    |  699 -----------------
 src/lib/libcrypto/x509v3/v3_bcons.c  |  199 -----
 src/lib/libcrypto/x509v3/v3_bitst.c  |  187 -----
 src/lib/libcrypto/x509v3/v3_conf.c   |  570 --------------
 src/lib/libcrypto/x509v3/v3_cpols.c  |  763 -------------------
 src/lib/libcrypto/x509v3/v3_crld.c   |  809 --------------------
 src/lib/libcrypto/x509v3/v3_enum.c   |  107 ---
 src/lib/libcrypto/x509v3/v3_extku.c  |  217 ------
 src/lib/libcrypto/x509v3/v3_genn.c   |  474 ------------
 src/lib/libcrypto/x509v3/v3_ia5.c    |  238 ------
 src/lib/libcrypto/x509v3/v3_info.c   |  308 --------
 src/lib/libcrypto/x509v3/v3_int.c    |  110 ---
 src/lib/libcrypto/x509v3/v3_lib.c    |  358 ---------
 src/lib/libcrypto/x509v3/v3_ncons.c  |  556 --------------
 src/lib/libcrypto/x509v3/v3_ocsp.c   |  380 ----------
 src/lib/libcrypto/x509v3/v3_pci.c    |  310 --------
 src/lib/libcrypto/x509v3/v3_pcia.c   |  145 ----
 src/lib/libcrypto/x509v3/v3_pcons.c  |  194 -----
 src/lib/libcrypto/x509v3/v3_pku.c    |  154 ----
 src/lib/libcrypto/x509v3/v3_pmaps.c  |  235 ------
 src/lib/libcrypto/x509v3/v3_prn.c    |  225 ------
 src/lib/libcrypto/x509v3/v3_purp.c   |  893 ----------------------
 src/lib/libcrypto/x509v3/v3_skey.c   |  161 ----
 src/lib/libcrypto/x509v3/v3_sxnet.c  |  383 ----------
 src/lib/libcrypto/x509v3/v3_utl.c    | 1387 ----------------------------------
 src/lib/libcrypto/x509v3/v3err.c     |  226 ------
 src/lib/libcrypto/x509v3/x509v3.h    |  992 ------------------------
 75 files changed, 13643 insertions(+), 13646 deletions(-)
 create mode 100644 src/lib/libcrypto/x509/ext_dat.h
 create mode 100644 src/lib/libcrypto/x509/pcy_cache.c
 create mode 100644 src/lib/libcrypto/x509/pcy_data.c
 create mode 100644 src/lib/libcrypto/x509/pcy_int.h
 create mode 100644 src/lib/libcrypto/x509/pcy_lib.c
 create mode 100644 src/lib/libcrypto/x509/pcy_map.c
 create mode 100644 src/lib/libcrypto/x509/pcy_node.c
 create mode 100644 src/lib/libcrypto/x509/pcy_tree.c
 create mode 100644 src/lib/libcrypto/x509/v3err.c
 create mode 100644 src/lib/libcrypto/x509/x509_akey.c
 create mode 100644 src/lib/libcrypto/x509/x509_akeya.c
 create mode 100644 src/lib/libcrypto/x509/x509_alt.c
 create mode 100644 src/lib/libcrypto/x509/x509_bcons.c
 create mode 100644 src/lib/libcrypto/x509/x509_bitst.c
 create mode 100644 src/lib/libcrypto/x509/x509_conf.c
 create mode 100644 src/lib/libcrypto/x509/x509_cpols.c
 create mode 100644 src/lib/libcrypto/x509/x509_crld.c
 create mode 100644 src/lib/libcrypto/x509/x509_enum.c
 create mode 100644 src/lib/libcrypto/x509/x509_extku.c
 create mode 100644 src/lib/libcrypto/x509/x509_genn.c
 create mode 100644 src/lib/libcrypto/x509/x509_ia5.c
 create mode 100644 src/lib/libcrypto/x509/x509_info.c
 create mode 100644 src/lib/libcrypto/x509/x509_int.c
 create mode 100644 src/lib/libcrypto/x509/x509_lib.c
 create mode 100644 src/lib/libcrypto/x509/x509_ncons.c
 create mode 100644 src/lib/libcrypto/x509/x509_ocsp.c
 create mode 100644 src/lib/libcrypto/x509/x509_pci.c
 create mode 100644 src/lib/libcrypto/x509/x509_pcia.c
 create mode 100644 src/lib/libcrypto/x509/x509_pcons.c
 create mode 100644 src/lib/libcrypto/x509/x509_pku.c
 create mode 100644 src/lib/libcrypto/x509/x509_pmaps.c
 create mode 100644 src/lib/libcrypto/x509/x509_prn.c
 create mode 100644 src/lib/libcrypto/x509/x509_purp.c
 create mode 100644 src/lib/libcrypto/x509/x509_skey.c
 create mode 100644 src/lib/libcrypto/x509/x509_sxnet.c
 create mode 100644 src/lib/libcrypto/x509/x509_utl.c
 create mode 100644 src/lib/libcrypto/x509/x509v3.h
 delete mode 100644 src/lib/libcrypto/x509v3/ext_dat.h
 delete mode 100644 src/lib/libcrypto/x509v3/pcy_cache.c
 delete mode 100644 src/lib/libcrypto/x509v3/pcy_data.c
 delete mode 100644 src/lib/libcrypto/x509v3/pcy_int.h
 delete mode 100644 src/lib/libcrypto/x509v3/pcy_lib.c
 delete mode 100644 src/lib/libcrypto/x509v3/pcy_map.c
 delete mode 100644 src/lib/libcrypto/x509v3/pcy_node.c
 delete mode 100644 src/lib/libcrypto/x509v3/pcy_tree.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_akey.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_akeya.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_alt.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_bcons.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_bitst.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_conf.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_cpols.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_crld.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_enum.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_extku.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_genn.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_ia5.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_info.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_int.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_lib.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_ncons.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_ocsp.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_pci.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_pcia.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_pcons.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_pku.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_pmaps.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_prn.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_purp.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_skey.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_sxnet.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3_utl.c
 delete mode 100644 src/lib/libcrypto/x509v3/v3err.c
 delete mode 100644 src/lib/libcrypto/x509v3/x509v3.h

(limited to 'src/lib')

diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index b38bf884b9..633d65b592 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.39 2020/01/22 07:58:27 jsing Exp $
+# $OpenBSD: Makefile,v 1.40 2020/06/04 15:19:31 jsing Exp $
 
 LIB=	crypto
 LIBREBUILD=y
@@ -273,12 +273,10 @@ SRCS+= x509_set.c x509cset.c x509rset.c x509_err.c
 SRCS+= x509name.c x509_v3.c x509_ext.c x509_att.c
 SRCS+= x509type.c x509_lu.c x_all.c x509_txt.c
 SRCS+= x509_trs.c by_file.c by_dir.c by_mem.c x509_vpm.c
-
-# x509v3/
-SRCS+= v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c
-SRCS+= v3_prn.c v3_utl.c v3err.c v3_genn.c v3_alt.c v3_skey.c v3_akey.c v3_pku.c
-SRCS+= v3_int.c v3_enum.c v3_sxnet.c v3_cpols.c v3_crld.c v3_purp.c v3_info.c
-SRCS+= v3_ocsp.c v3_akeya.c v3_pmaps.c v3_pcons.c v3_ncons.c v3_pcia.c v3_pci.c
+SRCS+= x509_bcons.c x509_bitst.c x509_conf.c x509_extku.c x509_ia5.c x509_lib.c
+SRCS+= x509_prn.c x509_utl.c v3err.c x509_genn.c x509_alt.c x509_skey.c x509_akey.c x509_pku.c
+SRCS+= x509_int.c x509_enum.c x509_sxnet.c x509_cpols.c x509_crld.c x509_purp.c x509_info.c
+SRCS+= x509_ocsp.c x509_akeya.c x509_pmaps.c x509_pcons.c x509_ncons.c x509_pcia.c x509_pci.c
 SRCS+= pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c
 
 .PATH:	${.CURDIR}/arch/${MACHINE_CPU} \
@@ -337,8 +335,7 @@ SRCS+= pcy_cache.c pcy_node.c pcy_data.c pcy_map.c pcy_tree.c pcy_lib.c
 	${LCRYPTO_SRC}/txt_db \
 	${LCRYPTO_SRC}/ui \
 	${LCRYPTO_SRC}/whrlpool \
-	${LCRYPTO_SRC}/x509 \
-	${LCRYPTO_SRC}/x509v3
+	${LCRYPTO_SRC}/x509
 
 HDRS=\
 	${LCRYPTO_SRC}/aes/aes.h \
@@ -403,7 +400,7 @@ HDRS=\
 	${LCRYPTO_SRC}/whrlpool/whrlpool.h \
 	${LCRYPTO_SRC}/x509/x509.h \
 	${LCRYPTO_SRC}/x509/x509_vfy.h \
-	${LCRYPTO_SRC}/x509v3/x509v3.h
+	${LCRYPTO_SRC}/x509/x509v3.h
 
 HDRS_GEN=\
 	${.CURDIR}/arch/${MACHINE_CPU}/opensslconf.h \
diff --git a/src/lib/libcrypto/x509/ext_dat.h b/src/lib/libcrypto/x509/ext_dat.h
new file mode 100644
index 0000000000..1a7ae6e1ae
--- /dev/null
+++ b/src/lib/libcrypto/x509/ext_dat.h
@@ -0,0 +1,133 @@
+/* $OpenBSD: ext_dat.h,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/opensslconf.h>
+
+__BEGIN_HIDDEN_DECLS
+
+/* This file contains a table of "standard" extensions */
+
+extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
+extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
+extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
+extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
+extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
+extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
+extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
+extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
+extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
+extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
+extern X509V3_EXT_METHOD v3_addr, v3_asid;
+
+/* This table will be searched using OBJ_bsearch so it *must* kept in
+ * order of the ext_nid values.
+ */
+
+static const X509V3_EXT_METHOD *standard_exts[] = {
+	&v3_nscert,
+	&v3_ns_ia5_list[0],
+	&v3_ns_ia5_list[1],
+	&v3_ns_ia5_list[2],
+	&v3_ns_ia5_list[3],
+	&v3_ns_ia5_list[4],
+	&v3_ns_ia5_list[5],
+	&v3_ns_ia5_list[6],
+	&v3_skey_id,
+	&v3_key_usage,
+	&v3_pkey_usage_period,
+	&v3_alt[0],
+	&v3_alt[1],
+	&v3_bcons,
+	&v3_crl_num,
+	&v3_cpols,
+	&v3_akey_id,
+	&v3_crld,
+	&v3_ext_ku,
+	&v3_delta_crl,
+	&v3_crl_reason,
+#ifndef OPENSSL_NO_OCSP
+	&v3_crl_invdate,
+#endif
+	&v3_sxnet,
+	&v3_info,
+#ifndef OPENSSL_NO_OCSP
+	&v3_ocsp_nonce,
+	&v3_ocsp_crlid,
+	&v3_ocsp_accresp,
+	&v3_ocsp_nocheck,
+	&v3_ocsp_acutoff,
+	&v3_ocsp_serviceloc,
+#endif
+	&v3_sinfo,
+	&v3_policy_constraints,
+#ifndef OPENSSL_NO_OCSP
+	&v3_crl_hold,
+#endif
+	&v3_pci,
+	&v3_name_constraints,
+	&v3_policy_mappings,
+	&v3_inhibit_anyp,
+	&v3_idp,
+	&v3_alt[2],
+	&v3_freshest_crl,
+};
+
+/* Number of standard extensions */
+#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
+
+__END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/x509/pcy_cache.c b/src/lib/libcrypto/x509/pcy_cache.c
new file mode 100644
index 0000000000..896ba7d59e
--- /dev/null
+++ b/src/lib/libcrypto/x509/pcy_cache.c
@@ -0,0 +1,271 @@
+/* $OpenBSD: pcy_cache.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include "pcy_int.h"
+
+static int policy_data_cmp(const X509_POLICY_DATA * const *a,
+    const X509_POLICY_DATA * const *b);
+static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
+
+/* Set cache entry according to CertificatePolicies extension.
+ * Note: this destroys the passed CERTIFICATEPOLICIES structure.
+ */
+
+static int
+policy_cache_create(X509 *x, CERTIFICATEPOLICIES *policies, int crit)
+{
+	int i;
+	int ret = 0;
+	X509_POLICY_CACHE *cache = x->policy_cache;
+	X509_POLICY_DATA *data = NULL;
+	POLICYINFO *policy;
+
+	if (sk_POLICYINFO_num(policies) == 0)
+		goto bad_policy;
+	cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
+	if (!cache->data)
+		goto bad_policy;
+	for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
+		policy = sk_POLICYINFO_value(policies, i);
+		data = policy_data_new(policy, NULL, crit);
+		if (!data)
+			goto bad_policy;
+		/* Duplicate policy OIDs are illegal: reject if matches
+		 * found.
+		 */
+		if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
+			if (cache->anyPolicy) {
+				ret = -1;
+				goto bad_policy;
+			}
+			cache->anyPolicy = data;
+		} else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
+			ret = -1;
+			goto bad_policy;
+		} else if (!sk_X509_POLICY_DATA_push(cache->data, data))
+			goto bad_policy;
+		data = NULL;
+	}
+	ret = 1;
+
+bad_policy:
+	if (ret == -1)
+		x->ex_flags |= EXFLAG_INVALID_POLICY;
+	if (data)
+		policy_data_free(data);
+	sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
+	if (ret <= 0) {
+		sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
+		cache->data = NULL;
+	}
+	return ret;
+}
+
+static int
+policy_cache_new(X509 *x)
+{
+	X509_POLICY_CACHE *cache;
+	ASN1_INTEGER *ext_any = NULL;
+	POLICY_CONSTRAINTS *ext_pcons = NULL;
+	CERTIFICATEPOLICIES *ext_cpols = NULL;
+	POLICY_MAPPINGS *ext_pmaps = NULL;
+	int i;
+
+	cache = malloc(sizeof(X509_POLICY_CACHE));
+	if (!cache)
+		return 0;
+	cache->anyPolicy = NULL;
+	cache->data = NULL;
+	cache->any_skip = -1;
+	cache->explicit_skip = -1;
+	cache->map_skip = -1;
+
+	x->policy_cache = cache;
+
+	/* Handle requireExplicitPolicy *first*. Need to process this
+	 * even if we don't have any policies.
+	 */
+	ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
+
+	if (!ext_pcons) {
+		if (i != -1)
+			goto bad_cache;
+	} else {
+		if (!ext_pcons->requireExplicitPolicy &&
+		    !ext_pcons->inhibitPolicyMapping)
+			goto bad_cache;
+		if (!policy_cache_set_int(&cache->explicit_skip,
+		    ext_pcons->requireExplicitPolicy))
+			goto bad_cache;
+		if (!policy_cache_set_int(&cache->map_skip,
+		    ext_pcons->inhibitPolicyMapping))
+			goto bad_cache;
+	}
+
+	/* Process CertificatePolicies */
+
+	ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
+	/* If no CertificatePolicies extension or problem decoding then
+	 * there is no point continuing because the valid policies will be
+	 * NULL.
+	 */
+	if (!ext_cpols) {
+		/* If not absent some problem with extension */
+		if (i != -1)
+			goto bad_cache;
+		return 1;
+	}
+
+	i = policy_cache_create(x, ext_cpols, i);
+
+	/* NB: ext_cpols freed by policy_cache_set_policies */
+
+	if (i <= 0)
+		return i;
+
+	ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
+
+	if (!ext_pmaps) {
+		/* If not absent some problem with extension */
+		if (i != -1)
+			goto bad_cache;
+	} else {
+		i = policy_cache_set_mapping(x, ext_pmaps);
+		if (i <= 0)
+			goto bad_cache;
+	}
+
+	ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
+
+	if (!ext_any) {
+		if (i != -1)
+			goto bad_cache;
+	} else if (!policy_cache_set_int(&cache->any_skip, ext_any))
+		goto bad_cache;
+
+	if (0) {
+bad_cache:
+		x->ex_flags |= EXFLAG_INVALID_POLICY;
+	}
+
+	if (ext_pcons)
+		POLICY_CONSTRAINTS_free(ext_pcons);
+
+	if (ext_any)
+		ASN1_INTEGER_free(ext_any);
+
+	return 1;
+}
+
+void
+policy_cache_free(X509_POLICY_CACHE *cache)
+{
+	if (!cache)
+		return;
+	if (cache->anyPolicy)
+		policy_data_free(cache->anyPolicy);
+	if (cache->data)
+		sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
+	free(cache);
+}
+
+const X509_POLICY_CACHE *
+policy_cache_set(X509 *x)
+{
+	if (x->policy_cache == NULL) {
+		CRYPTO_w_lock(CRYPTO_LOCK_X509);
+		policy_cache_new(x);
+		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+	}
+
+	return x->policy_cache;
+}
+
+X509_POLICY_DATA *
+policy_cache_find_data(const X509_POLICY_CACHE *cache, const ASN1_OBJECT *id)
+{
+	int idx;
+	X509_POLICY_DATA tmp;
+
+	tmp.valid_policy = (ASN1_OBJECT *)id;
+	idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
+	if (idx == -1)
+		return NULL;
+	return sk_X509_POLICY_DATA_value(cache->data, idx);
+}
+
+static int
+policy_data_cmp(const X509_POLICY_DATA * const *a,
+    const X509_POLICY_DATA * const *b)
+{
+	return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
+}
+
+static int
+policy_cache_set_int(long *out, ASN1_INTEGER *value)
+{
+	if (value == NULL)
+		return 1;
+	if (value->type == V_ASN1_NEG_INTEGER)
+		return 0;
+	*out = ASN1_INTEGER_get(value);
+	return 1;
+}
diff --git a/src/lib/libcrypto/x509/pcy_data.c b/src/lib/libcrypto/x509/pcy_data.c
new file mode 100644
index 0000000000..dadacb5266
--- /dev/null
+++ b/src/lib/libcrypto/x509/pcy_data.c
@@ -0,0 +1,129 @@
+/* $OpenBSD: pcy_data.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include "pcy_int.h"
+
+/* Policy Node routines */
+
+void
+policy_data_free(X509_POLICY_DATA *data)
+{
+	ASN1_OBJECT_free(data->valid_policy);
+	/* Don't free qualifiers if shared */
+	if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
+		sk_POLICYQUALINFO_pop_free(data->qualifier_set,
+		    POLICYQUALINFO_free);
+	sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free);
+	free(data);
+}
+
+/* Create a data based on an existing policy. If 'id' is NULL use the
+ * oid in the policy, otherwise use 'id'. This behaviour covers the two
+ * types of data in RFC3280: data with from a CertificatePolcies extension
+ * and additional data with just the qualifiers of anyPolicy and ID from
+ * another source.
+ */
+
+X509_POLICY_DATA *
+policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *cid, int crit)
+{
+	X509_POLICY_DATA *ret = NULL;
+	ASN1_OBJECT *id = NULL;
+
+	if (policy == NULL && cid == NULL)
+		return NULL;
+	if (cid != NULL) {
+		id = OBJ_dup(cid);
+		if (id == NULL)
+			return NULL;
+	}
+	ret = malloc(sizeof(X509_POLICY_DATA));
+	if (ret == NULL)
+		goto err;
+	ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
+	if (ret->expected_policy_set == NULL)
+		goto err;
+
+	if (crit)
+		ret->flags = POLICY_DATA_FLAG_CRITICAL;
+	else
+		ret->flags = 0;
+
+	if (id != NULL)
+		ret->valid_policy = id;
+	else {
+		ret->valid_policy = policy->policyid;
+		policy->policyid = NULL;
+	}
+
+	if (policy != NULL) {
+		ret->qualifier_set = policy->qualifiers;
+		policy->qualifiers = NULL;
+	} else
+		ret->qualifier_set = NULL;
+
+	return ret;
+
+err:
+	free(ret);
+	ASN1_OBJECT_free(id);
+	return NULL;
+}
diff --git a/src/lib/libcrypto/x509/pcy_int.h b/src/lib/libcrypto/x509/pcy_int.h
new file mode 100644
index 0000000000..6632b787fa
--- /dev/null
+++ b/src/lib/libcrypto/x509/pcy_int.h
@@ -0,0 +1,209 @@
+/* $OpenBSD: pcy_int.h,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+__BEGIN_HIDDEN_DECLS
+
+typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
+
+DECLARE_STACK_OF(X509_POLICY_DATA)
+
+/* Internal structures */
+
+/* This structure and the field names correspond to the Policy 'node' of
+ * RFC3280. NB this structure contains no pointers to parent or child
+ * data: X509_POLICY_NODE contains that. This means that the main policy data
+ * can be kept static and cached with the certificate.
+ */
+
+struct X509_POLICY_DATA_st {
+	unsigned int flags;
+	/* Policy OID and qualifiers for this data */
+	ASN1_OBJECT *valid_policy;
+	STACK_OF(POLICYQUALINFO) *qualifier_set;
+	STACK_OF(ASN1_OBJECT) *expected_policy_set;
+};
+
+/* X509_POLICY_DATA flags values */
+
+/* This flag indicates the structure has been mapped using a policy mapping
+ * extension. If policy mapping is not active its references get deleted.
+ */
+
+#define POLICY_DATA_FLAG_MAPPED			0x1
+
+/* This flag indicates the data doesn't correspond to a policy in Certificate
+ * Policies: it has been mapped to any policy.
+ */
+
+#define POLICY_DATA_FLAG_MAPPED_ANY		0x2
+
+/* AND with flags to see if any mapping has occurred */
+
+#define POLICY_DATA_FLAG_MAP_MASK		0x3
+
+/* qualifiers are shared and shouldn't be freed */
+
+#define POLICY_DATA_FLAG_SHARED_QUALIFIERS	0x4
+
+/* Parent node is an extra node and should be freed */
+
+#define POLICY_DATA_FLAG_EXTRA_NODE		0x8
+
+/* Corresponding CertificatePolicies is critical */
+
+#define POLICY_DATA_FLAG_CRITICAL		0x10
+
+/* This structure is cached with a certificate */
+
+struct X509_POLICY_CACHE_st {
+	/* anyPolicy data or NULL if no anyPolicy */
+	X509_POLICY_DATA *anyPolicy;
+	/* other policy data */
+	STACK_OF(X509_POLICY_DATA) *data;
+	/* If InhibitAnyPolicy present this is its value or -1 if absent. */
+	long any_skip;
+	/* If policyConstraints and requireExplicitPolicy present this is its
+	 * value or -1 if absent.
+	 */
+	long explicit_skip;
+	/* If policyConstraints and policyMapping present this is its
+	 * value or -1 if absent.
+         */
+	long map_skip;
+};
+
+/*#define POLICY_CACHE_FLAG_CRITICAL		POLICY_DATA_FLAG_CRITICAL*/
+
+/* This structure represents the relationship between nodes */
+
+struct X509_POLICY_NODE_st {
+	/* node data this refers to */
+	const X509_POLICY_DATA *data;
+	/* Parent node */
+	X509_POLICY_NODE *parent;
+	/* Number of child nodes */
+	int nchild;
+};
+
+struct X509_POLICY_LEVEL_st {
+	/* Cert for this level */
+	X509 *cert;
+	/* nodes at this level */
+	STACK_OF(X509_POLICY_NODE) *nodes;
+	/* anyPolicy node */
+	X509_POLICY_NODE *anyPolicy;
+	/* Extra data */
+	/*STACK_OF(X509_POLICY_DATA) *extra_data;*/
+	unsigned int flags;
+};
+
+struct X509_POLICY_TREE_st {
+	/* This is the tree 'level' data */
+	X509_POLICY_LEVEL *levels;
+	int nlevel;
+	/* Extra policy data when additional nodes (not from the certificate)
+	 * are required.
+	 */
+	STACK_OF(X509_POLICY_DATA) *extra_data;
+	/* This is the authority constained policy set */
+	STACK_OF(X509_POLICY_NODE) *auth_policies;
+	STACK_OF(X509_POLICY_NODE) *user_policies;
+	unsigned int flags;
+};
+
+/* Set if anyPolicy present in user policies */
+#define POLICY_FLAG_ANY_POLICY		0x2
+
+/* Useful macros */
+
+#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL)
+#define node_critical(node) node_data_critical(node->data)
+
+/* Internal functions */
+
+X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
+    int crit);
+void policy_data_free(X509_POLICY_DATA *data);
+
+X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
+    const ASN1_OBJECT *id);
+int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps);
+
+
+STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void);
+
+void policy_cache_init(void);
+
+void policy_cache_free(X509_POLICY_CACHE *cache);
+
+X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
+    const X509_POLICY_NODE *parent, const ASN1_OBJECT *id);
+
+X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
+    const ASN1_OBJECT *id);
+
+int level_add_node(X509_POLICY_LEVEL *level,
+    const X509_POLICY_DATA *data, X509_POLICY_NODE *parent,
+    X509_POLICY_TREE *tree, X509_POLICY_NODE **nodep);
+void policy_node_free(X509_POLICY_NODE *node);
+int policy_node_match(const X509_POLICY_LEVEL *lvl,
+    const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
+
+const X509_POLICY_CACHE *policy_cache_set(X509 *x);
+
+__END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/x509/pcy_lib.c b/src/lib/libcrypto/x509/pcy_lib.c
new file mode 100644
index 0000000000..3d5c58d710
--- /dev/null
+++ b/src/lib/libcrypto/x509/pcy_lib.c
@@ -0,0 +1,157 @@
+/* $OpenBSD: pcy_lib.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include "pcy_int.h"
+
+/* accessor functions */
+
+/* X509_POLICY_TREE stuff */
+
+int
+X509_policy_tree_level_count(const X509_POLICY_TREE *tree)
+{
+	if (!tree)
+		return 0;
+	return tree->nlevel;
+}
+
+X509_POLICY_LEVEL *
+X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i)
+{
+	if (!tree || (i < 0) || (i >= tree->nlevel))
+		return NULL;
+	return tree->levels + i;
+}
+
+STACK_OF(X509_POLICY_NODE) *
+X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree)
+{
+	if (!tree)
+		return NULL;
+	return tree->auth_policies;
+}
+
+STACK_OF(X509_POLICY_NODE) *
+X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree)
+{
+	if (!tree)
+		return NULL;
+	if (tree->flags & POLICY_FLAG_ANY_POLICY)
+		return tree->auth_policies;
+	else
+		return tree->user_policies;
+}
+
+/* X509_POLICY_LEVEL stuff */
+
+int
+X509_policy_level_node_count(X509_POLICY_LEVEL *level)
+{
+	int n;
+	if (!level)
+		return 0;
+	if (level->anyPolicy)
+		n = 1;
+	else
+		n = 0;
+	if (level->nodes)
+		n += sk_X509_POLICY_NODE_num(level->nodes);
+	return n;
+}
+
+X509_POLICY_NODE *
+X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i)
+{
+	if (!level)
+		return NULL;
+	if (level->anyPolicy) {
+		if (i == 0)
+			return level->anyPolicy;
+		i--;
+	}
+	return sk_X509_POLICY_NODE_value(level->nodes, i);
+}
+
+/* X509_POLICY_NODE stuff */
+
+const ASN1_OBJECT *
+X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
+{
+	if (!node)
+		return NULL;
+	return node->data->valid_policy;
+}
+
+STACK_OF(POLICYQUALINFO) *
+X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node)
+{
+	if (!node)
+		return NULL;
+	return node->data->qualifier_set;
+}
+
+const X509_POLICY_NODE *
+X509_policy_node_get0_parent(const X509_POLICY_NODE *node)
+{
+	if (!node)
+		return NULL;
+	return node->parent;
+}
diff --git a/src/lib/libcrypto/x509/pcy_map.c b/src/lib/libcrypto/x509/pcy_map.c
new file mode 100644
index 0000000000..287a430c2c
--- /dev/null
+++ b/src/lib/libcrypto/x509/pcy_map.c
@@ -0,0 +1,126 @@
+/* $OpenBSD: pcy_map.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include "pcy_int.h"
+
+/* Set policy mapping entries in cache.
+ * Note: this modifies the passed POLICY_MAPPINGS structure
+ */
+
+int
+policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
+{
+	POLICY_MAPPING *map;
+	X509_POLICY_DATA *data;
+	X509_POLICY_CACHE *cache = x->policy_cache;
+	int i;
+	int ret = 0;
+
+	if (sk_POLICY_MAPPING_num(maps) == 0) {
+		ret = -1;
+		goto bad_mapping;
+	}
+	for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) {
+		map = sk_POLICY_MAPPING_value(maps, i);
+		/* Reject if map to or from anyPolicy */
+		if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy) ||
+		    (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) {
+			ret = -1;
+			goto bad_mapping;
+		}
+
+		/* Attempt to find matching policy data */
+		data = policy_cache_find_data(cache, map->issuerDomainPolicy);
+		/* If we don't have anyPolicy can't map */
+		if (!data && !cache->anyPolicy)
+			continue;
+
+		/* Create a NODE from anyPolicy */
+		if (!data) {
+			data = policy_data_new(NULL, map->issuerDomainPolicy,
+			    cache->anyPolicy->flags &
+			    POLICY_DATA_FLAG_CRITICAL);
+			if (!data)
+				goto bad_mapping;
+			data->qualifier_set = cache->anyPolicy->qualifier_set;
+			/*map->issuerDomainPolicy = NULL;*/
+			data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
+			data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+			if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
+				policy_data_free(data);
+				goto bad_mapping;
+			}
+		} else
+			data->flags |= POLICY_DATA_FLAG_MAPPED;
+		if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
+		    map->subjectDomainPolicy))
+			goto bad_mapping;
+		map->subjectDomainPolicy = NULL;
+	}
+
+	ret = 1;
+
+bad_mapping:
+	if (ret == -1)
+		x->ex_flags |= EXFLAG_INVALID_POLICY;
+	sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
+	return ret;
+}
diff --git a/src/lib/libcrypto/x509/pcy_node.c b/src/lib/libcrypto/x509/pcy_node.c
new file mode 100644
index 0000000000..3a0f230bb3
--- /dev/null
+++ b/src/lib/libcrypto/x509/pcy_node.c
@@ -0,0 +1,200 @@
+/* $OpenBSD: pcy_node.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/asn1.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include "pcy_int.h"
+
+static int
+node_cmp(const X509_POLICY_NODE * const *a, const X509_POLICY_NODE * const *b)
+{
+	return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
+}
+
+STACK_OF(X509_POLICY_NODE) *
+policy_node_cmp_new(void)
+{
+	return sk_X509_POLICY_NODE_new(node_cmp);
+}
+
+X509_POLICY_NODE *
+tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, const ASN1_OBJECT *id)
+{
+	X509_POLICY_DATA n;
+	X509_POLICY_NODE l;
+	int idx;
+
+	n.valid_policy = (ASN1_OBJECT *)id;
+	l.data = &n;
+
+	idx = sk_X509_POLICY_NODE_find(nodes, &l);
+	if (idx == -1)
+		return NULL;
+
+	return sk_X509_POLICY_NODE_value(nodes, idx);
+}
+
+X509_POLICY_NODE *
+level_find_node(const X509_POLICY_LEVEL *level, const X509_POLICY_NODE *parent,
+    const ASN1_OBJECT *id)
+{
+	X509_POLICY_NODE *node;
+	int i;
+
+	for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
+		node = sk_X509_POLICY_NODE_value(level->nodes, i);
+		if (node->parent == parent) {
+			if (!OBJ_cmp(node->data->valid_policy, id))
+				return node;
+		}
+	}
+	return NULL;
+}
+
+
+int
+level_add_node(X509_POLICY_LEVEL *level, const X509_POLICY_DATA *data,
+    X509_POLICY_NODE *parent, X509_POLICY_TREE *tree, X509_POLICY_NODE **nodep)
+{
+	X509_POLICY_NODE *node = NULL;
+
+	if (level) {
+		node = malloc(sizeof(X509_POLICY_NODE));
+		if (!node)
+			goto node_error;
+		node->data = data;
+		node->parent = parent;
+		node->nchild = 0;
+		if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
+			if (level->anyPolicy)
+				goto node_error;
+			level->anyPolicy = node;
+			if (parent)
+				parent->nchild++;
+		} else {
+
+			if (!level->nodes)
+				level->nodes = policy_node_cmp_new();
+			if (!level->nodes)
+				goto node_error;
+			if (!sk_X509_POLICY_NODE_push(level->nodes, node))
+				goto node_error;
+			if (parent)
+				parent->nchild++;
+		}
+	}
+
+	if (tree) {
+		if (!tree->extra_data)
+			tree->extra_data = sk_X509_POLICY_DATA_new_null();
+		if (!tree->extra_data)
+			goto node_error_cond;
+		if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
+			goto node_error_cond;
+	}
+
+	if (nodep)
+		*nodep = node;
+
+	return 1;
+
+node_error_cond:
+	if (level)
+		node = NULL;
+node_error:
+	policy_node_free(node);
+	node = NULL;
+	if (nodep)
+		*nodep = node;
+	return 0;
+}
+
+void
+policy_node_free(X509_POLICY_NODE *node)
+{
+	free(node);
+}
+
+/* See if a policy node matches a policy OID. If mapping enabled look through
+ * expected policy set otherwise just valid policy.
+ */
+
+int
+policy_node_match(const X509_POLICY_LEVEL *lvl, const X509_POLICY_NODE *node,
+    const ASN1_OBJECT *oid)
+{
+	int i;
+	ASN1_OBJECT *policy_oid;
+	const X509_POLICY_DATA *x = node->data;
+
+	if ((lvl->flags & X509_V_FLAG_INHIBIT_MAP) ||
+	    !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) {
+		if (!OBJ_cmp(x->valid_policy, oid))
+			return 1;
+		return 0;
+	}
+
+	for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) {
+		policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i);
+		if (!OBJ_cmp(policy_oid, oid))
+			return 1;
+	}
+	return 0;
+}
diff --git a/src/lib/libcrypto/x509/pcy_tree.c b/src/lib/libcrypto/x509/pcy_tree.c
new file mode 100644
index 0000000000..d0f7cd1ada
--- /dev/null
+++ b/src/lib/libcrypto/x509/pcy_tree.c
@@ -0,0 +1,770 @@
+/* $OpenBSD: pcy_tree.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2004.
+ */
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+#include "pcy_int.h"
+
+/* Enable this to print out the complete policy tree at various point during
+ * evaluation.
+ */
+
+/*#define OPENSSL_POLICY_DEBUG*/
+
+#ifdef OPENSSL_POLICY_DEBUG
+
+static void
+expected_print(BIO *err, X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
+    int indent)
+{
+	if ((lev->flags & X509_V_FLAG_INHIBIT_MAP) ||
+	    !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
+		BIO_puts(err, "  Not Mapped\n");
+	else {
+		int i;
+		STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
+		ASN1_OBJECT *oid;
+		BIO_puts(err, "  Expected: ");
+		for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) {
+			oid = sk_ASN1_OBJECT_value(pset, i);
+			if (i)
+				BIO_puts(err, ", ");
+			i2a_ASN1_OBJECT(err, oid);
+		}
+		BIO_puts(err, "\n");
+	}
+}
+
+static void
+tree_print(char *str, X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
+{
+	X509_POLICY_LEVEL *plev;
+	X509_POLICY_NODE *node;
+	int i;
+	BIO *err;
+
+	if ((err = BIO_new_fp(stderr, BIO_NOCLOSE)) == NULL)
+		return;
+
+	if (!curr)
+		curr = tree->levels + tree->nlevel;
+	else
+		curr++;
+	BIO_printf(err, "Level print after %s\n", str);
+	BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
+	for (plev = tree->levels; plev != curr; plev++) {
+		BIO_printf(err, "Level %ld, flags = %x\n",
+		    plev - tree->levels, plev->flags);
+		for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) {
+			node = sk_X509_POLICY_NODE_value(plev->nodes, i);
+			X509_POLICY_NODE_print(err, node, 2);
+			expected_print(err, plev, node, 2);
+			BIO_printf(err, "  Flags: %x\n", node->data->flags);
+		}
+		if (plev->anyPolicy)
+			X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
+	}
+
+	BIO_free(err);
+}
+#else
+
+#define tree_print(a,b,c) /* */
+
+#endif
+
+/* Initialize policy tree. Return values:
+ *  0 Some internal error occured.
+ * -1 Inconsistent or invalid extensions in certificates.
+ *  1 Tree initialized OK.
+ *  2 Policy tree is empty.
+ *  5 Tree OK and requireExplicitPolicy true.
+ *  6 Tree empty and requireExplicitPolicy true.
+ */
+
+static int
+tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, unsigned int flags)
+{
+	X509_POLICY_TREE *tree;
+	X509_POLICY_LEVEL *level;
+	const X509_POLICY_CACHE *cache;
+	X509_POLICY_DATA *data = NULL;
+	X509 *x;
+	int ret = 1;
+	int i, n;
+	int explicit_policy;
+	int any_skip;
+	int map_skip;
+
+	*ptree = NULL;
+	n = sk_X509_num(certs);
+
+	if (flags & X509_V_FLAG_EXPLICIT_POLICY)
+		explicit_policy = 0;
+	else
+		explicit_policy = n + 1;
+
+	if (flags & X509_V_FLAG_INHIBIT_ANY)
+		any_skip = 0;
+	else
+		any_skip = n + 1;
+
+	if (flags & X509_V_FLAG_INHIBIT_MAP)
+		map_skip = 0;
+	else
+		map_skip = n + 1;
+
+	/* Can't do anything with just a trust anchor */
+	if (n == 1)
+		return 1;
+	/* First setup policy cache in all certificates apart from the
+	 * trust anchor. Note any bad cache results on the way. Also can
+	 * calculate explicit_policy value at this point.
+	 */
+	for (i = n - 2; i >= 0; i--) {
+		x = sk_X509_value(certs, i);
+		X509_check_purpose(x, -1, -1);
+		cache = policy_cache_set(x);
+		/* If cache NULL something bad happened: return immediately */
+		if (cache == NULL)
+			return 0;
+		/* If inconsistent extensions keep a note of it but continue */
+		if (x->ex_flags & EXFLAG_INVALID_POLICY)
+			ret = -1;
+		/* Otherwise if we have no data (hence no CertificatePolicies)
+		 * and haven't already set an inconsistent code note it.
+		 */
+		else if ((ret == 1) && !cache->data)
+			ret = 2;
+		if (explicit_policy > 0) {
+			if (!(x->ex_flags & EXFLAG_SI))
+				explicit_policy--;
+			if ((cache->explicit_skip != -1) &&
+			    (cache->explicit_skip < explicit_policy))
+				explicit_policy = cache->explicit_skip;
+		}
+	}
+
+	if (ret != 1) {
+		if (ret == 2 && !explicit_policy)
+			return 6;
+		return ret;
+	}
+
+
+	/* If we get this far initialize the tree */
+
+	tree = malloc(sizeof(X509_POLICY_TREE));
+
+	if (!tree)
+		return 0;
+
+	tree->flags = 0;
+	tree->levels = calloc(n, sizeof(X509_POLICY_LEVEL));
+	tree->nlevel = 0;
+	tree->extra_data = NULL;
+	tree->auth_policies = NULL;
+	tree->user_policies = NULL;
+
+	if (!tree->levels) {
+		free(tree);
+		return 0;
+	}
+
+	tree->nlevel = n;
+
+	level = tree->levels;
+
+	/* Root data: initialize to anyPolicy */
+
+	data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
+
+	if (!data || !level_add_node(level, data, NULL, tree, NULL))
+		goto bad_tree;
+
+	for (i = n - 2; i >= 0; i--) {
+		level++;
+		x = sk_X509_value(certs, i);
+		cache = policy_cache_set(x);
+		CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+		level->cert = x;
+
+		if (!cache->anyPolicy)
+			level->flags |= X509_V_FLAG_INHIBIT_ANY;
+
+		/* Determine inhibit any and inhibit map flags */
+		if (any_skip == 0) {
+			/* Any matching allowed if certificate is self
+			 * issued and not the last in the chain.
+			 */
+			if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
+				level->flags |= X509_V_FLAG_INHIBIT_ANY;
+		} else {
+			if (!(x->ex_flags & EXFLAG_SI))
+				any_skip--;
+			if ((cache->any_skip >= 0) &&
+			    (cache->any_skip < any_skip))
+				any_skip = cache->any_skip;
+		}
+
+		if (map_skip == 0)
+			level->flags |= X509_V_FLAG_INHIBIT_MAP;
+		else {
+			if (!(x->ex_flags & EXFLAG_SI))
+				map_skip--;
+			if ((cache->map_skip >= 0) &&
+			    (cache->map_skip < map_skip))
+				map_skip = cache->map_skip;
+		}
+
+	}
+
+	*ptree = tree;
+
+	if (explicit_policy)
+		return 1;
+	else
+		return 5;
+
+bad_tree:
+	X509_policy_tree_free(tree);
+
+	return 0;
+}
+
+static int
+tree_link_matching_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_DATA *data)
+{
+	X509_POLICY_LEVEL *last = curr - 1;
+	X509_POLICY_NODE *node;
+	int i, matched = 0;
+
+	/* Iterate through all in nodes linking matches */
+	for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
+		node = sk_X509_POLICY_NODE_value(last->nodes, i);
+		if (policy_node_match(last, node, data->valid_policy)) {
+			if (!level_add_node(curr, data, node, NULL, NULL))
+				return 0;
+			matched = 1;
+		}
+	}
+	if (!matched && last->anyPolicy) {
+		if (!level_add_node(curr, data, last->anyPolicy, NULL, NULL))
+			return 0;
+	}
+	return 1;
+}
+
+/* This corresponds to RFC3280 6.1.3(d)(1):
+ * link any data from CertificatePolicies onto matching parent
+ * or anyPolicy if no match.
+ */
+
+static int
+tree_link_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache)
+{
+	int i;
+	X509_POLICY_DATA *data;
+
+	for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) {
+		data = sk_X509_POLICY_DATA_value(cache->data, i);
+		/* Look for matching nodes in previous level */
+		if (!tree_link_matching_nodes(curr, data))
+			return 0;
+	}
+	return 1;
+}
+
+/* This corresponds to RFC3280 6.1.3(d)(2):
+ * Create new data for any unmatched policies in the parent and link
+ * to anyPolicy.
+ */
+
+static int
+tree_add_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
+    const ASN1_OBJECT *id, X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
+{
+	X509_POLICY_DATA *data;
+
+	if (id == NULL)
+		id = node->data->valid_policy;
+	/* Create a new node with qualifiers from anyPolicy and
+	 * id from unmatched node.
+	 */
+	data = policy_data_new(NULL, id, node_critical(node));
+
+	if (data == NULL)
+		return 0;
+	/* Curr may not have anyPolicy */
+	data->qualifier_set = cache->anyPolicy->qualifier_set;
+	data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
+	if (!level_add_node(curr, data, node, tree, NULL)) {
+		policy_data_free(data);
+		return 0;
+	}
+
+	return 1;
+}
+
+static int
+tree_link_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
+    X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
+{
+	const X509_POLICY_LEVEL *last = curr - 1;
+	int i;
+
+	if ((last->flags & X509_V_FLAG_INHIBIT_MAP) ||
+	    !(node->data->flags & POLICY_DATA_FLAG_MAPPED)) {
+		/* If no policy mapping: matched if one child present */
+		if (node->nchild)
+			return 1;
+		if (!tree_add_unmatched(curr, cache, NULL, node, tree))
+			return 0;
+		/* Add it */
+	} else {
+		/* If mapping: matched if one child per expected policy set */
+		STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
+		if (node->nchild == sk_ASN1_OBJECT_num(expset))
+			return 1;
+		/* Locate unmatched nodes */
+		for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) {
+			ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
+			if (level_find_node(curr, node, oid))
+				continue;
+			if (!tree_add_unmatched(curr, cache, oid, node, tree))
+				return 0;
+		}
+	}
+
+	return 1;
+}
+
+static int
+tree_link_any(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
+    X509_POLICY_TREE *tree)
+{
+	int i;
+	X509_POLICY_NODE *node;
+	X509_POLICY_LEVEL *last = curr - 1;
+
+	for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
+		node = sk_X509_POLICY_NODE_value(last->nodes, i);
+
+		if (!tree_link_unmatched(curr, cache, node, tree))
+			return 0;
+	}
+	/* Finally add link to anyPolicy */
+	if (last->anyPolicy) {
+		if (!level_add_node(curr, cache->anyPolicy,
+		    last->anyPolicy, NULL, NULL))
+			return 0;
+	}
+	return 1;
+}
+
+/* Prune the tree: delete any child mapped child data on the current level
+ * then proceed up the tree deleting any data with no children. If we ever
+ * have no data on a level we can halt because the tree will be empty.
+ */
+
+static int
+tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
+{
+	STACK_OF(X509_POLICY_NODE) *nodes;
+	X509_POLICY_NODE *node;
+	int i;
+
+	nodes = curr->nodes;
+	if (curr->flags & X509_V_FLAG_INHIBIT_MAP) {
+		for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
+			node = sk_X509_POLICY_NODE_value(nodes, i);
+			/* Delete any mapped data: see RFC3280 XXXX */
+			if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) {
+				node->parent->nchild--;
+				free(node);
+				(void)sk_X509_POLICY_NODE_delete(nodes, i);
+			}
+		}
+	}
+
+	for (;;) {
+		--curr;
+		nodes = curr->nodes;
+		for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
+			node = sk_X509_POLICY_NODE_value(nodes, i);
+			if (node->nchild == 0) {
+				node->parent->nchild--;
+				free(node);
+				(void)sk_X509_POLICY_NODE_delete(nodes, i);
+			}
+		}
+		if (curr->anyPolicy && !curr->anyPolicy->nchild) {
+			if (curr->anyPolicy->parent)
+				curr->anyPolicy->parent->nchild--;
+			free(curr->anyPolicy);
+			curr->anyPolicy = NULL;
+		}
+		if (curr == tree->levels) {
+			/* If we zapped anyPolicy at top then tree is empty */
+			if (!curr->anyPolicy)
+				return 2;
+			return 1;
+		}
+	}
+
+	return 1;
+}
+
+static int
+tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, X509_POLICY_NODE *pcy)
+{
+	if (!*pnodes) {
+		*pnodes = policy_node_cmp_new();
+		if (!*pnodes)
+			return 0;
+	} else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
+		return 1;
+
+	if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
+		return 0;
+
+	return 1;
+}
+
+/* Calculate the authority set based on policy tree.
+ * The 'pnodes' parameter is used as a store for the set of policy nodes
+ * used to calculate the user set. If the authority set is not anyPolicy
+ * then pnodes will just point to the authority set. If however the authority
+ * set is anyPolicy then the set of valid policies (other than anyPolicy)
+ * is store in pnodes. The return value of '2' is used in this case to indicate
+ * that pnodes should be freed.
+ */
+
+static int
+tree_calculate_authority_set(X509_POLICY_TREE *tree,
+    STACK_OF(X509_POLICY_NODE) **pnodes)
+{
+	X509_POLICY_LEVEL *curr;
+	X509_POLICY_NODE *node, *anyptr;
+	STACK_OF(X509_POLICY_NODE) **addnodes;
+	int i, j;
+
+	curr = tree->levels + tree->nlevel - 1;
+
+	/* If last level contains anyPolicy set is anyPolicy */
+	if (curr->anyPolicy) {
+		if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
+			return 0;
+		addnodes = pnodes;
+	} else
+		/* Add policies to authority set */
+		addnodes = &tree->auth_policies;
+
+	curr = tree->levels;
+	for (i = 1; i < tree->nlevel; i++) {
+		/* If no anyPolicy node on this this level it can't
+		 * appear on lower levels so end search.
+		 */
+		if (!(anyptr = curr->anyPolicy))
+			break;
+		curr++;
+		for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) {
+			node = sk_X509_POLICY_NODE_value(curr->nodes, j);
+			if ((node->parent == anyptr) &&
+			    !tree_add_auth_node(addnodes, node))
+				return 0;
+		}
+	}
+
+	if (addnodes == pnodes)
+		return 2;
+
+	*pnodes = tree->auth_policies;
+
+	return 1;
+}
+
+static int
+tree_calculate_user_set(X509_POLICY_TREE *tree,
+    STACK_OF(ASN1_OBJECT) *policy_oids, STACK_OF(X509_POLICY_NODE) *auth_nodes)
+{
+	int i;
+	X509_POLICY_NODE *node;
+	ASN1_OBJECT *oid;
+	X509_POLICY_NODE *anyPolicy;
+	X509_POLICY_DATA *extra;
+
+	/* Check if anyPolicy present in authority constrained policy set:
+	 * this will happen if it is a leaf node.
+	 */
+
+	if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
+		return 1;
+
+	anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
+
+	for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
+		oid = sk_ASN1_OBJECT_value(policy_oids, i);
+		if (OBJ_obj2nid(oid) == NID_any_policy) {
+			tree->flags |= POLICY_FLAG_ANY_POLICY;
+			return 1;
+		}
+	}
+
+	for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
+		oid = sk_ASN1_OBJECT_value(policy_oids, i);
+		node = tree_find_sk(auth_nodes, oid);
+		if (!node) {
+			if (!anyPolicy)
+				continue;
+			/* Create a new node with policy ID from user set
+			 * and qualifiers from anyPolicy.
+			 */
+			extra = policy_data_new(NULL, oid,
+			    node_critical(anyPolicy));
+			if (!extra)
+				return 0;
+			extra->qualifier_set = anyPolicy->data->qualifier_set;
+			extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS |
+			    POLICY_DATA_FLAG_EXTRA_NODE;
+			(void) level_add_node(NULL, extra, anyPolicy->parent,
+			    tree, &node);
+		}
+		if (!tree->user_policies) {
+			tree->user_policies = sk_X509_POLICY_NODE_new_null();
+			if (!tree->user_policies)
+				return 1;
+		}
+		if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
+			return 0;
+	}
+	return 1;
+}
+
+static int
+tree_evaluate(X509_POLICY_TREE *tree)
+{
+	int ret, i;
+	X509_POLICY_LEVEL *curr = tree->levels + 1;
+	const X509_POLICY_CACHE *cache;
+
+	for (i = 1; i < tree->nlevel; i++, curr++) {
+		cache = policy_cache_set(curr->cert);
+		if (!tree_link_nodes(curr, cache))
+			return 0;
+
+		if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) &&
+		    !tree_link_any(curr, cache, tree))
+			return 0;
+		tree_print("before tree_prune()", tree, curr);
+		ret = tree_prune(tree, curr);
+		if (ret != 1)
+			return ret;
+	}
+
+	return 1;
+}
+
+static void
+exnode_free(X509_POLICY_NODE *node)
+{
+	if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
+		free(node);
+}
+
+void
+X509_policy_tree_free(X509_POLICY_TREE *tree)
+{
+	X509_POLICY_LEVEL *curr;
+	int i;
+
+	if (!tree)
+		return;
+
+	sk_X509_POLICY_NODE_free(tree->auth_policies);
+	sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
+
+	for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) {
+		X509_free(curr->cert);
+		if (curr->nodes)
+			sk_X509_POLICY_NODE_pop_free(curr->nodes,
+		    policy_node_free);
+		if (curr->anyPolicy)
+			policy_node_free(curr->anyPolicy);
+	}
+
+	if (tree->extra_data)
+		sk_X509_POLICY_DATA_pop_free(tree->extra_data,
+		    policy_data_free);
+
+	free(tree->levels);
+	free(tree);
+}
+
+/* Application policy checking function.
+ * Return codes:
+ *  0 	Internal Error.
+ *  1   Successful.
+ * -1   One or more certificates contain invalid or inconsistent extensions
+ * -2	User constrained policy set empty and requireExplicit true.
+ */
+
+int
+X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
+    STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
+    unsigned int flags)
+{
+	int ret, ret2;
+	X509_POLICY_TREE *tree = NULL;
+	STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
+
+	*ptree = NULL;
+	*pexplicit_policy = 0;
+	ret = tree_init(&tree, certs, flags);
+
+	switch (ret) {
+
+		/* Tree empty requireExplicit False: OK */
+	case 2:
+		return 1;
+
+		/* Some internal error */
+	case -1:
+		return -1;
+
+		/* Some internal error */
+	case 0:
+		return 0;
+
+		/* Tree empty requireExplicit True: Error */
+
+	case 6:
+		*pexplicit_policy = 1;
+		return -2;
+
+		/* Tree OK requireExplicit True: OK and continue */
+	case 5:
+		*pexplicit_policy = 1;
+		break;
+
+		/* Tree OK: continue */
+
+	case 1:
+		if (!tree)
+			/*
+			 * tree_init() returns success and a null tree
+			 * if it's just looking at a trust anchor.
+			 * I'm not sure that returning success here is
+			 * correct, but I'm sure that reporting this
+			 * as an internal error which our caller
+			 * interprets as a malloc failure is wrong.
+			 */
+			return 1;
+		break;
+	}
+
+	if (!tree)
+		goto error;
+	ret = tree_evaluate(tree);
+
+	tree_print("tree_evaluate()", tree, NULL);
+
+	if (ret <= 0)
+		goto error;
+
+	/* Return value 2 means tree empty */
+	if (ret == 2) {
+		X509_policy_tree_free(tree);
+		if (*pexplicit_policy)
+			return -2;
+		else
+			return 1;
+	}
+
+	/* Tree is not empty: continue */
+
+	ret = tree_calculate_authority_set(tree, &auth_nodes);
+	if (ret == 0)
+		goto error;
+
+	ret2 = tree_calculate_user_set(tree, policy_oids, auth_nodes);
+
+	/* Return value 2 means auth_nodes needs to be freed */
+	if (ret == 2)
+		sk_X509_POLICY_NODE_free(auth_nodes);
+
+	if (ret2 == 0)
+		goto error;
+
+	if (tree)
+		*ptree = tree;
+
+	if (*pexplicit_policy) {
+		nodes = X509_policy_tree_get0_user_policies(tree);
+		if (sk_X509_POLICY_NODE_num(nodes) <= 0)
+			return -2;
+	}
+
+	return 1;
+
+error:
+	X509_policy_tree_free(tree);
+
+	return 0;
+}
diff --git a/src/lib/libcrypto/x509/v3err.c b/src/lib/libcrypto/x509/v3err.c
new file mode 100644
index 0000000000..f7850effb1
--- /dev/null
+++ b/src/lib/libcrypto/x509/v3err.c
@@ -0,0 +1,226 @@
+/* $OpenBSD: v3err.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* ====================================================================
+ * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/* NOTE: this file was auto generated by the mkerr.pl script: any changes
+ * made to it will be overwritten when the script next updates this file,
+ * only reason strings will be preserved.
+ */
+
+#include <stdio.h>
+
+#include <openssl/opensslconf.h>
+
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+/* BEGIN ERROR CODES */
+#ifndef OPENSSL_NO_ERR
+
+#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0)
+#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason)
+
+static ERR_STRING_DATA X509V3_str_functs[] = {
+	{ERR_FUNC(X509V3_F_A2I_GENERAL_NAME),	"A2I_GENERAL_NAME"},
+	{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE),	"ASIDENTIFIERCHOICE_CANONIZE"},
+	{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL),	"ASIDENTIFIERCHOICE_IS_CANONICAL"},
+	{ERR_FUNC(X509V3_F_COPY_EMAIL),	"COPY_EMAIL"},
+	{ERR_FUNC(X509V3_F_COPY_ISSUER),	"COPY_ISSUER"},
+	{ERR_FUNC(X509V3_F_DO_DIRNAME),	"DO_DIRNAME"},
+	{ERR_FUNC(X509V3_F_DO_EXT_CONF),	"DO_EXT_CONF"},
+	{ERR_FUNC(X509V3_F_DO_EXT_I2D),	"DO_EXT_I2D"},
+	{ERR_FUNC(X509V3_F_DO_EXT_NCONF),	"DO_EXT_NCONF"},
+	{ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS),	"DO_I2V_NAME_CONSTRAINTS"},
+	{ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME),	"GNAMES_FROM_SECTNAME"},
+	{ERR_FUNC(X509V3_F_HEX_TO_STRING),	"hex_to_string"},
+	{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED),	"i2s_ASN1_ENUMERATED"},
+	{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING),	"I2S_ASN1_IA5STRING"},
+	{ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER),	"i2s_ASN1_INTEGER"},
+	{ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS),	"I2V_AUTHORITY_INFO_ACCESS"},
+	{ERR_FUNC(X509V3_F_NOTICE_SECTION),	"NOTICE_SECTION"},
+	{ERR_FUNC(X509V3_F_NREF_NOS),	"NREF_NOS"},
+	{ERR_FUNC(X509V3_F_POLICY_SECTION),	"POLICY_SECTION"},
+	{ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE),	"PROCESS_PCI_VALUE"},
+	{ERR_FUNC(X509V3_F_R2I_CERTPOL),	"R2I_CERTPOL"},
+	{ERR_FUNC(X509V3_F_R2I_PCI),	"R2I_PCI"},
+	{ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING),	"S2I_ASN1_IA5STRING"},
+	{ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER),	"s2i_ASN1_INTEGER"},
+	{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING),	"s2i_ASN1_OCTET_STRING"},
+	{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID),	"S2I_ASN1_SKEY_ID"},
+	{ERR_FUNC(X509V3_F_S2I_SKEY_ID),	"S2I_SKEY_ID"},
+	{ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME),	"SET_DIST_POINT_NAME"},
+	{ERR_FUNC(X509V3_F_STRING_TO_HEX),	"string_to_hex"},
+	{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC),	"SXNET_add_id_asc"},
+	{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER),	"SXNET_add_id_INTEGER"},
+	{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG),	"SXNET_add_id_ulong"},
+	{ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC),	"SXNET_get_id_asc"},
+	{ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG),	"SXNET_get_id_ulong"},
+	{ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS),	"V2I_ASIDENTIFIERS"},
+	{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING),	"v2i_ASN1_BIT_STRING"},
+	{ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS),	"V2I_AUTHORITY_INFO_ACCESS"},
+	{ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID),	"V2I_AUTHORITY_KEYID"},
+	{ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS),	"V2I_BASIC_CONSTRAINTS"},
+	{ERR_FUNC(X509V3_F_V2I_CRLD),	"V2I_CRLD"},
+	{ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE),	"V2I_EXTENDED_KEY_USAGE"},
+	{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES),	"v2i_GENERAL_NAMES"},
+	{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX),	"v2i_GENERAL_NAME_ex"},
+	{ERR_FUNC(X509V3_F_V2I_IDP),	"V2I_IDP"},
+	{ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS),	"V2I_IPADDRBLOCKS"},
+	{ERR_FUNC(X509V3_F_V2I_ISSUER_ALT),	"V2I_ISSUER_ALT"},
+	{ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS),	"V2I_NAME_CONSTRAINTS"},
+	{ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS),	"V2I_POLICY_CONSTRAINTS"},
+	{ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS),	"V2I_POLICY_MAPPINGS"},
+	{ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT),	"V2I_SUBJECT_ALT"},
+	{ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL),	"V3_ADDR_VALIDATE_PATH_INTERNAL"},
+	{ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION),	"V3_GENERIC_EXTENSION"},
+	{ERR_FUNC(X509V3_F_X509V3_ADD1_I2D),	"X509V3_add1_i2d"},
+	{ERR_FUNC(X509V3_F_X509V3_ADD_VALUE),	"X509V3_add_value"},
+	{ERR_FUNC(X509V3_F_X509V3_EXT_ADD),	"X509V3_EXT_add"},
+	{ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS),	"X509V3_EXT_add_alias"},
+	{ERR_FUNC(X509V3_F_X509V3_EXT_CONF),	"X509V3_EXT_conf"},
+	{ERR_FUNC(X509V3_F_X509V3_EXT_I2D),	"X509V3_EXT_i2d"},
+	{ERR_FUNC(X509V3_F_X509V3_EXT_NCONF),	"X509V3_EXT_nconf"},
+	{ERR_FUNC(X509V3_F_X509V3_GET_SECTION),	"X509V3_get_section"},
+	{ERR_FUNC(X509V3_F_X509V3_GET_STRING),	"X509V3_get_string"},
+	{ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL),	"X509V3_get_value_bool"},
+	{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST),	"X509V3_parse_list"},
+	{ERR_FUNC(X509V3_F_X509_PURPOSE_ADD),	"X509_PURPOSE_add"},
+	{ERR_FUNC(X509V3_F_X509_PURPOSE_SET),	"X509_PURPOSE_set"},
+	{0, NULL}
+};
+
+static ERR_STRING_DATA X509V3_str_reasons[] = {
+	{ERR_REASON(X509V3_R_BAD_IP_ADDRESS)     , "bad ip address"},
+	{ERR_REASON(X509V3_R_BAD_OBJECT)         , "bad object"},
+	{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR)    , "bn dec2bn error"},
+	{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR), "bn to asn1 integer error"},
+	{ERR_REASON(X509V3_R_DIRNAME_ERROR)      , "dirname error"},
+	{ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET), "distpoint already set"},
+	{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID)  , "duplicate zone id"},
+	{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE), "error converting zone"},
+	{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION), "error creating extension"},
+	{ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) , "error in extension"},
+	{ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME), "expected a section name"},
+	{ERR_REASON(X509V3_R_EXTENSION_EXISTS)   , "extension exists"},
+	{ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR), "extension name error"},
+	{ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND), "extension not found"},
+	{ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED), "extension setting not supported"},
+	{ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR), "extension value error"},
+	{ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION), "illegal empty extension"},
+	{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT)  , "illegal hex digit"},
+	{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG), "incorrect policy syntax tag"},
+	{ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS), "invalid multiple rdns"},
+	{ERR_REASON(X509V3_R_INVALID_ASNUMBER)   , "invalid asnumber"},
+	{ERR_REASON(X509V3_R_INVALID_ASRANGE)    , "invalid asrange"},
+	{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING), "invalid boolean string"},
+	{ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING), "invalid extension string"},
+	{ERR_REASON(X509V3_R_INVALID_INHERITANCE), "invalid inheritance"},
+	{ERR_REASON(X509V3_R_INVALID_IPADDRESS)  , "invalid ipaddress"},
+	{ERR_REASON(X509V3_R_INVALID_NAME)       , "invalid name"},
+	{ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT), "invalid null argument"},
+	{ERR_REASON(X509V3_R_INVALID_NULL_NAME)  , "invalid null name"},
+	{ERR_REASON(X509V3_R_INVALID_NULL_VALUE) , "invalid null value"},
+	{ERR_REASON(X509V3_R_INVALID_NUMBER)     , "invalid number"},
+	{ERR_REASON(X509V3_R_INVALID_NUMBERS)    , "invalid numbers"},
+	{ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER), "invalid object identifier"},
+	{ERR_REASON(X509V3_R_INVALID_OPTION)     , "invalid option"},
+	{ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER), "invalid policy identifier"},
+	{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING), "invalid proxy policy setting"},
+	{ERR_REASON(X509V3_R_INVALID_PURPOSE)    , "invalid purpose"},
+	{ERR_REASON(X509V3_R_INVALID_SAFI)       , "invalid safi"},
+	{ERR_REASON(X509V3_R_INVALID_SECTION)    , "invalid section"},
+	{ERR_REASON(X509V3_R_INVALID_SYNTAX)     , "invalid syntax"},
+	{ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR), "issuer decode error"},
+	{ERR_REASON(X509V3_R_MISSING_VALUE)      , "missing value"},
+	{ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS), "need organization and numbers"},
+	{ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) , "no config database"},
+	{ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE), "no issuer certificate"},
+	{ERR_REASON(X509V3_R_NO_ISSUER_DETAILS)  , "no issuer details"},
+	{ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER), "no policy identifier"},
+	{ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED), "no proxy cert policy language defined"},
+	{ERR_REASON(X509V3_R_NO_PUBLIC_KEY)      , "no public key"},
+	{ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) , "no subject details"},
+	{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS), "odd number of digits"},
+	{ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED), "operation not defined"},
+	{ERR_REASON(X509V3_R_OTHERNAME_ERROR)    , "othername error"},
+	{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED), "policy language already defined"},
+	{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) , "policy path length"},
+	{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED), "policy path length already defined"},
+	{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED), "policy syntax not currently supported"},
+	{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY), "policy when proxy language requires no policy"},
+	{ERR_REASON(X509V3_R_SECTION_NOT_FOUND)  , "section not found"},
+	{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS), "unable to get issuer details"},
+	{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID), "unable to get issuer keyid"},
+	{ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT), "unknown bit string argument"},
+	{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION)  , "unknown extension"},
+	{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME), "unknown extension name"},
+	{ERR_REASON(X509V3_R_UNKNOWN_OPTION)     , "unknown option"},
+	{ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) , "unsupported option"},
+	{ERR_REASON(X509V3_R_UNSUPPORTED_TYPE)   , "unsupported type"},
+	{ERR_REASON(X509V3_R_USER_TOO_LONG)      , "user too long"},
+	{0, NULL}
+};
+
+#endif
+
+void
+ERR_load_X509V3_strings(void)
+{
+#ifndef OPENSSL_NO_ERR
+	if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL) {
+		ERR_load_strings(0, X509V3_str_functs);
+		ERR_load_strings(0, X509V3_str_reasons);
+	}
+#endif
+}
diff --git a/src/lib/libcrypto/x509/x509_akey.c b/src/lib/libcrypto/x509/x509_akey.c
new file mode 100644
index 0000000000..f8c7113350
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_akey.c
@@ -0,0 +1,237 @@
+/* $OpenBSD: x509_akey.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
+    AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist);
+static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+
+const X509V3_EXT_METHOD v3_akey_id = {
+	.ext_nid = NID_authority_key_identifier,
+	.ext_flags = X509V3_EXT_MULTILINE,
+	.it = &AUTHORITY_KEYID_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = (X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
+	.v2i = (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+static STACK_OF(CONF_VALUE) *
+i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, AUTHORITY_KEYID *akeyid,
+    STACK_OF(CONF_VALUE) *extlist)
+{
+	STACK_OF(CONF_VALUE) *free_extlist = NULL;
+	char *tmpstr = NULL;
+
+	if (extlist == NULL) {
+		if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
+			return NULL;
+	}
+
+	if (akeyid->keyid != NULL) {
+		if ((tmpstr = hex_to_string(akeyid->keyid->data,
+		    akeyid->keyid->length)) == NULL)
+			goto err;
+		if (!X509V3_add_value("keyid", tmpstr, &extlist))
+			goto err;
+		free(tmpstr);
+		tmpstr = NULL;
+	}
+
+	if (akeyid->issuer != NULL) {
+		if ((extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer,
+		    extlist)) == NULL)
+			goto err;
+	}
+
+	if (akeyid->serial != NULL) {
+		if ((tmpstr = hex_to_string(akeyid->serial->data,
+		    akeyid->serial->length)) == NULL)
+			goto err;
+		if (!X509V3_add_value("serial", tmpstr, &extlist))
+			goto err;
+		free(tmpstr);
+		tmpstr = NULL;
+	}
+
+	if (sk_CONF_VALUE_num(extlist) <= 0)
+		goto err;
+
+	return extlist;
+
+ err:
+	free(tmpstr);
+	sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
+
+	return NULL;
+}
+
+/*
+ * Currently two options:
+ * keyid: use the issuers subject keyid, the value 'always' means its is
+ * an error if the issuer certificate doesn't have a key id.
+ * issuer: use the issuers cert issuer and serial number. The default is
+ * to only use this if keyid is not present. With the option 'always'
+ * this is always included.
+ */
+static AUTHORITY_KEYID *
+v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *values)
+{
+	char keyid = 0, issuer = 0;
+	int i;
+	CONF_VALUE *cnf;
+	ASN1_OCTET_STRING *ikeyid = NULL;
+	X509_NAME *isname = NULL;
+	STACK_OF(GENERAL_NAME) *gens = NULL;
+	GENERAL_NAME *gen = NULL;
+	ASN1_INTEGER *serial = NULL;
+	X509_EXTENSION *ext;
+	X509 *cert;
+	AUTHORITY_KEYID *akeyid = NULL;
+
+	for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
+		cnf = sk_CONF_VALUE_value(values, i);
+		if (!strcmp(cnf->name, "keyid")) {
+			keyid = 1;
+			if (cnf->value && !strcmp(cnf->value, "always"))
+				keyid = 2;
+		} else if (!strcmp(cnf->name, "issuer")) {
+			issuer = 1;
+			if (cnf->value && !strcmp(cnf->value, "always"))
+				issuer = 2;
+		} else {
+			X509V3error(X509V3_R_UNKNOWN_OPTION);
+			ERR_asprintf_error_data("name=%s", cnf->name);
+			return NULL;
+		}
+	}
+
+	if (!ctx || !ctx->issuer_cert) {
+		if (ctx && (ctx->flags == CTX_TEST))
+			return AUTHORITY_KEYID_new();
+		X509V3error(X509V3_R_NO_ISSUER_CERTIFICATE);
+		return NULL;
+	}
+
+	cert = ctx->issuer_cert;
+
+	if (keyid) {
+		i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
+		if ((i >= 0)  && (ext = X509_get_ext(cert, i)))
+			ikeyid = X509V3_EXT_d2i(ext);
+		if (keyid == 2 && !ikeyid) {
+			X509V3error(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
+			return NULL;
+		}
+	}
+
+	if ((issuer && !ikeyid) || (issuer == 2)) {
+		isname = X509_NAME_dup(X509_get_issuer_name(cert));
+		serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
+		if (!isname || !serial) {
+			X509V3error(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
+			goto err;
+		}
+	}
+
+	if (!(akeyid = AUTHORITY_KEYID_new()))
+		goto err;
+
+	if (isname) {
+		if (!(gens = sk_GENERAL_NAME_new_null()) ||
+		    !(gen = GENERAL_NAME_new()) ||
+		    !sk_GENERAL_NAME_push(gens, gen)) {
+			X509V3error(ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		gen->type = GEN_DIRNAME;
+		gen->d.dirn = isname;
+	}
+
+	akeyid->issuer = gens;
+	akeyid->serial = serial;
+	akeyid->keyid = ikeyid;
+
+	return akeyid;
+
+ err:
+	AUTHORITY_KEYID_free(akeyid);
+	GENERAL_NAME_free(gen);
+	sk_GENERAL_NAME_free(gens);
+	X509_NAME_free(isname);
+	ASN1_INTEGER_free(serial);
+	ASN1_OCTET_STRING_free(ikeyid);
+	return NULL;
+}
diff --git a/src/lib/libcrypto/x509/x509_akeya.c b/src/lib/libcrypto/x509/x509_akeya.c
new file mode 100644
index 0000000000..aba8923caa
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_akeya.c
@@ -0,0 +1,124 @@
+/* $OpenBSD: x509_akeya.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static const ASN1_TEMPLATE AUTHORITY_KEYID_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(AUTHORITY_KEYID, keyid),
+		.field_name = "keyid",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(AUTHORITY_KEYID, issuer),
+		.field_name = "issuer",
+		.item = &GENERAL_NAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 2,
+		.offset = offsetof(AUTHORITY_KEYID, serial),
+		.field_name = "serial",
+		.item = &ASN1_INTEGER_it,
+	},
+};
+
+const ASN1_ITEM AUTHORITY_KEYID_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = AUTHORITY_KEYID_seq_tt,
+	.tcount = sizeof(AUTHORITY_KEYID_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(AUTHORITY_KEYID),
+	.sname = "AUTHORITY_KEYID",
+};
+
+
+AUTHORITY_KEYID *
+d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, const unsigned char **in, long len)
+{
+	return (AUTHORITY_KEYID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &AUTHORITY_KEYID_it);
+}
+
+int
+i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &AUTHORITY_KEYID_it);
+}
+
+AUTHORITY_KEYID *
+AUTHORITY_KEYID_new(void)
+{
+	return (AUTHORITY_KEYID *)ASN1_item_new(&AUTHORITY_KEYID_it);
+}
+
+void
+AUTHORITY_KEYID_free(AUTHORITY_KEYID *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &AUTHORITY_KEYID_it);
+}
diff --git a/src/lib/libcrypto/x509/x509_alt.c b/src/lib/libcrypto/x509/x509_alt.c
new file mode 100644
index 0000000000..45aaec24c0
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_alt.c
@@ -0,0 +1,699 @@
+/* $OpenBSD: x509_alt.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
+static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
+static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
+static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
+
+const X509V3_EXT_METHOD v3_alt[] = {
+	{
+		.ext_nid = NID_subject_alt_name,
+		.ext_flags = 0,
+		.it = &GENERAL_NAMES_it,
+		.ext_new = NULL,
+		.ext_free = NULL,
+		.d2i = NULL,
+		.i2d = NULL,
+		.i2s = NULL,
+		.s2i = NULL,
+		.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+		.v2i = (X509V3_EXT_V2I)v2i_subject_alt,
+		.i2r = NULL,
+		.r2i = NULL,
+		.usr_data = NULL,
+	},
+	{
+		.ext_nid = NID_issuer_alt_name,
+		.ext_flags = 0,
+		.it = &GENERAL_NAMES_it,
+		.ext_new = NULL,
+		.ext_free = NULL,
+		.d2i = NULL,
+		.i2d = NULL,
+		.i2s = NULL,
+		.s2i = NULL,
+		.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+		.v2i = (X509V3_EXT_V2I)v2i_issuer_alt,
+		.i2r = NULL,
+		.r2i = NULL,
+		.usr_data = NULL,
+	},
+	{
+		.ext_nid = NID_certificate_issuer,
+		.ext_flags = 0,
+		.it = &GENERAL_NAMES_it,
+		.ext_new = NULL,
+		.ext_free = NULL,
+		.d2i = NULL,
+		.i2d = NULL,
+		.i2s = NULL,
+		.s2i = NULL,
+		.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
+		.v2i = NULL,
+		.i2r = NULL,
+		.r2i = NULL,
+		.usr_data = NULL,
+	},
+};
+
+STACK_OF(CONF_VALUE) *
+i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAMES *gens,
+    STACK_OF(CONF_VALUE) *ret)
+{
+	STACK_OF(CONF_VALUE) *free_ret = NULL;
+	GENERAL_NAME *gen;
+	int i;
+
+	if (ret == NULL) {
+		if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL)
+			return NULL;
+	}
+
+	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+		if ((gen = sk_GENERAL_NAME_value(gens, i)) == NULL)
+			goto err;
+		if ((ret = i2v_GENERAL_NAME(method, gen, ret)) == NULL)
+			goto err;
+	}
+
+	return ret;
+
+ err:
+	sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free);
+
+	return NULL;
+}
+
+STACK_OF(CONF_VALUE) *
+i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen,
+    STACK_OF(CONF_VALUE) *ret)
+{
+	STACK_OF(CONF_VALUE) *free_ret = NULL;
+	unsigned char *p;
+	char oline[256], htmp[5];
+	int i;
+
+	if (ret == NULL) {
+		if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL)
+			return NULL;
+	}
+
+	switch (gen->type) {
+	case GEN_OTHERNAME:
+		if (!X509V3_add_value("othername", "<unsupported>", &ret))
+			goto err;
+		break;
+
+	case GEN_X400:
+		if (!X509V3_add_value("X400Name", "<unsupported>", &ret))
+			goto err;
+		break;
+
+	case GEN_EDIPARTY:
+		if (!X509V3_add_value("EdiPartyName", "<unsupported>", &ret))
+			goto err;
+		break;
+
+	case GEN_EMAIL:
+		if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret))
+			goto err;
+		break;
+
+	case GEN_DNS:
+		if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret))
+			goto err;
+		break;
+
+	case GEN_URI:
+		if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret))
+			goto err;
+		break;
+
+	case GEN_DIRNAME:
+		if (X509_NAME_oneline(gen->d.dirn, oline, 256) == NULL)
+			goto err;
+		if (!X509V3_add_value("DirName", oline, &ret))
+			goto err;
+		break;
+
+	case GEN_IPADD: /* XXX */
+		p = gen->d.ip->data;
+		if (gen->d.ip->length == 4)
+			(void) snprintf(oline, sizeof oline,
+			    "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
+		else if (gen->d.ip->length == 16) {
+			oline[0] = 0;
+			for (i = 0; i < 8; i++) {
+				(void) snprintf(htmp, sizeof htmp,
+				    "%X", p[0] << 8 | p[1]);
+				p += 2;
+				strlcat(oline, htmp, sizeof(oline));
+				if (i != 7)
+					strlcat(oline, ":", sizeof(oline));
+			}
+		} else {
+			if (!X509V3_add_value("IP Address", "<invalid>", &ret))
+				goto err;
+			break;
+		}
+		if (!X509V3_add_value("IP Address", oline, &ret))
+			goto err;
+		break;
+
+	case GEN_RID:
+		if (!i2t_ASN1_OBJECT(oline, 256, gen->d.rid))
+			goto err;
+		if (!X509V3_add_value("Registered ID", oline, &ret))
+			goto err;
+		break;
+	}
+
+	return ret;
+
+ err:
+	sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free);
+
+	return NULL;
+}
+
+int
+GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
+{
+	unsigned char *p;
+	int i;
+
+	switch (gen->type) {
+	case GEN_OTHERNAME:
+		BIO_printf(out, "othername:<unsupported>");
+		break;
+
+	case GEN_X400:
+		BIO_printf(out, "X400Name:<unsupported>");
+		break;
+
+	case GEN_EDIPARTY:
+		/* Maybe fix this: it is supported now */
+		BIO_printf(out, "EdiPartyName:<unsupported>");
+		break;
+
+	case GEN_EMAIL:
+		BIO_printf(out, "email:%s", gen->d.ia5->data);
+		break;
+
+	case GEN_DNS:
+		BIO_printf(out, "DNS:%s", gen->d.ia5->data);
+		break;
+
+	case GEN_URI:
+		BIO_printf(out, "URI:%s", gen->d.ia5->data);
+		break;
+
+	case GEN_DIRNAME:
+		BIO_printf(out, "DirName: ");
+		X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
+		break;
+
+	case GEN_IPADD:
+		p = gen->d.ip->data;
+		if (gen->d.ip->length == 4)
+			BIO_printf(out, "IP Address:%d.%d.%d.%d",
+			    p[0], p[1], p[2], p[3]);
+		else if (gen->d.ip->length == 16) {
+			BIO_printf(out, "IP Address");
+			for (i = 0; i < 8; i++) {
+				BIO_printf(out, ":%X", p[0] << 8 | p[1]);
+				p += 2;
+			}
+			BIO_puts(out, "\n");
+		} else {
+			BIO_printf(out, "IP Address:<invalid>");
+			break;
+		}
+		break;
+
+	case GEN_RID:
+		BIO_printf(out, "Registered ID");
+		i2a_ASN1_OBJECT(out, gen->d.rid);
+		break;
+	}
+	return 1;
+}
+
+static GENERAL_NAMES *
+v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *nval)
+{
+	GENERAL_NAMES *gens = NULL;
+	CONF_VALUE *cnf;
+	int i;
+
+	if ((gens = sk_GENERAL_NAME_new_null()) == NULL) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		cnf = sk_CONF_VALUE_value(nval, i);
+		if (name_cmp(cnf->name, "issuer") == 0 && cnf->value != NULL &&
+		    strcmp(cnf->value, "copy") == 0) {
+			if (!copy_issuer(ctx, gens))
+				goto err;
+		} else {
+			GENERAL_NAME *gen;
+			if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
+				goto err;
+			if (sk_GENERAL_NAME_push(gens, gen) == 0) {
+				GENERAL_NAME_free(gen);
+				goto err;
+			}
+		}
+	}
+	return gens;
+
+err:
+	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+	return NULL;
+}
+
+/* Append subject altname of issuer to issuer alt name of subject */
+
+static int
+copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
+{
+	GENERAL_NAMES *ialt;
+	GENERAL_NAME *gen;
+	X509_EXTENSION *ext;
+	int i;
+
+	if (ctx && (ctx->flags == CTX_TEST))
+		return 1;
+	if (!ctx || !ctx->issuer_cert) {
+		X509V3error(X509V3_R_NO_ISSUER_DETAILS);
+		goto err;
+	}
+	i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
+	if (i < 0)
+		return 1;
+	if (!(ext = X509_get_ext(ctx->issuer_cert, i)) ||
+	    !(ialt = X509V3_EXT_d2i(ext))) {
+		X509V3error(X509V3_R_ISSUER_DECODE_ERROR);
+		goto err;
+	}
+
+	for (i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
+		gen = sk_GENERAL_NAME_value(ialt, i);
+		if (!sk_GENERAL_NAME_push(gens, gen)) {
+			X509V3error(ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+	}
+	sk_GENERAL_NAME_free(ialt);
+
+	return 1;
+
+err:
+	return 0;
+
+}
+
+static GENERAL_NAMES *
+v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *nval)
+{
+	GENERAL_NAMES *gens = NULL;
+	CONF_VALUE *cnf;
+	int i;
+
+	if (!(gens = sk_GENERAL_NAME_new_null())) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		cnf = sk_CONF_VALUE_value(nval, i);
+		if (!name_cmp(cnf->name, "email") && cnf->value &&
+		    !strcmp(cnf->value, "copy")) {
+			if (!copy_email(ctx, gens, 0))
+				goto err;
+		} else if (!name_cmp(cnf->name, "email") && cnf->value &&
+		    !strcmp(cnf->value, "move")) {
+			if (!copy_email(ctx, gens, 1))
+				goto err;
+		} else {
+			GENERAL_NAME *gen;
+			if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+				goto err;
+			if (sk_GENERAL_NAME_push(gens, gen) == 0) {
+				GENERAL_NAME_free(gen);
+				goto err;
+			}
+		}
+	}
+	return gens;
+
+err:
+	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+	return NULL;
+}
+
+/* Copy any email addresses in a certificate or request to
+ * GENERAL_NAMES
+ */
+
+static int
+copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
+{
+	X509_NAME *nm;
+	ASN1_IA5STRING *email = NULL;
+	X509_NAME_ENTRY *ne;
+	GENERAL_NAME *gen = NULL;
+	int i;
+
+	if (ctx != NULL && ctx->flags == CTX_TEST)
+		return 1;
+	if (!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
+		X509V3error(X509V3_R_NO_SUBJECT_DETAILS);
+		goto err;
+	}
+	/* Find the subject name */
+	if (ctx->subject_cert)
+		nm = X509_get_subject_name(ctx->subject_cert);
+	else
+		nm = X509_REQ_get_subject_name(ctx->subject_req);
+
+	/* Now add any email address(es) to STACK */
+	i = -1;
+	while ((i = X509_NAME_get_index_by_NID(nm,
+	    NID_pkcs9_emailAddress, i)) >= 0) {
+		ne = X509_NAME_get_entry(nm, i);
+		email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
+		if (move_p) {
+			X509_NAME_delete_entry(nm, i);
+			X509_NAME_ENTRY_free(ne);
+			i--;
+		}
+		if (!email || !(gen = GENERAL_NAME_new())) {
+			X509V3error(ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		gen->d.ia5 = email;
+		email = NULL;
+		gen->type = GEN_EMAIL;
+		if (!sk_GENERAL_NAME_push(gens, gen)) {
+			X509V3error(ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		gen = NULL;
+	}
+
+	return 1;
+
+err:
+	GENERAL_NAME_free(gen);
+	ASN1_IA5STRING_free(email);
+	return 0;
+}
+
+GENERAL_NAMES *
+v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *nval)
+{
+	GENERAL_NAME *gen;
+	GENERAL_NAMES *gens = NULL;
+	CONF_VALUE *cnf;
+	int i;
+
+	if (!(gens = sk_GENERAL_NAME_new_null())) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		cnf = sk_CONF_VALUE_value(nval, i);
+		if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+			goto err;
+		if (sk_GENERAL_NAME_push(gens, gen) == 0) {
+			GENERAL_NAME_free(gen);
+			goto err;
+		}
+	}
+	return gens;
+
+err:
+	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+	return NULL;
+}
+
+GENERAL_NAME *
+v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    CONF_VALUE *cnf)
+{
+	return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
+}
+
+GENERAL_NAME *
+a2i_GENERAL_NAME(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, int gen_type, const char *value, int is_nc)
+{
+	char is_string = 0;
+	GENERAL_NAME *gen = NULL;
+
+	if (!value) {
+		X509V3error(X509V3_R_MISSING_VALUE);
+		return NULL;
+	}
+
+	if (out)
+		gen = out;
+	else {
+		gen = GENERAL_NAME_new();
+		if (gen == NULL) {
+			X509V3error(ERR_R_MALLOC_FAILURE);
+			return NULL;
+		}
+	}
+
+	switch (gen_type) {
+	case GEN_URI:
+	case GEN_EMAIL:
+	case GEN_DNS:
+		is_string = 1;
+		break;
+
+	case GEN_RID:
+		{
+			ASN1_OBJECT *obj;
+			if (!(obj = OBJ_txt2obj(value, 0))) {
+				X509V3error(X509V3_R_BAD_OBJECT);
+				ERR_asprintf_error_data("value=%s", value);
+				goto err;
+			}
+			gen->d.rid = obj;
+		}
+		break;
+
+	case GEN_IPADD:
+		if (is_nc)
+			gen->d.ip = a2i_IPADDRESS_NC(value);
+		else
+			gen->d.ip = a2i_IPADDRESS(value);
+		if (gen->d.ip == NULL) {
+			X509V3error(X509V3_R_BAD_IP_ADDRESS);
+			ERR_asprintf_error_data("value=%s", value);
+			goto err;
+		}
+		break;
+
+	case GEN_DIRNAME:
+		if (!do_dirname(gen, value, ctx)) {
+			X509V3error(X509V3_R_DIRNAME_ERROR);
+			goto err;
+		}
+		break;
+
+	case GEN_OTHERNAME:
+		if (!do_othername(gen, value, ctx)) {
+			X509V3error(X509V3_R_OTHERNAME_ERROR);
+			goto err;
+		}
+		break;
+
+	default:
+		X509V3error(X509V3_R_UNSUPPORTED_TYPE);
+		goto err;
+	}
+
+	if (is_string) {
+		if (!(gen->d.ia5 = ASN1_IA5STRING_new()) ||
+		    !ASN1_STRING_set(gen->d.ia5, value, strlen(value))) {
+			X509V3error(ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+	}
+
+	gen->type = gen_type;
+
+	return gen;
+
+err:
+	if (out == NULL)
+		GENERAL_NAME_free(gen);
+	return NULL;
+}
+
+GENERAL_NAME *
+v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
+{
+	int type;
+	char *name, *value;
+
+	name = cnf->name;
+	value = cnf->value;
+
+	if (!value) {
+		X509V3error(X509V3_R_MISSING_VALUE);
+		return NULL;
+	}
+
+	if (!name_cmp(name, "email"))
+		type = GEN_EMAIL;
+	else if (!name_cmp(name, "URI"))
+		type = GEN_URI;
+	else if (!name_cmp(name, "DNS"))
+		type = GEN_DNS;
+	else if (!name_cmp(name, "RID"))
+		type = GEN_RID;
+	else if (!name_cmp(name, "IP"))
+		type = GEN_IPADD;
+	else if (!name_cmp(name, "dirName"))
+		type = GEN_DIRNAME;
+	else if (!name_cmp(name, "otherName"))
+		type = GEN_OTHERNAME;
+	else {
+		X509V3error(X509V3_R_UNSUPPORTED_OPTION);
+		ERR_asprintf_error_data("name=%s", name);
+		return NULL;
+	}
+
+	return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
+}
+
+static int
+do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
+{
+	char *objtmp = NULL, *p;
+	int objlen;
+
+	if (!(p = strchr(value, ';')))
+		return 0;
+	if (!(gen->d.otherName = OTHERNAME_new()))
+		return 0;
+	/* Free this up because we will overwrite it.
+	 * no need to free type_id because it is static
+	 */
+	ASN1_TYPE_free(gen->d.otherName->value);
+	if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
+		return 0;
+	objlen = p - value;
+	objtmp = malloc(objlen + 1);
+	if (objtmp) {
+		strlcpy(objtmp, value, objlen + 1);
+		gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
+		free(objtmp);
+	} else
+		gen->d.otherName->type_id = NULL;
+	if (!gen->d.otherName->type_id)
+		return 0;
+	return 1;
+}
+
+static int
+do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
+{
+	int ret;
+	STACK_OF(CONF_VALUE) *sk;
+	X509_NAME *nm;
+
+	if (!(nm = X509_NAME_new()))
+		return 0;
+	sk = X509V3_get_section(ctx, value);
+	if (!sk) {
+		X509V3error(X509V3_R_SECTION_NOT_FOUND);
+		ERR_asprintf_error_data("section=%s", value);
+		X509_NAME_free(nm);
+		return 0;
+	}
+	/* FIXME: should allow other character types... */
+	ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
+	if (!ret)
+		X509_NAME_free(nm);
+	gen->d.dirn = nm;
+	X509V3_section_free(ctx, sk);
+
+	return ret;
+}
diff --git a/src/lib/libcrypto/x509/x509_bcons.c b/src/lib/libcrypto/x509/x509_bcons.c
new file mode 100644
index 0000000000..48ce7d6087
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_bcons.c
@@ -0,0 +1,199 @@
+/* $OpenBSD: x509_bcons.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
+    BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist);
+static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+
+const X509V3_EXT_METHOD v3_bcons = {
+	.ext_nid = NID_basic_constraints,
+	.ext_flags = 0,
+	.it = &BASIC_CONSTRAINTS_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = (X509V3_EXT_I2V)i2v_BASIC_CONSTRAINTS,
+	.v2i = (X509V3_EXT_V2I)v2i_BASIC_CONSTRAINTS,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+static const ASN1_TEMPLATE BASIC_CONSTRAINTS_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(BASIC_CONSTRAINTS, ca),
+		.field_name = "ca",
+		.item = &ASN1_FBOOLEAN_it,
+	},
+	{
+		.flags = ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(BASIC_CONSTRAINTS, pathlen),
+		.field_name = "pathlen",
+		.item = &ASN1_INTEGER_it,
+	},
+};
+
+const ASN1_ITEM BASIC_CONSTRAINTS_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = BASIC_CONSTRAINTS_seq_tt,
+	.tcount = sizeof(BASIC_CONSTRAINTS_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(BASIC_CONSTRAINTS),
+	.sname = "BASIC_CONSTRAINTS",
+};
+
+
+BASIC_CONSTRAINTS *
+d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a, const unsigned char **in, long len)
+{
+	return (BASIC_CONSTRAINTS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &BASIC_CONSTRAINTS_it);
+}
+
+int
+i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &BASIC_CONSTRAINTS_it);
+}
+
+BASIC_CONSTRAINTS *
+BASIC_CONSTRAINTS_new(void)
+{
+	return (BASIC_CONSTRAINTS *)ASN1_item_new(&BASIC_CONSTRAINTS_it);
+}
+
+void
+BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &BASIC_CONSTRAINTS_it);
+}
+
+
+static STACK_OF(CONF_VALUE) *
+i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons,
+    STACK_OF(CONF_VALUE) *extlist)
+{
+	STACK_OF(CONF_VALUE) *free_extlist = NULL;
+
+	if (extlist == NULL) {
+		if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
+			return NULL;
+	}
+
+	if (!X509V3_add_value_bool("CA", bcons->ca, &extlist))
+		goto err;
+	if (!X509V3_add_value_int("pathlen", bcons->pathlen, &extlist))
+		goto err;
+
+	return extlist;
+
+ err:
+	sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
+
+	return NULL;
+}
+
+static BASIC_CONSTRAINTS *
+v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *values)
+{
+	BASIC_CONSTRAINTS *bcons = NULL;
+	CONF_VALUE *val;
+	int i;
+
+	if (!(bcons = BASIC_CONSTRAINTS_new())) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
+		val = sk_CONF_VALUE_value(values, i);
+		if (!strcmp(val->name, "CA")) {
+			if (!X509V3_get_value_bool(val, &bcons->ca))
+				goto err;
+		} else if (!strcmp(val->name, "pathlen")) {
+			if (!X509V3_get_value_int(val, &bcons->pathlen))
+				goto err;
+		} else {
+			X509V3error(X509V3_R_INVALID_NAME);
+			X509V3_conf_err(val);
+			goto err;
+		}
+	}
+	return bcons;
+
+err:
+	BASIC_CONSTRAINTS_free(bcons);
+	return NULL;
+}
diff --git a/src/lib/libcrypto/x509/x509_bitst.c b/src/lib/libcrypto/x509/x509_bitst.c
new file mode 100644
index 0000000000..3d998188e8
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_bitst.c
@@ -0,0 +1,187 @@
+/* $OpenBSD: x509_bitst.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+static BIT_STRING_BITNAME ns_cert_type_table[] = {
+	{0, "SSL Client", "client"},
+	{1, "SSL Server", "server"},
+	{2, "S/MIME", "email"},
+	{3, "Object Signing", "objsign"},
+	{4, "Unused", "reserved"},
+	{5, "SSL CA", "sslCA"},
+	{6, "S/MIME CA", "emailCA"},
+	{7, "Object Signing CA", "objCA"},
+	{-1, NULL, NULL}
+};
+
+static BIT_STRING_BITNAME key_usage_type_table[] = {
+	{0, "Digital Signature", "digitalSignature"},
+	{1, "Non Repudiation", "nonRepudiation"},
+	{2, "Key Encipherment", "keyEncipherment"},
+	{3, "Data Encipherment", "dataEncipherment"},
+	{4, "Key Agreement", "keyAgreement"},
+	{5, "Certificate Sign", "keyCertSign"},
+	{6, "CRL Sign", "cRLSign"},
+	{7, "Encipher Only", "encipherOnly"},
+	{8, "Decipher Only", "decipherOnly"},
+	{-1, NULL, NULL}
+};
+
+const X509V3_EXT_METHOD v3_nscert = {
+	.ext_nid = NID_netscape_cert_type,
+	.ext_flags = 0,
+	.it = &ASN1_BIT_STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING,
+	.v2i = (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = ns_cert_type_table,
+};
+
+const X509V3_EXT_METHOD v3_key_usage = {
+	.ext_nid = NID_key_usage,
+	.ext_flags = 0,
+	.it = &ASN1_BIT_STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING,
+	.v2i = (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = key_usage_type_table,
+};
+
+STACK_OF(CONF_VALUE) *
+i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits,
+    STACK_OF(CONF_VALUE) *ret)
+{
+	BIT_STRING_BITNAME *bnam;
+	STACK_OF(CONF_VALUE) *free_ret = NULL;
+
+	if (ret == NULL) {
+		if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL)
+			return NULL;
+	}
+
+	for (bnam = method->usr_data; bnam->lname != NULL; bnam++) {
+		if (!ASN1_BIT_STRING_get_bit(bits, bnam->bitnum))
+			continue;
+		if (!X509V3_add_value(bnam->lname, NULL, &ret))
+			goto err;
+	}
+
+	return ret;
+
+ err:
+	sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free);
+
+	return NULL;
+}
+
+ASN1_BIT_STRING *
+v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *nval)
+{
+	CONF_VALUE *val;
+	ASN1_BIT_STRING *bs;
+	int i;
+	BIT_STRING_BITNAME *bnam;
+
+	if (!(bs = ASN1_BIT_STRING_new())) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		val = sk_CONF_VALUE_value(nval, i);
+		for (bnam = method->usr_data; bnam->lname; bnam++) {
+			if (!strcmp(bnam->sname, val->name) ||
+			    !strcmp(bnam->lname, val->name) ) {
+				if (!ASN1_BIT_STRING_set_bit(bs,
+				    bnam->bitnum, 1)) {
+					X509V3error(ERR_R_MALLOC_FAILURE);
+					ASN1_BIT_STRING_free(bs);
+					return NULL;
+				}
+				break;
+			}
+		}
+		if (!bnam->lname) {
+			X509V3error(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
+			X509V3_conf_err(val);
+			ASN1_BIT_STRING_free(bs);
+			return NULL;
+		}
+	}
+	return bs;
+}
diff --git a/src/lib/libcrypto/x509/x509_conf.c b/src/lib/libcrypto/x509/x509_conf.c
new file mode 100644
index 0000000000..8bf2d10b9f
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_conf.c
@@ -0,0 +1,570 @@
+/* $OpenBSD: x509_conf.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* extension creation utilities */
+
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+
+static int v3_check_critical(const char **value);
+static int v3_check_generic(const char **value);
+static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
+    int crit, const char *value);
+static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
+    int crit, int type, X509V3_CTX *ctx);
+static char *conf_lhash_get_string(void *db, const char *section,
+    const char *value);
+static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db,
+    const char *section);
+static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
+    int crit, void *ext_struc);
+static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
+    long *ext_len);
+
+/* CONF *conf:  Config file    */
+/* char *name:  Name    */
+/* char *value:  Value    */
+X509_EXTENSION *
+X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
+    const char *value)
+{
+	int crit;
+	int ext_type;
+	X509_EXTENSION *ret;
+
+	crit = v3_check_critical(&value);
+	if ((ext_type = v3_check_generic(&value)))
+		return v3_generic_extension(name, value, crit, ext_type, ctx);
+	ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
+	if (!ret) {
+		X509V3error(X509V3_R_ERROR_IN_EXTENSION);
+		ERR_asprintf_error_data("name=%s, value=%s", name, value);
+	}
+	return ret;
+}
+
+/* CONF *conf:  Config file    */
+/* char *value:  Value    */
+X509_EXTENSION *
+X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
+    const char *value)
+{
+	int crit;
+	int ext_type;
+
+	crit = v3_check_critical(&value);
+	if ((ext_type = v3_check_generic(&value)))
+		return v3_generic_extension(OBJ_nid2sn(ext_nid),
+		    value, crit, ext_type, ctx);
+	return do_ext_nconf(conf, ctx, ext_nid, crit, value);
+}
+
+/* CONF *conf:  Config file    */
+/* char *value:  Value    */
+static X509_EXTENSION *
+do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit,
+    const char *value)
+{
+	const X509V3_EXT_METHOD *method;
+	X509_EXTENSION *ext;
+	void *ext_struc;
+
+	if (ext_nid == NID_undef) {
+		X509V3error(X509V3_R_UNKNOWN_EXTENSION_NAME);
+		return NULL;
+	}
+	if (!(method = X509V3_EXT_get_nid(ext_nid))) {
+		X509V3error(X509V3_R_UNKNOWN_EXTENSION);
+		return NULL;
+	}
+	/* Now get internal extension representation based on type */
+	if (method->v2i) {
+		STACK_OF(CONF_VALUE) *nval;
+
+		if (*value == '@')
+			nval = NCONF_get_section(conf, value + 1);
+		else
+			nval = X509V3_parse_list(value);
+		if (sk_CONF_VALUE_num(nval) <= 0) {
+			X509V3error(X509V3_R_INVALID_EXTENSION_STRING);
+			ERR_asprintf_error_data("name=%s,section=%s",
+			    OBJ_nid2sn(ext_nid), value);
+			if (*value != '@')
+				sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
+			return NULL;
+		}
+		ext_struc = method->v2i(method, ctx, nval);
+		if (*value != '@')
+			sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
+	} else if (method->s2i) {
+		ext_struc = method->s2i(method, ctx, value);
+	} else if (method->r2i) {
+		if (!ctx->db || !ctx->db_meth) {
+			X509V3error(X509V3_R_NO_CONFIG_DATABASE);
+			return NULL;
+		}
+		ext_struc = method->r2i(method, ctx, value);
+	} else {
+		X509V3error(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
+		ERR_asprintf_error_data("name=%s", OBJ_nid2sn(ext_nid));
+		return NULL;
+	}
+	if (ext_struc == NULL)
+		return NULL;
+
+	ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
+	if (method->it)
+		ASN1_item_free(ext_struc, method->it);
+	else
+		method->ext_free(ext_struc);
+	return ext;
+}
+
+static X509_EXTENSION *
+do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid, int crit,
+    void *ext_struc)
+{
+	unsigned char *ext_der;
+	int ext_len;
+	ASN1_OCTET_STRING *ext_oct = NULL;
+	X509_EXTENSION *ext;
+
+	/* Convert internal representation to DER */
+	if (method->it) {
+		ext_der = NULL;
+		ext_len = ASN1_item_i2d(ext_struc, &ext_der,
+		    method->it);
+		if (ext_len < 0)
+			goto merr;
+	} else {
+		unsigned char *p;
+		ext_len = method->i2d(ext_struc, NULL);
+		if (!(ext_der = malloc(ext_len)))
+			goto merr;
+		p = ext_der;
+		method->i2d(ext_struc, &p);
+	}
+	if (!(ext_oct = ASN1_OCTET_STRING_new()))
+		goto merr;
+	ext_oct->data = ext_der;
+	ext_oct->length = ext_len;
+
+	ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
+	if (!ext)
+		goto merr;
+	ASN1_OCTET_STRING_free(ext_oct);
+
+	return ext;
+
+merr:
+	ASN1_OCTET_STRING_free(ext_oct);
+	X509V3error(ERR_R_MALLOC_FAILURE);
+	return NULL;
+
+}
+
+/* Given an internal structure, nid and critical flag create an extension */
+
+X509_EXTENSION *
+X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
+{
+	const X509V3_EXT_METHOD *method;
+
+	if (!(method = X509V3_EXT_get_nid(ext_nid))) {
+		X509V3error(X509V3_R_UNKNOWN_EXTENSION);
+		return NULL;
+	}
+	return do_ext_i2d(method, ext_nid, crit, ext_struc);
+}
+
+/* Check the extension string for critical flag */
+static int
+v3_check_critical(const char **value)
+{
+	const char *p = *value;
+
+	if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
+		return 0;
+	p += 9;
+	while (isspace((unsigned char)*p)) p++;
+		*value = p;
+	return 1;
+}
+
+/* Check extension string for generic extension and return the type */
+static int
+v3_check_generic(const char **value)
+{
+	int gen_type = 0;
+	const char *p = *value;
+
+	if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4)) {
+		p += 4;
+		gen_type = 1;
+	} else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5)) {
+		p += 5;
+		gen_type = 2;
+	} else
+		return 0;
+
+	while (isspace((unsigned char)*p))
+		p++;
+	*value = p;
+	return gen_type;
+}
+
+/* Create a generic extension: for now just handle DER type */
+static X509_EXTENSION *
+v3_generic_extension(const char *ext, const char *value, int crit, int gen_type,
+    X509V3_CTX *ctx)
+{
+	unsigned char *ext_der = NULL;
+	long ext_len = 0;
+	ASN1_OBJECT *obj = NULL;
+	ASN1_OCTET_STRING *oct = NULL;
+	X509_EXTENSION *extension = NULL;
+
+	if (!(obj = OBJ_txt2obj(ext, 0))) {
+		X509V3error(X509V3_R_EXTENSION_NAME_ERROR);
+		ERR_asprintf_error_data("name=%s", ext);
+		goto err;
+	}
+
+	if (gen_type == 1)
+		ext_der = string_to_hex(value, &ext_len);
+	else if (gen_type == 2)
+		ext_der = generic_asn1(value, ctx, &ext_len);
+	else {
+		ERR_asprintf_error_data("Unexpected generic extension type %d", gen_type);
+		goto err;
+	}
+
+	if (ext_der == NULL) {
+		X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
+		ERR_asprintf_error_data("value=%s", value);
+		goto err;
+	}
+
+	if (!(oct = ASN1_OCTET_STRING_new())) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+
+	oct->data = ext_der;
+	oct->length = ext_len;
+	ext_der = NULL;
+
+	extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
+
+err:
+	ASN1_OBJECT_free(obj);
+	ASN1_OCTET_STRING_free(oct);
+	free(ext_der);
+	return extension;
+}
+
+static unsigned char *
+generic_asn1(const char *value, X509V3_CTX *ctx, long *ext_len)
+{
+	ASN1_TYPE *typ;
+	unsigned char *ext_der = NULL;
+
+	typ = ASN1_generate_v3(value, ctx);
+	if (typ == NULL)
+		return NULL;
+	*ext_len = i2d_ASN1_TYPE(typ, &ext_der);
+	ASN1_TYPE_free(typ);
+	return ext_der;
+}
+
+/* This is the main function: add a bunch of extensions based on a config file
+ * section to an extension STACK.
+ */
+
+int
+X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
+    STACK_OF(X509_EXTENSION) **sk)
+{
+	X509_EXTENSION *ext;
+	STACK_OF(CONF_VALUE) *nval;
+	CONF_VALUE *val;
+	int i;
+
+	if (!(nval = NCONF_get_section(conf, section)))
+		return 0;
+	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		val = sk_CONF_VALUE_value(nval, i);
+		if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
+			return 0;
+		if (sk)
+			X509v3_add_ext(sk, ext, -1);
+		X509_EXTENSION_free(ext);
+	}
+	return 1;
+}
+
+/* Convenience functions to add extensions to a certificate, CRL and request */
+
+int
+X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
+    X509 *cert)
+{
+	STACK_OF(X509_EXTENSION) **sk = NULL;
+
+	if (cert)
+		sk = &cert->cert_info->extensions;
+	return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
+}
+
+/* Same as above but for a CRL */
+
+int
+X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
+    X509_CRL *crl)
+{
+	STACK_OF(X509_EXTENSION) **sk = NULL;
+
+	if (crl)
+		sk = &crl->crl->extensions;
+	return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
+}
+
+/* Add extensions to certificate request */
+
+int
+X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
+    X509_REQ *req)
+{
+	STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
+	int i;
+
+	if (req)
+		sk = &extlist;
+	i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
+	if (!i || !sk)
+		return i;
+	i = X509_REQ_add_extensions(req, extlist);
+	sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
+	return i;
+}
+
+/* Config database functions */
+
+char *
+X509V3_get_string(X509V3_CTX *ctx, const char *name, const char *section)
+{
+	if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string) {
+		X509V3error(X509V3_R_OPERATION_NOT_DEFINED);
+		return NULL;
+	}
+	return ctx->db_meth->get_string(ctx->db, name, section);
+}
+
+STACK_OF(CONF_VALUE) *
+X509V3_get_section(X509V3_CTX *ctx, const char *section)
+{
+	if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section) {
+		X509V3error(X509V3_R_OPERATION_NOT_DEFINED);
+		return NULL;
+	}
+	return ctx->db_meth->get_section(ctx->db, section);
+}
+
+void
+X509V3_string_free(X509V3_CTX *ctx, char *str)
+{
+	if (!str)
+		return;
+	if (ctx->db_meth->free_string)
+		ctx->db_meth->free_string(ctx->db, str);
+}
+
+void
+X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
+{
+	if (!section)
+		return;
+	if (ctx->db_meth->free_section)
+		ctx->db_meth->free_section(ctx->db, section);
+}
+
+static char *
+nconf_get_string(void *db, const char *section, const char *value)
+{
+	return NCONF_get_string(db, section, value);
+}
+
+static STACK_OF(CONF_VALUE) *
+nconf_get_section(void *db, const char *section)
+{
+	return NCONF_get_section(db, section);
+}
+
+static X509V3_CONF_METHOD nconf_method = {
+	nconf_get_string,
+	nconf_get_section,
+	NULL,
+	NULL
+};
+
+void
+X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
+{
+	ctx->db_meth = &nconf_method;
+	ctx->db = conf;
+}
+
+void
+X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
+    X509_CRL *crl, int flags)
+{
+	ctx->issuer_cert = issuer;
+	ctx->subject_cert = subj;
+	ctx->crl = crl;
+	ctx->subject_req = req;
+	ctx->flags = flags;
+}
+
+/* Old conf compatibility functions */
+
+X509_EXTENSION *
+X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, const char *name,
+    const char *value)
+{
+	CONF ctmp;
+
+	CONF_set_nconf(&ctmp, conf);
+	return X509V3_EXT_nconf(&ctmp, ctx, name, value);
+}
+
+/* LHASH *conf:  Config file    */
+/* char *value:  Value    */
+X509_EXTENSION *
+X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, int ext_nid,
+    const char *value)
+{
+	CONF ctmp;
+
+	CONF_set_nconf(&ctmp, conf);
+	return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
+}
+
+static char *
+conf_lhash_get_string(void *db, const char *section, const char *value)
+{
+	return CONF_get_string(db, section, value);
+}
+
+static STACK_OF(CONF_VALUE) *
+conf_lhash_get_section(void *db, const char *section)
+{
+	return CONF_get_section(db, section);
+}
+
+static X509V3_CONF_METHOD conf_lhash_method = {
+	conf_lhash_get_string,
+	conf_lhash_get_section,
+	NULL,
+	NULL
+};
+
+void
+X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
+{
+	ctx->db_meth = &conf_lhash_method;
+	ctx->db = lhash;
+}
+
+int
+X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+    const char *section, X509 *cert)
+{
+	CONF ctmp;
+
+	CONF_set_nconf(&ctmp, conf);
+	return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
+}
+
+/* Same as above but for a CRL */
+
+int
+X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+    const char *section, X509_CRL *crl)
+{
+	CONF ctmp;
+
+	CONF_set_nconf(&ctmp, conf);
+	return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
+}
+
+/* Add extensions to certificate request */
+
+int
+X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+    const char *section, X509_REQ *req)
+{
+	CONF ctmp;
+
+	CONF_set_nconf(&ctmp, conf);
+	return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
+}
diff --git a/src/lib/libcrypto/x509/x509_cpols.c b/src/lib/libcrypto/x509/x509_cpols.c
new file mode 100644
index 0000000000..4b6c13cfbe
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_cpols.c
@@ -0,0 +1,763 @@
+/* $OpenBSD: x509_cpols.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+#include "pcy_int.h"
+
+/* Certificate policies extension support: this one is a bit complex... */
+
+static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
+    BIO *out, int indent);
+static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, char *value);
+static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
+    int indent);
+static void print_notice(BIO *out, USERNOTICE *notice, int indent);
+static POLICYINFO *policy_section(X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *polstrs, int ia5org);
+static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *unot, int ia5org);
+static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
+
+const X509V3_EXT_METHOD v3_cpols = {
+	.ext_nid = NID_certificate_policies,
+	.ext_flags = 0,
+	.it = &CERTIFICATEPOLICIES_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = (X509V3_EXT_I2R)i2r_certpol,
+	.r2i = (X509V3_EXT_R2I)r2i_certpol,
+	.usr_data = NULL,
+};
+
+static const ASN1_TEMPLATE CERTIFICATEPOLICIES_item_tt = {
+	.flags = ASN1_TFLG_SEQUENCE_OF,
+	.tag = 0,
+	.offset = 0,
+	.field_name = "CERTIFICATEPOLICIES",
+	.item = &POLICYINFO_it,
+};
+
+const ASN1_ITEM CERTIFICATEPOLICIES_it = {
+	.itype = ASN1_ITYPE_PRIMITIVE,
+	.utype = -1,
+	.templates = &CERTIFICATEPOLICIES_item_tt,
+	.tcount = 0,
+	.funcs = NULL,
+	.size = 0,
+	.sname = "CERTIFICATEPOLICIES",
+};
+
+
+CERTIFICATEPOLICIES *
+d2i_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES **a, const unsigned char **in, long len)
+{
+	return (CERTIFICATEPOLICIES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &CERTIFICATEPOLICIES_it);
+}
+
+int
+i2d_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &CERTIFICATEPOLICIES_it);
+}
+
+CERTIFICATEPOLICIES *
+CERTIFICATEPOLICIES_new(void)
+{
+	return (CERTIFICATEPOLICIES *)ASN1_item_new(&CERTIFICATEPOLICIES_it);
+}
+
+void
+CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &CERTIFICATEPOLICIES_it);
+}
+
+static const ASN1_TEMPLATE POLICYINFO_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(POLICYINFO, policyid),
+		.field_name = "policyid",
+		.item = &ASN1_OBJECT_it,
+	},
+	{
+		.flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(POLICYINFO, qualifiers),
+		.field_name = "qualifiers",
+		.item = &POLICYQUALINFO_it,
+	},
+};
+
+const ASN1_ITEM POLICYINFO_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = POLICYINFO_seq_tt,
+	.tcount = sizeof(POLICYINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(POLICYINFO),
+	.sname = "POLICYINFO",
+};
+
+
+POLICYINFO *
+d2i_POLICYINFO(POLICYINFO **a, const unsigned char **in, long len)
+{
+	return (POLICYINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &POLICYINFO_it);
+}
+
+int
+i2d_POLICYINFO(POLICYINFO *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &POLICYINFO_it);
+}
+
+POLICYINFO *
+POLICYINFO_new(void)
+{
+	return (POLICYINFO *)ASN1_item_new(&POLICYINFO_it);
+}
+
+void
+POLICYINFO_free(POLICYINFO *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &POLICYINFO_it);
+}
+
+static const ASN1_TEMPLATE policydefault_tt = {
+	.flags = 0,
+	.tag = 0,
+	.offset = offsetof(POLICYQUALINFO, d.other),
+	.field_name = "d.other",
+	.item = &ASN1_ANY_it,
+};
+
+static const ASN1_ADB_TABLE POLICYQUALINFO_adbtbl[] = {
+	{
+		.value = NID_id_qt_cps,
+		.tt = {
+			.flags = 0,
+			.tag = 0,
+			.offset = offsetof(POLICYQUALINFO, d.cpsuri),
+			.field_name = "d.cpsuri",
+			.item = &ASN1_IA5STRING_it,
+		},
+	
+	},
+	{
+		.value = NID_id_qt_unotice,
+		.tt = {
+			.flags = 0,
+			.tag = 0,
+			.offset = offsetof(POLICYQUALINFO, d.usernotice),
+			.field_name = "d.usernotice",
+			.item = &USERNOTICE_it,
+		},
+	
+	},
+};
+
+static const ASN1_ADB POLICYQUALINFO_adb = {
+	.flags = 0,
+	.offset = offsetof(POLICYQUALINFO, pqualid),
+	.app_items = 0,
+	.tbl = POLICYQUALINFO_adbtbl,
+	.tblcount = sizeof(POLICYQUALINFO_adbtbl) / sizeof(ASN1_ADB_TABLE),
+	.default_tt = &policydefault_tt,
+	.null_tt = NULL,
+};
+
+static const ASN1_TEMPLATE POLICYQUALINFO_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(POLICYQUALINFO, pqualid),
+		.field_name = "pqualid",
+		.item = &ASN1_OBJECT_it,
+	},
+	{
+		.flags = ASN1_TFLG_ADB_OID,
+		.tag = -1,
+		.offset = 0,
+		.field_name = "POLICYQUALINFO",
+		.item = (const ASN1_ITEM *)&POLICYQUALINFO_adb,
+	},
+};
+
+const ASN1_ITEM POLICYQUALINFO_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = POLICYQUALINFO_seq_tt,
+	.tcount = sizeof(POLICYQUALINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(POLICYQUALINFO),
+	.sname = "POLICYQUALINFO",
+};
+
+
+POLICYQUALINFO *
+d2i_POLICYQUALINFO(POLICYQUALINFO **a, const unsigned char **in, long len)
+{
+	return (POLICYQUALINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &POLICYQUALINFO_it);
+}
+
+int
+i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &POLICYQUALINFO_it);
+}
+
+POLICYQUALINFO *
+POLICYQUALINFO_new(void)
+{
+	return (POLICYQUALINFO *)ASN1_item_new(&POLICYQUALINFO_it);
+}
+
+void
+POLICYQUALINFO_free(POLICYQUALINFO *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &POLICYQUALINFO_it);
+}
+
+static const ASN1_TEMPLATE USERNOTICE_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(USERNOTICE, noticeref),
+		.field_name = "noticeref",
+		.item = &NOTICEREF_it,
+	},
+	{
+		.flags = ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(USERNOTICE, exptext),
+		.field_name = "exptext",
+		.item = &DISPLAYTEXT_it,
+	},
+};
+
+const ASN1_ITEM USERNOTICE_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = USERNOTICE_seq_tt,
+	.tcount = sizeof(USERNOTICE_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(USERNOTICE),
+	.sname = "USERNOTICE",
+};
+
+
+USERNOTICE *
+d2i_USERNOTICE(USERNOTICE **a, const unsigned char **in, long len)
+{
+	return (USERNOTICE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &USERNOTICE_it);
+}
+
+int
+i2d_USERNOTICE(USERNOTICE *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &USERNOTICE_it);
+}
+
+USERNOTICE *
+USERNOTICE_new(void)
+{
+	return (USERNOTICE *)ASN1_item_new(&USERNOTICE_it);
+}
+
+void
+USERNOTICE_free(USERNOTICE *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &USERNOTICE_it);
+}
+
+static const ASN1_TEMPLATE NOTICEREF_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(NOTICEREF, organization),
+		.field_name = "organization",
+		.item = &DISPLAYTEXT_it,
+	},
+	{
+		.flags = ASN1_TFLG_SEQUENCE_OF,
+		.tag = 0,
+		.offset = offsetof(NOTICEREF, noticenos),
+		.field_name = "noticenos",
+		.item = &ASN1_INTEGER_it,
+	},
+};
+
+const ASN1_ITEM NOTICEREF_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = NOTICEREF_seq_tt,
+	.tcount = sizeof(NOTICEREF_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(NOTICEREF),
+	.sname = "NOTICEREF",
+};
+
+
+NOTICEREF *
+d2i_NOTICEREF(NOTICEREF **a, const unsigned char **in, long len)
+{
+	return (NOTICEREF *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &NOTICEREF_it);
+}
+
+int
+i2d_NOTICEREF(NOTICEREF *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &NOTICEREF_it);
+}
+
+NOTICEREF *
+NOTICEREF_new(void)
+{
+	return (NOTICEREF *)ASN1_item_new(&NOTICEREF_it);
+}
+
+void
+NOTICEREF_free(NOTICEREF *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &NOTICEREF_it);
+}
+
+static STACK_OF(POLICYINFO) *
+r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
+{
+	STACK_OF(POLICYINFO) *pols = NULL;
+	char *pstr;
+	POLICYINFO *pol;
+	ASN1_OBJECT *pobj;
+	STACK_OF(CONF_VALUE) *vals;
+	CONF_VALUE *cnf;
+	int i, ia5org;
+
+	pols = sk_POLICYINFO_new_null();
+	if (pols == NULL) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	vals = X509V3_parse_list(value);
+	if (vals == NULL) {
+		X509V3error(ERR_R_X509V3_LIB);
+		goto err;
+	}
+	ia5org = 0;
+	for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
+		cnf = sk_CONF_VALUE_value(vals, i);
+		if (cnf->value || !cnf->name) {
+			X509V3error(X509V3_R_INVALID_POLICY_IDENTIFIER);
+			X509V3_conf_err(cnf);
+			goto err;
+		}
+		pstr = cnf->name;
+		if (!strcmp(pstr, "ia5org")) {
+			ia5org = 1;
+			continue;
+		} else if (*pstr == '@') {
+			STACK_OF(CONF_VALUE) *polsect;
+			polsect = X509V3_get_section(ctx, pstr + 1);
+			if (!polsect) {
+				X509V3error(X509V3_R_INVALID_SECTION);
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+			pol = policy_section(ctx, polsect, ia5org);
+			X509V3_section_free(ctx, polsect);
+			if (!pol)
+				goto err;
+		} else {
+			if (!(pobj = OBJ_txt2obj(cnf->name, 0))) {
+				X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+			pol = POLICYINFO_new();
+			pol->policyid = pobj;
+		}
+		if (!sk_POLICYINFO_push(pols, pol)){
+			POLICYINFO_free(pol);
+			X509V3error(ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+	}
+	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
+	return pols;
+
+err:
+	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
+	sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
+	return NULL;
+}
+
+static POLICYINFO *
+policy_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *polstrs, int ia5org)
+{
+	int i;
+	CONF_VALUE *cnf;
+	POLICYINFO *pol;
+	POLICYQUALINFO *nqual = NULL;
+
+	if ((pol = POLICYINFO_new()) == NULL)
+		goto merr;
+	for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
+		cnf = sk_CONF_VALUE_value(polstrs, i);
+		if (strcmp(cnf->name, "policyIdentifier") == 0) {
+			ASN1_OBJECT *pobj;
+
+			if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) {
+				X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+			pol->policyid = pobj;
+		} else if (name_cmp(cnf->name, "CPS") == 0) {
+			if ((nqual = POLICYQUALINFO_new()) == NULL)
+				goto merr;
+			nqual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
+			nqual->d.cpsuri = ASN1_IA5STRING_new();
+			if (nqual->d.cpsuri == NULL)
+				goto merr;
+			if (ASN1_STRING_set(nqual->d.cpsuri, cnf->value,
+			    strlen(cnf->value)) == 0)
+				goto merr;
+
+			if (pol->qualifiers == NULL) {
+				pol->qualifiers = sk_POLICYQUALINFO_new_null();
+				if (pol->qualifiers == NULL)
+					goto merr;
+			}
+			if (sk_POLICYQUALINFO_push(pol->qualifiers, nqual) == 0)
+				goto merr;
+			nqual = NULL;
+		} else if (name_cmp(cnf->name, "userNotice") == 0) {
+			STACK_OF(CONF_VALUE) *unot;
+			POLICYQUALINFO *qual;
+
+			if (*cnf->value != '@') {
+				X509V3error(X509V3_R_EXPECTED_A_SECTION_NAME);
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+			unot = X509V3_get_section(ctx, cnf->value + 1);
+			if (unot == NULL) {
+				X509V3error(X509V3_R_INVALID_SECTION);
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+			qual = notice_section(ctx, unot, ia5org);
+			X509V3_section_free(ctx, unot);
+			if (qual == NULL)
+				goto err;
+
+			if (pol->qualifiers == NULL) {
+				pol->qualifiers = sk_POLICYQUALINFO_new_null();
+				if (pol->qualifiers == NULL)
+					goto merr;
+			}
+			if (sk_POLICYQUALINFO_push(pol->qualifiers, qual) == 0)
+				goto merr;
+		} else {
+			X509V3error(X509V3_R_INVALID_OPTION);
+			X509V3_conf_err(cnf);
+			goto err;
+		}
+	}
+	if (pol->policyid == NULL) {
+		X509V3error(X509V3_R_NO_POLICY_IDENTIFIER);
+		goto err;
+	}
+
+	return pol;
+
+merr:
+	X509V3error(ERR_R_MALLOC_FAILURE);
+
+err:
+	POLICYQUALINFO_free(nqual);
+	POLICYINFO_free(pol);
+	return NULL;
+}
+
+static POLICYQUALINFO *
+notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org)
+{
+	int i, ret;
+	CONF_VALUE *cnf;
+	USERNOTICE *not;
+	POLICYQUALINFO *qual;
+
+	if (!(qual = POLICYQUALINFO_new()))
+		goto merr;
+	qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
+	if (!(not = USERNOTICE_new()))
+		goto merr;
+	qual->d.usernotice = not;
+	for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
+		cnf = sk_CONF_VALUE_value(unot, i);
+		if (!strcmp(cnf->name, "explicitText")) {
+			if (not->exptext == NULL) {
+				not->exptext = ASN1_VISIBLESTRING_new();
+				if (not->exptext == NULL)
+					goto merr;
+			}
+			if (!ASN1_STRING_set(not->exptext, cnf->value,
+			    strlen(cnf->value)))
+				goto merr;
+		} else if (!strcmp(cnf->name, "organization")) {
+			NOTICEREF *nref;
+			if (!not->noticeref) {
+				if (!(nref = NOTICEREF_new()))
+					goto merr;
+				not->noticeref = nref;
+			} else
+				nref = not->noticeref;
+			if (ia5org)
+				nref->organization->type = V_ASN1_IA5STRING;
+			else
+				nref->organization->type = V_ASN1_VISIBLESTRING;
+			if (!ASN1_STRING_set(nref->organization, cnf->value,
+			    strlen(cnf->value)))
+				goto merr;
+		} else if (!strcmp(cnf->name, "noticeNumbers")) {
+			NOTICEREF *nref;
+			STACK_OF(CONF_VALUE) *nos;
+			if (!not->noticeref) {
+				if (!(nref = NOTICEREF_new()))
+					goto merr;
+				not->noticeref = nref;
+			} else
+				nref = not->noticeref;
+			nos = X509V3_parse_list(cnf->value);
+			if (!nos || !sk_CONF_VALUE_num(nos)) {
+				X509V3error(X509V3_R_INVALID_NUMBERS);
+				X509V3_conf_err(cnf);
+				if (nos != NULL)
+					sk_CONF_VALUE_pop_free(nos,
+					    X509V3_conf_free);
+				goto err;
+			}
+			ret = nref_nos(nref->noticenos, nos);
+			sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
+			if (!ret)
+				goto err;
+		} else {
+			X509V3error(X509V3_R_INVALID_OPTION);
+			X509V3_conf_err(cnf);
+			goto err;
+		}
+	}
+
+	if (not->noticeref &&
+	    (!not->noticeref->noticenos || !not->noticeref->organization)) {
+		X509V3error(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
+		goto err;
+	}
+
+	return qual;
+
+merr:
+	X509V3error(ERR_R_MALLOC_FAILURE);
+
+err:
+	POLICYQUALINFO_free(qual);
+	return NULL;
+}
+
+static int
+nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
+{
+	CONF_VALUE *cnf;
+	ASN1_INTEGER *aint;
+	int i;
+
+	for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
+		cnf = sk_CONF_VALUE_value(nos, i);
+		if (!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
+			X509V3error(X509V3_R_INVALID_NUMBER);
+			goto err;
+		}
+		if (!sk_ASN1_INTEGER_push(nnums, aint))
+			goto merr;
+	}
+	return 1;
+
+merr:
+	X509V3error(ERR_R_MALLOC_FAILURE);
+
+err:
+	sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
+	return 0;
+}
+
+static int
+i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out,
+    int indent)
+{
+	int i;
+	POLICYINFO *pinfo;
+
+	/* First print out the policy OIDs */
+	for (i = 0; i < sk_POLICYINFO_num(pol); i++) {
+		pinfo = sk_POLICYINFO_value(pol, i);
+		BIO_printf(out, "%*sPolicy: ", indent, "");
+		i2a_ASN1_OBJECT(out, pinfo->policyid);
+		BIO_puts(out, "\n");
+		if (pinfo->qualifiers)
+			print_qualifiers(out, pinfo->qualifiers, indent + 2);
+	}
+	return 1;
+}
+
+static void
+print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent)
+{
+	POLICYQUALINFO *qualinfo;
+	int i;
+
+	for (i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
+		qualinfo = sk_POLICYQUALINFO_value(quals, i);
+		switch (OBJ_obj2nid(qualinfo->pqualid)) {
+		case NID_id_qt_cps:
+			BIO_printf(out, "%*sCPS: %s\n", indent, "",
+			    qualinfo->d.cpsuri->data);
+			break;
+
+		case NID_id_qt_unotice:
+			BIO_printf(out, "%*sUser Notice:\n", indent, "");
+			print_notice(out, qualinfo->d.usernotice, indent + 2);
+			break;
+
+		default:
+			BIO_printf(out, "%*sUnknown Qualifier: ",
+			    indent + 2, "");
+
+			i2a_ASN1_OBJECT(out, qualinfo->pqualid);
+			BIO_puts(out, "\n");
+			break;
+		}
+	}
+}
+
+static void
+print_notice(BIO *out, USERNOTICE *notice, int indent)
+{
+	int i;
+
+	if (notice->noticeref) {
+		NOTICEREF *ref;
+		ref = notice->noticeref;
+		BIO_printf(out, "%*sOrganization: %s\n", indent, "",
+		    ref->organization->data);
+		BIO_printf(out, "%*sNumber%s: ", indent, "",
+		    sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
+		for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
+			ASN1_INTEGER *num;
+			char *tmp;
+			num = sk_ASN1_INTEGER_value(ref->noticenos, i);
+			if (i)
+				BIO_puts(out, ", ");
+			tmp = i2s_ASN1_INTEGER(NULL, num);
+			BIO_puts(out, tmp);
+			free(tmp);
+		}
+		BIO_puts(out, "\n");
+	}
+	if (notice->exptext)
+		BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
+		    notice->exptext->data);
+}
+
+void
+X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
+{
+	const X509_POLICY_DATA *dat = node->data;
+
+	BIO_printf(out, "%*sPolicy: ", indent, "");
+
+	i2a_ASN1_OBJECT(out, dat->valid_policy);
+	BIO_puts(out, "\n");
+	BIO_printf(out, "%*s%s\n", indent + 2, "",
+	    node_data_critical(dat) ? "Critical" : "Non Critical");
+	if (dat->qualifier_set)
+		print_qualifiers(out, dat->qualifier_set, indent + 2);
+	else
+		BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
+}
diff --git a/src/lib/libcrypto/x509/x509_crld.c b/src/lib/libcrypto/x509/x509_crld.c
new file mode 100644
index 0000000000..ff60a880fa
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_crld.c
@@ -0,0 +1,809 @@
+/* $OpenBSD: x509_crld.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+static void *v2i_crld(const X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
+    int indent);
+
+const X509V3_EXT_METHOD v3_crld = {
+	.ext_nid = NID_crl_distribution_points,
+	.ext_flags = 0,
+	.it = &CRL_DIST_POINTS_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = v2i_crld,
+	.i2r = i2r_crldp,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD v3_freshest_crl = {
+	.ext_nid = NID_freshest_crl,
+	.ext_flags = 0,
+	.it = &CRL_DIST_POINTS_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = v2i_crld,
+	.i2r = i2r_crldp,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+static STACK_OF(GENERAL_NAME) *
+gnames_from_sectname(X509V3_CTX *ctx, char *sect)
+{
+	STACK_OF(CONF_VALUE) *gnsect;
+	STACK_OF(GENERAL_NAME) *gens;
+
+	if (*sect == '@')
+		gnsect = X509V3_get_section(ctx, sect + 1);
+	else
+		gnsect = X509V3_parse_list(sect);
+	if (!gnsect) {
+		X509V3error(X509V3_R_SECTION_NOT_FOUND);
+		return NULL;
+	}
+	gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
+	if (*sect == '@')
+		X509V3_section_free(ctx, gnsect);
+	else
+		sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
+	return gens;
+}
+
+static int
+set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx, CONF_VALUE *cnf)
+{
+	STACK_OF(GENERAL_NAME) *fnm = NULL;
+	STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
+
+	if (!strncmp(cnf->name, "fullname", 9)) {
+		fnm = gnames_from_sectname(ctx, cnf->value);
+		if (!fnm)
+			goto err;
+	} else if (!strcmp(cnf->name, "relativename")) {
+		int ret;
+		STACK_OF(CONF_VALUE) *dnsect;
+		X509_NAME *nm;
+		nm = X509_NAME_new();
+		if (!nm)
+			return -1;
+		dnsect = X509V3_get_section(ctx, cnf->value);
+		if (!dnsect) {
+			X509V3error(X509V3_R_SECTION_NOT_FOUND);
+			X509_NAME_free(nm);
+			return -1;
+		}
+		ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
+		X509V3_section_free(ctx, dnsect);
+		rnm = nm->entries;
+		nm->entries = NULL;
+		X509_NAME_free(nm);
+		if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
+			goto err;
+		/* Since its a name fragment can't have more than one
+		 * RDNSequence
+		 */
+		if (sk_X509_NAME_ENTRY_value(rnm,
+		    sk_X509_NAME_ENTRY_num(rnm) - 1)->set) {
+			X509V3error(X509V3_R_INVALID_MULTIPLE_RDNS);
+			goto err;
+		}
+	} else
+		return 0;
+
+	if (*pdp) {
+		X509V3error(X509V3_R_DISTPOINT_ALREADY_SET);
+		goto err;
+	}
+
+	*pdp = DIST_POINT_NAME_new();
+	if (!*pdp)
+		goto err;
+	if (fnm) {
+		(*pdp)->type = 0;
+		(*pdp)->name.fullname = fnm;
+	} else {
+		(*pdp)->type = 1;
+		(*pdp)->name.relativename = rnm;
+	}
+
+	return 1;
+
+err:
+	sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
+	sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
+	return -1;
+}
+
+static const BIT_STRING_BITNAME reason_flags[] = {
+	{0, "Unused", "unused"},
+	{1, "Key Compromise", "keyCompromise"},
+	{2, "CA Compromise", "CACompromise"},
+	{3, "Affiliation Changed", "affiliationChanged"},
+	{4, "Superseded", "superseded"},
+	{5, "Cessation Of Operation", "cessationOfOperation"},
+	{6, "Certificate Hold", "certificateHold"},
+	{7, "Privilege Withdrawn", "privilegeWithdrawn"},
+	{8, "AA Compromise", "AACompromise"},
+	{-1, NULL, NULL}
+};
+
+static int
+set_reasons(ASN1_BIT_STRING **preas, char *value)
+{
+	STACK_OF(CONF_VALUE) *rsk = NULL;
+	const BIT_STRING_BITNAME *pbn;
+	const char *bnam;
+	int i, ret = 0;
+
+	if (*preas != NULL)
+		return 0;
+	rsk = X509V3_parse_list(value);
+	if (rsk == NULL)
+		return 0;
+	for (i = 0; i < sk_CONF_VALUE_num(rsk); i++) {
+		bnam = sk_CONF_VALUE_value(rsk, i)->name;
+		if (!*preas) {
+			*preas = ASN1_BIT_STRING_new();
+			if (!*preas)
+				goto err;
+		}
+		for (pbn = reason_flags; pbn->lname; pbn++) {
+			if (!strcmp(pbn->sname, bnam)) {
+				if (!ASN1_BIT_STRING_set_bit(*preas,
+				    pbn->bitnum, 1))
+					goto err;
+				break;
+			}
+		}
+		if (!pbn->lname)
+			goto err;
+	}
+	ret = 1;
+
+err:
+	sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
+	return ret;
+}
+
+static int
+print_reasons(BIO *out, const char *rname, ASN1_BIT_STRING *rflags, int indent)
+{
+	int first = 1;
+	const BIT_STRING_BITNAME *pbn;
+
+	BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
+	for (pbn = reason_flags; pbn->lname; pbn++) {
+		if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum)) {
+			if (first)
+				first = 0;
+			else
+				BIO_puts(out, ", ");
+			BIO_puts(out, pbn->lname);
+		}
+	}
+	if (first)
+		BIO_puts(out, "<EMPTY>\n");
+	else
+		BIO_puts(out, "\n");
+	return 1;
+}
+
+static DIST_POINT *
+crldp_from_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
+{
+	int i;
+	CONF_VALUE *cnf;
+	DIST_POINT *point = NULL;
+
+	point = DIST_POINT_new();
+	if (!point)
+		goto err;
+	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		int ret;
+		cnf = sk_CONF_VALUE_value(nval, i);
+		ret = set_dist_point_name(&point->distpoint, ctx, cnf);
+		if (ret > 0)
+			continue;
+		if (ret < 0)
+			goto err;
+		if (!strcmp(cnf->name, "reasons")) {
+			if (!set_reasons(&point->reasons, cnf->value))
+				goto err;
+		}
+		else if (!strcmp(cnf->name, "CRLissuer")) {
+			point->CRLissuer =
+			    gnames_from_sectname(ctx, cnf->value);
+			if (!point->CRLissuer)
+				goto err;
+		}
+	}
+
+	return point;
+
+err:
+	DIST_POINT_free(point);
+	return NULL;
+}
+
+static void *
+v2i_crld(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *nval)
+{
+	STACK_OF(DIST_POINT) *crld = NULL;
+	GENERAL_NAMES *gens = NULL;
+	GENERAL_NAME *gen = NULL;
+	CONF_VALUE *cnf;
+	int i;
+
+	if (!(crld = sk_DIST_POINT_new_null()))
+		goto merr;
+	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		DIST_POINT *point;
+		cnf = sk_CONF_VALUE_value(nval, i);
+		if (!cnf->value) {
+			STACK_OF(CONF_VALUE) *dpsect;
+			dpsect = X509V3_get_section(ctx, cnf->name);
+			if (!dpsect)
+				goto err;
+			point = crldp_from_section(ctx, dpsect);
+			X509V3_section_free(ctx, dpsect);
+			if (!point)
+				goto err;
+			if (!sk_DIST_POINT_push(crld, point)) {
+				DIST_POINT_free(point);
+				goto merr;
+			}
+		} else {
+			if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
+				goto err;
+			if (!(gens = GENERAL_NAMES_new()))
+				goto merr;
+			if (!sk_GENERAL_NAME_push(gens, gen))
+				goto merr;
+			gen = NULL;
+			if (!(point = DIST_POINT_new()))
+				goto merr;
+			if (!sk_DIST_POINT_push(crld, point)) {
+				DIST_POINT_free(point);
+				goto merr;
+			}
+			if (!(point->distpoint = DIST_POINT_NAME_new()))
+				goto merr;
+			point->distpoint->name.fullname = gens;
+			point->distpoint->type = 0;
+			gens = NULL;
+		}
+	}
+	return crld;
+
+merr:
+	X509V3error(ERR_R_MALLOC_FAILURE);
+err:
+	GENERAL_NAME_free(gen);
+	GENERAL_NAMES_free(gens);
+	sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
+	return NULL;
+}
+
+static int
+dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
+{
+	DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;
+
+	switch (operation) {
+	case ASN1_OP_NEW_POST:
+		dpn->dpname = NULL;
+		break;
+
+	case ASN1_OP_FREE_POST:
+		if (dpn->dpname)
+			X509_NAME_free(dpn->dpname);
+		break;
+	}
+	return 1;
+}
+
+
+static const ASN1_AUX DIST_POINT_NAME_aux = {
+	.app_data = NULL,
+	.flags = 0,
+	.ref_offset = 0,
+	.ref_lock = 0,
+	.asn1_cb = dpn_cb,
+	.enc_offset = 0,
+};
+static const ASN1_TEMPLATE DIST_POINT_NAME_ch_tt[] = {
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF,
+		.tag = 0,
+		.offset = offsetof(DIST_POINT_NAME, name.fullname),
+		.field_name = "name.fullname",
+		.item = &GENERAL_NAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF,
+		.tag = 1,
+		.offset = offsetof(DIST_POINT_NAME, name.relativename),
+		.field_name = "name.relativename",
+		.item = &X509_NAME_ENTRY_it,
+	},
+};
+
+const ASN1_ITEM DIST_POINT_NAME_it = {
+	.itype = ASN1_ITYPE_CHOICE,
+	.utype = offsetof(DIST_POINT_NAME, type),
+	.templates = DIST_POINT_NAME_ch_tt,
+	.tcount = sizeof(DIST_POINT_NAME_ch_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = &DIST_POINT_NAME_aux,
+	.size = sizeof(DIST_POINT_NAME),
+	.sname = "DIST_POINT_NAME",
+};
+
+
+
+DIST_POINT_NAME *
+d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, const unsigned char **in, long len)
+{
+	return (DIST_POINT_NAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &DIST_POINT_NAME_it);
+}
+
+int
+i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &DIST_POINT_NAME_it);
+}
+
+DIST_POINT_NAME *
+DIST_POINT_NAME_new(void)
+{
+	return (DIST_POINT_NAME *)ASN1_item_new(&DIST_POINT_NAME_it);
+}
+
+void
+DIST_POINT_NAME_free(DIST_POINT_NAME *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &DIST_POINT_NAME_it);
+}
+
+static const ASN1_TEMPLATE DIST_POINT_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(DIST_POINT, distpoint),
+		.field_name = "distpoint",
+		.item = &DIST_POINT_NAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(DIST_POINT, reasons),
+		.field_name = "reasons",
+		.item = &ASN1_BIT_STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 2,
+		.offset = offsetof(DIST_POINT, CRLissuer),
+		.field_name = "CRLissuer",
+		.item = &GENERAL_NAME_it,
+	},
+};
+
+const ASN1_ITEM DIST_POINT_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = DIST_POINT_seq_tt,
+	.tcount = sizeof(DIST_POINT_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(DIST_POINT),
+	.sname = "DIST_POINT",
+};
+
+
+DIST_POINT *
+d2i_DIST_POINT(DIST_POINT **a, const unsigned char **in, long len)
+{
+	return (DIST_POINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &DIST_POINT_it);
+}
+
+int
+i2d_DIST_POINT(DIST_POINT *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &DIST_POINT_it);
+}
+
+DIST_POINT *
+DIST_POINT_new(void)
+{
+	return (DIST_POINT *)ASN1_item_new(&DIST_POINT_it);
+}
+
+void
+DIST_POINT_free(DIST_POINT *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &DIST_POINT_it);
+}
+
+static const ASN1_TEMPLATE CRL_DIST_POINTS_item_tt = {
+	.flags = ASN1_TFLG_SEQUENCE_OF,
+	.tag = 0,
+	.offset = 0,
+	.field_name = "CRLDistributionPoints",
+	.item = &DIST_POINT_it,
+};
+
+const ASN1_ITEM CRL_DIST_POINTS_it = {
+	.itype = ASN1_ITYPE_PRIMITIVE,
+	.utype = -1,
+	.templates = &CRL_DIST_POINTS_item_tt,
+	.tcount = 0,
+	.funcs = NULL,
+	.size = 0,
+	.sname = "CRL_DIST_POINTS",
+};
+
+
+CRL_DIST_POINTS *
+d2i_CRL_DIST_POINTS(CRL_DIST_POINTS **a, const unsigned char **in, long len)
+{
+	return (CRL_DIST_POINTS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &CRL_DIST_POINTS_it);
+}
+
+int
+i2d_CRL_DIST_POINTS(CRL_DIST_POINTS *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &CRL_DIST_POINTS_it);
+}
+
+CRL_DIST_POINTS *
+CRL_DIST_POINTS_new(void)
+{
+	return (CRL_DIST_POINTS *)ASN1_item_new(&CRL_DIST_POINTS_it);
+}
+
+void
+CRL_DIST_POINTS_free(CRL_DIST_POINTS *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &CRL_DIST_POINTS_it);
+}
+
+static const ASN1_TEMPLATE ISSUING_DIST_POINT_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(ISSUING_DIST_POINT, distpoint),
+		.field_name = "distpoint",
+		.item = &DIST_POINT_NAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(ISSUING_DIST_POINT, onlyuser),
+		.field_name = "onlyuser",
+		.item = &ASN1_FBOOLEAN_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 2,
+		.offset = offsetof(ISSUING_DIST_POINT, onlyCA),
+		.field_name = "onlyCA",
+		.item = &ASN1_FBOOLEAN_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 3,
+		.offset = offsetof(ISSUING_DIST_POINT, onlysomereasons),
+		.field_name = "onlysomereasons",
+		.item = &ASN1_BIT_STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 4,
+		.offset = offsetof(ISSUING_DIST_POINT, indirectCRL),
+		.field_name = "indirectCRL",
+		.item = &ASN1_FBOOLEAN_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 5,
+		.offset = offsetof(ISSUING_DIST_POINT, onlyattr),
+		.field_name = "onlyattr",
+		.item = &ASN1_FBOOLEAN_it,
+	},
+};
+
+const ASN1_ITEM ISSUING_DIST_POINT_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = ISSUING_DIST_POINT_seq_tt,
+	.tcount = sizeof(ISSUING_DIST_POINT_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(ISSUING_DIST_POINT),
+	.sname = "ISSUING_DIST_POINT",
+};
+
+
+ISSUING_DIST_POINT *
+d2i_ISSUING_DIST_POINT(ISSUING_DIST_POINT **a, const unsigned char **in, long len)
+{
+	return (ISSUING_DIST_POINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &ISSUING_DIST_POINT_it);
+}
+
+int
+i2d_ISSUING_DIST_POINT(ISSUING_DIST_POINT *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &ISSUING_DIST_POINT_it);
+}
+
+ISSUING_DIST_POINT *
+ISSUING_DIST_POINT_new(void)
+{
+	return (ISSUING_DIST_POINT *)ASN1_item_new(&ISSUING_DIST_POINT_it);
+}
+
+void
+ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &ISSUING_DIST_POINT_it);
+}
+
+static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
+    int indent);
+static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *nval);
+
+const X509V3_EXT_METHOD v3_idp = {
+	NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
+	&ISSUING_DIST_POINT_it,
+	0, 0, 0, 0,
+	0, 0,
+	0,
+	v2i_idp,
+	i2r_idp, 0,
+	NULL
+};
+
+static void *
+v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *nval)
+{
+	ISSUING_DIST_POINT *idp = NULL;
+	CONF_VALUE *cnf;
+	char *name, *val;
+	int i, ret;
+
+	idp = ISSUING_DIST_POINT_new();
+	if (!idp)
+		goto merr;
+	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		cnf = sk_CONF_VALUE_value(nval, i);
+		name = cnf->name;
+		val = cnf->value;
+		ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
+		if (ret > 0)
+			continue;
+		if (ret < 0)
+			goto err;
+		if (!strcmp(name, "onlyuser")) {
+			if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
+				goto err;
+		}
+		else if (!strcmp(name, "onlyCA")) {
+			if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
+				goto err;
+		}
+		else if (!strcmp(name, "onlyAA")) {
+			if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
+				goto err;
+		}
+		else if (!strcmp(name, "indirectCRL")) {
+			if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
+				goto err;
+		}
+		else if (!strcmp(name, "onlysomereasons")) {
+			if (!set_reasons(&idp->onlysomereasons, val))
+				goto err;
+		} else {
+			X509V3error(X509V3_R_INVALID_NAME);
+			X509V3_conf_err(cnf);
+			goto err;
+		}
+	}
+	return idp;
+
+merr:
+	X509V3error(ERR_R_MALLOC_FAILURE);
+err:
+	ISSUING_DIST_POINT_free(idp);
+	return NULL;
+}
+
+static int
+print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
+{
+	int i;
+
+	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+		BIO_printf(out, "%*s", indent + 2, "");
+		GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
+		BIO_puts(out, "\n");
+	}
+	return 1;
+}
+
+static int
+print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
+{
+	if (dpn->type == 0) {
+		BIO_printf(out, "%*sFull Name:\n", indent, "");
+		print_gens(out, dpn->name.fullname, indent);
+	} else {
+		X509_NAME ntmp;
+		ntmp.entries = dpn->name.relativename;
+		BIO_printf(out, "%*sRelative Name:\n%*s",
+		    indent, "", indent + 2, "");
+		X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
+		BIO_puts(out, "\n");
+	}
+	return 1;
+}
+
+static int
+i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out, int indent)
+{
+	ISSUING_DIST_POINT *idp = pidp;
+
+	if (idp->distpoint)
+		print_distpoint(out, idp->distpoint, indent);
+	if (idp->onlyuser > 0)
+		BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
+	if (idp->onlyCA > 0)
+		BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
+	if (idp->indirectCRL > 0)
+		BIO_printf(out, "%*sIndirect CRL\n", indent, "");
+	if (idp->onlysomereasons)
+		print_reasons(out, "Only Some Reasons",
+	    idp->onlysomereasons, indent);
+	if (idp->onlyattr > 0)
+		BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
+	if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0) &&
+	    (idp->indirectCRL <= 0) && !idp->onlysomereasons &&
+	    (idp->onlyattr <= 0))
+		BIO_printf(out, "%*s<EMPTY>\n", indent, "");
+
+	return 1;
+}
+
+static int
+i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out, int indent)
+{
+	STACK_OF(DIST_POINT) *crld = pcrldp;
+	DIST_POINT *point;
+	int i;
+
+	for (i = 0; i < sk_DIST_POINT_num(crld); i++) {
+		BIO_puts(out, "\n");
+		point = sk_DIST_POINT_value(crld, i);
+		if (point->distpoint)
+			print_distpoint(out, point->distpoint, indent);
+		if (point->reasons)
+			print_reasons(out, "Reasons", point->reasons,
+		    indent);
+		if (point->CRLissuer) {
+			BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
+			print_gens(out, point->CRLissuer, indent);
+		}
+	}
+	return 1;
+}
+
+int
+DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
+{
+	int i;
+	STACK_OF(X509_NAME_ENTRY) *frag;
+	X509_NAME_ENTRY *ne;
+
+	if (!dpn || (dpn->type != 1))
+		return 1;
+	frag = dpn->name.relativename;
+	dpn->dpname = X509_NAME_dup(iname);
+	if (!dpn->dpname)
+		return 0;
+	for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++) {
+		ne = sk_X509_NAME_ENTRY_value(frag, i);
+		if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1)) {
+			X509_NAME_free(dpn->dpname);
+			dpn->dpname = NULL;
+			return 0;
+		}
+	}
+	/* generate cached encoding of name */
+	if (i2d_X509_NAME(dpn->dpname, NULL) < 0) {
+		X509_NAME_free(dpn->dpname);
+		dpn->dpname = NULL;
+		return 0;
+	}
+	return 1;
+}
diff --git a/src/lib/libcrypto/x509/x509_enum.c b/src/lib/libcrypto/x509/x509_enum.c
new file mode 100644
index 0000000000..f18eea535f
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_enum.c
@@ -0,0 +1,107 @@
+/* $OpenBSD: x509_enum.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <openssl/x509v3.h>
+
+static ENUMERATED_NAMES crl_reasons[] = {
+	{CRL_REASON_UNSPECIFIED, 	 "Unspecified", "unspecified"},
+	{CRL_REASON_KEY_COMPROMISE,	 "Key Compromise", "keyCompromise"},
+	{CRL_REASON_CA_COMPROMISE,	 "CA Compromise", "CACompromise"},
+	{CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"},
+	{CRL_REASON_SUPERSEDED, 	 "Superseded", "superseded"},
+		{CRL_REASON_CESSATION_OF_OPERATION,
+	"Cessation Of Operation", "cessationOfOperation"},
+	{CRL_REASON_CERTIFICATE_HOLD,	 "Certificate Hold", "certificateHold"},
+	{CRL_REASON_REMOVE_FROM_CRL,	 "Remove From CRL", "removeFromCRL"},
+	{CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"},
+	{CRL_REASON_AA_COMPROMISE,	 "AA Compromise", "AACompromise"},
+	{-1, NULL, NULL}
+};
+
+const X509V3_EXT_METHOD v3_crl_reason = {
+	.ext_nid = NID_crl_reason,
+	.ext_flags = 0,
+	.it = &ASN1_ENUMERATED_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = crl_reasons,
+};
+
+char *
+i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *e)
+{
+	ENUMERATED_NAMES *enam;
+	long strval;
+
+	strval = ASN1_ENUMERATED_get(e);
+	for (enam = method->usr_data; enam->lname; enam++) {
+		if (strval == enam->bitnum)
+			return strdup(enam->lname);
+	}
+	return i2s_ASN1_ENUMERATED(method, e);
+}
diff --git a/src/lib/libcrypto/x509/x509_extku.c b/src/lib/libcrypto/x509/x509_extku.c
new file mode 100644
index 0000000000..09bec675ac
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_extku.c
@@ -0,0 +1,217 @@
+/* $OpenBSD: x509_extku.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(
+    const X509V3_EXT_METHOD *method, void *eku, STACK_OF(CONF_VALUE) *extlist);
+
+const X509V3_EXT_METHOD v3_ext_ku = {
+	.ext_nid = NID_ext_key_usage,
+	.ext_flags = 0,
+	.it = &EXTENDED_KEY_USAGE_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = i2v_EXTENDED_KEY_USAGE,
+	.v2i = v2i_EXTENDED_KEY_USAGE,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
+const X509V3_EXT_METHOD v3_ocsp_accresp = {
+	.ext_nid = NID_id_pkix_OCSP_acceptableResponses,
+	.ext_flags = 0,
+	.it = &EXTENDED_KEY_USAGE_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = i2v_EXTENDED_KEY_USAGE,
+	.v2i = v2i_EXTENDED_KEY_USAGE,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+static const ASN1_TEMPLATE EXTENDED_KEY_USAGE_item_tt = {
+	.flags = ASN1_TFLG_SEQUENCE_OF,
+	.tag = 0,
+	.offset = 0,
+	.field_name = "EXTENDED_KEY_USAGE",
+	.item = &ASN1_OBJECT_it,
+};
+
+const ASN1_ITEM EXTENDED_KEY_USAGE_it = {
+	.itype = ASN1_ITYPE_PRIMITIVE,
+	.utype = -1,
+	.templates = &EXTENDED_KEY_USAGE_item_tt,
+	.tcount = 0,
+	.funcs = NULL,
+	.size = 0,
+	.sname = "EXTENDED_KEY_USAGE",
+};
+
+
+EXTENDED_KEY_USAGE *
+d2i_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE **a, const unsigned char **in, long len)
+{
+	return (EXTENDED_KEY_USAGE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &EXTENDED_KEY_USAGE_it);
+}
+
+int
+i2d_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &EXTENDED_KEY_USAGE_it);
+}
+
+EXTENDED_KEY_USAGE *
+EXTENDED_KEY_USAGE_new(void)
+{
+	return (EXTENDED_KEY_USAGE *)ASN1_item_new(&EXTENDED_KEY_USAGE_it);
+}
+
+void
+EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &EXTENDED_KEY_USAGE_it);
+}
+
+static STACK_OF(CONF_VALUE) *
+i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a,
+    STACK_OF(CONF_VALUE) *extlist)
+{
+	ASN1_OBJECT *obj;
+	EXTENDED_KEY_USAGE *eku = a;
+	STACK_OF(CONF_VALUE) *free_extlist = NULL;
+	char obj_tmp[80];
+	int i;
+
+	if (extlist == NULL) {
+		if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
+			return NULL;
+	}
+
+	for (i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
+		if ((obj = sk_ASN1_OBJECT_value(eku, i)) == NULL)
+			goto err;
+		if (!i2t_ASN1_OBJECT(obj_tmp, sizeof obj_tmp, obj))
+			goto err;
+		if (!X509V3_add_value(NULL, obj_tmp, &extlist))
+			goto err;
+	}
+
+	return extlist;
+
+ err:
+	sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
+
+	return NULL;
+}
+
+static void *
+v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *nval)
+{
+	EXTENDED_KEY_USAGE *extku;
+	char *extval;
+	ASN1_OBJECT *objtmp;
+	CONF_VALUE *val;
+	int i;
+
+	if (!(extku = sk_ASN1_OBJECT_new_null())) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		val = sk_CONF_VALUE_value(nval, i);
+		if (val->value)
+			extval = val->value;
+		else
+			extval = val->name;
+		if (!(objtmp = OBJ_txt2obj(extval, 0))) {
+			sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
+			X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
+			X509V3_conf_err(val);
+			return NULL;
+		}
+		if (sk_ASN1_OBJECT_push(extku, objtmp) == 0) {
+			ASN1_OBJECT_free(objtmp);
+			sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
+			X509V3error(ERR_R_MALLOC_FAILURE);
+			return NULL;
+		}
+	}
+	return extku;
+}
diff --git a/src/lib/libcrypto/x509/x509_genn.c b/src/lib/libcrypto/x509/x509_genn.c
new file mode 100644
index 0000000000..848006acf4
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_genn.c
@@ -0,0 +1,474 @@
+/* $OpenBSD: x509_genn.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+static const ASN1_TEMPLATE OTHERNAME_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(OTHERNAME, type_id),
+		.field_name = "type_id",
+		.item = &ASN1_OBJECT_it,
+	},
+	/* Maybe have a true ANY DEFINED BY later */
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = 0,
+		.offset = offsetof(OTHERNAME, value),
+		.field_name = "value",
+		.item = &ASN1_ANY_it,
+	},
+};
+
+const ASN1_ITEM OTHERNAME_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = OTHERNAME_seq_tt,
+	.tcount = sizeof(OTHERNAME_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(OTHERNAME),
+	.sname = "OTHERNAME",
+};
+
+
+OTHERNAME *
+d2i_OTHERNAME(OTHERNAME **a, const unsigned char **in, long len)
+{
+	return (OTHERNAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &OTHERNAME_it);
+}
+
+int
+i2d_OTHERNAME(OTHERNAME *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &OTHERNAME_it);
+}
+
+OTHERNAME *
+OTHERNAME_new(void)
+{
+	return (OTHERNAME *)ASN1_item_new(&OTHERNAME_it);
+}
+
+void
+OTHERNAME_free(OTHERNAME *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &OTHERNAME_it);
+}
+
+static const ASN1_TEMPLATE EDIPARTYNAME_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(EDIPARTYNAME, nameAssigner),
+		.field_name = "nameAssigner",
+		.item = &DIRECTORYSTRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(EDIPARTYNAME, partyName),
+		.field_name = "partyName",
+		.item = &DIRECTORYSTRING_it,
+	},
+};
+
+const ASN1_ITEM EDIPARTYNAME_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = EDIPARTYNAME_seq_tt,
+	.tcount = sizeof(EDIPARTYNAME_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(EDIPARTYNAME),
+	.sname = "EDIPARTYNAME",
+};
+
+
+EDIPARTYNAME *
+d2i_EDIPARTYNAME(EDIPARTYNAME **a, const unsigned char **in, long len)
+{
+	return (EDIPARTYNAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &EDIPARTYNAME_it);
+}
+
+int
+i2d_EDIPARTYNAME(EDIPARTYNAME *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &EDIPARTYNAME_it);
+}
+
+EDIPARTYNAME *
+EDIPARTYNAME_new(void)
+{
+	return (EDIPARTYNAME *)ASN1_item_new(&EDIPARTYNAME_it);
+}
+
+void
+EDIPARTYNAME_free(EDIPARTYNAME *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &EDIPARTYNAME_it);
+}
+
+static const ASN1_TEMPLATE GENERAL_NAME_ch_tt[] = {
+	{
+		.flags = ASN1_TFLG_IMPLICIT,
+		.tag = GEN_OTHERNAME,
+		.offset = offsetof(GENERAL_NAME, d.otherName),
+		.field_name = "d.otherName",
+		.item = &OTHERNAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT,
+		.tag = GEN_EMAIL,
+		.offset = offsetof(GENERAL_NAME, d.rfc822Name),
+		.field_name = "d.rfc822Name",
+		.item = &ASN1_IA5STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT,
+		.tag = GEN_DNS,
+		.offset = offsetof(GENERAL_NAME, d.dNSName),
+		.field_name = "d.dNSName",
+		.item = &ASN1_IA5STRING_it,
+	},
+	/* Don't decode this */
+	{
+		.flags = ASN1_TFLG_IMPLICIT,
+		.tag = GEN_X400,
+		.offset = offsetof(GENERAL_NAME, d.x400Address),
+		.field_name = "d.x400Address",
+		.item = &ASN1_SEQUENCE_it,
+	},
+	/* X509_NAME is a CHOICE type so use EXPLICIT */
+	{
+		.flags = ASN1_TFLG_EXPLICIT,
+		.tag = GEN_DIRNAME,
+		.offset = offsetof(GENERAL_NAME, d.directoryName),
+		.field_name = "d.directoryName",
+		.item = &X509_NAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT,
+		.tag = GEN_EDIPARTY,
+		.offset = offsetof(GENERAL_NAME, d.ediPartyName),
+		.field_name = "d.ediPartyName",
+		.item = &EDIPARTYNAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT,
+		.tag = GEN_URI,
+		.offset = offsetof(GENERAL_NAME, d.uniformResourceIdentifier),
+		.field_name = "d.uniformResourceIdentifier",
+		.item = &ASN1_IA5STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT,
+		.tag = GEN_IPADD,
+		.offset = offsetof(GENERAL_NAME, d.iPAddress),
+		.field_name = "d.iPAddress",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT,
+		.tag = GEN_RID,
+		.offset = offsetof(GENERAL_NAME, d.registeredID),
+		.field_name = "d.registeredID",
+		.item = &ASN1_OBJECT_it,
+	},
+};
+
+const ASN1_ITEM GENERAL_NAME_it = {
+	.itype = ASN1_ITYPE_CHOICE,
+	.utype = offsetof(GENERAL_NAME, type),
+	.templates = GENERAL_NAME_ch_tt,
+	.tcount = sizeof(GENERAL_NAME_ch_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(GENERAL_NAME),
+	.sname = "GENERAL_NAME",
+};
+
+
+GENERAL_NAME *
+d2i_GENERAL_NAME(GENERAL_NAME **a, const unsigned char **in, long len)
+{
+	return (GENERAL_NAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &GENERAL_NAME_it);
+}
+
+int
+i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &GENERAL_NAME_it);
+}
+
+GENERAL_NAME *
+GENERAL_NAME_new(void)
+{
+	return (GENERAL_NAME *)ASN1_item_new(&GENERAL_NAME_it);
+}
+
+void
+GENERAL_NAME_free(GENERAL_NAME *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &GENERAL_NAME_it);
+}
+
+static const ASN1_TEMPLATE GENERAL_NAMES_item_tt = {
+	.flags = ASN1_TFLG_SEQUENCE_OF,
+	.tag = 0,
+	.offset = 0,
+	.field_name = "GeneralNames",
+	.item = &GENERAL_NAME_it,
+};
+
+const ASN1_ITEM GENERAL_NAMES_it = {
+	.itype = ASN1_ITYPE_PRIMITIVE,
+	.utype = -1,
+	.templates = &GENERAL_NAMES_item_tt,
+	.tcount = 0,
+	.funcs = NULL,
+	.size = 0,
+	.sname = "GENERAL_NAMES",
+};
+
+
+GENERAL_NAMES *
+d2i_GENERAL_NAMES(GENERAL_NAMES **a, const unsigned char **in, long len)
+{
+	return (GENERAL_NAMES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &GENERAL_NAMES_it);
+}
+
+int
+i2d_GENERAL_NAMES(GENERAL_NAMES *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &GENERAL_NAMES_it);
+}
+
+GENERAL_NAMES *
+GENERAL_NAMES_new(void)
+{
+	return (GENERAL_NAMES *)ASN1_item_new(&GENERAL_NAMES_it);
+}
+
+void
+GENERAL_NAMES_free(GENERAL_NAMES *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &GENERAL_NAMES_it);
+}
+
+GENERAL_NAME *
+GENERAL_NAME_dup(GENERAL_NAME *a)
+{
+	return ASN1_item_dup(&GENERAL_NAME_it, a);
+}
+
+/* Returns 0 if they are equal, != 0 otherwise. */
+int
+GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
+{
+	int result = -1;
+
+	if (!a || !b || a->type != b->type)
+		return -1;
+	switch (a->type) {
+	case GEN_X400:
+	case GEN_EDIPARTY:
+		result = ASN1_TYPE_cmp(a->d.other, b->d.other);
+		break;
+
+	case GEN_OTHERNAME:
+		result = OTHERNAME_cmp(a->d.otherName, b->d.otherName);
+		break;
+
+	case GEN_EMAIL:
+	case GEN_DNS:
+	case GEN_URI:
+		result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5);
+		break;
+
+	case GEN_DIRNAME:
+		result = X509_NAME_cmp(a->d.dirn, b->d.dirn);
+		break;
+
+	case GEN_IPADD:
+		result = ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip);
+		break;
+
+	case GEN_RID:
+		result = OBJ_cmp(a->d.rid, b->d.rid);
+		break;
+	}
+	return result;
+}
+
+/* Returns 0 if they are equal, != 0 otherwise. */
+int
+OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b)
+{
+	int result = -1;
+
+	if (!a || !b)
+		return -1;
+	/* Check their type first. */
+	if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0)
+		return result;
+	/* Check the value. */
+	result = ASN1_TYPE_cmp(a->value, b->value);
+	return result;
+}
+
+void
+GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
+{
+	switch (type) {
+	case GEN_X400:
+	case GEN_EDIPARTY:
+		a->d.other = value;
+		break;
+
+	case GEN_OTHERNAME:
+		a->d.otherName = value;
+		break;
+
+	case GEN_EMAIL:
+	case GEN_DNS:
+	case GEN_URI:
+		a->d.ia5 = value;
+		break;
+
+	case GEN_DIRNAME:
+		a->d.dirn = value;
+		break;
+
+	case GEN_IPADD:
+		a->d.ip = value;
+		break;
+
+	case GEN_RID:
+		a->d.rid = value;
+		break;
+	}
+	a->type = type;
+}
+
+void *
+GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype)
+{
+	if (ptype)
+		*ptype = a->type;
+	switch (a->type) {
+	case GEN_X400:
+	case GEN_EDIPARTY:
+		return a->d.other;
+
+	case GEN_OTHERNAME:
+		return a->d.otherName;
+
+	case GEN_EMAIL:
+	case GEN_DNS:
+	case GEN_URI:
+		return a->d.ia5;
+
+	case GEN_DIRNAME:
+		return a->d.dirn;
+
+	case GEN_IPADD:
+		return a->d.ip;
+
+	case GEN_RID:
+		return a->d.rid;
+
+	default:
+		return NULL;
+	}
+}
+
+int
+GENERAL_NAME_set0_othername(GENERAL_NAME *gen, ASN1_OBJECT *oid,
+    ASN1_TYPE *value)
+{
+	OTHERNAME *oth;
+
+	oth = OTHERNAME_new();
+	if (!oth)
+		return 0;
+	oth->type_id = oid;
+	oth->value = value;
+	GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth);
+	return 1;
+}
+
+int
+GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, ASN1_OBJECT **poid,
+    ASN1_TYPE **pvalue)
+{
+	if (gen->type != GEN_OTHERNAME)
+		return 0;
+	if (poid)
+		*poid = gen->d.otherName->type_id;
+	if (pvalue)
+		*pvalue = gen->d.otherName->value;
+	return 1;
+}
diff --git a/src/lib/libcrypto/x509/x509_ia5.c b/src/lib/libcrypto/x509/x509_ia5.c
new file mode 100644
index 0000000000..4113c3d3b3
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_ia5.c
@@ -0,0 +1,238 @@
+/* $OpenBSD: x509_ia5.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/asn1.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
+static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, char *str);
+
+const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
+	{
+		.ext_nid = NID_netscape_base_url,
+		.ext_flags = 0,
+		.it = &ASN1_IA5STRING_it,
+		.ext_new = NULL,
+		.ext_free = NULL,
+		.d2i = NULL,
+		.i2d = NULL,
+		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+		.i2v = NULL,
+		.v2i = NULL,
+		.i2r = NULL,
+		.r2i = NULL,
+		.usr_data = NULL,
+	},
+	{
+		.ext_nid = NID_netscape_revocation_url,
+		.ext_flags = 0,
+		.it = &ASN1_IA5STRING_it,
+		.ext_new = NULL,
+		.ext_free = NULL,
+		.d2i = NULL,
+		.i2d = NULL,
+		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+		.i2v = NULL,
+		.v2i = NULL,
+		.i2r = NULL,
+		.r2i = NULL,
+		.usr_data = NULL,
+	},
+	{
+		.ext_nid = NID_netscape_ca_revocation_url,
+		.ext_flags = 0,
+		.it = &ASN1_IA5STRING_it,
+		.ext_new = NULL,
+		.ext_free = NULL,
+		.d2i = NULL,
+		.i2d = NULL,
+		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+		.i2v = NULL,
+		.v2i = NULL,
+		.i2r = NULL,
+		.r2i = NULL,
+		.usr_data = NULL,
+	},
+	{
+		.ext_nid = NID_netscape_renewal_url,
+		.ext_flags = 0,
+		.it = &ASN1_IA5STRING_it,
+		.ext_new = NULL,
+		.ext_free = NULL,
+		.d2i = NULL,
+		.i2d = NULL,
+		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+		.i2v = NULL,
+		.v2i = NULL,
+		.i2r = NULL,
+		.r2i = NULL,
+		.usr_data = NULL,
+	},
+	{
+		.ext_nid = NID_netscape_ca_policy_url,
+		.ext_flags = 0,
+		.it = &ASN1_IA5STRING_it,
+		.ext_new = NULL,
+		.ext_free = NULL,
+		.d2i = NULL,
+		.i2d = NULL,
+		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+		.i2v = NULL,
+		.v2i = NULL,
+		.i2r = NULL,
+		.r2i = NULL,
+		.usr_data = NULL,
+	},
+	{
+		.ext_nid = NID_netscape_ssl_server_name,
+		.ext_flags = 0,
+		.it = &ASN1_IA5STRING_it,
+		.ext_new = NULL,
+		.ext_free = NULL,
+		.d2i = NULL,
+		.i2d = NULL,
+		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+		.i2v = NULL,
+		.v2i = NULL,
+		.i2r = NULL,
+		.r2i = NULL,
+		.usr_data = NULL,
+	},
+	{
+		.ext_nid = NID_netscape_comment,
+		.ext_flags = 0,
+		.it = &ASN1_IA5STRING_it,
+		.ext_new = NULL,
+		.ext_free = NULL,
+		.d2i = NULL,
+		.i2d = NULL,
+		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
+		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
+		.i2v = NULL,
+		.v2i = NULL,
+		.i2r = NULL,
+		.r2i = NULL,
+		.usr_data = NULL,
+	},
+	{
+		.ext_nid = -1,
+		.ext_flags = 0,
+		.it = NULL,
+		.ext_new = NULL,
+		.ext_free = NULL,
+		.d2i = NULL,
+		.i2d = NULL,
+		.i2s = NULL,
+		.s2i = NULL,
+		.i2v = NULL,
+		.v2i = NULL,
+		.i2r = NULL,
+		.r2i = NULL,
+		.usr_data = NULL,
+	},
+};
+
+static char *
+i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
+{
+	char *tmp;
+
+	if (!ia5 || !ia5->length)
+		return NULL;
+	if (!(tmp = malloc(ia5->length + 1))) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	memcpy(tmp, ia5->data, ia5->length);
+	tmp[ia5->length] = 0;
+	return tmp;
+}
+
+static ASN1_IA5STRING *
+s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
+{
+	ASN1_IA5STRING *ia5;
+	if (!str) {
+		X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
+		return NULL;
+	}
+	if (!(ia5 = ASN1_IA5STRING_new()))
+		goto err;
+	if (!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char*)str,
+	    strlen(str))) {
+		ASN1_IA5STRING_free(ia5);
+		goto err;
+	}
+	return ia5;
+
+err:
+	X509V3error(ERR_R_MALLOC_FAILURE);
+	return NULL;
+}
diff --git a/src/lib/libcrypto/x509/x509_info.c b/src/lib/libcrypto/x509/x509_info.c
new file mode 100644
index 0000000000..86ed6fadfa
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_info.c
@@ -0,0 +1,308 @@
+/* $OpenBSD: x509_info.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
+    X509V3_EXT_METHOD *method, AUTHORITY_INFO_ACCESS *ainfo,
+    STACK_OF(CONF_VALUE) *ret);
+static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(
+    X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+
+const X509V3_EXT_METHOD v3_info = {
+	.ext_nid = NID_info_access,
+	.ext_flags = X509V3_EXT_MULTILINE,
+	.it = &AUTHORITY_INFO_ACCESS_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = (X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
+	.v2i = (X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD v3_sinfo = {
+	.ext_nid = NID_sinfo_access,
+	.ext_flags = X509V3_EXT_MULTILINE,
+	.it = &AUTHORITY_INFO_ACCESS_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = (X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
+	.v2i = (X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+static const ASN1_TEMPLATE ACCESS_DESCRIPTION_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(ACCESS_DESCRIPTION, method),
+		.field_name = "method",
+		.item = &ASN1_OBJECT_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(ACCESS_DESCRIPTION, location),
+		.field_name = "location",
+		.item = &GENERAL_NAME_it,
+	},
+};
+
+const ASN1_ITEM ACCESS_DESCRIPTION_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = ACCESS_DESCRIPTION_seq_tt,
+	.tcount = sizeof(ACCESS_DESCRIPTION_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(ACCESS_DESCRIPTION),
+	.sname = "ACCESS_DESCRIPTION",
+};
+
+
+ACCESS_DESCRIPTION *
+d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, const unsigned char **in, long len)
+{
+	return (ACCESS_DESCRIPTION *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &ACCESS_DESCRIPTION_it);
+}
+
+int
+i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &ACCESS_DESCRIPTION_it);
+}
+
+ACCESS_DESCRIPTION *
+ACCESS_DESCRIPTION_new(void)
+{
+	return (ACCESS_DESCRIPTION *)ASN1_item_new(&ACCESS_DESCRIPTION_it);
+}
+
+void
+ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &ACCESS_DESCRIPTION_it);
+}
+
+static const ASN1_TEMPLATE AUTHORITY_INFO_ACCESS_item_tt = {
+	.flags = ASN1_TFLG_SEQUENCE_OF,
+	.tag = 0,
+	.offset = 0,
+	.field_name = "GeneralNames",
+	.item = &ACCESS_DESCRIPTION_it,
+};
+
+const ASN1_ITEM AUTHORITY_INFO_ACCESS_it = {
+	.itype = ASN1_ITYPE_PRIMITIVE,
+	.utype = -1,
+	.templates = &AUTHORITY_INFO_ACCESS_item_tt,
+	.tcount = 0,
+	.funcs = NULL,
+	.size = 0,
+	.sname = "AUTHORITY_INFO_ACCESS",
+};
+
+
+AUTHORITY_INFO_ACCESS *
+d2i_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS **a, const unsigned char **in, long len)
+{
+	return (AUTHORITY_INFO_ACCESS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &AUTHORITY_INFO_ACCESS_it);
+}
+
+int
+i2d_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &AUTHORITY_INFO_ACCESS_it);
+}
+
+AUTHORITY_INFO_ACCESS *
+AUTHORITY_INFO_ACCESS_new(void)
+{
+	return (AUTHORITY_INFO_ACCESS *)ASN1_item_new(&AUTHORITY_INFO_ACCESS_it);
+}
+
+void
+AUTHORITY_INFO_ACCESS_free(AUTHORITY_INFO_ACCESS *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &AUTHORITY_INFO_ACCESS_it);
+}
+
+static STACK_OF(CONF_VALUE) *
+i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
+    AUTHORITY_INFO_ACCESS *ainfo, STACK_OF(CONF_VALUE) *ret)
+{
+	ACCESS_DESCRIPTION *desc;
+	CONF_VALUE *vtmp;
+	STACK_OF(CONF_VALUE) *free_ret = NULL;
+	char objtmp[80], *ntmp;
+	int i;
+
+	if (ret == NULL) {
+		if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL)
+			return NULL;
+	}
+
+	for (i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) {
+		if ((desc = sk_ACCESS_DESCRIPTION_value(ainfo, i)) == NULL)
+			goto err;
+		if ((ret = i2v_GENERAL_NAME(method, desc->location,
+		    ret)) == NULL)
+			goto err;
+		if ((vtmp = sk_CONF_VALUE_value(ret, i)) == NULL)
+			goto err;
+		if (!i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method))
+			goto err;
+		if (asprintf(&ntmp, "%s - %s", objtmp, vtmp->name) == -1) {
+			ntmp = NULL;
+			X509V3error(ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		free(vtmp->name);
+		vtmp->name = ntmp;
+	}
+
+	return ret;
+
+ err:
+	sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free);
+
+	return NULL;
+}
+
+static AUTHORITY_INFO_ACCESS *
+v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *nval)
+{
+	AUTHORITY_INFO_ACCESS *ainfo = NULL;
+	CONF_VALUE *cnf, ctmp;
+	ACCESS_DESCRIPTION *acc;
+	int i, objlen;
+	char *objtmp, *ptmp;
+
+	if (!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		cnf = sk_CONF_VALUE_value(nval, i);
+		if ((acc = ACCESS_DESCRIPTION_new()) == NULL) {
+			X509V3error(ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		if (sk_ACCESS_DESCRIPTION_push(ainfo, acc) == 0) {
+			ACCESS_DESCRIPTION_free(acc);
+			X509V3error(ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		ptmp = strchr(cnf->name, ';');
+		if (!ptmp) {
+			X509V3error(X509V3_R_INVALID_SYNTAX);
+			goto err;
+		}
+		objlen = ptmp - cnf->name;
+		ctmp.name = ptmp + 1;
+		ctmp.value = cnf->value;
+		if (!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0))
+			goto err;
+		if (!(objtmp = malloc(objlen + 1))) {
+			X509V3error(ERR_R_MALLOC_FAILURE);
+			goto err;
+		}
+		strlcpy(objtmp, cnf->name, objlen + 1);
+		acc->method = OBJ_txt2obj(objtmp, 0);
+		if (!acc->method) {
+			X509V3error(X509V3_R_BAD_OBJECT);
+			ERR_asprintf_error_data("value=%s", objtmp);
+			free(objtmp);
+			goto err;
+		}
+		free(objtmp);
+	}
+	return ainfo;
+
+err:
+	sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free);
+	return NULL;
+}
+
+int
+i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION* a)
+{
+	i2a_ASN1_OBJECT(bp, a->method);
+	return 2;
+}
diff --git a/src/lib/libcrypto/x509/x509_int.c b/src/lib/libcrypto/x509/x509_int.c
new file mode 100644
index 0000000000..35c8853c13
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_int.c
@@ -0,0 +1,110 @@
+/* $OpenBSD: x509_int.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+
+#include <openssl/x509v3.h>
+
+const X509V3_EXT_METHOD v3_crl_num = {
+	.ext_nid = NID_crl_number,
+	.ext_flags = 0,
+	.it = &ASN1_INTEGER_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD v3_delta_crl = {
+	.ext_nid = NID_delta_crl,
+	.ext_flags = 0,
+	.it = &ASN1_INTEGER_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+static void *
+s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value)
+{
+	return s2i_ASN1_INTEGER(meth, value);
+}
+
+const X509V3_EXT_METHOD v3_inhibit_anyp = {
+	NID_inhibit_any_policy, 0, &ASN1_INTEGER_it,
+	0, 0, 0, 0,
+	(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
+	(X509V3_EXT_S2I)s2i_asn1_int,
+	0, 0, 0, 0,
+	NULL
+};
diff --git a/src/lib/libcrypto/x509/x509_lib.c b/src/lib/libcrypto/x509/x509_lib.c
new file mode 100644
index 0000000000..3af090fde6
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_lib.c
@@ -0,0 +1,358 @@
+/* $OpenBSD: x509_lib.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* X509 v3 extension utilities */
+
+#include <stdio.h>
+
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+#include "ext_dat.h"
+
+static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
+
+static int ext_cmp(const X509V3_EXT_METHOD * const *a,
+    const X509V3_EXT_METHOD * const *b);
+static void ext_list_free(X509V3_EXT_METHOD *ext);
+
+int
+X509V3_EXT_add(X509V3_EXT_METHOD *ext)
+{
+	if (!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	if (!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	return 1;
+}
+
+static int
+ext_cmp(const X509V3_EXT_METHOD * const *a, const X509V3_EXT_METHOD * const *b)
+{
+	return ((*a)->ext_nid - (*b)->ext_nid);
+}
+
+static int ext_cmp_BSEARCH_CMP_FN(const void *, const void *);
+static int ext_cmp(const X509V3_EXT_METHOD * const *, const X509V3_EXT_METHOD * const *);
+static const X509V3_EXT_METHOD * *OBJ_bsearch_ext(const X509V3_EXT_METHOD * *key, const X509V3_EXT_METHOD * const *base, int num);
+
+static int
+ext_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
+{
+	const X509V3_EXT_METHOD * const *a = a_;
+	const X509V3_EXT_METHOD * const *b = b_;
+	return ext_cmp(a, b);
+}
+
+static const X509V3_EXT_METHOD **
+OBJ_bsearch_ext(const X509V3_EXT_METHOD **key,
+    const X509V3_EXT_METHOD *const *base, int num)
+{
+	return (const X509V3_EXT_METHOD **)OBJ_bsearch_(key, base, num,
+	    sizeof(const X509V3_EXT_METHOD *), ext_cmp_BSEARCH_CMP_FN);
+}
+
+const X509V3_EXT_METHOD *
+X509V3_EXT_get_nid(int nid)
+{
+	X509V3_EXT_METHOD tmp;
+	const X509V3_EXT_METHOD *t = &tmp, * const *ret;
+	int idx;
+
+	if (nid < 0)
+		return NULL;
+	tmp.ext_nid = nid;
+	ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
+	if (ret)
+		return *ret;
+	if (!ext_list)
+		return NULL;
+	idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
+	if (idx == -1)
+		return NULL;
+	return sk_X509V3_EXT_METHOD_value(ext_list, idx);
+}
+
+const X509V3_EXT_METHOD *
+X509V3_EXT_get(X509_EXTENSION *ext)
+{
+	int nid;
+
+	if ((nid = OBJ_obj2nid(ext->object)) == NID_undef)
+		return NULL;
+	return X509V3_EXT_get_nid(nid);
+}
+
+int
+X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
+{
+	for (; extlist->ext_nid!=-1; extlist++)
+		if (!X509V3_EXT_add(extlist))
+			return 0;
+	return 1;
+}
+
+int
+X509V3_EXT_add_alias(int nid_to, int nid_from)
+{
+	const X509V3_EXT_METHOD *ext;
+	X509V3_EXT_METHOD *tmpext;
+
+	if (!(ext = X509V3_EXT_get_nid(nid_from))) {
+		X509V3error(X509V3_R_EXTENSION_NOT_FOUND);
+		return 0;
+	}
+	if (!(tmpext = malloc(sizeof(X509V3_EXT_METHOD)))) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return 0;
+	}
+	*tmpext = *ext;
+	tmpext->ext_nid = nid_to;
+	tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
+	return X509V3_EXT_add(tmpext);
+}
+
+void
+X509V3_EXT_cleanup(void)
+{
+	sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free);
+	ext_list = NULL;
+}
+
+static void
+ext_list_free(X509V3_EXT_METHOD *ext)
+{
+	if (ext->ext_flags & X509V3_EXT_DYNAMIC)
+		free(ext);
+}
+
+/* Legacy function: we don't need to add standard extensions
+ * any more because they are now kept in ext_dat.h.
+ */
+
+int
+X509V3_add_standard_extensions(void)
+{
+	return 1;
+}
+
+/* Return an extension internal structure */
+
+void *
+X509V3_EXT_d2i(X509_EXTENSION *ext)
+{
+	const X509V3_EXT_METHOD *method;
+	const unsigned char *p;
+
+	if (!(method = X509V3_EXT_get(ext)))
+		return NULL;
+	p = ext->value->data;
+	if (method->it)
+		return ASN1_item_d2i(NULL, &p, ext->value->length,
+		    method->it);
+	return method->d2i(NULL, &p, ext->value->length);
+}
+
+/* Get critical flag and decoded version of extension from a NID.
+ * The "idx" variable returns the last found extension and can
+ * be used to retrieve multiple extensions of the same NID.
+ * However multiple extensions with the same NID is usually
+ * due to a badly encoded certificate so if idx is NULL we
+ * choke if multiple extensions exist.
+ * The "crit" variable is set to the critical value.
+ * The return value is the decoded extension or NULL on
+ * error. The actual error can have several different causes,
+ * the value of *crit reflects the cause:
+ * >= 0, extension found but not decoded (reflects critical value).
+ * -1 extension not found.
+ * -2 extension occurs more than once.
+ */
+
+void *
+X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
+{
+	int lastpos, i;
+	X509_EXTENSION *ex, *found_ex = NULL;
+
+	if (!x) {
+		if (idx)
+			*idx = -1;
+		if (crit)
+			*crit = -1;
+		return NULL;
+	}
+	if (idx)
+		lastpos = *idx + 1;
+	else
+		lastpos = 0;
+	if (lastpos < 0)
+		lastpos = 0;
+	for (i = lastpos; i < sk_X509_EXTENSION_num(x); i++) {
+		ex = sk_X509_EXTENSION_value(x, i);
+		if (OBJ_obj2nid(ex->object) == nid) {
+			if (idx) {
+				*idx = i;
+				found_ex = ex;
+				break;
+			} else if (found_ex) {
+				/* Found more than one */
+				if (crit)
+					*crit = -2;
+				return NULL;
+			}
+			found_ex = ex;
+		}
+	}
+	if (found_ex) {
+		/* Found it */
+		if (crit)
+			*crit = X509_EXTENSION_get_critical(found_ex);
+		return X509V3_EXT_d2i(found_ex);
+	}
+
+	/* Extension not found */
+	if (idx)
+		*idx = -1;
+	if (crit)
+		*crit = -1;
+	return NULL;
+}
+
+/* This function is a general extension append, replace and delete utility.
+ * The precise operation is governed by the 'flags' value. The 'crit' and
+ * 'value' arguments (if relevant) are the extensions internal structure.
+ */
+
+int
+X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
+    int crit, unsigned long flags)
+{
+	int extidx = -1;
+	int errcode;
+	X509_EXTENSION *ext, *extmp;
+	unsigned long ext_op = flags & X509V3_ADD_OP_MASK;
+
+	/* If appending we don't care if it exists, otherwise
+	 * look for existing extension.
+	 */
+	if (ext_op != X509V3_ADD_APPEND)
+		extidx = X509v3_get_ext_by_NID(*x, nid, -1);
+
+	/* See if extension exists */
+	if (extidx >= 0) {
+		/* If keep existing, nothing to do */
+		if (ext_op == X509V3_ADD_KEEP_EXISTING)
+			return 1;
+		/* If default then its an error */
+		if (ext_op == X509V3_ADD_DEFAULT) {
+			errcode = X509V3_R_EXTENSION_EXISTS;
+			goto err;
+		}
+		/* If delete, just delete it */
+		if (ext_op == X509V3_ADD_DELETE) {
+			if (!sk_X509_EXTENSION_delete(*x, extidx))
+				return -1;
+			return 1;
+		}
+	} else {
+		/* If replace existing or delete, error since
+		 * extension must exist
+		 */
+		if ((ext_op == X509V3_ADD_REPLACE_EXISTING) ||
+		    (ext_op == X509V3_ADD_DELETE)) {
+			errcode = X509V3_R_EXTENSION_NOT_FOUND;
+			goto err;
+		}
+	}
+
+	/* If we get this far then we have to create an extension:
+	 * could have some flags for alternative encoding schemes...
+	 */
+
+	ext = X509V3_EXT_i2d(nid, crit, value);
+
+	if (!ext) {
+		X509V3error(X509V3_R_ERROR_CREATING_EXTENSION);
+		return 0;
+	}
+
+	/* If extension exists replace it.. */
+	if (extidx >= 0) {
+		extmp = sk_X509_EXTENSION_value(*x, extidx);
+		X509_EXTENSION_free(extmp);
+		if (!sk_X509_EXTENSION_set(*x, extidx, ext))
+			return -1;
+		return 1;
+	}
+
+	if (!*x && !(*x = sk_X509_EXTENSION_new_null()))
+		return -1;
+	if (!sk_X509_EXTENSION_push(*x, ext))
+		return -1;
+
+	return 1;
+
+err:
+	if (!(flags & X509V3_ADD_SILENT))
+		X509V3error(errcode);
+	return 0;
+}
diff --git a/src/lib/libcrypto/x509/x509_ncons.c b/src/lib/libcrypto/x509/x509_ncons.c
new file mode 100644
index 0000000000..86b54513c7
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_ncons.c
@@ -0,0 +1,556 @@
+/* $OpenBSD: x509_ncons.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
+    void *a, BIO *bp, int ind);
+static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
+    STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, char *name);
+static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
+
+static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
+static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
+static int nc_dn(X509_NAME *sub, X509_NAME *nm);
+static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
+static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
+static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
+
+const X509V3_EXT_METHOD v3_name_constraints = {
+	.ext_nid = NID_name_constraints,
+	.ext_flags = 0,
+	.it = &NAME_CONSTRAINTS_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = v2i_NAME_CONSTRAINTS,
+	.i2r = i2r_NAME_CONSTRAINTS,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+static const ASN1_TEMPLATE GENERAL_SUBTREE_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(GENERAL_SUBTREE, base),
+		.field_name = "base",
+		.item = &GENERAL_NAME_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(GENERAL_SUBTREE, minimum),
+		.field_name = "minimum",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(GENERAL_SUBTREE, maximum),
+		.field_name = "maximum",
+		.item = &ASN1_INTEGER_it,
+	},
+};
+
+const ASN1_ITEM GENERAL_SUBTREE_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = GENERAL_SUBTREE_seq_tt,
+	.tcount = sizeof(GENERAL_SUBTREE_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(GENERAL_SUBTREE),
+	.sname = "GENERAL_SUBTREE",
+};
+
+static const ASN1_TEMPLATE NAME_CONSTRAINTS_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(NAME_CONSTRAINTS, permittedSubtrees),
+		.field_name = "permittedSubtrees",
+		.item = &GENERAL_SUBTREE_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(NAME_CONSTRAINTS, excludedSubtrees),
+		.field_name = "excludedSubtrees",
+		.item = &GENERAL_SUBTREE_it,
+	},
+};
+
+const ASN1_ITEM NAME_CONSTRAINTS_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = NAME_CONSTRAINTS_seq_tt,
+	.tcount = sizeof(NAME_CONSTRAINTS_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(NAME_CONSTRAINTS),
+	.sname = "NAME_CONSTRAINTS",
+};
+
+
+GENERAL_SUBTREE *
+GENERAL_SUBTREE_new(void)
+{
+	return (GENERAL_SUBTREE*)ASN1_item_new(&GENERAL_SUBTREE_it);
+}
+
+void
+GENERAL_SUBTREE_free(GENERAL_SUBTREE *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &GENERAL_SUBTREE_it);
+}
+
+NAME_CONSTRAINTS *
+NAME_CONSTRAINTS_new(void)
+{
+	return (NAME_CONSTRAINTS*)ASN1_item_new(&NAME_CONSTRAINTS_it);
+}
+
+void
+NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &NAME_CONSTRAINTS_it);
+}
+
+static void *
+v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *nval)
+{
+	int i;
+	CONF_VALUE tval, *val;
+	STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
+	NAME_CONSTRAINTS *ncons = NULL;
+	GENERAL_SUBTREE *sub = NULL;
+
+	ncons = NAME_CONSTRAINTS_new();
+	if (!ncons)
+		goto memerr;
+	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		val = sk_CONF_VALUE_value(nval, i);
+		if (!strncmp(val->name, "permitted", 9) && val->name[9]) {
+			ptree = &ncons->permittedSubtrees;
+			tval.name = val->name + 10;
+		} else if (!strncmp(val->name, "excluded", 8) && val->name[8]) {
+			ptree = &ncons->excludedSubtrees;
+			tval.name = val->name + 9;
+		} else {
+			X509V3error(X509V3_R_INVALID_SYNTAX);
+			goto err;
+		}
+		tval.value = val->value;
+		sub = GENERAL_SUBTREE_new();
+		if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
+			goto err;
+		if (!*ptree)
+			*ptree = sk_GENERAL_SUBTREE_new_null();
+		if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
+			goto memerr;
+		sub = NULL;
+	}
+
+	return ncons;
+
+memerr:
+	X509V3error(ERR_R_MALLOC_FAILURE);
+err:
+	NAME_CONSTRAINTS_free(ncons);
+	GENERAL_SUBTREE_free(sub);
+	return NULL;
+}
+
+static int
+i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, BIO *bp, int ind)
+{
+	NAME_CONSTRAINTS *ncons = a;
+
+	do_i2r_name_constraints(method, ncons->permittedSubtrees,
+	    bp, ind, "Permitted");
+	do_i2r_name_constraints(method, ncons->excludedSubtrees,
+	    bp, ind, "Excluded");
+	return 1;
+}
+
+static int
+do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
+    STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, char *name)
+{
+	GENERAL_SUBTREE *tree;
+	int i;
+
+	if (sk_GENERAL_SUBTREE_num(trees) > 0)
+		BIO_printf(bp, "%*s%s:\n", ind, "", name);
+	for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) {
+		tree = sk_GENERAL_SUBTREE_value(trees, i);
+		BIO_printf(bp, "%*s", ind + 2, "");
+		if (tree->base->type == GEN_IPADD)
+			print_nc_ipadd(bp, tree->base->d.ip);
+		else
+			GENERAL_NAME_print(bp, tree->base);
+		BIO_puts(bp, "\n");
+	}
+	return 1;
+}
+
+static int
+print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
+{
+	int i, len;
+	unsigned char *p;
+
+	p = ip->data;
+	len = ip->length;
+	BIO_puts(bp, "IP:");
+	if (len == 8) {
+		BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
+		    p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
+	} else if (len == 32) {
+		for (i = 0; i < 16; i++) {
+			BIO_printf(bp, "%X", p[0] << 8 | p[1]);
+			p += 2;
+			if (i == 7)
+				BIO_puts(bp, "/");
+			else if (i != 15)
+				BIO_puts(bp, ":");
+		}
+	} else
+		BIO_printf(bp, "IP Address:<invalid>");
+	return 1;
+}
+
+/* Check a certificate conforms to a specified set of constraints.
+ * Return values:
+ *  X509_V_OK: All constraints obeyed.
+ *  X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
+ *  X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
+ *  X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
+ *  X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:  Unsupported constraint type.
+ *  X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
+ *  X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
+ */
+
+int
+NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
+{
+	int r, i;
+	X509_NAME *nm;
+
+	nm = X509_get_subject_name(x);
+
+	if (X509_NAME_entry_count(nm) > 0) {
+		GENERAL_NAME gntmp;
+		gntmp.type = GEN_DIRNAME;
+		gntmp.d.directoryName = nm;
+
+		r = nc_match(&gntmp, nc);
+
+		if (r != X509_V_OK)
+			return r;
+
+		gntmp.type = GEN_EMAIL;
+
+		/* Process any email address attributes in subject name */
+
+		for (i = -1;;) {
+			X509_NAME_ENTRY *ne;
+			i = X509_NAME_get_index_by_NID(nm,
+			    NID_pkcs9_emailAddress, i);
+			if (i == -1)
+				break;
+			ne = X509_NAME_get_entry(nm, i);
+			gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
+			if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
+				return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+
+			r = nc_match(&gntmp, nc);
+
+			if (r != X509_V_OK)
+				return r;
+		}
+
+	}
+
+	for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++) {
+		GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
+		r = nc_match(gen, nc);
+		if (r != X509_V_OK)
+			return r;
+	}
+
+	return X509_V_OK;
+}
+
+static int
+nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
+{
+	GENERAL_SUBTREE *sub;
+	int i, r, match = 0;
+
+	/* Permitted subtrees: if any subtrees exist of matching the type
+	 * at least one subtree must match.
+	 */
+
+	for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
+		sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
+		if (gen->type != sub->base->type)
+			continue;
+		if (sub->minimum || sub->maximum)
+			return X509_V_ERR_SUBTREE_MINMAX;
+		/* If we already have a match don't bother trying any more */
+		if (match == 2)
+			continue;
+		if (match == 0)
+			match = 1;
+		r = nc_match_single(gen, sub->base);
+		if (r == X509_V_OK)
+			match = 2;
+		else if (r != X509_V_ERR_PERMITTED_VIOLATION)
+			return r;
+	}
+
+	if (match == 1)
+		return X509_V_ERR_PERMITTED_VIOLATION;
+
+	/* Excluded subtrees: must not match any of these */
+
+	for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
+		sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
+		if (gen->type != sub->base->type)
+			continue;
+		if (sub->minimum || sub->maximum)
+			return X509_V_ERR_SUBTREE_MINMAX;
+
+		r = nc_match_single(gen, sub->base);
+		if (r == X509_V_OK)
+			return X509_V_ERR_EXCLUDED_VIOLATION;
+		else if (r != X509_V_ERR_PERMITTED_VIOLATION)
+			return r;
+
+	}
+
+	return X509_V_OK;
+}
+
+static int
+nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
+{
+	switch (base->type) {
+	case GEN_DIRNAME:
+		return nc_dn(gen->d.directoryName, base->d.directoryName);
+
+	case GEN_DNS:
+		return nc_dns(gen->d.dNSName, base->d.dNSName);
+
+	case GEN_EMAIL:
+		return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
+
+	case GEN_URI:
+		return nc_uri(gen->d.uniformResourceIdentifier,
+		    base->d.uniformResourceIdentifier);
+
+	default:
+		return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
+	}
+}
+
+/* directoryName name constraint matching.
+ * The canonical encoding of X509_NAME makes this comparison easy. It is
+ * matched if the subtree is a subset of the name.
+ */
+
+static int
+nc_dn(X509_NAME *nm, X509_NAME *base)
+{
+	/* Ensure canonical encodings are up to date.  */
+	if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
+		return X509_V_ERR_OUT_OF_MEM;
+	if (base->modified && i2d_X509_NAME(base, NULL) < 0)
+		return X509_V_ERR_OUT_OF_MEM;
+	if (base->canon_enclen > nm->canon_enclen)
+		return X509_V_ERR_PERMITTED_VIOLATION;
+	if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
+		return X509_V_ERR_PERMITTED_VIOLATION;
+	return X509_V_OK;
+}
+
+static int
+nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
+{
+	char *baseptr = (char *)base->data;
+	char *dnsptr = (char *)dns->data;
+
+	/* Empty matches everything */
+	if (!*baseptr)
+		return X509_V_OK;
+	/* Otherwise can add zero or more components on the left so
+	 * compare RHS and if dns is longer and expect '.' as preceding
+	 * character.
+	 */
+	if (dns->length > base->length) {
+		dnsptr += dns->length - base->length;
+		if (baseptr[0] != '.' && dnsptr[-1] != '.')
+			return X509_V_ERR_PERMITTED_VIOLATION;
+	}
+
+	if (strcasecmp(baseptr, dnsptr))
+		return X509_V_ERR_PERMITTED_VIOLATION;
+
+	return X509_V_OK;
+}
+
+static int
+nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
+{
+	const char *baseptr = (char *)base->data;
+	const char *emlptr = (char *)eml->data;
+	const char *baseat = strchr(baseptr, '@');
+	const char *emlat = strchr(emlptr, '@');
+
+	if (!emlat)
+		return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+	/* Special case: inital '.' is RHS match */
+	if (!baseat && (*baseptr == '.')) {
+		if (eml->length > base->length) {
+			emlptr += eml->length - base->length;
+			if (!strcasecmp(baseptr, emlptr))
+				return X509_V_OK;
+		}
+		return X509_V_ERR_PERMITTED_VIOLATION;
+	}
+
+	/* If we have anything before '@' match local part */
+
+	if (baseat) {
+		if (baseat != baseptr) {
+			if ((baseat - baseptr) != (emlat - emlptr))
+				return X509_V_ERR_PERMITTED_VIOLATION;
+			/* Case sensitive match of local part */
+			if (strncmp(baseptr, emlptr, emlat - emlptr))
+				return X509_V_ERR_PERMITTED_VIOLATION;
+		}
+		/* Position base after '@' */
+		baseptr = baseat + 1;
+	}
+	emlptr = emlat + 1;
+	/* Just have hostname left to match: case insensitive */
+	if (strcasecmp(baseptr, emlptr))
+		return X509_V_ERR_PERMITTED_VIOLATION;
+
+	return X509_V_OK;
+}
+
+static int
+nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
+{
+	const char *baseptr = (char *)base->data;
+	const char *hostptr = (char *)uri->data;
+	const char *p = strchr(hostptr, ':');
+	int hostlen;
+
+	/* Check for foo:// and skip past it */
+	if (!p || (p[1] != '/') || (p[2] != '/'))
+		return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+	hostptr = p + 3;
+
+	/* Determine length of hostname part of URI */
+
+	/* Look for a port indicator as end of hostname first */
+
+	p = strchr(hostptr, ':');
+	/* Otherwise look for trailing slash */
+	if (!p)
+		p = strchr(hostptr, '/');
+
+	if (!p)
+		hostlen = strlen(hostptr);
+	else
+		hostlen = p - hostptr;
+
+	if (hostlen == 0)
+		return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+
+	/* Special case: inital '.' is RHS match */
+	if (*baseptr == '.') {
+		if (hostlen > base->length) {
+			p = hostptr + hostlen - base->length;
+			if (!strncasecmp(p, baseptr, base->length))
+				return X509_V_OK;
+		}
+		return X509_V_ERR_PERMITTED_VIOLATION;
+	}
+
+	if ((base->length != (int)hostlen) ||
+	    strncasecmp(hostptr, baseptr, hostlen))
+		return X509_V_ERR_PERMITTED_VIOLATION;
+
+	return X509_V_OK;
+}
diff --git a/src/lib/libcrypto/x509/x509_ocsp.c b/src/lib/libcrypto/x509/x509_ocsp.c
new file mode 100644
index 0000000000..59a2e972ca
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_ocsp.c
@@ -0,0 +1,380 @@
+/* $OpenBSD: x509_ocsp.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_OCSP
+
+#include <openssl/asn1.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/ocsp.h>
+#include <openssl/x509v3.h>
+
+/* OCSP extensions and a couple of CRL entry extensions
+ */
+
+static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
+    BIO *out, int indent);
+static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
+    BIO *out, int indent);
+static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
+    int indent);
+
+static void *ocsp_nonce_new(void);
+static int i2d_ocsp_nonce(void *a, unsigned char **pp);
+static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
+static void ocsp_nonce_free(void *a);
+static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
+    BIO *out, int indent);
+
+static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
+    void *nocheck, BIO *out, int indent);
+static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    const char *str);
+static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
+    BIO *bp, int ind);
+
+const X509V3_EXT_METHOD v3_ocsp_crlid = {
+	.ext_nid = NID_id_pkix_OCSP_CrlID,
+	.ext_flags = 0,
+	.it = &OCSP_CRLID_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = i2r_ocsp_crlid,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD v3_ocsp_acutoff = {
+	.ext_nid = NID_id_pkix_OCSP_archiveCutoff,
+	.ext_flags = 0,
+	.it = &ASN1_GENERALIZEDTIME_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = i2r_ocsp_acutoff,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD v3_crl_invdate = {
+	.ext_nid = NID_invalidity_date,
+	.ext_flags = 0,
+	.it = &ASN1_GENERALIZEDTIME_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = i2r_ocsp_acutoff,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD v3_crl_hold = {
+	.ext_nid = NID_hold_instruction_code,
+	.ext_flags = 0,
+	.it = &ASN1_OBJECT_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = i2r_object,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD v3_ocsp_nonce = {
+	.ext_nid = NID_id_pkix_OCSP_Nonce,
+	.ext_flags = 0,
+	.it = NULL,
+	.ext_new = ocsp_nonce_new,
+	.ext_free = ocsp_nonce_free,
+	.d2i = d2i_ocsp_nonce,
+	.i2d = i2d_ocsp_nonce,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = i2r_ocsp_nonce,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD v3_ocsp_nocheck = {
+	.ext_nid = NID_id_pkix_OCSP_noCheck,
+	.ext_flags = 0,
+	.it = &ASN1_NULL_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = s2i_ocsp_nocheck,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = i2r_ocsp_nocheck,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
+	.ext_nid = NID_id_pkix_OCSP_serviceLocator,
+	.ext_flags = 0,
+	.it = &OCSP_SERVICELOC_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = i2r_ocsp_serviceloc,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+static int
+i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
+{
+	OCSP_CRLID *a = in;
+	if (a->crlUrl) {
+		if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0)
+			goto err;
+		if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl))
+			goto err;
+		if (BIO_write(bp, "\n", 1) <= 0)
+			goto err;
+	}
+	if (a->crlNum) {
+		if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0)
+			goto err;
+		if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0)
+			goto err;
+		if (BIO_write(bp, "\n", 1) <= 0)
+			goto err;
+	}
+	if (a->crlTime) {
+		if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0)
+			goto err;
+		if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime))
+			goto err;
+		if (BIO_write(bp, "\n", 1) <= 0)
+			goto err;
+	}
+	return 1;
+
+err:
+	return 0;
+}
+
+static int
+i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff, BIO *bp,
+    int ind)
+{
+	if (BIO_printf(bp, "%*s", ind, "") <= 0)
+		return 0;
+	if (!ASN1_GENERALIZEDTIME_print(bp, cutoff))
+		return 0;
+	return 1;
+}
+
+static int
+i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
+{
+	if (BIO_printf(bp, "%*s", ind, "") <= 0)
+		return 0;
+	if (i2a_ASN1_OBJECT(bp, oid) <= 0)
+		return 0;
+	return 1;
+}
+
+/* OCSP nonce. This is needs special treatment because it doesn't have
+ * an ASN1 encoding at all: it just contains arbitrary data.
+ */
+
+static void *
+ocsp_nonce_new(void)
+{
+	return ASN1_OCTET_STRING_new();
+}
+
+static int
+i2d_ocsp_nonce(void *a, unsigned char **pp)
+{
+	ASN1_OCTET_STRING *os = a;
+
+	if (pp) {
+		memcpy(*pp, os->data, os->length);
+		*pp += os->length;
+	}
+	return os->length;
+}
+
+static void *
+d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
+{
+	ASN1_OCTET_STRING *os, **pos;
+
+	pos = a;
+	if (pos == NULL || *pos == NULL) {
+		os = ASN1_OCTET_STRING_new();
+		if (os == NULL)
+			goto err;
+	} else
+		os = *pos;
+	if (ASN1_OCTET_STRING_set(os, *pp, length) == 0)
+		goto err;
+
+	*pp += length;
+
+	if (pos != NULL)
+		*pos = os;
+	return os;
+
+err:
+	if (pos == NULL || *pos != os)
+		ASN1_OCTET_STRING_free(os);
+	OCSPerror(ERR_R_MALLOC_FAILURE);
+	return NULL;
+}
+
+static void
+ocsp_nonce_free(void *a)
+{
+	ASN1_OCTET_STRING_free(a);
+}
+
+static int
+i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, BIO *out,
+    int indent)
+{
+	if (BIO_printf(out, "%*s", indent, "") <= 0)
+		return 0;
+	if (i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0)
+		return 0;
+	return 1;
+}
+
+/* Nocheck is just a single NULL. Don't print anything and always set it */
+
+static int
+i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck, BIO *out,
+    int indent)
+{
+	return 1;
+}
+
+static void *
+s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    const char *str)
+{
+	return ASN1_NULL_new();
+}
+
+static int
+i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
+{
+	int i;
+	OCSP_SERVICELOC *a = in;
+	ACCESS_DESCRIPTION *ad;
+
+	if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0)
+		goto err;
+	if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0)
+		goto err;
+	for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++) {
+		ad = sk_ACCESS_DESCRIPTION_value(a->locator, i);
+		if (BIO_printf(bp, "\n%*s", (2 * ind), "") <= 0)
+			goto err;
+		if (i2a_ASN1_OBJECT(bp, ad->method) <= 0)
+			goto err;
+		if (BIO_puts(bp, " - ") <= 0)
+			goto err;
+		if (GENERAL_NAME_print(bp, ad->location) <= 0)
+			goto err;
+	}
+	return 1;
+
+err:
+	return 0;
+}
+#endif
diff --git a/src/lib/libcrypto/x509/x509_pci.c b/src/lib/libcrypto/x509/x509_pci.c
new file mode 100644
index 0000000000..8997f0cec8
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_pci.c
@@ -0,0 +1,310 @@
+/* $OpenBSD: x509_pci.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* Contributed to the OpenSSL Project 2004
+ * by Richard Levitte (richard@levitte.org)
+ */
+/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
+    BIO *out, int indent);
+static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, char *str);
+
+const X509V3_EXT_METHOD v3_pci = {
+	.ext_nid = NID_proxyCertInfo,
+	.ext_flags = 0,
+	.it = &PROXY_CERT_INFO_EXTENSION_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = (X509V3_EXT_I2R)i2r_pci,
+	.r2i = (X509V3_EXT_R2I)r2i_pci,
+	.usr_data = NULL,
+};
+
+static int
+i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out,
+    int indent)
+{
+	BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
+	if (pci->pcPathLengthConstraint)
+		i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
+	else
+		BIO_printf(out, "infinite");
+	BIO_puts(out, "\n");
+	BIO_printf(out, "%*sPolicy Language: ", indent, "");
+	i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
+	BIO_puts(out, "\n");
+	if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
+		BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
+		    pci->proxyPolicy->policy->data);
+	return 1;
+}
+
+static int
+process_pci_value(CONF_VALUE *val, ASN1_OBJECT **language,
+    ASN1_INTEGER **pathlen, ASN1_OCTET_STRING **policy)
+{
+	int free_policy = 0;
+
+	if (strcmp(val->name, "language") == 0) {
+		if (*language) {
+			X509V3error(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
+			X509V3_conf_err(val);
+			return 0;
+		}
+		if (!(*language = OBJ_txt2obj(val->value, 0))) {
+			X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
+			X509V3_conf_err(val);
+			return 0;
+		}
+	}
+	else if (strcmp(val->name, "pathlen") == 0) {
+		if (*pathlen) {
+			X509V3error(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
+			X509V3_conf_err(val);
+			return 0;
+		}
+		if (!X509V3_get_value_int(val, pathlen)) {
+			X509V3error(X509V3_R_POLICY_PATH_LENGTH);
+			X509V3_conf_err(val);
+			return 0;
+		}
+	}
+	else if (strcmp(val->name, "policy") == 0) {
+		unsigned char *tmp_data = NULL;
+		long val_len;
+		if (!*policy) {
+			*policy = ASN1_OCTET_STRING_new();
+			if (!*policy) {
+				X509V3error(ERR_R_MALLOC_FAILURE);
+				X509V3_conf_err(val);
+				return 0;
+			}
+			free_policy = 1;
+		}
+		if (strncmp(val->value, "hex:", 4) == 0) {
+			unsigned char *tmp_data2 =
+			    string_to_hex(val->value + 4, &val_len);
+
+			if (!tmp_data2) {
+				X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT);
+				X509V3_conf_err(val);
+				goto err;
+			}
+
+			tmp_data = realloc((*policy)->data,
+			    (*policy)->length + val_len + 1);
+			if (tmp_data) {
+				(*policy)->data = tmp_data;
+				memcpy(&(*policy)->data[(*policy)->length],
+				    tmp_data2, val_len);
+				(*policy)->length += val_len;
+				(*policy)->data[(*policy)->length] = '\0';
+			} else {
+				free(tmp_data2);
+				free((*policy)->data);
+				(*policy)->data = NULL;
+				(*policy)->length = 0;
+				X509V3error(ERR_R_MALLOC_FAILURE);
+				X509V3_conf_err(val);
+				goto err;
+			}
+			free(tmp_data2);
+		}
+		else if (strncmp(val->value, "file:", 5) == 0) {
+			unsigned char buf[2048];
+			int n;
+			BIO *b = BIO_new_file(val->value + 5, "r");
+			if (!b) {
+				X509V3error(ERR_R_BIO_LIB);
+				X509V3_conf_err(val);
+				goto err;
+			}
+			while ((n = BIO_read(b, buf, sizeof(buf))) > 0 ||
+			    (n == 0 && BIO_should_retry(b))) {
+				if (!n)
+					continue;
+
+				tmp_data = realloc((*policy)->data,
+				    (*policy)->length + n + 1);
+
+				if (!tmp_data)
+					break;
+
+				(*policy)->data = tmp_data;
+				memcpy(&(*policy)->data[(*policy)->length],
+				    buf, n);
+				(*policy)->length += n;
+				(*policy)->data[(*policy)->length] = '\0';
+			}
+			BIO_free_all(b);
+
+			if (n < 0) {
+				X509V3error(ERR_R_BIO_LIB);
+				X509V3_conf_err(val);
+				goto err;
+			}
+		}
+		else if (strncmp(val->value, "text:", 5) == 0) {
+			val_len = strlen(val->value + 5);
+			tmp_data = realloc((*policy)->data,
+			    (*policy)->length + val_len + 1);
+			if (tmp_data) {
+				(*policy)->data = tmp_data;
+				memcpy(&(*policy)->data[(*policy)->length],
+				    val->value + 5, val_len);
+				(*policy)->length += val_len;
+				(*policy)->data[(*policy)->length] = '\0';
+			} else {
+				free((*policy)->data);
+				(*policy)->data = NULL;
+				(*policy)->length = 0;
+				X509V3error(ERR_R_MALLOC_FAILURE);
+				X509V3_conf_err(val);
+				goto err;
+			}
+		} else {
+			X509V3error(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
+			X509V3_conf_err(val);
+			goto err;
+		}
+		if (!tmp_data) {
+			X509V3error(ERR_R_MALLOC_FAILURE);
+			X509V3_conf_err(val);
+			goto err;
+		}
+	}
+	return 1;
+
+err:
+	if (free_policy) {
+		ASN1_OCTET_STRING_free(*policy);
+		*policy = NULL;
+	}
+	return 0;
+}
+
+static PROXY_CERT_INFO_EXTENSION *
+r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
+{
+	PROXY_CERT_INFO_EXTENSION *pci = NULL;
+	STACK_OF(CONF_VALUE) *vals;
+	ASN1_OBJECT *language = NULL;
+	ASN1_INTEGER *pathlen = NULL;
+	ASN1_OCTET_STRING *policy = NULL;
+	int i, j;
+
+	vals = X509V3_parse_list(value);
+	for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
+		CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
+		if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {
+			X509V3error(X509V3_R_INVALID_PROXY_POLICY_SETTING);
+			X509V3_conf_err(cnf);
+			goto err;
+		}
+		if (*cnf->name == '@') {
+			STACK_OF(CONF_VALUE) *sect;
+			int success_p = 1;
+
+			sect = X509V3_get_section(ctx, cnf->name + 1);
+			if (!sect) {
+				X509V3error(X509V3_R_INVALID_SECTION);
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+			for (j = 0; success_p &&
+			    j < sk_CONF_VALUE_num(sect); j++) {
+				success_p = process_pci_value(
+				    sk_CONF_VALUE_value(sect, j),
+				    &language, &pathlen, &policy);
+			}
+			X509V3_section_free(ctx, sect);
+			if (!success_p)
+				goto err;
+		} else {
+			if (!process_pci_value(cnf,
+			    &language, &pathlen, &policy)) {
+				X509V3_conf_err(cnf);
+				goto err;
+			}
+		}
+	}
+
+	/* Language is mandatory */
+	if (!language) {
+		X509V3error(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
+		goto err;
+	}
+	i = OBJ_obj2nid(language);
+	if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) {
+		X509V3error(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
+		goto err;
+	}
+
+	pci = PROXY_CERT_INFO_EXTENSION_new();
+	if (!pci) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+
+	pci->proxyPolicy->policyLanguage = language;
+	language = NULL;
+	pci->proxyPolicy->policy = policy;
+	policy = NULL;
+	pci->pcPathLengthConstraint = pathlen;
+	pathlen = NULL;
+	goto end;
+
+err:
+	ASN1_OBJECT_free(language);
+	language = NULL;
+	ASN1_INTEGER_free(pathlen);
+	pathlen = NULL;
+	ASN1_OCTET_STRING_free(policy);
+	policy = NULL;
+end:
+	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
+	return pci;
+}
diff --git a/src/lib/libcrypto/x509/x509_pcia.c b/src/lib/libcrypto/x509/x509_pcia.c
new file mode 100644
index 0000000000..b639aa336d
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_pcia.c
@@ -0,0 +1,145 @@
+/* $OpenBSD: x509_pcia.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
+/* Contributed to the OpenSSL Project 2004
+ * by Richard Levitte (richard@levitte.org)
+ */
+/* Copyright (c) 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+
+static const ASN1_TEMPLATE PROXY_POLICY_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(PROXY_POLICY, policyLanguage),
+		.field_name = "policyLanguage",
+		.item = &ASN1_OBJECT_it,
+	},
+	{
+		.flags = ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(PROXY_POLICY, policy),
+		.field_name = "policy",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+};
+
+const ASN1_ITEM PROXY_POLICY_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = PROXY_POLICY_seq_tt,
+	.tcount = sizeof(PROXY_POLICY_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(PROXY_POLICY),
+	.sname = "PROXY_POLICY",
+};
+
+
+PROXY_POLICY *
+d2i_PROXY_POLICY(PROXY_POLICY **a, const unsigned char **in, long len)
+{
+	return (PROXY_POLICY *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &PROXY_POLICY_it);
+}
+
+int
+i2d_PROXY_POLICY(PROXY_POLICY *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_POLICY_it);
+}
+
+PROXY_POLICY *
+PROXY_POLICY_new(void)
+{
+	return (PROXY_POLICY *)ASN1_item_new(&PROXY_POLICY_it);
+}
+
+void
+PROXY_POLICY_free(PROXY_POLICY *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &PROXY_POLICY_it);
+}
+
+static const ASN1_TEMPLATE PROXY_CERT_INFO_EXTENSION_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(PROXY_CERT_INFO_EXTENSION, pcPathLengthConstraint),
+		.field_name = "pcPathLengthConstraint",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(PROXY_CERT_INFO_EXTENSION, proxyPolicy),
+		.field_name = "proxyPolicy",
+		.item = &PROXY_POLICY_it,
+	},
+};
+
+const ASN1_ITEM PROXY_CERT_INFO_EXTENSION_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = PROXY_CERT_INFO_EXTENSION_seq_tt,
+	.tcount = sizeof(PROXY_CERT_INFO_EXTENSION_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(PROXY_CERT_INFO_EXTENSION),
+	.sname = "PROXY_CERT_INFO_EXTENSION",
+};
+
+
+PROXY_CERT_INFO_EXTENSION *
+d2i_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION **a, const unsigned char **in, long len)
+{
+	return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &PROXY_CERT_INFO_EXTENSION_it);
+}
+
+int
+i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_CERT_INFO_EXTENSION_it);
+}
+
+PROXY_CERT_INFO_EXTENSION *
+PROXY_CERT_INFO_EXTENSION_new(void)
+{
+	return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_new(&PROXY_CERT_INFO_EXTENSION_it);
+}
+
+void
+PROXY_CERT_INFO_EXTENSION_free(PROXY_CERT_INFO_EXTENSION *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &PROXY_CERT_INFO_EXTENSION_it);
+}
diff --git a/src/lib/libcrypto/x509/x509_pcons.c b/src/lib/libcrypto/x509/x509_pcons.c
new file mode 100644
index 0000000000..69bf43377f
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_pcons.c
@@ -0,0 +1,194 @@
+/* $OpenBSD: x509_pcons.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+static STACK_OF(CONF_VALUE) *
+i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
+    STACK_OF(CONF_VALUE) *extlist);
+static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
+
+const X509V3_EXT_METHOD v3_policy_constraints = {
+	.ext_nid = NID_policy_constraints,
+	.ext_flags = 0,
+	.it = &POLICY_CONSTRAINTS_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = i2v_POLICY_CONSTRAINTS,
+	.v2i = v2i_POLICY_CONSTRAINTS,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+static const ASN1_TEMPLATE POLICY_CONSTRAINTS_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(POLICY_CONSTRAINTS, requireExplicitPolicy),
+		.field_name = "requireExplicitPolicy",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(POLICY_CONSTRAINTS, inhibitPolicyMapping),
+		.field_name = "inhibitPolicyMapping",
+		.item = &ASN1_INTEGER_it,
+	},
+};
+
+const ASN1_ITEM POLICY_CONSTRAINTS_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = POLICY_CONSTRAINTS_seq_tt,
+	.tcount = sizeof(POLICY_CONSTRAINTS_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(POLICY_CONSTRAINTS),
+	.sname = "POLICY_CONSTRAINTS",
+};
+
+
+POLICY_CONSTRAINTS *
+POLICY_CONSTRAINTS_new(void)
+{
+	return (POLICY_CONSTRAINTS*)ASN1_item_new(&POLICY_CONSTRAINTS_it);
+}
+
+void
+POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &POLICY_CONSTRAINTS_it);
+}
+
+static STACK_OF(CONF_VALUE) *
+i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
+    STACK_OF(CONF_VALUE) *extlist)
+{
+	POLICY_CONSTRAINTS *pcons = a;
+	STACK_OF(CONF_VALUE) *free_extlist = NULL;
+
+	if (extlist == NULL) {
+		if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
+			return NULL;
+	}
+
+	if (!X509V3_add_value_int("Require Explicit Policy",
+	    pcons->requireExplicitPolicy, &extlist))
+		goto err;
+	if (!X509V3_add_value_int("Inhibit Policy Mapping",
+	    pcons->inhibitPolicyMapping, &extlist))
+		goto err;
+
+	return extlist;
+
+ err:
+	sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
+
+	return NULL;
+}
+
+static void *
+v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *values)
+{
+	POLICY_CONSTRAINTS *pcons = NULL;
+	CONF_VALUE *val;
+	int i;
+
+	if (!(pcons = POLICY_CONSTRAINTS_new())) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
+		val = sk_CONF_VALUE_value(values, i);
+		if (!strcmp(val->name, "requireExplicitPolicy")) {
+			if (!X509V3_get_value_int(val,
+			    &pcons->requireExplicitPolicy)) goto err;
+		} else if (!strcmp(val->name, "inhibitPolicyMapping")) {
+			if (!X509V3_get_value_int(val,
+			    &pcons->inhibitPolicyMapping)) goto err;
+		} else {
+			X509V3error(X509V3_R_INVALID_NAME);
+			X509V3_conf_err(val);
+			goto err;
+		}
+	}
+	if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {
+		X509V3error(X509V3_R_ILLEGAL_EMPTY_EXTENSION);
+		goto err;
+	}
+
+	return pcons;
+
+err:
+	POLICY_CONSTRAINTS_free(pcons);
+	return NULL;
+}
diff --git a/src/lib/libcrypto/x509/x509_pku.c b/src/lib/libcrypto/x509/x509_pku.c
new file mode 100644
index 0000000000..9b82ad3d5f
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_pku.c
@@ -0,0 +1,154 @@
+/* $OpenBSD: x509_pku.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/x509v3.h>
+
+static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
+    PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
+
+const X509V3_EXT_METHOD v3_pkey_usage_period = {
+	.ext_nid = NID_private_key_usage_period,
+	.ext_flags = 0,
+	.it = &PKEY_USAGE_PERIOD_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = (X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+static const ASN1_TEMPLATE PKEY_USAGE_PERIOD_seq_tt[] = {
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 0,
+		.offset = offsetof(PKEY_USAGE_PERIOD, notBefore),
+		.field_name = "notBefore",
+		.item = &ASN1_GENERALIZEDTIME_it,
+	},
+	{
+		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
+		.tag = 1,
+		.offset = offsetof(PKEY_USAGE_PERIOD, notAfter),
+		.field_name = "notAfter",
+		.item = &ASN1_GENERALIZEDTIME_it,
+	},
+};
+
+const ASN1_ITEM PKEY_USAGE_PERIOD_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = PKEY_USAGE_PERIOD_seq_tt,
+	.tcount = sizeof(PKEY_USAGE_PERIOD_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(PKEY_USAGE_PERIOD),
+	.sname = "PKEY_USAGE_PERIOD",
+};
+
+
+PKEY_USAGE_PERIOD *
+d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a, const unsigned char **in, long len)
+{
+	return (PKEY_USAGE_PERIOD *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &PKEY_USAGE_PERIOD_it);
+}
+
+int
+i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKEY_USAGE_PERIOD_it);
+}
+
+PKEY_USAGE_PERIOD *
+PKEY_USAGE_PERIOD_new(void)
+{
+	return (PKEY_USAGE_PERIOD *)ASN1_item_new(&PKEY_USAGE_PERIOD_it);
+}
+
+void
+PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &PKEY_USAGE_PERIOD_it);
+}
+
+static int
+i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage,
+    BIO *out, int indent)
+{
+	BIO_printf(out, "%*s", indent, "");
+	if (usage->notBefore) {
+		BIO_write(out, "Not Before: ", 12);
+		ASN1_GENERALIZEDTIME_print(out, usage->notBefore);
+		if (usage->notAfter)
+			BIO_write(out, ", ", 2);
+	}
+	if (usage->notAfter) {
+		BIO_write(out, "Not After: ", 11);
+		ASN1_GENERALIZEDTIME_print(out, usage->notAfter);
+	}
+	return 1;
+}
diff --git a/src/lib/libcrypto/x509/x509_pmaps.c b/src/lib/libcrypto/x509/x509_pmaps.c
new file mode 100644
index 0000000000..352f85a025
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_pmaps.c
@@ -0,0 +1,235 @@
+/* $OpenBSD: x509_pmaps.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+
+#include <stdio.h>
+
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(
+    const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist);
+
+const X509V3_EXT_METHOD v3_policy_mappings = {
+	.ext_nid = NID_policy_mappings,
+	.ext_flags = 0,
+	.it = &POLICY_MAPPINGS_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = i2v_POLICY_MAPPINGS,
+	.v2i = v2i_POLICY_MAPPINGS,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+static const ASN1_TEMPLATE POLICY_MAPPING_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(POLICY_MAPPING, issuerDomainPolicy),
+		.field_name = "issuerDomainPolicy",
+		.item = &ASN1_OBJECT_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(POLICY_MAPPING, subjectDomainPolicy),
+		.field_name = "subjectDomainPolicy",
+		.item = &ASN1_OBJECT_it,
+	},
+};
+
+const ASN1_ITEM POLICY_MAPPING_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = POLICY_MAPPING_seq_tt,
+	.tcount = sizeof(POLICY_MAPPING_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(POLICY_MAPPING),
+	.sname = "POLICY_MAPPING",
+};
+
+static const ASN1_TEMPLATE POLICY_MAPPINGS_item_tt = {
+	.flags = ASN1_TFLG_SEQUENCE_OF,
+	.tag = 0,
+	.offset = 0,
+	.field_name = "POLICY_MAPPINGS",
+	.item = &POLICY_MAPPING_it,
+};
+
+const ASN1_ITEM POLICY_MAPPINGS_it = {
+	.itype = ASN1_ITYPE_PRIMITIVE,
+	.utype = -1,
+	.templates = &POLICY_MAPPINGS_item_tt,
+	.tcount = 0,
+	.funcs = NULL,
+	.size = 0,
+	.sname = "POLICY_MAPPINGS",
+};
+
+
+POLICY_MAPPING *
+POLICY_MAPPING_new(void)
+{
+	return (POLICY_MAPPING*)ASN1_item_new(&POLICY_MAPPING_it);
+}
+
+void
+POLICY_MAPPING_free(POLICY_MAPPING *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &POLICY_MAPPING_it);
+}
+
+static STACK_OF(CONF_VALUE) *
+i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a,
+    STACK_OF(CONF_VALUE) *extlist)
+{
+	STACK_OF(CONF_VALUE) *free_extlist = NULL;
+	POLICY_MAPPINGS *pmaps = a;
+	POLICY_MAPPING *pmap;
+	char issuer[80], subject[80];
+	int i;
+
+	if (extlist == NULL) {
+		if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
+			return NULL;
+	}
+
+	for (i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
+		if ((pmap = sk_POLICY_MAPPING_value(pmaps, i)) == NULL)
+			goto err;
+		if (!i2t_ASN1_OBJECT(issuer, sizeof issuer,
+		    pmap->issuerDomainPolicy))
+			goto err;
+		if (!i2t_ASN1_OBJECT(subject, sizeof subject,
+		    pmap->subjectDomainPolicy))
+			goto err;
+		if (!X509V3_add_value(issuer, subject, &extlist))
+			goto err;
+	}
+
+	return extlist;
+
+ err:
+	sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
+
+	return NULL;
+}
+
+static void *
+v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *nval)
+{
+	POLICY_MAPPINGS *pmaps = NULL;
+	POLICY_MAPPING *pmap = NULL;
+	ASN1_OBJECT *obj1 = NULL, *obj2 = NULL;
+	CONF_VALUE *val;
+	int i, rc;
+
+	if (!(pmaps = sk_POLICY_MAPPING_new_null())) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		val = sk_CONF_VALUE_value(nval, i);
+		if (!val->value || !val->name) {
+			rc = X509V3_R_INVALID_OBJECT_IDENTIFIER;
+			goto err;
+		}
+		obj1 = OBJ_txt2obj(val->name, 0);
+		obj2 = OBJ_txt2obj(val->value, 0);
+		if (!obj1 || !obj2) {
+			rc = X509V3_R_INVALID_OBJECT_IDENTIFIER;
+			goto err;
+		}
+		pmap = POLICY_MAPPING_new();
+		if (!pmap) {
+	    		rc = ERR_R_MALLOC_FAILURE;
+			goto err;
+		}
+		pmap->issuerDomainPolicy = obj1;
+		pmap->subjectDomainPolicy = obj2;
+		obj1 = obj2 = NULL;
+		if (sk_POLICY_MAPPING_push(pmaps, pmap) == 0) {
+	    		rc = ERR_R_MALLOC_FAILURE;
+			goto err;
+		}
+		pmap = NULL;
+	}
+	return pmaps;
+
+err:
+	sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
+	X509V3error(rc);
+	if (rc == X509V3_R_INVALID_OBJECT_IDENTIFIER)
+		X509V3_conf_err(val);
+	ASN1_OBJECT_free(obj1);
+	ASN1_OBJECT_free(obj2);
+	POLICY_MAPPING_free(pmap);
+	return NULL;
+}
diff --git a/src/lib/libcrypto/x509/x509_prn.c b/src/lib/libcrypto/x509/x509_prn.c
new file mode 100644
index 0000000000..5c15cc390f
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_prn.c
@@ -0,0 +1,225 @@
+/* $OpenBSD: x509_prn.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* X509 v3 extension utilities */
+
+#include <stdio.h>
+
+#include <openssl/conf.h>
+#include <openssl/x509v3.h>
+
+/* Extension printing routines */
+
+static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
+    int indent, int supported);
+
+/* Print out a name+value stack */
+
+void
+X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
+{
+	int i;
+	CONF_VALUE *nval;
+
+	if (!val)
+		return;
+	if (!ml || !sk_CONF_VALUE_num(val)) {
+		BIO_printf(out, "%*s", indent, "");
+		if (!sk_CONF_VALUE_num(val))
+			BIO_puts(out, "<EMPTY>\n");
+	}
+	for (i = 0; i < sk_CONF_VALUE_num(val); i++) {
+		if (ml)
+			BIO_printf(out, "%*s", indent, "");
+		else if (i > 0) BIO_printf(out, ", ");
+			nval = sk_CONF_VALUE_value(val, i);
+		if (!nval->name)
+			BIO_puts(out, nval->value);
+		else if (!nval->value)
+			BIO_puts(out, nval->name);
+		else
+			BIO_printf(out, "%s:%s", nval->name, nval->value);
+		if (ml)
+			BIO_puts(out, "\n");
+	}
+}
+
+/* Main routine: print out a general extension */
+
+int
+X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent)
+{
+	void *ext_str = NULL;
+	char *value = NULL;
+	const unsigned char *p;
+	const X509V3_EXT_METHOD *method;
+	STACK_OF(CONF_VALUE) *nval = NULL;
+	int ok = 1;
+
+	if (!(method = X509V3_EXT_get(ext)))
+		return unknown_ext_print(out, ext, flag, indent, 0);
+	p = ext->value->data;
+	if (method->it)
+		ext_str = ASN1_item_d2i(NULL, &p, ext->value->length,
+		    method->it);
+	else
+		ext_str = method->d2i(NULL, &p, ext->value->length);
+
+	if (!ext_str)
+		return unknown_ext_print(out, ext, flag, indent, 1);
+
+	if (method->i2s) {
+		if (!(value = method->i2s(method, ext_str))) {
+			ok = 0;
+			goto err;
+		}
+		BIO_printf(out, "%*s%s", indent, "", value);
+	} else if (method->i2v) {
+		if (!(nval = method->i2v(method, ext_str, NULL))) {
+			ok = 0;
+			goto err;
+		}
+		X509V3_EXT_val_prn(out, nval, indent,
+		    method->ext_flags & X509V3_EXT_MULTILINE);
+	} else if (method->i2r) {
+		if (!method->i2r(method, ext_str, out, indent))
+			ok = 0;
+	} else
+		ok = 0;
+
+err:
+	sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
+	free(value);
+	if (method->it)
+		ASN1_item_free(ext_str, method->it);
+	else
+		method->ext_free(ext_str);
+	return ok;
+}
+
+int
+X509V3_extensions_print(BIO *bp, const char *title,
+    const STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent)
+{
+	int i, j;
+
+	if (sk_X509_EXTENSION_num(exts) <= 0)
+		return 1;
+
+	if (title) {
+		BIO_printf(bp, "%*s%s:\n",indent, "", title);
+		indent += 4;
+	}
+
+	for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
+		ASN1_OBJECT *obj;
+		X509_EXTENSION *ex;
+		ex = sk_X509_EXTENSION_value(exts, i);
+		if (indent && BIO_printf(bp, "%*s",indent, "") <= 0)
+			return 0;
+		obj = X509_EXTENSION_get_object(ex);
+		i2a_ASN1_OBJECT(bp, obj);
+		j = X509_EXTENSION_get_critical(ex);
+		if (BIO_printf(bp, ": %s\n",j?"critical":"") <= 0)
+			return 0;
+		if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) {
+			BIO_printf(bp, "%*s", indent + 4, "");
+			ASN1_STRING_print(bp, ex->value);
+		}
+		if (BIO_write(bp, "\n",1) <= 0)
+			return 0;
+	}
+	return 1;
+}
+
+static int
+unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
+    int indent, int supported)
+{
+	switch (flag & X509V3_EXT_UNKNOWN_MASK) {
+	case X509V3_EXT_DEFAULT:
+		return 0;
+	case X509V3_EXT_ERROR_UNKNOWN:
+		if (supported)
+			BIO_printf(out, "%*s<Parse Error>", indent, "");
+		else
+			BIO_printf(out, "%*s<Not Supported>", indent, "");
+		return 1;
+	case X509V3_EXT_PARSE_UNKNOWN:
+		return ASN1_parse_dump(out,
+		    ext->value->data, ext->value->length, indent, -1);
+	case X509V3_EXT_DUMP_UNKNOWN:
+		return BIO_dump_indent(out, (char *)ext->value->data,
+		    ext->value->length, indent);
+	default:
+		return 1;
+	}
+}
+
+
+int
+X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
+{
+	BIO *bio_tmp;
+	int ret;
+
+	if (!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE)))
+		return 0;
+	ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
+	BIO_free(bio_tmp);
+	return ret;
+}
diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
new file mode 100644
index 0000000000..62b3bcfe3a
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -0,0 +1,893 @@
+/* $OpenBSD: x509_purp.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2001.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/opensslconf.h>
+
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+#include <openssl/x509_vfy.h>
+
+#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
+#define ku_reject(x, usage) \
+	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
+#define xku_reject(x, usage) \
+	(((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
+#define ns_reject(x, usage) \
+	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
+
+static void x509v3_cache_extensions(X509 *x);
+
+static int check_ssl_ca(const X509 *x);
+static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
+    int ca);
+static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
+    int ca);
+static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
+    int ca);
+static int purpose_smime(const X509 *x, int ca);
+static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
+    int ca);
+static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
+    int ca);
+static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
+    int ca);
+static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
+    int ca);
+static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
+static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
+
+static int xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b);
+static void xptable_free(X509_PURPOSE *p);
+
+static X509_PURPOSE xstandard[] = {
+	{X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
+	{X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
+	{X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
+	{X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
+	{X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
+	{X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
+	{X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
+	{X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
+	{X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
+};
+
+#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
+
+static STACK_OF(X509_PURPOSE) *xptable = NULL;
+
+static int
+xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b)
+{
+	return (*a)->purpose - (*b)->purpose;
+}
+
+/* As much as I'd like to make X509_check_purpose use a "const" X509*
+ * I really can't because it does recalculate hashes and do other non-const
+ * things. */
+int
+X509_check_purpose(X509 *x, int id, int ca)
+{
+	int idx;
+	const X509_PURPOSE *pt;
+
+	if (!(x->ex_flags & EXFLAG_SET)) {
+		CRYPTO_w_lock(CRYPTO_LOCK_X509);
+		x509v3_cache_extensions(x);
+		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+	}
+	if (id == -1)
+		return 1;
+	idx = X509_PURPOSE_get_by_id(id);
+	if (idx == -1)
+		return -1;
+	pt = X509_PURPOSE_get0(idx);
+	return pt->check_purpose(pt, x, ca);
+}
+
+int
+X509_PURPOSE_set(int *p, int purpose)
+{
+	if (X509_PURPOSE_get_by_id(purpose) == -1) {
+		X509V3error(X509V3_R_INVALID_PURPOSE);
+		return 0;
+	}
+	*p = purpose;
+	return 1;
+}
+
+int
+X509_PURPOSE_get_count(void)
+{
+	if (!xptable)
+		return X509_PURPOSE_COUNT;
+	return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
+}
+
+X509_PURPOSE *
+X509_PURPOSE_get0(int idx)
+{
+	if (idx < 0)
+		return NULL;
+	if (idx < (int)X509_PURPOSE_COUNT)
+		return xstandard + idx;
+	return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
+}
+
+int
+X509_PURPOSE_get_by_sname(const char *sname)
+{
+	int i;
+	X509_PURPOSE *xptmp;
+
+	for (i = 0; i < X509_PURPOSE_get_count(); i++) {
+		xptmp = X509_PURPOSE_get0(i);
+		if (!strcmp(xptmp->sname, sname))
+			return i;
+	}
+	return -1;
+}
+
+int
+X509_PURPOSE_get_by_id(int purpose)
+{
+	X509_PURPOSE tmp;
+	int idx;
+
+	if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
+		return purpose - X509_PURPOSE_MIN;
+	tmp.purpose = purpose;
+	if (!xptable)
+		return -1;
+	idx = sk_X509_PURPOSE_find(xptable, &tmp);
+	if (idx == -1)
+		return -1;
+	return idx + X509_PURPOSE_COUNT;
+}
+
+int
+X509_PURPOSE_add(int id, int trust, int flags,
+    int (*ck)(const X509_PURPOSE *, const X509 *, int), const char *name,
+    const char *sname, void *arg)
+{
+	int idx;
+	X509_PURPOSE *ptmp;
+	char *name_dup, *sname_dup;
+
+	name_dup = sname_dup = NULL;
+
+	if (name == NULL || sname == NULL) {
+		X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
+		return 0;
+	}
+
+	/* This is set according to what we change: application can't set it */
+	flags &= ~X509_PURPOSE_DYNAMIC;
+	/* This will always be set for application modified trust entries */
+	flags |= X509_PURPOSE_DYNAMIC_NAME;
+	/* Get existing entry if any */
+	idx = X509_PURPOSE_get_by_id(id);
+	/* Need a new entry */
+	if (idx == -1) {
+		if ((ptmp = malloc(sizeof(X509_PURPOSE))) == NULL) {
+			X509V3error(ERR_R_MALLOC_FAILURE);
+			return 0;
+		}
+		ptmp->flags = X509_PURPOSE_DYNAMIC;
+	} else
+		ptmp = X509_PURPOSE_get0(idx);
+
+	if ((name_dup = strdup(name)) == NULL)
+		goto err;
+	if ((sname_dup = strdup(sname)) == NULL)
+		goto err;
+
+	/* free existing name if dynamic */
+	if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
+		free(ptmp->name);
+		free(ptmp->sname);
+	}
+	/* dup supplied name */
+	ptmp->name = name_dup;
+	ptmp->sname = sname_dup;
+	/* Keep the dynamic flag of existing entry */
+	ptmp->flags &= X509_PURPOSE_DYNAMIC;
+	/* Set all other flags */
+	ptmp->flags |= flags;
+
+	ptmp->purpose = id;
+	ptmp->trust = trust;
+	ptmp->check_purpose = ck;
+	ptmp->usr_data = arg;
+
+	/* If its a new entry manage the dynamic table */
+	if (idx == -1) {
+		if (xptable == NULL &&
+		    (xptable = sk_X509_PURPOSE_new(xp_cmp)) == NULL)
+			goto err;
+		if (sk_X509_PURPOSE_push(xptable, ptmp) == 0)
+			goto err;
+	}
+	return 1;
+
+err:
+	free(name_dup);
+	free(sname_dup);
+	if (idx == -1)
+		free(ptmp);
+	X509V3error(ERR_R_MALLOC_FAILURE);
+	return 0;
+}
+
+static void
+xptable_free(X509_PURPOSE *p)
+{
+	if (!p)
+		return;
+	if (p->flags & X509_PURPOSE_DYNAMIC) {
+		if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
+			free(p->name);
+			free(p->sname);
+		}
+		free(p);
+	}
+}
+
+void
+X509_PURPOSE_cleanup(void)
+{
+	unsigned int i;
+
+	sk_X509_PURPOSE_pop_free(xptable, xptable_free);
+	for(i = 0; i < X509_PURPOSE_COUNT; i++)
+		xptable_free(xstandard + i);
+	xptable = NULL;
+}
+
+int
+X509_PURPOSE_get_id(const X509_PURPOSE *xp)
+{
+	return xp->purpose;
+}
+
+char *
+X509_PURPOSE_get0_name(const X509_PURPOSE *xp)
+{
+	return xp->name;
+}
+
+char *
+X509_PURPOSE_get0_sname(const X509_PURPOSE *xp)
+{
+	return xp->sname;
+}
+
+int
+X509_PURPOSE_get_trust(const X509_PURPOSE *xp)
+{
+	return xp->trust;
+}
+
+static int
+nid_cmp(const int *a, const int *b)
+{
+	return *a - *b;
+}
+
+static int nid_cmp_BSEARCH_CMP_FN(const void *, const void *);
+static int nid_cmp(int const *, int const *);
+static int *OBJ_bsearch_nid(int *key, int const *base, int num);
+
+static int
+nid_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
+{
+	int const *a = a_;
+	int const *b = b_;
+	return nid_cmp(a, b);
+}
+
+static int *
+OBJ_bsearch_nid(int *key, int const *base, int num)
+{
+	return (int *)OBJ_bsearch_(key, base, num, sizeof(int),
+	    nid_cmp_BSEARCH_CMP_FN);
+}
+
+int
+X509_supported_extension(X509_EXTENSION *ex)
+{
+	/* This table is a list of the NIDs of supported extensions:
+	 * that is those which are used by the verify process. If
+	 * an extension is critical and doesn't appear in this list
+	 * then the verify process will normally reject the certificate.
+	 * The list must be kept in numerical order because it will be
+	 * searched using bsearch.
+	 */
+
+	static const int supported_nids[] = {
+		NID_netscape_cert_type, /* 71 */
+		NID_key_usage,		/* 83 */
+		NID_subject_alt_name,	/* 85 */
+		NID_basic_constraints,	/* 87 */
+		NID_certificate_policies, /* 89 */
+		NID_ext_key_usage,	/* 126 */
+		NID_policy_constraints,	/* 401 */
+		NID_proxyCertInfo,	/* 663 */
+		NID_name_constraints,	/* 666 */
+		NID_policy_mappings,	/* 747 */
+		NID_inhibit_any_policy	/* 748 */
+	};
+
+	int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
+
+	if (ex_nid == NID_undef)
+		return 0;
+
+	if (OBJ_bsearch_nid(&ex_nid, supported_nids,
+	    sizeof(supported_nids) / sizeof(int)))
+		return 1;
+	return 0;
+}
+
+static void
+setup_dp(X509 *x, DIST_POINT *dp)
+{
+	X509_NAME *iname = NULL;
+	int i;
+
+	if (dp->reasons) {
+		if (dp->reasons->length > 0)
+			dp->dp_reasons = dp->reasons->data[0];
+		if (dp->reasons->length > 1)
+			dp->dp_reasons |= (dp->reasons->data[1] << 8);
+		dp->dp_reasons &= CRLDP_ALL_REASONS;
+	} else
+		dp->dp_reasons = CRLDP_ALL_REASONS;
+	if (!dp->distpoint || (dp->distpoint->type != 1))
+		return;
+	for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
+		GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
+		if (gen->type == GEN_DIRNAME) {
+			iname = gen->d.directoryName;
+			break;
+		}
+	}
+	if (!iname)
+		iname = X509_get_issuer_name(x);
+
+	DIST_POINT_set_dpname(dp->distpoint, iname);
+
+}
+
+static void
+setup_crldp(X509 *x)
+{
+	int i;
+
+	x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
+	for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
+		setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
+}
+
+static void
+x509v3_cache_extensions(X509 *x)
+{
+	BASIC_CONSTRAINTS *bs;
+	PROXY_CERT_INFO_EXTENSION *pci;
+	ASN1_BIT_STRING *usage;
+	ASN1_BIT_STRING *ns;
+	EXTENDED_KEY_USAGE *extusage;
+	X509_EXTENSION *ex;
+	int i;
+
+	if (x->ex_flags & EXFLAG_SET)
+		return;
+
+#ifndef OPENSSL_NO_SHA
+	X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
+#endif
+
+	/* V1 should mean no extensions ... */
+	if (!X509_get_version(x))
+		x->ex_flags |= EXFLAG_V1;
+
+	/* Handle basic constraints */
+	if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
+		if (bs->ca)
+			x->ex_flags |= EXFLAG_CA;
+		if (bs->pathlen) {
+			if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) ||
+			    !bs->ca) {
+				x->ex_flags |= EXFLAG_INVALID;
+				x->ex_pathlen = 0;
+			} else
+				x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
+		} else
+			x->ex_pathlen = -1;
+		BASIC_CONSTRAINTS_free(bs);
+		x->ex_flags |= EXFLAG_BCONS;
+	}
+
+	/* Handle proxy certificates */
+	if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
+		if (x->ex_flags & EXFLAG_CA ||
+		    X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
+		    X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
+			x->ex_flags |= EXFLAG_INVALID;
+		}
+		if (pci->pcPathLengthConstraint) {
+			if (pci->pcPathLengthConstraint->type ==
+			    V_ASN1_NEG_INTEGER) {
+				x->ex_flags |= EXFLAG_INVALID;
+				x->ex_pcpathlen = 0;
+			} else
+				x->ex_pcpathlen =
+				    ASN1_INTEGER_get(pci->
+				      pcPathLengthConstraint);
+		} else
+			x->ex_pcpathlen = -1;
+		PROXY_CERT_INFO_EXTENSION_free(pci);
+		x->ex_flags |= EXFLAG_PROXY;
+	}
+
+	/* Handle key usage */
+	if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
+		if (usage->length > 0) {
+			x->ex_kusage = usage->data[0];
+			if (usage->length > 1)
+				x->ex_kusage |= usage->data[1] << 8;
+		} else
+			x->ex_kusage = 0;
+		x->ex_flags |= EXFLAG_KUSAGE;
+		ASN1_BIT_STRING_free(usage);
+	}
+	x->ex_xkusage = 0;
+	if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
+		x->ex_flags |= EXFLAG_XKUSAGE;
+		for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
+			switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
+			case NID_server_auth:
+				x->ex_xkusage |= XKU_SSL_SERVER;
+				break;
+
+			case NID_client_auth:
+				x->ex_xkusage |= XKU_SSL_CLIENT;
+				break;
+
+			case NID_email_protect:
+				x->ex_xkusage |= XKU_SMIME;
+				break;
+
+			case NID_code_sign:
+				x->ex_xkusage |= XKU_CODE_SIGN;
+				break;
+
+			case NID_ms_sgc:
+			case NID_ns_sgc:
+				x->ex_xkusage |= XKU_SGC;
+				break;
+
+			case NID_OCSP_sign:
+				x->ex_xkusage |= XKU_OCSP_SIGN;
+				break;
+
+			case NID_time_stamp:
+				x->ex_xkusage |= XKU_TIMESTAMP;
+				break;
+
+			case NID_dvcs:
+				x->ex_xkusage |= XKU_DVCS;
+				break;
+			}
+		}
+		sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
+	}
+
+	if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
+		if (ns->length > 0)
+			x->ex_nscert = ns->data[0];
+		else
+			x->ex_nscert = 0;
+		x->ex_flags |= EXFLAG_NSCERT;
+		ASN1_BIT_STRING_free(ns);
+	}
+
+	x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
+	x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
+
+	/* Does subject name match issuer? */
+	if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
+		x->ex_flags |= EXFLAG_SI;
+		/* If SKID matches AKID also indicate self signed. */
+		if (X509_check_akid(x, x->akid) == X509_V_OK &&
+		    !ku_reject(x, KU_KEY_CERT_SIGN))
+			x->ex_flags |= EXFLAG_SS;
+	}
+
+	x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
+	x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
+	if (!x->nc && (i != -1))
+		x->ex_flags |= EXFLAG_INVALID;
+	setup_crldp(x);
+
+	for (i = 0; i < X509_get_ext_count(x); i++) {
+		ex = X509_get_ext(x, i);
+		if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) ==
+		    NID_freshest_crl)
+			x->ex_flags |= EXFLAG_FRESHEST;
+		if (!X509_EXTENSION_get_critical(ex))
+			continue;
+		if (!X509_supported_extension(ex)) {
+			x->ex_flags |= EXFLAG_CRITICAL;
+			break;
+		}
+	}
+	x->ex_flags |= EXFLAG_SET;
+}
+
+/* CA checks common to all purposes
+ * return codes:
+ * 0 not a CA
+ * 1 is a CA
+ * 2 basicConstraints absent so "maybe" a CA
+ * 3 basicConstraints absent but self signed V1.
+ * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
+ */
+
+static int
+check_ca(const X509 *x)
+{
+	/* keyUsage if present should allow cert signing */
+	if (ku_reject(x, KU_KEY_CERT_SIGN))
+		return 0;
+	if (x->ex_flags & EXFLAG_BCONS) {
+		if (x->ex_flags & EXFLAG_CA)
+			return 1;
+		/* If basicConstraints says not a CA then say so */
+		else
+			return 0;
+	} else {
+		/* we support V1 roots for...  uh, I don't really know why. */
+		if ((x->ex_flags & V1_ROOT) == V1_ROOT)
+			return 3;
+		/* If key usage present it must have certSign so tolerate it */
+		else if (x->ex_flags & EXFLAG_KUSAGE)
+			return 4;
+		/* Older certificates could have Netscape-specific CA types */
+		else if (x->ex_flags & EXFLAG_NSCERT &&
+		    x->ex_nscert & NS_ANY_CA)
+			return 5;
+		/* can this still be regarded a CA certificate?  I doubt it */
+		return 0;
+	}
+}
+
+int
+X509_check_ca(X509 *x)
+{
+	if (!(x->ex_flags & EXFLAG_SET)) {
+		CRYPTO_w_lock(CRYPTO_LOCK_X509);
+		x509v3_cache_extensions(x);
+		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
+	}
+
+	return check_ca(x);
+}
+
+/* Check SSL CA: common checks for SSL client and server */
+static int
+check_ssl_ca(const X509 *x)
+{
+	int ca_ret;
+
+	ca_ret = check_ca(x);
+	if (!ca_ret)
+		return 0;
+	/* check nsCertType if present */
+	if (ca_ret != 5 || x->ex_nscert & NS_SSL_CA)
+		return ca_ret;
+	else
+		return 0;
+}
+
+static int
+check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
+{
+	if (xku_reject(x, XKU_SSL_CLIENT))
+		return 0;
+	if (ca)
+		return check_ssl_ca(x);
+	/* We need to do digital signatures with it */
+	if (ku_reject(x, KU_DIGITAL_SIGNATURE))
+		return 0;
+	/* nsCertType if present should allow SSL client use */
+	if (ns_reject(x, NS_SSL_CLIENT))
+		return 0;
+	return 1;
+}
+
+static int
+check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
+{
+	if (xku_reject(x, XKU_SSL_SERVER|XKU_SGC))
+		return 0;
+	if (ca)
+		return check_ssl_ca(x);
+
+	if (ns_reject(x, NS_SSL_SERVER))
+		return 0;
+	/* Now as for keyUsage: we'll at least need to sign OR encipher */
+	if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT))
+		return 0;
+
+	return 1;
+}
+
+static int
+check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
+{
+	int ret;
+
+	ret = check_purpose_ssl_server(xp, x, ca);
+	if (!ret || ca)
+		return ret;
+	/* We need to encipher or Netscape complains */
+	if (ku_reject(x, KU_KEY_ENCIPHERMENT))
+		return 0;
+	return ret;
+}
+
+/* common S/MIME checks */
+static int
+purpose_smime(const X509 *x, int ca)
+{
+	if (xku_reject(x, XKU_SMIME))
+		return 0;
+	if (ca) {
+		int ca_ret;
+		ca_ret = check_ca(x);
+		if (!ca_ret)
+			return 0;
+		/* check nsCertType if present */
+		if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA)
+			return ca_ret;
+		else
+			return 0;
+	}
+	if (x->ex_flags & EXFLAG_NSCERT) {
+		if (x->ex_nscert & NS_SMIME)
+			return 1;
+		/* Workaround for some buggy certificates */
+		if (x->ex_nscert & NS_SSL_CLIENT)
+			return 2;
+		return 0;
+	}
+	return 1;
+}
+
+static int
+check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
+{
+	int ret;
+
+	ret = purpose_smime(x, ca);
+	if (!ret || ca)
+		return ret;
+	if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION))
+		return 0;
+	return ret;
+}
+
+static int
+check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
+{
+	int ret;
+
+	ret = purpose_smime(x, ca);
+	if (!ret || ca)
+		return ret;
+	if (ku_reject(x, KU_KEY_ENCIPHERMENT))
+		return 0;
+	return ret;
+}
+
+static int
+check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
+{
+	if (ca) {
+		int ca_ret;
+		if ((ca_ret = check_ca(x)) != 2)
+			return ca_ret;
+		else
+			return 0;
+	}
+	if (ku_reject(x, KU_CRL_SIGN))
+		return 0;
+	return 1;
+}
+
+/* OCSP helper: this is *not* a full OCSP check. It just checks that
+ * each CA is valid. Additional checks must be made on the chain.
+ */
+static int
+ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
+{
+	/* Must be a valid CA.  Should we really support the "I don't know"
+	   value (2)? */
+	if (ca)
+		return check_ca(x);
+	/* leaf certificate is checked in OCSP_verify() */
+	return 1;
+}
+
+static int
+check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
+{
+	int i_ext;
+
+	/* If ca is true we must return if this is a valid CA certificate. */
+	if (ca)
+		return check_ca(x);
+
+	/*
+	 * Check the optional key usage field:
+	 * if Key Usage is present, it must be one of digitalSignature
+	 * and/or nonRepudiation (other values are not consistent and shall
+	 * be rejected).
+	 */
+	if ((x->ex_flags & EXFLAG_KUSAGE) &&
+	    ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
+	    !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
+		return 0;
+
+	/* Only time stamp key usage is permitted and it's required. */
+	if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
+		return 0;
+
+	/* Extended Key Usage MUST be critical */
+	i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
+	if (i_ext >= 0) {
+		X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
+		if (!X509_EXTENSION_get_critical(ext))
+			return 0;
+	}
+
+	return 1;
+}
+
+static int
+no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
+{
+	return 1;
+}
+
+/* Various checks to see if one certificate issued the second.
+ * This can be used to prune a set of possible issuer certificates
+ * which have been looked up using some simple method such as by
+ * subject name.
+ * These are:
+ * 1. Check issuer_name(subject) == subject_name(issuer)
+ * 2. If akid(subject) exists check it matches issuer
+ * 3. If key_usage(issuer) exists check it supports certificate signing
+ * returns 0 for OK, positive for reason for mismatch, reasons match
+ * codes for X509_verify_cert()
+ */
+
+int
+X509_check_issued(X509 *issuer, X509 *subject)
+{
+	if (X509_NAME_cmp(X509_get_subject_name(issuer),
+	    X509_get_issuer_name(subject)))
+		return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
+	x509v3_cache_extensions(issuer);
+	x509v3_cache_extensions(subject);
+
+	if (subject->akid) {
+		int ret = X509_check_akid(issuer, subject->akid);
+		if (ret != X509_V_OK)
+			return ret;
+	}
+
+	if (subject->ex_flags & EXFLAG_PROXY) {
+		if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
+			return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
+	} else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
+		return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+	return X509_V_OK;
+}
+
+int
+X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
+{
+	if (!akid)
+		return X509_V_OK;
+
+	/* Check key ids (if present) */
+	if (akid->keyid && issuer->skid &&
+	    ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
+		return X509_V_ERR_AKID_SKID_MISMATCH;
+	/* Check serial number */
+	if (akid->serial &&
+	    ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
+		return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+	/* Check issuer name */
+	if (akid->issuer) {
+		/* Ugh, for some peculiar reason AKID includes
+		 * SEQUENCE OF GeneralName. So look for a DirName.
+		 * There may be more than one but we only take any
+		 * notice of the first.
+		 */
+		GENERAL_NAMES *gens;
+		GENERAL_NAME *gen;
+		X509_NAME *nm = NULL;
+		int i;
+		gens = akid->issuer;
+		for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+			gen = sk_GENERAL_NAME_value(gens, i);
+			if (gen->type == GEN_DIRNAME) {
+				nm = gen->d.dirn;
+				break;
+			}
+		}
+		if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
+			return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
+	}
+	return X509_V_OK;
+}
diff --git a/src/lib/libcrypto/x509/x509_skey.c b/src/lib/libcrypto/x509/x509_skey.c
new file mode 100644
index 0000000000..a906427378
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_skey.c
@@ -0,0 +1,161 @@
+/* $OpenBSD: x509_skey.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, char *str);
+
+const X509V3_EXT_METHOD v3_skey_id = {
+	.ext_nid = NID_subject_key_identifier,
+	.ext_flags = 0,
+	.it = &ASN1_OCTET_STRING_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = (X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
+	.s2i = (X509V3_EXT_S2I)s2i_skey_id,
+	.i2v = NULL,
+	.v2i = NULL,
+	.i2r = NULL,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+char *
+i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, const ASN1_OCTET_STRING *oct)
+{
+	return hex_to_string(oct->data, oct->length);
+}
+
+ASN1_OCTET_STRING *
+s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    const char *str)
+{
+	ASN1_OCTET_STRING *oct;
+	long length;
+
+	if (!(oct = ASN1_OCTET_STRING_new())) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	if (!(oct->data = string_to_hex(str, &length))) {
+		ASN1_OCTET_STRING_free(oct);
+		return NULL;
+	}
+
+	oct->length = length;
+
+	return oct;
+}
+
+static ASN1_OCTET_STRING *
+s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
+{
+	ASN1_OCTET_STRING *oct;
+	ASN1_BIT_STRING *pk;
+	unsigned char pkey_dig[EVP_MAX_MD_SIZE];
+	unsigned int diglen;
+
+	if (strcmp(str, "hash"))
+		return s2i_ASN1_OCTET_STRING(method, ctx, str);
+
+	if (!(oct = ASN1_OCTET_STRING_new())) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+
+	if (ctx && (ctx->flags == CTX_TEST))
+		return oct;
+
+	if (!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
+		X509V3error(X509V3_R_NO_PUBLIC_KEY);
+		goto err;
+	}
+
+	if (ctx->subject_req)
+		pk = ctx->subject_req->req_info->pubkey->public_key;
+	else
+		pk = ctx->subject_cert->cert_info->key->public_key;
+
+	if (!pk) {
+		X509V3error(X509V3_R_NO_PUBLIC_KEY);
+		goto err;
+	}
+
+	if (!EVP_Digest(pk->data, pk->length, pkey_dig, &diglen,
+	    EVP_sha1(), NULL))
+		goto err;
+
+	if (!ASN1_STRING_set(oct, pkey_dig, diglen)) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+
+	return oct;
+
+err:
+	ASN1_OCTET_STRING_free(oct);
+	return NULL;
+}
diff --git a/src/lib/libcrypto/x509/x509_sxnet.c b/src/lib/libcrypto/x509/x509_sxnet.c
new file mode 100644
index 0000000000..e5e98bcecc
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_sxnet.c
@@ -0,0 +1,383 @@
+/* $OpenBSD: x509_sxnet.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/asn1.h>
+#include <openssl/asn1t.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+/* Support for Thawte strong extranet extension */
+
+#define SXNET_TEST
+
+static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
+    int indent);
+#ifdef SXNET_TEST
+static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *nval);
+#endif
+
+const X509V3_EXT_METHOD v3_sxnet = {
+	.ext_nid = NID_sxnet,
+	.ext_flags = X509V3_EXT_MULTILINE,
+	.it = &SXNET_it,
+	.ext_new = NULL,
+	.ext_free = NULL,
+	.d2i = NULL,
+	.i2d = NULL,
+	.i2s = NULL,
+	.s2i = NULL,
+	.i2v = NULL,
+#ifdef SXNET_TEST
+	.v2i = (X509V3_EXT_V2I)sxnet_v2i,
+#else
+	.v2i = NULL,
+#endif
+	.i2r = (X509V3_EXT_I2R)sxnet_i2r,
+	.r2i = NULL,
+	.usr_data = NULL,
+};
+
+static const ASN1_TEMPLATE SXNETID_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(SXNETID, zone),
+		.field_name = "zone",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(SXNETID, user),
+		.field_name = "user",
+		.item = &ASN1_OCTET_STRING_it,
+	},
+};
+
+const ASN1_ITEM SXNETID_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = SXNETID_seq_tt,
+	.tcount = sizeof(SXNETID_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(SXNETID),
+	.sname = "SXNETID",
+};
+
+
+SXNETID *
+d2i_SXNETID(SXNETID **a, const unsigned char **in, long len)
+{
+	return (SXNETID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &SXNETID_it);
+}
+
+int
+i2d_SXNETID(SXNETID *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &SXNETID_it);
+}
+
+SXNETID *
+SXNETID_new(void)
+{
+	return (SXNETID *)ASN1_item_new(&SXNETID_it);
+}
+
+void
+SXNETID_free(SXNETID *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &SXNETID_it);
+}
+
+static const ASN1_TEMPLATE SXNET_seq_tt[] = {
+	{
+		.flags = 0,
+		.tag = 0,
+		.offset = offsetof(SXNET, version),
+		.field_name = "version",
+		.item = &ASN1_INTEGER_it,
+	},
+	{
+		.flags = ASN1_TFLG_SEQUENCE_OF,
+		.tag = 0,
+		.offset = offsetof(SXNET, ids),
+		.field_name = "ids",
+		.item = &SXNETID_it,
+	},
+};
+
+const ASN1_ITEM SXNET_it = {
+	.itype = ASN1_ITYPE_SEQUENCE,
+	.utype = V_ASN1_SEQUENCE,
+	.templates = SXNET_seq_tt,
+	.tcount = sizeof(SXNET_seq_tt) / sizeof(ASN1_TEMPLATE),
+	.funcs = NULL,
+	.size = sizeof(SXNET),
+	.sname = "SXNET",
+};
+
+
+SXNET *
+d2i_SXNET(SXNET **a, const unsigned char **in, long len)
+{
+	return (SXNET *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+	    &SXNET_it);
+}
+
+int
+i2d_SXNET(SXNET *a, unsigned char **out)
+{
+	return ASN1_item_i2d((ASN1_VALUE *)a, out, &SXNET_it);
+}
+
+SXNET *
+SXNET_new(void)
+{
+	return (SXNET *)ASN1_item_new(&SXNET_it);
+}
+
+void
+SXNET_free(SXNET *a)
+{
+	ASN1_item_free((ASN1_VALUE *)a, &SXNET_it);
+}
+
+static int
+sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent)
+{
+	long v;
+	char *tmp;
+	SXNETID *id;
+	int i;
+
+	v = ASN1_INTEGER_get(sx->version);
+	BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);
+	for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
+		id = sk_SXNETID_value(sx->ids, i);
+		tmp = i2s_ASN1_INTEGER(NULL, id->zone);
+		BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
+		free(tmp);
+		ASN1_STRING_print(out, id->user);
+	}
+	return 1;
+}
+
+#ifdef SXNET_TEST
+
+/* NBB: this is used for testing only. It should *not* be used for anything
+ * else because it will just take static IDs from the configuration file and
+ * they should really be separate values for each user.
+ */
+
+static SXNET *
+sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+    STACK_OF(CONF_VALUE) *nval)
+{
+	CONF_VALUE *cnf;
+	SXNET *sx = NULL;
+	int i;
+
+	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
+		cnf = sk_CONF_VALUE_value(nval, i);
+		if (!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1))
+			return NULL;
+	}
+	return sx;
+}
+
+#endif
+
+/* Strong Extranet utility functions */
+
+/* Add an id given the zone as an ASCII number */
+
+int
+SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen)
+{
+	ASN1_INTEGER *izone = NULL;
+
+	if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
+		X509V3error(X509V3_R_ERROR_CONVERTING_ZONE);
+		return 0;
+	}
+	return SXNET_add_id_INTEGER(psx, izone, user, userlen);
+}
+
+/* Add an id given the zone as an unsigned long */
+
+int
+SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
+    int userlen)
+{
+	ASN1_INTEGER *izone = NULL;
+
+	if (!(izone = ASN1_INTEGER_new()) ||
+	    !ASN1_INTEGER_set(izone, lzone)) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		ASN1_INTEGER_free(izone);
+		return 0;
+	}
+	return SXNET_add_id_INTEGER(psx, izone, user, userlen);
+}
+
+/* Add an id given the zone as an ASN1_INTEGER.
+ * Note this version uses the passed integer and doesn't make a copy so don't
+ * free it up afterwards.
+ */
+
+int
+SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user,
+    int userlen)
+{
+	SXNET *sx = NULL;
+	SXNETID *id = NULL;
+
+	if (!psx || !zone || !user) {
+		X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
+		return 0;
+	}
+	if (userlen == -1)
+		userlen = strlen(user);
+	if (userlen > 64) {
+		X509V3error(X509V3_R_USER_TOO_LONG);
+		return 0;
+	}
+	if (!*psx) {
+		if (!(sx = SXNET_new()))
+			goto err;
+		if (!ASN1_INTEGER_set(sx->version, 0))
+			goto err;
+		*psx = sx;
+	} else
+		sx = *psx;
+	if (SXNET_get_id_INTEGER(sx, zone)) {
+		X509V3error(X509V3_R_DUPLICATE_ZONE_ID);
+		return 0;
+	}
+
+	if (!(id = SXNETID_new()))
+		goto err;
+	if (userlen == -1)
+		userlen = strlen(user);
+
+	if (!ASN1_STRING_set(id->user, user, userlen))
+		goto err;
+	if (!sk_SXNETID_push(sx->ids, id))
+		goto err;
+	id->zone = zone;
+	return 1;
+
+err:
+	X509V3error(ERR_R_MALLOC_FAILURE);
+	SXNETID_free(id);
+	SXNET_free(sx);
+	*psx = NULL;
+	return 0;
+}
+
+ASN1_OCTET_STRING *
+SXNET_get_id_asc(SXNET *sx, const char *zone)
+{
+	ASN1_INTEGER *izone = NULL;
+	ASN1_OCTET_STRING *oct;
+
+	if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
+		X509V3error(X509V3_R_ERROR_CONVERTING_ZONE);
+		return NULL;
+	}
+	oct = SXNET_get_id_INTEGER(sx, izone);
+	ASN1_INTEGER_free(izone);
+	return oct;
+}
+
+ASN1_OCTET_STRING *
+SXNET_get_id_ulong(SXNET *sx, unsigned long lzone)
+{
+	ASN1_INTEGER *izone = NULL;
+	ASN1_OCTET_STRING *oct;
+
+	if (!(izone = ASN1_INTEGER_new()) ||
+	    !ASN1_INTEGER_set(izone, lzone)) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		ASN1_INTEGER_free(izone);
+		return NULL;
+	}
+	oct = SXNET_get_id_INTEGER(sx, izone);
+	ASN1_INTEGER_free(izone);
+	return oct;
+}
+
+ASN1_OCTET_STRING *
+SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone)
+{
+	SXNETID *id;
+	int i;
+
+	for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
+		id = sk_SXNETID_value(sx->ids, i);
+		if (!ASN1_INTEGER_cmp(id->zone, zone))
+			return id->user;
+	}
+	return NULL;
+}
diff --git a/src/lib/libcrypto/x509/x509_utl.c b/src/lib/libcrypto/x509/x509_utl.c
new file mode 100644
index 0000000000..4641152f74
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509_utl.c
@@ -0,0 +1,1387 @@
+/* $OpenBSD: x509_utl.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+/* X509 v3 extension utilities */
+
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/x509v3.h>
+
+char *bn_to_string(const BIGNUM *bn);
+static char *strip_spaces(char *name);
+static int sk_strcmp(const char * const *a, const char * const *b);
+static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
+    GENERAL_NAMES *gens);
+static void str_free(OPENSSL_STRING str);
+static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email);
+
+static int ipv4_from_asc(unsigned char *v4, const char *in);
+static int ipv6_from_asc(unsigned char *v6, const char *in);
+static int ipv6_cb(const char *elem, int len, void *usr);
+static int ipv6_hex(unsigned char *out, const char *in, int inlen);
+
+/* Add a CONF_VALUE name-value pair to stack. */
+int
+X509V3_add_value(const char *name, const char *value,
+    STACK_OF(CONF_VALUE) **extlist)
+{
+	CONF_VALUE *vtmp = NULL;
+	STACK_OF(CONF_VALUE) *free_exts = NULL;
+
+	if ((vtmp = calloc(1, sizeof(CONF_VALUE))) == NULL)
+		goto err;
+	if (name != NULL) {
+		if ((vtmp->name = strdup(name)) == NULL)
+			goto err;
+	}
+	if (value != NULL) {
+		if ((vtmp->value = strdup(value)) == NULL)
+			goto err;
+	}
+
+	if (*extlist == NULL) {
+		if ((free_exts = *extlist = sk_CONF_VALUE_new_null()) == NULL)
+			goto err;
+	}
+
+	if (!sk_CONF_VALUE_push(*extlist, vtmp))
+		goto err;
+
+	return 1;
+
+ err:
+	X509V3error(ERR_R_MALLOC_FAILURE);
+	X509V3_conf_free(vtmp);
+	if (free_exts != NULL) {
+		sk_CONF_VALUE_free(*extlist);
+		*extlist = NULL;
+	}
+	return 0;
+}
+
+int
+X509V3_add_value_uchar(const char *name, const unsigned char *value,
+    STACK_OF(CONF_VALUE) **extlist)
+{
+	return X509V3_add_value(name, (const char *)value, extlist);
+}
+
+/* Free function for STACK_OF(CONF_VALUE) */
+
+void
+X509V3_conf_free(CONF_VALUE *conf)
+{
+	if (!conf)
+		return;
+	free(conf->name);
+	free(conf->value);
+	free(conf->section);
+	free(conf);
+}
+
+int
+X509V3_add_value_bool(const char *name, int asn1_bool,
+    STACK_OF(CONF_VALUE) **extlist)
+{
+	if (asn1_bool)
+		return X509V3_add_value(name, "TRUE", extlist);
+	return X509V3_add_value(name, "FALSE", extlist);
+}
+
+int
+X509V3_add_value_bool_nf(const char *name, int asn1_bool,
+    STACK_OF(CONF_VALUE) **extlist)
+{
+	if (asn1_bool)
+		return X509V3_add_value(name, "TRUE", extlist);
+	return 1;
+}
+
+char *
+bn_to_string(const BIGNUM *bn)
+{
+	const char *sign = "";
+	char *bnstr, *hex;
+	char *ret = NULL;
+
+	/* Only display small numbers in decimal, as conversion is quadratic. */
+	if (BN_num_bits(bn) < 128)
+		return BN_bn2dec(bn);
+
+	if ((hex = bnstr = BN_bn2hex(bn)) == NULL)
+		goto err;
+
+	if (BN_is_negative(bn)) {
+		sign = "-";
+		hex++;
+	}
+
+	if (asprintf(&ret, "%s0x%s", sign, hex) == -1)
+		ret = NULL;
+
+ err:
+	free(bnstr);
+	return ret;
+}
+
+char *
+i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *a)
+{
+	BIGNUM *bntmp;
+	char *strtmp = NULL;
+
+	if (a == NULL)
+		return NULL;
+	if ((bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) == NULL ||
+	    (strtmp = bn_to_string(bntmp)) == NULL)
+		X509V3error(ERR_R_MALLOC_FAILURE);
+	BN_free(bntmp);
+	return strtmp;
+}
+
+char *
+i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, const ASN1_INTEGER *a)
+{
+	BIGNUM *bntmp;
+	char *strtmp = NULL;
+
+	if (a == NULL)
+		return NULL;
+	if ((bntmp = ASN1_INTEGER_to_BN(a, NULL)) == NULL ||
+	    (strtmp = bn_to_string(bntmp)) == NULL)
+		X509V3error(ERR_R_MALLOC_FAILURE);
+	BN_free(bntmp);
+	return strtmp;
+}
+
+ASN1_INTEGER *
+s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value)
+{
+	BIGNUM *bn = NULL;
+	ASN1_INTEGER *aint;
+	int isneg, ishex;
+	int ret;
+
+	if (!value) {
+		X509V3error(X509V3_R_INVALID_NULL_VALUE);
+		return 0;
+	}
+	bn = BN_new();
+	if (value[0] == '-') {
+		value++;
+		isneg = 1;
+	} else
+		isneg = 0;
+
+	if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
+		value += 2;
+		ishex = 1;
+	} else
+		ishex = 0;
+
+	if (ishex)
+		ret = BN_hex2bn(&bn, value);
+	else
+		ret = BN_dec2bn(&bn, value);
+
+	if (!ret || value[ret]) {
+		BN_free(bn);
+		X509V3error(X509V3_R_BN_DEC2BN_ERROR);
+		return 0;
+	}
+
+	if (isneg && BN_is_zero(bn))
+		isneg = 0;
+
+	aint = BN_to_ASN1_INTEGER(bn, NULL);
+	BN_free(bn);
+	if (!aint) {
+		X509V3error(X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
+		return 0;
+	}
+	if (isneg)
+		aint->type |= V_ASN1_NEG;
+	return aint;
+}
+
+int
+X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
+    STACK_OF(CONF_VALUE) **extlist)
+{
+	char *strtmp;
+	int ret;
+
+	if (!aint)
+		return 1;
+	if (!(strtmp = i2s_ASN1_INTEGER(NULL, aint)))
+		return 0;
+	ret = X509V3_add_value(name, strtmp, extlist);
+	free(strtmp);
+	return ret;
+}
+
+int
+X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool)
+{
+	char *btmp;
+
+	if (!(btmp = value->value))
+		goto err;
+	if (!strcmp(btmp, "TRUE") || !strcmp(btmp, "true") ||
+	    !strcmp(btmp, "Y") || !strcmp(btmp, "y") ||
+	    !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
+		*asn1_bool = 0xff;
+		return 1;
+	} else if (!strcmp(btmp, "FALSE") || !strcmp(btmp, "false") ||
+	    !strcmp(btmp, "N") || !strcmp(btmp, "n") ||
+	    !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
+		*asn1_bool = 0;
+		return 1;
+	}
+
+ err:
+	X509V3error(X509V3_R_INVALID_BOOLEAN_STRING);
+	X509V3_conf_err(value);
+	return 0;
+}
+
+int
+X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint)
+{
+	ASN1_INTEGER *itmp;
+
+	if (!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
+		X509V3_conf_err(value);
+		return 0;
+	}
+	*aint = itmp;
+	return 1;
+}
+
+#define HDR_NAME	1
+#define HDR_VALUE	2
+
+/*#define DEBUG*/
+
+STACK_OF(CONF_VALUE) *
+X509V3_parse_list(const char *line)
+{
+	char *p, *q, c;
+	char *ntmp, *vtmp;
+	STACK_OF(CONF_VALUE) *values = NULL;
+	char *linebuf;
+	int state;
+
+	/* We are going to modify the line so copy it first */
+	if ((linebuf = strdup(line)) == NULL) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		goto err;
+	}
+	state = HDR_NAME;
+	ntmp = NULL;
+
+	/* Go through all characters */
+	for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') &&
+	    (c != '\n'); p++) {
+
+		switch (state) {
+		case HDR_NAME:
+			if (c == ':') {
+				state = HDR_VALUE;
+				*p = 0;
+				ntmp = strip_spaces(q);
+				if (!ntmp) {
+					X509V3error(X509V3_R_INVALID_NULL_NAME);
+					goto err;
+				}
+				q = p + 1;
+			} else if (c == ',') {
+				*p = 0;
+				ntmp = strip_spaces(q);
+				q = p + 1;
+				if (!ntmp) {
+					X509V3error(X509V3_R_INVALID_NULL_NAME);
+					goto err;
+				}
+				X509V3_add_value(ntmp, NULL, &values);
+			}
+			break;
+
+		case HDR_VALUE:
+			if (c == ',') {
+				state = HDR_NAME;
+				*p = 0;
+				vtmp = strip_spaces(q);
+				if (!vtmp) {
+					X509V3error(X509V3_R_INVALID_NULL_VALUE);
+					goto err;
+				}
+				X509V3_add_value(ntmp, vtmp, &values);
+				ntmp = NULL;
+				q = p + 1;
+			}
+
+		}
+	}
+
+	if (state == HDR_VALUE) {
+		vtmp = strip_spaces(q);
+		if (!vtmp) {
+			X509V3error(X509V3_R_INVALID_NULL_VALUE);
+			goto err;
+		}
+		X509V3_add_value(ntmp, vtmp, &values);
+	} else {
+		ntmp = strip_spaces(q);
+		if (!ntmp) {
+			X509V3error(X509V3_R_INVALID_NULL_NAME);
+			goto err;
+		}
+		X509V3_add_value(ntmp, NULL, &values);
+	}
+	free(linebuf);
+	return values;
+
+ err:
+	free(linebuf);
+	sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
+	return NULL;
+
+}
+
+/* Delete leading and trailing spaces from a string */
+static char *
+strip_spaces(char *name)
+{
+	char *p, *q;
+
+	/* Skip over leading spaces */
+	p = name;
+	while (*p && isspace((unsigned char)*p))
+		p++;
+	if (!*p)
+		return NULL;
+	q = p + strlen(p) - 1;
+	while ((q != p) && isspace((unsigned char)*q))
+		q--;
+	if (p != q)
+		q[1] = 0;
+	if (!*p)
+		return NULL;
+	return p;
+}
+
+/* hex string utilities */
+
+/* Given a buffer of length 'len' return a malloc'ed string with its
+ * hex representation
+ */
+char *
+hex_to_string(const unsigned char *buffer, long len)
+{
+	char *tmp, *q;
+	const unsigned char *p;
+	int i;
+	static const char hexdig[] = "0123456789ABCDEF";
+
+	if (!buffer || !len)
+		return NULL;
+	if (!(tmp = malloc(len * 3 + 1))) {
+		X509V3error(ERR_R_MALLOC_FAILURE);
+		return NULL;
+	}
+	q = tmp;
+	for (i = 0, p = buffer; i < len; i++, p++) {
+		*q++ = hexdig[(*p >> 4) & 0xf];
+		*q++ = hexdig[*p & 0xf];
+		*q++ = ':';
+	}
+	q[-1] = 0;
+	return tmp;
+}
+
+/* Give a string of hex digits convert to
+ * a buffer
+ */
+
+unsigned char *
+string_to_hex(const char *str, long *len)
+{
+	unsigned char *hexbuf, *q;
+	unsigned char ch, cl, *p;
+	if (!str) {
+		X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
+		return NULL;
+	}
+	if (!(hexbuf = malloc(strlen(str) >> 1)))
+		goto err;
+	for (p = (unsigned char *)str, q = hexbuf; *p; ) {
+		ch = *p++;
+		if (ch == ':')
+			continue;
+		cl = *p++;
+		if (!cl) {
+			X509V3error(X509V3_R_ODD_NUMBER_OF_DIGITS);
+			free(hexbuf);
+			return NULL;
+		}
+		ch = tolower(ch);
+		cl = tolower(cl);
+
+		if ((ch >= '0') && (ch <= '9'))
+			ch -= '0';
+		else if ((ch >= 'a') && (ch <= 'f'))
+			ch -= 'a' - 10;
+		else
+			goto badhex;
+
+		if ((cl >= '0') && (cl <= '9'))
+			cl -= '0';
+		else if ((cl >= 'a') && (cl <= 'f'))
+			cl -= 'a' - 10;
+		else
+			goto badhex;
+
+		*q++ = (ch << 4) | cl;
+	}
+
+	if (len)
+		*len = q - hexbuf;
+
+	return hexbuf;
+
+ err:
+	free(hexbuf);
+	X509V3error(ERR_R_MALLOC_FAILURE);
+	return NULL;
+
+ badhex:
+	free(hexbuf);
+	X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT);
+	return NULL;
+}
+
+/* V2I name comparison function: returns zero if 'name' matches
+ * cmp or cmp.*
+ */
+
+int
+name_cmp(const char *name, const char *cmp)
+{
+	int len, ret;
+	char c;
+
+	len = strlen(cmp);
+	if ((ret = strncmp(name, cmp, len)))
+		return ret;
+	c = name[len];
+	if (!c || (c=='.'))
+		return 0;
+	return 1;
+}
+
+static int
+sk_strcmp(const char * const *a, const char * const *b)
+{
+	return strcmp(*a, *b);
+}
+
+STACK_OF(OPENSSL_STRING) *
+X509_get1_email(X509 *x)
+{
+	GENERAL_NAMES *gens;
+	STACK_OF(OPENSSL_STRING) *ret;
+
+	gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
+	ret = get_email(X509_get_subject_name(x), gens);
+	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+	return ret;
+}
+
+STACK_OF(OPENSSL_STRING) *
+X509_get1_ocsp(X509 *x)
+{
+	AUTHORITY_INFO_ACCESS *info;
+	STACK_OF(OPENSSL_STRING) *ret = NULL;
+	int i;
+
+	info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
+	if (!info)
+		return NULL;
+	for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
+		ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
+		if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
+			if (ad->location->type == GEN_URI) {
+				if (!append_ia5(&ret,
+				    ad->location->d.uniformResourceIdentifier))
+					break;
+			}
+		}
+	}
+	AUTHORITY_INFO_ACCESS_free(info);
+	return ret;
+}
+
+STACK_OF(OPENSSL_STRING) *
+X509_REQ_get1_email(X509_REQ *x)
+{
+	GENERAL_NAMES *gens;
+	STACK_OF(X509_EXTENSION) *exts;
+	STACK_OF(OPENSSL_STRING) *ret;
+
+	exts = X509_REQ_get_extensions(x);
+	gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
+	ret = get_email(X509_REQ_get_subject_name(x), gens);
+	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
+	sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+	return ret;
+}
+
+
+static STACK_OF(OPENSSL_STRING) *
+get_email(X509_NAME *name, GENERAL_NAMES *gens)
+{
+	STACK_OF(OPENSSL_STRING) *ret = NULL;
+	X509_NAME_ENTRY *ne;
+	ASN1_IA5STRING *email;
+	GENERAL_NAME *gen;
+	int i;
+
+	/* Now add any email address(es) to STACK */
+	i = -1;
+
+	/* First supplied X509_NAME */
+	while ((i = X509_NAME_get_index_by_NID(name,
+	    NID_pkcs9_emailAddress, i)) >= 0) {
+		ne = X509_NAME_get_entry(name, i);
+		email = X509_NAME_ENTRY_get_data(ne);
+		if (!append_ia5(&ret, email))
+			return NULL;
+	}
+	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+		gen = sk_GENERAL_NAME_value(gens, i);
+		if (gen->type != GEN_EMAIL)
+			continue;
+		if (!append_ia5(&ret, gen->d.ia5))
+			return NULL;
+	}
+	return ret;
+}
+
+static void
+str_free(OPENSSL_STRING str)
+{
+	free(str);
+}
+
+static int
+append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
+{
+	char *emtmp;
+
+	/* First some sanity checks */
+	if (email->type != V_ASN1_IA5STRING)
+		return 1;
+	if (!email->data || !email->length)
+		return 1;
+	if (!*sk)
+		*sk = sk_OPENSSL_STRING_new(sk_strcmp);
+	if (!*sk)
+		return 0;
+	/* Don't add duplicates */
+	if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
+		return 1;
+	emtmp = strdup((char *)email->data);
+	if (!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
+		X509_email_free(*sk);
+		*sk = NULL;
+		return 0;
+	}
+	return 1;
+}
+
+void
+X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
+{
+	sk_OPENSSL_STRING_pop_free(sk, str_free);
+}
+
+typedef int (*equal_fn)(const unsigned char *pattern, size_t pattern_len,
+    const unsigned char *subject, size_t subject_len, unsigned int flags);
+
+/* Skip pattern prefix to match "wildcard" subject */
+static void
+skip_prefix(const unsigned char **p, size_t *plen, const unsigned char *subject,
+    size_t subject_len, unsigned int flags)
+{
+	const unsigned char *pattern = *p;
+	size_t pattern_len = *plen;
+
+	/*
+	 * If subject starts with a leading '.' followed by more octets, and
+	 * pattern is longer, compare just an equal-length suffix with the
+	 * full subject (starting at the '.'), provided the prefix contains
+	 * no NULs.
+	 */
+	if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
+		return;
+
+	while (pattern_len > subject_len && *pattern) {
+		if ((flags & X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS) &&
+		    *pattern == '.')
+			break;
+		++pattern;
+		--pattern_len;
+	}
+
+	/* Skip if entire prefix acceptable */
+	if (pattern_len == subject_len) {
+		*p = pattern;
+		*plen = pattern_len;
+	}
+}
+
+/*
+ * Open/BoringSSL uses memcmp for "equal_case" while their
+ * "equal_nocase" function is a hand-rolled strncasecmp that does not
+ * allow \0 in the pattern. Since an embedded \0 is likely a sign of
+ * problems, we simply don't allow it in either case, and then we use
+ * standard libc funcitons.
+ */
+
+/* Compare using strncasecmp */
+static int
+equal_nocase(const unsigned char *pattern, size_t pattern_len,
+    const unsigned char *subject, size_t subject_len, unsigned int flags)
+{
+	if (memchr(pattern, '\0', pattern_len) != NULL)
+		return 0;
+	if (memchr(subject, '\0', subject_len) != NULL)
+		return 0;
+	skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
+	if (pattern_len != subject_len)
+		return 0;
+	return (strncasecmp(pattern, subject, pattern_len) == 0);
+}
+
+/* Compare using strncmp. */
+static int
+equal_case(const unsigned char *pattern, size_t pattern_len,
+    const unsigned char *subject, size_t subject_len, unsigned int flags)
+{
+	if (memchr(pattern, 0, pattern_len) != NULL)
+		return 0;
+	if (memchr(subject, 0, subject_len) != NULL)
+		return 0;
+	skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
+	if (pattern_len != subject_len)
+		return 0;
+	return (strncmp(pattern, subject, pattern_len) == 0);
+}
+
+/*
+ * RFC 5280, section 7.5, requires that only the domain is compared in a
+ * case-insensitive manner.
+ */
+static int
+equal_email(const unsigned char *a, size_t a_len, const unsigned char *b,
+    size_t b_len, unsigned int unused_flags)
+{
+	size_t pos = a_len;
+	if (a_len != b_len)
+		return 0;
+	/*
+	 * We search backwards for the '@' character, so that we do not have to
+	 * deal with quoted local-parts.  The domain part is compared in a
+	 * case-insensitive manner.
+	 */
+	while (pos > 0) {
+		pos--;
+		if (a[pos] == '@' || b[pos] == '@') {
+			if (!equal_nocase(a + pos, a_len - pos, b + pos,
+			    a_len - pos, 0))
+				return 0;
+			break;
+		}
+	}
+	if (pos == 0)
+		pos = a_len;
+	return equal_case(a, pos, b, pos, 0);
+}
+
+/*
+ * Compare the prefix and suffix with the subject, and check that the
+ * characters in-between are valid.
+ */
+static int
+wildcard_match(const unsigned char *prefix, size_t prefix_len,
+    const unsigned char *suffix, size_t suffix_len,
+    const unsigned char *subject, size_t subject_len, unsigned int flags)
+{
+	const unsigned char *wildcard_start;
+	const unsigned char *wildcard_end;
+	const unsigned char *p;
+	int allow_multi = 0;
+	int allow_idna = 0;
+
+	if (subject_len < prefix_len + suffix_len)
+		return 0;
+	if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags))
+		return 0;
+	wildcard_start = subject + prefix_len;
+	wildcard_end = subject + (subject_len - suffix_len);
+	if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags))
+		return 0;
+	/*
+	 * If the wildcard makes up the entire first label, it must match at
+	 * least one character.
+	 */
+	if (prefix_len == 0 && *suffix == '.') {
+		if (wildcard_start == wildcard_end)
+			return 0;
+		allow_idna = 1;
+		if (flags & X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS)
+			allow_multi = 1;
+	}
+	/* IDNA labels cannot match partial wildcards */
+	if (!allow_idna &&
+	    subject_len >= 4
+	    && strncasecmp((char *)subject, "xn--", 4) == 0)
+		return 0;
+	/* The wildcard may match a literal '*' */
+	if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*')
+		return 1;
+	/*
+	 * Check that the part matched by the wildcard contains only
+	 * permitted characters and only matches a single label unless
+	 * allow_multi is set.
+	 */
+	for (p = wildcard_start; p != wildcard_end; ++p)
+		if (!(('0' <= *p && *p <= '9') || ('A' <= *p && *p <= 'Z') ||
+		    ('a' <= *p && *p <= 'z') || *p == '-' ||
+		    (allow_multi && *p == '.')))
+			return 0;
+	return 1;
+}
+
+#define LABEL_START     (1 << 0)
+#define LABEL_END       (1 << 1)
+#define LABEL_HYPHEN    (1 << 2)
+#define LABEL_IDNA      (1 << 3)
+
+static const unsigned char *
+valid_star(const unsigned char *p, size_t len, unsigned int flags)
+{
+	const unsigned char *star = 0;
+	size_t i;
+	int state = LABEL_START;
+	int dots = 0;
+	for (i = 0; i < len; ++i) {
+		/*
+		 * Locate first and only legal wildcard, either at the start
+		 * or end of a non-IDNA first and not final label.
+		 */
+		if (p[i] == '*') {
+			int atstart = (state & LABEL_START);
+			int atend = (i == len - 1 || p[i + 1] == '.');
+			/*
+			 * At most one wildcard per pattern.
+			 * No wildcards in IDNA labels.
+			 * No wildcards after the first label.
+			 */
+			if (star != NULL || (state & LABEL_IDNA) != 0 || dots)
+				return NULL;
+			/* Only full-label '*.example.com' wildcards? */
+			if ((flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)
+			    && (!atstart || !atend))
+				return NULL;
+			/* No 'foo*bar' wildcards */
+			if (!atstart && !atend)
+				return NULL;
+			star = &p[i];
+			state &= ~LABEL_START;
+		} else if ((state & LABEL_START) != 0) {
+			/*
+			 * At the start of a label, skip any "xn--" and
+			 * remain in the LABEL_START state, but set the
+			 * IDNA label state
+			 */
+			if ((state & LABEL_IDNA) == 0 && len - i >= 4
+			    && strncasecmp((char *)&p[i], "xn--", 4) == 0) {
+				i += 3;
+				state |= LABEL_IDNA;
+				continue;
+			}
+			/* Labels must start with a letter or digit */
+			state &= ~LABEL_START;
+			if (('a' <= p[i] && p[i] <= 'z')
+			    || ('A' <= p[i] && p[i] <= 'Z')
+			    || ('0' <= p[i] && p[i] <= '9'))
+				continue;
+			return NULL;
+		} else if (('a' <= p[i] && p[i] <= 'z')
+		    || ('A' <= p[i] && p[i] <= 'Z')
+		    || ('0' <= p[i] && p[i] <= '9')) {
+			state &= LABEL_IDNA;
+			continue;
+		} else if (p[i] == '.') {
+			if (state & (LABEL_HYPHEN | LABEL_START))
+				return NULL;
+			state = LABEL_START;
+			++dots;
+		} else if (p[i] == '-') {
+			/* no domain/subdomain starts with '-' */
+			if ((state & LABEL_START) != 0)
+				return NULL;
+			state |= LABEL_HYPHEN;
+		} else
+			return NULL;
+	}
+
+	/*
+	 * The final label must not end in a hyphen or ".", and
+	 * there must be at least two dots after the star.
+	 */
+	if ((state & (LABEL_START | LABEL_HYPHEN)) != 0 || dots < 2)
+		return NULL;
+	return star;
+}
+
+/* Compare using wildcards. */
+static int
+equal_wildcard(const unsigned char *pattern, size_t pattern_len,
+    const unsigned char *subject, size_t subject_len, unsigned int flags)
+{
+	const unsigned char *star = NULL;
+
+	/*
+	 * Subject names starting with '.' can only match a wildcard pattern
+	 * via a subject sub-domain pattern suffix match.
+	 */
+	if (!(subject_len > 1 && subject[0] == '.'))
+		star = valid_star(pattern, pattern_len, flags);
+	if (star == NULL)
+		return equal_nocase(pattern, pattern_len,
+		    subject, subject_len, flags);
+	return wildcard_match(pattern, star - pattern,
+	    star + 1, (pattern + pattern_len) - star - 1,
+	    subject, subject_len, flags);
+}
+
+/*
+ * Compare an ASN1_STRING to a supplied string. If they match return 1. If
+ * cmp_type > 0 only compare if string matches the type, otherwise convert it
+ * to UTF8.
+ */
+
+static int
+do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
+    unsigned int flags, const char *b, size_t blen, char **peername)
+{
+	int rv = 0;
+
+	if (!a->data || !a->length)
+		return 0;
+	if (cmp_type > 0) {
+		if (cmp_type != a->type)
+			return 0;
+		if (cmp_type == V_ASN1_IA5STRING)
+			rv = equal(a->data, a->length, (unsigned char *)b,
+			    blen, flags);
+		else if (a->length == (int)blen && !memcmp(a->data, b, blen))
+			rv = 1;
+		if (rv > 0 && peername &&
+		    (*peername = strndup((char *)a->data, a->length)) == NULL)
+			rv = -1;
+	} else {
+		int astrlen;
+		unsigned char *astr;
+		astrlen = ASN1_STRING_to_UTF8(&astr, a);
+		if (astrlen < 0)
+			return -1;
+		rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
+		if (rv > 0 && peername &&
+		    (*peername = strndup((char *)astr, astrlen)) == NULL)
+			rv = -1;
+		free(astr);
+	}
+	return rv;
+}
+
+static int
+do_x509_check(X509 *x, const char *chk, size_t chklen, unsigned int flags,
+    int check_type, char **peername)
+{
+	GENERAL_NAMES *gens = NULL;
+	X509_NAME *name = NULL;
+	size_t i;
+	int j;
+	int cnid = NID_undef;
+	int alt_type;
+	int san_present = 0;
+	int rv = 0;
+	equal_fn equal;
+
+	/* See below, this flag is internal-only */
+	flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
+	if (check_type == GEN_EMAIL) {
+		cnid = NID_pkcs9_emailAddress;
+		alt_type = V_ASN1_IA5STRING;
+		equal = equal_email;
+	} else if (check_type == GEN_DNS) {
+		cnid = NID_commonName;
+		/* Implicit client-side DNS sub-domain pattern */
+		if (chklen > 1 && chk[0] == '.')
+			flags |= _X509_CHECK_FLAG_DOT_SUBDOMAINS;
+		alt_type = V_ASN1_IA5STRING;
+		if (flags & X509_CHECK_FLAG_NO_WILDCARDS)
+			equal = equal_nocase;
+		else
+			equal = equal_wildcard;
+	} else {
+		alt_type = V_ASN1_OCTET_STRING;
+		equal = equal_case;
+	}
+
+	gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
+	if (gens != NULL) {
+		for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+			GENERAL_NAME *gen;
+			ASN1_STRING *cstr;
+			gen = sk_GENERAL_NAME_value(gens, i);
+			if (gen->type != check_type)
+				continue;
+			san_present = 1;
+			if (check_type == GEN_EMAIL)
+				cstr = gen->d.rfc822Name;
+			else if (check_type == GEN_DNS)
+				cstr = gen->d.dNSName;
+			else
+				cstr = gen->d.iPAddress;
+			/* Positive on success, negative on error! */
+			if ((rv = do_check_string(cstr, alt_type, equal, flags,
+			    chk, chklen, peername)) != 0)
+				break;
+		}
+		GENERAL_NAMES_free(gens);
+		if (rv != 0)
+			return rv;
+		if (cnid == NID_undef ||
+		    (san_present &&
+		    !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
+			return 0;
+	}
+
+	/* We're done if CN-ID is not pertinent */
+	if (cnid == NID_undef)
+		return 0;
+
+	j = -1;
+	name = X509_get_subject_name(x);
+	while ((j = X509_NAME_get_index_by_NID(name, cnid, j)) >= 0) {
+		X509_NAME_ENTRY *ne;
+		ASN1_STRING *str;
+		if ((ne = X509_NAME_get_entry(name, j)) == NULL)
+			return -1;
+		if ((str = X509_NAME_ENTRY_get_data(ne)) == NULL)
+			return -1;
+		/* Positive on success, negative on error! */
+		if ((rv = do_check_string(str, -1, equal, flags,
+			 chk, chklen, peername)) != 0)
+			return rv;
+	}
+	return 0;
+}
+
+int
+X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags,
+    char **peername)
+{
+	if (chk == NULL)
+		return -2;
+	if (chklen == 0)
+		chklen = strlen(chk);
+	else if (memchr(chk, '\0', chklen))
+		return -2;
+	return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
+}
+
+int
+X509_check_email(X509 *x, const char *chk, size_t chklen, unsigned int flags)
+{
+	if (chk == NULL)
+		return -2;
+	if (chklen == 0)
+		chklen = strlen(chk);
+	else if (memchr(chk, '\0', chklen))
+		return -2;
+	return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
+}
+
+int
+X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
+    unsigned int flags)
+{
+	if (chk == NULL)
+		return -2;
+	return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
+}
+
+int
+X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
+{
+	unsigned char ipout[16];
+	size_t iplen;
+
+	if (ipasc == NULL)
+		return -2;
+	iplen = (size_t)a2i_ipadd(ipout, ipasc);
+	if (iplen == 0)
+		return -2;
+	return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
+}
+
+/* Convert IP addresses both IPv4 and IPv6 into an
+ * OCTET STRING compatible with RFC3280.
+ */
+
+ASN1_OCTET_STRING *
+a2i_IPADDRESS(const char *ipasc)
+{
+	unsigned char ipout[16];
+	ASN1_OCTET_STRING *ret;
+	int iplen;
+
+	/* If string contains a ':' assume IPv6 */
+
+	iplen = a2i_ipadd(ipout, ipasc);
+
+	if (!iplen)
+		return NULL;
+
+	ret = ASN1_OCTET_STRING_new();
+	if (!ret)
+		return NULL;
+	if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
+		ASN1_OCTET_STRING_free(ret);
+		return NULL;
+	}
+	return ret;
+}
+
+ASN1_OCTET_STRING *
+a2i_IPADDRESS_NC(const char *ipasc)
+{
+	ASN1_OCTET_STRING *ret = NULL;
+	unsigned char ipout[32];
+	char *iptmp = NULL, *p;
+	int iplen1, iplen2;
+
+	p = strchr(ipasc, '/');
+	if (!p)
+		return NULL;
+	iptmp = strdup(ipasc);
+	if (!iptmp)
+		return NULL;
+	p = iptmp + (p - ipasc);
+	*p++ = 0;
+
+	iplen1 = a2i_ipadd(ipout, iptmp);
+
+	if (!iplen1)
+		goto err;
+
+	iplen2 = a2i_ipadd(ipout + iplen1, p);
+
+	free(iptmp);
+	iptmp = NULL;
+
+	if (!iplen2 || (iplen1 != iplen2))
+		goto err;
+
+	ret = ASN1_OCTET_STRING_new();
+	if (!ret)
+		goto err;
+	if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
+		goto err;
+
+	return ret;
+
+ err:
+	free(iptmp);
+	if (ret)
+		ASN1_OCTET_STRING_free(ret);
+	return NULL;
+}
+
+
+int
+a2i_ipadd(unsigned char *ipout, const char *ipasc)
+{
+	/* If string contains a ':' assume IPv6 */
+
+	if (strchr(ipasc, ':')) {
+		if (!ipv6_from_asc(ipout, ipasc))
+			return 0;
+		return 16;
+	} else {
+		if (!ipv4_from_asc(ipout, ipasc))
+			return 0;
+		return 4;
+	}
+}
+
+static int
+ipv4_from_asc(unsigned char *v4, const char *in)
+{
+	int a0, a1, a2, a3;
+	if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
+		return 0;
+	if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) ||
+	    (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
+		return 0;
+	v4[0] = a0;
+	v4[1] = a1;
+	v4[2] = a2;
+	v4[3] = a3;
+	return 1;
+}
+
+typedef struct {
+	/* Temporary store for IPV6 output */
+	unsigned char tmp[16];
+	/* Total number of bytes in tmp */
+	int total;
+	/* The position of a zero (corresponding to '::') */
+	int zero_pos;
+	/* Number of zeroes */
+	int zero_cnt;
+} IPV6_STAT;
+
+
+static int
+ipv6_from_asc(unsigned char *v6, const char *in)
+{
+	IPV6_STAT v6stat;
+
+	v6stat.total = 0;
+	v6stat.zero_pos = -1;
+	v6stat.zero_cnt = 0;
+
+	/* Treat the IPv6 representation as a list of values
+	 * separated by ':'. The presence of a '::' will parse
+	 * as one, two or three zero length elements.
+	 */
+	if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
+		return 0;
+
+	/* Now for some sanity checks */
+
+	if (v6stat.zero_pos == -1) {
+		/* If no '::' must have exactly 16 bytes */
+		if (v6stat.total != 16)
+			return 0;
+	} else {
+		/* If '::' must have less than 16 bytes */
+		if (v6stat.total == 16)
+			return 0;
+		/* More than three zeroes is an error */
+		if (v6stat.zero_cnt > 3)
+			return 0;
+		/* Can only have three zeroes if nothing else present */
+		else if (v6stat.zero_cnt == 3) {
+			if (v6stat.total > 0)
+				return 0;
+		}
+		/* Can only have two zeroes if at start or end */
+		else if (v6stat.zero_cnt == 2) {
+			if ((v6stat.zero_pos != 0) &&
+			    (v6stat.zero_pos != v6stat.total))
+				return 0;
+		} else
+			/* Can only have one zero if *not* start or end */
+		{
+			if ((v6stat.zero_pos == 0) ||
+			    (v6stat.zero_pos == v6stat.total))
+				return 0;
+		}
+	}
+
+	/* Format result */
+
+	if (v6stat.zero_pos >= 0) {
+		/* Copy initial part */
+		memcpy(v6, v6stat.tmp, v6stat.zero_pos);
+		/* Zero middle */
+		memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
+		/* Copy final part */
+		if (v6stat.total != v6stat.zero_pos)
+			memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
+			    v6stat.tmp + v6stat.zero_pos,
+			    v6stat.total - v6stat.zero_pos);
+	} else
+		memcpy(v6, v6stat.tmp, 16);
+
+	return 1;
+}
+
+static int
+ipv6_cb(const char *elem, int len, void *usr)
+{
+	IPV6_STAT *s = usr;
+
+	/* Error if 16 bytes written */
+	if (s->total == 16)
+		return 0;
+	if (len == 0) {
+		/* Zero length element, corresponds to '::' */
+		if (s->zero_pos == -1)
+			s->zero_pos = s->total;
+		/* If we've already got a :: its an error */
+		else if (s->zero_pos != s->total)
+			return 0;
+		s->zero_cnt++;
+	} else {
+		/* If more than 4 characters could be final a.b.c.d form */
+		if (len > 4) {
+			/* Need at least 4 bytes left */
+			if (s->total > 12)
+				return 0;
+			/* Must be end of string */
+			if (elem[len])
+				return 0;
+			if (!ipv4_from_asc(s->tmp + s->total, elem))
+				return 0;
+			s->total += 4;
+		} else {
+			if (!ipv6_hex(s->tmp + s->total, elem, len))
+				return 0;
+			s->total += 2;
+		}
+	}
+	return 1;
+}
+
+/* Convert a string of up to 4 hex digits into the corresponding
+ * IPv6 form.
+ */
+
+static int
+ipv6_hex(unsigned char *out, const char *in, int inlen)
+{
+	unsigned char c;
+	unsigned int num = 0;
+
+	if (inlen > 4)
+		return 0;
+	while (inlen--) {
+		c = *in++;
+		num <<= 4;
+		if ((c >= '0') && (c <= '9'))
+			num |= c - '0';
+		else if ((c >= 'A') && (c <= 'F'))
+			num |= c - 'A' + 10;
+		else if ((c >= 'a') && (c <= 'f'))
+			num |=  c - 'a' + 10;
+		else
+			return 0;
+	}
+	out[0] = num >> 8;
+	out[1] = num & 0xff;
+	return 1;
+}
+
+int
+X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+    unsigned long chtype)
+{
+	CONF_VALUE *v;
+	int i, mval;
+	char *p, *type;
+
+	if (!nm)
+		return 0;
+
+	for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
+		v = sk_CONF_VALUE_value(dn_sk, i);
+		type = v->name;
+		/* Skip past any leading X. X: X, etc to allow for
+		 * multiple instances
+		 */
+		for (p = type; *p; p++)
+			if ((*p == ':') || (*p == ',') || (*p == '.')) {
+				p++;
+				if (*p)
+					type = p;
+				break;
+			}
+		if (*type == '+') {
+			mval = -1;
+			type++;
+		} else
+			mval = 0;
+		if (!X509_NAME_add_entry_by_txt(nm, type, chtype,
+		    (unsigned char *) v->value, -1, -1, mval))
+			return 0;
+	}
+	return 1;
+}
diff --git a/src/lib/libcrypto/x509/x509v3.h b/src/lib/libcrypto/x509/x509v3.h
new file mode 100644
index 0000000000..8f7f5c5794
--- /dev/null
+++ b/src/lib/libcrypto/x509/x509v3.h
@@ -0,0 +1,992 @@
+/* $OpenBSD: x509v3.h,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 1999.
+ */
+/* ====================================================================
+ * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+#ifndef HEADER_X509V3_H
+#define HEADER_X509V3_H
+
+#include <openssl/opensslconf.h>
+
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+#include <openssl/conf.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Forward reference */
+struct v3_ext_method;
+struct v3_ext_ctx;
+
+/* Useful typedefs */
+
+typedef void * (*X509V3_EXT_NEW)(void);
+typedef void (*X509V3_EXT_FREE)(void *);
+typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
+typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
+typedef STACK_OF(CONF_VALUE) *
+  (*X509V3_EXT_I2V)(const struct v3_ext_method *method, void *ext,
+		    STACK_OF(CONF_VALUE) *extlist);
+typedef void * (*X509V3_EXT_V2I)(const struct v3_ext_method *method,
+				 struct v3_ext_ctx *ctx,
+				 STACK_OF(CONF_VALUE) *values);
+typedef char * (*X509V3_EXT_I2S)(const struct v3_ext_method *method, void *ext);
+typedef void * (*X509V3_EXT_S2I)(const struct v3_ext_method *method,
+				 struct v3_ext_ctx *ctx, const char *str);
+typedef int (*X509V3_EXT_I2R)(const struct v3_ext_method *method, void *ext,
+			      BIO *out, int indent);
+typedef void * (*X509V3_EXT_R2I)(const struct v3_ext_method *method,
+				 struct v3_ext_ctx *ctx, const char *str);
+
+/* V3 extension structure */
+
+struct v3_ext_method {
+int ext_nid;
+int ext_flags;
+/* If this is set the following four fields are ignored */
+ASN1_ITEM_EXP *it;
+/* Old style ASN1 calls */
+X509V3_EXT_NEW ext_new;
+X509V3_EXT_FREE ext_free;
+X509V3_EXT_D2I d2i;
+X509V3_EXT_I2D i2d;
+
+/* The following pair is used for string extensions */
+X509V3_EXT_I2S i2s;
+X509V3_EXT_S2I s2i;
+
+/* The following pair is used for multi-valued extensions */
+X509V3_EXT_I2V i2v;
+X509V3_EXT_V2I v2i;
+
+/* The following are used for raw extensions */
+X509V3_EXT_I2R i2r;
+X509V3_EXT_R2I r2i;
+
+void *usr_data;	/* Any extension specific data */
+};
+
+typedef struct X509V3_CONF_METHOD_st {
+char *(*get_string)(void *db, const char *section, const char *value);
+STACK_OF(CONF_VALUE) *(*get_section)(void *db, const char *section);
+void (*free_string)(void *db, char *string);
+void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
+} X509V3_CONF_METHOD;
+
+/* Context specific info */
+struct v3_ext_ctx {
+#define CTX_TEST 0x1
+int flags;
+X509 *issuer_cert;
+X509 *subject_cert;
+X509_REQ *subject_req;
+X509_CRL *crl;
+X509V3_CONF_METHOD *db_meth;
+void *db;
+/* Maybe more here */
+};
+
+typedef struct v3_ext_method X509V3_EXT_METHOD;
+
+DECLARE_STACK_OF(X509V3_EXT_METHOD)
+
+/* ext_flags values */
+#define X509V3_EXT_DYNAMIC	0x1
+#define X509V3_EXT_CTX_DEP	0x2
+#define X509V3_EXT_MULTILINE	0x4
+
+typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
+
+typedef struct BASIC_CONSTRAINTS_st {
+int ca;
+ASN1_INTEGER *pathlen;
+} BASIC_CONSTRAINTS;
+
+
+typedef struct PKEY_USAGE_PERIOD_st {
+ASN1_GENERALIZEDTIME *notBefore;
+ASN1_GENERALIZEDTIME *notAfter;
+} PKEY_USAGE_PERIOD;
+
+typedef struct otherName_st {
+ASN1_OBJECT *type_id;
+ASN1_TYPE *value;
+} OTHERNAME;
+
+typedef struct EDIPartyName_st {
+	ASN1_STRING *nameAssigner;
+	ASN1_STRING *partyName;
+} EDIPARTYNAME;
+
+typedef struct GENERAL_NAME_st {
+
+#define GEN_OTHERNAME	0
+#define GEN_EMAIL	1
+#define GEN_DNS		2
+#define GEN_X400	3
+#define GEN_DIRNAME	4
+#define GEN_EDIPARTY	5
+#define GEN_URI		6
+#define GEN_IPADD	7
+#define GEN_RID		8
+
+int type;
+union {
+	char *ptr;
+	OTHERNAME *otherName; /* otherName */
+	ASN1_IA5STRING *rfc822Name;
+	ASN1_IA5STRING *dNSName;
+	ASN1_TYPE *x400Address;
+	X509_NAME *directoryName;
+	EDIPARTYNAME *ediPartyName;
+	ASN1_IA5STRING *uniformResourceIdentifier;
+	ASN1_OCTET_STRING *iPAddress;
+	ASN1_OBJECT *registeredID;
+
+	/* Old names */
+	ASN1_OCTET_STRING *ip; /* iPAddress */
+	X509_NAME *dirn;		/* dirn */
+	ASN1_IA5STRING *ia5;/* rfc822Name, dNSName, uniformResourceIdentifier */
+	ASN1_OBJECT *rid; /* registeredID */
+	ASN1_TYPE *other; /* x400Address */
+} d;
+} GENERAL_NAME;
+
+typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
+
+typedef struct ACCESS_DESCRIPTION_st {
+	ASN1_OBJECT *method;
+	GENERAL_NAME *location;
+} ACCESS_DESCRIPTION;
+
+typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
+
+typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
+
+DECLARE_STACK_OF(GENERAL_NAME)
+
+DECLARE_STACK_OF(ACCESS_DESCRIPTION)
+
+typedef struct DIST_POINT_NAME_st {
+int type;
+union {
+	GENERAL_NAMES *fullname;
+	STACK_OF(X509_NAME_ENTRY) *relativename;
+} name;
+/* If relativename then this contains the full distribution point name */
+X509_NAME *dpname;
+} DIST_POINT_NAME;
+/* All existing reasons */
+#define CRLDP_ALL_REASONS	0x807f
+
+#define CRL_REASON_NONE				-1
+#define CRL_REASON_UNSPECIFIED			0
+#define CRL_REASON_KEY_COMPROMISE		1
+#define CRL_REASON_CA_COMPROMISE		2
+#define CRL_REASON_AFFILIATION_CHANGED		3
+#define CRL_REASON_SUPERSEDED			4
+#define CRL_REASON_CESSATION_OF_OPERATION	5
+#define CRL_REASON_CERTIFICATE_HOLD		6
+#define CRL_REASON_REMOVE_FROM_CRL		8
+#define CRL_REASON_PRIVILEGE_WITHDRAWN		9
+#define CRL_REASON_AA_COMPROMISE		10
+
+struct DIST_POINT_st {
+DIST_POINT_NAME	*distpoint;
+ASN1_BIT_STRING *reasons;
+GENERAL_NAMES *CRLissuer;
+int dp_reasons;
+};
+
+typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
+
+DECLARE_STACK_OF(DIST_POINT)
+
+struct AUTHORITY_KEYID_st {
+ASN1_OCTET_STRING *keyid;
+GENERAL_NAMES *issuer;
+ASN1_INTEGER *serial;
+};
+
+/* Strong extranet structures */
+
+typedef struct SXNET_ID_st {
+	ASN1_INTEGER *zone;
+	ASN1_OCTET_STRING *user;
+} SXNETID;
+
+DECLARE_STACK_OF(SXNETID)
+
+typedef struct SXNET_st {
+	ASN1_INTEGER *version;
+	STACK_OF(SXNETID) *ids;
+} SXNET;
+
+typedef struct NOTICEREF_st {
+	ASN1_STRING *organization;
+	STACK_OF(ASN1_INTEGER) *noticenos;
+} NOTICEREF;
+
+typedef struct USERNOTICE_st {
+	NOTICEREF *noticeref;
+	ASN1_STRING *exptext;
+} USERNOTICE;
+
+typedef struct POLICYQUALINFO_st {
+	ASN1_OBJECT *pqualid;
+	union {
+		ASN1_IA5STRING *cpsuri;
+		USERNOTICE *usernotice;
+		ASN1_TYPE *other;
+	} d;
+} POLICYQUALINFO;
+
+DECLARE_STACK_OF(POLICYQUALINFO)
+
+typedef struct POLICYINFO_st {
+	ASN1_OBJECT *policyid;
+	STACK_OF(POLICYQUALINFO) *qualifiers;
+} POLICYINFO;
+
+typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
+
+DECLARE_STACK_OF(POLICYINFO)
+
+typedef struct POLICY_MAPPING_st {
+	ASN1_OBJECT *issuerDomainPolicy;
+	ASN1_OBJECT *subjectDomainPolicy;
+} POLICY_MAPPING;
+
+DECLARE_STACK_OF(POLICY_MAPPING)
+
+typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
+
+typedef struct GENERAL_SUBTREE_st {
+	GENERAL_NAME *base;
+	ASN1_INTEGER *minimum;
+	ASN1_INTEGER *maximum;
+} GENERAL_SUBTREE;
+
+DECLARE_STACK_OF(GENERAL_SUBTREE)
+
+struct NAME_CONSTRAINTS_st {
+	STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
+	STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
+};
+
+typedef struct POLICY_CONSTRAINTS_st {
+	ASN1_INTEGER *requireExplicitPolicy;
+	ASN1_INTEGER *inhibitPolicyMapping;
+} POLICY_CONSTRAINTS;
+
+/* Proxy certificate structures, see RFC 3820 */
+typedef struct PROXY_POLICY_st
+	{
+	ASN1_OBJECT *policyLanguage;
+	ASN1_OCTET_STRING *policy;
+	} PROXY_POLICY;
+
+typedef struct PROXY_CERT_INFO_EXTENSION_st
+	{
+	ASN1_INTEGER *pcPathLengthConstraint;
+	PROXY_POLICY *proxyPolicy;
+	} PROXY_CERT_INFO_EXTENSION;
+
+PROXY_POLICY *PROXY_POLICY_new(void);
+void PROXY_POLICY_free(PROXY_POLICY *a);
+PROXY_POLICY *d2i_PROXY_POLICY(PROXY_POLICY **a, const unsigned char **in, long len);
+int i2d_PROXY_POLICY(PROXY_POLICY *a, unsigned char **out);
+extern const ASN1_ITEM PROXY_POLICY_it;
+PROXY_CERT_INFO_EXTENSION *PROXY_CERT_INFO_EXTENSION_new(void);
+void PROXY_CERT_INFO_EXTENSION_free(PROXY_CERT_INFO_EXTENSION *a);
+PROXY_CERT_INFO_EXTENSION *d2i_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION **a, const unsigned char **in, long len);
+int i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION *a, unsigned char **out);
+extern const ASN1_ITEM PROXY_CERT_INFO_EXTENSION_it;
+
+struct ISSUING_DIST_POINT_st
+	{
+	DIST_POINT_NAME *distpoint;
+	int onlyuser;
+	int onlyCA;
+	ASN1_BIT_STRING *onlysomereasons;
+	int indirectCRL;
+	int onlyattr;
+	};
+
+/* Values in idp_flags field */
+/* IDP present */
+#define	IDP_PRESENT	0x1
+/* IDP values inconsistent */
+#define IDP_INVALID	0x2
+/* onlyuser true */
+#define	IDP_ONLYUSER	0x4
+/* onlyCA true */
+#define	IDP_ONLYCA	0x8
+/* onlyattr true */
+#define IDP_ONLYATTR	0x10
+/* indirectCRL true */
+#define IDP_INDIRECT	0x20
+/* onlysomereasons present */
+#define IDP_REASONS	0x40
+
+#define X509V3_conf_err(val) ERR_asprintf_error_data( \
+			"section:%s,name:%s,value:%s", val->section, \
+			val->name, val->value);
+
+#define X509V3_set_ctx_test(ctx) \
+			X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
+#define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
+
+#define EXT_BITSTRING(nid, table) { nid, 0, &ASN1_BIT_STRING_it, \
+			0,0,0,0, \
+			0,0, \
+			(X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
+			(X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
+			NULL, NULL, \
+			table}
+
+#define EXT_IA5STRING(nid) { nid, 0, &ASN1_IA5STRING_it, \
+			0,0,0,0, \
+			(X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
+			(X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
+			0,0,0,0, \
+			NULL}
+
+#define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
+
+
+/* X509_PURPOSE stuff */
+
+#define EXFLAG_BCONS		0x0001
+#define EXFLAG_KUSAGE		0x0002
+#define EXFLAG_XKUSAGE		0x0004
+#define EXFLAG_NSCERT		0x0008
+
+#define EXFLAG_CA		0x0010
+#define EXFLAG_SI		0x0020  /* Self issued. */
+#define EXFLAG_V1		0x0040
+#define EXFLAG_INVALID		0x0080
+#define EXFLAG_SET		0x0100
+#define EXFLAG_CRITICAL		0x0200
+#define EXFLAG_PROXY		0x0400
+#define EXFLAG_INVALID_POLICY	0x0800
+#define EXFLAG_FRESHEST		0x1000
+#define EXFLAG_SS               0x2000	/* Self signed. */
+
+#define KU_DIGITAL_SIGNATURE	0x0080
+#define KU_NON_REPUDIATION	0x0040
+#define KU_KEY_ENCIPHERMENT	0x0020
+#define KU_DATA_ENCIPHERMENT	0x0010
+#define KU_KEY_AGREEMENT	0x0008
+#define KU_KEY_CERT_SIGN	0x0004
+#define KU_CRL_SIGN		0x0002
+#define KU_ENCIPHER_ONLY	0x0001
+#define KU_DECIPHER_ONLY	0x8000
+
+#define NS_SSL_CLIENT		0x80
+#define NS_SSL_SERVER		0x40
+#define NS_SMIME		0x20
+#define NS_OBJSIGN		0x10
+#define NS_SSL_CA		0x04
+#define NS_SMIME_CA		0x02
+#define NS_OBJSIGN_CA		0x01
+#define NS_ANY_CA		(NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
+
+#define XKU_SSL_SERVER		0x1	
+#define XKU_SSL_CLIENT		0x2
+#define XKU_SMIME		0x4
+#define XKU_CODE_SIGN		0x8
+#define XKU_SGC			0x10
+#define XKU_OCSP_SIGN		0x20
+#define XKU_TIMESTAMP		0x40
+#define XKU_DVCS		0x80
+
+#define X509_PURPOSE_DYNAMIC	0x1
+#define X509_PURPOSE_DYNAMIC_NAME	0x2
+
+typedef struct x509_purpose_st {
+	int purpose;
+	int trust;		/* Default trust ID */
+	int flags;
+	int (*check_purpose)(const struct x509_purpose_st *,
+				const X509 *, int);
+	char *name;
+	char *sname;
+	void *usr_data;
+} X509_PURPOSE;
+
+#define X509_PURPOSE_SSL_CLIENT		1
+#define X509_PURPOSE_SSL_SERVER		2
+#define X509_PURPOSE_NS_SSL_SERVER	3
+#define X509_PURPOSE_SMIME_SIGN		4
+#define X509_PURPOSE_SMIME_ENCRYPT	5
+#define X509_PURPOSE_CRL_SIGN		6
+#define X509_PURPOSE_ANY		7
+#define X509_PURPOSE_OCSP_HELPER	8
+#define X509_PURPOSE_TIMESTAMP_SIGN	9
+
+#define X509_PURPOSE_MIN		1
+#define X509_PURPOSE_MAX		9
+
+/* Flags for X509V3_EXT_print() */
+
+#define X509V3_EXT_UNKNOWN_MASK		(0xfL << 16)
+/* Return error for unknown extensions */
+#define X509V3_EXT_DEFAULT		0
+/* Print error for unknown extensions */
+#define X509V3_EXT_ERROR_UNKNOWN	(1L << 16)
+/* ASN1 parse unknown extensions */
+#define X509V3_EXT_PARSE_UNKNOWN	(2L << 16)
+/* BIO_dump unknown extensions */
+#define X509V3_EXT_DUMP_UNKNOWN		(3L << 16)
+
+/* Flags for X509V3_add1_i2d */
+
+#define X509V3_ADD_OP_MASK		0xfL
+#define X509V3_ADD_DEFAULT		0L
+#define X509V3_ADD_APPEND		1L
+#define X509V3_ADD_REPLACE		2L
+#define X509V3_ADD_REPLACE_EXISTING	3L
+#define X509V3_ADD_KEEP_EXISTING	4L
+#define X509V3_ADD_DELETE		5L
+#define X509V3_ADD_SILENT		0x10
+
+DECLARE_STACK_OF(X509_PURPOSE)
+
+BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void);
+void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a);
+BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a, const unsigned char **in, long len);
+int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **out);
+extern const ASN1_ITEM BASIC_CONSTRAINTS_it;
+
+SXNET *SXNET_new(void);
+void SXNET_free(SXNET *a);
+SXNET *d2i_SXNET(SXNET **a, const unsigned char **in, long len);
+int i2d_SXNET(SXNET *a, unsigned char **out);
+extern const ASN1_ITEM SXNET_it;
+SXNETID *SXNETID_new(void);
+void SXNETID_free(SXNETID *a);
+SXNETID *d2i_SXNETID(SXNETID **a, const unsigned char **in, long len);
+int i2d_SXNETID(SXNETID *a, unsigned char **out);
+extern const ASN1_ITEM SXNETID_it;
+
+int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user,
+    int userlen); 
+int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
+    int userlen); 
+int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, const char *user,
+    int userlen); 
+
+ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, const char *zone);
+ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
+ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
+
+AUTHORITY_KEYID *AUTHORITY_KEYID_new(void);
+void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a);
+AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, const unsigned char **in, long len);
+int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **out);
+extern const ASN1_ITEM AUTHORITY_KEYID_it;
+
+PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new(void);
+void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a);
+PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a, const unsigned char **in, long len);
+int i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **out);
+extern const ASN1_ITEM PKEY_USAGE_PERIOD_it;
+
+GENERAL_NAME *GENERAL_NAME_new(void);
+void GENERAL_NAME_free(GENERAL_NAME *a);
+GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **a, const unsigned char **in, long len);
+int i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **out);
+extern const ASN1_ITEM GENERAL_NAME_it;
+GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
+int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
+
+
+
+ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
+				ASN1_BIT_STRING *bits,
+				STACK_OF(CONF_VALUE) *extlist);
+
+STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret);
+int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
+
+GENERAL_NAMES *GENERAL_NAMES_new(void);
+void GENERAL_NAMES_free(GENERAL_NAMES *a);
+GENERAL_NAMES *d2i_GENERAL_NAMES(GENERAL_NAMES **a, const unsigned char **in, long len);
+int i2d_GENERAL_NAMES(GENERAL_NAMES *a, unsigned char **out);
+extern const ASN1_ITEM GENERAL_NAMES_it;
+
+STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
+		GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist);
+GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
+				 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
+
+OTHERNAME *OTHERNAME_new(void);
+void OTHERNAME_free(OTHERNAME *a);
+OTHERNAME *d2i_OTHERNAME(OTHERNAME **a, const unsigned char **in, long len);
+int i2d_OTHERNAME(OTHERNAME *a, unsigned char **out);
+extern const ASN1_ITEM OTHERNAME_it;
+EDIPARTYNAME *EDIPARTYNAME_new(void);
+void EDIPARTYNAME_free(EDIPARTYNAME *a);
+EDIPARTYNAME *d2i_EDIPARTYNAME(EDIPARTYNAME **a, const unsigned char **in, long len);
+int i2d_EDIPARTYNAME(EDIPARTYNAME *a, unsigned char **out);
+extern const ASN1_ITEM EDIPARTYNAME_it;
+int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
+void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
+void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype);
+int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
+				ASN1_OBJECT *oid, ASN1_TYPE *value);
+int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, 
+				ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
+
+char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
+    const ASN1_OCTET_STRING *ia5);
+ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
+    X509V3_CTX *ctx, const char *str);
+
+EXTENDED_KEY_USAGE *EXTENDED_KEY_USAGE_new(void);
+void EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *a);
+EXTENDED_KEY_USAGE *d2i_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE **a, const unsigned char **in, long len);
+int i2d_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE *a, unsigned char **out);
+extern const ASN1_ITEM EXTENDED_KEY_USAGE_it;
+int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION* a);
+
+CERTIFICATEPOLICIES *CERTIFICATEPOLICIES_new(void);
+void CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *a);
+CERTIFICATEPOLICIES *d2i_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES **a, const unsigned char **in, long len);
+int i2d_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES *a, unsigned char **out);
+extern const ASN1_ITEM CERTIFICATEPOLICIES_it;
+POLICYINFO *POLICYINFO_new(void);
+void POLICYINFO_free(POLICYINFO *a);
+POLICYINFO *d2i_POLICYINFO(POLICYINFO **a, const unsigned char **in, long len);
+int i2d_POLICYINFO(POLICYINFO *a, unsigned char **out);
+extern const ASN1_ITEM POLICYINFO_it;
+POLICYQUALINFO *POLICYQUALINFO_new(void);
+void POLICYQUALINFO_free(POLICYQUALINFO *a);
+POLICYQUALINFO *d2i_POLICYQUALINFO(POLICYQUALINFO **a, const unsigned char **in, long len);
+int i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **out);
+extern const ASN1_ITEM POLICYQUALINFO_it;
+USERNOTICE *USERNOTICE_new(void);
+void USERNOTICE_free(USERNOTICE *a);
+USERNOTICE *d2i_USERNOTICE(USERNOTICE **a, const unsigned char **in, long len);
+int i2d_USERNOTICE(USERNOTICE *a, unsigned char **out);
+extern const ASN1_ITEM USERNOTICE_it;
+NOTICEREF *NOTICEREF_new(void);
+void NOTICEREF_free(NOTICEREF *a);
+NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, const unsigned char **in, long len);
+int i2d_NOTICEREF(NOTICEREF *a, unsigned char **out);
+extern const ASN1_ITEM NOTICEREF_it;
+
+CRL_DIST_POINTS *CRL_DIST_POINTS_new(void);
+void CRL_DIST_POINTS_free(CRL_DIST_POINTS *a);
+CRL_DIST_POINTS *d2i_CRL_DIST_POINTS(CRL_DIST_POINTS **a, const unsigned char **in, long len);
+int i2d_CRL_DIST_POINTS(CRL_DIST_POINTS *a, unsigned char **out);
+extern const ASN1_ITEM CRL_DIST_POINTS_it;
+DIST_POINT *DIST_POINT_new(void);
+void DIST_POINT_free(DIST_POINT *a);
+DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, const unsigned char **in, long len);
+int i2d_DIST_POINT(DIST_POINT *a, unsigned char **out);
+extern const ASN1_ITEM DIST_POINT_it;
+DIST_POINT_NAME *DIST_POINT_NAME_new(void);
+void DIST_POINT_NAME_free(DIST_POINT_NAME *a);
+DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, const unsigned char **in, long len);
+int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **out);
+extern const ASN1_ITEM DIST_POINT_NAME_it;
+ISSUING_DIST_POINT *ISSUING_DIST_POINT_new(void);
+void ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *a);
+ISSUING_DIST_POINT *d2i_ISSUING_DIST_POINT(ISSUING_DIST_POINT **a, const unsigned char **in, long len);
+int i2d_ISSUING_DIST_POINT(ISSUING_DIST_POINT *a, unsigned char **out);
+extern const ASN1_ITEM ISSUING_DIST_POINT_it;
+
+int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
+
+int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
+
+ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void);
+void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a);
+ACCESS_DESCRIPTION *d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, const unsigned char **in, long len);
+int i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **out);
+extern const ASN1_ITEM ACCESS_DESCRIPTION_it;
+AUTHORITY_INFO_ACCESS *AUTHORITY_INFO_ACCESS_new(void);
+void AUTHORITY_INFO_ACCESS_free(AUTHORITY_INFO_ACCESS *a);
+AUTHORITY_INFO_ACCESS *d2i_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS **a, const unsigned char **in, long len);
+int i2d_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS *a, unsigned char **out);
+extern const ASN1_ITEM AUTHORITY_INFO_ACCESS_it;
+
+extern const ASN1_ITEM POLICY_MAPPING_it;
+POLICY_MAPPING *POLICY_MAPPING_new(void);
+void POLICY_MAPPING_free(POLICY_MAPPING *a);
+extern const ASN1_ITEM POLICY_MAPPINGS_it;
+
+extern const ASN1_ITEM GENERAL_SUBTREE_it;
+GENERAL_SUBTREE *GENERAL_SUBTREE_new(void);
+void GENERAL_SUBTREE_free(GENERAL_SUBTREE *a);
+
+extern const ASN1_ITEM NAME_CONSTRAINTS_it;
+NAME_CONSTRAINTS *NAME_CONSTRAINTS_new(void);
+void NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *a);
+
+POLICY_CONSTRAINTS *POLICY_CONSTRAINTS_new(void);
+void POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *a);
+extern const ASN1_ITEM POLICY_CONSTRAINTS_it;
+
+GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
+			       const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+			       int gen_type, const char *value, int is_nc);
+
+#ifdef HEADER_CONF_H
+GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
+			       CONF_VALUE *cnf);
+GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
+				  const X509V3_EXT_METHOD *method,
+				  X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
+void X509V3_conf_free(CONF_VALUE *val);
+
+X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
+    const char *value);
+X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
+    const char *value);
+int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
+    STACK_OF(X509_EXTENSION) **sk);
+int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
+    X509 *cert);
+int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
+    X509_REQ *req);
+int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
+    X509_CRL *crl);
+
+X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+    int ext_nid, const char *value);
+X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+    const char *name, const char *value);
+int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+    const char *section, X509 *cert);
+int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+    const char *section, X509_REQ *req);
+int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
+    const char *section, X509_CRL *crl);
+
+int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
+			     STACK_OF(CONF_VALUE) **extlist);
+int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool);
+int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint);
+void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
+void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
+#endif
+
+char *X509V3_get_string(X509V3_CTX *ctx, const char *name,
+    const char *section);
+STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section);
+void X509V3_string_free(X509V3_CTX *ctx, char *str);
+void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
+void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
+				 X509_REQ *req, X509_CRL *crl, int flags);
+
+int X509V3_add_value(const char *name, const char *value,
+						STACK_OF(CONF_VALUE) **extlist);
+int X509V3_add_value_uchar(const char *name, const unsigned char *value,
+						STACK_OF(CONF_VALUE) **extlist);
+int X509V3_add_value_bool(const char *name, int asn1_bool,
+						STACK_OF(CONF_VALUE) **extlist);
+int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
+						STACK_OF(CONF_VALUE) **extlist);
+char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const ASN1_INTEGER *aint);
+ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const char *value);
+char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, const ASN1_ENUMERATED *aint);
+char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth,
+    const ASN1_ENUMERATED *aint);
+int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
+int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
+int X509V3_EXT_add_alias(int nid_to, int nid_from);
+void X509V3_EXT_cleanup(void);
+
+const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
+const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
+int X509V3_add_standard_extensions(void);
+STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
+void *X509V3_EXT_d2i(X509_EXTENSION *ext);
+void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
+    int *idx);
+
+
+X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
+int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags);
+
+char *hex_to_string(const unsigned char *buffer, long len);
+unsigned char *string_to_hex(const char *str, long *len);
+int name_cmp(const char *name, const char *cmp);
+
+void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
+								 int ml);
+int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent);
+int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
+
+int X509V3_extensions_print(BIO *out, const char *title,
+    const STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
+
+int X509_check_ca(X509 *x);
+int X509_check_purpose(X509 *x, int id, int ca);
+int X509_supported_extension(X509_EXTENSION *ex);
+int X509_PURPOSE_set(int *p, int purpose);
+int X509_check_issued(X509 *issuer, X509 *subject);
+int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
+int X509_PURPOSE_get_count(void);
+X509_PURPOSE * X509_PURPOSE_get0(int idx);
+int X509_PURPOSE_get_by_sname(const char *sname);
+int X509_PURPOSE_get_by_id(int id);
+int X509_PURPOSE_add(int id, int trust, int flags,
+			int (*ck)(const X509_PURPOSE *, const X509 *, int),
+			const char *name, const char *sname, void *arg);
+char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
+char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
+int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
+void X509_PURPOSE_cleanup(void);
+int X509_PURPOSE_get_id(const X509_PURPOSE *);
+
+STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
+STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
+void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
+STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
+
+/* Flags for X509_check_* functions */
+/* Always check subject name for host match even if subject alt names present */
+#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT	0x1
+/* Disable wildcard matching for dnsName fields and common name. */
+#define X509_CHECK_FLAG_NO_WILDCARDS	0x2
+/* Wildcards must not match a partial label. */
+#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4
+/* Allow (non-partial) wildcards to match multiple labels. */
+#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
+/* Constraint verifier subdomain patterns to match a single labels. */
+#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
+
+/*
+ * Match reference identifiers starting with "." to any sub-domain.
+ * This is a non-public flag, turned on implicitly when the subject
+ * reference identity is a DNS name.
+ */
+#define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
+
+int X509_check_host(X509 *x, const char *chk, size_t chklen,
+    unsigned int flags, char **peername);
+int X509_check_email(X509 *x, const char *chk, size_t chklen,
+    unsigned int flags);
+int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
+    unsigned int flags);
+int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags);
+
+ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
+ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
+int a2i_ipadd(unsigned char *ipout, const char *ipasc);
+int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
+						unsigned long chtype);
+
+void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
+DECLARE_STACK_OF(X509_POLICY_NODE)
+
+
+/* BEGIN ERROR CODES */
+/* The following lines are auto generated by the script mkerr.pl. Any changes
+ * made after this point may be overwritten when the script is next run.
+ */
+void ERR_load_X509V3_strings(void);
+
+/* Error codes for the X509V3 functions. */
+
+/* Function codes. */
+#define X509V3_F_A2I_GENERAL_NAME			 164
+#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE		 161
+#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL	 162
+#define X509V3_F_COPY_EMAIL				 122
+#define X509V3_F_COPY_ISSUER				 123
+#define X509V3_F_DO_DIRNAME				 144
+#define X509V3_F_DO_EXT_CONF				 124
+#define X509V3_F_DO_EXT_I2D				 135
+#define X509V3_F_DO_EXT_NCONF				 151
+#define X509V3_F_DO_I2V_NAME_CONSTRAINTS		 148
+#define X509V3_F_GNAMES_FROM_SECTNAME			 156
+#define X509V3_F_HEX_TO_STRING				 111
+#define X509V3_F_I2S_ASN1_ENUMERATED			 121
+#define X509V3_F_I2S_ASN1_IA5STRING			 149
+#define X509V3_F_I2S_ASN1_INTEGER			 120
+#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS		 138
+#define X509V3_F_NOTICE_SECTION				 132
+#define X509V3_F_NREF_NOS				 133
+#define X509V3_F_POLICY_SECTION				 131
+#define X509V3_F_PROCESS_PCI_VALUE			 150
+#define X509V3_F_R2I_CERTPOL				 130
+#define X509V3_F_R2I_PCI				 155
+#define X509V3_F_S2I_ASN1_IA5STRING			 100
+#define X509V3_F_S2I_ASN1_INTEGER			 108
+#define X509V3_F_S2I_ASN1_OCTET_STRING			 112
+#define X509V3_F_S2I_ASN1_SKEY_ID			 114
+#define X509V3_F_S2I_SKEY_ID				 115
+#define X509V3_F_SET_DIST_POINT_NAME			 158
+#define X509V3_F_STRING_TO_HEX				 113
+#define X509V3_F_SXNET_ADD_ID_ASC			 125
+#define X509V3_F_SXNET_ADD_ID_INTEGER			 126
+#define X509V3_F_SXNET_ADD_ID_ULONG			 127
+#define X509V3_F_SXNET_GET_ID_ASC			 128
+#define X509V3_F_SXNET_GET_ID_ULONG			 129
+#define X509V3_F_V2I_ASIDENTIFIERS			 163
+#define X509V3_F_V2I_ASN1_BIT_STRING			 101
+#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS		 139
+#define X509V3_F_V2I_AUTHORITY_KEYID			 119
+#define X509V3_F_V2I_BASIC_CONSTRAINTS			 102
+#define X509V3_F_V2I_CRLD				 134
+#define X509V3_F_V2I_EXTENDED_KEY_USAGE			 103
+#define X509V3_F_V2I_GENERAL_NAMES			 118
+#define X509V3_F_V2I_GENERAL_NAME_EX			 117
+#define X509V3_F_V2I_IDP				 157
+#define X509V3_F_V2I_IPADDRBLOCKS			 159
+#define X509V3_F_V2I_ISSUER_ALT				 153
+#define X509V3_F_V2I_NAME_CONSTRAINTS			 147
+#define X509V3_F_V2I_POLICY_CONSTRAINTS			 146
+#define X509V3_F_V2I_POLICY_MAPPINGS			 145
+#define X509V3_F_V2I_SUBJECT_ALT			 154
+#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL		 160
+#define X509V3_F_V3_GENERIC_EXTENSION			 116
+#define X509V3_F_X509V3_ADD1_I2D			 140
+#define X509V3_F_X509V3_ADD_VALUE			 105
+#define X509V3_F_X509V3_EXT_ADD				 104
+#define X509V3_F_X509V3_EXT_ADD_ALIAS			 106
+#define X509V3_F_X509V3_EXT_CONF			 107
+#define X509V3_F_X509V3_EXT_I2D				 136
+#define X509V3_F_X509V3_EXT_NCONF			 152
+#define X509V3_F_X509V3_GET_SECTION			 142
+#define X509V3_F_X509V3_GET_STRING			 143
+#define X509V3_F_X509V3_GET_VALUE_BOOL			 110
+#define X509V3_F_X509V3_PARSE_LIST			 109
+#define X509V3_F_X509_PURPOSE_ADD			 137
+#define X509V3_F_X509_PURPOSE_SET			 141
+
+/* Reason codes. */
+#define X509V3_R_BAD_IP_ADDRESS				 118
+#define X509V3_R_BAD_OBJECT				 119
+#define X509V3_R_BN_DEC2BN_ERROR			 100
+#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR		 101
+#define X509V3_R_DIRNAME_ERROR				 149
+#define X509V3_R_DISTPOINT_ALREADY_SET			 160
+#define X509V3_R_DUPLICATE_ZONE_ID			 133
+#define X509V3_R_ERROR_CONVERTING_ZONE			 131
+#define X509V3_R_ERROR_CREATING_EXTENSION		 144
+#define X509V3_R_ERROR_IN_EXTENSION			 128
+#define X509V3_R_EXPECTED_A_SECTION_NAME		 137
+#define X509V3_R_EXTENSION_EXISTS			 145
+#define X509V3_R_EXTENSION_NAME_ERROR			 115
+#define X509V3_R_EXTENSION_NOT_FOUND			 102
+#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED	 103
+#define X509V3_R_EXTENSION_VALUE_ERROR			 116
+#define X509V3_R_ILLEGAL_EMPTY_EXTENSION		 151
+#define X509V3_R_ILLEGAL_HEX_DIGIT			 113
+#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG		 152
+#define X509V3_R_INVALID_MULTIPLE_RDNS			 161
+#define X509V3_R_INVALID_ASNUMBER			 162
+#define X509V3_R_INVALID_ASRANGE			 163
+#define X509V3_R_INVALID_BOOLEAN_STRING			 104
+#define X509V3_R_INVALID_EXTENSION_STRING		 105
+#define X509V3_R_INVALID_INHERITANCE			 165
+#define X509V3_R_INVALID_IPADDRESS			 166
+#define X509V3_R_INVALID_NAME				 106
+#define X509V3_R_INVALID_NULL_ARGUMENT			 107
+#define X509V3_R_INVALID_NULL_NAME			 108
+#define X509V3_R_INVALID_NULL_VALUE			 109
+#define X509V3_R_INVALID_NUMBER				 140
+#define X509V3_R_INVALID_NUMBERS			 141
+#define X509V3_R_INVALID_OBJECT_IDENTIFIER		 110
+#define X509V3_R_INVALID_OPTION				 138
+#define X509V3_R_INVALID_POLICY_IDENTIFIER		 134
+#define X509V3_R_INVALID_PROXY_POLICY_SETTING		 153
+#define X509V3_R_INVALID_PURPOSE			 146
+#define X509V3_R_INVALID_SAFI				 164
+#define X509V3_R_INVALID_SECTION			 135
+#define X509V3_R_INVALID_SYNTAX				 143
+#define X509V3_R_ISSUER_DECODE_ERROR			 126
+#define X509V3_R_MISSING_VALUE				 124
+#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS		 142
+#define X509V3_R_NO_CONFIG_DATABASE			 136
+#define X509V3_R_NO_ISSUER_CERTIFICATE			 121
+#define X509V3_R_NO_ISSUER_DETAILS			 127
+#define X509V3_R_NO_POLICY_IDENTIFIER			 139
+#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED	 154
+#define X509V3_R_NO_PUBLIC_KEY				 114
+#define X509V3_R_NO_SUBJECT_DETAILS			 125
+#define X509V3_R_ODD_NUMBER_OF_DIGITS			 112
+#define X509V3_R_OPERATION_NOT_DEFINED			 148
+#define X509V3_R_OTHERNAME_ERROR			 147
+#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED	 155
+#define X509V3_R_POLICY_PATH_LENGTH			 156
+#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED	 157
+#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED	 158
+#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
+#define X509V3_R_SECTION_NOT_FOUND			 150
+#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS		 122
+#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID		 123
+#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT		 111
+#define X509V3_R_UNKNOWN_EXTENSION			 129
+#define X509V3_R_UNKNOWN_EXTENSION_NAME			 130
+#define X509V3_R_UNKNOWN_OPTION				 120
+#define X509V3_R_UNSUPPORTED_OPTION			 117
+#define X509V3_R_UNSUPPORTED_TYPE			 167
+#define X509V3_R_USER_TOO_LONG				 132
+
+#ifdef  __cplusplus
+}
+#endif
+#endif
diff --git a/src/lib/libcrypto/x509v3/ext_dat.h b/src/lib/libcrypto/x509v3/ext_dat.h
deleted file mode 100644
index 1bacb0d5a1..0000000000
--- a/src/lib/libcrypto/x509v3/ext_dat.h
+++ /dev/null
@@ -1,133 +0,0 @@
-/* $OpenBSD: ext_dat.h,v 1.13 2016/12/21 15:49:29 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/opensslconf.h>
-
-__BEGIN_HIDDEN_DECLS
-
-/* This file contains a table of "standard" extensions */
-
-extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku;
-extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo;
-extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id;
-extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate;
-extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl;
-extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff;
-extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc;
-extern X509V3_EXT_METHOD v3_crl_hold, v3_pci;
-extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints;
-extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp;
-extern X509V3_EXT_METHOD v3_addr, v3_asid;
-
-/* This table will be searched using OBJ_bsearch so it *must* kept in
- * order of the ext_nid values.
- */
-
-static const X509V3_EXT_METHOD *standard_exts[] = {
-	&v3_nscert,
-	&v3_ns_ia5_list[0],
-	&v3_ns_ia5_list[1],
-	&v3_ns_ia5_list[2],
-	&v3_ns_ia5_list[3],
-	&v3_ns_ia5_list[4],
-	&v3_ns_ia5_list[5],
-	&v3_ns_ia5_list[6],
-	&v3_skey_id,
-	&v3_key_usage,
-	&v3_pkey_usage_period,
-	&v3_alt[0],
-	&v3_alt[1],
-	&v3_bcons,
-	&v3_crl_num,
-	&v3_cpols,
-	&v3_akey_id,
-	&v3_crld,
-	&v3_ext_ku,
-	&v3_delta_crl,
-	&v3_crl_reason,
-#ifndef OPENSSL_NO_OCSP
-	&v3_crl_invdate,
-#endif
-	&v3_sxnet,
-	&v3_info,
-#ifndef OPENSSL_NO_OCSP
-	&v3_ocsp_nonce,
-	&v3_ocsp_crlid,
-	&v3_ocsp_accresp,
-	&v3_ocsp_nocheck,
-	&v3_ocsp_acutoff,
-	&v3_ocsp_serviceloc,
-#endif
-	&v3_sinfo,
-	&v3_policy_constraints,
-#ifndef OPENSSL_NO_OCSP
-	&v3_crl_hold,
-#endif
-	&v3_pci,
-	&v3_name_constraints,
-	&v3_policy_mappings,
-	&v3_inhibit_anyp,
-	&v3_idp,
-	&v3_alt[2],
-	&v3_freshest_crl,
-};
-
-/* Number of standard extensions */
-#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *))
-
-__END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/x509v3/pcy_cache.c b/src/lib/libcrypto/x509v3/pcy_cache.c
deleted file mode 100644
index 9c8ba8298b..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_cache.c
+++ /dev/null
@@ -1,271 +0,0 @@
-/* $OpenBSD: pcy_cache.c,v 1.5 2014/07/11 08:44:49 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-static int policy_data_cmp(const X509_POLICY_DATA * const *a,
-    const X509_POLICY_DATA * const *b);
-static int policy_cache_set_int(long *out, ASN1_INTEGER *value);
-
-/* Set cache entry according to CertificatePolicies extension.
- * Note: this destroys the passed CERTIFICATEPOLICIES structure.
- */
-
-static int
-policy_cache_create(X509 *x, CERTIFICATEPOLICIES *policies, int crit)
-{
-	int i;
-	int ret = 0;
-	X509_POLICY_CACHE *cache = x->policy_cache;
-	X509_POLICY_DATA *data = NULL;
-	POLICYINFO *policy;
-
-	if (sk_POLICYINFO_num(policies) == 0)
-		goto bad_policy;
-	cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp);
-	if (!cache->data)
-		goto bad_policy;
-	for (i = 0; i < sk_POLICYINFO_num(policies); i++) {
-		policy = sk_POLICYINFO_value(policies, i);
-		data = policy_data_new(policy, NULL, crit);
-		if (!data)
-			goto bad_policy;
-		/* Duplicate policy OIDs are illegal: reject if matches
-		 * found.
-		 */
-		if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
-			if (cache->anyPolicy) {
-				ret = -1;
-				goto bad_policy;
-			}
-			cache->anyPolicy = data;
-		} else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) {
-			ret = -1;
-			goto bad_policy;
-		} else if (!sk_X509_POLICY_DATA_push(cache->data, data))
-			goto bad_policy;
-		data = NULL;
-	}
-	ret = 1;
-
-bad_policy:
-	if (ret == -1)
-		x->ex_flags |= EXFLAG_INVALID_POLICY;
-	if (data)
-		policy_data_free(data);
-	sk_POLICYINFO_pop_free(policies, POLICYINFO_free);
-	if (ret <= 0) {
-		sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
-		cache->data = NULL;
-	}
-	return ret;
-}
-
-static int
-policy_cache_new(X509 *x)
-{
-	X509_POLICY_CACHE *cache;
-	ASN1_INTEGER *ext_any = NULL;
-	POLICY_CONSTRAINTS *ext_pcons = NULL;
-	CERTIFICATEPOLICIES *ext_cpols = NULL;
-	POLICY_MAPPINGS *ext_pmaps = NULL;
-	int i;
-
-	cache = malloc(sizeof(X509_POLICY_CACHE));
-	if (!cache)
-		return 0;
-	cache->anyPolicy = NULL;
-	cache->data = NULL;
-	cache->any_skip = -1;
-	cache->explicit_skip = -1;
-	cache->map_skip = -1;
-
-	x->policy_cache = cache;
-
-	/* Handle requireExplicitPolicy *first*. Need to process this
-	 * even if we don't have any policies.
-	 */
-	ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL);
-
-	if (!ext_pcons) {
-		if (i != -1)
-			goto bad_cache;
-	} else {
-		if (!ext_pcons->requireExplicitPolicy &&
-		    !ext_pcons->inhibitPolicyMapping)
-			goto bad_cache;
-		if (!policy_cache_set_int(&cache->explicit_skip,
-		    ext_pcons->requireExplicitPolicy))
-			goto bad_cache;
-		if (!policy_cache_set_int(&cache->map_skip,
-		    ext_pcons->inhibitPolicyMapping))
-			goto bad_cache;
-	}
-
-	/* Process CertificatePolicies */
-
-	ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL);
-	/* If no CertificatePolicies extension or problem decoding then
-	 * there is no point continuing because the valid policies will be
-	 * NULL.
-	 */
-	if (!ext_cpols) {
-		/* If not absent some problem with extension */
-		if (i != -1)
-			goto bad_cache;
-		return 1;
-	}
-
-	i = policy_cache_create(x, ext_cpols, i);
-
-	/* NB: ext_cpols freed by policy_cache_set_policies */
-
-	if (i <= 0)
-		return i;
-
-	ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL);
-
-	if (!ext_pmaps) {
-		/* If not absent some problem with extension */
-		if (i != -1)
-			goto bad_cache;
-	} else {
-		i = policy_cache_set_mapping(x, ext_pmaps);
-		if (i <= 0)
-			goto bad_cache;
-	}
-
-	ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL);
-
-	if (!ext_any) {
-		if (i != -1)
-			goto bad_cache;
-	} else if (!policy_cache_set_int(&cache->any_skip, ext_any))
-		goto bad_cache;
-
-	if (0) {
-bad_cache:
-		x->ex_flags |= EXFLAG_INVALID_POLICY;
-	}
-
-	if (ext_pcons)
-		POLICY_CONSTRAINTS_free(ext_pcons);
-
-	if (ext_any)
-		ASN1_INTEGER_free(ext_any);
-
-	return 1;
-}
-
-void
-policy_cache_free(X509_POLICY_CACHE *cache)
-{
-	if (!cache)
-		return;
-	if (cache->anyPolicy)
-		policy_data_free(cache->anyPolicy);
-	if (cache->data)
-		sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free);
-	free(cache);
-}
-
-const X509_POLICY_CACHE *
-policy_cache_set(X509 *x)
-{
-	if (x->policy_cache == NULL) {
-		CRYPTO_w_lock(CRYPTO_LOCK_X509);
-		policy_cache_new(x);
-		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
-	}
-
-	return x->policy_cache;
-}
-
-X509_POLICY_DATA *
-policy_cache_find_data(const X509_POLICY_CACHE *cache, const ASN1_OBJECT *id)
-{
-	int idx;
-	X509_POLICY_DATA tmp;
-
-	tmp.valid_policy = (ASN1_OBJECT *)id;
-	idx = sk_X509_POLICY_DATA_find(cache->data, &tmp);
-	if (idx == -1)
-		return NULL;
-	return sk_X509_POLICY_DATA_value(cache->data, idx);
-}
-
-static int
-policy_data_cmp(const X509_POLICY_DATA * const *a,
-    const X509_POLICY_DATA * const *b)
-{
-	return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy);
-}
-
-static int
-policy_cache_set_int(long *out, ASN1_INTEGER *value)
-{
-	if (value == NULL)
-		return 1;
-	if (value->type == V_ASN1_NEG_INTEGER)
-		return 0;
-	*out = ASN1_INTEGER_get(value);
-	return 1;
-}
diff --git a/src/lib/libcrypto/x509v3/pcy_data.c b/src/lib/libcrypto/x509v3/pcy_data.c
deleted file mode 100644
index b3699b0280..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_data.c
+++ /dev/null
@@ -1,129 +0,0 @@
-/* $OpenBSD: pcy_data.c,v 1.9 2015/07/15 16:53:42 miod Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-/* Policy Node routines */
-
-void
-policy_data_free(X509_POLICY_DATA *data)
-{
-	ASN1_OBJECT_free(data->valid_policy);
-	/* Don't free qualifiers if shared */
-	if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS))
-		sk_POLICYQUALINFO_pop_free(data->qualifier_set,
-		    POLICYQUALINFO_free);
-	sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free);
-	free(data);
-}
-
-/* Create a data based on an existing policy. If 'id' is NULL use the
- * oid in the policy, otherwise use 'id'. This behaviour covers the two
- * types of data in RFC3280: data with from a CertificatePolcies extension
- * and additional data with just the qualifiers of anyPolicy and ID from
- * another source.
- */
-
-X509_POLICY_DATA *
-policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *cid, int crit)
-{
-	X509_POLICY_DATA *ret = NULL;
-	ASN1_OBJECT *id = NULL;
-
-	if (policy == NULL && cid == NULL)
-		return NULL;
-	if (cid != NULL) {
-		id = OBJ_dup(cid);
-		if (id == NULL)
-			return NULL;
-	}
-	ret = malloc(sizeof(X509_POLICY_DATA));
-	if (ret == NULL)
-		goto err;
-	ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
-	if (ret->expected_policy_set == NULL)
-		goto err;
-
-	if (crit)
-		ret->flags = POLICY_DATA_FLAG_CRITICAL;
-	else
-		ret->flags = 0;
-
-	if (id != NULL)
-		ret->valid_policy = id;
-	else {
-		ret->valid_policy = policy->policyid;
-		policy->policyid = NULL;
-	}
-
-	if (policy != NULL) {
-		ret->qualifier_set = policy->qualifiers;
-		policy->qualifiers = NULL;
-	} else
-		ret->qualifier_set = NULL;
-
-	return ret;
-
-err:
-	free(ret);
-	ASN1_OBJECT_free(id);
-	return NULL;
-}
diff --git a/src/lib/libcrypto/x509v3/pcy_int.h b/src/lib/libcrypto/x509v3/pcy_int.h
deleted file mode 100644
index 92b94e2911..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_int.h
+++ /dev/null
@@ -1,209 +0,0 @@
-/* $OpenBSD: pcy_int.h,v 1.5 2016/12/21 15:49:29 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-__BEGIN_HIDDEN_DECLS
-
-typedef struct X509_POLICY_DATA_st X509_POLICY_DATA;
-
-DECLARE_STACK_OF(X509_POLICY_DATA)
-
-/* Internal structures */
-
-/* This structure and the field names correspond to the Policy 'node' of
- * RFC3280. NB this structure contains no pointers to parent or child
- * data: X509_POLICY_NODE contains that. This means that the main policy data
- * can be kept static and cached with the certificate.
- */
-
-struct X509_POLICY_DATA_st {
-	unsigned int flags;
-	/* Policy OID and qualifiers for this data */
-	ASN1_OBJECT *valid_policy;
-	STACK_OF(POLICYQUALINFO) *qualifier_set;
-	STACK_OF(ASN1_OBJECT) *expected_policy_set;
-};
-
-/* X509_POLICY_DATA flags values */
-
-/* This flag indicates the structure has been mapped using a policy mapping
- * extension. If policy mapping is not active its references get deleted.
- */
-
-#define POLICY_DATA_FLAG_MAPPED			0x1
-
-/* This flag indicates the data doesn't correspond to a policy in Certificate
- * Policies: it has been mapped to any policy.
- */
-
-#define POLICY_DATA_FLAG_MAPPED_ANY		0x2
-
-/* AND with flags to see if any mapping has occurred */
-
-#define POLICY_DATA_FLAG_MAP_MASK		0x3
-
-/* qualifiers are shared and shouldn't be freed */
-
-#define POLICY_DATA_FLAG_SHARED_QUALIFIERS	0x4
-
-/* Parent node is an extra node and should be freed */
-
-#define POLICY_DATA_FLAG_EXTRA_NODE		0x8
-
-/* Corresponding CertificatePolicies is critical */
-
-#define POLICY_DATA_FLAG_CRITICAL		0x10
-
-/* This structure is cached with a certificate */
-
-struct X509_POLICY_CACHE_st {
-	/* anyPolicy data or NULL if no anyPolicy */
-	X509_POLICY_DATA *anyPolicy;
-	/* other policy data */
-	STACK_OF(X509_POLICY_DATA) *data;
-	/* If InhibitAnyPolicy present this is its value or -1 if absent. */
-	long any_skip;
-	/* If policyConstraints and requireExplicitPolicy present this is its
-	 * value or -1 if absent.
-	 */
-	long explicit_skip;
-	/* If policyConstraints and policyMapping present this is its
-	 * value or -1 if absent.
-         */
-	long map_skip;
-};
-
-/*#define POLICY_CACHE_FLAG_CRITICAL		POLICY_DATA_FLAG_CRITICAL*/
-
-/* This structure represents the relationship between nodes */
-
-struct X509_POLICY_NODE_st {
-	/* node data this refers to */
-	const X509_POLICY_DATA *data;
-	/* Parent node */
-	X509_POLICY_NODE *parent;
-	/* Number of child nodes */
-	int nchild;
-};
-
-struct X509_POLICY_LEVEL_st {
-	/* Cert for this level */
-	X509 *cert;
-	/* nodes at this level */
-	STACK_OF(X509_POLICY_NODE) *nodes;
-	/* anyPolicy node */
-	X509_POLICY_NODE *anyPolicy;
-	/* Extra data */
-	/*STACK_OF(X509_POLICY_DATA) *extra_data;*/
-	unsigned int flags;
-};
-
-struct X509_POLICY_TREE_st {
-	/* This is the tree 'level' data */
-	X509_POLICY_LEVEL *levels;
-	int nlevel;
-	/* Extra policy data when additional nodes (not from the certificate)
-	 * are required.
-	 */
-	STACK_OF(X509_POLICY_DATA) *extra_data;
-	/* This is the authority constained policy set */
-	STACK_OF(X509_POLICY_NODE) *auth_policies;
-	STACK_OF(X509_POLICY_NODE) *user_policies;
-	unsigned int flags;
-};
-
-/* Set if anyPolicy present in user policies */
-#define POLICY_FLAG_ANY_POLICY		0x2
-
-/* Useful macros */
-
-#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL)
-#define node_critical(node) node_data_critical(node->data)
-
-/* Internal functions */
-
-X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id,
-    int crit);
-void policy_data_free(X509_POLICY_DATA *data);
-
-X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache,
-    const ASN1_OBJECT *id);
-int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps);
-
-
-STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void);
-
-void policy_cache_init(void);
-
-void policy_cache_free(X509_POLICY_CACHE *cache);
-
-X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level,
-    const X509_POLICY_NODE *parent, const ASN1_OBJECT *id);
-
-X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk,
-    const ASN1_OBJECT *id);
-
-int level_add_node(X509_POLICY_LEVEL *level,
-    const X509_POLICY_DATA *data, X509_POLICY_NODE *parent,
-    X509_POLICY_TREE *tree, X509_POLICY_NODE **nodep);
-void policy_node_free(X509_POLICY_NODE *node);
-int policy_node_match(const X509_POLICY_LEVEL *lvl,
-    const X509_POLICY_NODE *node, const ASN1_OBJECT *oid);
-
-const X509_POLICY_CACHE *policy_cache_set(X509 *x);
-
-__END_HIDDEN_DECLS
diff --git a/src/lib/libcrypto/x509v3/pcy_lib.c b/src/lib/libcrypto/x509v3/pcy_lib.c
deleted file mode 100644
index 6f37064063..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_lib.c
+++ /dev/null
@@ -1,157 +0,0 @@
-/* $OpenBSD: pcy_lib.c,v 1.5 2015/02/07 13:19:15 doug Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-/* accessor functions */
-
-/* X509_POLICY_TREE stuff */
-
-int
-X509_policy_tree_level_count(const X509_POLICY_TREE *tree)
-{
-	if (!tree)
-		return 0;
-	return tree->nlevel;
-}
-
-X509_POLICY_LEVEL *
-X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i)
-{
-	if (!tree || (i < 0) || (i >= tree->nlevel))
-		return NULL;
-	return tree->levels + i;
-}
-
-STACK_OF(X509_POLICY_NODE) *
-X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree)
-{
-	if (!tree)
-		return NULL;
-	return tree->auth_policies;
-}
-
-STACK_OF(X509_POLICY_NODE) *
-X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree)
-{
-	if (!tree)
-		return NULL;
-	if (tree->flags & POLICY_FLAG_ANY_POLICY)
-		return tree->auth_policies;
-	else
-		return tree->user_policies;
-}
-
-/* X509_POLICY_LEVEL stuff */
-
-int
-X509_policy_level_node_count(X509_POLICY_LEVEL *level)
-{
-	int n;
-	if (!level)
-		return 0;
-	if (level->anyPolicy)
-		n = 1;
-	else
-		n = 0;
-	if (level->nodes)
-		n += sk_X509_POLICY_NODE_num(level->nodes);
-	return n;
-}
-
-X509_POLICY_NODE *
-X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i)
-{
-	if (!level)
-		return NULL;
-	if (level->anyPolicy) {
-		if (i == 0)
-			return level->anyPolicy;
-		i--;
-	}
-	return sk_X509_POLICY_NODE_value(level->nodes, i);
-}
-
-/* X509_POLICY_NODE stuff */
-
-const ASN1_OBJECT *
-X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
-{
-	if (!node)
-		return NULL;
-	return node->data->valid_policy;
-}
-
-STACK_OF(POLICYQUALINFO) *
-X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node)
-{
-	if (!node)
-		return NULL;
-	return node->data->qualifier_set;
-}
-
-const X509_POLICY_NODE *
-X509_policy_node_get0_parent(const X509_POLICY_NODE *node)
-{
-	if (!node)
-		return NULL;
-	return node->parent;
-}
diff --git a/src/lib/libcrypto/x509v3/pcy_map.c b/src/lib/libcrypto/x509v3/pcy_map.c
deleted file mode 100644
index 6ee1ffe895..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_map.c
+++ /dev/null
@@ -1,126 +0,0 @@
-/* $OpenBSD: pcy_map.c,v 1.4 2014/07/11 08:44:49 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-/* Set policy mapping entries in cache.
- * Note: this modifies the passed POLICY_MAPPINGS structure
- */
-
-int
-policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
-{
-	POLICY_MAPPING *map;
-	X509_POLICY_DATA *data;
-	X509_POLICY_CACHE *cache = x->policy_cache;
-	int i;
-	int ret = 0;
-
-	if (sk_POLICY_MAPPING_num(maps) == 0) {
-		ret = -1;
-		goto bad_mapping;
-	}
-	for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) {
-		map = sk_POLICY_MAPPING_value(maps, i);
-		/* Reject if map to or from anyPolicy */
-		if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy) ||
-		    (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) {
-			ret = -1;
-			goto bad_mapping;
-		}
-
-		/* Attempt to find matching policy data */
-		data = policy_cache_find_data(cache, map->issuerDomainPolicy);
-		/* If we don't have anyPolicy can't map */
-		if (!data && !cache->anyPolicy)
-			continue;
-
-		/* Create a NODE from anyPolicy */
-		if (!data) {
-			data = policy_data_new(NULL, map->issuerDomainPolicy,
-			    cache->anyPolicy->flags &
-			    POLICY_DATA_FLAG_CRITICAL);
-			if (!data)
-				goto bad_mapping;
-			data->qualifier_set = cache->anyPolicy->qualifier_set;
-			/*map->issuerDomainPolicy = NULL;*/
-			data->flags |= POLICY_DATA_FLAG_MAPPED_ANY;
-			data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
-			if (!sk_X509_POLICY_DATA_push(cache->data, data)) {
-				policy_data_free(data);
-				goto bad_mapping;
-			}
-		} else
-			data->flags |= POLICY_DATA_FLAG_MAPPED;
-		if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
-		    map->subjectDomainPolicy))
-			goto bad_mapping;
-		map->subjectDomainPolicy = NULL;
-	}
-
-	ret = 1;
-
-bad_mapping:
-	if (ret == -1)
-		x->ex_flags |= EXFLAG_INVALID_POLICY;
-	sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
-	return ret;
-}
diff --git a/src/lib/libcrypto/x509v3/pcy_node.c b/src/lib/libcrypto/x509v3/pcy_node.c
deleted file mode 100644
index c966463606..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_node.c
+++ /dev/null
@@ -1,200 +0,0 @@
-/* $OpenBSD: pcy_node.c,v 1.7 2019/04/21 16:25:40 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/asn1.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-static int
-node_cmp(const X509_POLICY_NODE * const *a, const X509_POLICY_NODE * const *b)
-{
-	return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
-}
-
-STACK_OF(X509_POLICY_NODE) *
-policy_node_cmp_new(void)
-{
-	return sk_X509_POLICY_NODE_new(node_cmp);
-}
-
-X509_POLICY_NODE *
-tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, const ASN1_OBJECT *id)
-{
-	X509_POLICY_DATA n;
-	X509_POLICY_NODE l;
-	int idx;
-
-	n.valid_policy = (ASN1_OBJECT *)id;
-	l.data = &n;
-
-	idx = sk_X509_POLICY_NODE_find(nodes, &l);
-	if (idx == -1)
-		return NULL;
-
-	return sk_X509_POLICY_NODE_value(nodes, idx);
-}
-
-X509_POLICY_NODE *
-level_find_node(const X509_POLICY_LEVEL *level, const X509_POLICY_NODE *parent,
-    const ASN1_OBJECT *id)
-{
-	X509_POLICY_NODE *node;
-	int i;
-
-	for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
-		node = sk_X509_POLICY_NODE_value(level->nodes, i);
-		if (node->parent == parent) {
-			if (!OBJ_cmp(node->data->valid_policy, id))
-				return node;
-		}
-	}
-	return NULL;
-}
-
-
-int
-level_add_node(X509_POLICY_LEVEL *level, const X509_POLICY_DATA *data,
-    X509_POLICY_NODE *parent, X509_POLICY_TREE *tree, X509_POLICY_NODE **nodep)
-{
-	X509_POLICY_NODE *node = NULL;
-
-	if (level) {
-		node = malloc(sizeof(X509_POLICY_NODE));
-		if (!node)
-			goto node_error;
-		node->data = data;
-		node->parent = parent;
-		node->nchild = 0;
-		if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) {
-			if (level->anyPolicy)
-				goto node_error;
-			level->anyPolicy = node;
-			if (parent)
-				parent->nchild++;
-		} else {
-
-			if (!level->nodes)
-				level->nodes = policy_node_cmp_new();
-			if (!level->nodes)
-				goto node_error;
-			if (!sk_X509_POLICY_NODE_push(level->nodes, node))
-				goto node_error;
-			if (parent)
-				parent->nchild++;
-		}
-	}
-
-	if (tree) {
-		if (!tree->extra_data)
-			tree->extra_data = sk_X509_POLICY_DATA_new_null();
-		if (!tree->extra_data)
-			goto node_error_cond;
-		if (!sk_X509_POLICY_DATA_push(tree->extra_data, data))
-			goto node_error_cond;
-	}
-
-	if (nodep)
-		*nodep = node;
-
-	return 1;
-
-node_error_cond:
-	if (level)
-		node = NULL;
-node_error:
-	policy_node_free(node);
-	node = NULL;
-	if (nodep)
-		*nodep = node;
-	return 0;
-}
-
-void
-policy_node_free(X509_POLICY_NODE *node)
-{
-	free(node);
-}
-
-/* See if a policy node matches a policy OID. If mapping enabled look through
- * expected policy set otherwise just valid policy.
- */
-
-int
-policy_node_match(const X509_POLICY_LEVEL *lvl, const X509_POLICY_NODE *node,
-    const ASN1_OBJECT *oid)
-{
-	int i;
-	ASN1_OBJECT *policy_oid;
-	const X509_POLICY_DATA *x = node->data;
-
-	if ((lvl->flags & X509_V_FLAG_INHIBIT_MAP) ||
-	    !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) {
-		if (!OBJ_cmp(x->valid_policy, oid))
-			return 1;
-		return 0;
-	}
-
-	for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) {
-		policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i);
-		if (!OBJ_cmp(policy_oid, oid))
-			return 1;
-	}
-	return 0;
-}
diff --git a/src/lib/libcrypto/x509v3/pcy_tree.c b/src/lib/libcrypto/x509v3/pcy_tree.c
deleted file mode 100644
index a56c183bc9..0000000000
--- a/src/lib/libcrypto/x509v3/pcy_tree.c
+++ /dev/null
@@ -1,770 +0,0 @@
-/* $OpenBSD: pcy_tree.c,v 1.17 2016/11/05 15:21:20 miod Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
- */
-/* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-/* Enable this to print out the complete policy tree at various point during
- * evaluation.
- */
-
-/*#define OPENSSL_POLICY_DEBUG*/
-
-#ifdef OPENSSL_POLICY_DEBUG
-
-static void
-expected_print(BIO *err, X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node,
-    int indent)
-{
-	if ((lev->flags & X509_V_FLAG_INHIBIT_MAP) ||
-	    !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK))
-		BIO_puts(err, "  Not Mapped\n");
-	else {
-		int i;
-		STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set;
-		ASN1_OBJECT *oid;
-		BIO_puts(err, "  Expected: ");
-		for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) {
-			oid = sk_ASN1_OBJECT_value(pset, i);
-			if (i)
-				BIO_puts(err, ", ");
-			i2a_ASN1_OBJECT(err, oid);
-		}
-		BIO_puts(err, "\n");
-	}
-}
-
-static void
-tree_print(char *str, X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
-{
-	X509_POLICY_LEVEL *plev;
-	X509_POLICY_NODE *node;
-	int i;
-	BIO *err;
-
-	if ((err = BIO_new_fp(stderr, BIO_NOCLOSE)) == NULL)
-		return;
-
-	if (!curr)
-		curr = tree->levels + tree->nlevel;
-	else
-		curr++;
-	BIO_printf(err, "Level print after %s\n", str);
-	BIO_printf(err, "Printing Up to Level %ld\n", curr - tree->levels);
-	for (plev = tree->levels; plev != curr; plev++) {
-		BIO_printf(err, "Level %ld, flags = %x\n",
-		    plev - tree->levels, plev->flags);
-		for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) {
-			node = sk_X509_POLICY_NODE_value(plev->nodes, i);
-			X509_POLICY_NODE_print(err, node, 2);
-			expected_print(err, plev, node, 2);
-			BIO_printf(err, "  Flags: %x\n", node->data->flags);
-		}
-		if (plev->anyPolicy)
-			X509_POLICY_NODE_print(err, plev->anyPolicy, 2);
-	}
-
-	BIO_free(err);
-}
-#else
-
-#define tree_print(a,b,c) /* */
-
-#endif
-
-/* Initialize policy tree. Return values:
- *  0 Some internal error occured.
- * -1 Inconsistent or invalid extensions in certificates.
- *  1 Tree initialized OK.
- *  2 Policy tree is empty.
- *  5 Tree OK and requireExplicitPolicy true.
- *  6 Tree empty and requireExplicitPolicy true.
- */
-
-static int
-tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, unsigned int flags)
-{
-	X509_POLICY_TREE *tree;
-	X509_POLICY_LEVEL *level;
-	const X509_POLICY_CACHE *cache;
-	X509_POLICY_DATA *data = NULL;
-	X509 *x;
-	int ret = 1;
-	int i, n;
-	int explicit_policy;
-	int any_skip;
-	int map_skip;
-
-	*ptree = NULL;
-	n = sk_X509_num(certs);
-
-	if (flags & X509_V_FLAG_EXPLICIT_POLICY)
-		explicit_policy = 0;
-	else
-		explicit_policy = n + 1;
-
-	if (flags & X509_V_FLAG_INHIBIT_ANY)
-		any_skip = 0;
-	else
-		any_skip = n + 1;
-
-	if (flags & X509_V_FLAG_INHIBIT_MAP)
-		map_skip = 0;
-	else
-		map_skip = n + 1;
-
-	/* Can't do anything with just a trust anchor */
-	if (n == 1)
-		return 1;
-	/* First setup policy cache in all certificates apart from the
-	 * trust anchor. Note any bad cache results on the way. Also can
-	 * calculate explicit_policy value at this point.
-	 */
-	for (i = n - 2; i >= 0; i--) {
-		x = sk_X509_value(certs, i);
-		X509_check_purpose(x, -1, -1);
-		cache = policy_cache_set(x);
-		/* If cache NULL something bad happened: return immediately */
-		if (cache == NULL)
-			return 0;
-		/* If inconsistent extensions keep a note of it but continue */
-		if (x->ex_flags & EXFLAG_INVALID_POLICY)
-			ret = -1;
-		/* Otherwise if we have no data (hence no CertificatePolicies)
-		 * and haven't already set an inconsistent code note it.
-		 */
-		else if ((ret == 1) && !cache->data)
-			ret = 2;
-		if (explicit_policy > 0) {
-			if (!(x->ex_flags & EXFLAG_SI))
-				explicit_policy--;
-			if ((cache->explicit_skip != -1) &&
-			    (cache->explicit_skip < explicit_policy))
-				explicit_policy = cache->explicit_skip;
-		}
-	}
-
-	if (ret != 1) {
-		if (ret == 2 && !explicit_policy)
-			return 6;
-		return ret;
-	}
-
-
-	/* If we get this far initialize the tree */
-
-	tree = malloc(sizeof(X509_POLICY_TREE));
-
-	if (!tree)
-		return 0;
-
-	tree->flags = 0;
-	tree->levels = calloc(n, sizeof(X509_POLICY_LEVEL));
-	tree->nlevel = 0;
-	tree->extra_data = NULL;
-	tree->auth_policies = NULL;
-	tree->user_policies = NULL;
-
-	if (!tree->levels) {
-		free(tree);
-		return 0;
-	}
-
-	tree->nlevel = n;
-
-	level = tree->levels;
-
-	/* Root data: initialize to anyPolicy */
-
-	data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0);
-
-	if (!data || !level_add_node(level, data, NULL, tree, NULL))
-		goto bad_tree;
-
-	for (i = n - 2; i >= 0; i--) {
-		level++;
-		x = sk_X509_value(certs, i);
-		cache = policy_cache_set(x);
-		CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
-		level->cert = x;
-
-		if (!cache->anyPolicy)
-			level->flags |= X509_V_FLAG_INHIBIT_ANY;
-
-		/* Determine inhibit any and inhibit map flags */
-		if (any_skip == 0) {
-			/* Any matching allowed if certificate is self
-			 * issued and not the last in the chain.
-			 */
-			if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
-				level->flags |= X509_V_FLAG_INHIBIT_ANY;
-		} else {
-			if (!(x->ex_flags & EXFLAG_SI))
-				any_skip--;
-			if ((cache->any_skip >= 0) &&
-			    (cache->any_skip < any_skip))
-				any_skip = cache->any_skip;
-		}
-
-		if (map_skip == 0)
-			level->flags |= X509_V_FLAG_INHIBIT_MAP;
-		else {
-			if (!(x->ex_flags & EXFLAG_SI))
-				map_skip--;
-			if ((cache->map_skip >= 0) &&
-			    (cache->map_skip < map_skip))
-				map_skip = cache->map_skip;
-		}
-
-	}
-
-	*ptree = tree;
-
-	if (explicit_policy)
-		return 1;
-	else
-		return 5;
-
-bad_tree:
-	X509_policy_tree_free(tree);
-
-	return 0;
-}
-
-static int
-tree_link_matching_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_DATA *data)
-{
-	X509_POLICY_LEVEL *last = curr - 1;
-	X509_POLICY_NODE *node;
-	int i, matched = 0;
-
-	/* Iterate through all in nodes linking matches */
-	for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
-		node = sk_X509_POLICY_NODE_value(last->nodes, i);
-		if (policy_node_match(last, node, data->valid_policy)) {
-			if (!level_add_node(curr, data, node, NULL, NULL))
-				return 0;
-			matched = 1;
-		}
-	}
-	if (!matched && last->anyPolicy) {
-		if (!level_add_node(curr, data, last->anyPolicy, NULL, NULL))
-			return 0;
-	}
-	return 1;
-}
-
-/* This corresponds to RFC3280 6.1.3(d)(1):
- * link any data from CertificatePolicies onto matching parent
- * or anyPolicy if no match.
- */
-
-static int
-tree_link_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache)
-{
-	int i;
-	X509_POLICY_DATA *data;
-
-	for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) {
-		data = sk_X509_POLICY_DATA_value(cache->data, i);
-		/* Look for matching nodes in previous level */
-		if (!tree_link_matching_nodes(curr, data))
-			return 0;
-	}
-	return 1;
-}
-
-/* This corresponds to RFC3280 6.1.3(d)(2):
- * Create new data for any unmatched policies in the parent and link
- * to anyPolicy.
- */
-
-static int
-tree_add_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
-    const ASN1_OBJECT *id, X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
-{
-	X509_POLICY_DATA *data;
-
-	if (id == NULL)
-		id = node->data->valid_policy;
-	/* Create a new node with qualifiers from anyPolicy and
-	 * id from unmatched node.
-	 */
-	data = policy_data_new(NULL, id, node_critical(node));
-
-	if (data == NULL)
-		return 0;
-	/* Curr may not have anyPolicy */
-	data->qualifier_set = cache->anyPolicy->qualifier_set;
-	data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
-	if (!level_add_node(curr, data, node, tree, NULL)) {
-		policy_data_free(data);
-		return 0;
-	}
-
-	return 1;
-}
-
-static int
-tree_link_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
-    X509_POLICY_NODE *node, X509_POLICY_TREE *tree)
-{
-	const X509_POLICY_LEVEL *last = curr - 1;
-	int i;
-
-	if ((last->flags & X509_V_FLAG_INHIBIT_MAP) ||
-	    !(node->data->flags & POLICY_DATA_FLAG_MAPPED)) {
-		/* If no policy mapping: matched if one child present */
-		if (node->nchild)
-			return 1;
-		if (!tree_add_unmatched(curr, cache, NULL, node, tree))
-			return 0;
-		/* Add it */
-	} else {
-		/* If mapping: matched if one child per expected policy set */
-		STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set;
-		if (node->nchild == sk_ASN1_OBJECT_num(expset))
-			return 1;
-		/* Locate unmatched nodes */
-		for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) {
-			ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i);
-			if (level_find_node(curr, node, oid))
-				continue;
-			if (!tree_add_unmatched(curr, cache, oid, node, tree))
-				return 0;
-		}
-	}
-
-	return 1;
-}
-
-static int
-tree_link_any(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache,
-    X509_POLICY_TREE *tree)
-{
-	int i;
-	X509_POLICY_NODE *node;
-	X509_POLICY_LEVEL *last = curr - 1;
-
-	for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) {
-		node = sk_X509_POLICY_NODE_value(last->nodes, i);
-
-		if (!tree_link_unmatched(curr, cache, node, tree))
-			return 0;
-	}
-	/* Finally add link to anyPolicy */
-	if (last->anyPolicy) {
-		if (!level_add_node(curr, cache->anyPolicy,
-		    last->anyPolicy, NULL, NULL))
-			return 0;
-	}
-	return 1;
-}
-
-/* Prune the tree: delete any child mapped child data on the current level
- * then proceed up the tree deleting any data with no children. If we ever
- * have no data on a level we can halt because the tree will be empty.
- */
-
-static int
-tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr)
-{
-	STACK_OF(X509_POLICY_NODE) *nodes;
-	X509_POLICY_NODE *node;
-	int i;
-
-	nodes = curr->nodes;
-	if (curr->flags & X509_V_FLAG_INHIBIT_MAP) {
-		for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
-			node = sk_X509_POLICY_NODE_value(nodes, i);
-			/* Delete any mapped data: see RFC3280 XXXX */
-			if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) {
-				node->parent->nchild--;
-				free(node);
-				(void)sk_X509_POLICY_NODE_delete(nodes, i);
-			}
-		}
-	}
-
-	for (;;) {
-		--curr;
-		nodes = curr->nodes;
-		for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) {
-			node = sk_X509_POLICY_NODE_value(nodes, i);
-			if (node->nchild == 0) {
-				node->parent->nchild--;
-				free(node);
-				(void)sk_X509_POLICY_NODE_delete(nodes, i);
-			}
-		}
-		if (curr->anyPolicy && !curr->anyPolicy->nchild) {
-			if (curr->anyPolicy->parent)
-				curr->anyPolicy->parent->nchild--;
-			free(curr->anyPolicy);
-			curr->anyPolicy = NULL;
-		}
-		if (curr == tree->levels) {
-			/* If we zapped anyPolicy at top then tree is empty */
-			if (!curr->anyPolicy)
-				return 2;
-			return 1;
-		}
-	}
-
-	return 1;
-}
-
-static int
-tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, X509_POLICY_NODE *pcy)
-{
-	if (!*pnodes) {
-		*pnodes = policy_node_cmp_new();
-		if (!*pnodes)
-			return 0;
-	} else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1)
-		return 1;
-
-	if (!sk_X509_POLICY_NODE_push(*pnodes, pcy))
-		return 0;
-
-	return 1;
-}
-
-/* Calculate the authority set based on policy tree.
- * The 'pnodes' parameter is used as a store for the set of policy nodes
- * used to calculate the user set. If the authority set is not anyPolicy
- * then pnodes will just point to the authority set. If however the authority
- * set is anyPolicy then the set of valid policies (other than anyPolicy)
- * is store in pnodes. The return value of '2' is used in this case to indicate
- * that pnodes should be freed.
- */
-
-static int
-tree_calculate_authority_set(X509_POLICY_TREE *tree,
-    STACK_OF(X509_POLICY_NODE) **pnodes)
-{
-	X509_POLICY_LEVEL *curr;
-	X509_POLICY_NODE *node, *anyptr;
-	STACK_OF(X509_POLICY_NODE) **addnodes;
-	int i, j;
-
-	curr = tree->levels + tree->nlevel - 1;
-
-	/* If last level contains anyPolicy set is anyPolicy */
-	if (curr->anyPolicy) {
-		if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy))
-			return 0;
-		addnodes = pnodes;
-	} else
-		/* Add policies to authority set */
-		addnodes = &tree->auth_policies;
-
-	curr = tree->levels;
-	for (i = 1; i < tree->nlevel; i++) {
-		/* If no anyPolicy node on this this level it can't
-		 * appear on lower levels so end search.
-		 */
-		if (!(anyptr = curr->anyPolicy))
-			break;
-		curr++;
-		for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) {
-			node = sk_X509_POLICY_NODE_value(curr->nodes, j);
-			if ((node->parent == anyptr) &&
-			    !tree_add_auth_node(addnodes, node))
-				return 0;
-		}
-	}
-
-	if (addnodes == pnodes)
-		return 2;
-
-	*pnodes = tree->auth_policies;
-
-	return 1;
-}
-
-static int
-tree_calculate_user_set(X509_POLICY_TREE *tree,
-    STACK_OF(ASN1_OBJECT) *policy_oids, STACK_OF(X509_POLICY_NODE) *auth_nodes)
-{
-	int i;
-	X509_POLICY_NODE *node;
-	ASN1_OBJECT *oid;
-	X509_POLICY_NODE *anyPolicy;
-	X509_POLICY_DATA *extra;
-
-	/* Check if anyPolicy present in authority constrained policy set:
-	 * this will happen if it is a leaf node.
-	 */
-
-	if (sk_ASN1_OBJECT_num(policy_oids) <= 0)
-		return 1;
-
-	anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy;
-
-	for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
-		oid = sk_ASN1_OBJECT_value(policy_oids, i);
-		if (OBJ_obj2nid(oid) == NID_any_policy) {
-			tree->flags |= POLICY_FLAG_ANY_POLICY;
-			return 1;
-		}
-	}
-
-	for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) {
-		oid = sk_ASN1_OBJECT_value(policy_oids, i);
-		node = tree_find_sk(auth_nodes, oid);
-		if (!node) {
-			if (!anyPolicy)
-				continue;
-			/* Create a new node with policy ID from user set
-			 * and qualifiers from anyPolicy.
-			 */
-			extra = policy_data_new(NULL, oid,
-			    node_critical(anyPolicy));
-			if (!extra)
-				return 0;
-			extra->qualifier_set = anyPolicy->data->qualifier_set;
-			extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS |
-			    POLICY_DATA_FLAG_EXTRA_NODE;
-			(void) level_add_node(NULL, extra, anyPolicy->parent,
-			    tree, &node);
-		}
-		if (!tree->user_policies) {
-			tree->user_policies = sk_X509_POLICY_NODE_new_null();
-			if (!tree->user_policies)
-				return 1;
-		}
-		if (!sk_X509_POLICY_NODE_push(tree->user_policies, node))
-			return 0;
-	}
-	return 1;
-}
-
-static int
-tree_evaluate(X509_POLICY_TREE *tree)
-{
-	int ret, i;
-	X509_POLICY_LEVEL *curr = tree->levels + 1;
-	const X509_POLICY_CACHE *cache;
-
-	for (i = 1; i < tree->nlevel; i++, curr++) {
-		cache = policy_cache_set(curr->cert);
-		if (!tree_link_nodes(curr, cache))
-			return 0;
-
-		if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) &&
-		    !tree_link_any(curr, cache, tree))
-			return 0;
-		tree_print("before tree_prune()", tree, curr);
-		ret = tree_prune(tree, curr);
-		if (ret != 1)
-			return ret;
-	}
-
-	return 1;
-}
-
-static void
-exnode_free(X509_POLICY_NODE *node)
-{
-	if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE))
-		free(node);
-}
-
-void
-X509_policy_tree_free(X509_POLICY_TREE *tree)
-{
-	X509_POLICY_LEVEL *curr;
-	int i;
-
-	if (!tree)
-		return;
-
-	sk_X509_POLICY_NODE_free(tree->auth_policies);
-	sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free);
-
-	for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) {
-		X509_free(curr->cert);
-		if (curr->nodes)
-			sk_X509_POLICY_NODE_pop_free(curr->nodes,
-		    policy_node_free);
-		if (curr->anyPolicy)
-			policy_node_free(curr->anyPolicy);
-	}
-
-	if (tree->extra_data)
-		sk_X509_POLICY_DATA_pop_free(tree->extra_data,
-		    policy_data_free);
-
-	free(tree->levels);
-	free(tree);
-}
-
-/* Application policy checking function.
- * Return codes:
- *  0 	Internal Error.
- *  1   Successful.
- * -1   One or more certificates contain invalid or inconsistent extensions
- * -2	User constrained policy set empty and requireExplicit true.
- */
-
-int
-X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
-    STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids,
-    unsigned int flags)
-{
-	int ret, ret2;
-	X509_POLICY_TREE *tree = NULL;
-	STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL;
-
-	*ptree = NULL;
-	*pexplicit_policy = 0;
-	ret = tree_init(&tree, certs, flags);
-
-	switch (ret) {
-
-		/* Tree empty requireExplicit False: OK */
-	case 2:
-		return 1;
-
-		/* Some internal error */
-	case -1:
-		return -1;
-
-		/* Some internal error */
-	case 0:
-		return 0;
-
-		/* Tree empty requireExplicit True: Error */
-
-	case 6:
-		*pexplicit_policy = 1;
-		return -2;
-
-		/* Tree OK requireExplicit True: OK and continue */
-	case 5:
-		*pexplicit_policy = 1;
-		break;
-
-		/* Tree OK: continue */
-
-	case 1:
-		if (!tree)
-			/*
-			 * tree_init() returns success and a null tree
-			 * if it's just looking at a trust anchor.
-			 * I'm not sure that returning success here is
-			 * correct, but I'm sure that reporting this
-			 * as an internal error which our caller
-			 * interprets as a malloc failure is wrong.
-			 */
-			return 1;
-		break;
-	}
-
-	if (!tree)
-		goto error;
-	ret = tree_evaluate(tree);
-
-	tree_print("tree_evaluate()", tree, NULL);
-
-	if (ret <= 0)
-		goto error;
-
-	/* Return value 2 means tree empty */
-	if (ret == 2) {
-		X509_policy_tree_free(tree);
-		if (*pexplicit_policy)
-			return -2;
-		else
-			return 1;
-	}
-
-	/* Tree is not empty: continue */
-
-	ret = tree_calculate_authority_set(tree, &auth_nodes);
-	if (ret == 0)
-		goto error;
-
-	ret2 = tree_calculate_user_set(tree, policy_oids, auth_nodes);
-
-	/* Return value 2 means auth_nodes needs to be freed */
-	if (ret == 2)
-		sk_X509_POLICY_NODE_free(auth_nodes);
-
-	if (ret2 == 0)
-		goto error;
-
-	if (tree)
-		*ptree = tree;
-
-	if (*pexplicit_policy) {
-		nodes = X509_policy_tree_get0_user_policies(tree);
-		if (sk_X509_POLICY_NODE_num(nodes) <= 0)
-			return -2;
-	}
-
-	return 1;
-
-error:
-	X509_policy_tree_free(tree);
-
-	return 0;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_akey.c b/src/lib/libcrypto/x509v3/v3_akey.c
deleted file mode 100644
index e49f45fe0a..0000000000
--- a/src/lib/libcrypto/x509v3/v3_akey.c
+++ /dev/null
@@ -1,237 +0,0 @@
-/* $OpenBSD: v3_akey.c,v 1.22 2019/04/22 17:10:01 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
-    AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist);
-static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
-
-const X509V3_EXT_METHOD v3_akey_id = {
-	.ext_nid = NID_authority_key_identifier,
-	.ext_flags = X509V3_EXT_MULTILINE,
-	.it = &AUTHORITY_KEYID_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = (X509V3_EXT_I2V)i2v_AUTHORITY_KEYID,
-	.v2i = (X509V3_EXT_V2I)v2i_AUTHORITY_KEYID,
-	.i2r = NULL,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-static STACK_OF(CONF_VALUE) *
-i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, AUTHORITY_KEYID *akeyid,
-    STACK_OF(CONF_VALUE) *extlist)
-{
-	STACK_OF(CONF_VALUE) *free_extlist = NULL;
-	char *tmpstr = NULL;
-
-	if (extlist == NULL) {
-		if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
-			return NULL;
-	}
-
-	if (akeyid->keyid != NULL) {
-		if ((tmpstr = hex_to_string(akeyid->keyid->data,
-		    akeyid->keyid->length)) == NULL)
-			goto err;
-		if (!X509V3_add_value("keyid", tmpstr, &extlist))
-			goto err;
-		free(tmpstr);
-		tmpstr = NULL;
-	}
-
-	if (akeyid->issuer != NULL) {
-		if ((extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer,
-		    extlist)) == NULL)
-			goto err;
-	}
-
-	if (akeyid->serial != NULL) {
-		if ((tmpstr = hex_to_string(akeyid->serial->data,
-		    akeyid->serial->length)) == NULL)
-			goto err;
-		if (!X509V3_add_value("serial", tmpstr, &extlist))
-			goto err;
-		free(tmpstr);
-		tmpstr = NULL;
-	}
-
-	if (sk_CONF_VALUE_num(extlist) <= 0)
-		goto err;
-
-	return extlist;
-
- err:
-	free(tmpstr);
-	sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
-
-	return NULL;
-}
-
-/*
- * Currently two options:
- * keyid: use the issuers subject keyid, the value 'always' means its is
- * an error if the issuer certificate doesn't have a key id.
- * issuer: use the issuers cert issuer and serial number. The default is
- * to only use this if keyid is not present. With the option 'always'
- * this is always included.
- */
-static AUTHORITY_KEYID *
-v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *values)
-{
-	char keyid = 0, issuer = 0;
-	int i;
-	CONF_VALUE *cnf;
-	ASN1_OCTET_STRING *ikeyid = NULL;
-	X509_NAME *isname = NULL;
-	STACK_OF(GENERAL_NAME) *gens = NULL;
-	GENERAL_NAME *gen = NULL;
-	ASN1_INTEGER *serial = NULL;
-	X509_EXTENSION *ext;
-	X509 *cert;
-	AUTHORITY_KEYID *akeyid = NULL;
-
-	for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
-		cnf = sk_CONF_VALUE_value(values, i);
-		if (!strcmp(cnf->name, "keyid")) {
-			keyid = 1;
-			if (cnf->value && !strcmp(cnf->value, "always"))
-				keyid = 2;
-		} else if (!strcmp(cnf->name, "issuer")) {
-			issuer = 1;
-			if (cnf->value && !strcmp(cnf->value, "always"))
-				issuer = 2;
-		} else {
-			X509V3error(X509V3_R_UNKNOWN_OPTION);
-			ERR_asprintf_error_data("name=%s", cnf->name);
-			return NULL;
-		}
-	}
-
-	if (!ctx || !ctx->issuer_cert) {
-		if (ctx && (ctx->flags == CTX_TEST))
-			return AUTHORITY_KEYID_new();
-		X509V3error(X509V3_R_NO_ISSUER_CERTIFICATE);
-		return NULL;
-	}
-
-	cert = ctx->issuer_cert;
-
-	if (keyid) {
-		i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
-		if ((i >= 0)  && (ext = X509_get_ext(cert, i)))
-			ikeyid = X509V3_EXT_d2i(ext);
-		if (keyid == 2 && !ikeyid) {
-			X509V3error(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
-			return NULL;
-		}
-	}
-
-	if ((issuer && !ikeyid) || (issuer == 2)) {
-		isname = X509_NAME_dup(X509_get_issuer_name(cert));
-		serial = ASN1_INTEGER_dup(X509_get_serialNumber(cert));
-		if (!isname || !serial) {
-			X509V3error(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS);
-			goto err;
-		}
-	}
-
-	if (!(akeyid = AUTHORITY_KEYID_new()))
-		goto err;
-
-	if (isname) {
-		if (!(gens = sk_GENERAL_NAME_new_null()) ||
-		    !(gen = GENERAL_NAME_new()) ||
-		    !sk_GENERAL_NAME_push(gens, gen)) {
-			X509V3error(ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-		gen->type = GEN_DIRNAME;
-		gen->d.dirn = isname;
-	}
-
-	akeyid->issuer = gens;
-	akeyid->serial = serial;
-	akeyid->keyid = ikeyid;
-
-	return akeyid;
-
- err:
-	AUTHORITY_KEYID_free(akeyid);
-	GENERAL_NAME_free(gen);
-	sk_GENERAL_NAME_free(gens);
-	X509_NAME_free(isname);
-	ASN1_INTEGER_free(serial);
-	ASN1_OCTET_STRING_free(ikeyid);
-	return NULL;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_akeya.c b/src/lib/libcrypto/x509v3/v3_akeya.c
deleted file mode 100644
index 83ef1b5838..0000000000
--- a/src/lib/libcrypto/x509v3/v3_akeya.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/* $OpenBSD: v3_akeya.c,v 1.7 2015/07/25 16:00:14 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-
-static const ASN1_TEMPLATE AUTHORITY_KEYID_seq_tt[] = {
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(AUTHORITY_KEYID, keyid),
-		.field_name = "keyid",
-		.item = &ASN1_OCTET_STRING_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
-		.tag = 1,
-		.offset = offsetof(AUTHORITY_KEYID, issuer),
-		.field_name = "issuer",
-		.item = &GENERAL_NAME_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 2,
-		.offset = offsetof(AUTHORITY_KEYID, serial),
-		.field_name = "serial",
-		.item = &ASN1_INTEGER_it,
-	},
-};
-
-const ASN1_ITEM AUTHORITY_KEYID_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = AUTHORITY_KEYID_seq_tt,
-	.tcount = sizeof(AUTHORITY_KEYID_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(AUTHORITY_KEYID),
-	.sname = "AUTHORITY_KEYID",
-};
-
-
-AUTHORITY_KEYID *
-d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, const unsigned char **in, long len)
-{
-	return (AUTHORITY_KEYID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &AUTHORITY_KEYID_it);
-}
-
-int
-i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &AUTHORITY_KEYID_it);
-}
-
-AUTHORITY_KEYID *
-AUTHORITY_KEYID_new(void)
-{
-	return (AUTHORITY_KEYID *)ASN1_item_new(&AUTHORITY_KEYID_it);
-}
-
-void
-AUTHORITY_KEYID_free(AUTHORITY_KEYID *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &AUTHORITY_KEYID_it);
-}
diff --git a/src/lib/libcrypto/x509v3/v3_alt.c b/src/lib/libcrypto/x509v3/v3_alt.c
deleted file mode 100644
index 0f0177ff8b..0000000000
--- a/src/lib/libcrypto/x509v3/v3_alt.c
+++ /dev/null
@@ -1,699 +0,0 @@
-/* $OpenBSD: v3_alt.c,v 1.30 2019/04/22 17:10:01 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
-static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
-static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
-static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
-
-const X509V3_EXT_METHOD v3_alt[] = {
-	{
-		.ext_nid = NID_subject_alt_name,
-		.ext_flags = 0,
-		.it = &GENERAL_NAMES_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-		.v2i = (X509V3_EXT_V2I)v2i_subject_alt,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_issuer_alt_name,
-		.ext_flags = 0,
-		.it = &GENERAL_NAMES_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-		.v2i = (X509V3_EXT_V2I)v2i_issuer_alt,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_certificate_issuer,
-		.ext_flags = 0,
-		.it = &GENERAL_NAMES_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = (X509V3_EXT_I2V)i2v_GENERAL_NAMES,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-};
-
-STACK_OF(CONF_VALUE) *
-i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAMES *gens,
-    STACK_OF(CONF_VALUE) *ret)
-{
-	STACK_OF(CONF_VALUE) *free_ret = NULL;
-	GENERAL_NAME *gen;
-	int i;
-
-	if (ret == NULL) {
-		if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL)
-			return NULL;
-	}
-
-	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
-		if ((gen = sk_GENERAL_NAME_value(gens, i)) == NULL)
-			goto err;
-		if ((ret = i2v_GENERAL_NAME(method, gen, ret)) == NULL)
-			goto err;
-	}
-
-	return ret;
-
- err:
-	sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free);
-
-	return NULL;
-}
-
-STACK_OF(CONF_VALUE) *
-i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen,
-    STACK_OF(CONF_VALUE) *ret)
-{
-	STACK_OF(CONF_VALUE) *free_ret = NULL;
-	unsigned char *p;
-	char oline[256], htmp[5];
-	int i;
-
-	if (ret == NULL) {
-		if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL)
-			return NULL;
-	}
-
-	switch (gen->type) {
-	case GEN_OTHERNAME:
-		if (!X509V3_add_value("othername", "<unsupported>", &ret))
-			goto err;
-		break;
-
-	case GEN_X400:
-		if (!X509V3_add_value("X400Name", "<unsupported>", &ret))
-			goto err;
-		break;
-
-	case GEN_EDIPARTY:
-		if (!X509V3_add_value("EdiPartyName", "<unsupported>", &ret))
-			goto err;
-		break;
-
-	case GEN_EMAIL:
-		if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret))
-			goto err;
-		break;
-
-	case GEN_DNS:
-		if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret))
-			goto err;
-		break;
-
-	case GEN_URI:
-		if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret))
-			goto err;
-		break;
-
-	case GEN_DIRNAME:
-		if (X509_NAME_oneline(gen->d.dirn, oline, 256) == NULL)
-			goto err;
-		if (!X509V3_add_value("DirName", oline, &ret))
-			goto err;
-		break;
-
-	case GEN_IPADD: /* XXX */
-		p = gen->d.ip->data;
-		if (gen->d.ip->length == 4)
-			(void) snprintf(oline, sizeof oline,
-			    "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
-		else if (gen->d.ip->length == 16) {
-			oline[0] = 0;
-			for (i = 0; i < 8; i++) {
-				(void) snprintf(htmp, sizeof htmp,
-				    "%X", p[0] << 8 | p[1]);
-				p += 2;
-				strlcat(oline, htmp, sizeof(oline));
-				if (i != 7)
-					strlcat(oline, ":", sizeof(oline));
-			}
-		} else {
-			if (!X509V3_add_value("IP Address", "<invalid>", &ret))
-				goto err;
-			break;
-		}
-		if (!X509V3_add_value("IP Address", oline, &ret))
-			goto err;
-		break;
-
-	case GEN_RID:
-		if (!i2t_ASN1_OBJECT(oline, 256, gen->d.rid))
-			goto err;
-		if (!X509V3_add_value("Registered ID", oline, &ret))
-			goto err;
-		break;
-	}
-
-	return ret;
-
- err:
-	sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free);
-
-	return NULL;
-}
-
-int
-GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen)
-{
-	unsigned char *p;
-	int i;
-
-	switch (gen->type) {
-	case GEN_OTHERNAME:
-		BIO_printf(out, "othername:<unsupported>");
-		break;
-
-	case GEN_X400:
-		BIO_printf(out, "X400Name:<unsupported>");
-		break;
-
-	case GEN_EDIPARTY:
-		/* Maybe fix this: it is supported now */
-		BIO_printf(out, "EdiPartyName:<unsupported>");
-		break;
-
-	case GEN_EMAIL:
-		BIO_printf(out, "email:%s", gen->d.ia5->data);
-		break;
-
-	case GEN_DNS:
-		BIO_printf(out, "DNS:%s", gen->d.ia5->data);
-		break;
-
-	case GEN_URI:
-		BIO_printf(out, "URI:%s", gen->d.ia5->data);
-		break;
-
-	case GEN_DIRNAME:
-		BIO_printf(out, "DirName: ");
-		X509_NAME_print_ex(out, gen->d.dirn, 0, XN_FLAG_ONELINE);
-		break;
-
-	case GEN_IPADD:
-		p = gen->d.ip->data;
-		if (gen->d.ip->length == 4)
-			BIO_printf(out, "IP Address:%d.%d.%d.%d",
-			    p[0], p[1], p[2], p[3]);
-		else if (gen->d.ip->length == 16) {
-			BIO_printf(out, "IP Address");
-			for (i = 0; i < 8; i++) {
-				BIO_printf(out, ":%X", p[0] << 8 | p[1]);
-				p += 2;
-			}
-			BIO_puts(out, "\n");
-		} else {
-			BIO_printf(out, "IP Address:<invalid>");
-			break;
-		}
-		break;
-
-	case GEN_RID:
-		BIO_printf(out, "Registered ID");
-		i2a_ASN1_OBJECT(out, gen->d.rid);
-		break;
-	}
-	return 1;
-}
-
-static GENERAL_NAMES *
-v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval)
-{
-	GENERAL_NAMES *gens = NULL;
-	CONF_VALUE *cnf;
-	int i;
-
-	if ((gens = sk_GENERAL_NAME_new_null()) == NULL) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		cnf = sk_CONF_VALUE_value(nval, i);
-		if (name_cmp(cnf->name, "issuer") == 0 && cnf->value != NULL &&
-		    strcmp(cnf->value, "copy") == 0) {
-			if (!copy_issuer(ctx, gens))
-				goto err;
-		} else {
-			GENERAL_NAME *gen;
-			if ((gen = v2i_GENERAL_NAME(method, ctx, cnf)) == NULL)
-				goto err;
-			if (sk_GENERAL_NAME_push(gens, gen) == 0) {
-				GENERAL_NAME_free(gen);
-				goto err;
-			}
-		}
-	}
-	return gens;
-
-err:
-	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
-	return NULL;
-}
-
-/* Append subject altname of issuer to issuer alt name of subject */
-
-static int
-copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
-{
-	GENERAL_NAMES *ialt;
-	GENERAL_NAME *gen;
-	X509_EXTENSION *ext;
-	int i;
-
-	if (ctx && (ctx->flags == CTX_TEST))
-		return 1;
-	if (!ctx || !ctx->issuer_cert) {
-		X509V3error(X509V3_R_NO_ISSUER_DETAILS);
-		goto err;
-	}
-	i = X509_get_ext_by_NID(ctx->issuer_cert, NID_subject_alt_name, -1);
-	if (i < 0)
-		return 1;
-	if (!(ext = X509_get_ext(ctx->issuer_cert, i)) ||
-	    !(ialt = X509V3_EXT_d2i(ext))) {
-		X509V3error(X509V3_R_ISSUER_DECODE_ERROR);
-		goto err;
-	}
-
-	for (i = 0; i < sk_GENERAL_NAME_num(ialt); i++) {
-		gen = sk_GENERAL_NAME_value(ialt, i);
-		if (!sk_GENERAL_NAME_push(gens, gen)) {
-			X509V3error(ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-	}
-	sk_GENERAL_NAME_free(ialt);
-
-	return 1;
-
-err:
-	return 0;
-
-}
-
-static GENERAL_NAMES *
-v2i_subject_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval)
-{
-	GENERAL_NAMES *gens = NULL;
-	CONF_VALUE *cnf;
-	int i;
-
-	if (!(gens = sk_GENERAL_NAME_new_null())) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		cnf = sk_CONF_VALUE_value(nval, i);
-		if (!name_cmp(cnf->name, "email") && cnf->value &&
-		    !strcmp(cnf->value, "copy")) {
-			if (!copy_email(ctx, gens, 0))
-				goto err;
-		} else if (!name_cmp(cnf->name, "email") && cnf->value &&
-		    !strcmp(cnf->value, "move")) {
-			if (!copy_email(ctx, gens, 1))
-				goto err;
-		} else {
-			GENERAL_NAME *gen;
-			if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
-				goto err;
-			if (sk_GENERAL_NAME_push(gens, gen) == 0) {
-				GENERAL_NAME_free(gen);
-				goto err;
-			}
-		}
-	}
-	return gens;
-
-err:
-	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
-	return NULL;
-}
-
-/* Copy any email addresses in a certificate or request to
- * GENERAL_NAMES
- */
-
-static int
-copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
-{
-	X509_NAME *nm;
-	ASN1_IA5STRING *email = NULL;
-	X509_NAME_ENTRY *ne;
-	GENERAL_NAME *gen = NULL;
-	int i;
-
-	if (ctx != NULL && ctx->flags == CTX_TEST)
-		return 1;
-	if (!ctx || (!ctx->subject_cert && !ctx->subject_req)) {
-		X509V3error(X509V3_R_NO_SUBJECT_DETAILS);
-		goto err;
-	}
-	/* Find the subject name */
-	if (ctx->subject_cert)
-		nm = X509_get_subject_name(ctx->subject_cert);
-	else
-		nm = X509_REQ_get_subject_name(ctx->subject_req);
-
-	/* Now add any email address(es) to STACK */
-	i = -1;
-	while ((i = X509_NAME_get_index_by_NID(nm,
-	    NID_pkcs9_emailAddress, i)) >= 0) {
-		ne = X509_NAME_get_entry(nm, i);
-		email = ASN1_STRING_dup(X509_NAME_ENTRY_get_data(ne));
-		if (move_p) {
-			X509_NAME_delete_entry(nm, i);
-			X509_NAME_ENTRY_free(ne);
-			i--;
-		}
-		if (!email || !(gen = GENERAL_NAME_new())) {
-			X509V3error(ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-		gen->d.ia5 = email;
-		email = NULL;
-		gen->type = GEN_EMAIL;
-		if (!sk_GENERAL_NAME_push(gens, gen)) {
-			X509V3error(ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-		gen = NULL;
-	}
-
-	return 1;
-
-err:
-	GENERAL_NAME_free(gen);
-	ASN1_IA5STRING_free(email);
-	return 0;
-}
-
-GENERAL_NAMES *
-v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval)
-{
-	GENERAL_NAME *gen;
-	GENERAL_NAMES *gens = NULL;
-	CONF_VALUE *cnf;
-	int i;
-
-	if (!(gens = sk_GENERAL_NAME_new_null())) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		cnf = sk_CONF_VALUE_value(nval, i);
-		if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
-			goto err;
-		if (sk_GENERAL_NAME_push(gens, gen) == 0) {
-			GENERAL_NAME_free(gen);
-			goto err;
-		}
-	}
-	return gens;
-
-err:
-	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
-	return NULL;
-}
-
-GENERAL_NAME *
-v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    CONF_VALUE *cnf)
-{
-	return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0);
-}
-
-GENERAL_NAME *
-a2i_GENERAL_NAME(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, int gen_type, const char *value, int is_nc)
-{
-	char is_string = 0;
-	GENERAL_NAME *gen = NULL;
-
-	if (!value) {
-		X509V3error(X509V3_R_MISSING_VALUE);
-		return NULL;
-	}
-
-	if (out)
-		gen = out;
-	else {
-		gen = GENERAL_NAME_new();
-		if (gen == NULL) {
-			X509V3error(ERR_R_MALLOC_FAILURE);
-			return NULL;
-		}
-	}
-
-	switch (gen_type) {
-	case GEN_URI:
-	case GEN_EMAIL:
-	case GEN_DNS:
-		is_string = 1;
-		break;
-
-	case GEN_RID:
-		{
-			ASN1_OBJECT *obj;
-			if (!(obj = OBJ_txt2obj(value, 0))) {
-				X509V3error(X509V3_R_BAD_OBJECT);
-				ERR_asprintf_error_data("value=%s", value);
-				goto err;
-			}
-			gen->d.rid = obj;
-		}
-		break;
-
-	case GEN_IPADD:
-		if (is_nc)
-			gen->d.ip = a2i_IPADDRESS_NC(value);
-		else
-			gen->d.ip = a2i_IPADDRESS(value);
-		if (gen->d.ip == NULL) {
-			X509V3error(X509V3_R_BAD_IP_ADDRESS);
-			ERR_asprintf_error_data("value=%s", value);
-			goto err;
-		}
-		break;
-
-	case GEN_DIRNAME:
-		if (!do_dirname(gen, value, ctx)) {
-			X509V3error(X509V3_R_DIRNAME_ERROR);
-			goto err;
-		}
-		break;
-
-	case GEN_OTHERNAME:
-		if (!do_othername(gen, value, ctx)) {
-			X509V3error(X509V3_R_OTHERNAME_ERROR);
-			goto err;
-		}
-		break;
-
-	default:
-		X509V3error(X509V3_R_UNSUPPORTED_TYPE);
-		goto err;
-	}
-
-	if (is_string) {
-		if (!(gen->d.ia5 = ASN1_IA5STRING_new()) ||
-		    !ASN1_STRING_set(gen->d.ia5, value, strlen(value))) {
-			X509V3error(ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-	}
-
-	gen->type = gen_type;
-
-	return gen;
-
-err:
-	if (out == NULL)
-		GENERAL_NAME_free(gen);
-	return NULL;
-}
-
-GENERAL_NAME *
-v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc)
-{
-	int type;
-	char *name, *value;
-
-	name = cnf->name;
-	value = cnf->value;
-
-	if (!value) {
-		X509V3error(X509V3_R_MISSING_VALUE);
-		return NULL;
-	}
-
-	if (!name_cmp(name, "email"))
-		type = GEN_EMAIL;
-	else if (!name_cmp(name, "URI"))
-		type = GEN_URI;
-	else if (!name_cmp(name, "DNS"))
-		type = GEN_DNS;
-	else if (!name_cmp(name, "RID"))
-		type = GEN_RID;
-	else if (!name_cmp(name, "IP"))
-		type = GEN_IPADD;
-	else if (!name_cmp(name, "dirName"))
-		type = GEN_DIRNAME;
-	else if (!name_cmp(name, "otherName"))
-		type = GEN_OTHERNAME;
-	else {
-		X509V3error(X509V3_R_UNSUPPORTED_OPTION);
-		ERR_asprintf_error_data("name=%s", name);
-		return NULL;
-	}
-
-	return a2i_GENERAL_NAME(out, method, ctx, type, value, is_nc);
-}
-
-static int
-do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
-{
-	char *objtmp = NULL, *p;
-	int objlen;
-
-	if (!(p = strchr(value, ';')))
-		return 0;
-	if (!(gen->d.otherName = OTHERNAME_new()))
-		return 0;
-	/* Free this up because we will overwrite it.
-	 * no need to free type_id because it is static
-	 */
-	ASN1_TYPE_free(gen->d.otherName->value);
-	if (!(gen->d.otherName->value = ASN1_generate_v3(p + 1, ctx)))
-		return 0;
-	objlen = p - value;
-	objtmp = malloc(objlen + 1);
-	if (objtmp) {
-		strlcpy(objtmp, value, objlen + 1);
-		gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0);
-		free(objtmp);
-	} else
-		gen->d.otherName->type_id = NULL;
-	if (!gen->d.otherName->type_id)
-		return 0;
-	return 1;
-}
-
-static int
-do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx)
-{
-	int ret;
-	STACK_OF(CONF_VALUE) *sk;
-	X509_NAME *nm;
-
-	if (!(nm = X509_NAME_new()))
-		return 0;
-	sk = X509V3_get_section(ctx, value);
-	if (!sk) {
-		X509V3error(X509V3_R_SECTION_NOT_FOUND);
-		ERR_asprintf_error_data("section=%s", value);
-		X509_NAME_free(nm);
-		return 0;
-	}
-	/* FIXME: should allow other character types... */
-	ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC);
-	if (!ret)
-		X509_NAME_free(nm);
-	gen->d.dirn = nm;
-	X509V3_section_free(ctx, sk);
-
-	return ret;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_bcons.c b/src/lib/libcrypto/x509v3/v3_bcons.c
deleted file mode 100644
index 1626d4e786..0000000000
--- a/src/lib/libcrypto/x509v3/v3_bcons.c
+++ /dev/null
@@ -1,199 +0,0 @@
-/* $OpenBSD: v3_bcons.c,v 1.17 2019/05/08 21:53:10 bcook Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static STACK_OF(CONF_VALUE) *i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
-    BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist);
-static BASIC_CONSTRAINTS *v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
-
-const X509V3_EXT_METHOD v3_bcons = {
-	.ext_nid = NID_basic_constraints,
-	.ext_flags = 0,
-	.it = &BASIC_CONSTRAINTS_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = (X509V3_EXT_I2V)i2v_BASIC_CONSTRAINTS,
-	.v2i = (X509V3_EXT_V2I)v2i_BASIC_CONSTRAINTS,
-	.i2r = NULL,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-static const ASN1_TEMPLATE BASIC_CONSTRAINTS_seq_tt[] = {
-	{
-		.flags = ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(BASIC_CONSTRAINTS, ca),
-		.field_name = "ca",
-		.item = &ASN1_FBOOLEAN_it,
-	},
-	{
-		.flags = ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(BASIC_CONSTRAINTS, pathlen),
-		.field_name = "pathlen",
-		.item = &ASN1_INTEGER_it,
-	},
-};
-
-const ASN1_ITEM BASIC_CONSTRAINTS_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = BASIC_CONSTRAINTS_seq_tt,
-	.tcount = sizeof(BASIC_CONSTRAINTS_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(BASIC_CONSTRAINTS),
-	.sname = "BASIC_CONSTRAINTS",
-};
-
-
-BASIC_CONSTRAINTS *
-d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a, const unsigned char **in, long len)
-{
-	return (BASIC_CONSTRAINTS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &BASIC_CONSTRAINTS_it);
-}
-
-int
-i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &BASIC_CONSTRAINTS_it);
-}
-
-BASIC_CONSTRAINTS *
-BASIC_CONSTRAINTS_new(void)
-{
-	return (BASIC_CONSTRAINTS *)ASN1_item_new(&BASIC_CONSTRAINTS_it);
-}
-
-void
-BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &BASIC_CONSTRAINTS_it);
-}
-
-
-static STACK_OF(CONF_VALUE) *
-i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons,
-    STACK_OF(CONF_VALUE) *extlist)
-{
-	STACK_OF(CONF_VALUE) *free_extlist = NULL;
-
-	if (extlist == NULL) {
-		if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
-			return NULL;
-	}
-
-	if (!X509V3_add_value_bool("CA", bcons->ca, &extlist))
-		goto err;
-	if (!X509V3_add_value_int("pathlen", bcons->pathlen, &extlist))
-		goto err;
-
-	return extlist;
-
- err:
-	sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
-
-	return NULL;
-}
-
-static BASIC_CONSTRAINTS *
-v2i_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *values)
-{
-	BASIC_CONSTRAINTS *bcons = NULL;
-	CONF_VALUE *val;
-	int i;
-
-	if (!(bcons = BASIC_CONSTRAINTS_new())) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
-		val = sk_CONF_VALUE_value(values, i);
-		if (!strcmp(val->name, "CA")) {
-			if (!X509V3_get_value_bool(val, &bcons->ca))
-				goto err;
-		} else if (!strcmp(val->name, "pathlen")) {
-			if (!X509V3_get_value_int(val, &bcons->pathlen))
-				goto err;
-		} else {
-			X509V3error(X509V3_R_INVALID_NAME);
-			X509V3_conf_err(val);
-			goto err;
-		}
-	}
-	return bcons;
-
-err:
-	BASIC_CONSTRAINTS_free(bcons);
-	return NULL;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_bitst.c b/src/lib/libcrypto/x509v3/v3_bitst.c
deleted file mode 100644
index 6744461754..0000000000
--- a/src/lib/libcrypto/x509v3/v3_bitst.c
+++ /dev/null
@@ -1,187 +0,0 @@
-/* $OpenBSD: v3_bitst.c,v 1.16 2019/05/08 21:53:10 bcook Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static BIT_STRING_BITNAME ns_cert_type_table[] = {
-	{0, "SSL Client", "client"},
-	{1, "SSL Server", "server"},
-	{2, "S/MIME", "email"},
-	{3, "Object Signing", "objsign"},
-	{4, "Unused", "reserved"},
-	{5, "SSL CA", "sslCA"},
-	{6, "S/MIME CA", "emailCA"},
-	{7, "Object Signing CA", "objCA"},
-	{-1, NULL, NULL}
-};
-
-static BIT_STRING_BITNAME key_usage_type_table[] = {
-	{0, "Digital Signature", "digitalSignature"},
-	{1, "Non Repudiation", "nonRepudiation"},
-	{2, "Key Encipherment", "keyEncipherment"},
-	{3, "Data Encipherment", "dataEncipherment"},
-	{4, "Key Agreement", "keyAgreement"},
-	{5, "Certificate Sign", "keyCertSign"},
-	{6, "CRL Sign", "cRLSign"},
-	{7, "Encipher Only", "encipherOnly"},
-	{8, "Decipher Only", "decipherOnly"},
-	{-1, NULL, NULL}
-};
-
-const X509V3_EXT_METHOD v3_nscert = {
-	.ext_nid = NID_netscape_cert_type,
-	.ext_flags = 0,
-	.it = &ASN1_BIT_STRING_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING,
-	.v2i = (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING,
-	.i2r = NULL,
-	.r2i = NULL,
-	.usr_data = ns_cert_type_table,
-};
-
-const X509V3_EXT_METHOD v3_key_usage = {
-	.ext_nid = NID_key_usage,
-	.ext_flags = 0,
-	.it = &ASN1_BIT_STRING_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = (X509V3_EXT_I2V)i2v_ASN1_BIT_STRING,
-	.v2i = (X509V3_EXT_V2I)v2i_ASN1_BIT_STRING,
-	.i2r = NULL,
-	.r2i = NULL,
-	.usr_data = key_usage_type_table,
-};
-
-STACK_OF(CONF_VALUE) *
-i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits,
-    STACK_OF(CONF_VALUE) *ret)
-{
-	BIT_STRING_BITNAME *bnam;
-	STACK_OF(CONF_VALUE) *free_ret = NULL;
-
-	if (ret == NULL) {
-		if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL)
-			return NULL;
-	}
-
-	for (bnam = method->usr_data; bnam->lname != NULL; bnam++) {
-		if (!ASN1_BIT_STRING_get_bit(bits, bnam->bitnum))
-			continue;
-		if (!X509V3_add_value(bnam->lname, NULL, &ret))
-			goto err;
-	}
-
-	return ret;
-
- err:
-	sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free);
-
-	return NULL;
-}
-
-ASN1_BIT_STRING *
-v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval)
-{
-	CONF_VALUE *val;
-	ASN1_BIT_STRING *bs;
-	int i;
-	BIT_STRING_BITNAME *bnam;
-
-	if (!(bs = ASN1_BIT_STRING_new())) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		val = sk_CONF_VALUE_value(nval, i);
-		for (bnam = method->usr_data; bnam->lname; bnam++) {
-			if (!strcmp(bnam->sname, val->name) ||
-			    !strcmp(bnam->lname, val->name) ) {
-				if (!ASN1_BIT_STRING_set_bit(bs,
-				    bnam->bitnum, 1)) {
-					X509V3error(ERR_R_MALLOC_FAILURE);
-					ASN1_BIT_STRING_free(bs);
-					return NULL;
-				}
-				break;
-			}
-		}
-		if (!bnam->lname) {
-			X509V3error(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT);
-			X509V3_conf_err(val);
-			ASN1_BIT_STRING_free(bs);
-			return NULL;
-		}
-	}
-	return bs;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_conf.c b/src/lib/libcrypto/x509v3/v3_conf.c
deleted file mode 100644
index 78ff19808b..0000000000
--- a/src/lib/libcrypto/x509v3/v3_conf.c
+++ /dev/null
@@ -1,570 +0,0 @@
-/* $OpenBSD: v3_conf.c,v 1.23 2018/05/18 19:34:37 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* extension creation utilities */
-
-#include <ctype.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-
-static int v3_check_critical(const char **value);
-static int v3_check_generic(const char **value);
-static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
-    int crit, const char *value);
-static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value,
-    int crit, int type, X509V3_CTX *ctx);
-static char *conf_lhash_get_string(void *db, const char *section,
-    const char *value);
-static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db,
-    const char *section);
-static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid,
-    int crit, void *ext_struc);
-static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
-    long *ext_len);
-
-/* CONF *conf:  Config file    */
-/* char *name:  Name    */
-/* char *value:  Value    */
-X509_EXTENSION *
-X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
-    const char *value)
-{
-	int crit;
-	int ext_type;
-	X509_EXTENSION *ret;
-
-	crit = v3_check_critical(&value);
-	if ((ext_type = v3_check_generic(&value)))
-		return v3_generic_extension(name, value, crit, ext_type, ctx);
-	ret = do_ext_nconf(conf, ctx, OBJ_sn2nid(name), crit, value);
-	if (!ret) {
-		X509V3error(X509V3_R_ERROR_IN_EXTENSION);
-		ERR_asprintf_error_data("name=%s, value=%s", name, value);
-	}
-	return ret;
-}
-
-/* CONF *conf:  Config file    */
-/* char *value:  Value    */
-X509_EXTENSION *
-X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
-    const char *value)
-{
-	int crit;
-	int ext_type;
-
-	crit = v3_check_critical(&value);
-	if ((ext_type = v3_check_generic(&value)))
-		return v3_generic_extension(OBJ_nid2sn(ext_nid),
-		    value, crit, ext_type, ctx);
-	return do_ext_nconf(conf, ctx, ext_nid, crit, value);
-}
-
-/* CONF *conf:  Config file    */
-/* char *value:  Value    */
-static X509_EXTENSION *
-do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit,
-    const char *value)
-{
-	const X509V3_EXT_METHOD *method;
-	X509_EXTENSION *ext;
-	void *ext_struc;
-
-	if (ext_nid == NID_undef) {
-		X509V3error(X509V3_R_UNKNOWN_EXTENSION_NAME);
-		return NULL;
-	}
-	if (!(method = X509V3_EXT_get_nid(ext_nid))) {
-		X509V3error(X509V3_R_UNKNOWN_EXTENSION);
-		return NULL;
-	}
-	/* Now get internal extension representation based on type */
-	if (method->v2i) {
-		STACK_OF(CONF_VALUE) *nval;
-
-		if (*value == '@')
-			nval = NCONF_get_section(conf, value + 1);
-		else
-			nval = X509V3_parse_list(value);
-		if (sk_CONF_VALUE_num(nval) <= 0) {
-			X509V3error(X509V3_R_INVALID_EXTENSION_STRING);
-			ERR_asprintf_error_data("name=%s,section=%s",
-			    OBJ_nid2sn(ext_nid), value);
-			if (*value != '@')
-				sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
-			return NULL;
-		}
-		ext_struc = method->v2i(method, ctx, nval);
-		if (*value != '@')
-			sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
-	} else if (method->s2i) {
-		ext_struc = method->s2i(method, ctx, value);
-	} else if (method->r2i) {
-		if (!ctx->db || !ctx->db_meth) {
-			X509V3error(X509V3_R_NO_CONFIG_DATABASE);
-			return NULL;
-		}
-		ext_struc = method->r2i(method, ctx, value);
-	} else {
-		X509V3error(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED);
-		ERR_asprintf_error_data("name=%s", OBJ_nid2sn(ext_nid));
-		return NULL;
-	}
-	if (ext_struc == NULL)
-		return NULL;
-
-	ext = do_ext_i2d(method, ext_nid, crit, ext_struc);
-	if (method->it)
-		ASN1_item_free(ext_struc, method->it);
-	else
-		method->ext_free(ext_struc);
-	return ext;
-}
-
-static X509_EXTENSION *
-do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid, int crit,
-    void *ext_struc)
-{
-	unsigned char *ext_der;
-	int ext_len;
-	ASN1_OCTET_STRING *ext_oct = NULL;
-	X509_EXTENSION *ext;
-
-	/* Convert internal representation to DER */
-	if (method->it) {
-		ext_der = NULL;
-		ext_len = ASN1_item_i2d(ext_struc, &ext_der,
-		    method->it);
-		if (ext_len < 0)
-			goto merr;
-	} else {
-		unsigned char *p;
-		ext_len = method->i2d(ext_struc, NULL);
-		if (!(ext_der = malloc(ext_len)))
-			goto merr;
-		p = ext_der;
-		method->i2d(ext_struc, &p);
-	}
-	if (!(ext_oct = ASN1_OCTET_STRING_new()))
-		goto merr;
-	ext_oct->data = ext_der;
-	ext_oct->length = ext_len;
-
-	ext = X509_EXTENSION_create_by_NID(NULL, ext_nid, crit, ext_oct);
-	if (!ext)
-		goto merr;
-	ASN1_OCTET_STRING_free(ext_oct);
-
-	return ext;
-
-merr:
-	ASN1_OCTET_STRING_free(ext_oct);
-	X509V3error(ERR_R_MALLOC_FAILURE);
-	return NULL;
-
-}
-
-/* Given an internal structure, nid and critical flag create an extension */
-
-X509_EXTENSION *
-X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc)
-{
-	const X509V3_EXT_METHOD *method;
-
-	if (!(method = X509V3_EXT_get_nid(ext_nid))) {
-		X509V3error(X509V3_R_UNKNOWN_EXTENSION);
-		return NULL;
-	}
-	return do_ext_i2d(method, ext_nid, crit, ext_struc);
-}
-
-/* Check the extension string for critical flag */
-static int
-v3_check_critical(const char **value)
-{
-	const char *p = *value;
-
-	if ((strlen(p) < 9) || strncmp(p, "critical,", 9))
-		return 0;
-	p += 9;
-	while (isspace((unsigned char)*p)) p++;
-		*value = p;
-	return 1;
-}
-
-/* Check extension string for generic extension and return the type */
-static int
-v3_check_generic(const char **value)
-{
-	int gen_type = 0;
-	const char *p = *value;
-
-	if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4)) {
-		p += 4;
-		gen_type = 1;
-	} else if ((strlen(p) >= 5) && !strncmp(p, "ASN1:", 5)) {
-		p += 5;
-		gen_type = 2;
-	} else
-		return 0;
-
-	while (isspace((unsigned char)*p))
-		p++;
-	*value = p;
-	return gen_type;
-}
-
-/* Create a generic extension: for now just handle DER type */
-static X509_EXTENSION *
-v3_generic_extension(const char *ext, const char *value, int crit, int gen_type,
-    X509V3_CTX *ctx)
-{
-	unsigned char *ext_der = NULL;
-	long ext_len = 0;
-	ASN1_OBJECT *obj = NULL;
-	ASN1_OCTET_STRING *oct = NULL;
-	X509_EXTENSION *extension = NULL;
-
-	if (!(obj = OBJ_txt2obj(ext, 0))) {
-		X509V3error(X509V3_R_EXTENSION_NAME_ERROR);
-		ERR_asprintf_error_data("name=%s", ext);
-		goto err;
-	}
-
-	if (gen_type == 1)
-		ext_der = string_to_hex(value, &ext_len);
-	else if (gen_type == 2)
-		ext_der = generic_asn1(value, ctx, &ext_len);
-	else {
-		ERR_asprintf_error_data("Unexpected generic extension type %d", gen_type);
-		goto err;
-	}
-
-	if (ext_der == NULL) {
-		X509V3error(X509V3_R_EXTENSION_VALUE_ERROR);
-		ERR_asprintf_error_data("value=%s", value);
-		goto err;
-	}
-
-	if (!(oct = ASN1_OCTET_STRING_new())) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		goto err;
-	}
-
-	oct->data = ext_der;
-	oct->length = ext_len;
-	ext_der = NULL;
-
-	extension = X509_EXTENSION_create_by_OBJ(NULL, obj, crit, oct);
-
-err:
-	ASN1_OBJECT_free(obj);
-	ASN1_OCTET_STRING_free(oct);
-	free(ext_der);
-	return extension;
-}
-
-static unsigned char *
-generic_asn1(const char *value, X509V3_CTX *ctx, long *ext_len)
-{
-	ASN1_TYPE *typ;
-	unsigned char *ext_der = NULL;
-
-	typ = ASN1_generate_v3(value, ctx);
-	if (typ == NULL)
-		return NULL;
-	*ext_len = i2d_ASN1_TYPE(typ, &ext_der);
-	ASN1_TYPE_free(typ);
-	return ext_der;
-}
-
-/* This is the main function: add a bunch of extensions based on a config file
- * section to an extension STACK.
- */
-
-int
-X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
-    STACK_OF(X509_EXTENSION) **sk)
-{
-	X509_EXTENSION *ext;
-	STACK_OF(CONF_VALUE) *nval;
-	CONF_VALUE *val;
-	int i;
-
-	if (!(nval = NCONF_get_section(conf, section)))
-		return 0;
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		val = sk_CONF_VALUE_value(nval, i);
-		if (!(ext = X509V3_EXT_nconf(conf, ctx, val->name, val->value)))
-			return 0;
-		if (sk)
-			X509v3_add_ext(sk, ext, -1);
-		X509_EXTENSION_free(ext);
-	}
-	return 1;
-}
-
-/* Convenience functions to add extensions to a certificate, CRL and request */
-
-int
-X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
-    X509 *cert)
-{
-	STACK_OF(X509_EXTENSION) **sk = NULL;
-
-	if (cert)
-		sk = &cert->cert_info->extensions;
-	return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
-}
-
-/* Same as above but for a CRL */
-
-int
-X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
-    X509_CRL *crl)
-{
-	STACK_OF(X509_EXTENSION) **sk = NULL;
-
-	if (crl)
-		sk = &crl->crl->extensions;
-	return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
-}
-
-/* Add extensions to certificate request */
-
-int
-X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
-    X509_REQ *req)
-{
-	STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL;
-	int i;
-
-	if (req)
-		sk = &extlist;
-	i = X509V3_EXT_add_nconf_sk(conf, ctx, section, sk);
-	if (!i || !sk)
-		return i;
-	i = X509_REQ_add_extensions(req, extlist);
-	sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free);
-	return i;
-}
-
-/* Config database functions */
-
-char *
-X509V3_get_string(X509V3_CTX *ctx, const char *name, const char *section)
-{
-	if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string) {
-		X509V3error(X509V3_R_OPERATION_NOT_DEFINED);
-		return NULL;
-	}
-	return ctx->db_meth->get_string(ctx->db, name, section);
-}
-
-STACK_OF(CONF_VALUE) *
-X509V3_get_section(X509V3_CTX *ctx, const char *section)
-{
-	if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section) {
-		X509V3error(X509V3_R_OPERATION_NOT_DEFINED);
-		return NULL;
-	}
-	return ctx->db_meth->get_section(ctx->db, section);
-}
-
-void
-X509V3_string_free(X509V3_CTX *ctx, char *str)
-{
-	if (!str)
-		return;
-	if (ctx->db_meth->free_string)
-		ctx->db_meth->free_string(ctx->db, str);
-}
-
-void
-X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section)
-{
-	if (!section)
-		return;
-	if (ctx->db_meth->free_section)
-		ctx->db_meth->free_section(ctx->db, section);
-}
-
-static char *
-nconf_get_string(void *db, const char *section, const char *value)
-{
-	return NCONF_get_string(db, section, value);
-}
-
-static STACK_OF(CONF_VALUE) *
-nconf_get_section(void *db, const char *section)
-{
-	return NCONF_get_section(db, section);
-}
-
-static X509V3_CONF_METHOD nconf_method = {
-	nconf_get_string,
-	nconf_get_section,
-	NULL,
-	NULL
-};
-
-void
-X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
-{
-	ctx->db_meth = &nconf_method;
-	ctx->db = conf;
-}
-
-void
-X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
-    X509_CRL *crl, int flags)
-{
-	ctx->issuer_cert = issuer;
-	ctx->subject_cert = subj;
-	ctx->crl = crl;
-	ctx->subject_req = req;
-	ctx->flags = flags;
-}
-
-/* Old conf compatibility functions */
-
-X509_EXTENSION *
-X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, const char *name,
-    const char *value)
-{
-	CONF ctmp;
-
-	CONF_set_nconf(&ctmp, conf);
-	return X509V3_EXT_nconf(&ctmp, ctx, name, value);
-}
-
-/* LHASH *conf:  Config file    */
-/* char *value:  Value    */
-X509_EXTENSION *
-X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, int ext_nid,
-    const char *value)
-{
-	CONF ctmp;
-
-	CONF_set_nconf(&ctmp, conf);
-	return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value);
-}
-
-static char *
-conf_lhash_get_string(void *db, const char *section, const char *value)
-{
-	return CONF_get_string(db, section, value);
-}
-
-static STACK_OF(CONF_VALUE) *
-conf_lhash_get_section(void *db, const char *section)
-{
-	return CONF_get_section(db, section);
-}
-
-static X509V3_CONF_METHOD conf_lhash_method = {
-	conf_lhash_get_string,
-	conf_lhash_get_section,
-	NULL,
-	NULL
-};
-
-void
-X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash)
-{
-	ctx->db_meth = &conf_lhash_method;
-	ctx->db = lhash;
-}
-
-int
-X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-    const char *section, X509 *cert)
-{
-	CONF ctmp;
-
-	CONF_set_nconf(&ctmp, conf);
-	return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert);
-}
-
-/* Same as above but for a CRL */
-
-int
-X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-    const char *section, X509_CRL *crl)
-{
-	CONF ctmp;
-
-	CONF_set_nconf(&ctmp, conf);
-	return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl);
-}
-
-/* Add extensions to certificate request */
-
-int
-X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-    const char *section, X509_REQ *req)
-{
-	CONF ctmp;
-
-	CONF_set_nconf(&ctmp, conf);
-	return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req);
-}
diff --git a/src/lib/libcrypto/x509v3/v3_cpols.c b/src/lib/libcrypto/x509v3/v3_cpols.c
deleted file mode 100644
index 4359327b8b..0000000000
--- a/src/lib/libcrypto/x509v3/v3_cpols.c
+++ /dev/null
@@ -1,763 +0,0 @@
-/* $OpenBSD: v3_cpols.c,v 1.26 2019/04/21 16:25:40 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-#include "pcy_int.h"
-
-/* Certificate policies extension support: this one is a bit complex... */
-
-static int i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol,
-    BIO *out, int indent);
-static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, char *value);
-static void print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals,
-    int indent);
-static void print_notice(BIO *out, USERNOTICE *notice, int indent);
-static POLICYINFO *policy_section(X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *polstrs, int ia5org);
-static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *unot, int ia5org);
-static int nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos);
-
-const X509V3_EXT_METHOD v3_cpols = {
-	.ext_nid = NID_certificate_policies,
-	.ext_flags = 0,
-	.it = &CERTIFICATEPOLICIES_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = NULL,
-	.i2r = (X509V3_EXT_I2R)i2r_certpol,
-	.r2i = (X509V3_EXT_R2I)r2i_certpol,
-	.usr_data = NULL,
-};
-
-static const ASN1_TEMPLATE CERTIFICATEPOLICIES_item_tt = {
-	.flags = ASN1_TFLG_SEQUENCE_OF,
-	.tag = 0,
-	.offset = 0,
-	.field_name = "CERTIFICATEPOLICIES",
-	.item = &POLICYINFO_it,
-};
-
-const ASN1_ITEM CERTIFICATEPOLICIES_it = {
-	.itype = ASN1_ITYPE_PRIMITIVE,
-	.utype = -1,
-	.templates = &CERTIFICATEPOLICIES_item_tt,
-	.tcount = 0,
-	.funcs = NULL,
-	.size = 0,
-	.sname = "CERTIFICATEPOLICIES",
-};
-
-
-CERTIFICATEPOLICIES *
-d2i_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES **a, const unsigned char **in, long len)
-{
-	return (CERTIFICATEPOLICIES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &CERTIFICATEPOLICIES_it);
-}
-
-int
-i2d_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &CERTIFICATEPOLICIES_it);
-}
-
-CERTIFICATEPOLICIES *
-CERTIFICATEPOLICIES_new(void)
-{
-	return (CERTIFICATEPOLICIES *)ASN1_item_new(&CERTIFICATEPOLICIES_it);
-}
-
-void
-CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &CERTIFICATEPOLICIES_it);
-}
-
-static const ASN1_TEMPLATE POLICYINFO_seq_tt[] = {
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(POLICYINFO, policyid),
-		.field_name = "policyid",
-		.item = &ASN1_OBJECT_it,
-	},
-	{
-		.flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(POLICYINFO, qualifiers),
-		.field_name = "qualifiers",
-		.item = &POLICYQUALINFO_it,
-	},
-};
-
-const ASN1_ITEM POLICYINFO_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = POLICYINFO_seq_tt,
-	.tcount = sizeof(POLICYINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(POLICYINFO),
-	.sname = "POLICYINFO",
-};
-
-
-POLICYINFO *
-d2i_POLICYINFO(POLICYINFO **a, const unsigned char **in, long len)
-{
-	return (POLICYINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &POLICYINFO_it);
-}
-
-int
-i2d_POLICYINFO(POLICYINFO *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &POLICYINFO_it);
-}
-
-POLICYINFO *
-POLICYINFO_new(void)
-{
-	return (POLICYINFO *)ASN1_item_new(&POLICYINFO_it);
-}
-
-void
-POLICYINFO_free(POLICYINFO *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &POLICYINFO_it);
-}
-
-static const ASN1_TEMPLATE policydefault_tt = {
-	.flags = 0,
-	.tag = 0,
-	.offset = offsetof(POLICYQUALINFO, d.other),
-	.field_name = "d.other",
-	.item = &ASN1_ANY_it,
-};
-
-static const ASN1_ADB_TABLE POLICYQUALINFO_adbtbl[] = {
-	{
-		.value = NID_id_qt_cps,
-		.tt = {
-			.flags = 0,
-			.tag = 0,
-			.offset = offsetof(POLICYQUALINFO, d.cpsuri),
-			.field_name = "d.cpsuri",
-			.item = &ASN1_IA5STRING_it,
-		},
-	
-	},
-	{
-		.value = NID_id_qt_unotice,
-		.tt = {
-			.flags = 0,
-			.tag = 0,
-			.offset = offsetof(POLICYQUALINFO, d.usernotice),
-			.field_name = "d.usernotice",
-			.item = &USERNOTICE_it,
-		},
-	
-	},
-};
-
-static const ASN1_ADB POLICYQUALINFO_adb = {
-	.flags = 0,
-	.offset = offsetof(POLICYQUALINFO, pqualid),
-	.app_items = 0,
-	.tbl = POLICYQUALINFO_adbtbl,
-	.tblcount = sizeof(POLICYQUALINFO_adbtbl) / sizeof(ASN1_ADB_TABLE),
-	.default_tt = &policydefault_tt,
-	.null_tt = NULL,
-};
-
-static const ASN1_TEMPLATE POLICYQUALINFO_seq_tt[] = {
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(POLICYQUALINFO, pqualid),
-		.field_name = "pqualid",
-		.item = &ASN1_OBJECT_it,
-	},
-	{
-		.flags = ASN1_TFLG_ADB_OID,
-		.tag = -1,
-		.offset = 0,
-		.field_name = "POLICYQUALINFO",
-		.item = (const ASN1_ITEM *)&POLICYQUALINFO_adb,
-	},
-};
-
-const ASN1_ITEM POLICYQUALINFO_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = POLICYQUALINFO_seq_tt,
-	.tcount = sizeof(POLICYQUALINFO_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(POLICYQUALINFO),
-	.sname = "POLICYQUALINFO",
-};
-
-
-POLICYQUALINFO *
-d2i_POLICYQUALINFO(POLICYQUALINFO **a, const unsigned char **in, long len)
-{
-	return (POLICYQUALINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &POLICYQUALINFO_it);
-}
-
-int
-i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &POLICYQUALINFO_it);
-}
-
-POLICYQUALINFO *
-POLICYQUALINFO_new(void)
-{
-	return (POLICYQUALINFO *)ASN1_item_new(&POLICYQUALINFO_it);
-}
-
-void
-POLICYQUALINFO_free(POLICYQUALINFO *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &POLICYQUALINFO_it);
-}
-
-static const ASN1_TEMPLATE USERNOTICE_seq_tt[] = {
-	{
-		.flags = ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(USERNOTICE, noticeref),
-		.field_name = "noticeref",
-		.item = &NOTICEREF_it,
-	},
-	{
-		.flags = ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(USERNOTICE, exptext),
-		.field_name = "exptext",
-		.item = &DISPLAYTEXT_it,
-	},
-};
-
-const ASN1_ITEM USERNOTICE_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = USERNOTICE_seq_tt,
-	.tcount = sizeof(USERNOTICE_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(USERNOTICE),
-	.sname = "USERNOTICE",
-};
-
-
-USERNOTICE *
-d2i_USERNOTICE(USERNOTICE **a, const unsigned char **in, long len)
-{
-	return (USERNOTICE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &USERNOTICE_it);
-}
-
-int
-i2d_USERNOTICE(USERNOTICE *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &USERNOTICE_it);
-}
-
-USERNOTICE *
-USERNOTICE_new(void)
-{
-	return (USERNOTICE *)ASN1_item_new(&USERNOTICE_it);
-}
-
-void
-USERNOTICE_free(USERNOTICE *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &USERNOTICE_it);
-}
-
-static const ASN1_TEMPLATE NOTICEREF_seq_tt[] = {
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(NOTICEREF, organization),
-		.field_name = "organization",
-		.item = &DISPLAYTEXT_it,
-	},
-	{
-		.flags = ASN1_TFLG_SEQUENCE_OF,
-		.tag = 0,
-		.offset = offsetof(NOTICEREF, noticenos),
-		.field_name = "noticenos",
-		.item = &ASN1_INTEGER_it,
-	},
-};
-
-const ASN1_ITEM NOTICEREF_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = NOTICEREF_seq_tt,
-	.tcount = sizeof(NOTICEREF_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(NOTICEREF),
-	.sname = "NOTICEREF",
-};
-
-
-NOTICEREF *
-d2i_NOTICEREF(NOTICEREF **a, const unsigned char **in, long len)
-{
-	return (NOTICEREF *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &NOTICEREF_it);
-}
-
-int
-i2d_NOTICEREF(NOTICEREF *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &NOTICEREF_it);
-}
-
-NOTICEREF *
-NOTICEREF_new(void)
-{
-	return (NOTICEREF *)ASN1_item_new(&NOTICEREF_it);
-}
-
-void
-NOTICEREF_free(NOTICEREF *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &NOTICEREF_it);
-}
-
-static STACK_OF(POLICYINFO) *
-r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
-{
-	STACK_OF(POLICYINFO) *pols = NULL;
-	char *pstr;
-	POLICYINFO *pol;
-	ASN1_OBJECT *pobj;
-	STACK_OF(CONF_VALUE) *vals;
-	CONF_VALUE *cnf;
-	int i, ia5org;
-
-	pols = sk_POLICYINFO_new_null();
-	if (pols == NULL) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	vals = X509V3_parse_list(value);
-	if (vals == NULL) {
-		X509V3error(ERR_R_X509V3_LIB);
-		goto err;
-	}
-	ia5org = 0;
-	for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
-		cnf = sk_CONF_VALUE_value(vals, i);
-		if (cnf->value || !cnf->name) {
-			X509V3error(X509V3_R_INVALID_POLICY_IDENTIFIER);
-			X509V3_conf_err(cnf);
-			goto err;
-		}
-		pstr = cnf->name;
-		if (!strcmp(pstr, "ia5org")) {
-			ia5org = 1;
-			continue;
-		} else if (*pstr == '@') {
-			STACK_OF(CONF_VALUE) *polsect;
-			polsect = X509V3_get_section(ctx, pstr + 1);
-			if (!polsect) {
-				X509V3error(X509V3_R_INVALID_SECTION);
-				X509V3_conf_err(cnf);
-				goto err;
-			}
-			pol = policy_section(ctx, polsect, ia5org);
-			X509V3_section_free(ctx, polsect);
-			if (!pol)
-				goto err;
-		} else {
-			if (!(pobj = OBJ_txt2obj(cnf->name, 0))) {
-				X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
-				X509V3_conf_err(cnf);
-				goto err;
-			}
-			pol = POLICYINFO_new();
-			pol->policyid = pobj;
-		}
-		if (!sk_POLICYINFO_push(pols, pol)){
-			POLICYINFO_free(pol);
-			X509V3error(ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-	}
-	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
-	return pols;
-
-err:
-	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
-	sk_POLICYINFO_pop_free(pols, POLICYINFO_free);
-	return NULL;
-}
-
-static POLICYINFO *
-policy_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *polstrs, int ia5org)
-{
-	int i;
-	CONF_VALUE *cnf;
-	POLICYINFO *pol;
-	POLICYQUALINFO *nqual = NULL;
-
-	if ((pol = POLICYINFO_new()) == NULL)
-		goto merr;
-	for (i = 0; i < sk_CONF_VALUE_num(polstrs); i++) {
-		cnf = sk_CONF_VALUE_value(polstrs, i);
-		if (strcmp(cnf->name, "policyIdentifier") == 0) {
-			ASN1_OBJECT *pobj;
-
-			if ((pobj = OBJ_txt2obj(cnf->value, 0)) == NULL) {
-				X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
-				X509V3_conf_err(cnf);
-				goto err;
-			}
-			pol->policyid = pobj;
-		} else if (name_cmp(cnf->name, "CPS") == 0) {
-			if ((nqual = POLICYQUALINFO_new()) == NULL)
-				goto merr;
-			nqual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
-			nqual->d.cpsuri = ASN1_IA5STRING_new();
-			if (nqual->d.cpsuri == NULL)
-				goto merr;
-			if (ASN1_STRING_set(nqual->d.cpsuri, cnf->value,
-			    strlen(cnf->value)) == 0)
-				goto merr;
-
-			if (pol->qualifiers == NULL) {
-				pol->qualifiers = sk_POLICYQUALINFO_new_null();
-				if (pol->qualifiers == NULL)
-					goto merr;
-			}
-			if (sk_POLICYQUALINFO_push(pol->qualifiers, nqual) == 0)
-				goto merr;
-			nqual = NULL;
-		} else if (name_cmp(cnf->name, "userNotice") == 0) {
-			STACK_OF(CONF_VALUE) *unot;
-			POLICYQUALINFO *qual;
-
-			if (*cnf->value != '@') {
-				X509V3error(X509V3_R_EXPECTED_A_SECTION_NAME);
-				X509V3_conf_err(cnf);
-				goto err;
-			}
-			unot = X509V3_get_section(ctx, cnf->value + 1);
-			if (unot == NULL) {
-				X509V3error(X509V3_R_INVALID_SECTION);
-				X509V3_conf_err(cnf);
-				goto err;
-			}
-			qual = notice_section(ctx, unot, ia5org);
-			X509V3_section_free(ctx, unot);
-			if (qual == NULL)
-				goto err;
-
-			if (pol->qualifiers == NULL) {
-				pol->qualifiers = sk_POLICYQUALINFO_new_null();
-				if (pol->qualifiers == NULL)
-					goto merr;
-			}
-			if (sk_POLICYQUALINFO_push(pol->qualifiers, qual) == 0)
-				goto merr;
-		} else {
-			X509V3error(X509V3_R_INVALID_OPTION);
-			X509V3_conf_err(cnf);
-			goto err;
-		}
-	}
-	if (pol->policyid == NULL) {
-		X509V3error(X509V3_R_NO_POLICY_IDENTIFIER);
-		goto err;
-	}
-
-	return pol;
-
-merr:
-	X509V3error(ERR_R_MALLOC_FAILURE);
-
-err:
-	POLICYQUALINFO_free(nqual);
-	POLICYINFO_free(pol);
-	return NULL;
-}
-
-static POLICYQUALINFO *
-notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org)
-{
-	int i, ret;
-	CONF_VALUE *cnf;
-	USERNOTICE *not;
-	POLICYQUALINFO *qual;
-
-	if (!(qual = POLICYQUALINFO_new()))
-		goto merr;
-	qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
-	if (!(not = USERNOTICE_new()))
-		goto merr;
-	qual->d.usernotice = not;
-	for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
-		cnf = sk_CONF_VALUE_value(unot, i);
-		if (!strcmp(cnf->name, "explicitText")) {
-			if (not->exptext == NULL) {
-				not->exptext = ASN1_VISIBLESTRING_new();
-				if (not->exptext == NULL)
-					goto merr;
-			}
-			if (!ASN1_STRING_set(not->exptext, cnf->value,
-			    strlen(cnf->value)))
-				goto merr;
-		} else if (!strcmp(cnf->name, "organization")) {
-			NOTICEREF *nref;
-			if (!not->noticeref) {
-				if (!(nref = NOTICEREF_new()))
-					goto merr;
-				not->noticeref = nref;
-			} else
-				nref = not->noticeref;
-			if (ia5org)
-				nref->organization->type = V_ASN1_IA5STRING;
-			else
-				nref->organization->type = V_ASN1_VISIBLESTRING;
-			if (!ASN1_STRING_set(nref->organization, cnf->value,
-			    strlen(cnf->value)))
-				goto merr;
-		} else if (!strcmp(cnf->name, "noticeNumbers")) {
-			NOTICEREF *nref;
-			STACK_OF(CONF_VALUE) *nos;
-			if (!not->noticeref) {
-				if (!(nref = NOTICEREF_new()))
-					goto merr;
-				not->noticeref = nref;
-			} else
-				nref = not->noticeref;
-			nos = X509V3_parse_list(cnf->value);
-			if (!nos || !sk_CONF_VALUE_num(nos)) {
-				X509V3error(X509V3_R_INVALID_NUMBERS);
-				X509V3_conf_err(cnf);
-				if (nos != NULL)
-					sk_CONF_VALUE_pop_free(nos,
-					    X509V3_conf_free);
-				goto err;
-			}
-			ret = nref_nos(nref->noticenos, nos);
-			sk_CONF_VALUE_pop_free(nos, X509V3_conf_free);
-			if (!ret)
-				goto err;
-		} else {
-			X509V3error(X509V3_R_INVALID_OPTION);
-			X509V3_conf_err(cnf);
-			goto err;
-		}
-	}
-
-	if (not->noticeref &&
-	    (!not->noticeref->noticenos || !not->noticeref->organization)) {
-		X509V3error(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS);
-		goto err;
-	}
-
-	return qual;
-
-merr:
-	X509V3error(ERR_R_MALLOC_FAILURE);
-
-err:
-	POLICYQUALINFO_free(qual);
-	return NULL;
-}
-
-static int
-nref_nos(STACK_OF(ASN1_INTEGER) *nnums, STACK_OF(CONF_VALUE) *nos)
-{
-	CONF_VALUE *cnf;
-	ASN1_INTEGER *aint;
-	int i;
-
-	for (i = 0; i < sk_CONF_VALUE_num(nos); i++) {
-		cnf = sk_CONF_VALUE_value(nos, i);
-		if (!(aint = s2i_ASN1_INTEGER(NULL, cnf->name))) {
-			X509V3error(X509V3_R_INVALID_NUMBER);
-			goto err;
-		}
-		if (!sk_ASN1_INTEGER_push(nnums, aint))
-			goto merr;
-	}
-	return 1;
-
-merr:
-	X509V3error(ERR_R_MALLOC_FAILURE);
-
-err:
-	sk_ASN1_INTEGER_pop_free(nnums, ASN1_STRING_free);
-	return 0;
-}
-
-static int
-i2r_certpol(X509V3_EXT_METHOD *method, STACK_OF(POLICYINFO) *pol, BIO *out,
-    int indent)
-{
-	int i;
-	POLICYINFO *pinfo;
-
-	/* First print out the policy OIDs */
-	for (i = 0; i < sk_POLICYINFO_num(pol); i++) {
-		pinfo = sk_POLICYINFO_value(pol, i);
-		BIO_printf(out, "%*sPolicy: ", indent, "");
-		i2a_ASN1_OBJECT(out, pinfo->policyid);
-		BIO_puts(out, "\n");
-		if (pinfo->qualifiers)
-			print_qualifiers(out, pinfo->qualifiers, indent + 2);
-	}
-	return 1;
-}
-
-static void
-print_qualifiers(BIO *out, STACK_OF(POLICYQUALINFO) *quals, int indent)
-{
-	POLICYQUALINFO *qualinfo;
-	int i;
-
-	for (i = 0; i < sk_POLICYQUALINFO_num(quals); i++) {
-		qualinfo = sk_POLICYQUALINFO_value(quals, i);
-		switch (OBJ_obj2nid(qualinfo->pqualid)) {
-		case NID_id_qt_cps:
-			BIO_printf(out, "%*sCPS: %s\n", indent, "",
-			    qualinfo->d.cpsuri->data);
-			break;
-
-		case NID_id_qt_unotice:
-			BIO_printf(out, "%*sUser Notice:\n", indent, "");
-			print_notice(out, qualinfo->d.usernotice, indent + 2);
-			break;
-
-		default:
-			BIO_printf(out, "%*sUnknown Qualifier: ",
-			    indent + 2, "");
-
-			i2a_ASN1_OBJECT(out, qualinfo->pqualid);
-			BIO_puts(out, "\n");
-			break;
-		}
-	}
-}
-
-static void
-print_notice(BIO *out, USERNOTICE *notice, int indent)
-{
-	int i;
-
-	if (notice->noticeref) {
-		NOTICEREF *ref;
-		ref = notice->noticeref;
-		BIO_printf(out, "%*sOrganization: %s\n", indent, "",
-		    ref->organization->data);
-		BIO_printf(out, "%*sNumber%s: ", indent, "",
-		    sk_ASN1_INTEGER_num(ref->noticenos) > 1 ? "s" : "");
-		for (i = 0; i < sk_ASN1_INTEGER_num(ref->noticenos); i++) {
-			ASN1_INTEGER *num;
-			char *tmp;
-			num = sk_ASN1_INTEGER_value(ref->noticenos, i);
-			if (i)
-				BIO_puts(out, ", ");
-			tmp = i2s_ASN1_INTEGER(NULL, num);
-			BIO_puts(out, tmp);
-			free(tmp);
-		}
-		BIO_puts(out, "\n");
-	}
-	if (notice->exptext)
-		BIO_printf(out, "%*sExplicit Text: %s\n", indent, "",
-		    notice->exptext->data);
-}
-
-void
-X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent)
-{
-	const X509_POLICY_DATA *dat = node->data;
-
-	BIO_printf(out, "%*sPolicy: ", indent, "");
-
-	i2a_ASN1_OBJECT(out, dat->valid_policy);
-	BIO_puts(out, "\n");
-	BIO_printf(out, "%*s%s\n", indent + 2, "",
-	    node_data_critical(dat) ? "Critical" : "Non Critical");
-	if (dat->qualifier_set)
-		print_qualifiers(out, dat->qualifier_set, indent + 2);
-	else
-		BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, "");
-}
diff --git a/src/lib/libcrypto/x509v3/v3_crld.c b/src/lib/libcrypto/x509v3/v3_crld.c
deleted file mode 100644
index 039435f1db..0000000000
--- a/src/lib/libcrypto/x509v3/v3_crld.c
+++ /dev/null
@@ -1,809 +0,0 @@
-/* $OpenBSD: v3_crld.c,v 1.23 2019/04/21 16:25:40 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static void *v2i_crld(const X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
-    int indent);
-
-const X509V3_EXT_METHOD v3_crld = {
-	.ext_nid = NID_crl_distribution_points,
-	.ext_flags = 0,
-	.it = &CRL_DIST_POINTS_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = v2i_crld,
-	.i2r = i2r_crldp,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-const X509V3_EXT_METHOD v3_freshest_crl = {
-	.ext_nid = NID_freshest_crl,
-	.ext_flags = 0,
-	.it = &CRL_DIST_POINTS_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = v2i_crld,
-	.i2r = i2r_crldp,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-static STACK_OF(GENERAL_NAME) *
-gnames_from_sectname(X509V3_CTX *ctx, char *sect)
-{
-	STACK_OF(CONF_VALUE) *gnsect;
-	STACK_OF(GENERAL_NAME) *gens;
-
-	if (*sect == '@')
-		gnsect = X509V3_get_section(ctx, sect + 1);
-	else
-		gnsect = X509V3_parse_list(sect);
-	if (!gnsect) {
-		X509V3error(X509V3_R_SECTION_NOT_FOUND);
-		return NULL;
-	}
-	gens = v2i_GENERAL_NAMES(NULL, ctx, gnsect);
-	if (*sect == '@')
-		X509V3_section_free(ctx, gnsect);
-	else
-		sk_CONF_VALUE_pop_free(gnsect, X509V3_conf_free);
-	return gens;
-}
-
-static int
-set_dist_point_name(DIST_POINT_NAME **pdp, X509V3_CTX *ctx, CONF_VALUE *cnf)
-{
-	STACK_OF(GENERAL_NAME) *fnm = NULL;
-	STACK_OF(X509_NAME_ENTRY) *rnm = NULL;
-
-	if (!strncmp(cnf->name, "fullname", 9)) {
-		fnm = gnames_from_sectname(ctx, cnf->value);
-		if (!fnm)
-			goto err;
-	} else if (!strcmp(cnf->name, "relativename")) {
-		int ret;
-		STACK_OF(CONF_VALUE) *dnsect;
-		X509_NAME *nm;
-		nm = X509_NAME_new();
-		if (!nm)
-			return -1;
-		dnsect = X509V3_get_section(ctx, cnf->value);
-		if (!dnsect) {
-			X509V3error(X509V3_R_SECTION_NOT_FOUND);
-			X509_NAME_free(nm);
-			return -1;
-		}
-		ret = X509V3_NAME_from_section(nm, dnsect, MBSTRING_ASC);
-		X509V3_section_free(ctx, dnsect);
-		rnm = nm->entries;
-		nm->entries = NULL;
-		X509_NAME_free(nm);
-		if (!ret || sk_X509_NAME_ENTRY_num(rnm) <= 0)
-			goto err;
-		/* Since its a name fragment can't have more than one
-		 * RDNSequence
-		 */
-		if (sk_X509_NAME_ENTRY_value(rnm,
-		    sk_X509_NAME_ENTRY_num(rnm) - 1)->set) {
-			X509V3error(X509V3_R_INVALID_MULTIPLE_RDNS);
-			goto err;
-		}
-	} else
-		return 0;
-
-	if (*pdp) {
-		X509V3error(X509V3_R_DISTPOINT_ALREADY_SET);
-		goto err;
-	}
-
-	*pdp = DIST_POINT_NAME_new();
-	if (!*pdp)
-		goto err;
-	if (fnm) {
-		(*pdp)->type = 0;
-		(*pdp)->name.fullname = fnm;
-	} else {
-		(*pdp)->type = 1;
-		(*pdp)->name.relativename = rnm;
-	}
-
-	return 1;
-
-err:
-	sk_GENERAL_NAME_pop_free(fnm, GENERAL_NAME_free);
-	sk_X509_NAME_ENTRY_pop_free(rnm, X509_NAME_ENTRY_free);
-	return -1;
-}
-
-static const BIT_STRING_BITNAME reason_flags[] = {
-	{0, "Unused", "unused"},
-	{1, "Key Compromise", "keyCompromise"},
-	{2, "CA Compromise", "CACompromise"},
-	{3, "Affiliation Changed", "affiliationChanged"},
-	{4, "Superseded", "superseded"},
-	{5, "Cessation Of Operation", "cessationOfOperation"},
-	{6, "Certificate Hold", "certificateHold"},
-	{7, "Privilege Withdrawn", "privilegeWithdrawn"},
-	{8, "AA Compromise", "AACompromise"},
-	{-1, NULL, NULL}
-};
-
-static int
-set_reasons(ASN1_BIT_STRING **preas, char *value)
-{
-	STACK_OF(CONF_VALUE) *rsk = NULL;
-	const BIT_STRING_BITNAME *pbn;
-	const char *bnam;
-	int i, ret = 0;
-
-	if (*preas != NULL)
-		return 0;
-	rsk = X509V3_parse_list(value);
-	if (rsk == NULL)
-		return 0;
-	for (i = 0; i < sk_CONF_VALUE_num(rsk); i++) {
-		bnam = sk_CONF_VALUE_value(rsk, i)->name;
-		if (!*preas) {
-			*preas = ASN1_BIT_STRING_new();
-			if (!*preas)
-				goto err;
-		}
-		for (pbn = reason_flags; pbn->lname; pbn++) {
-			if (!strcmp(pbn->sname, bnam)) {
-				if (!ASN1_BIT_STRING_set_bit(*preas,
-				    pbn->bitnum, 1))
-					goto err;
-				break;
-			}
-		}
-		if (!pbn->lname)
-			goto err;
-	}
-	ret = 1;
-
-err:
-	sk_CONF_VALUE_pop_free(rsk, X509V3_conf_free);
-	return ret;
-}
-
-static int
-print_reasons(BIO *out, const char *rname, ASN1_BIT_STRING *rflags, int indent)
-{
-	int first = 1;
-	const BIT_STRING_BITNAME *pbn;
-
-	BIO_printf(out, "%*s%s:\n%*s", indent, "", rname, indent + 2, "");
-	for (pbn = reason_flags; pbn->lname; pbn++) {
-		if (ASN1_BIT_STRING_get_bit(rflags, pbn->bitnum)) {
-			if (first)
-				first = 0;
-			else
-				BIO_puts(out, ", ");
-			BIO_puts(out, pbn->lname);
-		}
-	}
-	if (first)
-		BIO_puts(out, "<EMPTY>\n");
-	else
-		BIO_puts(out, "\n");
-	return 1;
-}
-
-static DIST_POINT *
-crldp_from_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval)
-{
-	int i;
-	CONF_VALUE *cnf;
-	DIST_POINT *point = NULL;
-
-	point = DIST_POINT_new();
-	if (!point)
-		goto err;
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		int ret;
-		cnf = sk_CONF_VALUE_value(nval, i);
-		ret = set_dist_point_name(&point->distpoint, ctx, cnf);
-		if (ret > 0)
-			continue;
-		if (ret < 0)
-			goto err;
-		if (!strcmp(cnf->name, "reasons")) {
-			if (!set_reasons(&point->reasons, cnf->value))
-				goto err;
-		}
-		else if (!strcmp(cnf->name, "CRLissuer")) {
-			point->CRLissuer =
-			    gnames_from_sectname(ctx, cnf->value);
-			if (!point->CRLissuer)
-				goto err;
-		}
-	}
-
-	return point;
-
-err:
-	DIST_POINT_free(point);
-	return NULL;
-}
-
-static void *
-v2i_crld(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval)
-{
-	STACK_OF(DIST_POINT) *crld = NULL;
-	GENERAL_NAMES *gens = NULL;
-	GENERAL_NAME *gen = NULL;
-	CONF_VALUE *cnf;
-	int i;
-
-	if (!(crld = sk_DIST_POINT_new_null()))
-		goto merr;
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		DIST_POINT *point;
-		cnf = sk_CONF_VALUE_value(nval, i);
-		if (!cnf->value) {
-			STACK_OF(CONF_VALUE) *dpsect;
-			dpsect = X509V3_get_section(ctx, cnf->name);
-			if (!dpsect)
-				goto err;
-			point = crldp_from_section(ctx, dpsect);
-			X509V3_section_free(ctx, dpsect);
-			if (!point)
-				goto err;
-			if (!sk_DIST_POINT_push(crld, point)) {
-				DIST_POINT_free(point);
-				goto merr;
-			}
-		} else {
-			if (!(gen = v2i_GENERAL_NAME(method, ctx, cnf)))
-				goto err;
-			if (!(gens = GENERAL_NAMES_new()))
-				goto merr;
-			if (!sk_GENERAL_NAME_push(gens, gen))
-				goto merr;
-			gen = NULL;
-			if (!(point = DIST_POINT_new()))
-				goto merr;
-			if (!sk_DIST_POINT_push(crld, point)) {
-				DIST_POINT_free(point);
-				goto merr;
-			}
-			if (!(point->distpoint = DIST_POINT_NAME_new()))
-				goto merr;
-			point->distpoint->name.fullname = gens;
-			point->distpoint->type = 0;
-			gens = NULL;
-		}
-	}
-	return crld;
-
-merr:
-	X509V3error(ERR_R_MALLOC_FAILURE);
-err:
-	GENERAL_NAME_free(gen);
-	GENERAL_NAMES_free(gens);
-	sk_DIST_POINT_pop_free(crld, DIST_POINT_free);
-	return NULL;
-}
-
-static int
-dpn_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
-{
-	DIST_POINT_NAME *dpn = (DIST_POINT_NAME *)*pval;
-
-	switch (operation) {
-	case ASN1_OP_NEW_POST:
-		dpn->dpname = NULL;
-		break;
-
-	case ASN1_OP_FREE_POST:
-		if (dpn->dpname)
-			X509_NAME_free(dpn->dpname);
-		break;
-	}
-	return 1;
-}
-
-
-static const ASN1_AUX DIST_POINT_NAME_aux = {
-	.app_data = NULL,
-	.flags = 0,
-	.ref_offset = 0,
-	.ref_lock = 0,
-	.asn1_cb = dpn_cb,
-	.enc_offset = 0,
-};
-static const ASN1_TEMPLATE DIST_POINT_NAME_ch_tt[] = {
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF,
-		.tag = 0,
-		.offset = offsetof(DIST_POINT_NAME, name.fullname),
-		.field_name = "name.fullname",
-		.item = &GENERAL_NAME_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF,
-		.tag = 1,
-		.offset = offsetof(DIST_POINT_NAME, name.relativename),
-		.field_name = "name.relativename",
-		.item = &X509_NAME_ENTRY_it,
-	},
-};
-
-const ASN1_ITEM DIST_POINT_NAME_it = {
-	.itype = ASN1_ITYPE_CHOICE,
-	.utype = offsetof(DIST_POINT_NAME, type),
-	.templates = DIST_POINT_NAME_ch_tt,
-	.tcount = sizeof(DIST_POINT_NAME_ch_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = &DIST_POINT_NAME_aux,
-	.size = sizeof(DIST_POINT_NAME),
-	.sname = "DIST_POINT_NAME",
-};
-
-
-
-DIST_POINT_NAME *
-d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, const unsigned char **in, long len)
-{
-	return (DIST_POINT_NAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &DIST_POINT_NAME_it);
-}
-
-int
-i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &DIST_POINT_NAME_it);
-}
-
-DIST_POINT_NAME *
-DIST_POINT_NAME_new(void)
-{
-	return (DIST_POINT_NAME *)ASN1_item_new(&DIST_POINT_NAME_it);
-}
-
-void
-DIST_POINT_NAME_free(DIST_POINT_NAME *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &DIST_POINT_NAME_it);
-}
-
-static const ASN1_TEMPLATE DIST_POINT_seq_tt[] = {
-	{
-		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(DIST_POINT, distpoint),
-		.field_name = "distpoint",
-		.item = &DIST_POINT_NAME_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 1,
-		.offset = offsetof(DIST_POINT, reasons),
-		.field_name = "reasons",
-		.item = &ASN1_BIT_STRING_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
-		.tag = 2,
-		.offset = offsetof(DIST_POINT, CRLissuer),
-		.field_name = "CRLissuer",
-		.item = &GENERAL_NAME_it,
-	},
-};
-
-const ASN1_ITEM DIST_POINT_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = DIST_POINT_seq_tt,
-	.tcount = sizeof(DIST_POINT_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(DIST_POINT),
-	.sname = "DIST_POINT",
-};
-
-
-DIST_POINT *
-d2i_DIST_POINT(DIST_POINT **a, const unsigned char **in, long len)
-{
-	return (DIST_POINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &DIST_POINT_it);
-}
-
-int
-i2d_DIST_POINT(DIST_POINT *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &DIST_POINT_it);
-}
-
-DIST_POINT *
-DIST_POINT_new(void)
-{
-	return (DIST_POINT *)ASN1_item_new(&DIST_POINT_it);
-}
-
-void
-DIST_POINT_free(DIST_POINT *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &DIST_POINT_it);
-}
-
-static const ASN1_TEMPLATE CRL_DIST_POINTS_item_tt = {
-	.flags = ASN1_TFLG_SEQUENCE_OF,
-	.tag = 0,
-	.offset = 0,
-	.field_name = "CRLDistributionPoints",
-	.item = &DIST_POINT_it,
-};
-
-const ASN1_ITEM CRL_DIST_POINTS_it = {
-	.itype = ASN1_ITYPE_PRIMITIVE,
-	.utype = -1,
-	.templates = &CRL_DIST_POINTS_item_tt,
-	.tcount = 0,
-	.funcs = NULL,
-	.size = 0,
-	.sname = "CRL_DIST_POINTS",
-};
-
-
-CRL_DIST_POINTS *
-d2i_CRL_DIST_POINTS(CRL_DIST_POINTS **a, const unsigned char **in, long len)
-{
-	return (CRL_DIST_POINTS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &CRL_DIST_POINTS_it);
-}
-
-int
-i2d_CRL_DIST_POINTS(CRL_DIST_POINTS *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &CRL_DIST_POINTS_it);
-}
-
-CRL_DIST_POINTS *
-CRL_DIST_POINTS_new(void)
-{
-	return (CRL_DIST_POINTS *)ASN1_item_new(&CRL_DIST_POINTS_it);
-}
-
-void
-CRL_DIST_POINTS_free(CRL_DIST_POINTS *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &CRL_DIST_POINTS_it);
-}
-
-static const ASN1_TEMPLATE ISSUING_DIST_POINT_seq_tt[] = {
-	{
-		.flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(ISSUING_DIST_POINT, distpoint),
-		.field_name = "distpoint",
-		.item = &DIST_POINT_NAME_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 1,
-		.offset = offsetof(ISSUING_DIST_POINT, onlyuser),
-		.field_name = "onlyuser",
-		.item = &ASN1_FBOOLEAN_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 2,
-		.offset = offsetof(ISSUING_DIST_POINT, onlyCA),
-		.field_name = "onlyCA",
-		.item = &ASN1_FBOOLEAN_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 3,
-		.offset = offsetof(ISSUING_DIST_POINT, onlysomereasons),
-		.field_name = "onlysomereasons",
-		.item = &ASN1_BIT_STRING_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 4,
-		.offset = offsetof(ISSUING_DIST_POINT, indirectCRL),
-		.field_name = "indirectCRL",
-		.item = &ASN1_FBOOLEAN_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 5,
-		.offset = offsetof(ISSUING_DIST_POINT, onlyattr),
-		.field_name = "onlyattr",
-		.item = &ASN1_FBOOLEAN_it,
-	},
-};
-
-const ASN1_ITEM ISSUING_DIST_POINT_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = ISSUING_DIST_POINT_seq_tt,
-	.tcount = sizeof(ISSUING_DIST_POINT_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(ISSUING_DIST_POINT),
-	.sname = "ISSUING_DIST_POINT",
-};
-
-
-ISSUING_DIST_POINT *
-d2i_ISSUING_DIST_POINT(ISSUING_DIST_POINT **a, const unsigned char **in, long len)
-{
-	return (ISSUING_DIST_POINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &ISSUING_DIST_POINT_it);
-}
-
-int
-i2d_ISSUING_DIST_POINT(ISSUING_DIST_POINT *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &ISSUING_DIST_POINT_it);
-}
-
-ISSUING_DIST_POINT *
-ISSUING_DIST_POINT_new(void)
-{
-	return (ISSUING_DIST_POINT *)ASN1_item_new(&ISSUING_DIST_POINT_it);
-}
-
-void
-ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &ISSUING_DIST_POINT_it);
-}
-
-static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out,
-    int indent);
-static void *v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval);
-
-const X509V3_EXT_METHOD v3_idp = {
-	NID_issuing_distribution_point, X509V3_EXT_MULTILINE,
-	&ISSUING_DIST_POINT_it,
-	0, 0, 0, 0,
-	0, 0,
-	0,
-	v2i_idp,
-	i2r_idp, 0,
-	NULL
-};
-
-static void *
-v2i_idp(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval)
-{
-	ISSUING_DIST_POINT *idp = NULL;
-	CONF_VALUE *cnf;
-	char *name, *val;
-	int i, ret;
-
-	idp = ISSUING_DIST_POINT_new();
-	if (!idp)
-		goto merr;
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		cnf = sk_CONF_VALUE_value(nval, i);
-		name = cnf->name;
-		val = cnf->value;
-		ret = set_dist_point_name(&idp->distpoint, ctx, cnf);
-		if (ret > 0)
-			continue;
-		if (ret < 0)
-			goto err;
-		if (!strcmp(name, "onlyuser")) {
-			if (!X509V3_get_value_bool(cnf, &idp->onlyuser))
-				goto err;
-		}
-		else if (!strcmp(name, "onlyCA")) {
-			if (!X509V3_get_value_bool(cnf, &idp->onlyCA))
-				goto err;
-		}
-		else if (!strcmp(name, "onlyAA")) {
-			if (!X509V3_get_value_bool(cnf, &idp->onlyattr))
-				goto err;
-		}
-		else if (!strcmp(name, "indirectCRL")) {
-			if (!X509V3_get_value_bool(cnf, &idp->indirectCRL))
-				goto err;
-		}
-		else if (!strcmp(name, "onlysomereasons")) {
-			if (!set_reasons(&idp->onlysomereasons, val))
-				goto err;
-		} else {
-			X509V3error(X509V3_R_INVALID_NAME);
-			X509V3_conf_err(cnf);
-			goto err;
-		}
-	}
-	return idp;
-
-merr:
-	X509V3error(ERR_R_MALLOC_FAILURE);
-err:
-	ISSUING_DIST_POINT_free(idp);
-	return NULL;
-}
-
-static int
-print_gens(BIO *out, STACK_OF(GENERAL_NAME) *gens, int indent)
-{
-	int i;
-
-	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
-		BIO_printf(out, "%*s", indent + 2, "");
-		GENERAL_NAME_print(out, sk_GENERAL_NAME_value(gens, i));
-		BIO_puts(out, "\n");
-	}
-	return 1;
-}
-
-static int
-print_distpoint(BIO *out, DIST_POINT_NAME *dpn, int indent)
-{
-	if (dpn->type == 0) {
-		BIO_printf(out, "%*sFull Name:\n", indent, "");
-		print_gens(out, dpn->name.fullname, indent);
-	} else {
-		X509_NAME ntmp;
-		ntmp.entries = dpn->name.relativename;
-		BIO_printf(out, "%*sRelative Name:\n%*s",
-		    indent, "", indent + 2, "");
-		X509_NAME_print_ex(out, &ntmp, 0, XN_FLAG_ONELINE);
-		BIO_puts(out, "\n");
-	}
-	return 1;
-}
-
-static int
-i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out, int indent)
-{
-	ISSUING_DIST_POINT *idp = pidp;
-
-	if (idp->distpoint)
-		print_distpoint(out, idp->distpoint, indent);
-	if (idp->onlyuser > 0)
-		BIO_printf(out, "%*sOnly User Certificates\n", indent, "");
-	if (idp->onlyCA > 0)
-		BIO_printf(out, "%*sOnly CA Certificates\n", indent, "");
-	if (idp->indirectCRL > 0)
-		BIO_printf(out, "%*sIndirect CRL\n", indent, "");
-	if (idp->onlysomereasons)
-		print_reasons(out, "Only Some Reasons",
-	    idp->onlysomereasons, indent);
-	if (idp->onlyattr > 0)
-		BIO_printf(out, "%*sOnly Attribute Certificates\n", indent, "");
-	if (!idp->distpoint && (idp->onlyuser <= 0) && (idp->onlyCA <= 0) &&
-	    (idp->indirectCRL <= 0) && !idp->onlysomereasons &&
-	    (idp->onlyattr <= 0))
-		BIO_printf(out, "%*s<EMPTY>\n", indent, "");
-
-	return 1;
-}
-
-static int
-i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out, int indent)
-{
-	STACK_OF(DIST_POINT) *crld = pcrldp;
-	DIST_POINT *point;
-	int i;
-
-	for (i = 0; i < sk_DIST_POINT_num(crld); i++) {
-		BIO_puts(out, "\n");
-		point = sk_DIST_POINT_value(crld, i);
-		if (point->distpoint)
-			print_distpoint(out, point->distpoint, indent);
-		if (point->reasons)
-			print_reasons(out, "Reasons", point->reasons,
-		    indent);
-		if (point->CRLissuer) {
-			BIO_printf(out, "%*sCRL Issuer:\n", indent, "");
-			print_gens(out, point->CRLissuer, indent);
-		}
-	}
-	return 1;
-}
-
-int
-DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname)
-{
-	int i;
-	STACK_OF(X509_NAME_ENTRY) *frag;
-	X509_NAME_ENTRY *ne;
-
-	if (!dpn || (dpn->type != 1))
-		return 1;
-	frag = dpn->name.relativename;
-	dpn->dpname = X509_NAME_dup(iname);
-	if (!dpn->dpname)
-		return 0;
-	for (i = 0; i < sk_X509_NAME_ENTRY_num(frag); i++) {
-		ne = sk_X509_NAME_ENTRY_value(frag, i);
-		if (!X509_NAME_add_entry(dpn->dpname, ne, -1, i ? 0 : 1)) {
-			X509_NAME_free(dpn->dpname);
-			dpn->dpname = NULL;
-			return 0;
-		}
-	}
-	/* generate cached encoding of name */
-	if (i2d_X509_NAME(dpn->dpname, NULL) < 0) {
-		X509_NAME_free(dpn->dpname);
-		dpn->dpname = NULL;
-		return 0;
-	}
-	return 1;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_enum.c b/src/lib/libcrypto/x509v3/v3_enum.c
deleted file mode 100644
index 2ef3ea3e90..0000000000
--- a/src/lib/libcrypto/x509v3/v3_enum.c
+++ /dev/null
@@ -1,107 +0,0 @@
-/* $OpenBSD: v3_enum.c,v 1.13 2018/05/19 10:37:02 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-#include <openssl/x509v3.h>
-
-static ENUMERATED_NAMES crl_reasons[] = {
-	{CRL_REASON_UNSPECIFIED, 	 "Unspecified", "unspecified"},
-	{CRL_REASON_KEY_COMPROMISE,	 "Key Compromise", "keyCompromise"},
-	{CRL_REASON_CA_COMPROMISE,	 "CA Compromise", "CACompromise"},
-	{CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"},
-	{CRL_REASON_SUPERSEDED, 	 "Superseded", "superseded"},
-		{CRL_REASON_CESSATION_OF_OPERATION,
-	"Cessation Of Operation", "cessationOfOperation"},
-	{CRL_REASON_CERTIFICATE_HOLD,	 "Certificate Hold", "certificateHold"},
-	{CRL_REASON_REMOVE_FROM_CRL,	 "Remove From CRL", "removeFromCRL"},
-	{CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"},
-	{CRL_REASON_AA_COMPROMISE,	 "AA Compromise", "AACompromise"},
-	{-1, NULL, NULL}
-};
-
-const X509V3_EXT_METHOD v3_crl_reason = {
-	.ext_nid = NID_crl_reason,
-	.ext_flags = 0,
-	.it = &ASN1_ENUMERATED_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = (X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = NULL,
-	.i2r = NULL,
-	.r2i = NULL,
-	.usr_data = crl_reasons,
-};
-
-char *
-i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *e)
-{
-	ENUMERATED_NAMES *enam;
-	long strval;
-
-	strval = ASN1_ENUMERATED_get(e);
-	for (enam = method->usr_data; enam->lname; enam++) {
-		if (strval == enam->bitnum)
-			return strdup(enam->lname);
-	}
-	return i2s_ASN1_ENUMERATED(method, e);
-}
diff --git a/src/lib/libcrypto/x509v3/v3_extku.c b/src/lib/libcrypto/x509v3/v3_extku.c
deleted file mode 100644
index 59185c9bc7..0000000000
--- a/src/lib/libcrypto/x509v3/v3_extku.c
+++ /dev/null
@@ -1,217 +0,0 @@
-/* $OpenBSD: v3_extku.c,v 1.16 2019/04/22 17:26:34 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static void *v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static STACK_OF(CONF_VALUE) *i2v_EXTENDED_KEY_USAGE(
-    const X509V3_EXT_METHOD *method, void *eku, STACK_OF(CONF_VALUE) *extlist);
-
-const X509V3_EXT_METHOD v3_ext_ku = {
-	.ext_nid = NID_ext_key_usage,
-	.ext_flags = 0,
-	.it = &EXTENDED_KEY_USAGE_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = i2v_EXTENDED_KEY_USAGE,
-	.v2i = v2i_EXTENDED_KEY_USAGE,
-	.i2r = NULL,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-/* NB OCSP acceptable responses also is a SEQUENCE OF OBJECT */
-const X509V3_EXT_METHOD v3_ocsp_accresp = {
-	.ext_nid = NID_id_pkix_OCSP_acceptableResponses,
-	.ext_flags = 0,
-	.it = &EXTENDED_KEY_USAGE_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = i2v_EXTENDED_KEY_USAGE,
-	.v2i = v2i_EXTENDED_KEY_USAGE,
-	.i2r = NULL,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-static const ASN1_TEMPLATE EXTENDED_KEY_USAGE_item_tt = {
-	.flags = ASN1_TFLG_SEQUENCE_OF,
-	.tag = 0,
-	.offset = 0,
-	.field_name = "EXTENDED_KEY_USAGE",
-	.item = &ASN1_OBJECT_it,
-};
-
-const ASN1_ITEM EXTENDED_KEY_USAGE_it = {
-	.itype = ASN1_ITYPE_PRIMITIVE,
-	.utype = -1,
-	.templates = &EXTENDED_KEY_USAGE_item_tt,
-	.tcount = 0,
-	.funcs = NULL,
-	.size = 0,
-	.sname = "EXTENDED_KEY_USAGE",
-};
-
-
-EXTENDED_KEY_USAGE *
-d2i_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE **a, const unsigned char **in, long len)
-{
-	return (EXTENDED_KEY_USAGE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &EXTENDED_KEY_USAGE_it);
-}
-
-int
-i2d_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &EXTENDED_KEY_USAGE_it);
-}
-
-EXTENDED_KEY_USAGE *
-EXTENDED_KEY_USAGE_new(void)
-{
-	return (EXTENDED_KEY_USAGE *)ASN1_item_new(&EXTENDED_KEY_USAGE_it);
-}
-
-void
-EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &EXTENDED_KEY_USAGE_it);
-}
-
-static STACK_OF(CONF_VALUE) *
-i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a,
-    STACK_OF(CONF_VALUE) *extlist)
-{
-	ASN1_OBJECT *obj;
-	EXTENDED_KEY_USAGE *eku = a;
-	STACK_OF(CONF_VALUE) *free_extlist = NULL;
-	char obj_tmp[80];
-	int i;
-
-	if (extlist == NULL) {
-		if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
-			return NULL;
-	}
-
-	for (i = 0; i < sk_ASN1_OBJECT_num(eku); i++) {
-		if ((obj = sk_ASN1_OBJECT_value(eku, i)) == NULL)
-			goto err;
-		if (!i2t_ASN1_OBJECT(obj_tmp, sizeof obj_tmp, obj))
-			goto err;
-		if (!X509V3_add_value(NULL, obj_tmp, &extlist))
-			goto err;
-	}
-
-	return extlist;
-
- err:
-	sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
-
-	return NULL;
-}
-
-static void *
-v2i_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval)
-{
-	EXTENDED_KEY_USAGE *extku;
-	char *extval;
-	ASN1_OBJECT *objtmp;
-	CONF_VALUE *val;
-	int i;
-
-	if (!(extku = sk_ASN1_OBJECT_new_null())) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		val = sk_CONF_VALUE_value(nval, i);
-		if (val->value)
-			extval = val->value;
-		else
-			extval = val->name;
-		if (!(objtmp = OBJ_txt2obj(extval, 0))) {
-			sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
-			X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
-			X509V3_conf_err(val);
-			return NULL;
-		}
-		if (sk_ASN1_OBJECT_push(extku, objtmp) == 0) {
-			ASN1_OBJECT_free(objtmp);
-			sk_ASN1_OBJECT_pop_free(extku, ASN1_OBJECT_free);
-			X509V3error(ERR_R_MALLOC_FAILURE);
-			return NULL;
-		}
-	}
-	return extku;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_genn.c b/src/lib/libcrypto/x509v3/v3_genn.c
deleted file mode 100644
index a6b7a18b17..0000000000
--- a/src/lib/libcrypto/x509v3/v3_genn.c
+++ /dev/null
@@ -1,474 +0,0 @@
-/* $OpenBSD: v3_genn.c,v 1.12 2015/09/26 17:38:41 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-
-#include <stdio.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-
-static const ASN1_TEMPLATE OTHERNAME_seq_tt[] = {
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(OTHERNAME, type_id),
-		.field_name = "type_id",
-		.item = &ASN1_OBJECT_it,
-	},
-	/* Maybe have a true ANY DEFINED BY later */
-	{
-		.flags = ASN1_TFLG_EXPLICIT,
-		.tag = 0,
-		.offset = offsetof(OTHERNAME, value),
-		.field_name = "value",
-		.item = &ASN1_ANY_it,
-	},
-};
-
-const ASN1_ITEM OTHERNAME_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = OTHERNAME_seq_tt,
-	.tcount = sizeof(OTHERNAME_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(OTHERNAME),
-	.sname = "OTHERNAME",
-};
-
-
-OTHERNAME *
-d2i_OTHERNAME(OTHERNAME **a, const unsigned char **in, long len)
-{
-	return (OTHERNAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &OTHERNAME_it);
-}
-
-int
-i2d_OTHERNAME(OTHERNAME *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &OTHERNAME_it);
-}
-
-OTHERNAME *
-OTHERNAME_new(void)
-{
-	return (OTHERNAME *)ASN1_item_new(&OTHERNAME_it);
-}
-
-void
-OTHERNAME_free(OTHERNAME *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &OTHERNAME_it);
-}
-
-static const ASN1_TEMPLATE EDIPARTYNAME_seq_tt[] = {
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(EDIPARTYNAME, nameAssigner),
-		.field_name = "nameAssigner",
-		.item = &DIRECTORYSTRING_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 1,
-		.offset = offsetof(EDIPARTYNAME, partyName),
-		.field_name = "partyName",
-		.item = &DIRECTORYSTRING_it,
-	},
-};
-
-const ASN1_ITEM EDIPARTYNAME_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = EDIPARTYNAME_seq_tt,
-	.tcount = sizeof(EDIPARTYNAME_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(EDIPARTYNAME),
-	.sname = "EDIPARTYNAME",
-};
-
-
-EDIPARTYNAME *
-d2i_EDIPARTYNAME(EDIPARTYNAME **a, const unsigned char **in, long len)
-{
-	return (EDIPARTYNAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &EDIPARTYNAME_it);
-}
-
-int
-i2d_EDIPARTYNAME(EDIPARTYNAME *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &EDIPARTYNAME_it);
-}
-
-EDIPARTYNAME *
-EDIPARTYNAME_new(void)
-{
-	return (EDIPARTYNAME *)ASN1_item_new(&EDIPARTYNAME_it);
-}
-
-void
-EDIPARTYNAME_free(EDIPARTYNAME *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &EDIPARTYNAME_it);
-}
-
-static const ASN1_TEMPLATE GENERAL_NAME_ch_tt[] = {
-	{
-		.flags = ASN1_TFLG_IMPLICIT,
-		.tag = GEN_OTHERNAME,
-		.offset = offsetof(GENERAL_NAME, d.otherName),
-		.field_name = "d.otherName",
-		.item = &OTHERNAME_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT,
-		.tag = GEN_EMAIL,
-		.offset = offsetof(GENERAL_NAME, d.rfc822Name),
-		.field_name = "d.rfc822Name",
-		.item = &ASN1_IA5STRING_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT,
-		.tag = GEN_DNS,
-		.offset = offsetof(GENERAL_NAME, d.dNSName),
-		.field_name = "d.dNSName",
-		.item = &ASN1_IA5STRING_it,
-	},
-	/* Don't decode this */
-	{
-		.flags = ASN1_TFLG_IMPLICIT,
-		.tag = GEN_X400,
-		.offset = offsetof(GENERAL_NAME, d.x400Address),
-		.field_name = "d.x400Address",
-		.item = &ASN1_SEQUENCE_it,
-	},
-	/* X509_NAME is a CHOICE type so use EXPLICIT */
-	{
-		.flags = ASN1_TFLG_EXPLICIT,
-		.tag = GEN_DIRNAME,
-		.offset = offsetof(GENERAL_NAME, d.directoryName),
-		.field_name = "d.directoryName",
-		.item = &X509_NAME_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT,
-		.tag = GEN_EDIPARTY,
-		.offset = offsetof(GENERAL_NAME, d.ediPartyName),
-		.field_name = "d.ediPartyName",
-		.item = &EDIPARTYNAME_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT,
-		.tag = GEN_URI,
-		.offset = offsetof(GENERAL_NAME, d.uniformResourceIdentifier),
-		.field_name = "d.uniformResourceIdentifier",
-		.item = &ASN1_IA5STRING_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT,
-		.tag = GEN_IPADD,
-		.offset = offsetof(GENERAL_NAME, d.iPAddress),
-		.field_name = "d.iPAddress",
-		.item = &ASN1_OCTET_STRING_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT,
-		.tag = GEN_RID,
-		.offset = offsetof(GENERAL_NAME, d.registeredID),
-		.field_name = "d.registeredID",
-		.item = &ASN1_OBJECT_it,
-	},
-};
-
-const ASN1_ITEM GENERAL_NAME_it = {
-	.itype = ASN1_ITYPE_CHOICE,
-	.utype = offsetof(GENERAL_NAME, type),
-	.templates = GENERAL_NAME_ch_tt,
-	.tcount = sizeof(GENERAL_NAME_ch_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(GENERAL_NAME),
-	.sname = "GENERAL_NAME",
-};
-
-
-GENERAL_NAME *
-d2i_GENERAL_NAME(GENERAL_NAME **a, const unsigned char **in, long len)
-{
-	return (GENERAL_NAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &GENERAL_NAME_it);
-}
-
-int
-i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &GENERAL_NAME_it);
-}
-
-GENERAL_NAME *
-GENERAL_NAME_new(void)
-{
-	return (GENERAL_NAME *)ASN1_item_new(&GENERAL_NAME_it);
-}
-
-void
-GENERAL_NAME_free(GENERAL_NAME *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &GENERAL_NAME_it);
-}
-
-static const ASN1_TEMPLATE GENERAL_NAMES_item_tt = {
-	.flags = ASN1_TFLG_SEQUENCE_OF,
-	.tag = 0,
-	.offset = 0,
-	.field_name = "GeneralNames",
-	.item = &GENERAL_NAME_it,
-};
-
-const ASN1_ITEM GENERAL_NAMES_it = {
-	.itype = ASN1_ITYPE_PRIMITIVE,
-	.utype = -1,
-	.templates = &GENERAL_NAMES_item_tt,
-	.tcount = 0,
-	.funcs = NULL,
-	.size = 0,
-	.sname = "GENERAL_NAMES",
-};
-
-
-GENERAL_NAMES *
-d2i_GENERAL_NAMES(GENERAL_NAMES **a, const unsigned char **in, long len)
-{
-	return (GENERAL_NAMES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &GENERAL_NAMES_it);
-}
-
-int
-i2d_GENERAL_NAMES(GENERAL_NAMES *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &GENERAL_NAMES_it);
-}
-
-GENERAL_NAMES *
-GENERAL_NAMES_new(void)
-{
-	return (GENERAL_NAMES *)ASN1_item_new(&GENERAL_NAMES_it);
-}
-
-void
-GENERAL_NAMES_free(GENERAL_NAMES *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &GENERAL_NAMES_it);
-}
-
-GENERAL_NAME *
-GENERAL_NAME_dup(GENERAL_NAME *a)
-{
-	return ASN1_item_dup(&GENERAL_NAME_it, a);
-}
-
-/* Returns 0 if they are equal, != 0 otherwise. */
-int
-GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
-{
-	int result = -1;
-
-	if (!a || !b || a->type != b->type)
-		return -1;
-	switch (a->type) {
-	case GEN_X400:
-	case GEN_EDIPARTY:
-		result = ASN1_TYPE_cmp(a->d.other, b->d.other);
-		break;
-
-	case GEN_OTHERNAME:
-		result = OTHERNAME_cmp(a->d.otherName, b->d.otherName);
-		break;
-
-	case GEN_EMAIL:
-	case GEN_DNS:
-	case GEN_URI:
-		result = ASN1_STRING_cmp(a->d.ia5, b->d.ia5);
-		break;
-
-	case GEN_DIRNAME:
-		result = X509_NAME_cmp(a->d.dirn, b->d.dirn);
-		break;
-
-	case GEN_IPADD:
-		result = ASN1_OCTET_STRING_cmp(a->d.ip, b->d.ip);
-		break;
-
-	case GEN_RID:
-		result = OBJ_cmp(a->d.rid, b->d.rid);
-		break;
-	}
-	return result;
-}
-
-/* Returns 0 if they are equal, != 0 otherwise. */
-int
-OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b)
-{
-	int result = -1;
-
-	if (!a || !b)
-		return -1;
-	/* Check their type first. */
-	if ((result = OBJ_cmp(a->type_id, b->type_id)) != 0)
-		return result;
-	/* Check the value. */
-	result = ASN1_TYPE_cmp(a->value, b->value);
-	return result;
-}
-
-void
-GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value)
-{
-	switch (type) {
-	case GEN_X400:
-	case GEN_EDIPARTY:
-		a->d.other = value;
-		break;
-
-	case GEN_OTHERNAME:
-		a->d.otherName = value;
-		break;
-
-	case GEN_EMAIL:
-	case GEN_DNS:
-	case GEN_URI:
-		a->d.ia5 = value;
-		break;
-
-	case GEN_DIRNAME:
-		a->d.dirn = value;
-		break;
-
-	case GEN_IPADD:
-		a->d.ip = value;
-		break;
-
-	case GEN_RID:
-		a->d.rid = value;
-		break;
-	}
-	a->type = type;
-}
-
-void *
-GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype)
-{
-	if (ptype)
-		*ptype = a->type;
-	switch (a->type) {
-	case GEN_X400:
-	case GEN_EDIPARTY:
-		return a->d.other;
-
-	case GEN_OTHERNAME:
-		return a->d.otherName;
-
-	case GEN_EMAIL:
-	case GEN_DNS:
-	case GEN_URI:
-		return a->d.ia5;
-
-	case GEN_DIRNAME:
-		return a->d.dirn;
-
-	case GEN_IPADD:
-		return a->d.ip;
-
-	case GEN_RID:
-		return a->d.rid;
-
-	default:
-		return NULL;
-	}
-}
-
-int
-GENERAL_NAME_set0_othername(GENERAL_NAME *gen, ASN1_OBJECT *oid,
-    ASN1_TYPE *value)
-{
-	OTHERNAME *oth;
-
-	oth = OTHERNAME_new();
-	if (!oth)
-		return 0;
-	oth->type_id = oid;
-	oth->value = value;
-	GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth);
-	return 1;
-}
-
-int
-GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, ASN1_OBJECT **poid,
-    ASN1_TYPE **pvalue)
-{
-	if (gen->type != GEN_OTHERNAME)
-		return 0;
-	if (poid)
-		*poid = gen->d.otherName->type_id;
-	if (pvalue)
-		*pvalue = gen->d.otherName->value;
-	return 1;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_ia5.c b/src/lib/libcrypto/x509v3/v3_ia5.c
deleted file mode 100644
index a92041e691..0000000000
--- a/src/lib/libcrypto/x509v3/v3_ia5.c
+++ /dev/null
@@ -1,238 +0,0 @@
-/* $OpenBSD: v3_ia5.c,v 1.17 2017/01/29 17:49:23 beck Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/asn1.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static char *i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5);
-static ASN1_IA5STRING *s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, char *str);
-
-const X509V3_EXT_METHOD v3_ns_ia5_list[] = {
-	{
-		.ext_nid = NID_netscape_base_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_revocation_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_ca_revocation_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_renewal_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_ca_policy_url,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_ssl_server_name,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = NID_netscape_comment,
-		.ext_flags = 0,
-		.it = &ASN1_IA5STRING_it,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = (X509V3_EXT_I2S)i2s_ASN1_IA5STRING,
-		.s2i = (X509V3_EXT_S2I)s2i_ASN1_IA5STRING,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-	{
-		.ext_nid = -1,
-		.ext_flags = 0,
-		.it = NULL,
-		.ext_new = NULL,
-		.ext_free = NULL,
-		.d2i = NULL,
-		.i2d = NULL,
-		.i2s = NULL,
-		.s2i = NULL,
-		.i2v = NULL,
-		.v2i = NULL,
-		.i2r = NULL,
-		.r2i = NULL,
-		.usr_data = NULL,
-	},
-};
-
-static char *
-i2s_ASN1_IA5STRING(X509V3_EXT_METHOD *method, ASN1_IA5STRING *ia5)
-{
-	char *tmp;
-
-	if (!ia5 || !ia5->length)
-		return NULL;
-	if (!(tmp = malloc(ia5->length + 1))) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	memcpy(tmp, ia5->data, ia5->length);
-	tmp[ia5->length] = 0;
-	return tmp;
-}
-
-static ASN1_IA5STRING *
-s2i_ASN1_IA5STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
-{
-	ASN1_IA5STRING *ia5;
-	if (!str) {
-		X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
-		return NULL;
-	}
-	if (!(ia5 = ASN1_IA5STRING_new()))
-		goto err;
-	if (!ASN1_STRING_set((ASN1_STRING *)ia5, (unsigned char*)str,
-	    strlen(str))) {
-		ASN1_IA5STRING_free(ia5);
-		goto err;
-	}
-	return ia5;
-
-err:
-	X509V3error(ERR_R_MALLOC_FAILURE);
-	return NULL;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_info.c b/src/lib/libcrypto/x509v3/v3_info.c
deleted file mode 100644
index a895985510..0000000000
--- a/src/lib/libcrypto/x509v3/v3_info.c
+++ /dev/null
@@ -1,308 +0,0 @@
-/* $OpenBSD: v3_info.c,v 1.27 2019/04/22 17:18:30 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_INFO_ACCESS(
-    X509V3_EXT_METHOD *method, AUTHORITY_INFO_ACCESS *ainfo,
-    STACK_OF(CONF_VALUE) *ret);
-static AUTHORITY_INFO_ACCESS *v2i_AUTHORITY_INFO_ACCESS(
-    X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-
-const X509V3_EXT_METHOD v3_info = {
-	.ext_nid = NID_info_access,
-	.ext_flags = X509V3_EXT_MULTILINE,
-	.it = &AUTHORITY_INFO_ACCESS_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = (X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
-	.v2i = (X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
-	.i2r = NULL,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-const X509V3_EXT_METHOD v3_sinfo = {
-	.ext_nid = NID_sinfo_access,
-	.ext_flags = X509V3_EXT_MULTILINE,
-	.it = &AUTHORITY_INFO_ACCESS_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = (X509V3_EXT_I2V)i2v_AUTHORITY_INFO_ACCESS,
-	.v2i = (X509V3_EXT_V2I)v2i_AUTHORITY_INFO_ACCESS,
-	.i2r = NULL,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-static const ASN1_TEMPLATE ACCESS_DESCRIPTION_seq_tt[] = {
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(ACCESS_DESCRIPTION, method),
-		.field_name = "method",
-		.item = &ASN1_OBJECT_it,
-	},
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(ACCESS_DESCRIPTION, location),
-		.field_name = "location",
-		.item = &GENERAL_NAME_it,
-	},
-};
-
-const ASN1_ITEM ACCESS_DESCRIPTION_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = ACCESS_DESCRIPTION_seq_tt,
-	.tcount = sizeof(ACCESS_DESCRIPTION_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(ACCESS_DESCRIPTION),
-	.sname = "ACCESS_DESCRIPTION",
-};
-
-
-ACCESS_DESCRIPTION *
-d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, const unsigned char **in, long len)
-{
-	return (ACCESS_DESCRIPTION *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &ACCESS_DESCRIPTION_it);
-}
-
-int
-i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &ACCESS_DESCRIPTION_it);
-}
-
-ACCESS_DESCRIPTION *
-ACCESS_DESCRIPTION_new(void)
-{
-	return (ACCESS_DESCRIPTION *)ASN1_item_new(&ACCESS_DESCRIPTION_it);
-}
-
-void
-ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &ACCESS_DESCRIPTION_it);
-}
-
-static const ASN1_TEMPLATE AUTHORITY_INFO_ACCESS_item_tt = {
-	.flags = ASN1_TFLG_SEQUENCE_OF,
-	.tag = 0,
-	.offset = 0,
-	.field_name = "GeneralNames",
-	.item = &ACCESS_DESCRIPTION_it,
-};
-
-const ASN1_ITEM AUTHORITY_INFO_ACCESS_it = {
-	.itype = ASN1_ITYPE_PRIMITIVE,
-	.utype = -1,
-	.templates = &AUTHORITY_INFO_ACCESS_item_tt,
-	.tcount = 0,
-	.funcs = NULL,
-	.size = 0,
-	.sname = "AUTHORITY_INFO_ACCESS",
-};
-
-
-AUTHORITY_INFO_ACCESS *
-d2i_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS **a, const unsigned char **in, long len)
-{
-	return (AUTHORITY_INFO_ACCESS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &AUTHORITY_INFO_ACCESS_it);
-}
-
-int
-i2d_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &AUTHORITY_INFO_ACCESS_it);
-}
-
-AUTHORITY_INFO_ACCESS *
-AUTHORITY_INFO_ACCESS_new(void)
-{
-	return (AUTHORITY_INFO_ACCESS *)ASN1_item_new(&AUTHORITY_INFO_ACCESS_it);
-}
-
-void
-AUTHORITY_INFO_ACCESS_free(AUTHORITY_INFO_ACCESS *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &AUTHORITY_INFO_ACCESS_it);
-}
-
-static STACK_OF(CONF_VALUE) *
-i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method,
-    AUTHORITY_INFO_ACCESS *ainfo, STACK_OF(CONF_VALUE) *ret)
-{
-	ACCESS_DESCRIPTION *desc;
-	CONF_VALUE *vtmp;
-	STACK_OF(CONF_VALUE) *free_ret = NULL;
-	char objtmp[80], *ntmp;
-	int i;
-
-	if (ret == NULL) {
-		if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL)
-			return NULL;
-	}
-
-	for (i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) {
-		if ((desc = sk_ACCESS_DESCRIPTION_value(ainfo, i)) == NULL)
-			goto err;
-		if ((ret = i2v_GENERAL_NAME(method, desc->location,
-		    ret)) == NULL)
-			goto err;
-		if ((vtmp = sk_CONF_VALUE_value(ret, i)) == NULL)
-			goto err;
-		if (!i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method))
-			goto err;
-		if (asprintf(&ntmp, "%s - %s", objtmp, vtmp->name) == -1) {
-			ntmp = NULL;
-			X509V3error(ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-		free(vtmp->name);
-		vtmp->name = ntmp;
-	}
-
-	return ret;
-
- err:
-	sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free);
-
-	return NULL;
-}
-
-static AUTHORITY_INFO_ACCESS *
-v2i_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval)
-{
-	AUTHORITY_INFO_ACCESS *ainfo = NULL;
-	CONF_VALUE *cnf, ctmp;
-	ACCESS_DESCRIPTION *acc;
-	int i, objlen;
-	char *objtmp, *ptmp;
-
-	if (!(ainfo = sk_ACCESS_DESCRIPTION_new_null())) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		cnf = sk_CONF_VALUE_value(nval, i);
-		if ((acc = ACCESS_DESCRIPTION_new()) == NULL) {
-			X509V3error(ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-		if (sk_ACCESS_DESCRIPTION_push(ainfo, acc) == 0) {
-			ACCESS_DESCRIPTION_free(acc);
-			X509V3error(ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-		ptmp = strchr(cnf->name, ';');
-		if (!ptmp) {
-			X509V3error(X509V3_R_INVALID_SYNTAX);
-			goto err;
-		}
-		objlen = ptmp - cnf->name;
-		ctmp.name = ptmp + 1;
-		ctmp.value = cnf->value;
-		if (!v2i_GENERAL_NAME_ex(acc->location, method, ctx, &ctmp, 0))
-			goto err;
-		if (!(objtmp = malloc(objlen + 1))) {
-			X509V3error(ERR_R_MALLOC_FAILURE);
-			goto err;
-		}
-		strlcpy(objtmp, cnf->name, objlen + 1);
-		acc->method = OBJ_txt2obj(objtmp, 0);
-		if (!acc->method) {
-			X509V3error(X509V3_R_BAD_OBJECT);
-			ERR_asprintf_error_data("value=%s", objtmp);
-			free(objtmp);
-			goto err;
-		}
-		free(objtmp);
-	}
-	return ainfo;
-
-err:
-	sk_ACCESS_DESCRIPTION_pop_free(ainfo, ACCESS_DESCRIPTION_free);
-	return NULL;
-}
-
-int
-i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION* a)
-{
-	i2a_ASN1_OBJECT(bp, a->method);
-	return 2;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_int.c b/src/lib/libcrypto/x509v3/v3_int.c
deleted file mode 100644
index f8a5e7df92..0000000000
--- a/src/lib/libcrypto/x509v3/v3_int.c
+++ /dev/null
@@ -1,110 +0,0 @@
-/* $OpenBSD: v3_int.c,v 1.11 2016/12/30 15:54:49 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/x509v3.h>
-
-const X509V3_EXT_METHOD v3_crl_num = {
-	.ext_nid = NID_crl_number,
-	.ext_flags = 0,
-	.it = &ASN1_INTEGER_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = NULL,
-	.i2r = NULL,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-const X509V3_EXT_METHOD v3_delta_crl = {
-	.ext_nid = NID_delta_crl,
-	.ext_flags = 0,
-	.it = &ASN1_INTEGER_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = (X509V3_EXT_I2S)i2s_ASN1_INTEGER,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = NULL,
-	.i2r = NULL,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-static void *
-s2i_asn1_int(X509V3_EXT_METHOD *meth, X509V3_CTX *ctx, char *value)
-{
-	return s2i_ASN1_INTEGER(meth, value);
-}
-
-const X509V3_EXT_METHOD v3_inhibit_anyp = {
-	NID_inhibit_any_policy, 0, &ASN1_INTEGER_it,
-	0, 0, 0, 0,
-	(X509V3_EXT_I2S)i2s_ASN1_INTEGER,
-	(X509V3_EXT_S2I)s2i_asn1_int,
-	0, 0, 0, 0,
-	NULL
-};
diff --git a/src/lib/libcrypto/x509v3/v3_lib.c b/src/lib/libcrypto/x509v3/v3_lib.c
deleted file mode 100644
index 84e6c0178f..0000000000
--- a/src/lib/libcrypto/x509v3/v3_lib.c
+++ /dev/null
@@ -1,358 +0,0 @@
-/* $OpenBSD: v3_lib.c,v 1.19 2019/04/21 16:29:57 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* X509 v3 extension utilities */
-
-#include <stdio.h>
-
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-#include "ext_dat.h"
-
-static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
-
-static int ext_cmp(const X509V3_EXT_METHOD * const *a,
-    const X509V3_EXT_METHOD * const *b);
-static void ext_list_free(X509V3_EXT_METHOD *ext);
-
-int
-X509V3_EXT_add(X509V3_EXT_METHOD *ext)
-{
-	if (!ext_list && !(ext_list = sk_X509V3_EXT_METHOD_new(ext_cmp))) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	if (!sk_X509V3_EXT_METHOD_push(ext_list, ext)) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	return 1;
-}
-
-static int
-ext_cmp(const X509V3_EXT_METHOD * const *a, const X509V3_EXT_METHOD * const *b)
-{
-	return ((*a)->ext_nid - (*b)->ext_nid);
-}
-
-static int ext_cmp_BSEARCH_CMP_FN(const void *, const void *);
-static int ext_cmp(const X509V3_EXT_METHOD * const *, const X509V3_EXT_METHOD * const *);
-static const X509V3_EXT_METHOD * *OBJ_bsearch_ext(const X509V3_EXT_METHOD * *key, const X509V3_EXT_METHOD * const *base, int num);
-
-static int
-ext_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
-{
-	const X509V3_EXT_METHOD * const *a = a_;
-	const X509V3_EXT_METHOD * const *b = b_;
-	return ext_cmp(a, b);
-}
-
-static const X509V3_EXT_METHOD **
-OBJ_bsearch_ext(const X509V3_EXT_METHOD **key,
-    const X509V3_EXT_METHOD *const *base, int num)
-{
-	return (const X509V3_EXT_METHOD **)OBJ_bsearch_(key, base, num,
-	    sizeof(const X509V3_EXT_METHOD *), ext_cmp_BSEARCH_CMP_FN);
-}
-
-const X509V3_EXT_METHOD *
-X509V3_EXT_get_nid(int nid)
-{
-	X509V3_EXT_METHOD tmp;
-	const X509V3_EXT_METHOD *t = &tmp, * const *ret;
-	int idx;
-
-	if (nid < 0)
-		return NULL;
-	tmp.ext_nid = nid;
-	ret = OBJ_bsearch_ext(&t, standard_exts, STANDARD_EXTENSION_COUNT);
-	if (ret)
-		return *ret;
-	if (!ext_list)
-		return NULL;
-	idx = sk_X509V3_EXT_METHOD_find(ext_list, &tmp);
-	if (idx == -1)
-		return NULL;
-	return sk_X509V3_EXT_METHOD_value(ext_list, idx);
-}
-
-const X509V3_EXT_METHOD *
-X509V3_EXT_get(X509_EXTENSION *ext)
-{
-	int nid;
-
-	if ((nid = OBJ_obj2nid(ext->object)) == NID_undef)
-		return NULL;
-	return X509V3_EXT_get_nid(nid);
-}
-
-int
-X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist)
-{
-	for (; extlist->ext_nid!=-1; extlist++)
-		if (!X509V3_EXT_add(extlist))
-			return 0;
-	return 1;
-}
-
-int
-X509V3_EXT_add_alias(int nid_to, int nid_from)
-{
-	const X509V3_EXT_METHOD *ext;
-	X509V3_EXT_METHOD *tmpext;
-
-	if (!(ext = X509V3_EXT_get_nid(nid_from))) {
-		X509V3error(X509V3_R_EXTENSION_NOT_FOUND);
-		return 0;
-	}
-	if (!(tmpext = malloc(sizeof(X509V3_EXT_METHOD)))) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return 0;
-	}
-	*tmpext = *ext;
-	tmpext->ext_nid = nid_to;
-	tmpext->ext_flags |= X509V3_EXT_DYNAMIC;
-	return X509V3_EXT_add(tmpext);
-}
-
-void
-X509V3_EXT_cleanup(void)
-{
-	sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free);
-	ext_list = NULL;
-}
-
-static void
-ext_list_free(X509V3_EXT_METHOD *ext)
-{
-	if (ext->ext_flags & X509V3_EXT_DYNAMIC)
-		free(ext);
-}
-
-/* Legacy function: we don't need to add standard extensions
- * any more because they are now kept in ext_dat.h.
- */
-
-int
-X509V3_add_standard_extensions(void)
-{
-	return 1;
-}
-
-/* Return an extension internal structure */
-
-void *
-X509V3_EXT_d2i(X509_EXTENSION *ext)
-{
-	const X509V3_EXT_METHOD *method;
-	const unsigned char *p;
-
-	if (!(method = X509V3_EXT_get(ext)))
-		return NULL;
-	p = ext->value->data;
-	if (method->it)
-		return ASN1_item_d2i(NULL, &p, ext->value->length,
-		    method->it);
-	return method->d2i(NULL, &p, ext->value->length);
-}
-
-/* Get critical flag and decoded version of extension from a NID.
- * The "idx" variable returns the last found extension and can
- * be used to retrieve multiple extensions of the same NID.
- * However multiple extensions with the same NID is usually
- * due to a badly encoded certificate so if idx is NULL we
- * choke if multiple extensions exist.
- * The "crit" variable is set to the critical value.
- * The return value is the decoded extension or NULL on
- * error. The actual error can have several different causes,
- * the value of *crit reflects the cause:
- * >= 0, extension found but not decoded (reflects critical value).
- * -1 extension not found.
- * -2 extension occurs more than once.
- */
-
-void *
-X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
-{
-	int lastpos, i;
-	X509_EXTENSION *ex, *found_ex = NULL;
-
-	if (!x) {
-		if (idx)
-			*idx = -1;
-		if (crit)
-			*crit = -1;
-		return NULL;
-	}
-	if (idx)
-		lastpos = *idx + 1;
-	else
-		lastpos = 0;
-	if (lastpos < 0)
-		lastpos = 0;
-	for (i = lastpos; i < sk_X509_EXTENSION_num(x); i++) {
-		ex = sk_X509_EXTENSION_value(x, i);
-		if (OBJ_obj2nid(ex->object) == nid) {
-			if (idx) {
-				*idx = i;
-				found_ex = ex;
-				break;
-			} else if (found_ex) {
-				/* Found more than one */
-				if (crit)
-					*crit = -2;
-				return NULL;
-			}
-			found_ex = ex;
-		}
-	}
-	if (found_ex) {
-		/* Found it */
-		if (crit)
-			*crit = X509_EXTENSION_get_critical(found_ex);
-		return X509V3_EXT_d2i(found_ex);
-	}
-
-	/* Extension not found */
-	if (idx)
-		*idx = -1;
-	if (crit)
-		*crit = -1;
-	return NULL;
-}
-
-/* This function is a general extension append, replace and delete utility.
- * The precise operation is governed by the 'flags' value. The 'crit' and
- * 'value' arguments (if relevant) are the extensions internal structure.
- */
-
-int
-X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
-    int crit, unsigned long flags)
-{
-	int extidx = -1;
-	int errcode;
-	X509_EXTENSION *ext, *extmp;
-	unsigned long ext_op = flags & X509V3_ADD_OP_MASK;
-
-	/* If appending we don't care if it exists, otherwise
-	 * look for existing extension.
-	 */
-	if (ext_op != X509V3_ADD_APPEND)
-		extidx = X509v3_get_ext_by_NID(*x, nid, -1);
-
-	/* See if extension exists */
-	if (extidx >= 0) {
-		/* If keep existing, nothing to do */
-		if (ext_op == X509V3_ADD_KEEP_EXISTING)
-			return 1;
-		/* If default then its an error */
-		if (ext_op == X509V3_ADD_DEFAULT) {
-			errcode = X509V3_R_EXTENSION_EXISTS;
-			goto err;
-		}
-		/* If delete, just delete it */
-		if (ext_op == X509V3_ADD_DELETE) {
-			if (!sk_X509_EXTENSION_delete(*x, extidx))
-				return -1;
-			return 1;
-		}
-	} else {
-		/* If replace existing or delete, error since
-		 * extension must exist
-		 */
-		if ((ext_op == X509V3_ADD_REPLACE_EXISTING) ||
-		    (ext_op == X509V3_ADD_DELETE)) {
-			errcode = X509V3_R_EXTENSION_NOT_FOUND;
-			goto err;
-		}
-	}
-
-	/* If we get this far then we have to create an extension:
-	 * could have some flags for alternative encoding schemes...
-	 */
-
-	ext = X509V3_EXT_i2d(nid, crit, value);
-
-	if (!ext) {
-		X509V3error(X509V3_R_ERROR_CREATING_EXTENSION);
-		return 0;
-	}
-
-	/* If extension exists replace it.. */
-	if (extidx >= 0) {
-		extmp = sk_X509_EXTENSION_value(*x, extidx);
-		X509_EXTENSION_free(extmp);
-		if (!sk_X509_EXTENSION_set(*x, extidx, ext))
-			return -1;
-		return 1;
-	}
-
-	if (!*x && !(*x = sk_X509_EXTENSION_new_null()))
-		return -1;
-	if (!sk_X509_EXTENSION_push(*x, ext))
-		return -1;
-
-	return 1;
-
-err:
-	if (!(flags & X509V3_ADD_SILENT))
-		X509V3error(errcode);
-	return 0;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_ncons.c b/src/lib/libcrypto/x509v3/v3_ncons.c
deleted file mode 100644
index 4913135cf9..0000000000
--- a/src/lib/libcrypto/x509v3/v3_ncons.c
+++ /dev/null
@@ -1,556 +0,0 @@
-/* $OpenBSD: v3_ncons.c,v 1.13 2017/07/20 19:45:08 tedu Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
-    void *a, BIO *bp, int ind);
-static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
-    STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, char *name);
-static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip);
-
-static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc);
-static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen);
-static int nc_dn(X509_NAME *sub, X509_NAME *nm);
-static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns);
-static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml);
-static int nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base);
-
-const X509V3_EXT_METHOD v3_name_constraints = {
-	.ext_nid = NID_name_constraints,
-	.ext_flags = 0,
-	.it = &NAME_CONSTRAINTS_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = v2i_NAME_CONSTRAINTS,
-	.i2r = i2r_NAME_CONSTRAINTS,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-static const ASN1_TEMPLATE GENERAL_SUBTREE_seq_tt[] = {
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(GENERAL_SUBTREE, base),
-		.field_name = "base",
-		.item = &GENERAL_NAME_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(GENERAL_SUBTREE, minimum),
-		.field_name = "minimum",
-		.item = &ASN1_INTEGER_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 1,
-		.offset = offsetof(GENERAL_SUBTREE, maximum),
-		.field_name = "maximum",
-		.item = &ASN1_INTEGER_it,
-	},
-};
-
-const ASN1_ITEM GENERAL_SUBTREE_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = GENERAL_SUBTREE_seq_tt,
-	.tcount = sizeof(GENERAL_SUBTREE_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(GENERAL_SUBTREE),
-	.sname = "GENERAL_SUBTREE",
-};
-
-static const ASN1_TEMPLATE NAME_CONSTRAINTS_seq_tt[] = {
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(NAME_CONSTRAINTS, permittedSubtrees),
-		.field_name = "permittedSubtrees",
-		.item = &GENERAL_SUBTREE_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
-		.tag = 1,
-		.offset = offsetof(NAME_CONSTRAINTS, excludedSubtrees),
-		.field_name = "excludedSubtrees",
-		.item = &GENERAL_SUBTREE_it,
-	},
-};
-
-const ASN1_ITEM NAME_CONSTRAINTS_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = NAME_CONSTRAINTS_seq_tt,
-	.tcount = sizeof(NAME_CONSTRAINTS_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(NAME_CONSTRAINTS),
-	.sname = "NAME_CONSTRAINTS",
-};
-
-
-GENERAL_SUBTREE *
-GENERAL_SUBTREE_new(void)
-{
-	return (GENERAL_SUBTREE*)ASN1_item_new(&GENERAL_SUBTREE_it);
-}
-
-void
-GENERAL_SUBTREE_free(GENERAL_SUBTREE *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &GENERAL_SUBTREE_it);
-}
-
-NAME_CONSTRAINTS *
-NAME_CONSTRAINTS_new(void)
-{
-	return (NAME_CONSTRAINTS*)ASN1_item_new(&NAME_CONSTRAINTS_it);
-}
-
-void
-NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &NAME_CONSTRAINTS_it);
-}
-
-static void *
-v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval)
-{
-	int i;
-	CONF_VALUE tval, *val;
-	STACK_OF(GENERAL_SUBTREE) **ptree = NULL;
-	NAME_CONSTRAINTS *ncons = NULL;
-	GENERAL_SUBTREE *sub = NULL;
-
-	ncons = NAME_CONSTRAINTS_new();
-	if (!ncons)
-		goto memerr;
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		val = sk_CONF_VALUE_value(nval, i);
-		if (!strncmp(val->name, "permitted", 9) && val->name[9]) {
-			ptree = &ncons->permittedSubtrees;
-			tval.name = val->name + 10;
-		} else if (!strncmp(val->name, "excluded", 8) && val->name[8]) {
-			ptree = &ncons->excludedSubtrees;
-			tval.name = val->name + 9;
-		} else {
-			X509V3error(X509V3_R_INVALID_SYNTAX);
-			goto err;
-		}
-		tval.value = val->value;
-		sub = GENERAL_SUBTREE_new();
-		if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
-			goto err;
-		if (!*ptree)
-			*ptree = sk_GENERAL_SUBTREE_new_null();
-		if (!*ptree || !sk_GENERAL_SUBTREE_push(*ptree, sub))
-			goto memerr;
-		sub = NULL;
-	}
-
-	return ncons;
-
-memerr:
-	X509V3error(ERR_R_MALLOC_FAILURE);
-err:
-	NAME_CONSTRAINTS_free(ncons);
-	GENERAL_SUBTREE_free(sub);
-	return NULL;
-}
-
-static int
-i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, BIO *bp, int ind)
-{
-	NAME_CONSTRAINTS *ncons = a;
-
-	do_i2r_name_constraints(method, ncons->permittedSubtrees,
-	    bp, ind, "Permitted");
-	do_i2r_name_constraints(method, ncons->excludedSubtrees,
-	    bp, ind, "Excluded");
-	return 1;
-}
-
-static int
-do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
-    STACK_OF(GENERAL_SUBTREE) *trees, BIO *bp, int ind, char *name)
-{
-	GENERAL_SUBTREE *tree;
-	int i;
-
-	if (sk_GENERAL_SUBTREE_num(trees) > 0)
-		BIO_printf(bp, "%*s%s:\n", ind, "", name);
-	for (i = 0; i < sk_GENERAL_SUBTREE_num(trees); i++) {
-		tree = sk_GENERAL_SUBTREE_value(trees, i);
-		BIO_printf(bp, "%*s", ind + 2, "");
-		if (tree->base->type == GEN_IPADD)
-			print_nc_ipadd(bp, tree->base->d.ip);
-		else
-			GENERAL_NAME_print(bp, tree->base);
-		BIO_puts(bp, "\n");
-	}
-	return 1;
-}
-
-static int
-print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip)
-{
-	int i, len;
-	unsigned char *p;
-
-	p = ip->data;
-	len = ip->length;
-	BIO_puts(bp, "IP:");
-	if (len == 8) {
-		BIO_printf(bp, "%d.%d.%d.%d/%d.%d.%d.%d",
-		    p[0], p[1], p[2], p[3], p[4], p[5], p[6], p[7]);
-	} else if (len == 32) {
-		for (i = 0; i < 16; i++) {
-			BIO_printf(bp, "%X", p[0] << 8 | p[1]);
-			p += 2;
-			if (i == 7)
-				BIO_puts(bp, "/");
-			else if (i != 15)
-				BIO_puts(bp, ":");
-		}
-	} else
-		BIO_printf(bp, "IP Address:<invalid>");
-	return 1;
-}
-
-/* Check a certificate conforms to a specified set of constraints.
- * Return values:
- *  X509_V_OK: All constraints obeyed.
- *  X509_V_ERR_PERMITTED_VIOLATION: Permitted subtree violation.
- *  X509_V_ERR_EXCLUDED_VIOLATION: Excluded subtree violation.
- *  X509_V_ERR_SUBTREE_MINMAX: Min or max values present and matching type.
- *  X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE:  Unsupported constraint type.
- *  X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: bad unsupported constraint syntax.
- *  X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: bad or unsupported syntax of name
- */
-
-int
-NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
-{
-	int r, i;
-	X509_NAME *nm;
-
-	nm = X509_get_subject_name(x);
-
-	if (X509_NAME_entry_count(nm) > 0) {
-		GENERAL_NAME gntmp;
-		gntmp.type = GEN_DIRNAME;
-		gntmp.d.directoryName = nm;
-
-		r = nc_match(&gntmp, nc);
-
-		if (r != X509_V_OK)
-			return r;
-
-		gntmp.type = GEN_EMAIL;
-
-		/* Process any email address attributes in subject name */
-
-		for (i = -1;;) {
-			X509_NAME_ENTRY *ne;
-			i = X509_NAME_get_index_by_NID(nm,
-			    NID_pkcs9_emailAddress, i);
-			if (i == -1)
-				break;
-			ne = X509_NAME_get_entry(nm, i);
-			gntmp.d.rfc822Name = X509_NAME_ENTRY_get_data(ne);
-			if (gntmp.d.rfc822Name->type != V_ASN1_IA5STRING)
-				return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
-
-			r = nc_match(&gntmp, nc);
-
-			if (r != X509_V_OK)
-				return r;
-		}
-
-	}
-
-	for (i = 0; i < sk_GENERAL_NAME_num(x->altname); i++) {
-		GENERAL_NAME *gen = sk_GENERAL_NAME_value(x->altname, i);
-		r = nc_match(gen, nc);
-		if (r != X509_V_OK)
-			return r;
-	}
-
-	return X509_V_OK;
-}
-
-static int
-nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
-{
-	GENERAL_SUBTREE *sub;
-	int i, r, match = 0;
-
-	/* Permitted subtrees: if any subtrees exist of matching the type
-	 * at least one subtree must match.
-	 */
-
-	for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) {
-		sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
-		if (gen->type != sub->base->type)
-			continue;
-		if (sub->minimum || sub->maximum)
-			return X509_V_ERR_SUBTREE_MINMAX;
-		/* If we already have a match don't bother trying any more */
-		if (match == 2)
-			continue;
-		if (match == 0)
-			match = 1;
-		r = nc_match_single(gen, sub->base);
-		if (r == X509_V_OK)
-			match = 2;
-		else if (r != X509_V_ERR_PERMITTED_VIOLATION)
-			return r;
-	}
-
-	if (match == 1)
-		return X509_V_ERR_PERMITTED_VIOLATION;
-
-	/* Excluded subtrees: must not match any of these */
-
-	for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) {
-		sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i);
-		if (gen->type != sub->base->type)
-			continue;
-		if (sub->minimum || sub->maximum)
-			return X509_V_ERR_SUBTREE_MINMAX;
-
-		r = nc_match_single(gen, sub->base);
-		if (r == X509_V_OK)
-			return X509_V_ERR_EXCLUDED_VIOLATION;
-		else if (r != X509_V_ERR_PERMITTED_VIOLATION)
-			return r;
-
-	}
-
-	return X509_V_OK;
-}
-
-static int
-nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base)
-{
-	switch (base->type) {
-	case GEN_DIRNAME:
-		return nc_dn(gen->d.directoryName, base->d.directoryName);
-
-	case GEN_DNS:
-		return nc_dns(gen->d.dNSName, base->d.dNSName);
-
-	case GEN_EMAIL:
-		return nc_email(gen->d.rfc822Name, base->d.rfc822Name);
-
-	case GEN_URI:
-		return nc_uri(gen->d.uniformResourceIdentifier,
-		    base->d.uniformResourceIdentifier);
-
-	default:
-		return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE;
-	}
-}
-
-/* directoryName name constraint matching.
- * The canonical encoding of X509_NAME makes this comparison easy. It is
- * matched if the subtree is a subset of the name.
- */
-
-static int
-nc_dn(X509_NAME *nm, X509_NAME *base)
-{
-	/* Ensure canonical encodings are up to date.  */
-	if (nm->modified && i2d_X509_NAME(nm, NULL) < 0)
-		return X509_V_ERR_OUT_OF_MEM;
-	if (base->modified && i2d_X509_NAME(base, NULL) < 0)
-		return X509_V_ERR_OUT_OF_MEM;
-	if (base->canon_enclen > nm->canon_enclen)
-		return X509_V_ERR_PERMITTED_VIOLATION;
-	if (memcmp(base->canon_enc, nm->canon_enc, base->canon_enclen))
-		return X509_V_ERR_PERMITTED_VIOLATION;
-	return X509_V_OK;
-}
-
-static int
-nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
-{
-	char *baseptr = (char *)base->data;
-	char *dnsptr = (char *)dns->data;
-
-	/* Empty matches everything */
-	if (!*baseptr)
-		return X509_V_OK;
-	/* Otherwise can add zero or more components on the left so
-	 * compare RHS and if dns is longer and expect '.' as preceding
-	 * character.
-	 */
-	if (dns->length > base->length) {
-		dnsptr += dns->length - base->length;
-		if (baseptr[0] != '.' && dnsptr[-1] != '.')
-			return X509_V_ERR_PERMITTED_VIOLATION;
-	}
-
-	if (strcasecmp(baseptr, dnsptr))
-		return X509_V_ERR_PERMITTED_VIOLATION;
-
-	return X509_V_OK;
-}
-
-static int
-nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base)
-{
-	const char *baseptr = (char *)base->data;
-	const char *emlptr = (char *)eml->data;
-	const char *baseat = strchr(baseptr, '@');
-	const char *emlat = strchr(emlptr, '@');
-
-	if (!emlat)
-		return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
-	/* Special case: inital '.' is RHS match */
-	if (!baseat && (*baseptr == '.')) {
-		if (eml->length > base->length) {
-			emlptr += eml->length - base->length;
-			if (!strcasecmp(baseptr, emlptr))
-				return X509_V_OK;
-		}
-		return X509_V_ERR_PERMITTED_VIOLATION;
-	}
-
-	/* If we have anything before '@' match local part */
-
-	if (baseat) {
-		if (baseat != baseptr) {
-			if ((baseat - baseptr) != (emlat - emlptr))
-				return X509_V_ERR_PERMITTED_VIOLATION;
-			/* Case sensitive match of local part */
-			if (strncmp(baseptr, emlptr, emlat - emlptr))
-				return X509_V_ERR_PERMITTED_VIOLATION;
-		}
-		/* Position base after '@' */
-		baseptr = baseat + 1;
-	}
-	emlptr = emlat + 1;
-	/* Just have hostname left to match: case insensitive */
-	if (strcasecmp(baseptr, emlptr))
-		return X509_V_ERR_PERMITTED_VIOLATION;
-
-	return X509_V_OK;
-}
-
-static int
-nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base)
-{
-	const char *baseptr = (char *)base->data;
-	const char *hostptr = (char *)uri->data;
-	const char *p = strchr(hostptr, ':');
-	int hostlen;
-
-	/* Check for foo:// and skip past it */
-	if (!p || (p[1] != '/') || (p[2] != '/'))
-		return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
-	hostptr = p + 3;
-
-	/* Determine length of hostname part of URI */
-
-	/* Look for a port indicator as end of hostname first */
-
-	p = strchr(hostptr, ':');
-	/* Otherwise look for trailing slash */
-	if (!p)
-		p = strchr(hostptr, '/');
-
-	if (!p)
-		hostlen = strlen(hostptr);
-	else
-		hostlen = p - hostptr;
-
-	if (hostlen == 0)
-		return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
-
-	/* Special case: inital '.' is RHS match */
-	if (*baseptr == '.') {
-		if (hostlen > base->length) {
-			p = hostptr + hostlen - base->length;
-			if (!strncasecmp(p, baseptr, base->length))
-				return X509_V_OK;
-		}
-		return X509_V_ERR_PERMITTED_VIOLATION;
-	}
-
-	if ((base->length != (int)hostlen) ||
-	    strncasecmp(hostptr, baseptr, hostlen))
-		return X509_V_ERR_PERMITTED_VIOLATION;
-
-	return X509_V_OK;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_ocsp.c b/src/lib/libcrypto/x509v3/v3_ocsp.c
deleted file mode 100644
index 8ebda2e770..0000000000
--- a/src/lib/libcrypto/x509v3/v3_ocsp.c
+++ /dev/null
@@ -1,380 +0,0 @@
-/* $OpenBSD: v3_ocsp.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/opensslconf.h>
-
-#ifndef OPENSSL_NO_OCSP
-
-#include <openssl/asn1.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/ocsp.h>
-#include <openssl/x509v3.h>
-
-/* OCSP extensions and a couple of CRL entry extensions
- */
-
-static int i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *nonce,
-    BIO *out, int indent);
-static int i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *nonce,
-    BIO *out, int indent);
-static int i2r_object(const X509V3_EXT_METHOD *method, void *obj, BIO *out,
-    int indent);
-
-static void *ocsp_nonce_new(void);
-static int i2d_ocsp_nonce(void *a, unsigned char **pp);
-static void *d2i_ocsp_nonce(void *a, const unsigned char **pp, long length);
-static void ocsp_nonce_free(void *a);
-static int i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce,
-    BIO *out, int indent);
-
-static int i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method,
-    void *nocheck, BIO *out, int indent);
-static void *s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    const char *str);
-static int i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in,
-    BIO *bp, int ind);
-
-const X509V3_EXT_METHOD v3_ocsp_crlid = {
-	.ext_nid = NID_id_pkix_OCSP_CrlID,
-	.ext_flags = 0,
-	.it = &OCSP_CRLID_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = NULL,
-	.i2r = i2r_ocsp_crlid,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-const X509V3_EXT_METHOD v3_ocsp_acutoff = {
-	.ext_nid = NID_id_pkix_OCSP_archiveCutoff,
-	.ext_flags = 0,
-	.it = &ASN1_GENERALIZEDTIME_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = NULL,
-	.i2r = i2r_ocsp_acutoff,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-const X509V3_EXT_METHOD v3_crl_invdate = {
-	.ext_nid = NID_invalidity_date,
-	.ext_flags = 0,
-	.it = &ASN1_GENERALIZEDTIME_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = NULL,
-	.i2r = i2r_ocsp_acutoff,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-const X509V3_EXT_METHOD v3_crl_hold = {
-	.ext_nid = NID_hold_instruction_code,
-	.ext_flags = 0,
-	.it = &ASN1_OBJECT_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = NULL,
-	.i2r = i2r_object,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-const X509V3_EXT_METHOD v3_ocsp_nonce = {
-	.ext_nid = NID_id_pkix_OCSP_Nonce,
-	.ext_flags = 0,
-	.it = NULL,
-	.ext_new = ocsp_nonce_new,
-	.ext_free = ocsp_nonce_free,
-	.d2i = d2i_ocsp_nonce,
-	.i2d = i2d_ocsp_nonce,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = NULL,
-	.i2r = i2r_ocsp_nonce,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-const X509V3_EXT_METHOD v3_ocsp_nocheck = {
-	.ext_nid = NID_id_pkix_OCSP_noCheck,
-	.ext_flags = 0,
-	.it = &ASN1_NULL_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = s2i_ocsp_nocheck,
-	.i2v = NULL,
-	.v2i = NULL,
-	.i2r = i2r_ocsp_nocheck,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-const X509V3_EXT_METHOD v3_ocsp_serviceloc = {
-	.ext_nid = NID_id_pkix_OCSP_serviceLocator,
-	.ext_flags = 0,
-	.it = &OCSP_SERVICELOC_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = NULL,
-	.i2r = i2r_ocsp_serviceloc,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-static int
-i2r_ocsp_crlid(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
-{
-	OCSP_CRLID *a = in;
-	if (a->crlUrl) {
-		if (BIO_printf(bp, "%*scrlUrl: ", ind, "") <= 0)
-			goto err;
-		if (!ASN1_STRING_print(bp, (ASN1_STRING*)a->crlUrl))
-			goto err;
-		if (BIO_write(bp, "\n", 1) <= 0)
-			goto err;
-	}
-	if (a->crlNum) {
-		if (BIO_printf(bp, "%*scrlNum: ", ind, "") <= 0)
-			goto err;
-		if (i2a_ASN1_INTEGER(bp, a->crlNum) <= 0)
-			goto err;
-		if (BIO_write(bp, "\n", 1) <= 0)
-			goto err;
-	}
-	if (a->crlTime) {
-		if (BIO_printf(bp, "%*scrlTime: ", ind, "") <= 0)
-			goto err;
-		if (!ASN1_GENERALIZEDTIME_print(bp, a->crlTime))
-			goto err;
-		if (BIO_write(bp, "\n", 1) <= 0)
-			goto err;
-	}
-	return 1;
-
-err:
-	return 0;
-}
-
-static int
-i2r_ocsp_acutoff(const X509V3_EXT_METHOD *method, void *cutoff, BIO *bp,
-    int ind)
-{
-	if (BIO_printf(bp, "%*s", ind, "") <= 0)
-		return 0;
-	if (!ASN1_GENERALIZEDTIME_print(bp, cutoff))
-		return 0;
-	return 1;
-}
-
-static int
-i2r_object(const X509V3_EXT_METHOD *method, void *oid, BIO *bp, int ind)
-{
-	if (BIO_printf(bp, "%*s", ind, "") <= 0)
-		return 0;
-	if (i2a_ASN1_OBJECT(bp, oid) <= 0)
-		return 0;
-	return 1;
-}
-
-/* OCSP nonce. This is needs special treatment because it doesn't have
- * an ASN1 encoding at all: it just contains arbitrary data.
- */
-
-static void *
-ocsp_nonce_new(void)
-{
-	return ASN1_OCTET_STRING_new();
-}
-
-static int
-i2d_ocsp_nonce(void *a, unsigned char **pp)
-{
-	ASN1_OCTET_STRING *os = a;
-
-	if (pp) {
-		memcpy(*pp, os->data, os->length);
-		*pp += os->length;
-	}
-	return os->length;
-}
-
-static void *
-d2i_ocsp_nonce(void *a, const unsigned char **pp, long length)
-{
-	ASN1_OCTET_STRING *os, **pos;
-
-	pos = a;
-	if (pos == NULL || *pos == NULL) {
-		os = ASN1_OCTET_STRING_new();
-		if (os == NULL)
-			goto err;
-	} else
-		os = *pos;
-	if (ASN1_OCTET_STRING_set(os, *pp, length) == 0)
-		goto err;
-
-	*pp += length;
-
-	if (pos != NULL)
-		*pos = os;
-	return os;
-
-err:
-	if (pos == NULL || *pos != os)
-		ASN1_OCTET_STRING_free(os);
-	OCSPerror(ERR_R_MALLOC_FAILURE);
-	return NULL;
-}
-
-static void
-ocsp_nonce_free(void *a)
-{
-	ASN1_OCTET_STRING_free(a);
-}
-
-static int
-i2r_ocsp_nonce(const X509V3_EXT_METHOD *method, void *nonce, BIO *out,
-    int indent)
-{
-	if (BIO_printf(out, "%*s", indent, "") <= 0)
-		return 0;
-	if (i2a_ASN1_STRING(out, nonce, V_ASN1_OCTET_STRING) <= 0)
-		return 0;
-	return 1;
-}
-
-/* Nocheck is just a single NULL. Don't print anything and always set it */
-
-static int
-i2r_ocsp_nocheck(const X509V3_EXT_METHOD *method, void *nocheck, BIO *out,
-    int indent)
-{
-	return 1;
-}
-
-static void *
-s2i_ocsp_nocheck(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    const char *str)
-{
-	return ASN1_NULL_new();
-}
-
-static int
-i2r_ocsp_serviceloc(const X509V3_EXT_METHOD *method, void *in, BIO *bp, int ind)
-{
-	int i;
-	OCSP_SERVICELOC *a = in;
-	ACCESS_DESCRIPTION *ad;
-
-	if (BIO_printf(bp, "%*sIssuer: ", ind, "") <= 0)
-		goto err;
-	if (X509_NAME_print_ex(bp, a->issuer, 0, XN_FLAG_ONELINE) <= 0)
-		goto err;
-	for (i = 0; i < sk_ACCESS_DESCRIPTION_num(a->locator); i++) {
-		ad = sk_ACCESS_DESCRIPTION_value(a->locator, i);
-		if (BIO_printf(bp, "\n%*s", (2 * ind), "") <= 0)
-			goto err;
-		if (i2a_ASN1_OBJECT(bp, ad->method) <= 0)
-			goto err;
-		if (BIO_puts(bp, " - ") <= 0)
-			goto err;
-		if (GENERAL_NAME_print(bp, ad->location) <= 0)
-			goto err;
-	}
-	return 1;
-
-err:
-	return 0;
-}
-#endif
diff --git a/src/lib/libcrypto/x509v3/v3_pci.c b/src/lib/libcrypto/x509v3/v3_pci.c
deleted file mode 100644
index 437b3aee3d..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pci.c
+++ /dev/null
@@ -1,310 +0,0 @@
-/* $OpenBSD: v3_pci.c,v 1.13 2017/05/02 04:11:08 deraadt Exp $ */
-/* Contributed to the OpenSSL Project 2004
- * by Richard Levitte (richard@levitte.org)
- */
-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext,
-    BIO *out, int indent);
-static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, char *str);
-
-const X509V3_EXT_METHOD v3_pci = {
-	.ext_nid = NID_proxyCertInfo,
-	.ext_flags = 0,
-	.it = &PROXY_CERT_INFO_EXTENSION_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = NULL,
-	.i2r = (X509V3_EXT_I2R)i2r_pci,
-	.r2i = (X509V3_EXT_R2I)r2i_pci,
-	.usr_data = NULL,
-};
-
-static int
-i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out,
-    int indent)
-{
-	BIO_printf(out, "%*sPath Length Constraint: ", indent, "");
-	if (pci->pcPathLengthConstraint)
-		i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint);
-	else
-		BIO_printf(out, "infinite");
-	BIO_puts(out, "\n");
-	BIO_printf(out, "%*sPolicy Language: ", indent, "");
-	i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage);
-	BIO_puts(out, "\n");
-	if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data)
-		BIO_printf(out, "%*sPolicy Text: %s\n", indent, "",
-		    pci->proxyPolicy->policy->data);
-	return 1;
-}
-
-static int
-process_pci_value(CONF_VALUE *val, ASN1_OBJECT **language,
-    ASN1_INTEGER **pathlen, ASN1_OCTET_STRING **policy)
-{
-	int free_policy = 0;
-
-	if (strcmp(val->name, "language") == 0) {
-		if (*language) {
-			X509V3error(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED);
-			X509V3_conf_err(val);
-			return 0;
-		}
-		if (!(*language = OBJ_txt2obj(val->value, 0))) {
-			X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER);
-			X509V3_conf_err(val);
-			return 0;
-		}
-	}
-	else if (strcmp(val->name, "pathlen") == 0) {
-		if (*pathlen) {
-			X509V3error(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED);
-			X509V3_conf_err(val);
-			return 0;
-		}
-		if (!X509V3_get_value_int(val, pathlen)) {
-			X509V3error(X509V3_R_POLICY_PATH_LENGTH);
-			X509V3_conf_err(val);
-			return 0;
-		}
-	}
-	else if (strcmp(val->name, "policy") == 0) {
-		unsigned char *tmp_data = NULL;
-		long val_len;
-		if (!*policy) {
-			*policy = ASN1_OCTET_STRING_new();
-			if (!*policy) {
-				X509V3error(ERR_R_MALLOC_FAILURE);
-				X509V3_conf_err(val);
-				return 0;
-			}
-			free_policy = 1;
-		}
-		if (strncmp(val->value, "hex:", 4) == 0) {
-			unsigned char *tmp_data2 =
-			    string_to_hex(val->value + 4, &val_len);
-
-			if (!tmp_data2) {
-				X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT);
-				X509V3_conf_err(val);
-				goto err;
-			}
-
-			tmp_data = realloc((*policy)->data,
-			    (*policy)->length + val_len + 1);
-			if (tmp_data) {
-				(*policy)->data = tmp_data;
-				memcpy(&(*policy)->data[(*policy)->length],
-				    tmp_data2, val_len);
-				(*policy)->length += val_len;
-				(*policy)->data[(*policy)->length] = '\0';
-			} else {
-				free(tmp_data2);
-				free((*policy)->data);
-				(*policy)->data = NULL;
-				(*policy)->length = 0;
-				X509V3error(ERR_R_MALLOC_FAILURE);
-				X509V3_conf_err(val);
-				goto err;
-			}
-			free(tmp_data2);
-		}
-		else if (strncmp(val->value, "file:", 5) == 0) {
-			unsigned char buf[2048];
-			int n;
-			BIO *b = BIO_new_file(val->value + 5, "r");
-			if (!b) {
-				X509V3error(ERR_R_BIO_LIB);
-				X509V3_conf_err(val);
-				goto err;
-			}
-			while ((n = BIO_read(b, buf, sizeof(buf))) > 0 ||
-			    (n == 0 && BIO_should_retry(b))) {
-				if (!n)
-					continue;
-
-				tmp_data = realloc((*policy)->data,
-				    (*policy)->length + n + 1);
-
-				if (!tmp_data)
-					break;
-
-				(*policy)->data = tmp_data;
-				memcpy(&(*policy)->data[(*policy)->length],
-				    buf, n);
-				(*policy)->length += n;
-				(*policy)->data[(*policy)->length] = '\0';
-			}
-			BIO_free_all(b);
-
-			if (n < 0) {
-				X509V3error(ERR_R_BIO_LIB);
-				X509V3_conf_err(val);
-				goto err;
-			}
-		}
-		else if (strncmp(val->value, "text:", 5) == 0) {
-			val_len = strlen(val->value + 5);
-			tmp_data = realloc((*policy)->data,
-			    (*policy)->length + val_len + 1);
-			if (tmp_data) {
-				(*policy)->data = tmp_data;
-				memcpy(&(*policy)->data[(*policy)->length],
-				    val->value + 5, val_len);
-				(*policy)->length += val_len;
-				(*policy)->data[(*policy)->length] = '\0';
-			} else {
-				free((*policy)->data);
-				(*policy)->data = NULL;
-				(*policy)->length = 0;
-				X509V3error(ERR_R_MALLOC_FAILURE);
-				X509V3_conf_err(val);
-				goto err;
-			}
-		} else {
-			X509V3error(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG);
-			X509V3_conf_err(val);
-			goto err;
-		}
-		if (!tmp_data) {
-			X509V3error(ERR_R_MALLOC_FAILURE);
-			X509V3_conf_err(val);
-			goto err;
-		}
-	}
-	return 1;
-
-err:
-	if (free_policy) {
-		ASN1_OCTET_STRING_free(*policy);
-		*policy = NULL;
-	}
-	return 0;
-}
-
-static PROXY_CERT_INFO_EXTENSION *
-r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
-{
-	PROXY_CERT_INFO_EXTENSION *pci = NULL;
-	STACK_OF(CONF_VALUE) *vals;
-	ASN1_OBJECT *language = NULL;
-	ASN1_INTEGER *pathlen = NULL;
-	ASN1_OCTET_STRING *policy = NULL;
-	int i, j;
-
-	vals = X509V3_parse_list(value);
-	for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
-		CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i);
-		if (!cnf->name || (*cnf->name != '@' && !cnf->value)) {
-			X509V3error(X509V3_R_INVALID_PROXY_POLICY_SETTING);
-			X509V3_conf_err(cnf);
-			goto err;
-		}
-		if (*cnf->name == '@') {
-			STACK_OF(CONF_VALUE) *sect;
-			int success_p = 1;
-
-			sect = X509V3_get_section(ctx, cnf->name + 1);
-			if (!sect) {
-				X509V3error(X509V3_R_INVALID_SECTION);
-				X509V3_conf_err(cnf);
-				goto err;
-			}
-			for (j = 0; success_p &&
-			    j < sk_CONF_VALUE_num(sect); j++) {
-				success_p = process_pci_value(
-				    sk_CONF_VALUE_value(sect, j),
-				    &language, &pathlen, &policy);
-			}
-			X509V3_section_free(ctx, sect);
-			if (!success_p)
-				goto err;
-		} else {
-			if (!process_pci_value(cnf,
-			    &language, &pathlen, &policy)) {
-				X509V3_conf_err(cnf);
-				goto err;
-			}
-		}
-	}
-
-	/* Language is mandatory */
-	if (!language) {
-		X509V3error(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED);
-		goto err;
-	}
-	i = OBJ_obj2nid(language);
-	if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) {
-		X509V3error(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY);
-		goto err;
-	}
-
-	pci = PROXY_CERT_INFO_EXTENSION_new();
-	if (!pci) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		goto err;
-	}
-
-	pci->proxyPolicy->policyLanguage = language;
-	language = NULL;
-	pci->proxyPolicy->policy = policy;
-	policy = NULL;
-	pci->pcPathLengthConstraint = pathlen;
-	pathlen = NULL;
-	goto end;
-
-err:
-	ASN1_OBJECT_free(language);
-	language = NULL;
-	ASN1_INTEGER_free(pathlen);
-	pathlen = NULL;
-	ASN1_OCTET_STRING_free(policy);
-	policy = NULL;
-end:
-	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
-	return pci;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_pcia.c b/src/lib/libcrypto/x509v3/v3_pcia.c
deleted file mode 100644
index f9ec02c00a..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pcia.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/* $OpenBSD: v3_pcia.c,v 1.6 2015/07/25 16:00:14 jsing Exp $ */
-/* Contributed to the OpenSSL Project 2004
- * by Richard Levitte (richard@levitte.org)
- */
-/* Copyright (c) 2004 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/x509v3.h>
-
-static const ASN1_TEMPLATE PROXY_POLICY_seq_tt[] = {
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(PROXY_POLICY, policyLanguage),
-		.field_name = "policyLanguage",
-		.item = &ASN1_OBJECT_it,
-	},
-	{
-		.flags = ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(PROXY_POLICY, policy),
-		.field_name = "policy",
-		.item = &ASN1_OCTET_STRING_it,
-	},
-};
-
-const ASN1_ITEM PROXY_POLICY_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = PROXY_POLICY_seq_tt,
-	.tcount = sizeof(PROXY_POLICY_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(PROXY_POLICY),
-	.sname = "PROXY_POLICY",
-};
-
-
-PROXY_POLICY *
-d2i_PROXY_POLICY(PROXY_POLICY **a, const unsigned char **in, long len)
-{
-	return (PROXY_POLICY *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &PROXY_POLICY_it);
-}
-
-int
-i2d_PROXY_POLICY(PROXY_POLICY *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_POLICY_it);
-}
-
-PROXY_POLICY *
-PROXY_POLICY_new(void)
-{
-	return (PROXY_POLICY *)ASN1_item_new(&PROXY_POLICY_it);
-}
-
-void
-PROXY_POLICY_free(PROXY_POLICY *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &PROXY_POLICY_it);
-}
-
-static const ASN1_TEMPLATE PROXY_CERT_INFO_EXTENSION_seq_tt[] = {
-	{
-		.flags = ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(PROXY_CERT_INFO_EXTENSION, pcPathLengthConstraint),
-		.field_name = "pcPathLengthConstraint",
-		.item = &ASN1_INTEGER_it,
-	},
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(PROXY_CERT_INFO_EXTENSION, proxyPolicy),
-		.field_name = "proxyPolicy",
-		.item = &PROXY_POLICY_it,
-	},
-};
-
-const ASN1_ITEM PROXY_CERT_INFO_EXTENSION_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = PROXY_CERT_INFO_EXTENSION_seq_tt,
-	.tcount = sizeof(PROXY_CERT_INFO_EXTENSION_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(PROXY_CERT_INFO_EXTENSION),
-	.sname = "PROXY_CERT_INFO_EXTENSION",
-};
-
-
-PROXY_CERT_INFO_EXTENSION *
-d2i_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION **a, const unsigned char **in, long len)
-{
-	return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &PROXY_CERT_INFO_EXTENSION_it);
-}
-
-int
-i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_CERT_INFO_EXTENSION_it);
-}
-
-PROXY_CERT_INFO_EXTENSION *
-PROXY_CERT_INFO_EXTENSION_new(void)
-{
-	return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_new(&PROXY_CERT_INFO_EXTENSION_it);
-}
-
-void
-PROXY_CERT_INFO_EXTENSION_free(PROXY_CERT_INFO_EXTENSION *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &PROXY_CERT_INFO_EXTENSION_it);
-}
diff --git a/src/lib/libcrypto/x509v3/v3_pcons.c b/src/lib/libcrypto/x509v3/v3_pcons.c
deleted file mode 100644
index 8c490a19ab..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pcons.c
+++ /dev/null
@@ -1,194 +0,0 @@
-/* $OpenBSD: v3_pcons.c,v 1.12 2019/04/22 17:29:13 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static STACK_OF(CONF_VALUE) *
-i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *bcons,
-    STACK_OF(CONF_VALUE) *extlist);
-static void *v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values);
-
-const X509V3_EXT_METHOD v3_policy_constraints = {
-	.ext_nid = NID_policy_constraints,
-	.ext_flags = 0,
-	.it = &POLICY_CONSTRAINTS_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = i2v_POLICY_CONSTRAINTS,
-	.v2i = v2i_POLICY_CONSTRAINTS,
-	.i2r = NULL,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-static const ASN1_TEMPLATE POLICY_CONSTRAINTS_seq_tt[] = {
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(POLICY_CONSTRAINTS, requireExplicitPolicy),
-		.field_name = "requireExplicitPolicy",
-		.item = &ASN1_INTEGER_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 1,
-		.offset = offsetof(POLICY_CONSTRAINTS, inhibitPolicyMapping),
-		.field_name = "inhibitPolicyMapping",
-		.item = &ASN1_INTEGER_it,
-	},
-};
-
-const ASN1_ITEM POLICY_CONSTRAINTS_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = POLICY_CONSTRAINTS_seq_tt,
-	.tcount = sizeof(POLICY_CONSTRAINTS_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(POLICY_CONSTRAINTS),
-	.sname = "POLICY_CONSTRAINTS",
-};
-
-
-POLICY_CONSTRAINTS *
-POLICY_CONSTRAINTS_new(void)
-{
-	return (POLICY_CONSTRAINTS*)ASN1_item_new(&POLICY_CONSTRAINTS_it);
-}
-
-void
-POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &POLICY_CONSTRAINTS_it);
-}
-
-static STACK_OF(CONF_VALUE) *
-i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a,
-    STACK_OF(CONF_VALUE) *extlist)
-{
-	POLICY_CONSTRAINTS *pcons = a;
-	STACK_OF(CONF_VALUE) *free_extlist = NULL;
-
-	if (extlist == NULL) {
-		if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
-			return NULL;
-	}
-
-	if (!X509V3_add_value_int("Require Explicit Policy",
-	    pcons->requireExplicitPolicy, &extlist))
-		goto err;
-	if (!X509V3_add_value_int("Inhibit Policy Mapping",
-	    pcons->inhibitPolicyMapping, &extlist))
-		goto err;
-
-	return extlist;
-
- err:
-	sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
-
-	return NULL;
-}
-
-static void *
-v2i_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *values)
-{
-	POLICY_CONSTRAINTS *pcons = NULL;
-	CONF_VALUE *val;
-	int i;
-
-	if (!(pcons = POLICY_CONSTRAINTS_new())) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
-		val = sk_CONF_VALUE_value(values, i);
-		if (!strcmp(val->name, "requireExplicitPolicy")) {
-			if (!X509V3_get_value_int(val,
-			    &pcons->requireExplicitPolicy)) goto err;
-		} else if (!strcmp(val->name, "inhibitPolicyMapping")) {
-			if (!X509V3_get_value_int(val,
-			    &pcons->inhibitPolicyMapping)) goto err;
-		} else {
-			X509V3error(X509V3_R_INVALID_NAME);
-			X509V3_conf_err(val);
-			goto err;
-		}
-	}
-	if (!pcons->inhibitPolicyMapping && !pcons->requireExplicitPolicy) {
-		X509V3error(X509V3_R_ILLEGAL_EMPTY_EXTENSION);
-		goto err;
-	}
-
-	return pcons;
-
-err:
-	POLICY_CONSTRAINTS_free(pcons);
-	return NULL;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_pku.c b/src/lib/libcrypto/x509v3/v3_pku.c
deleted file mode 100644
index ce6b8a0c1e..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pku.c
+++ /dev/null
@@ -1,154 +0,0 @@
-/* $OpenBSD: v3_pku.c,v 1.14 2019/04/21 16:38:01 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/x509v3.h>
-
-static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method,
-    PKEY_USAGE_PERIOD *usage, BIO *out, int indent);
-
-const X509V3_EXT_METHOD v3_pkey_usage_period = {
-	.ext_nid = NID_private_key_usage_period,
-	.ext_flags = 0,
-	.it = &PKEY_USAGE_PERIOD_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = NULL,
-	.v2i = NULL,
-	.i2r = (X509V3_EXT_I2R)i2r_PKEY_USAGE_PERIOD,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-static const ASN1_TEMPLATE PKEY_USAGE_PERIOD_seq_tt[] = {
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 0,
-		.offset = offsetof(PKEY_USAGE_PERIOD, notBefore),
-		.field_name = "notBefore",
-		.item = &ASN1_GENERALIZEDTIME_it,
-	},
-	{
-		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL,
-		.tag = 1,
-		.offset = offsetof(PKEY_USAGE_PERIOD, notAfter),
-		.field_name = "notAfter",
-		.item = &ASN1_GENERALIZEDTIME_it,
-	},
-};
-
-const ASN1_ITEM PKEY_USAGE_PERIOD_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = PKEY_USAGE_PERIOD_seq_tt,
-	.tcount = sizeof(PKEY_USAGE_PERIOD_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(PKEY_USAGE_PERIOD),
-	.sname = "PKEY_USAGE_PERIOD",
-};
-
-
-PKEY_USAGE_PERIOD *
-d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a, const unsigned char **in, long len)
-{
-	return (PKEY_USAGE_PERIOD *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &PKEY_USAGE_PERIOD_it);
-}
-
-int
-i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKEY_USAGE_PERIOD_it);
-}
-
-PKEY_USAGE_PERIOD *
-PKEY_USAGE_PERIOD_new(void)
-{
-	return (PKEY_USAGE_PERIOD *)ASN1_item_new(&PKEY_USAGE_PERIOD_it);
-}
-
-void
-PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &PKEY_USAGE_PERIOD_it);
-}
-
-static int
-i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage,
-    BIO *out, int indent)
-{
-	BIO_printf(out, "%*s", indent, "");
-	if (usage->notBefore) {
-		BIO_write(out, "Not Before: ", 12);
-		ASN1_GENERALIZEDTIME_print(out, usage->notBefore);
-		if (usage->notAfter)
-			BIO_write(out, ", ", 2);
-	}
-	if (usage->notAfter) {
-		BIO_write(out, "Not After: ", 11);
-		ASN1_GENERALIZEDTIME_print(out, usage->notAfter);
-	}
-	return 1;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_pmaps.c b/src/lib/libcrypto/x509v3/v3_pmaps.c
deleted file mode 100644
index 37264649c8..0000000000
--- a/src/lib/libcrypto/x509v3/v3_pmaps.c
+++ /dev/null
@@ -1,235 +0,0 @@
-/* $OpenBSD: v3_pmaps.c,v 1.13 2019/05/08 21:53:10 bcook Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 2003 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-
-#include <stdio.h>
-
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static void *v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-static STACK_OF(CONF_VALUE) *i2v_POLICY_MAPPINGS(
-    const X509V3_EXT_METHOD *method, void *pmps, STACK_OF(CONF_VALUE) *extlist);
-
-const X509V3_EXT_METHOD v3_policy_mappings = {
-	.ext_nid = NID_policy_mappings,
-	.ext_flags = 0,
-	.it = &POLICY_MAPPINGS_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = i2v_POLICY_MAPPINGS,
-	.v2i = v2i_POLICY_MAPPINGS,
-	.i2r = NULL,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-static const ASN1_TEMPLATE POLICY_MAPPING_seq_tt[] = {
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(POLICY_MAPPING, issuerDomainPolicy),
-		.field_name = "issuerDomainPolicy",
-		.item = &ASN1_OBJECT_it,
-	},
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(POLICY_MAPPING, subjectDomainPolicy),
-		.field_name = "subjectDomainPolicy",
-		.item = &ASN1_OBJECT_it,
-	},
-};
-
-const ASN1_ITEM POLICY_MAPPING_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = POLICY_MAPPING_seq_tt,
-	.tcount = sizeof(POLICY_MAPPING_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(POLICY_MAPPING),
-	.sname = "POLICY_MAPPING",
-};
-
-static const ASN1_TEMPLATE POLICY_MAPPINGS_item_tt = {
-	.flags = ASN1_TFLG_SEQUENCE_OF,
-	.tag = 0,
-	.offset = 0,
-	.field_name = "POLICY_MAPPINGS",
-	.item = &POLICY_MAPPING_it,
-};
-
-const ASN1_ITEM POLICY_MAPPINGS_it = {
-	.itype = ASN1_ITYPE_PRIMITIVE,
-	.utype = -1,
-	.templates = &POLICY_MAPPINGS_item_tt,
-	.tcount = 0,
-	.funcs = NULL,
-	.size = 0,
-	.sname = "POLICY_MAPPINGS",
-};
-
-
-POLICY_MAPPING *
-POLICY_MAPPING_new(void)
-{
-	return (POLICY_MAPPING*)ASN1_item_new(&POLICY_MAPPING_it);
-}
-
-void
-POLICY_MAPPING_free(POLICY_MAPPING *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &POLICY_MAPPING_it);
-}
-
-static STACK_OF(CONF_VALUE) *
-i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a,
-    STACK_OF(CONF_VALUE) *extlist)
-{
-	STACK_OF(CONF_VALUE) *free_extlist = NULL;
-	POLICY_MAPPINGS *pmaps = a;
-	POLICY_MAPPING *pmap;
-	char issuer[80], subject[80];
-	int i;
-
-	if (extlist == NULL) {
-		if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL)
-			return NULL;
-	}
-
-	for (i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) {
-		if ((pmap = sk_POLICY_MAPPING_value(pmaps, i)) == NULL)
-			goto err;
-		if (!i2t_ASN1_OBJECT(issuer, sizeof issuer,
-		    pmap->issuerDomainPolicy))
-			goto err;
-		if (!i2t_ASN1_OBJECT(subject, sizeof subject,
-		    pmap->subjectDomainPolicy))
-			goto err;
-		if (!X509V3_add_value(issuer, subject, &extlist))
-			goto err;
-	}
-
-	return extlist;
-
- err:
-	sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free);
-
-	return NULL;
-}
-
-static void *
-v2i_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval)
-{
-	POLICY_MAPPINGS *pmaps = NULL;
-	POLICY_MAPPING *pmap = NULL;
-	ASN1_OBJECT *obj1 = NULL, *obj2 = NULL;
-	CONF_VALUE *val;
-	int i, rc;
-
-	if (!(pmaps = sk_POLICY_MAPPING_new_null())) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		val = sk_CONF_VALUE_value(nval, i);
-		if (!val->value || !val->name) {
-			rc = X509V3_R_INVALID_OBJECT_IDENTIFIER;
-			goto err;
-		}
-		obj1 = OBJ_txt2obj(val->name, 0);
-		obj2 = OBJ_txt2obj(val->value, 0);
-		if (!obj1 || !obj2) {
-			rc = X509V3_R_INVALID_OBJECT_IDENTIFIER;
-			goto err;
-		}
-		pmap = POLICY_MAPPING_new();
-		if (!pmap) {
-	    		rc = ERR_R_MALLOC_FAILURE;
-			goto err;
-		}
-		pmap->issuerDomainPolicy = obj1;
-		pmap->subjectDomainPolicy = obj2;
-		obj1 = obj2 = NULL;
-		if (sk_POLICY_MAPPING_push(pmaps, pmap) == 0) {
-	    		rc = ERR_R_MALLOC_FAILURE;
-			goto err;
-		}
-		pmap = NULL;
-	}
-	return pmaps;
-
-err:
-	sk_POLICY_MAPPING_pop_free(pmaps, POLICY_MAPPING_free);
-	X509V3error(rc);
-	if (rc == X509V3_R_INVALID_OBJECT_IDENTIFIER)
-		X509V3_conf_err(val);
-	ASN1_OBJECT_free(obj1);
-	ASN1_OBJECT_free(obj2);
-	POLICY_MAPPING_free(pmap);
-	return NULL;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_prn.c b/src/lib/libcrypto/x509v3/v3_prn.c
deleted file mode 100644
index f294c36b3e..0000000000
--- a/src/lib/libcrypto/x509v3/v3_prn.c
+++ /dev/null
@@ -1,225 +0,0 @@
-/* $OpenBSD: v3_prn.c,v 1.20 2018/05/19 10:41:53 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* X509 v3 extension utilities */
-
-#include <stdio.h>
-
-#include <openssl/conf.h>
-#include <openssl/x509v3.h>
-
-/* Extension printing routines */
-
-static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
-    int indent, int supported);
-
-/* Print out a name+value stack */
-
-void
-X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml)
-{
-	int i;
-	CONF_VALUE *nval;
-
-	if (!val)
-		return;
-	if (!ml || !sk_CONF_VALUE_num(val)) {
-		BIO_printf(out, "%*s", indent, "");
-		if (!sk_CONF_VALUE_num(val))
-			BIO_puts(out, "<EMPTY>\n");
-	}
-	for (i = 0; i < sk_CONF_VALUE_num(val); i++) {
-		if (ml)
-			BIO_printf(out, "%*s", indent, "");
-		else if (i > 0) BIO_printf(out, ", ");
-			nval = sk_CONF_VALUE_value(val, i);
-		if (!nval->name)
-			BIO_puts(out, nval->value);
-		else if (!nval->value)
-			BIO_puts(out, nval->name);
-		else
-			BIO_printf(out, "%s:%s", nval->name, nval->value);
-		if (ml)
-			BIO_puts(out, "\n");
-	}
-}
-
-/* Main routine: print out a general extension */
-
-int
-X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent)
-{
-	void *ext_str = NULL;
-	char *value = NULL;
-	const unsigned char *p;
-	const X509V3_EXT_METHOD *method;
-	STACK_OF(CONF_VALUE) *nval = NULL;
-	int ok = 1;
-
-	if (!(method = X509V3_EXT_get(ext)))
-		return unknown_ext_print(out, ext, flag, indent, 0);
-	p = ext->value->data;
-	if (method->it)
-		ext_str = ASN1_item_d2i(NULL, &p, ext->value->length,
-		    method->it);
-	else
-		ext_str = method->d2i(NULL, &p, ext->value->length);
-
-	if (!ext_str)
-		return unknown_ext_print(out, ext, flag, indent, 1);
-
-	if (method->i2s) {
-		if (!(value = method->i2s(method, ext_str))) {
-			ok = 0;
-			goto err;
-		}
-		BIO_printf(out, "%*s%s", indent, "", value);
-	} else if (method->i2v) {
-		if (!(nval = method->i2v(method, ext_str, NULL))) {
-			ok = 0;
-			goto err;
-		}
-		X509V3_EXT_val_prn(out, nval, indent,
-		    method->ext_flags & X509V3_EXT_MULTILINE);
-	} else if (method->i2r) {
-		if (!method->i2r(method, ext_str, out, indent))
-			ok = 0;
-	} else
-		ok = 0;
-
-err:
-	sk_CONF_VALUE_pop_free(nval, X509V3_conf_free);
-	free(value);
-	if (method->it)
-		ASN1_item_free(ext_str, method->it);
-	else
-		method->ext_free(ext_str);
-	return ok;
-}
-
-int
-X509V3_extensions_print(BIO *bp, const char *title,
-    const STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent)
-{
-	int i, j;
-
-	if (sk_X509_EXTENSION_num(exts) <= 0)
-		return 1;
-
-	if (title) {
-		BIO_printf(bp, "%*s%s:\n",indent, "", title);
-		indent += 4;
-	}
-
-	for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
-		ASN1_OBJECT *obj;
-		X509_EXTENSION *ex;
-		ex = sk_X509_EXTENSION_value(exts, i);
-		if (indent && BIO_printf(bp, "%*s",indent, "") <= 0)
-			return 0;
-		obj = X509_EXTENSION_get_object(ex);
-		i2a_ASN1_OBJECT(bp, obj);
-		j = X509_EXTENSION_get_critical(ex);
-		if (BIO_printf(bp, ": %s\n",j?"critical":"") <= 0)
-			return 0;
-		if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) {
-			BIO_printf(bp, "%*s", indent + 4, "");
-			ASN1_STRING_print(bp, ex->value);
-		}
-		if (BIO_write(bp, "\n",1) <= 0)
-			return 0;
-	}
-	return 1;
-}
-
-static int
-unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
-    int indent, int supported)
-{
-	switch (flag & X509V3_EXT_UNKNOWN_MASK) {
-	case X509V3_EXT_DEFAULT:
-		return 0;
-	case X509V3_EXT_ERROR_UNKNOWN:
-		if (supported)
-			BIO_printf(out, "%*s<Parse Error>", indent, "");
-		else
-			BIO_printf(out, "%*s<Not Supported>", indent, "");
-		return 1;
-	case X509V3_EXT_PARSE_UNKNOWN:
-		return ASN1_parse_dump(out,
-		    ext->value->data, ext->value->length, indent, -1);
-	case X509V3_EXT_DUMP_UNKNOWN:
-		return BIO_dump_indent(out, (char *)ext->value->data,
-		    ext->value->length, indent);
-	default:
-		return 1;
-	}
-}
-
-
-int
-X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent)
-{
-	BIO *bio_tmp;
-	int ret;
-
-	if (!(bio_tmp = BIO_new_fp(fp, BIO_NOCLOSE)))
-		return 0;
-	ret = X509V3_EXT_print(bio_tmp, ext, flag, indent);
-	BIO_free(bio_tmp);
-	return ret;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
deleted file mode 100644
index 0fdec224a3..0000000000
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ /dev/null
@@ -1,893 +0,0 @@
-/* $OpenBSD: v3_purp.c,v 1.31 2018/05/18 18:30:03 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2001.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-#include <openssl/x509_vfy.h>
-
-#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
-#define ku_reject(x, usage) \
-	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
-#define xku_reject(x, usage) \
-	(((x)->ex_flags & EXFLAG_XKUSAGE) && !((x)->ex_xkusage & (usage)))
-#define ns_reject(x, usage) \
-	(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-
-static void x509v3_cache_extensions(X509 *x);
-
-static int check_ssl_ca(const X509 *x);
-static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
-    int ca);
-static int check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x,
-    int ca);
-static int check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x,
-    int ca);
-static int purpose_smime(const X509 *x, int ca);
-static int check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x,
-    int ca);
-static int check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x,
-    int ca);
-static int check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x,
-    int ca);
-static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
-    int ca);
-static int no_check(const X509_PURPOSE *xp, const X509 *x, int ca);
-static int ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca);
-
-static int xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b);
-static void xptable_free(X509_PURPOSE *p);
-
-static X509_PURPOSE xstandard[] = {
-	{X509_PURPOSE_SSL_CLIENT, X509_TRUST_SSL_CLIENT, 0, check_purpose_ssl_client, "SSL client", "sslclient", NULL},
-	{X509_PURPOSE_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ssl_server, "SSL server", "sslserver", NULL},
-	{X509_PURPOSE_NS_SSL_SERVER, X509_TRUST_SSL_SERVER, 0, check_purpose_ns_ssl_server, "Netscape SSL server", "nssslserver", NULL},
-	{X509_PURPOSE_SMIME_SIGN, X509_TRUST_EMAIL, 0, check_purpose_smime_sign, "S/MIME signing", "smimesign", NULL},
-	{X509_PURPOSE_SMIME_ENCRYPT, X509_TRUST_EMAIL, 0, check_purpose_smime_encrypt, "S/MIME encryption", "smimeencrypt", NULL},
-	{X509_PURPOSE_CRL_SIGN, X509_TRUST_COMPAT, 0, check_purpose_crl_sign, "CRL signing", "crlsign", NULL},
-	{X509_PURPOSE_ANY, X509_TRUST_DEFAULT, 0, no_check, "Any Purpose", "any", NULL},
-	{X509_PURPOSE_OCSP_HELPER, X509_TRUST_COMPAT, 0, ocsp_helper, "OCSP helper", "ocsphelper", NULL},
-	{X509_PURPOSE_TIMESTAMP_SIGN, X509_TRUST_TSA, 0, check_purpose_timestamp_sign, "Time Stamp signing", "timestampsign", NULL},
-};
-
-#define X509_PURPOSE_COUNT (sizeof(xstandard)/sizeof(X509_PURPOSE))
-
-static STACK_OF(X509_PURPOSE) *xptable = NULL;
-
-static int
-xp_cmp(const X509_PURPOSE * const *a, const X509_PURPOSE * const *b)
-{
-	return (*a)->purpose - (*b)->purpose;
-}
-
-/* As much as I'd like to make X509_check_purpose use a "const" X509*
- * I really can't because it does recalculate hashes and do other non-const
- * things. */
-int
-X509_check_purpose(X509 *x, int id, int ca)
-{
-	int idx;
-	const X509_PURPOSE *pt;
-
-	if (!(x->ex_flags & EXFLAG_SET)) {
-		CRYPTO_w_lock(CRYPTO_LOCK_X509);
-		x509v3_cache_extensions(x);
-		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
-	}
-	if (id == -1)
-		return 1;
-	idx = X509_PURPOSE_get_by_id(id);
-	if (idx == -1)
-		return -1;
-	pt = X509_PURPOSE_get0(idx);
-	return pt->check_purpose(pt, x, ca);
-}
-
-int
-X509_PURPOSE_set(int *p, int purpose)
-{
-	if (X509_PURPOSE_get_by_id(purpose) == -1) {
-		X509V3error(X509V3_R_INVALID_PURPOSE);
-		return 0;
-	}
-	*p = purpose;
-	return 1;
-}
-
-int
-X509_PURPOSE_get_count(void)
-{
-	if (!xptable)
-		return X509_PURPOSE_COUNT;
-	return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT;
-}
-
-X509_PURPOSE *
-X509_PURPOSE_get0(int idx)
-{
-	if (idx < 0)
-		return NULL;
-	if (idx < (int)X509_PURPOSE_COUNT)
-		return xstandard + idx;
-	return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT);
-}
-
-int
-X509_PURPOSE_get_by_sname(const char *sname)
-{
-	int i;
-	X509_PURPOSE *xptmp;
-
-	for (i = 0; i < X509_PURPOSE_get_count(); i++) {
-		xptmp = X509_PURPOSE_get0(i);
-		if (!strcmp(xptmp->sname, sname))
-			return i;
-	}
-	return -1;
-}
-
-int
-X509_PURPOSE_get_by_id(int purpose)
-{
-	X509_PURPOSE tmp;
-	int idx;
-
-	if ((purpose >= X509_PURPOSE_MIN) && (purpose <= X509_PURPOSE_MAX))
-		return purpose - X509_PURPOSE_MIN;
-	tmp.purpose = purpose;
-	if (!xptable)
-		return -1;
-	idx = sk_X509_PURPOSE_find(xptable, &tmp);
-	if (idx == -1)
-		return -1;
-	return idx + X509_PURPOSE_COUNT;
-}
-
-int
-X509_PURPOSE_add(int id, int trust, int flags,
-    int (*ck)(const X509_PURPOSE *, const X509 *, int), const char *name,
-    const char *sname, void *arg)
-{
-	int idx;
-	X509_PURPOSE *ptmp;
-	char *name_dup, *sname_dup;
-
-	name_dup = sname_dup = NULL;
-
-	if (name == NULL || sname == NULL) {
-		X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
-		return 0;
-	}
-
-	/* This is set according to what we change: application can't set it */
-	flags &= ~X509_PURPOSE_DYNAMIC;
-	/* This will always be set for application modified trust entries */
-	flags |= X509_PURPOSE_DYNAMIC_NAME;
-	/* Get existing entry if any */
-	idx = X509_PURPOSE_get_by_id(id);
-	/* Need a new entry */
-	if (idx == -1) {
-		if ((ptmp = malloc(sizeof(X509_PURPOSE))) == NULL) {
-			X509V3error(ERR_R_MALLOC_FAILURE);
-			return 0;
-		}
-		ptmp->flags = X509_PURPOSE_DYNAMIC;
-	} else
-		ptmp = X509_PURPOSE_get0(idx);
-
-	if ((name_dup = strdup(name)) == NULL)
-		goto err;
-	if ((sname_dup = strdup(sname)) == NULL)
-		goto err;
-
-	/* free existing name if dynamic */
-	if (ptmp->flags & X509_PURPOSE_DYNAMIC_NAME) {
-		free(ptmp->name);
-		free(ptmp->sname);
-	}
-	/* dup supplied name */
-	ptmp->name = name_dup;
-	ptmp->sname = sname_dup;
-	/* Keep the dynamic flag of existing entry */
-	ptmp->flags &= X509_PURPOSE_DYNAMIC;
-	/* Set all other flags */
-	ptmp->flags |= flags;
-
-	ptmp->purpose = id;
-	ptmp->trust = trust;
-	ptmp->check_purpose = ck;
-	ptmp->usr_data = arg;
-
-	/* If its a new entry manage the dynamic table */
-	if (idx == -1) {
-		if (xptable == NULL &&
-		    (xptable = sk_X509_PURPOSE_new(xp_cmp)) == NULL)
-			goto err;
-		if (sk_X509_PURPOSE_push(xptable, ptmp) == 0)
-			goto err;
-	}
-	return 1;
-
-err:
-	free(name_dup);
-	free(sname_dup);
-	if (idx == -1)
-		free(ptmp);
-	X509V3error(ERR_R_MALLOC_FAILURE);
-	return 0;
-}
-
-static void
-xptable_free(X509_PURPOSE *p)
-{
-	if (!p)
-		return;
-	if (p->flags & X509_PURPOSE_DYNAMIC) {
-		if (p->flags & X509_PURPOSE_DYNAMIC_NAME) {
-			free(p->name);
-			free(p->sname);
-		}
-		free(p);
-	}
-}
-
-void
-X509_PURPOSE_cleanup(void)
-{
-	unsigned int i;
-
-	sk_X509_PURPOSE_pop_free(xptable, xptable_free);
-	for(i = 0; i < X509_PURPOSE_COUNT; i++)
-		xptable_free(xstandard + i);
-	xptable = NULL;
-}
-
-int
-X509_PURPOSE_get_id(const X509_PURPOSE *xp)
-{
-	return xp->purpose;
-}
-
-char *
-X509_PURPOSE_get0_name(const X509_PURPOSE *xp)
-{
-	return xp->name;
-}
-
-char *
-X509_PURPOSE_get0_sname(const X509_PURPOSE *xp)
-{
-	return xp->sname;
-}
-
-int
-X509_PURPOSE_get_trust(const X509_PURPOSE *xp)
-{
-	return xp->trust;
-}
-
-static int
-nid_cmp(const int *a, const int *b)
-{
-	return *a - *b;
-}
-
-static int nid_cmp_BSEARCH_CMP_FN(const void *, const void *);
-static int nid_cmp(int const *, int const *);
-static int *OBJ_bsearch_nid(int *key, int const *base, int num);
-
-static int
-nid_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
-{
-	int const *a = a_;
-	int const *b = b_;
-	return nid_cmp(a, b);
-}
-
-static int *
-OBJ_bsearch_nid(int *key, int const *base, int num)
-{
-	return (int *)OBJ_bsearch_(key, base, num, sizeof(int),
-	    nid_cmp_BSEARCH_CMP_FN);
-}
-
-int
-X509_supported_extension(X509_EXTENSION *ex)
-{
-	/* This table is a list of the NIDs of supported extensions:
-	 * that is those which are used by the verify process. If
-	 * an extension is critical and doesn't appear in this list
-	 * then the verify process will normally reject the certificate.
-	 * The list must be kept in numerical order because it will be
-	 * searched using bsearch.
-	 */
-
-	static const int supported_nids[] = {
-		NID_netscape_cert_type, /* 71 */
-		NID_key_usage,		/* 83 */
-		NID_subject_alt_name,	/* 85 */
-		NID_basic_constraints,	/* 87 */
-		NID_certificate_policies, /* 89 */
-		NID_ext_key_usage,	/* 126 */
-		NID_policy_constraints,	/* 401 */
-		NID_proxyCertInfo,	/* 663 */
-		NID_name_constraints,	/* 666 */
-		NID_policy_mappings,	/* 747 */
-		NID_inhibit_any_policy	/* 748 */
-	};
-
-	int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
-
-	if (ex_nid == NID_undef)
-		return 0;
-
-	if (OBJ_bsearch_nid(&ex_nid, supported_nids,
-	    sizeof(supported_nids) / sizeof(int)))
-		return 1;
-	return 0;
-}
-
-static void
-setup_dp(X509 *x, DIST_POINT *dp)
-{
-	X509_NAME *iname = NULL;
-	int i;
-
-	if (dp->reasons) {
-		if (dp->reasons->length > 0)
-			dp->dp_reasons = dp->reasons->data[0];
-		if (dp->reasons->length > 1)
-			dp->dp_reasons |= (dp->reasons->data[1] << 8);
-		dp->dp_reasons &= CRLDP_ALL_REASONS;
-	} else
-		dp->dp_reasons = CRLDP_ALL_REASONS;
-	if (!dp->distpoint || (dp->distpoint->type != 1))
-		return;
-	for (i = 0; i < sk_GENERAL_NAME_num(dp->CRLissuer); i++) {
-		GENERAL_NAME *gen = sk_GENERAL_NAME_value(dp->CRLissuer, i);
-		if (gen->type == GEN_DIRNAME) {
-			iname = gen->d.directoryName;
-			break;
-		}
-	}
-	if (!iname)
-		iname = X509_get_issuer_name(x);
-
-	DIST_POINT_set_dpname(dp->distpoint, iname);
-
-}
-
-static void
-setup_crldp(X509 *x)
-{
-	int i;
-
-	x->crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
-	for (i = 0; i < sk_DIST_POINT_num(x->crldp); i++)
-		setup_dp(x, sk_DIST_POINT_value(x->crldp, i));
-}
-
-static void
-x509v3_cache_extensions(X509 *x)
-{
-	BASIC_CONSTRAINTS *bs;
-	PROXY_CERT_INFO_EXTENSION *pci;
-	ASN1_BIT_STRING *usage;
-	ASN1_BIT_STRING *ns;
-	EXTENDED_KEY_USAGE *extusage;
-	X509_EXTENSION *ex;
-	int i;
-
-	if (x->ex_flags & EXFLAG_SET)
-		return;
-
-#ifndef OPENSSL_NO_SHA
-	X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
-#endif
-
-	/* V1 should mean no extensions ... */
-	if (!X509_get_version(x))
-		x->ex_flags |= EXFLAG_V1;
-
-	/* Handle basic constraints */
-	if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, NULL, NULL))) {
-		if (bs->ca)
-			x->ex_flags |= EXFLAG_CA;
-		if (bs->pathlen) {
-			if ((bs->pathlen->type == V_ASN1_NEG_INTEGER) ||
-			    !bs->ca) {
-				x->ex_flags |= EXFLAG_INVALID;
-				x->ex_pathlen = 0;
-			} else
-				x->ex_pathlen = ASN1_INTEGER_get(bs->pathlen);
-		} else
-			x->ex_pathlen = -1;
-		BASIC_CONSTRAINTS_free(bs);
-		x->ex_flags |= EXFLAG_BCONS;
-	}
-
-	/* Handle proxy certificates */
-	if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
-		if (x->ex_flags & EXFLAG_CA ||
-		    X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 ||
-		    X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
-			x->ex_flags |= EXFLAG_INVALID;
-		}
-		if (pci->pcPathLengthConstraint) {
-			if (pci->pcPathLengthConstraint->type ==
-			    V_ASN1_NEG_INTEGER) {
-				x->ex_flags |= EXFLAG_INVALID;
-				x->ex_pcpathlen = 0;
-			} else
-				x->ex_pcpathlen =
-				    ASN1_INTEGER_get(pci->
-				      pcPathLengthConstraint);
-		} else
-			x->ex_pcpathlen = -1;
-		PROXY_CERT_INFO_EXTENSION_free(pci);
-		x->ex_flags |= EXFLAG_PROXY;
-	}
-
-	/* Handle key usage */
-	if ((usage = X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
-		if (usage->length > 0) {
-			x->ex_kusage = usage->data[0];
-			if (usage->length > 1)
-				x->ex_kusage |= usage->data[1] << 8;
-		} else
-			x->ex_kusage = 0;
-		x->ex_flags |= EXFLAG_KUSAGE;
-		ASN1_BIT_STRING_free(usage);
-	}
-	x->ex_xkusage = 0;
-	if ((extusage = X509_get_ext_d2i(x, NID_ext_key_usage, NULL, NULL))) {
-		x->ex_flags |= EXFLAG_XKUSAGE;
-		for (i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
-			switch (OBJ_obj2nid(sk_ASN1_OBJECT_value(extusage, i))) {
-			case NID_server_auth:
-				x->ex_xkusage |= XKU_SSL_SERVER;
-				break;
-
-			case NID_client_auth:
-				x->ex_xkusage |= XKU_SSL_CLIENT;
-				break;
-
-			case NID_email_protect:
-				x->ex_xkusage |= XKU_SMIME;
-				break;
-
-			case NID_code_sign:
-				x->ex_xkusage |= XKU_CODE_SIGN;
-				break;
-
-			case NID_ms_sgc:
-			case NID_ns_sgc:
-				x->ex_xkusage |= XKU_SGC;
-				break;
-
-			case NID_OCSP_sign:
-				x->ex_xkusage |= XKU_OCSP_SIGN;
-				break;
-
-			case NID_time_stamp:
-				x->ex_xkusage |= XKU_TIMESTAMP;
-				break;
-
-			case NID_dvcs:
-				x->ex_xkusage |= XKU_DVCS;
-				break;
-			}
-		}
-		sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
-	}
-
-	if ((ns = X509_get_ext_d2i(x, NID_netscape_cert_type, NULL, NULL))) {
-		if (ns->length > 0)
-			x->ex_nscert = ns->data[0];
-		else
-			x->ex_nscert = 0;
-		x->ex_flags |= EXFLAG_NSCERT;
-		ASN1_BIT_STRING_free(ns);
-	}
-
-	x->skid = X509_get_ext_d2i(x, NID_subject_key_identifier, NULL, NULL);
-	x->akid = X509_get_ext_d2i(x, NID_authority_key_identifier, NULL, NULL);
-
-	/* Does subject name match issuer? */
-	if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
-		x->ex_flags |= EXFLAG_SI;
-		/* If SKID matches AKID also indicate self signed. */
-		if (X509_check_akid(x, x->akid) == X509_V_OK &&
-		    !ku_reject(x, KU_KEY_CERT_SIGN))
-			x->ex_flags |= EXFLAG_SS;
-	}
-
-	x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
-	x->nc = X509_get_ext_d2i(x, NID_name_constraints, &i, NULL);
-	if (!x->nc && (i != -1))
-		x->ex_flags |= EXFLAG_INVALID;
-	setup_crldp(x);
-
-	for (i = 0; i < X509_get_ext_count(x); i++) {
-		ex = X509_get_ext(x, i);
-		if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) ==
-		    NID_freshest_crl)
-			x->ex_flags |= EXFLAG_FRESHEST;
-		if (!X509_EXTENSION_get_critical(ex))
-			continue;
-		if (!X509_supported_extension(ex)) {
-			x->ex_flags |= EXFLAG_CRITICAL;
-			break;
-		}
-	}
-	x->ex_flags |= EXFLAG_SET;
-}
-
-/* CA checks common to all purposes
- * return codes:
- * 0 not a CA
- * 1 is a CA
- * 2 basicConstraints absent so "maybe" a CA
- * 3 basicConstraints absent but self signed V1.
- * 4 basicConstraints absent but keyUsage present and keyCertSign asserted.
- */
-
-static int
-check_ca(const X509 *x)
-{
-	/* keyUsage if present should allow cert signing */
-	if (ku_reject(x, KU_KEY_CERT_SIGN))
-		return 0;
-	if (x->ex_flags & EXFLAG_BCONS) {
-		if (x->ex_flags & EXFLAG_CA)
-			return 1;
-		/* If basicConstraints says not a CA then say so */
-		else
-			return 0;
-	} else {
-		/* we support V1 roots for...  uh, I don't really know why. */
-		if ((x->ex_flags & V1_ROOT) == V1_ROOT)
-			return 3;
-		/* If key usage present it must have certSign so tolerate it */
-		else if (x->ex_flags & EXFLAG_KUSAGE)
-			return 4;
-		/* Older certificates could have Netscape-specific CA types */
-		else if (x->ex_flags & EXFLAG_NSCERT &&
-		    x->ex_nscert & NS_ANY_CA)
-			return 5;
-		/* can this still be regarded a CA certificate?  I doubt it */
-		return 0;
-	}
-}
-
-int
-X509_check_ca(X509 *x)
-{
-	if (!(x->ex_flags & EXFLAG_SET)) {
-		CRYPTO_w_lock(CRYPTO_LOCK_X509);
-		x509v3_cache_extensions(x);
-		CRYPTO_w_unlock(CRYPTO_LOCK_X509);
-	}
-
-	return check_ca(x);
-}
-
-/* Check SSL CA: common checks for SSL client and server */
-static int
-check_ssl_ca(const X509 *x)
-{
-	int ca_ret;
-
-	ca_ret = check_ca(x);
-	if (!ca_ret)
-		return 0;
-	/* check nsCertType if present */
-	if (ca_ret != 5 || x->ex_nscert & NS_SSL_CA)
-		return ca_ret;
-	else
-		return 0;
-}
-
-static int
-check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-	if (xku_reject(x, XKU_SSL_CLIENT))
-		return 0;
-	if (ca)
-		return check_ssl_ca(x);
-	/* We need to do digital signatures with it */
-	if (ku_reject(x, KU_DIGITAL_SIGNATURE))
-		return 0;
-	/* nsCertType if present should allow SSL client use */
-	if (ns_reject(x, NS_SSL_CLIENT))
-		return 0;
-	return 1;
-}
-
-static int
-check_purpose_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-	if (xku_reject(x, XKU_SSL_SERVER|XKU_SGC))
-		return 0;
-	if (ca)
-		return check_ssl_ca(x);
-
-	if (ns_reject(x, NS_SSL_SERVER))
-		return 0;
-	/* Now as for keyUsage: we'll at least need to sign OR encipher */
-	if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_KEY_ENCIPHERMENT))
-		return 0;
-
-	return 1;
-}
-
-static int
-check_purpose_ns_ssl_server(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-	int ret;
-
-	ret = check_purpose_ssl_server(xp, x, ca);
-	if (!ret || ca)
-		return ret;
-	/* We need to encipher or Netscape complains */
-	if (ku_reject(x, KU_KEY_ENCIPHERMENT))
-		return 0;
-	return ret;
-}
-
-/* common S/MIME checks */
-static int
-purpose_smime(const X509 *x, int ca)
-{
-	if (xku_reject(x, XKU_SMIME))
-		return 0;
-	if (ca) {
-		int ca_ret;
-		ca_ret = check_ca(x);
-		if (!ca_ret)
-			return 0;
-		/* check nsCertType if present */
-		if (ca_ret != 5 || x->ex_nscert & NS_SMIME_CA)
-			return ca_ret;
-		else
-			return 0;
-	}
-	if (x->ex_flags & EXFLAG_NSCERT) {
-		if (x->ex_nscert & NS_SMIME)
-			return 1;
-		/* Workaround for some buggy certificates */
-		if (x->ex_nscert & NS_SSL_CLIENT)
-			return 2;
-		return 0;
-	}
-	return 1;
-}
-
-static int
-check_purpose_smime_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-	int ret;
-
-	ret = purpose_smime(x, ca);
-	if (!ret || ca)
-		return ret;
-	if (ku_reject(x, KU_DIGITAL_SIGNATURE|KU_NON_REPUDIATION))
-		return 0;
-	return ret;
-}
-
-static int
-check_purpose_smime_encrypt(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-	int ret;
-
-	ret = purpose_smime(x, ca);
-	if (!ret || ca)
-		return ret;
-	if (ku_reject(x, KU_KEY_ENCIPHERMENT))
-		return 0;
-	return ret;
-}
-
-static int
-check_purpose_crl_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-	if (ca) {
-		int ca_ret;
-		if ((ca_ret = check_ca(x)) != 2)
-			return ca_ret;
-		else
-			return 0;
-	}
-	if (ku_reject(x, KU_CRL_SIGN))
-		return 0;
-	return 1;
-}
-
-/* OCSP helper: this is *not* a full OCSP check. It just checks that
- * each CA is valid. Additional checks must be made on the chain.
- */
-static int
-ocsp_helper(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-	/* Must be a valid CA.  Should we really support the "I don't know"
-	   value (2)? */
-	if (ca)
-		return check_ca(x);
-	/* leaf certificate is checked in OCSP_verify() */
-	return 1;
-}
-
-static int
-check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-	int i_ext;
-
-	/* If ca is true we must return if this is a valid CA certificate. */
-	if (ca)
-		return check_ca(x);
-
-	/*
-	 * Check the optional key usage field:
-	 * if Key Usage is present, it must be one of digitalSignature
-	 * and/or nonRepudiation (other values are not consistent and shall
-	 * be rejected).
-	 */
-	if ((x->ex_flags & EXFLAG_KUSAGE) &&
-	    ((x->ex_kusage & ~(KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE)) ||
-	    !(x->ex_kusage & (KU_NON_REPUDIATION | KU_DIGITAL_SIGNATURE))))
-		return 0;
-
-	/* Only time stamp key usage is permitted and it's required. */
-	if (!(x->ex_flags & EXFLAG_XKUSAGE) || x->ex_xkusage != XKU_TIMESTAMP)
-		return 0;
-
-	/* Extended Key Usage MUST be critical */
-	i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
-	if (i_ext >= 0) {
-		X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
-		if (!X509_EXTENSION_get_critical(ext))
-			return 0;
-	}
-
-	return 1;
-}
-
-static int
-no_check(const X509_PURPOSE *xp, const X509 *x, int ca)
-{
-	return 1;
-}
-
-/* Various checks to see if one certificate issued the second.
- * This can be used to prune a set of possible issuer certificates
- * which have been looked up using some simple method such as by
- * subject name.
- * These are:
- * 1. Check issuer_name(subject) == subject_name(issuer)
- * 2. If akid(subject) exists check it matches issuer
- * 3. If key_usage(issuer) exists check it supports certificate signing
- * returns 0 for OK, positive for reason for mismatch, reasons match
- * codes for X509_verify_cert()
- */
-
-int
-X509_check_issued(X509 *issuer, X509 *subject)
-{
-	if (X509_NAME_cmp(X509_get_subject_name(issuer),
-	    X509_get_issuer_name(subject)))
-		return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
-	x509v3_cache_extensions(issuer);
-	x509v3_cache_extensions(subject);
-
-	if (subject->akid) {
-		int ret = X509_check_akid(issuer, subject->akid);
-		if (ret != X509_V_OK)
-			return ret;
-	}
-
-	if (subject->ex_flags & EXFLAG_PROXY) {
-		if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
-			return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
-	} else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
-		return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
-	return X509_V_OK;
-}
-
-int
-X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
-{
-	if (!akid)
-		return X509_V_OK;
-
-	/* Check key ids (if present) */
-	if (akid->keyid && issuer->skid &&
-	    ASN1_OCTET_STRING_cmp(akid->keyid, issuer->skid) )
-		return X509_V_ERR_AKID_SKID_MISMATCH;
-	/* Check serial number */
-	if (akid->serial &&
-	    ASN1_INTEGER_cmp(X509_get_serialNumber(issuer), akid->serial))
-		return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
-	/* Check issuer name */
-	if (akid->issuer) {
-		/* Ugh, for some peculiar reason AKID includes
-		 * SEQUENCE OF GeneralName. So look for a DirName.
-		 * There may be more than one but we only take any
-		 * notice of the first.
-		 */
-		GENERAL_NAMES *gens;
-		GENERAL_NAME *gen;
-		X509_NAME *nm = NULL;
-		int i;
-		gens = akid->issuer;
-		for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
-			gen = sk_GENERAL_NAME_value(gens, i);
-			if (gen->type == GEN_DIRNAME) {
-				nm = gen->d.dirn;
-				break;
-			}
-		}
-		if (nm && X509_NAME_cmp(nm, X509_get_issuer_name(issuer)))
-			return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
-	}
-	return X509_V_OK;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_skey.c b/src/lib/libcrypto/x509v3/v3_skey.c
deleted file mode 100644
index aec2d5b7ec..0000000000
--- a/src/lib/libcrypto/x509v3/v3_skey.c
+++ /dev/null
@@ -1,161 +0,0 @@
-/* $OpenBSD: v3_skey.c,v 1.16 2018/05/19 10:37:02 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, char *str);
-
-const X509V3_EXT_METHOD v3_skey_id = {
-	.ext_nid = NID_subject_key_identifier,
-	.ext_flags = 0,
-	.it = &ASN1_OCTET_STRING_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = (X509V3_EXT_I2S)i2s_ASN1_OCTET_STRING,
-	.s2i = (X509V3_EXT_S2I)s2i_skey_id,
-	.i2v = NULL,
-	.v2i = NULL,
-	.i2r = NULL,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-char *
-i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, const ASN1_OCTET_STRING *oct)
-{
-	return hex_to_string(oct->data, oct->length);
-}
-
-ASN1_OCTET_STRING *
-s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    const char *str)
-{
-	ASN1_OCTET_STRING *oct;
-	long length;
-
-	if (!(oct = ASN1_OCTET_STRING_new())) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-
-	if (!(oct->data = string_to_hex(str, &length))) {
-		ASN1_OCTET_STRING_free(oct);
-		return NULL;
-	}
-
-	oct->length = length;
-
-	return oct;
-}
-
-static ASN1_OCTET_STRING *
-s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str)
-{
-	ASN1_OCTET_STRING *oct;
-	ASN1_BIT_STRING *pk;
-	unsigned char pkey_dig[EVP_MAX_MD_SIZE];
-	unsigned int diglen;
-
-	if (strcmp(str, "hash"))
-		return s2i_ASN1_OCTET_STRING(method, ctx, str);
-
-	if (!(oct = ASN1_OCTET_STRING_new())) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-
-	if (ctx && (ctx->flags == CTX_TEST))
-		return oct;
-
-	if (!ctx || (!ctx->subject_req && !ctx->subject_cert)) {
-		X509V3error(X509V3_R_NO_PUBLIC_KEY);
-		goto err;
-	}
-
-	if (ctx->subject_req)
-		pk = ctx->subject_req->req_info->pubkey->public_key;
-	else
-		pk = ctx->subject_cert->cert_info->key->public_key;
-
-	if (!pk) {
-		X509V3error(X509V3_R_NO_PUBLIC_KEY);
-		goto err;
-	}
-
-	if (!EVP_Digest(pk->data, pk->length, pkey_dig, &diglen,
-	    EVP_sha1(), NULL))
-		goto err;
-
-	if (!ASN1_STRING_set(oct, pkey_dig, diglen)) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		goto err;
-	}
-
-	return oct;
-
-err:
-	ASN1_OCTET_STRING_free(oct);
-	return NULL;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_sxnet.c b/src/lib/libcrypto/x509v3/v3_sxnet.c
deleted file mode 100644
index 400bc26346..0000000000
--- a/src/lib/libcrypto/x509v3/v3_sxnet.c
+++ /dev/null
@@ -1,383 +0,0 @@
-/* $OpenBSD: v3_sxnet.c,v 1.22 2019/03/13 20:34:00 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/asn1.h>
-#include <openssl/asn1t.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-/* Support for Thawte strong extranet extension */
-
-#define SXNET_TEST
-
-static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out,
-    int indent);
-#ifdef SXNET_TEST
-static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval);
-#endif
-
-const X509V3_EXT_METHOD v3_sxnet = {
-	.ext_nid = NID_sxnet,
-	.ext_flags = X509V3_EXT_MULTILINE,
-	.it = &SXNET_it,
-	.ext_new = NULL,
-	.ext_free = NULL,
-	.d2i = NULL,
-	.i2d = NULL,
-	.i2s = NULL,
-	.s2i = NULL,
-	.i2v = NULL,
-#ifdef SXNET_TEST
-	.v2i = (X509V3_EXT_V2I)sxnet_v2i,
-#else
-	.v2i = NULL,
-#endif
-	.i2r = (X509V3_EXT_I2R)sxnet_i2r,
-	.r2i = NULL,
-	.usr_data = NULL,
-};
-
-static const ASN1_TEMPLATE SXNETID_seq_tt[] = {
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(SXNETID, zone),
-		.field_name = "zone",
-		.item = &ASN1_INTEGER_it,
-	},
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(SXNETID, user),
-		.field_name = "user",
-		.item = &ASN1_OCTET_STRING_it,
-	},
-};
-
-const ASN1_ITEM SXNETID_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = SXNETID_seq_tt,
-	.tcount = sizeof(SXNETID_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(SXNETID),
-	.sname = "SXNETID",
-};
-
-
-SXNETID *
-d2i_SXNETID(SXNETID **a, const unsigned char **in, long len)
-{
-	return (SXNETID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &SXNETID_it);
-}
-
-int
-i2d_SXNETID(SXNETID *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &SXNETID_it);
-}
-
-SXNETID *
-SXNETID_new(void)
-{
-	return (SXNETID *)ASN1_item_new(&SXNETID_it);
-}
-
-void
-SXNETID_free(SXNETID *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &SXNETID_it);
-}
-
-static const ASN1_TEMPLATE SXNET_seq_tt[] = {
-	{
-		.flags = 0,
-		.tag = 0,
-		.offset = offsetof(SXNET, version),
-		.field_name = "version",
-		.item = &ASN1_INTEGER_it,
-	},
-	{
-		.flags = ASN1_TFLG_SEQUENCE_OF,
-		.tag = 0,
-		.offset = offsetof(SXNET, ids),
-		.field_name = "ids",
-		.item = &SXNETID_it,
-	},
-};
-
-const ASN1_ITEM SXNET_it = {
-	.itype = ASN1_ITYPE_SEQUENCE,
-	.utype = V_ASN1_SEQUENCE,
-	.templates = SXNET_seq_tt,
-	.tcount = sizeof(SXNET_seq_tt) / sizeof(ASN1_TEMPLATE),
-	.funcs = NULL,
-	.size = sizeof(SXNET),
-	.sname = "SXNET",
-};
-
-
-SXNET *
-d2i_SXNET(SXNET **a, const unsigned char **in, long len)
-{
-	return (SXNET *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
-	    &SXNET_it);
-}
-
-int
-i2d_SXNET(SXNET *a, unsigned char **out)
-{
-	return ASN1_item_i2d((ASN1_VALUE *)a, out, &SXNET_it);
-}
-
-SXNET *
-SXNET_new(void)
-{
-	return (SXNET *)ASN1_item_new(&SXNET_it);
-}
-
-void
-SXNET_free(SXNET *a)
-{
-	ASN1_item_free((ASN1_VALUE *)a, &SXNET_it);
-}
-
-static int
-sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent)
-{
-	long v;
-	char *tmp;
-	SXNETID *id;
-	int i;
-
-	v = ASN1_INTEGER_get(sx->version);
-	BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v);
-	for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
-		id = sk_SXNETID_value(sx->ids, i);
-		tmp = i2s_ASN1_INTEGER(NULL, id->zone);
-		BIO_printf(out, "\n%*sZone: %s, User: ", indent, "", tmp);
-		free(tmp);
-		ASN1_STRING_print(out, id->user);
-	}
-	return 1;
-}
-
-#ifdef SXNET_TEST
-
-/* NBB: this is used for testing only. It should *not* be used for anything
- * else because it will just take static IDs from the configuration file and
- * they should really be separate values for each user.
- */
-
-static SXNET *
-sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-    STACK_OF(CONF_VALUE) *nval)
-{
-	CONF_VALUE *cnf;
-	SXNET *sx = NULL;
-	int i;
-
-	for (i = 0; i < sk_CONF_VALUE_num(nval); i++) {
-		cnf = sk_CONF_VALUE_value(nval, i);
-		if (!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1))
-			return NULL;
-	}
-	return sx;
-}
-
-#endif
-
-/* Strong Extranet utility functions */
-
-/* Add an id given the zone as an ASCII number */
-
-int
-SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen)
-{
-	ASN1_INTEGER *izone = NULL;
-
-	if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
-		X509V3error(X509V3_R_ERROR_CONVERTING_ZONE);
-		return 0;
-	}
-	return SXNET_add_id_INTEGER(psx, izone, user, userlen);
-}
-
-/* Add an id given the zone as an unsigned long */
-
-int
-SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
-    int userlen)
-{
-	ASN1_INTEGER *izone = NULL;
-
-	if (!(izone = ASN1_INTEGER_new()) ||
-	    !ASN1_INTEGER_set(izone, lzone)) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		ASN1_INTEGER_free(izone);
-		return 0;
-	}
-	return SXNET_add_id_INTEGER(psx, izone, user, userlen);
-}
-
-/* Add an id given the zone as an ASN1_INTEGER.
- * Note this version uses the passed integer and doesn't make a copy so don't
- * free it up afterwards.
- */
-
-int
-SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user,
-    int userlen)
-{
-	SXNET *sx = NULL;
-	SXNETID *id = NULL;
-
-	if (!psx || !zone || !user) {
-		X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
-		return 0;
-	}
-	if (userlen == -1)
-		userlen = strlen(user);
-	if (userlen > 64) {
-		X509V3error(X509V3_R_USER_TOO_LONG);
-		return 0;
-	}
-	if (!*psx) {
-		if (!(sx = SXNET_new()))
-			goto err;
-		if (!ASN1_INTEGER_set(sx->version, 0))
-			goto err;
-		*psx = sx;
-	} else
-		sx = *psx;
-	if (SXNET_get_id_INTEGER(sx, zone)) {
-		X509V3error(X509V3_R_DUPLICATE_ZONE_ID);
-		return 0;
-	}
-
-	if (!(id = SXNETID_new()))
-		goto err;
-	if (userlen == -1)
-		userlen = strlen(user);
-
-	if (!ASN1_STRING_set(id->user, user, userlen))
-		goto err;
-	if (!sk_SXNETID_push(sx->ids, id))
-		goto err;
-	id->zone = zone;
-	return 1;
-
-err:
-	X509V3error(ERR_R_MALLOC_FAILURE);
-	SXNETID_free(id);
-	SXNET_free(sx);
-	*psx = NULL;
-	return 0;
-}
-
-ASN1_OCTET_STRING *
-SXNET_get_id_asc(SXNET *sx, const char *zone)
-{
-	ASN1_INTEGER *izone = NULL;
-	ASN1_OCTET_STRING *oct;
-
-	if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) {
-		X509V3error(X509V3_R_ERROR_CONVERTING_ZONE);
-		return NULL;
-	}
-	oct = SXNET_get_id_INTEGER(sx, izone);
-	ASN1_INTEGER_free(izone);
-	return oct;
-}
-
-ASN1_OCTET_STRING *
-SXNET_get_id_ulong(SXNET *sx, unsigned long lzone)
-{
-	ASN1_INTEGER *izone = NULL;
-	ASN1_OCTET_STRING *oct;
-
-	if (!(izone = ASN1_INTEGER_new()) ||
-	    !ASN1_INTEGER_set(izone, lzone)) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		ASN1_INTEGER_free(izone);
-		return NULL;
-	}
-	oct = SXNET_get_id_INTEGER(sx, izone);
-	ASN1_INTEGER_free(izone);
-	return oct;
-}
-
-ASN1_OCTET_STRING *
-SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone)
-{
-	SXNETID *id;
-	int i;
-
-	for (i = 0; i < sk_SXNETID_num(sx->ids); i++) {
-		id = sk_SXNETID_value(sx->ids, i);
-		if (!ASN1_INTEGER_cmp(id->zone, zone))
-			return id->user;
-	}
-	return NULL;
-}
diff --git a/src/lib/libcrypto/x509v3/v3_utl.c b/src/lib/libcrypto/x509v3/v3_utl.c
deleted file mode 100644
index a051baae62..0000000000
--- a/src/lib/libcrypto/x509v3/v3_utl.c
+++ /dev/null
@@ -1,1387 +0,0 @@
-/* $OpenBSD: v3_utl.c,v 1.37 2019/04/16 19:42:20 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project.
- */
-/* ====================================================================
- * Copyright (c) 1999-2003 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* X509 v3 extension utilities */
-
-#include <ctype.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <openssl/bn.h>
-#include <openssl/conf.h>
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-char *bn_to_string(const BIGNUM *bn);
-static char *strip_spaces(char *name);
-static int sk_strcmp(const char * const *a, const char * const *b);
-static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name,
-    GENERAL_NAMES *gens);
-static void str_free(OPENSSL_STRING str);
-static int append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email);
-
-static int ipv4_from_asc(unsigned char *v4, const char *in);
-static int ipv6_from_asc(unsigned char *v6, const char *in);
-static int ipv6_cb(const char *elem, int len, void *usr);
-static int ipv6_hex(unsigned char *out, const char *in, int inlen);
-
-/* Add a CONF_VALUE name-value pair to stack. */
-int
-X509V3_add_value(const char *name, const char *value,
-    STACK_OF(CONF_VALUE) **extlist)
-{
-	CONF_VALUE *vtmp = NULL;
-	STACK_OF(CONF_VALUE) *free_exts = NULL;
-
-	if ((vtmp = calloc(1, sizeof(CONF_VALUE))) == NULL)
-		goto err;
-	if (name != NULL) {
-		if ((vtmp->name = strdup(name)) == NULL)
-			goto err;
-	}
-	if (value != NULL) {
-		if ((vtmp->value = strdup(value)) == NULL)
-			goto err;
-	}
-
-	if (*extlist == NULL) {
-		if ((free_exts = *extlist = sk_CONF_VALUE_new_null()) == NULL)
-			goto err;
-	}
-
-	if (!sk_CONF_VALUE_push(*extlist, vtmp))
-		goto err;
-
-	return 1;
-
- err:
-	X509V3error(ERR_R_MALLOC_FAILURE);
-	X509V3_conf_free(vtmp);
-	if (free_exts != NULL) {
-		sk_CONF_VALUE_free(*extlist);
-		*extlist = NULL;
-	}
-	return 0;
-}
-
-int
-X509V3_add_value_uchar(const char *name, const unsigned char *value,
-    STACK_OF(CONF_VALUE) **extlist)
-{
-	return X509V3_add_value(name, (const char *)value, extlist);
-}
-
-/* Free function for STACK_OF(CONF_VALUE) */
-
-void
-X509V3_conf_free(CONF_VALUE *conf)
-{
-	if (!conf)
-		return;
-	free(conf->name);
-	free(conf->value);
-	free(conf->section);
-	free(conf);
-}
-
-int
-X509V3_add_value_bool(const char *name, int asn1_bool,
-    STACK_OF(CONF_VALUE) **extlist)
-{
-	if (asn1_bool)
-		return X509V3_add_value(name, "TRUE", extlist);
-	return X509V3_add_value(name, "FALSE", extlist);
-}
-
-int
-X509V3_add_value_bool_nf(const char *name, int asn1_bool,
-    STACK_OF(CONF_VALUE) **extlist)
-{
-	if (asn1_bool)
-		return X509V3_add_value(name, "TRUE", extlist);
-	return 1;
-}
-
-char *
-bn_to_string(const BIGNUM *bn)
-{
-	const char *sign = "";
-	char *bnstr, *hex;
-	char *ret = NULL;
-
-	/* Only display small numbers in decimal, as conversion is quadratic. */
-	if (BN_num_bits(bn) < 128)
-		return BN_bn2dec(bn);
-
-	if ((hex = bnstr = BN_bn2hex(bn)) == NULL)
-		goto err;
-
-	if (BN_is_negative(bn)) {
-		sign = "-";
-		hex++;
-	}
-
-	if (asprintf(&ret, "%s0x%s", sign, hex) == -1)
-		ret = NULL;
-
- err:
-	free(bnstr);
-	return ret;
-}
-
-char *
-i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *a)
-{
-	BIGNUM *bntmp;
-	char *strtmp = NULL;
-
-	if (a == NULL)
-		return NULL;
-	if ((bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) == NULL ||
-	    (strtmp = bn_to_string(bntmp)) == NULL)
-		X509V3error(ERR_R_MALLOC_FAILURE);
-	BN_free(bntmp);
-	return strtmp;
-}
-
-char *
-i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, const ASN1_INTEGER *a)
-{
-	BIGNUM *bntmp;
-	char *strtmp = NULL;
-
-	if (a == NULL)
-		return NULL;
-	if ((bntmp = ASN1_INTEGER_to_BN(a, NULL)) == NULL ||
-	    (strtmp = bn_to_string(bntmp)) == NULL)
-		X509V3error(ERR_R_MALLOC_FAILURE);
-	BN_free(bntmp);
-	return strtmp;
-}
-
-ASN1_INTEGER *
-s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value)
-{
-	BIGNUM *bn = NULL;
-	ASN1_INTEGER *aint;
-	int isneg, ishex;
-	int ret;
-
-	if (!value) {
-		X509V3error(X509V3_R_INVALID_NULL_VALUE);
-		return 0;
-	}
-	bn = BN_new();
-	if (value[0] == '-') {
-		value++;
-		isneg = 1;
-	} else
-		isneg = 0;
-
-	if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) {
-		value += 2;
-		ishex = 1;
-	} else
-		ishex = 0;
-
-	if (ishex)
-		ret = BN_hex2bn(&bn, value);
-	else
-		ret = BN_dec2bn(&bn, value);
-
-	if (!ret || value[ret]) {
-		BN_free(bn);
-		X509V3error(X509V3_R_BN_DEC2BN_ERROR);
-		return 0;
-	}
-
-	if (isneg && BN_is_zero(bn))
-		isneg = 0;
-
-	aint = BN_to_ASN1_INTEGER(bn, NULL);
-	BN_free(bn);
-	if (!aint) {
-		X509V3error(X509V3_R_BN_TO_ASN1_INTEGER_ERROR);
-		return 0;
-	}
-	if (isneg)
-		aint->type |= V_ASN1_NEG;
-	return aint;
-}
-
-int
-X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
-    STACK_OF(CONF_VALUE) **extlist)
-{
-	char *strtmp;
-	int ret;
-
-	if (!aint)
-		return 1;
-	if (!(strtmp = i2s_ASN1_INTEGER(NULL, aint)))
-		return 0;
-	ret = X509V3_add_value(name, strtmp, extlist);
-	free(strtmp);
-	return ret;
-}
-
-int
-X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool)
-{
-	char *btmp;
-
-	if (!(btmp = value->value))
-		goto err;
-	if (!strcmp(btmp, "TRUE") || !strcmp(btmp, "true") ||
-	    !strcmp(btmp, "Y") || !strcmp(btmp, "y") ||
-	    !strcmp(btmp, "YES") || !strcmp(btmp, "yes")) {
-		*asn1_bool = 0xff;
-		return 1;
-	} else if (!strcmp(btmp, "FALSE") || !strcmp(btmp, "false") ||
-	    !strcmp(btmp, "N") || !strcmp(btmp, "n") ||
-	    !strcmp(btmp, "NO") || !strcmp(btmp, "no")) {
-		*asn1_bool = 0;
-		return 1;
-	}
-
- err:
-	X509V3error(X509V3_R_INVALID_BOOLEAN_STRING);
-	X509V3_conf_err(value);
-	return 0;
-}
-
-int
-X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint)
-{
-	ASN1_INTEGER *itmp;
-
-	if (!(itmp = s2i_ASN1_INTEGER(NULL, value->value))) {
-		X509V3_conf_err(value);
-		return 0;
-	}
-	*aint = itmp;
-	return 1;
-}
-
-#define HDR_NAME	1
-#define HDR_VALUE	2
-
-/*#define DEBUG*/
-
-STACK_OF(CONF_VALUE) *
-X509V3_parse_list(const char *line)
-{
-	char *p, *q, c;
-	char *ntmp, *vtmp;
-	STACK_OF(CONF_VALUE) *values = NULL;
-	char *linebuf;
-	int state;
-
-	/* We are going to modify the line so copy it first */
-	if ((linebuf = strdup(line)) == NULL) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		goto err;
-	}
-	state = HDR_NAME;
-	ntmp = NULL;
-
-	/* Go through all characters */
-	for (p = linebuf, q = linebuf; (c = *p) && (c != '\r') &&
-	    (c != '\n'); p++) {
-
-		switch (state) {
-		case HDR_NAME:
-			if (c == ':') {
-				state = HDR_VALUE;
-				*p = 0;
-				ntmp = strip_spaces(q);
-				if (!ntmp) {
-					X509V3error(X509V3_R_INVALID_NULL_NAME);
-					goto err;
-				}
-				q = p + 1;
-			} else if (c == ',') {
-				*p = 0;
-				ntmp = strip_spaces(q);
-				q = p + 1;
-				if (!ntmp) {
-					X509V3error(X509V3_R_INVALID_NULL_NAME);
-					goto err;
-				}
-				X509V3_add_value(ntmp, NULL, &values);
-			}
-			break;
-
-		case HDR_VALUE:
-			if (c == ',') {
-				state = HDR_NAME;
-				*p = 0;
-				vtmp = strip_spaces(q);
-				if (!vtmp) {
-					X509V3error(X509V3_R_INVALID_NULL_VALUE);
-					goto err;
-				}
-				X509V3_add_value(ntmp, vtmp, &values);
-				ntmp = NULL;
-				q = p + 1;
-			}
-
-		}
-	}
-
-	if (state == HDR_VALUE) {
-		vtmp = strip_spaces(q);
-		if (!vtmp) {
-			X509V3error(X509V3_R_INVALID_NULL_VALUE);
-			goto err;
-		}
-		X509V3_add_value(ntmp, vtmp, &values);
-	} else {
-		ntmp = strip_spaces(q);
-		if (!ntmp) {
-			X509V3error(X509V3_R_INVALID_NULL_NAME);
-			goto err;
-		}
-		X509V3_add_value(ntmp, NULL, &values);
-	}
-	free(linebuf);
-	return values;
-
- err:
-	free(linebuf);
-	sk_CONF_VALUE_pop_free(values, X509V3_conf_free);
-	return NULL;
-
-}
-
-/* Delete leading and trailing spaces from a string */
-static char *
-strip_spaces(char *name)
-{
-	char *p, *q;
-
-	/* Skip over leading spaces */
-	p = name;
-	while (*p && isspace((unsigned char)*p))
-		p++;
-	if (!*p)
-		return NULL;
-	q = p + strlen(p) - 1;
-	while ((q != p) && isspace((unsigned char)*q))
-		q--;
-	if (p != q)
-		q[1] = 0;
-	if (!*p)
-		return NULL;
-	return p;
-}
-
-/* hex string utilities */
-
-/* Given a buffer of length 'len' return a malloc'ed string with its
- * hex representation
- */
-char *
-hex_to_string(const unsigned char *buffer, long len)
-{
-	char *tmp, *q;
-	const unsigned char *p;
-	int i;
-	static const char hexdig[] = "0123456789ABCDEF";
-
-	if (!buffer || !len)
-		return NULL;
-	if (!(tmp = malloc(len * 3 + 1))) {
-		X509V3error(ERR_R_MALLOC_FAILURE);
-		return NULL;
-	}
-	q = tmp;
-	for (i = 0, p = buffer; i < len; i++, p++) {
-		*q++ = hexdig[(*p >> 4) & 0xf];
-		*q++ = hexdig[*p & 0xf];
-		*q++ = ':';
-	}
-	q[-1] = 0;
-	return tmp;
-}
-
-/* Give a string of hex digits convert to
- * a buffer
- */
-
-unsigned char *
-string_to_hex(const char *str, long *len)
-{
-	unsigned char *hexbuf, *q;
-	unsigned char ch, cl, *p;
-	if (!str) {
-		X509V3error(X509V3_R_INVALID_NULL_ARGUMENT);
-		return NULL;
-	}
-	if (!(hexbuf = malloc(strlen(str) >> 1)))
-		goto err;
-	for (p = (unsigned char *)str, q = hexbuf; *p; ) {
-		ch = *p++;
-		if (ch == ':')
-			continue;
-		cl = *p++;
-		if (!cl) {
-			X509V3error(X509V3_R_ODD_NUMBER_OF_DIGITS);
-			free(hexbuf);
-			return NULL;
-		}
-		ch = tolower(ch);
-		cl = tolower(cl);
-
-		if ((ch >= '0') && (ch <= '9'))
-			ch -= '0';
-		else if ((ch >= 'a') && (ch <= 'f'))
-			ch -= 'a' - 10;
-		else
-			goto badhex;
-
-		if ((cl >= '0') && (cl <= '9'))
-			cl -= '0';
-		else if ((cl >= 'a') && (cl <= 'f'))
-			cl -= 'a' - 10;
-		else
-			goto badhex;
-
-		*q++ = (ch << 4) | cl;
-	}
-
-	if (len)
-		*len = q - hexbuf;
-
-	return hexbuf;
-
- err:
-	free(hexbuf);
-	X509V3error(ERR_R_MALLOC_FAILURE);
-	return NULL;
-
- badhex:
-	free(hexbuf);
-	X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT);
-	return NULL;
-}
-
-/* V2I name comparison function: returns zero if 'name' matches
- * cmp or cmp.*
- */
-
-int
-name_cmp(const char *name, const char *cmp)
-{
-	int len, ret;
-	char c;
-
-	len = strlen(cmp);
-	if ((ret = strncmp(name, cmp, len)))
-		return ret;
-	c = name[len];
-	if (!c || (c=='.'))
-		return 0;
-	return 1;
-}
-
-static int
-sk_strcmp(const char * const *a, const char * const *b)
-{
-	return strcmp(*a, *b);
-}
-
-STACK_OF(OPENSSL_STRING) *
-X509_get1_email(X509 *x)
-{
-	GENERAL_NAMES *gens;
-	STACK_OF(OPENSSL_STRING) *ret;
-
-	gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
-	ret = get_email(X509_get_subject_name(x), gens);
-	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
-	return ret;
-}
-
-STACK_OF(OPENSSL_STRING) *
-X509_get1_ocsp(X509 *x)
-{
-	AUTHORITY_INFO_ACCESS *info;
-	STACK_OF(OPENSSL_STRING) *ret = NULL;
-	int i;
-
-	info = X509_get_ext_d2i(x, NID_info_access, NULL, NULL);
-	if (!info)
-		return NULL;
-	for (i = 0; i < sk_ACCESS_DESCRIPTION_num(info); i++) {
-		ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(info, i);
-		if (OBJ_obj2nid(ad->method) == NID_ad_OCSP) {
-			if (ad->location->type == GEN_URI) {
-				if (!append_ia5(&ret,
-				    ad->location->d.uniformResourceIdentifier))
-					break;
-			}
-		}
-	}
-	AUTHORITY_INFO_ACCESS_free(info);
-	return ret;
-}
-
-STACK_OF(OPENSSL_STRING) *
-X509_REQ_get1_email(X509_REQ *x)
-{
-	GENERAL_NAMES *gens;
-	STACK_OF(X509_EXTENSION) *exts;
-	STACK_OF(OPENSSL_STRING) *ret;
-
-	exts = X509_REQ_get_extensions(x);
-	gens = X509V3_get_d2i(exts, NID_subject_alt_name, NULL, NULL);
-	ret = get_email(X509_REQ_get_subject_name(x), gens);
-	sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
-	sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
-	return ret;
-}
-
-
-static STACK_OF(OPENSSL_STRING) *
-get_email(X509_NAME *name, GENERAL_NAMES *gens)
-{
-	STACK_OF(OPENSSL_STRING) *ret = NULL;
-	X509_NAME_ENTRY *ne;
-	ASN1_IA5STRING *email;
-	GENERAL_NAME *gen;
-	int i;
-
-	/* Now add any email address(es) to STACK */
-	i = -1;
-
-	/* First supplied X509_NAME */
-	while ((i = X509_NAME_get_index_by_NID(name,
-	    NID_pkcs9_emailAddress, i)) >= 0) {
-		ne = X509_NAME_get_entry(name, i);
-		email = X509_NAME_ENTRY_get_data(ne);
-		if (!append_ia5(&ret, email))
-			return NULL;
-	}
-	for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
-		gen = sk_GENERAL_NAME_value(gens, i);
-		if (gen->type != GEN_EMAIL)
-			continue;
-		if (!append_ia5(&ret, gen->d.ia5))
-			return NULL;
-	}
-	return ret;
-}
-
-static void
-str_free(OPENSSL_STRING str)
-{
-	free(str);
-}
-
-static int
-append_ia5(STACK_OF(OPENSSL_STRING) **sk, ASN1_IA5STRING *email)
-{
-	char *emtmp;
-
-	/* First some sanity checks */
-	if (email->type != V_ASN1_IA5STRING)
-		return 1;
-	if (!email->data || !email->length)
-		return 1;
-	if (!*sk)
-		*sk = sk_OPENSSL_STRING_new(sk_strcmp);
-	if (!*sk)
-		return 0;
-	/* Don't add duplicates */
-	if (sk_OPENSSL_STRING_find(*sk, (char *)email->data) != -1)
-		return 1;
-	emtmp = strdup((char *)email->data);
-	if (!emtmp || !sk_OPENSSL_STRING_push(*sk, emtmp)) {
-		X509_email_free(*sk);
-		*sk = NULL;
-		return 0;
-	}
-	return 1;
-}
-
-void
-X509_email_free(STACK_OF(OPENSSL_STRING) *sk)
-{
-	sk_OPENSSL_STRING_pop_free(sk, str_free);
-}
-
-typedef int (*equal_fn)(const unsigned char *pattern, size_t pattern_len,
-    const unsigned char *subject, size_t subject_len, unsigned int flags);
-
-/* Skip pattern prefix to match "wildcard" subject */
-static void
-skip_prefix(const unsigned char **p, size_t *plen, const unsigned char *subject,
-    size_t subject_len, unsigned int flags)
-{
-	const unsigned char *pattern = *p;
-	size_t pattern_len = *plen;
-
-	/*
-	 * If subject starts with a leading '.' followed by more octets, and
-	 * pattern is longer, compare just an equal-length suffix with the
-	 * full subject (starting at the '.'), provided the prefix contains
-	 * no NULs.
-	 */
-	if ((flags & _X509_CHECK_FLAG_DOT_SUBDOMAINS) == 0)
-		return;
-
-	while (pattern_len > subject_len && *pattern) {
-		if ((flags & X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS) &&
-		    *pattern == '.')
-			break;
-		++pattern;
-		--pattern_len;
-	}
-
-	/* Skip if entire prefix acceptable */
-	if (pattern_len == subject_len) {
-		*p = pattern;
-		*plen = pattern_len;
-	}
-}
-
-/*
- * Open/BoringSSL uses memcmp for "equal_case" while their
- * "equal_nocase" function is a hand-rolled strncasecmp that does not
- * allow \0 in the pattern. Since an embedded \0 is likely a sign of
- * problems, we simply don't allow it in either case, and then we use
- * standard libc funcitons.
- */
-
-/* Compare using strncasecmp */
-static int
-equal_nocase(const unsigned char *pattern, size_t pattern_len,
-    const unsigned char *subject, size_t subject_len, unsigned int flags)
-{
-	if (memchr(pattern, '\0', pattern_len) != NULL)
-		return 0;
-	if (memchr(subject, '\0', subject_len) != NULL)
-		return 0;
-	skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
-	if (pattern_len != subject_len)
-		return 0;
-	return (strncasecmp(pattern, subject, pattern_len) == 0);
-}
-
-/* Compare using strncmp. */
-static int
-equal_case(const unsigned char *pattern, size_t pattern_len,
-    const unsigned char *subject, size_t subject_len, unsigned int flags)
-{
-	if (memchr(pattern, 0, pattern_len) != NULL)
-		return 0;
-	if (memchr(subject, 0, subject_len) != NULL)
-		return 0;
-	skip_prefix(&pattern, &pattern_len, subject, subject_len, flags);
-	if (pattern_len != subject_len)
-		return 0;
-	return (strncmp(pattern, subject, pattern_len) == 0);
-}
-
-/*
- * RFC 5280, section 7.5, requires that only the domain is compared in a
- * case-insensitive manner.
- */
-static int
-equal_email(const unsigned char *a, size_t a_len, const unsigned char *b,
-    size_t b_len, unsigned int unused_flags)
-{
-	size_t pos = a_len;
-	if (a_len != b_len)
-		return 0;
-	/*
-	 * We search backwards for the '@' character, so that we do not have to
-	 * deal with quoted local-parts.  The domain part is compared in a
-	 * case-insensitive manner.
-	 */
-	while (pos > 0) {
-		pos--;
-		if (a[pos] == '@' || b[pos] == '@') {
-			if (!equal_nocase(a + pos, a_len - pos, b + pos,
-			    a_len - pos, 0))
-				return 0;
-			break;
-		}
-	}
-	if (pos == 0)
-		pos = a_len;
-	return equal_case(a, pos, b, pos, 0);
-}
-
-/*
- * Compare the prefix and suffix with the subject, and check that the
- * characters in-between are valid.
- */
-static int
-wildcard_match(const unsigned char *prefix, size_t prefix_len,
-    const unsigned char *suffix, size_t suffix_len,
-    const unsigned char *subject, size_t subject_len, unsigned int flags)
-{
-	const unsigned char *wildcard_start;
-	const unsigned char *wildcard_end;
-	const unsigned char *p;
-	int allow_multi = 0;
-	int allow_idna = 0;
-
-	if (subject_len < prefix_len + suffix_len)
-		return 0;
-	if (!equal_nocase(prefix, prefix_len, subject, prefix_len, flags))
-		return 0;
-	wildcard_start = subject + prefix_len;
-	wildcard_end = subject + (subject_len - suffix_len);
-	if (!equal_nocase(wildcard_end, suffix_len, suffix, suffix_len, flags))
-		return 0;
-	/*
-	 * If the wildcard makes up the entire first label, it must match at
-	 * least one character.
-	 */
-	if (prefix_len == 0 && *suffix == '.') {
-		if (wildcard_start == wildcard_end)
-			return 0;
-		allow_idna = 1;
-		if (flags & X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS)
-			allow_multi = 1;
-	}
-	/* IDNA labels cannot match partial wildcards */
-	if (!allow_idna &&
-	    subject_len >= 4
-	    && strncasecmp((char *)subject, "xn--", 4) == 0)
-		return 0;
-	/* The wildcard may match a literal '*' */
-	if (wildcard_end == wildcard_start + 1 && *wildcard_start == '*')
-		return 1;
-	/*
-	 * Check that the part matched by the wildcard contains only
-	 * permitted characters and only matches a single label unless
-	 * allow_multi is set.
-	 */
-	for (p = wildcard_start; p != wildcard_end; ++p)
-		if (!(('0' <= *p && *p <= '9') || ('A' <= *p && *p <= 'Z') ||
-		    ('a' <= *p && *p <= 'z') || *p == '-' ||
-		    (allow_multi && *p == '.')))
-			return 0;
-	return 1;
-}
-
-#define LABEL_START     (1 << 0)
-#define LABEL_END       (1 << 1)
-#define LABEL_HYPHEN    (1 << 2)
-#define LABEL_IDNA      (1 << 3)
-
-static const unsigned char *
-valid_star(const unsigned char *p, size_t len, unsigned int flags)
-{
-	const unsigned char *star = 0;
-	size_t i;
-	int state = LABEL_START;
-	int dots = 0;
-	for (i = 0; i < len; ++i) {
-		/*
-		 * Locate first and only legal wildcard, either at the start
-		 * or end of a non-IDNA first and not final label.
-		 */
-		if (p[i] == '*') {
-			int atstart = (state & LABEL_START);
-			int atend = (i == len - 1 || p[i + 1] == '.');
-			/*
-			 * At most one wildcard per pattern.
-			 * No wildcards in IDNA labels.
-			 * No wildcards after the first label.
-			 */
-			if (star != NULL || (state & LABEL_IDNA) != 0 || dots)
-				return NULL;
-			/* Only full-label '*.example.com' wildcards? */
-			if ((flags & X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)
-			    && (!atstart || !atend))
-				return NULL;
-			/* No 'foo*bar' wildcards */
-			if (!atstart && !atend)
-				return NULL;
-			star = &p[i];
-			state &= ~LABEL_START;
-		} else if ((state & LABEL_START) != 0) {
-			/*
-			 * At the start of a label, skip any "xn--" and
-			 * remain in the LABEL_START state, but set the
-			 * IDNA label state
-			 */
-			if ((state & LABEL_IDNA) == 0 && len - i >= 4
-			    && strncasecmp((char *)&p[i], "xn--", 4) == 0) {
-				i += 3;
-				state |= LABEL_IDNA;
-				continue;
-			}
-			/* Labels must start with a letter or digit */
-			state &= ~LABEL_START;
-			if (('a' <= p[i] && p[i] <= 'z')
-			    || ('A' <= p[i] && p[i] <= 'Z')
-			    || ('0' <= p[i] && p[i] <= '9'))
-				continue;
-			return NULL;
-		} else if (('a' <= p[i] && p[i] <= 'z')
-		    || ('A' <= p[i] && p[i] <= 'Z')
-		    || ('0' <= p[i] && p[i] <= '9')) {
-			state &= LABEL_IDNA;
-			continue;
-		} else if (p[i] == '.') {
-			if (state & (LABEL_HYPHEN | LABEL_START))
-				return NULL;
-			state = LABEL_START;
-			++dots;
-		} else if (p[i] == '-') {
-			/* no domain/subdomain starts with '-' */
-			if ((state & LABEL_START) != 0)
-				return NULL;
-			state |= LABEL_HYPHEN;
-		} else
-			return NULL;
-	}
-
-	/*
-	 * The final label must not end in a hyphen or ".", and
-	 * there must be at least two dots after the star.
-	 */
-	if ((state & (LABEL_START | LABEL_HYPHEN)) != 0 || dots < 2)
-		return NULL;
-	return star;
-}
-
-/* Compare using wildcards. */
-static int
-equal_wildcard(const unsigned char *pattern, size_t pattern_len,
-    const unsigned char *subject, size_t subject_len, unsigned int flags)
-{
-	const unsigned char *star = NULL;
-
-	/*
-	 * Subject names starting with '.' can only match a wildcard pattern
-	 * via a subject sub-domain pattern suffix match.
-	 */
-	if (!(subject_len > 1 && subject[0] == '.'))
-		star = valid_star(pattern, pattern_len, flags);
-	if (star == NULL)
-		return equal_nocase(pattern, pattern_len,
-		    subject, subject_len, flags);
-	return wildcard_match(pattern, star - pattern,
-	    star + 1, (pattern + pattern_len) - star - 1,
-	    subject, subject_len, flags);
-}
-
-/*
- * Compare an ASN1_STRING to a supplied string. If they match return 1. If
- * cmp_type > 0 only compare if string matches the type, otherwise convert it
- * to UTF8.
- */
-
-static int
-do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
-    unsigned int flags, const char *b, size_t blen, char **peername)
-{
-	int rv = 0;
-
-	if (!a->data || !a->length)
-		return 0;
-	if (cmp_type > 0) {
-		if (cmp_type != a->type)
-			return 0;
-		if (cmp_type == V_ASN1_IA5STRING)
-			rv = equal(a->data, a->length, (unsigned char *)b,
-			    blen, flags);
-		else if (a->length == (int)blen && !memcmp(a->data, b, blen))
-			rv = 1;
-		if (rv > 0 && peername &&
-		    (*peername = strndup((char *)a->data, a->length)) == NULL)
-			rv = -1;
-	} else {
-		int astrlen;
-		unsigned char *astr;
-		astrlen = ASN1_STRING_to_UTF8(&astr, a);
-		if (astrlen < 0)
-			return -1;
-		rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
-		if (rv > 0 && peername &&
-		    (*peername = strndup((char *)astr, astrlen)) == NULL)
-			rv = -1;
-		free(astr);
-	}
-	return rv;
-}
-
-static int
-do_x509_check(X509 *x, const char *chk, size_t chklen, unsigned int flags,
-    int check_type, char **peername)
-{
-	GENERAL_NAMES *gens = NULL;
-	X509_NAME *name = NULL;
-	size_t i;
-	int j;
-	int cnid = NID_undef;
-	int alt_type;
-	int san_present = 0;
-	int rv = 0;
-	equal_fn equal;
-
-	/* See below, this flag is internal-only */
-	flags &= ~_X509_CHECK_FLAG_DOT_SUBDOMAINS;
-	if (check_type == GEN_EMAIL) {
-		cnid = NID_pkcs9_emailAddress;
-		alt_type = V_ASN1_IA5STRING;
-		equal = equal_email;
-	} else if (check_type == GEN_DNS) {
-		cnid = NID_commonName;
-		/* Implicit client-side DNS sub-domain pattern */
-		if (chklen > 1 && chk[0] == '.')
-			flags |= _X509_CHECK_FLAG_DOT_SUBDOMAINS;
-		alt_type = V_ASN1_IA5STRING;
-		if (flags & X509_CHECK_FLAG_NO_WILDCARDS)
-			equal = equal_nocase;
-		else
-			equal = equal_wildcard;
-	} else {
-		alt_type = V_ASN1_OCTET_STRING;
-		equal = equal_case;
-	}
-
-	gens = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
-	if (gens != NULL) {
-		for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
-			GENERAL_NAME *gen;
-			ASN1_STRING *cstr;
-			gen = sk_GENERAL_NAME_value(gens, i);
-			if (gen->type != check_type)
-				continue;
-			san_present = 1;
-			if (check_type == GEN_EMAIL)
-				cstr = gen->d.rfc822Name;
-			else if (check_type == GEN_DNS)
-				cstr = gen->d.dNSName;
-			else
-				cstr = gen->d.iPAddress;
-			/* Positive on success, negative on error! */
-			if ((rv = do_check_string(cstr, alt_type, equal, flags,
-			    chk, chklen, peername)) != 0)
-				break;
-		}
-		GENERAL_NAMES_free(gens);
-		if (rv != 0)
-			return rv;
-		if (cnid == NID_undef ||
-		    (san_present &&
-		    !(flags & X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT)))
-			return 0;
-	}
-
-	/* We're done if CN-ID is not pertinent */
-	if (cnid == NID_undef)
-		return 0;
-
-	j = -1;
-	name = X509_get_subject_name(x);
-	while ((j = X509_NAME_get_index_by_NID(name, cnid, j)) >= 0) {
-		X509_NAME_ENTRY *ne;
-		ASN1_STRING *str;
-		if ((ne = X509_NAME_get_entry(name, j)) == NULL)
-			return -1;
-		if ((str = X509_NAME_ENTRY_get_data(ne)) == NULL)
-			return -1;
-		/* Positive on success, negative on error! */
-		if ((rv = do_check_string(str, -1, equal, flags,
-			 chk, chklen, peername)) != 0)
-			return rv;
-	}
-	return 0;
-}
-
-int
-X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags,
-    char **peername)
-{
-	if (chk == NULL)
-		return -2;
-	if (chklen == 0)
-		chklen = strlen(chk);
-	else if (memchr(chk, '\0', chklen))
-		return -2;
-	return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername);
-}
-
-int
-X509_check_email(X509 *x, const char *chk, size_t chklen, unsigned int flags)
-{
-	if (chk == NULL)
-		return -2;
-	if (chklen == 0)
-		chklen = strlen(chk);
-	else if (memchr(chk, '\0', chklen))
-		return -2;
-	return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL);
-}
-
-int
-X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
-    unsigned int flags)
-{
-	if (chk == NULL)
-		return -2;
-	return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL);
-}
-
-int
-X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags)
-{
-	unsigned char ipout[16];
-	size_t iplen;
-
-	if (ipasc == NULL)
-		return -2;
-	iplen = (size_t)a2i_ipadd(ipout, ipasc);
-	if (iplen == 0)
-		return -2;
-	return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL);
-}
-
-/* Convert IP addresses both IPv4 and IPv6 into an
- * OCTET STRING compatible with RFC3280.
- */
-
-ASN1_OCTET_STRING *
-a2i_IPADDRESS(const char *ipasc)
-{
-	unsigned char ipout[16];
-	ASN1_OCTET_STRING *ret;
-	int iplen;
-
-	/* If string contains a ':' assume IPv6 */
-
-	iplen = a2i_ipadd(ipout, ipasc);
-
-	if (!iplen)
-		return NULL;
-
-	ret = ASN1_OCTET_STRING_new();
-	if (!ret)
-		return NULL;
-	if (!ASN1_OCTET_STRING_set(ret, ipout, iplen)) {
-		ASN1_OCTET_STRING_free(ret);
-		return NULL;
-	}
-	return ret;
-}
-
-ASN1_OCTET_STRING *
-a2i_IPADDRESS_NC(const char *ipasc)
-{
-	ASN1_OCTET_STRING *ret = NULL;
-	unsigned char ipout[32];
-	char *iptmp = NULL, *p;
-	int iplen1, iplen2;
-
-	p = strchr(ipasc, '/');
-	if (!p)
-		return NULL;
-	iptmp = strdup(ipasc);
-	if (!iptmp)
-		return NULL;
-	p = iptmp + (p - ipasc);
-	*p++ = 0;
-
-	iplen1 = a2i_ipadd(ipout, iptmp);
-
-	if (!iplen1)
-		goto err;
-
-	iplen2 = a2i_ipadd(ipout + iplen1, p);
-
-	free(iptmp);
-	iptmp = NULL;
-
-	if (!iplen2 || (iplen1 != iplen2))
-		goto err;
-
-	ret = ASN1_OCTET_STRING_new();
-	if (!ret)
-		goto err;
-	if (!ASN1_OCTET_STRING_set(ret, ipout, iplen1 + iplen2))
-		goto err;
-
-	return ret;
-
- err:
-	free(iptmp);
-	if (ret)
-		ASN1_OCTET_STRING_free(ret);
-	return NULL;
-}
-
-
-int
-a2i_ipadd(unsigned char *ipout, const char *ipasc)
-{
-	/* If string contains a ':' assume IPv6 */
-
-	if (strchr(ipasc, ':')) {
-		if (!ipv6_from_asc(ipout, ipasc))
-			return 0;
-		return 16;
-	} else {
-		if (!ipv4_from_asc(ipout, ipasc))
-			return 0;
-		return 4;
-	}
-}
-
-static int
-ipv4_from_asc(unsigned char *v4, const char *in)
-{
-	int a0, a1, a2, a3;
-	if (sscanf(in, "%d.%d.%d.%d", &a0, &a1, &a2, &a3) != 4)
-		return 0;
-	if ((a0 < 0) || (a0 > 255) || (a1 < 0) || (a1 > 255) ||
-	    (a2 < 0) || (a2 > 255) || (a3 < 0) || (a3 > 255))
-		return 0;
-	v4[0] = a0;
-	v4[1] = a1;
-	v4[2] = a2;
-	v4[3] = a3;
-	return 1;
-}
-
-typedef struct {
-	/* Temporary store for IPV6 output */
-	unsigned char tmp[16];
-	/* Total number of bytes in tmp */
-	int total;
-	/* The position of a zero (corresponding to '::') */
-	int zero_pos;
-	/* Number of zeroes */
-	int zero_cnt;
-} IPV6_STAT;
-
-
-static int
-ipv6_from_asc(unsigned char *v6, const char *in)
-{
-	IPV6_STAT v6stat;
-
-	v6stat.total = 0;
-	v6stat.zero_pos = -1;
-	v6stat.zero_cnt = 0;
-
-	/* Treat the IPv6 representation as a list of values
-	 * separated by ':'. The presence of a '::' will parse
-	 * as one, two or three zero length elements.
-	 */
-	if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat))
-		return 0;
-
-	/* Now for some sanity checks */
-
-	if (v6stat.zero_pos == -1) {
-		/* If no '::' must have exactly 16 bytes */
-		if (v6stat.total != 16)
-			return 0;
-	} else {
-		/* If '::' must have less than 16 bytes */
-		if (v6stat.total == 16)
-			return 0;
-		/* More than three zeroes is an error */
-		if (v6stat.zero_cnt > 3)
-			return 0;
-		/* Can only have three zeroes if nothing else present */
-		else if (v6stat.zero_cnt == 3) {
-			if (v6stat.total > 0)
-				return 0;
-		}
-		/* Can only have two zeroes if at start or end */
-		else if (v6stat.zero_cnt == 2) {
-			if ((v6stat.zero_pos != 0) &&
-			    (v6stat.zero_pos != v6stat.total))
-				return 0;
-		} else
-			/* Can only have one zero if *not* start or end */
-		{
-			if ((v6stat.zero_pos == 0) ||
-			    (v6stat.zero_pos == v6stat.total))
-				return 0;
-		}
-	}
-
-	/* Format result */
-
-	if (v6stat.zero_pos >= 0) {
-		/* Copy initial part */
-		memcpy(v6, v6stat.tmp, v6stat.zero_pos);
-		/* Zero middle */
-		memset(v6 + v6stat.zero_pos, 0, 16 - v6stat.total);
-		/* Copy final part */
-		if (v6stat.total != v6stat.zero_pos)
-			memcpy(v6 + v6stat.zero_pos + 16 - v6stat.total,
-			    v6stat.tmp + v6stat.zero_pos,
-			    v6stat.total - v6stat.zero_pos);
-	} else
-		memcpy(v6, v6stat.tmp, 16);
-
-	return 1;
-}
-
-static int
-ipv6_cb(const char *elem, int len, void *usr)
-{
-	IPV6_STAT *s = usr;
-
-	/* Error if 16 bytes written */
-	if (s->total == 16)
-		return 0;
-	if (len == 0) {
-		/* Zero length element, corresponds to '::' */
-		if (s->zero_pos == -1)
-			s->zero_pos = s->total;
-		/* If we've already got a :: its an error */
-		else if (s->zero_pos != s->total)
-			return 0;
-		s->zero_cnt++;
-	} else {
-		/* If more than 4 characters could be final a.b.c.d form */
-		if (len > 4) {
-			/* Need at least 4 bytes left */
-			if (s->total > 12)
-				return 0;
-			/* Must be end of string */
-			if (elem[len])
-				return 0;
-			if (!ipv4_from_asc(s->tmp + s->total, elem))
-				return 0;
-			s->total += 4;
-		} else {
-			if (!ipv6_hex(s->tmp + s->total, elem, len))
-				return 0;
-			s->total += 2;
-		}
-	}
-	return 1;
-}
-
-/* Convert a string of up to 4 hex digits into the corresponding
- * IPv6 form.
- */
-
-static int
-ipv6_hex(unsigned char *out, const char *in, int inlen)
-{
-	unsigned char c;
-	unsigned int num = 0;
-
-	if (inlen > 4)
-		return 0;
-	while (inlen--) {
-		c = *in++;
-		num <<= 4;
-		if ((c >= '0') && (c <= '9'))
-			num |= c - '0';
-		else if ((c >= 'A') && (c <= 'F'))
-			num |= c - 'A' + 10;
-		else if ((c >= 'a') && (c <= 'f'))
-			num |=  c - 'a' + 10;
-		else
-			return 0;
-	}
-	out[0] = num >> 8;
-	out[1] = num & 0xff;
-	return 1;
-}
-
-int
-X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
-    unsigned long chtype)
-{
-	CONF_VALUE *v;
-	int i, mval;
-	char *p, *type;
-
-	if (!nm)
-		return 0;
-
-	for (i = 0; i < sk_CONF_VALUE_num(dn_sk); i++) {
-		v = sk_CONF_VALUE_value(dn_sk, i);
-		type = v->name;
-		/* Skip past any leading X. X: X, etc to allow for
-		 * multiple instances
-		 */
-		for (p = type; *p; p++)
-			if ((*p == ':') || (*p == ',') || (*p == '.')) {
-				p++;
-				if (*p)
-					type = p;
-				break;
-			}
-		if (*type == '+') {
-			mval = -1;
-			type++;
-		} else
-			mval = 0;
-		if (!X509_NAME_add_entry_by_txt(nm, type, chtype,
-		    (unsigned char *) v->value, -1, -1, mval))
-			return 0;
-	}
-	return 1;
-}
diff --git a/src/lib/libcrypto/x509v3/v3err.c b/src/lib/libcrypto/x509v3/v3err.c
deleted file mode 100644
index a49632a069..0000000000
--- a/src/lib/libcrypto/x509v3/v3err.c
+++ /dev/null
@@ -1,226 +0,0 @@
-/* $OpenBSD: v3err.c,v 1.11 2014/07/10 22:45:58 jsing Exp $ */
-/* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    openssl-core@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
-#include <stdio.h>
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/err.h>
-#include <openssl/x509v3.h>
-
-/* BEGIN ERROR CODES */
-#ifndef OPENSSL_NO_ERR
-
-#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0)
-#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason)
-
-static ERR_STRING_DATA X509V3_str_functs[] = {
-	{ERR_FUNC(X509V3_F_A2I_GENERAL_NAME),	"A2I_GENERAL_NAME"},
-	{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE),	"ASIDENTIFIERCHOICE_CANONIZE"},
-	{ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL),	"ASIDENTIFIERCHOICE_IS_CANONICAL"},
-	{ERR_FUNC(X509V3_F_COPY_EMAIL),	"COPY_EMAIL"},
-	{ERR_FUNC(X509V3_F_COPY_ISSUER),	"COPY_ISSUER"},
-	{ERR_FUNC(X509V3_F_DO_DIRNAME),	"DO_DIRNAME"},
-	{ERR_FUNC(X509V3_F_DO_EXT_CONF),	"DO_EXT_CONF"},
-	{ERR_FUNC(X509V3_F_DO_EXT_I2D),	"DO_EXT_I2D"},
-	{ERR_FUNC(X509V3_F_DO_EXT_NCONF),	"DO_EXT_NCONF"},
-	{ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS),	"DO_I2V_NAME_CONSTRAINTS"},
-	{ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME),	"GNAMES_FROM_SECTNAME"},
-	{ERR_FUNC(X509V3_F_HEX_TO_STRING),	"hex_to_string"},
-	{ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED),	"i2s_ASN1_ENUMERATED"},
-	{ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING),	"I2S_ASN1_IA5STRING"},
-	{ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER),	"i2s_ASN1_INTEGER"},
-	{ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS),	"I2V_AUTHORITY_INFO_ACCESS"},
-	{ERR_FUNC(X509V3_F_NOTICE_SECTION),	"NOTICE_SECTION"},
-	{ERR_FUNC(X509V3_F_NREF_NOS),	"NREF_NOS"},
-	{ERR_FUNC(X509V3_F_POLICY_SECTION),	"POLICY_SECTION"},
-	{ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE),	"PROCESS_PCI_VALUE"},
-	{ERR_FUNC(X509V3_F_R2I_CERTPOL),	"R2I_CERTPOL"},
-	{ERR_FUNC(X509V3_F_R2I_PCI),	"R2I_PCI"},
-	{ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING),	"S2I_ASN1_IA5STRING"},
-	{ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER),	"s2i_ASN1_INTEGER"},
-	{ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING),	"s2i_ASN1_OCTET_STRING"},
-	{ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID),	"S2I_ASN1_SKEY_ID"},
-	{ERR_FUNC(X509V3_F_S2I_SKEY_ID),	"S2I_SKEY_ID"},
-	{ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME),	"SET_DIST_POINT_NAME"},
-	{ERR_FUNC(X509V3_F_STRING_TO_HEX),	"string_to_hex"},
-	{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC),	"SXNET_add_id_asc"},
-	{ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER),	"SXNET_add_id_INTEGER"},
-	{ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG),	"SXNET_add_id_ulong"},
-	{ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC),	"SXNET_get_id_asc"},
-	{ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG),	"SXNET_get_id_ulong"},
-	{ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS),	"V2I_ASIDENTIFIERS"},
-	{ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING),	"v2i_ASN1_BIT_STRING"},
-	{ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS),	"V2I_AUTHORITY_INFO_ACCESS"},
-	{ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID),	"V2I_AUTHORITY_KEYID"},
-	{ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS),	"V2I_BASIC_CONSTRAINTS"},
-	{ERR_FUNC(X509V3_F_V2I_CRLD),	"V2I_CRLD"},
-	{ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE),	"V2I_EXTENDED_KEY_USAGE"},
-	{ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES),	"v2i_GENERAL_NAMES"},
-	{ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX),	"v2i_GENERAL_NAME_ex"},
-	{ERR_FUNC(X509V3_F_V2I_IDP),	"V2I_IDP"},
-	{ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS),	"V2I_IPADDRBLOCKS"},
-	{ERR_FUNC(X509V3_F_V2I_ISSUER_ALT),	"V2I_ISSUER_ALT"},
-	{ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS),	"V2I_NAME_CONSTRAINTS"},
-	{ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS),	"V2I_POLICY_CONSTRAINTS"},
-	{ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS),	"V2I_POLICY_MAPPINGS"},
-	{ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT),	"V2I_SUBJECT_ALT"},
-	{ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL),	"V3_ADDR_VALIDATE_PATH_INTERNAL"},
-	{ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION),	"V3_GENERIC_EXTENSION"},
-	{ERR_FUNC(X509V3_F_X509V3_ADD1_I2D),	"X509V3_add1_i2d"},
-	{ERR_FUNC(X509V3_F_X509V3_ADD_VALUE),	"X509V3_add_value"},
-	{ERR_FUNC(X509V3_F_X509V3_EXT_ADD),	"X509V3_EXT_add"},
-	{ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS),	"X509V3_EXT_add_alias"},
-	{ERR_FUNC(X509V3_F_X509V3_EXT_CONF),	"X509V3_EXT_conf"},
-	{ERR_FUNC(X509V3_F_X509V3_EXT_I2D),	"X509V3_EXT_i2d"},
-	{ERR_FUNC(X509V3_F_X509V3_EXT_NCONF),	"X509V3_EXT_nconf"},
-	{ERR_FUNC(X509V3_F_X509V3_GET_SECTION),	"X509V3_get_section"},
-	{ERR_FUNC(X509V3_F_X509V3_GET_STRING),	"X509V3_get_string"},
-	{ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL),	"X509V3_get_value_bool"},
-	{ERR_FUNC(X509V3_F_X509V3_PARSE_LIST),	"X509V3_parse_list"},
-	{ERR_FUNC(X509V3_F_X509_PURPOSE_ADD),	"X509_PURPOSE_add"},
-	{ERR_FUNC(X509V3_F_X509_PURPOSE_SET),	"X509_PURPOSE_set"},
-	{0, NULL}
-};
-
-static ERR_STRING_DATA X509V3_str_reasons[] = {
-	{ERR_REASON(X509V3_R_BAD_IP_ADDRESS)     , "bad ip address"},
-	{ERR_REASON(X509V3_R_BAD_OBJECT)         , "bad object"},
-	{ERR_REASON(X509V3_R_BN_DEC2BN_ERROR)    , "bn dec2bn error"},
-	{ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR), "bn to asn1 integer error"},
-	{ERR_REASON(X509V3_R_DIRNAME_ERROR)      , "dirname error"},
-	{ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET), "distpoint already set"},
-	{ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID)  , "duplicate zone id"},
-	{ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE), "error converting zone"},
-	{ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION), "error creating extension"},
-	{ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) , "error in extension"},
-	{ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME), "expected a section name"},
-	{ERR_REASON(X509V3_R_EXTENSION_EXISTS)   , "extension exists"},
-	{ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR), "extension name error"},
-	{ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND), "extension not found"},
-	{ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED), "extension setting not supported"},
-	{ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR), "extension value error"},
-	{ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION), "illegal empty extension"},
-	{ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT)  , "illegal hex digit"},
-	{ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG), "incorrect policy syntax tag"},
-	{ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS), "invalid multiple rdns"},
-	{ERR_REASON(X509V3_R_INVALID_ASNUMBER)   , "invalid asnumber"},
-	{ERR_REASON(X509V3_R_INVALID_ASRANGE)    , "invalid asrange"},
-	{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING), "invalid boolean string"},
-	{ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING), "invalid extension string"},
-	{ERR_REASON(X509V3_R_INVALID_INHERITANCE), "invalid inheritance"},
-	{ERR_REASON(X509V3_R_INVALID_IPADDRESS)  , "invalid ipaddress"},
-	{ERR_REASON(X509V3_R_INVALID_NAME)       , "invalid name"},
-	{ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT), "invalid null argument"},
-	{ERR_REASON(X509V3_R_INVALID_NULL_NAME)  , "invalid null name"},
-	{ERR_REASON(X509V3_R_INVALID_NULL_VALUE) , "invalid null value"},
-	{ERR_REASON(X509V3_R_INVALID_NUMBER)     , "invalid number"},
-	{ERR_REASON(X509V3_R_INVALID_NUMBERS)    , "invalid numbers"},
-	{ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER), "invalid object identifier"},
-	{ERR_REASON(X509V3_R_INVALID_OPTION)     , "invalid option"},
-	{ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER), "invalid policy identifier"},
-	{ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING), "invalid proxy policy setting"},
-	{ERR_REASON(X509V3_R_INVALID_PURPOSE)    , "invalid purpose"},
-	{ERR_REASON(X509V3_R_INVALID_SAFI)       , "invalid safi"},
-	{ERR_REASON(X509V3_R_INVALID_SECTION)    , "invalid section"},
-	{ERR_REASON(X509V3_R_INVALID_SYNTAX)     , "invalid syntax"},
-	{ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR), "issuer decode error"},
-	{ERR_REASON(X509V3_R_MISSING_VALUE)      , "missing value"},
-	{ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS), "need organization and numbers"},
-	{ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) , "no config database"},
-	{ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE), "no issuer certificate"},
-	{ERR_REASON(X509V3_R_NO_ISSUER_DETAILS)  , "no issuer details"},
-	{ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER), "no policy identifier"},
-	{ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED), "no proxy cert policy language defined"},
-	{ERR_REASON(X509V3_R_NO_PUBLIC_KEY)      , "no public key"},
-	{ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) , "no subject details"},
-	{ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS), "odd number of digits"},
-	{ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED), "operation not defined"},
-	{ERR_REASON(X509V3_R_OTHERNAME_ERROR)    , "othername error"},
-	{ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED), "policy language already defined"},
-	{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) , "policy path length"},
-	{ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED), "policy path length already defined"},
-	{ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED), "policy syntax not currently supported"},
-	{ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY), "policy when proxy language requires no policy"},
-	{ERR_REASON(X509V3_R_SECTION_NOT_FOUND)  , "section not found"},
-	{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS), "unable to get issuer details"},
-	{ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID), "unable to get issuer keyid"},
-	{ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT), "unknown bit string argument"},
-	{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION)  , "unknown extension"},
-	{ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME), "unknown extension name"},
-	{ERR_REASON(X509V3_R_UNKNOWN_OPTION)     , "unknown option"},
-	{ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) , "unsupported option"},
-	{ERR_REASON(X509V3_R_UNSUPPORTED_TYPE)   , "unsupported type"},
-	{ERR_REASON(X509V3_R_USER_TOO_LONG)      , "user too long"},
-	{0, NULL}
-};
-
-#endif
-
-void
-ERR_load_X509V3_strings(void)
-{
-#ifndef OPENSSL_NO_ERR
-	if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL) {
-		ERR_load_strings(0, X509V3_str_functs);
-		ERR_load_strings(0, X509V3_str_reasons);
-	}
-#endif
-}
diff --git a/src/lib/libcrypto/x509v3/x509v3.h b/src/lib/libcrypto/x509v3/x509v3.h
deleted file mode 100644
index 5d6c588730..0000000000
--- a/src/lib/libcrypto/x509v3/x509v3.h
+++ /dev/null
@@ -1,992 +0,0 @@
-/* $OpenBSD: x509v3.h,v 1.30 2018/05/19 10:50:08 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 1999.
- */
-/* ====================================================================
- * Copyright (c) 1999-2004 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer. 
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#ifndef HEADER_X509V3_H
-#define HEADER_X509V3_H
-
-#include <openssl/opensslconf.h>
-
-#include <openssl/bio.h>
-#include <openssl/x509.h>
-#include <openssl/conf.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Forward reference */
-struct v3_ext_method;
-struct v3_ext_ctx;
-
-/* Useful typedefs */
-
-typedef void * (*X509V3_EXT_NEW)(void);
-typedef void (*X509V3_EXT_FREE)(void *);
-typedef void * (*X509V3_EXT_D2I)(void *, const unsigned char ** , long);
-typedef int (*X509V3_EXT_I2D)(void *, unsigned char **);
-typedef STACK_OF(CONF_VALUE) *
-  (*X509V3_EXT_I2V)(const struct v3_ext_method *method, void *ext,
-		    STACK_OF(CONF_VALUE) *extlist);
-typedef void * (*X509V3_EXT_V2I)(const struct v3_ext_method *method,
-				 struct v3_ext_ctx *ctx,
-				 STACK_OF(CONF_VALUE) *values);
-typedef char * (*X509V3_EXT_I2S)(const struct v3_ext_method *method, void *ext);
-typedef void * (*X509V3_EXT_S2I)(const struct v3_ext_method *method,
-				 struct v3_ext_ctx *ctx, const char *str);
-typedef int (*X509V3_EXT_I2R)(const struct v3_ext_method *method, void *ext,
-			      BIO *out, int indent);
-typedef void * (*X509V3_EXT_R2I)(const struct v3_ext_method *method,
-				 struct v3_ext_ctx *ctx, const char *str);
-
-/* V3 extension structure */
-
-struct v3_ext_method {
-int ext_nid;
-int ext_flags;
-/* If this is set the following four fields are ignored */
-ASN1_ITEM_EXP *it;
-/* Old style ASN1 calls */
-X509V3_EXT_NEW ext_new;
-X509V3_EXT_FREE ext_free;
-X509V3_EXT_D2I d2i;
-X509V3_EXT_I2D i2d;
-
-/* The following pair is used for string extensions */
-X509V3_EXT_I2S i2s;
-X509V3_EXT_S2I s2i;
-
-/* The following pair is used for multi-valued extensions */
-X509V3_EXT_I2V i2v;
-X509V3_EXT_V2I v2i;
-
-/* The following are used for raw extensions */
-X509V3_EXT_I2R i2r;
-X509V3_EXT_R2I r2i;
-
-void *usr_data;	/* Any extension specific data */
-};
-
-typedef struct X509V3_CONF_METHOD_st {
-char *(*get_string)(void *db, const char *section, const char *value);
-STACK_OF(CONF_VALUE) *(*get_section)(void *db, const char *section);
-void (*free_string)(void *db, char *string);
-void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
-} X509V3_CONF_METHOD;
-
-/* Context specific info */
-struct v3_ext_ctx {
-#define CTX_TEST 0x1
-int flags;
-X509 *issuer_cert;
-X509 *subject_cert;
-X509_REQ *subject_req;
-X509_CRL *crl;
-X509V3_CONF_METHOD *db_meth;
-void *db;
-/* Maybe more here */
-};
-
-typedef struct v3_ext_method X509V3_EXT_METHOD;
-
-DECLARE_STACK_OF(X509V3_EXT_METHOD)
-
-/* ext_flags values */
-#define X509V3_EXT_DYNAMIC	0x1
-#define X509V3_EXT_CTX_DEP	0x2
-#define X509V3_EXT_MULTILINE	0x4
-
-typedef BIT_STRING_BITNAME ENUMERATED_NAMES;
-
-typedef struct BASIC_CONSTRAINTS_st {
-int ca;
-ASN1_INTEGER *pathlen;
-} BASIC_CONSTRAINTS;
-
-
-typedef struct PKEY_USAGE_PERIOD_st {
-ASN1_GENERALIZEDTIME *notBefore;
-ASN1_GENERALIZEDTIME *notAfter;
-} PKEY_USAGE_PERIOD;
-
-typedef struct otherName_st {
-ASN1_OBJECT *type_id;
-ASN1_TYPE *value;
-} OTHERNAME;
-
-typedef struct EDIPartyName_st {
-	ASN1_STRING *nameAssigner;
-	ASN1_STRING *partyName;
-} EDIPARTYNAME;
-
-typedef struct GENERAL_NAME_st {
-
-#define GEN_OTHERNAME	0
-#define GEN_EMAIL	1
-#define GEN_DNS		2
-#define GEN_X400	3
-#define GEN_DIRNAME	4
-#define GEN_EDIPARTY	5
-#define GEN_URI		6
-#define GEN_IPADD	7
-#define GEN_RID		8
-
-int type;
-union {
-	char *ptr;
-	OTHERNAME *otherName; /* otherName */
-	ASN1_IA5STRING *rfc822Name;
-	ASN1_IA5STRING *dNSName;
-	ASN1_TYPE *x400Address;
-	X509_NAME *directoryName;
-	EDIPARTYNAME *ediPartyName;
-	ASN1_IA5STRING *uniformResourceIdentifier;
-	ASN1_OCTET_STRING *iPAddress;
-	ASN1_OBJECT *registeredID;
-
-	/* Old names */
-	ASN1_OCTET_STRING *ip; /* iPAddress */
-	X509_NAME *dirn;		/* dirn */
-	ASN1_IA5STRING *ia5;/* rfc822Name, dNSName, uniformResourceIdentifier */
-	ASN1_OBJECT *rid; /* registeredID */
-	ASN1_TYPE *other; /* x400Address */
-} d;
-} GENERAL_NAME;
-
-typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
-
-typedef struct ACCESS_DESCRIPTION_st {
-	ASN1_OBJECT *method;
-	GENERAL_NAME *location;
-} ACCESS_DESCRIPTION;
-
-typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
-
-typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
-
-DECLARE_STACK_OF(GENERAL_NAME)
-
-DECLARE_STACK_OF(ACCESS_DESCRIPTION)
-
-typedef struct DIST_POINT_NAME_st {
-int type;
-union {
-	GENERAL_NAMES *fullname;
-	STACK_OF(X509_NAME_ENTRY) *relativename;
-} name;
-/* If relativename then this contains the full distribution point name */
-X509_NAME *dpname;
-} DIST_POINT_NAME;
-/* All existing reasons */
-#define CRLDP_ALL_REASONS	0x807f
-
-#define CRL_REASON_NONE				-1
-#define CRL_REASON_UNSPECIFIED			0
-#define CRL_REASON_KEY_COMPROMISE		1
-#define CRL_REASON_CA_COMPROMISE		2
-#define CRL_REASON_AFFILIATION_CHANGED		3
-#define CRL_REASON_SUPERSEDED			4
-#define CRL_REASON_CESSATION_OF_OPERATION	5
-#define CRL_REASON_CERTIFICATE_HOLD		6
-#define CRL_REASON_REMOVE_FROM_CRL		8
-#define CRL_REASON_PRIVILEGE_WITHDRAWN		9
-#define CRL_REASON_AA_COMPROMISE		10
-
-struct DIST_POINT_st {
-DIST_POINT_NAME	*distpoint;
-ASN1_BIT_STRING *reasons;
-GENERAL_NAMES *CRLissuer;
-int dp_reasons;
-};
-
-typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
-
-DECLARE_STACK_OF(DIST_POINT)
-
-struct AUTHORITY_KEYID_st {
-ASN1_OCTET_STRING *keyid;
-GENERAL_NAMES *issuer;
-ASN1_INTEGER *serial;
-};
-
-/* Strong extranet structures */
-
-typedef struct SXNET_ID_st {
-	ASN1_INTEGER *zone;
-	ASN1_OCTET_STRING *user;
-} SXNETID;
-
-DECLARE_STACK_OF(SXNETID)
-
-typedef struct SXNET_st {
-	ASN1_INTEGER *version;
-	STACK_OF(SXNETID) *ids;
-} SXNET;
-
-typedef struct NOTICEREF_st {
-	ASN1_STRING *organization;
-	STACK_OF(ASN1_INTEGER) *noticenos;
-} NOTICEREF;
-
-typedef struct USERNOTICE_st {
-	NOTICEREF *noticeref;
-	ASN1_STRING *exptext;
-} USERNOTICE;
-
-typedef struct POLICYQUALINFO_st {
-	ASN1_OBJECT *pqualid;
-	union {
-		ASN1_IA5STRING *cpsuri;
-		USERNOTICE *usernotice;
-		ASN1_TYPE *other;
-	} d;
-} POLICYQUALINFO;
-
-DECLARE_STACK_OF(POLICYQUALINFO)
-
-typedef struct POLICYINFO_st {
-	ASN1_OBJECT *policyid;
-	STACK_OF(POLICYQUALINFO) *qualifiers;
-} POLICYINFO;
-
-typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
-
-DECLARE_STACK_OF(POLICYINFO)
-
-typedef struct POLICY_MAPPING_st {
-	ASN1_OBJECT *issuerDomainPolicy;
-	ASN1_OBJECT *subjectDomainPolicy;
-} POLICY_MAPPING;
-
-DECLARE_STACK_OF(POLICY_MAPPING)
-
-typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
-
-typedef struct GENERAL_SUBTREE_st {
-	GENERAL_NAME *base;
-	ASN1_INTEGER *minimum;
-	ASN1_INTEGER *maximum;
-} GENERAL_SUBTREE;
-
-DECLARE_STACK_OF(GENERAL_SUBTREE)
-
-struct NAME_CONSTRAINTS_st {
-	STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
-	STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
-};
-
-typedef struct POLICY_CONSTRAINTS_st {
-	ASN1_INTEGER *requireExplicitPolicy;
-	ASN1_INTEGER *inhibitPolicyMapping;
-} POLICY_CONSTRAINTS;
-
-/* Proxy certificate structures, see RFC 3820 */
-typedef struct PROXY_POLICY_st
-	{
-	ASN1_OBJECT *policyLanguage;
-	ASN1_OCTET_STRING *policy;
-	} PROXY_POLICY;
-
-typedef struct PROXY_CERT_INFO_EXTENSION_st
-	{
-	ASN1_INTEGER *pcPathLengthConstraint;
-	PROXY_POLICY *proxyPolicy;
-	} PROXY_CERT_INFO_EXTENSION;
-
-PROXY_POLICY *PROXY_POLICY_new(void);
-void PROXY_POLICY_free(PROXY_POLICY *a);
-PROXY_POLICY *d2i_PROXY_POLICY(PROXY_POLICY **a, const unsigned char **in, long len);
-int i2d_PROXY_POLICY(PROXY_POLICY *a, unsigned char **out);
-extern const ASN1_ITEM PROXY_POLICY_it;
-PROXY_CERT_INFO_EXTENSION *PROXY_CERT_INFO_EXTENSION_new(void);
-void PROXY_CERT_INFO_EXTENSION_free(PROXY_CERT_INFO_EXTENSION *a);
-PROXY_CERT_INFO_EXTENSION *d2i_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION **a, const unsigned char **in, long len);
-int i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION *a, unsigned char **out);
-extern const ASN1_ITEM PROXY_CERT_INFO_EXTENSION_it;
-
-struct ISSUING_DIST_POINT_st
-	{
-	DIST_POINT_NAME *distpoint;
-	int onlyuser;
-	int onlyCA;
-	ASN1_BIT_STRING *onlysomereasons;
-	int indirectCRL;
-	int onlyattr;
-	};
-
-/* Values in idp_flags field */
-/* IDP present */
-#define	IDP_PRESENT	0x1
-/* IDP values inconsistent */
-#define IDP_INVALID	0x2
-/* onlyuser true */
-#define	IDP_ONLYUSER	0x4
-/* onlyCA true */
-#define	IDP_ONLYCA	0x8
-/* onlyattr true */
-#define IDP_ONLYATTR	0x10
-/* indirectCRL true */
-#define IDP_INDIRECT	0x20
-/* onlysomereasons present */
-#define IDP_REASONS	0x40
-
-#define X509V3_conf_err(val) ERR_asprintf_error_data( \
-			"section:%s,name:%s,value:%s", val->section, \
-			val->name, val->value);
-
-#define X509V3_set_ctx_test(ctx) \
-			X509V3_set_ctx(ctx, NULL, NULL, NULL, NULL, CTX_TEST)
-#define X509V3_set_ctx_nodb(ctx) (ctx)->db = NULL;
-
-#define EXT_BITSTRING(nid, table) { nid, 0, &ASN1_BIT_STRING_it, \
-			0,0,0,0, \
-			0,0, \
-			(X509V3_EXT_I2V)i2v_ASN1_BIT_STRING, \
-			(X509V3_EXT_V2I)v2i_ASN1_BIT_STRING, \
-			NULL, NULL, \
-			table}
-
-#define EXT_IA5STRING(nid) { nid, 0, &ASN1_IA5STRING_it, \
-			0,0,0,0, \
-			(X509V3_EXT_I2S)i2s_ASN1_IA5STRING, \
-			(X509V3_EXT_S2I)s2i_ASN1_IA5STRING, \
-			0,0,0,0, \
-			NULL}
-
-#define EXT_END { -1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
-
-
-/* X509_PURPOSE stuff */
-
-#define EXFLAG_BCONS		0x0001
-#define EXFLAG_KUSAGE		0x0002
-#define EXFLAG_XKUSAGE		0x0004
-#define EXFLAG_NSCERT		0x0008
-
-#define EXFLAG_CA		0x0010
-#define EXFLAG_SI		0x0020  /* Self issued. */
-#define EXFLAG_V1		0x0040
-#define EXFLAG_INVALID		0x0080
-#define EXFLAG_SET		0x0100
-#define EXFLAG_CRITICAL		0x0200
-#define EXFLAG_PROXY		0x0400
-#define EXFLAG_INVALID_POLICY	0x0800
-#define EXFLAG_FRESHEST		0x1000
-#define EXFLAG_SS               0x2000	/* Self signed. */
-
-#define KU_DIGITAL_SIGNATURE	0x0080
-#define KU_NON_REPUDIATION	0x0040
-#define KU_KEY_ENCIPHERMENT	0x0020
-#define KU_DATA_ENCIPHERMENT	0x0010
-#define KU_KEY_AGREEMENT	0x0008
-#define KU_KEY_CERT_SIGN	0x0004
-#define KU_CRL_SIGN		0x0002
-#define KU_ENCIPHER_ONLY	0x0001
-#define KU_DECIPHER_ONLY	0x8000
-
-#define NS_SSL_CLIENT		0x80
-#define NS_SSL_SERVER		0x40
-#define NS_SMIME		0x20
-#define NS_OBJSIGN		0x10
-#define NS_SSL_CA		0x04
-#define NS_SMIME_CA		0x02
-#define NS_OBJSIGN_CA		0x01
-#define NS_ANY_CA		(NS_SSL_CA|NS_SMIME_CA|NS_OBJSIGN_CA)
-
-#define XKU_SSL_SERVER		0x1	
-#define XKU_SSL_CLIENT		0x2
-#define XKU_SMIME		0x4
-#define XKU_CODE_SIGN		0x8
-#define XKU_SGC			0x10
-#define XKU_OCSP_SIGN		0x20
-#define XKU_TIMESTAMP		0x40
-#define XKU_DVCS		0x80
-
-#define X509_PURPOSE_DYNAMIC	0x1
-#define X509_PURPOSE_DYNAMIC_NAME	0x2
-
-typedef struct x509_purpose_st {
-	int purpose;
-	int trust;		/* Default trust ID */
-	int flags;
-	int (*check_purpose)(const struct x509_purpose_st *,
-				const X509 *, int);
-	char *name;
-	char *sname;
-	void *usr_data;
-} X509_PURPOSE;
-
-#define X509_PURPOSE_SSL_CLIENT		1
-#define X509_PURPOSE_SSL_SERVER		2
-#define X509_PURPOSE_NS_SSL_SERVER	3
-#define X509_PURPOSE_SMIME_SIGN		4
-#define X509_PURPOSE_SMIME_ENCRYPT	5
-#define X509_PURPOSE_CRL_SIGN		6
-#define X509_PURPOSE_ANY		7
-#define X509_PURPOSE_OCSP_HELPER	8
-#define X509_PURPOSE_TIMESTAMP_SIGN	9
-
-#define X509_PURPOSE_MIN		1
-#define X509_PURPOSE_MAX		9
-
-/* Flags for X509V3_EXT_print() */
-
-#define X509V3_EXT_UNKNOWN_MASK		(0xfL << 16)
-/* Return error for unknown extensions */
-#define X509V3_EXT_DEFAULT		0
-/* Print error for unknown extensions */
-#define X509V3_EXT_ERROR_UNKNOWN	(1L << 16)
-/* ASN1 parse unknown extensions */
-#define X509V3_EXT_PARSE_UNKNOWN	(2L << 16)
-/* BIO_dump unknown extensions */
-#define X509V3_EXT_DUMP_UNKNOWN		(3L << 16)
-
-/* Flags for X509V3_add1_i2d */
-
-#define X509V3_ADD_OP_MASK		0xfL
-#define X509V3_ADD_DEFAULT		0L
-#define X509V3_ADD_APPEND		1L
-#define X509V3_ADD_REPLACE		2L
-#define X509V3_ADD_REPLACE_EXISTING	3L
-#define X509V3_ADD_KEEP_EXISTING	4L
-#define X509V3_ADD_DELETE		5L
-#define X509V3_ADD_SILENT		0x10
-
-DECLARE_STACK_OF(X509_PURPOSE)
-
-BASIC_CONSTRAINTS *BASIC_CONSTRAINTS_new(void);
-void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a);
-BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a, const unsigned char **in, long len);
-int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **out);
-extern const ASN1_ITEM BASIC_CONSTRAINTS_it;
-
-SXNET *SXNET_new(void);
-void SXNET_free(SXNET *a);
-SXNET *d2i_SXNET(SXNET **a, const unsigned char **in, long len);
-int i2d_SXNET(SXNET *a, unsigned char **out);
-extern const ASN1_ITEM SXNET_it;
-SXNETID *SXNETID_new(void);
-void SXNETID_free(SXNETID *a);
-SXNETID *d2i_SXNETID(SXNETID **a, const unsigned char **in, long len);
-int i2d_SXNETID(SXNETID *a, unsigned char **out);
-extern const ASN1_ITEM SXNETID_it;
-
-int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user,
-    int userlen); 
-int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user,
-    int userlen); 
-int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, const char *user,
-    int userlen); 
-
-ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, const char *zone);
-ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
-ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
-
-AUTHORITY_KEYID *AUTHORITY_KEYID_new(void);
-void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a);
-AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, const unsigned char **in, long len);
-int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **out);
-extern const ASN1_ITEM AUTHORITY_KEYID_it;
-
-PKEY_USAGE_PERIOD *PKEY_USAGE_PERIOD_new(void);
-void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a);
-PKEY_USAGE_PERIOD *d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a, const unsigned char **in, long len);
-int i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **out);
-extern const ASN1_ITEM PKEY_USAGE_PERIOD_it;
-
-GENERAL_NAME *GENERAL_NAME_new(void);
-void GENERAL_NAME_free(GENERAL_NAME *a);
-GENERAL_NAME *d2i_GENERAL_NAME(GENERAL_NAME **a, const unsigned char **in, long len);
-int i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **out);
-extern const ASN1_ITEM GENERAL_NAME_it;
-GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
-int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
-
-
-
-ASN1_BIT_STRING *v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
-				X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-STACK_OF(CONF_VALUE) *i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method,
-				ASN1_BIT_STRING *bits,
-				STACK_OF(CONF_VALUE) *extlist);
-
-STACK_OF(CONF_VALUE) *i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret);
-int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen);
-
-GENERAL_NAMES *GENERAL_NAMES_new(void);
-void GENERAL_NAMES_free(GENERAL_NAMES *a);
-GENERAL_NAMES *d2i_GENERAL_NAMES(GENERAL_NAMES **a, const unsigned char **in, long len);
-int i2d_GENERAL_NAMES(GENERAL_NAMES *a, unsigned char **out);
-extern const ASN1_ITEM GENERAL_NAMES_it;
-
-STACK_OF(CONF_VALUE) *i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method,
-		GENERAL_NAMES *gen, STACK_OF(CONF_VALUE) *extlist);
-GENERAL_NAMES *v2i_GENERAL_NAMES(const X509V3_EXT_METHOD *method,
-				 X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
-
-OTHERNAME *OTHERNAME_new(void);
-void OTHERNAME_free(OTHERNAME *a);
-OTHERNAME *d2i_OTHERNAME(OTHERNAME **a, const unsigned char **in, long len);
-int i2d_OTHERNAME(OTHERNAME *a, unsigned char **out);
-extern const ASN1_ITEM OTHERNAME_it;
-EDIPARTYNAME *EDIPARTYNAME_new(void);
-void EDIPARTYNAME_free(EDIPARTYNAME *a);
-EDIPARTYNAME *d2i_EDIPARTYNAME(EDIPARTYNAME **a, const unsigned char **in, long len);
-int i2d_EDIPARTYNAME(EDIPARTYNAME *a, unsigned char **out);
-extern const ASN1_ITEM EDIPARTYNAME_it;
-int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
-void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
-void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype);
-int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
-				ASN1_OBJECT *oid, ASN1_TYPE *value);
-int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, 
-				ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
-
-char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
-    const ASN1_OCTET_STRING *ia5);
-ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method,
-    X509V3_CTX *ctx, const char *str);
-
-EXTENDED_KEY_USAGE *EXTENDED_KEY_USAGE_new(void);
-void EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *a);
-EXTENDED_KEY_USAGE *d2i_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE **a, const unsigned char **in, long len);
-int i2d_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE *a, unsigned char **out);
-extern const ASN1_ITEM EXTENDED_KEY_USAGE_it;
-int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION* a);
-
-CERTIFICATEPOLICIES *CERTIFICATEPOLICIES_new(void);
-void CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *a);
-CERTIFICATEPOLICIES *d2i_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES **a, const unsigned char **in, long len);
-int i2d_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES *a, unsigned char **out);
-extern const ASN1_ITEM CERTIFICATEPOLICIES_it;
-POLICYINFO *POLICYINFO_new(void);
-void POLICYINFO_free(POLICYINFO *a);
-POLICYINFO *d2i_POLICYINFO(POLICYINFO **a, const unsigned char **in, long len);
-int i2d_POLICYINFO(POLICYINFO *a, unsigned char **out);
-extern const ASN1_ITEM POLICYINFO_it;
-POLICYQUALINFO *POLICYQUALINFO_new(void);
-void POLICYQUALINFO_free(POLICYQUALINFO *a);
-POLICYQUALINFO *d2i_POLICYQUALINFO(POLICYQUALINFO **a, const unsigned char **in, long len);
-int i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **out);
-extern const ASN1_ITEM POLICYQUALINFO_it;
-USERNOTICE *USERNOTICE_new(void);
-void USERNOTICE_free(USERNOTICE *a);
-USERNOTICE *d2i_USERNOTICE(USERNOTICE **a, const unsigned char **in, long len);
-int i2d_USERNOTICE(USERNOTICE *a, unsigned char **out);
-extern const ASN1_ITEM USERNOTICE_it;
-NOTICEREF *NOTICEREF_new(void);
-void NOTICEREF_free(NOTICEREF *a);
-NOTICEREF *d2i_NOTICEREF(NOTICEREF **a, const unsigned char **in, long len);
-int i2d_NOTICEREF(NOTICEREF *a, unsigned char **out);
-extern const ASN1_ITEM NOTICEREF_it;
-
-CRL_DIST_POINTS *CRL_DIST_POINTS_new(void);
-void CRL_DIST_POINTS_free(CRL_DIST_POINTS *a);
-CRL_DIST_POINTS *d2i_CRL_DIST_POINTS(CRL_DIST_POINTS **a, const unsigned char **in, long len);
-int i2d_CRL_DIST_POINTS(CRL_DIST_POINTS *a, unsigned char **out);
-extern const ASN1_ITEM CRL_DIST_POINTS_it;
-DIST_POINT *DIST_POINT_new(void);
-void DIST_POINT_free(DIST_POINT *a);
-DIST_POINT *d2i_DIST_POINT(DIST_POINT **a, const unsigned char **in, long len);
-int i2d_DIST_POINT(DIST_POINT *a, unsigned char **out);
-extern const ASN1_ITEM DIST_POINT_it;
-DIST_POINT_NAME *DIST_POINT_NAME_new(void);
-void DIST_POINT_NAME_free(DIST_POINT_NAME *a);
-DIST_POINT_NAME *d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, const unsigned char **in, long len);
-int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **out);
-extern const ASN1_ITEM DIST_POINT_NAME_it;
-ISSUING_DIST_POINT *ISSUING_DIST_POINT_new(void);
-void ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *a);
-ISSUING_DIST_POINT *d2i_ISSUING_DIST_POINT(ISSUING_DIST_POINT **a, const unsigned char **in, long len);
-int i2d_ISSUING_DIST_POINT(ISSUING_DIST_POINT *a, unsigned char **out);
-extern const ASN1_ITEM ISSUING_DIST_POINT_it;
-
-int DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname);
-
-int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc);
-
-ACCESS_DESCRIPTION *ACCESS_DESCRIPTION_new(void);
-void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a);
-ACCESS_DESCRIPTION *d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, const unsigned char **in, long len);
-int i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **out);
-extern const ASN1_ITEM ACCESS_DESCRIPTION_it;
-AUTHORITY_INFO_ACCESS *AUTHORITY_INFO_ACCESS_new(void);
-void AUTHORITY_INFO_ACCESS_free(AUTHORITY_INFO_ACCESS *a);
-AUTHORITY_INFO_ACCESS *d2i_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS **a, const unsigned char **in, long len);
-int i2d_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS *a, unsigned char **out);
-extern const ASN1_ITEM AUTHORITY_INFO_ACCESS_it;
-
-extern const ASN1_ITEM POLICY_MAPPING_it;
-POLICY_MAPPING *POLICY_MAPPING_new(void);
-void POLICY_MAPPING_free(POLICY_MAPPING *a);
-extern const ASN1_ITEM POLICY_MAPPINGS_it;
-
-extern const ASN1_ITEM GENERAL_SUBTREE_it;
-GENERAL_SUBTREE *GENERAL_SUBTREE_new(void);
-void GENERAL_SUBTREE_free(GENERAL_SUBTREE *a);
-
-extern const ASN1_ITEM NAME_CONSTRAINTS_it;
-NAME_CONSTRAINTS *NAME_CONSTRAINTS_new(void);
-void NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *a);
-
-POLICY_CONSTRAINTS *POLICY_CONSTRAINTS_new(void);
-void POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *a);
-extern const ASN1_ITEM POLICY_CONSTRAINTS_it;
-
-GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out,
-			       const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-			       int gen_type, const char *value, int is_nc);
-
-#ifdef HEADER_CONF_H
-GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
-			       CONF_VALUE *cnf);
-GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out,
-				  const X509V3_EXT_METHOD *method,
-				  X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc);
-void X509V3_conf_free(CONF_VALUE *val);
-
-X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
-    const char *value);
-X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name,
-    const char *value);
-int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section,
-    STACK_OF(X509_EXTENSION) **sk);
-int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
-    X509 *cert);
-int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
-    X509_REQ *req);
-int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section,
-    X509_CRL *crl);
-
-X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-    int ext_nid, const char *value);
-X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-    const char *name, const char *value);
-int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-    const char *section, X509 *cert);
-int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-    const char *section, X509_REQ *req);
-int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx,
-    const char *section, X509_CRL *crl);
-
-int X509V3_add_value_bool_nf(const char *name, int asn1_bool,
-			     STACK_OF(CONF_VALUE) **extlist);
-int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool);
-int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint);
-void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf);
-void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash);
-#endif
-
-char *X509V3_get_string(X509V3_CTX *ctx, const char *name,
-    const char *section);
-STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section);
-void X509V3_string_free(X509V3_CTX *ctx, char *str);
-void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section);
-void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject,
-				 X509_REQ *req, X509_CRL *crl, int flags);
-
-int X509V3_add_value(const char *name, const char *value,
-						STACK_OF(CONF_VALUE) **extlist);
-int X509V3_add_value_uchar(const char *name, const unsigned char *value,
-						STACK_OF(CONF_VALUE) **extlist);
-int X509V3_add_value_bool(const char *name, int asn1_bool,
-						STACK_OF(CONF_VALUE) **extlist);
-int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint,
-						STACK_OF(CONF_VALUE) **extlist);
-char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const ASN1_INTEGER *aint);
-ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const char *value);
-char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, const ASN1_ENUMERATED *aint);
-char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth,
-    const ASN1_ENUMERATED *aint);
-int X509V3_EXT_add(X509V3_EXT_METHOD *ext);
-int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
-int X509V3_EXT_add_alias(int nid_to, int nid_from);
-void X509V3_EXT_cleanup(void);
-
-const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
-const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
-int X509V3_add_standard_extensions(void);
-STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
-void *X509V3_EXT_d2i(X509_EXTENSION *ext);
-void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
-    int *idx);
-
-
-X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);
-int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, int crit, unsigned long flags);
-
-char *hex_to_string(const unsigned char *buffer, long len);
-unsigned char *string_to_hex(const char *str, long *len);
-int name_cmp(const char *name, const char *cmp);
-
-void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
-								 int ml);
-int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent);
-int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
-
-int X509V3_extensions_print(BIO *out, const char *title,
-    const STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent);
-
-int X509_check_ca(X509 *x);
-int X509_check_purpose(X509 *x, int id, int ca);
-int X509_supported_extension(X509_EXTENSION *ex);
-int X509_PURPOSE_set(int *p, int purpose);
-int X509_check_issued(X509 *issuer, X509 *subject);
-int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid);
-int X509_PURPOSE_get_count(void);
-X509_PURPOSE * X509_PURPOSE_get0(int idx);
-int X509_PURPOSE_get_by_sname(const char *sname);
-int X509_PURPOSE_get_by_id(int id);
-int X509_PURPOSE_add(int id, int trust, int flags,
-			int (*ck)(const X509_PURPOSE *, const X509 *, int),
-			const char *name, const char *sname, void *arg);
-char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
-char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
-int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
-void X509_PURPOSE_cleanup(void);
-int X509_PURPOSE_get_id(const X509_PURPOSE *);
-
-STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
-STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);
-void X509_email_free(STACK_OF(OPENSSL_STRING) *sk);
-STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x);
-
-/* Flags for X509_check_* functions */
-/* Always check subject name for host match even if subject alt names present */
-#define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT	0x1
-/* Disable wildcard matching for dnsName fields and common name. */
-#define X509_CHECK_FLAG_NO_WILDCARDS	0x2
-/* Wildcards must not match a partial label. */
-#define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0x4
-/* Allow (non-partial) wildcards to match multiple labels. */
-#define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8
-/* Constraint verifier subdomain patterns to match a single labels. */
-#define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10
-
-/*
- * Match reference identifiers starting with "." to any sub-domain.
- * This is a non-public flag, turned on implicitly when the subject
- * reference identity is a DNS name.
- */
-#define _X509_CHECK_FLAG_DOT_SUBDOMAINS 0x8000
-
-int X509_check_host(X509 *x, const char *chk, size_t chklen,
-    unsigned int flags, char **peername);
-int X509_check_email(X509 *x, const char *chk, size_t chklen,
-    unsigned int flags);
-int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen,
-    unsigned int flags);
-int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags);
-
-ASN1_OCTET_STRING *a2i_IPADDRESS(const char *ipasc);
-ASN1_OCTET_STRING *a2i_IPADDRESS_NC(const char *ipasc);
-int a2i_ipadd(unsigned char *ipout, const char *ipasc);
-int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk,
-						unsigned long chtype);
-
-void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
-DECLARE_STACK_OF(X509_POLICY_NODE)
-
-
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
-void ERR_load_X509V3_strings(void);
-
-/* Error codes for the X509V3 functions. */
-
-/* Function codes. */
-#define X509V3_F_A2I_GENERAL_NAME			 164
-#define X509V3_F_ASIDENTIFIERCHOICE_CANONIZE		 161
-#define X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL	 162
-#define X509V3_F_COPY_EMAIL				 122
-#define X509V3_F_COPY_ISSUER				 123
-#define X509V3_F_DO_DIRNAME				 144
-#define X509V3_F_DO_EXT_CONF				 124
-#define X509V3_F_DO_EXT_I2D				 135
-#define X509V3_F_DO_EXT_NCONF				 151
-#define X509V3_F_DO_I2V_NAME_CONSTRAINTS		 148
-#define X509V3_F_GNAMES_FROM_SECTNAME			 156
-#define X509V3_F_HEX_TO_STRING				 111
-#define X509V3_F_I2S_ASN1_ENUMERATED			 121
-#define X509V3_F_I2S_ASN1_IA5STRING			 149
-#define X509V3_F_I2S_ASN1_INTEGER			 120
-#define X509V3_F_I2V_AUTHORITY_INFO_ACCESS		 138
-#define X509V3_F_NOTICE_SECTION				 132
-#define X509V3_F_NREF_NOS				 133
-#define X509V3_F_POLICY_SECTION				 131
-#define X509V3_F_PROCESS_PCI_VALUE			 150
-#define X509V3_F_R2I_CERTPOL				 130
-#define X509V3_F_R2I_PCI				 155
-#define X509V3_F_S2I_ASN1_IA5STRING			 100
-#define X509V3_F_S2I_ASN1_INTEGER			 108
-#define X509V3_F_S2I_ASN1_OCTET_STRING			 112
-#define X509V3_F_S2I_ASN1_SKEY_ID			 114
-#define X509V3_F_S2I_SKEY_ID				 115
-#define X509V3_F_SET_DIST_POINT_NAME			 158
-#define X509V3_F_STRING_TO_HEX				 113
-#define X509V3_F_SXNET_ADD_ID_ASC			 125
-#define X509V3_F_SXNET_ADD_ID_INTEGER			 126
-#define X509V3_F_SXNET_ADD_ID_ULONG			 127
-#define X509V3_F_SXNET_GET_ID_ASC			 128
-#define X509V3_F_SXNET_GET_ID_ULONG			 129
-#define X509V3_F_V2I_ASIDENTIFIERS			 163
-#define X509V3_F_V2I_ASN1_BIT_STRING			 101
-#define X509V3_F_V2I_AUTHORITY_INFO_ACCESS		 139
-#define X509V3_F_V2I_AUTHORITY_KEYID			 119
-#define X509V3_F_V2I_BASIC_CONSTRAINTS			 102
-#define X509V3_F_V2I_CRLD				 134
-#define X509V3_F_V2I_EXTENDED_KEY_USAGE			 103
-#define X509V3_F_V2I_GENERAL_NAMES			 118
-#define X509V3_F_V2I_GENERAL_NAME_EX			 117
-#define X509V3_F_V2I_IDP				 157
-#define X509V3_F_V2I_IPADDRBLOCKS			 159
-#define X509V3_F_V2I_ISSUER_ALT				 153
-#define X509V3_F_V2I_NAME_CONSTRAINTS			 147
-#define X509V3_F_V2I_POLICY_CONSTRAINTS			 146
-#define X509V3_F_V2I_POLICY_MAPPINGS			 145
-#define X509V3_F_V2I_SUBJECT_ALT			 154
-#define X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL		 160
-#define X509V3_F_V3_GENERIC_EXTENSION			 116
-#define X509V3_F_X509V3_ADD1_I2D			 140
-#define X509V3_F_X509V3_ADD_VALUE			 105
-#define X509V3_F_X509V3_EXT_ADD				 104
-#define X509V3_F_X509V3_EXT_ADD_ALIAS			 106
-#define X509V3_F_X509V3_EXT_CONF			 107
-#define X509V3_F_X509V3_EXT_I2D				 136
-#define X509V3_F_X509V3_EXT_NCONF			 152
-#define X509V3_F_X509V3_GET_SECTION			 142
-#define X509V3_F_X509V3_GET_STRING			 143
-#define X509V3_F_X509V3_GET_VALUE_BOOL			 110
-#define X509V3_F_X509V3_PARSE_LIST			 109
-#define X509V3_F_X509_PURPOSE_ADD			 137
-#define X509V3_F_X509_PURPOSE_SET			 141
-
-/* Reason codes. */
-#define X509V3_R_BAD_IP_ADDRESS				 118
-#define X509V3_R_BAD_OBJECT				 119
-#define X509V3_R_BN_DEC2BN_ERROR			 100
-#define X509V3_R_BN_TO_ASN1_INTEGER_ERROR		 101
-#define X509V3_R_DIRNAME_ERROR				 149
-#define X509V3_R_DISTPOINT_ALREADY_SET			 160
-#define X509V3_R_DUPLICATE_ZONE_ID			 133
-#define X509V3_R_ERROR_CONVERTING_ZONE			 131
-#define X509V3_R_ERROR_CREATING_EXTENSION		 144
-#define X509V3_R_ERROR_IN_EXTENSION			 128
-#define X509V3_R_EXPECTED_A_SECTION_NAME		 137
-#define X509V3_R_EXTENSION_EXISTS			 145
-#define X509V3_R_EXTENSION_NAME_ERROR			 115
-#define X509V3_R_EXTENSION_NOT_FOUND			 102
-#define X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED	 103
-#define X509V3_R_EXTENSION_VALUE_ERROR			 116
-#define X509V3_R_ILLEGAL_EMPTY_EXTENSION		 151
-#define X509V3_R_ILLEGAL_HEX_DIGIT			 113
-#define X509V3_R_INCORRECT_POLICY_SYNTAX_TAG		 152
-#define X509V3_R_INVALID_MULTIPLE_RDNS			 161
-#define X509V3_R_INVALID_ASNUMBER			 162
-#define X509V3_R_INVALID_ASRANGE			 163
-#define X509V3_R_INVALID_BOOLEAN_STRING			 104
-#define X509V3_R_INVALID_EXTENSION_STRING		 105
-#define X509V3_R_INVALID_INHERITANCE			 165
-#define X509V3_R_INVALID_IPADDRESS			 166
-#define X509V3_R_INVALID_NAME				 106
-#define X509V3_R_INVALID_NULL_ARGUMENT			 107
-#define X509V3_R_INVALID_NULL_NAME			 108
-#define X509V3_R_INVALID_NULL_VALUE			 109
-#define X509V3_R_INVALID_NUMBER				 140
-#define X509V3_R_INVALID_NUMBERS			 141
-#define X509V3_R_INVALID_OBJECT_IDENTIFIER		 110
-#define X509V3_R_INVALID_OPTION				 138
-#define X509V3_R_INVALID_POLICY_IDENTIFIER		 134
-#define X509V3_R_INVALID_PROXY_POLICY_SETTING		 153
-#define X509V3_R_INVALID_PURPOSE			 146
-#define X509V3_R_INVALID_SAFI				 164
-#define X509V3_R_INVALID_SECTION			 135
-#define X509V3_R_INVALID_SYNTAX				 143
-#define X509V3_R_ISSUER_DECODE_ERROR			 126
-#define X509V3_R_MISSING_VALUE				 124
-#define X509V3_R_NEED_ORGANIZATION_AND_NUMBERS		 142
-#define X509V3_R_NO_CONFIG_DATABASE			 136
-#define X509V3_R_NO_ISSUER_CERTIFICATE			 121
-#define X509V3_R_NO_ISSUER_DETAILS			 127
-#define X509V3_R_NO_POLICY_IDENTIFIER			 139
-#define X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED	 154
-#define X509V3_R_NO_PUBLIC_KEY				 114
-#define X509V3_R_NO_SUBJECT_DETAILS			 125
-#define X509V3_R_ODD_NUMBER_OF_DIGITS			 112
-#define X509V3_R_OPERATION_NOT_DEFINED			 148
-#define X509V3_R_OTHERNAME_ERROR			 147
-#define X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED	 155
-#define X509V3_R_POLICY_PATH_LENGTH			 156
-#define X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED	 157
-#define X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED	 158
-#define X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY 159
-#define X509V3_R_SECTION_NOT_FOUND			 150
-#define X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS		 122
-#define X509V3_R_UNABLE_TO_GET_ISSUER_KEYID		 123
-#define X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT		 111
-#define X509V3_R_UNKNOWN_EXTENSION			 129
-#define X509V3_R_UNKNOWN_EXTENSION_NAME			 130
-#define X509V3_R_UNKNOWN_OPTION				 120
-#define X509V3_R_UNSUPPORTED_OPTION			 117
-#define X509V3_R_UNSUPPORTED_TYPE			 167
-#define X509V3_R_USER_TOO_LONG				 132
-
-#ifdef  __cplusplus
-}
-#endif
-#endif
-- 
cgit v1.2.3-55-g6feb