authorTheo Buehler <tb@cvs.openbsd.org>2021-11-01 20:53:09 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2021-11-01 20:53:09 +0000
commit4826bb143de0d29c57e632181b3770ecc6e302ba (patch)
tree572ac3adfa0b088284a27ecdf7de18447092c183 /lib
parentdfb8774a73a47b76cbd387eea5780f68c84008c6 (diff)
Move the now internal X.509-related structs into x509_lcl.h.
Garbage collect the now unused LIBRESSL_CRYPTO_INTERNAL and LIBRESSL_OPAQUE_X509. Include "x509_lcl.h" where needed and fix a couple of unnecessary reacharounds. ok jsing
Diffstat (limited to 'lib')
-rw-r--r--lib/libcrypto/Makefile6
-rw-r--r--lib/libcrypto/asn1/a_strex.c6
-rw-r--r--lib/libcrypto/asn1/n_pkey.c4
-rw-r--r--lib/libcrypto/asn1/p8_pkey.c4
-rw-r--r--lib/libcrypto/asn1/t_crl.c4
-rw-r--r--lib/libcrypto/asn1/t_req.c4
-rw-r--r--lib/libcrypto/asn1/t_spki.c4
-rw-r--r--lib/libcrypto/asn1/t_x509.c3
-rw-r--r--lib/libcrypto/asn1/t_x509a.c7
-rw-r--r--lib/libcrypto/asn1/x_attrib.c4
-rw-r--r--lib/libcrypto/asn1/x_crl.c3
-rw-r--r--lib/libcrypto/asn1/x_exten.c4
-rw-r--r--lib/libcrypto/asn1/x_name.c3
-rw-r--r--lib/libcrypto/asn1/x_pubkey.c3
-rw-r--r--lib/libcrypto/asn1/x_req.c4
-rw-r--r--lib/libcrypto/asn1/x_sig.c4
-rw-r--r--lib/libcrypto/asn1/x_x509.c4
-rw-r--r--lib/libcrypto/asn1/x_x509a.c4
-rw-r--r--lib/libcrypto/cms/cms_lib.c5
-rw-r--r--lib/libcrypto/ocsp/ocsp_cl.c4
-rw-r--r--lib/libcrypto/ocsp/ocsp_ext.c4
-rw-r--r--lib/libcrypto/ocsp/ocsp_srv.c4
-rw-r--r--lib/libcrypto/ocsp/ocsp_vfy.c4
-rw-r--r--lib/libcrypto/opensslfeatures.h2
-rw-r--r--lib/libcrypto/ossl_typ.h7
-rw-r--r--lib/libcrypto/pkcs12/p12_attr.c4
-rw-r--r--lib/libcrypto/pkcs12/p12_mutl.c4
-rw-r--r--lib/libcrypto/pkcs12/p12_npas.c4
-rw-r--r--lib/libcrypto/pkcs12/p12_p8d.c4
-rw-r--r--lib/libcrypto/pkcs12/p12_p8e.c4
-rw-r--r--lib/libcrypto/pkcs7/pk7_doit.c4
-rw-r--r--lib/libcrypto/pkcs7/pk7_lib.c3
-rw-r--r--lib/libcrypto/pkcs7/pk7_smime.c4
-rw-r--r--lib/libcrypto/rsa/rsa_sign.c3
-rw-r--r--lib/libcrypto/ts/ts_lib.c4
-rw-r--r--lib/libcrypto/ts/ts_rsp_sign.c4
-rw-r--r--lib/libcrypto/ts/ts_rsp_verify.c4
-rw-r--r--lib/libcrypto/x509/by_dir.c5
-rw-r--r--lib/libcrypto/x509/by_file.c4
-rw-r--r--lib/libcrypto/x509/by_mem.c4
-rw-r--r--lib/libcrypto/x509/pcy_cache.c3
-rw-r--r--lib/libcrypto/x509/pcy_map.c3
-rw-r--r--lib/libcrypto/x509/pcy_tree.c3
-rw-r--r--lib/libcrypto/x509/x509.h216
-rw-r--r--lib/libcrypto/x509/x509_addr.c4
-rw-r--r--lib/libcrypto/x509/x509_asid.c4
-rw-r--r--lib/libcrypto/x509/x509_att.c4
-rw-r--r--lib/libcrypto/x509/x509_cmp.c4
-rw-r--r--lib/libcrypto/x509/x509_conf.c4
-rw-r--r--lib/libcrypto/x509/x509_crld.c4
-rw-r--r--lib/libcrypto/x509/x509_ext.c4
-rw-r--r--lib/libcrypto/x509/x509_internal.h4
-rw-r--r--lib/libcrypto/x509/x509_lcl.h317
-rw-r--r--lib/libcrypto/x509/x509_lib.c3
-rw-r--r--lib/libcrypto/x509/x509_ncons.c4
-rw-r--r--lib/libcrypto/x509/x509_obj.c4
-rw-r--r--lib/libcrypto/x509/x509_prn.c4
-rw-r--r--lib/libcrypto/x509/x509_purp.c4
-rw-r--r--lib/libcrypto/x509/x509_r2x.c4
-rw-r--r--lib/libcrypto/x509/x509_req.c4
-rw-r--r--lib/libcrypto/x509/x509_set.c4
-rw-r--r--lib/libcrypto/x509/x509_skey.c4
-rw-r--r--lib/libcrypto/x509/x509_trs.c4
-rw-r--r--lib/libcrypto/x509/x509_v3.c4
-rw-r--r--lib/libcrypto/x509/x509_vfy.c4
-rw-r--r--lib/libcrypto/x509/x509_vfy.h162
-rw-r--r--lib/libcrypto/x509/x509_vpm.c3
-rw-r--r--lib/libcrypto/x509/x509cset.c6
-rw-r--r--lib/libcrypto/x509/x509name.c4
-rw-r--r--lib/libcrypto/x509/x509rset.c4
-rw-r--r--lib/libcrypto/x509/x509type.c4
-rw-r--r--lib/libcrypto/x509/x_all.c4
72 files changed, 521 insertions, 451 deletions
diff --git a/lib/libcrypto/Makefile b/lib/libcrypto/Makefile
index f626c16e91f..3f4014409d1 100644
--- a/lib/libcrypto/Makefile
+++ b/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.48 2021/10/31 16:51:16 tb Exp $
+# $OpenBSD: Makefile,v 1.49 2021/11/01 20:53:08 tb Exp $
LIB= crypto
LIBREBUILD=y
@@ -18,7 +18,7 @@ CFLAGS+= -Wall -Wundef
.if ${COMPILER_VERSION:L} == "clang"
CFLAGS+= -Werror
.endif
-CFLAGS+= -DLIBRESSL_INTERNAL -DLIBRESSL_CRYPTO_INTERNAL
+CFLAGS+= -DLIBRESSL_INTERNAL
.if !defined(NOPIC)
CFLAGS+= -DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_FUNOPEN
@@ -29,7 +29,7 @@ CFLAGS+= -DOPENSSL_NO_HW_PADLOCK # XXX enable this?
CFLAGS+= -I${LCRYPTO_SRC}
CFLAGS+= -I${LCRYPTO_SRC}/asn1 -I${LCRYPTO_SRC}/bn -I${LCRYPTO_SRC}/evp
-CFLAGS+= -I${LCRYPTO_SRC}/modes
+CFLAGS+= -I${LCRYPTO_SRC}/modes -I${LCRYPTO_SRC}/x509
# XXX FIXME ecdsa and ec should be merged
CFLAGS+= -I${LCRYPTO_SRC}/ecdsa
diff --git a/lib/libcrypto/asn1/a_strex.c b/lib/libcrypto/asn1/a_strex.c
index 4e3deccfdaf..3b66ea8d36d 100644
--- a/lib/libcrypto/asn1/a_strex.c
+++ b/lib/libcrypto/asn1/a_strex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_strex.c,v 1.28 2018/05/19 10:46:28 tb Exp $ */
+/* $OpenBSD: a_strex.c,v 1.29 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2000.
*/
@@ -513,7 +513,7 @@ do_name_ex(char_io *io_ch, void *arg, const X509_NAME *n, int indent,
else
ent = X509_NAME_get_entry(n, i);
if (prev != -1) {
- if (prev == ent->set) {
+ if (prev == X509_NAME_ENTRY_set(ent)) {
if (!io_ch(arg, sep_mv, sep_mv_len))
return -1;
outlen += sep_mv_len;
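Review bot: `X509_NAME_ENTRY_set(ent)` is now a function call made twice per loop iteration, once in this comparison and once in the `prev = X509_NAME_ENTRY_set(ent);` assignment in the hunk at -526. Reading it once into a local right after `ent` is assigned, for example `set = X509_NAME_ENTRY_set(ent);`, and using that local in both places would make it obvious that the separator decision and the `prev` update use the same value. The body of do_name_ex starts and ends outside both hunks, so whether `ent` can be NULL at this point cannot be judged from here.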
@@ -526,7 +526,7 @@ do_name_ex(char_io *io_ch, void *arg, const X509_NAME *n, int indent,
outlen += indent;
}
}
- prev = ent->set;
+ prev = X509_NAME_ENTRY_set(ent);
fn = X509_NAME_ENTRY_get_object(ent);
val = X509_NAME_ENTRY_get_data(ent);
fn_nid = OBJ_obj2nid(fn);
diff --git a/lib/libcrypto/asn1/n_pkey.c b/lib/libcrypto/asn1/n_pkey.c
index 6c7031677df..89adcd5b116 100644
--- a/lib/libcrypto/asn1/n_pkey.c
+++ b/lib/libcrypto/asn1/n_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: n_pkey.c,v 1.32 2018/08/05 13:35:45 bcook Exp $ */
+/* $OpenBSD: n_pkey.c,v 1.33 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -69,6 +69,8 @@
#include <openssl/rsa.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
#ifndef OPENSSL_NO_RC4
typedef struct netscape_pkey_st {
diff --git a/lib/libcrypto/asn1/p8_pkey.c b/lib/libcrypto/asn1/p8_pkey.c
index d2f8e6b0557..18659a6f40e 100644
--- a/lib/libcrypto/asn1/p8_pkey.c
+++ b/lib/libcrypto/asn1/p8_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p8_pkey.c,v 1.19 2018/08/24 20:17:33 tb Exp $ */
+/* $OpenBSD: p8_pkey.c,v 1.20 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -62,6 +62,8 @@
#include <openssl/asn1t.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
/* Minor tweak to operation: zero private key data */
static int
pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
diff --git a/lib/libcrypto/asn1/t_crl.c b/lib/libcrypto/asn1/t_crl.c
index 057b8fe3118..b7f94a86447 100644
--- a/lib/libcrypto/asn1/t_crl.c
+++ b/lib/libcrypto/asn1/t_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_crl.c,v 1.18 2019/05/12 15:56:31 tb Exp $ */
+/* $OpenBSD: t_crl.c,v 1.19 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -66,6 +66,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
int
X509_CRL_print_fp(FILE *fp, X509_CRL *x)
{
diff --git a/lib/libcrypto/asn1/t_req.c b/lib/libcrypto/asn1/t_req.c
index a9b14fed73d..320eaff9c00 100644
--- a/lib/libcrypto/asn1/t_req.c
+++ b/lib/libcrypto/asn1/t_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_req.c,v 1.19 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: t_req.c,v 1.20 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -74,6 +74,8 @@
#include <openssl/rsa.h>
#endif
+#include "x509_lcl.h"
+
int
X509_REQ_print_fp(FILE *fp, X509_REQ *x)
{
diff --git a/lib/libcrypto/asn1/t_spki.c b/lib/libcrypto/asn1/t_spki.c
index 7f1ed129cfc..56c0956ceb3 100644
--- a/lib/libcrypto/asn1/t_spki.c
+++ b/lib/libcrypto/asn1/t_spki.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_spki.c,v 1.12 2021/08/24 15:23:03 tb Exp $ */
+/* $OpenBSD: t_spki.c,v 1.13 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -71,6 +71,8 @@
#include <openssl/rsa.h>
#endif
+#include "x509_lcl.h"
+
/* Print out an SPKI */
int
diff --git a/lib/libcrypto/asn1/t_x509.c b/lib/libcrypto/asn1/t_x509.c
index 42b00a729aa..d1655a17850 100644
--- a/lib/libcrypto/asn1/t_x509.c
+++ b/lib/libcrypto/asn1/t_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_x509.c,v 1.34 2021/07/26 16:54:20 tb Exp $ */
+/* $OpenBSD: t_x509.c,v 1.35 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -78,6 +78,7 @@
#endif
#include "asn1_locl.h"
+#include "x509_lcl.h"
int
X509_print_fp(FILE *fp, X509 *x)
diff --git a/lib/libcrypto/asn1/t_x509a.c b/lib/libcrypto/asn1/t_x509a.c
index b0346fa6813..6745318b9c2 100644
--- a/lib/libcrypto/asn1/t_x509a.c
+++ b/lib/libcrypto/asn1/t_x509a.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t_x509a.c,v 1.9 2021/07/10 17:45:16 schwarze Exp $ */
+/* $OpenBSD: t_x509a.c,v 1.10 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -62,8 +62,9 @@
#include <openssl/evp.h>
#include <openssl/x509.h>
-/* X509_CERT_AUX and string set routines
- */
+#include "x509_lcl.h"
+
+/* X509_CERT_AUX and string set routines */
int
X509_CERT_AUX_print(BIO *out, X509_CERT_AUX *aux, int indent)
diff --git a/lib/libcrypto/asn1/x_attrib.c b/lib/libcrypto/asn1/x_attrib.c
index 04816eab770..a40edc1f1d2 100644
--- a/lib/libcrypto/asn1/x_attrib.c
+++ b/lib/libcrypto/asn1/x_attrib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_attrib.c,v 1.14 2020/06/04 21:21:03 schwarze Exp $ */
+/* $OpenBSD: x_attrib.c,v 1.15 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -62,6 +62,8 @@
#include <openssl/objects.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
/* X509_ATTRIBUTE: this has the following form:
*
* typedef struct x509_attributes_st
diff --git a/lib/libcrypto/asn1/x_crl.c b/lib/libcrypto/asn1/x_crl.c
index bc1783dbfbc..bfc01a22848 100644
--- a/lib/libcrypto/asn1/x_crl.c
+++ b/lib/libcrypto/asn1/x_crl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_crl.c,v 1.34 2019/03/13 20:34:00 tb Exp $ */
+/* $OpenBSD: x_crl.c,v 1.35 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -66,6 +66,7 @@
#include <openssl/x509v3.h>
#include "asn1_locl.h"
+#include "x509_lcl.h"
static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
const X509_REVOKED * const *b);
diff --git a/lib/libcrypto/asn1/x_exten.c b/lib/libcrypto/asn1/x_exten.c
index bb3dffc8218..aba8973632d 100644
--- a/lib/libcrypto/asn1/x_exten.c
+++ b/lib/libcrypto/asn1/x_exten.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_exten.c,v 1.16 2015/07/24 15:09:52 jsing Exp $ */
+/* $OpenBSD: x_exten.c,v 1.17 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2000.
*/
@@ -61,6 +61,8 @@
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
+#include "x509_lcl.h"
+
static const ASN1_TEMPLATE X509_EXTENSION_seq_tt[] = {
{
.offset = offsetof(X509_EXTENSION, object),
diff --git a/lib/libcrypto/asn1/x_name.c b/lib/libcrypto/asn1/x_name.c
index 0961ee33ebb..4563a513483 100644
--- a/lib/libcrypto/asn1/x_name.c
+++ b/lib/libcrypto/asn1/x_name.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_name.c,v 1.35 2021/07/04 11:38:37 schwarze Exp $ */
+/* $OpenBSD: x_name.c,v 1.36 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -65,6 +65,7 @@
#include <openssl/x509.h>
#include "asn1_locl.h"
+#include "x509_lcl.h"
typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
diff --git a/lib/libcrypto/asn1/x_pubkey.c b/lib/libcrypto/asn1/x_pubkey.c
index ea67419cb20..cb16d03301d 100644
--- a/lib/libcrypto/asn1/x_pubkey.c
+++ b/lib/libcrypto/asn1/x_pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_pubkey.c,v 1.27 2018/03/17 14:55:39 jsing Exp $ */
+/* $OpenBSD: x_pubkey.c,v 1.28 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -72,6 +72,7 @@
#endif
#include "asn1_locl.h"
+#include "x509_lcl.h"
/* Minor tweak to operation: free up EVP_PKEY */
static int
diff --git a/lib/libcrypto/asn1/x_req.c b/lib/libcrypto/asn1/x_req.c
index eb5210aef6c..38e3790bf4e 100644
--- a/lib/libcrypto/asn1/x_req.c
+++ b/lib/libcrypto/asn1/x_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_req.c,v 1.17 2018/02/22 16:50:30 jsing Exp $ */
+/* $OpenBSD: x_req.c,v 1.18 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -61,6 +61,8 @@
#include <openssl/asn1t.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
/* X509_REQ_INFO is handled in an unusual way to get round
* invalid encodings. Some broken certificate requests don't
* encode the attributes field if it is empty. This is in
diff --git a/lib/libcrypto/asn1/x_sig.c b/lib/libcrypto/asn1/x_sig.c
index dc3af45f6d1..6a842da5f0e 100644
--- a/lib/libcrypto/asn1/x_sig.c
+++ b/lib/libcrypto/asn1/x_sig.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_sig.c,v 1.12 2021/10/23 11:41:50 tb Exp $ */
+/* $OpenBSD: x_sig.c,v 1.13 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -61,6 +61,8 @@
#include <openssl/asn1t.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
static const ASN1_TEMPLATE X509_SIG_seq_tt[] = {
{
.offset = offsetof(X509_SIG, algor),
diff --git a/lib/libcrypto/asn1/x_x509.c b/lib/libcrypto/asn1/x_x509.c
index ebe09a6099f..713ffbbb11e 100644
--- a/lib/libcrypto/asn1/x_x509.c
+++ b/lib/libcrypto/asn1/x_x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_x509.c,v 1.28 2021/10/23 11:56:10 tb Exp $ */
+/* $OpenBSD: x_x509.c,v 1.29 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -65,6 +65,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
static const ASN1_AUX X509_CINF_aux = {
.flags = ASN1_AFLG_ENCODING,
.enc_offset = offsetof(X509_CINF, enc),
diff --git a/lib/libcrypto/asn1/x_x509a.c b/lib/libcrypto/asn1/x_x509a.c
index d5364cb07ba..572178157a6 100644
--- a/lib/libcrypto/asn1/x_x509a.c
+++ b/lib/libcrypto/asn1/x_x509a.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_x509a.c,v 1.16 2021/10/31 16:28:50 tb Exp $ */
+/* $OpenBSD: x_x509a.c,v 1.17 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -62,6 +62,8 @@
#include <openssl/evp.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
/* X509_CERT_AUX routines. These are used to encode additional
* user modifiable data about a certificate. This data is
* appended to the X509 encoding when the *_X509_AUX routines
diff --git a/lib/libcrypto/cms/cms_lib.c b/lib/libcrypto/cms/cms_lib.c
index b6580dd6f5f..21adef7aec3 100644
--- a/lib/libcrypto/cms/cms_lib.c
+++ b/lib/libcrypto/cms/cms_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_lib.c,v 1.14 2019/08/12 18:13:13 jsing Exp $ */
+/* $OpenBSD: cms_lib.c,v 1.15 2021/11/01 20:53:08 tb Exp $ */
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
@@ -59,8 +59,9 @@
#include <openssl/bio.h>
#include <openssl/asn1.h>
#include <openssl/cms.h>
-#include "cms_lcl.h"
+#include "cms_lcl.h"
+#include "x509_lcl.h"
CMS_ContentInfo *
d2i_CMS_ContentInfo(CMS_ContentInfo **a, const unsigned char **in, long len)
diff --git a/lib/libcrypto/ocsp/ocsp_cl.c b/lib/libcrypto/ocsp/ocsp_cl.c
index 677a1b35ddd..da4b5ad04c1 100644
--- a/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_cl.c,v 1.18 2021/10/24 13:50:14 tb Exp $ */
+/* $OpenBSD: ocsp_cl.c,v 1.19 2021/11/01 20:53:08 tb Exp $ */
/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
* project. */
@@ -136,7 +136,7 @@ OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert)
if (!sk_X509_push(sig->certs, cert))
return 0;
- CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+ X509_up_ref(cert);
return 1;
}
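Review bot: The return value of `X509_up_ref(cert)` is discarded, and the call comes after `sk_X509_push()` has already stored the pointer in `sig->certs`. If taking the reference ever fails, the stack holds a certificate it does not own while the function still returns 1, and a later free of the stack would then drop a reference that belongs to the caller. Taking the reference first and releasing it when the push fails keeps ownership unambiguous. The same pattern appears in OCSP_basic_add1_cert in ocsp_srv.c with `resp->certs`. The function body starts above this hunk.

```c
	/* … unchanged: code above the hunk … */
	if (!X509_up_ref(cert))
		return 0;
	if (!sk_X509_push(sig->certs, cert)) {
		X509_free(cert);
		return 0;
	}
	return 1;
```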
diff --git a/lib/libcrypto/ocsp/ocsp_ext.c b/lib/libcrypto/ocsp/ocsp_ext.c
index eb51cfbff5a..c48843492dc 100644
--- a/lib/libcrypto/ocsp/ocsp_ext.c
+++ b/lib/libcrypto/ocsp/ocsp_ext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_ext.c,v 1.18 2018/05/14 23:47:10 tb Exp $ */
+/* $OpenBSD: ocsp_ext.c,v 1.19 2021/11/01 20:53:08 tb Exp $ */
/* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
* project. */
@@ -70,6 +70,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
/* Standard wrapper functions for extensions */
/* OCSP request extensions */
diff --git a/lib/libcrypto/ocsp/ocsp_srv.c b/lib/libcrypto/ocsp/ocsp_srv.c
index a9e0aaab2f1..5c9ac4d807e 100644
--- a/lib/libcrypto/ocsp/ocsp_srv.c
+++ b/lib/libcrypto/ocsp/ocsp_srv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_srv.c,v 1.10 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ocsp_srv.c,v 1.11 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2001.
*/
@@ -213,7 +213,7 @@ OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
if (!sk_X509_push(resp->certs, cert))
return 0;
- CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
+ X509_up_ref(cert);
return 1;
}
diff --git a/lib/libcrypto/ocsp/ocsp_vfy.c b/lib/libcrypto/ocsp/ocsp_vfy.c
index e92b5d73262..67d45605ffe 100644
--- a/lib/libcrypto/ocsp/ocsp_vfy.c
+++ b/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_vfy.c,v 1.16 2021/10/24 13:50:14 tb Exp $ */
+/* $OpenBSD: ocsp_vfy.c,v 1.17 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2000.
*/
@@ -60,6 +60,8 @@
#include <openssl/err.h>
#include <string.h>
+#include "x509_lcl.h"
+
static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags);
static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
diff --git a/lib/libcrypto/opensslfeatures.h b/lib/libcrypto/opensslfeatures.h
index f16e25e782f..49a5f15b597 100644
--- a/lib/libcrypto/opensslfeatures.h
+++ b/lib/libcrypto/opensslfeatures.h
@@ -6,8 +6,6 @@
#define LIBRESSL_HAS_TLS1_3
#define LIBRESSL_HAS_DTLS1_2
-#define LIBRESSL_OPAQUE_X509
-
#define OPENSSL_THREADS
#define OPENSSL_NO_BUF_FREELISTS
diff --git a/lib/libcrypto/ossl_typ.h b/lib/libcrypto/ossl_typ.h
index 234fdca1ea8..99f120644f3 100644
--- a/lib/libcrypto/ossl_typ.h
+++ b/lib/libcrypto/ossl_typ.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ossl_typ.h,v 1.13 2015/09/30 04:10:07 doug Exp $ */
+/* $OpenBSD: ossl_typ.h,v 1.14 2021/11/01 20:53:08 tb Exp $ */
/* ====================================================================
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
*
@@ -127,6 +127,11 @@ typedef struct X509_pubkey_st X509_PUBKEY;
typedef struct x509_store_st X509_STORE;
typedef struct x509_store_ctx_st X509_STORE_CTX;
+typedef struct x509_object_st X509_OBJECT;
+typedef struct x509_lookup_st X509_LOOKUP;
+typedef struct x509_lookup_method_st X509_LOOKUP_METHOD;
+typedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM;
+
typedef struct pkcs8_priv_key_info_st PKCS8_PRIV_KEY_INFO;
typedef struct v3_ext_ctx X509V3_CTX;
diff --git a/lib/libcrypto/pkcs12/p12_attr.c b/lib/libcrypto/pkcs12/p12_attr.c
index e8e340a2e2a..dc38b7c897c 100644
--- a/lib/libcrypto/pkcs12/p12_attr.c
+++ b/lib/libcrypto/pkcs12/p12_attr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_attr.c,v 1.13 2021/07/09 14:07:59 tb Exp $ */
+/* $OpenBSD: p12_attr.c,v 1.14 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -60,6 +60,8 @@
#include <openssl/pkcs12.h>
+#include "x509_lcl.h"
+
/* Add a local keyid to a safebag */
int
diff --git a/lib/libcrypto/pkcs12/p12_mutl.c b/lib/libcrypto/pkcs12/p12_mutl.c
index d45ab078fd9..14ded8532d0 100644
--- a/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/lib/libcrypto/pkcs12/p12_mutl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_mutl.c,v 1.24 2021/07/09 14:08:00 tb Exp $ */
+/* $OpenBSD: p12_mutl.c,v 1.25 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -68,6 +68,8 @@
#include <openssl/hmac.h>
#include <openssl/pkcs12.h>
+#include "x509_lcl.h"
+
/* Generate a MAC */
int
PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
diff --git a/lib/libcrypto/pkcs12/p12_npas.c b/lib/libcrypto/pkcs12/p12_npas.c
index d6b12edab3d..62ec368af7c 100644
--- a/lib/libcrypto/pkcs12/p12_npas.c
+++ b/lib/libcrypto/pkcs12/p12_npas.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_npas.c,v 1.13 2018/05/13 14:22:34 tb Exp $ */
+/* $OpenBSD: p12_npas.c,v 1.14 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -63,6 +63,8 @@
#include <openssl/err.h>
#include <openssl/pkcs12.h>
+#include "x509_lcl.h"
+
/* PKCS#12 password change routine */
static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass);
diff --git a/lib/libcrypto/pkcs12/p12_p8d.c b/lib/libcrypto/pkcs12/p12_p8d.c
index 0286d4acf54..ce1b28bc290 100644
--- a/lib/libcrypto/pkcs12/p12_p8d.c
+++ b/lib/libcrypto/pkcs12/p12_p8d.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_p8d.c,v 1.7 2018/05/13 14:28:14 tb Exp $ */
+/* $OpenBSD: p12_p8d.c,v 1.8 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2001.
*/
@@ -60,6 +60,8 @@
#include <openssl/pkcs12.h>
+#include "x509_lcl.h"
+
PKCS8_PRIV_KEY_INFO *
PKCS8_decrypt(const X509_SIG *p8, const char *pass, int passlen)
{
diff --git a/lib/libcrypto/pkcs12/p12_p8e.c b/lib/libcrypto/pkcs12/p12_p8e.c
index 5e3fc6486a8..7f5f61d69f1 100644
--- a/lib/libcrypto/pkcs12/p12_p8e.c
+++ b/lib/libcrypto/pkcs12/p12_p8e.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_p8e.c,v 1.8 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: p12_p8e.c,v 1.9 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2001.
*/
@@ -61,6 +61,8 @@
#include <openssl/err.h>
#include <openssl/pkcs12.h>
+#include "x509_lcl.h"
+
X509_SIG *
PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass,
int passlen, unsigned char *salt, int saltlen, int iter,
diff --git a/lib/libcrypto/pkcs7/pk7_doit.c b/lib/libcrypto/pkcs7/pk7_doit.c
index 81a72f6815a..6d921e5cff2 100644
--- a/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/lib/libcrypto/pkcs7/pk7_doit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_doit.c,v 1.44 2019/10/04 18:03:55 tb Exp $ */
+/* $OpenBSD: pk7_doit.c,v 1.45 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -65,6 +65,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype,
void *value);
static ASN1_TYPE *get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid);
diff --git a/lib/libcrypto/pkcs7/pk7_lib.c b/lib/libcrypto/pkcs7/pk7_lib.c
index afcc179240f..24cb0fe4c64 100644
--- a/lib/libcrypto/pkcs7/pk7_lib.c
+++ b/lib/libcrypto/pkcs7/pk7_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_lib.c,v 1.21 2020/01/21 10:18:52 inoguchi Exp $ */
+/* $OpenBSD: pk7_lib.c,v 1.22 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -63,6 +63,7 @@
#include <openssl/x509.h>
#include "asn1_locl.h"
+#include "x509_lcl.h"
long
PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg)
diff --git a/lib/libcrypto/pkcs7/pk7_smime.c b/lib/libcrypto/pkcs7/pk7_smime.c
index bf9f2dd82a4..f11d23e30d7 100644
--- a/lib/libcrypto/pkcs7/pk7_smime.c
+++ b/lib/libcrypto/pkcs7/pk7_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_smime.c,v 1.22 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: pk7_smime.c,v 1.23 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
*/
@@ -64,6 +64,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
PKCS7 *
diff --git a/lib/libcrypto/rsa/rsa_sign.c b/lib/libcrypto/rsa/rsa_sign.c
index d205046bd35..9ee61a381c4 100644
--- a/lib/libcrypto/rsa/rsa_sign.c
+++ b/lib/libcrypto/rsa/rsa_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_sign.c,v 1.32 2021/05/14 18:03:42 tb Exp $ */
+/* $OpenBSD: rsa_sign.c,v 1.33 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -66,6 +66,7 @@
#include <openssl/x509.h>
#include "rsa_locl.h"
+#include "x509_lcl.h"
/* Size of an SSL signature: MD5+SHA1 */
#define SSL_SIG_LENGTH 36
diff --git a/lib/libcrypto/ts/ts_lib.c b/lib/libcrypto/ts/ts_lib.c
index 293564118fd..cdfa9db3510 100644
--- a/lib/libcrypto/ts/ts_lib.c
+++ b/lib/libcrypto/ts/ts_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_lib.c,v 1.10 2015/09/10 14:29:22 jsing Exp $ */
+/* $OpenBSD: ts_lib.c,v 1.11 2021/11/01 20:53:08 tb Exp $ */
/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
* project 2002.
*/
@@ -64,6 +64,8 @@
#include <openssl/ts.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
/* Local function declarations. */
/* Function definitions. */
diff --git a/lib/libcrypto/ts/ts_rsp_sign.c b/lib/libcrypto/ts/ts_rsp_sign.c
index 6125fdd4be4..828407aa4b8 100644
--- a/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.23 2019/07/03 03:24:04 deraadt Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.24 2021/11/01 20:53:08 tb Exp $ */
/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
* project 2002.
*/
@@ -65,6 +65,8 @@
#include <openssl/pkcs7.h>
#include <openssl/ts.h>
+#include "x509_lcl.h"
+
/* Private function declarations. */
static ASN1_INTEGER *def_serial_cb(struct TS_resp_ctx *, void *);
diff --git a/lib/libcrypto/ts/ts_rsp_verify.c b/lib/libcrypto/ts/ts_rsp_verify.c
index 46704dfd2be..2e72ff47aef 100644
--- a/lib/libcrypto/ts/ts_rsp_verify.c
+++ b/lib/libcrypto/ts/ts_rsp_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_verify.c,v 1.21 2021/07/02 11:15:08 schwarze Exp $ */
+/* $OpenBSD: ts_rsp_verify.c,v 1.22 2021/11/01 20:53:08 tb Exp $ */
/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
* project 2002.
*/
@@ -64,6 +64,8 @@
#include <openssl/pkcs7.h>
#include <openssl/ts.h>
+#include "x509_lcl.h"
+
/* Private function declarations. */
static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted,
diff --git a/lib/libcrypto/x509/by_dir.c b/lib/libcrypto/x509/by_dir.c
index 04eada8ad05..0ff60644f5e 100644
--- a/lib/libcrypto/x509/by_dir.c
+++ b/lib/libcrypto/x509/by_dir.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_dir.c,v 1.39 2018/08/05 14:17:12 bcook Exp $ */
+/* $OpenBSD: by_dir.c,v 1.40 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -56,6 +56,7 @@
* [including the GNU Public Licence.]
*/
+#include <sys/stat.h>
#include <sys/types.h>
#include <errno.h>
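Review bot: `#include <sys/stat.h>` is now placed before `#include <sys/types.h>`, which is a point of style. The usual BSD style(9) ordering puts `<sys/types.h>` first among the `<sys/*.h>` headers, with the others following it; this is worth confirming against the tree's style guide. Swapping the two lines, `#include <sys/types.h>` then `#include <sys/stat.h>`, still moves the header out of the later include group and does not depend on `<sys/stat.h>` being self-contained.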
@@ -70,7 +71,7 @@
#include <openssl/lhash.h>
#include <openssl/x509.h>
-# include <sys/stat.h>
+#include "x509_lcl.h"
typedef struct lookup_dir_hashes_st {
unsigned long hash;
diff --git a/lib/libcrypto/x509/by_file.c b/lib/libcrypto/x509/by_file.c
index b2c8ef6cfaf..f719636412e 100644
--- a/lib/libcrypto/x509/by_file.c
+++ b/lib/libcrypto/x509/by_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_file.c,v 1.21 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: by_file.c,v 1.22 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -67,6 +67,8 @@
#include <openssl/lhash.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
long argl, char **ret);
diff --git a/lib/libcrypto/x509/by_mem.c b/lib/libcrypto/x509/by_mem.c
index 34d4040d848..272877f843f 100644
--- a/lib/libcrypto/x509/by_mem.c
+++ b/lib/libcrypto/x509/by_mem.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_mem.c,v 1.4 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: by_mem.c,v 1.5 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -68,6 +68,8 @@
#include <openssl/lhash.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
static int by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);
static X509_LOOKUP_METHOD x509_mem_lookup = {
diff --git a/lib/libcrypto/x509/pcy_cache.c b/lib/libcrypto/x509/pcy_cache.c
index 896ba7d59ef..debca302863 100644
--- a/lib/libcrypto/x509/pcy_cache.c
+++ b/lib/libcrypto/x509/pcy_cache.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_cache.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: pcy_cache.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004.
*/
@@ -60,6 +60,7 @@
#include <openssl/x509v3.h>
#include "pcy_int.h"
+#include "x509_lcl.h"
static int policy_data_cmp(const X509_POLICY_DATA * const *a,
const X509_POLICY_DATA * const *b);
diff --git a/lib/libcrypto/x509/pcy_map.c b/lib/libcrypto/x509/pcy_map.c
index 287a430c2c0..f2e5d325524 100644
--- a/lib/libcrypto/x509/pcy_map.c
+++ b/lib/libcrypto/x509/pcy_map.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_map.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: pcy_map.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004.
*/
@@ -60,6 +60,7 @@
#include <openssl/x509v3.h>
#include "pcy_int.h"
+#include "x509_lcl.h"
/* Set policy mapping entries in cache.
* Note: this modifies the passed POLICY_MAPPINGS structure
diff --git a/lib/libcrypto/x509/pcy_tree.c b/lib/libcrypto/x509/pcy_tree.c
index d0f7cd1adac..284c08e66a1 100644
--- a/lib/libcrypto/x509/pcy_tree.c
+++ b/lib/libcrypto/x509/pcy_tree.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_tree.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: pcy_tree.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004.
*/
@@ -60,6 +60,7 @@
#include <openssl/x509v3.h>
#include "pcy_int.h"
+#include "x509_lcl.h"
/* Enable this to print out the complete policy tree at various point during
* evaluation.
diff --git a/lib/libcrypto/x509/x509.h b/lib/libcrypto/x509/x509.h
index 9a44bf30aa2..4624628bf83 100644
--- a/lib/libcrypto/x509/x509.h
+++ b/lib/libcrypto/x509/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.86 2021/11/01 08:14:36 tb Exp $ */
+/* $OpenBSD: x509.h,v 1.87 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -139,171 +139,33 @@ typedef struct X509_val_st {
ASN1_TIME *notAfter;
} X509_VAL;
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-struct X509_pubkey_st {
- X509_ALGOR *algor;
- ASN1_BIT_STRING *public_key;
- EVP_PKEY *pkey;
-};
-
-typedef struct X509_sig_st {
- X509_ALGOR *algor;
- ASN1_OCTET_STRING *digest;
-} X509_SIG;
-
-typedef struct X509_name_entry_st {
- ASN1_OBJECT *object;
- ASN1_STRING *value;
- int set;
- int size; /* temp variable */
-} X509_NAME_ENTRY;
-#else
typedef struct X509_sig_st X509_SIG;
+
typedef struct X509_name_entry_st X509_NAME_ENTRY;
-#endif
DECLARE_STACK_OF(X509_NAME_ENTRY)
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-/* we always keep X509_NAMEs in 2 forms. */
-struct X509_name_st {
- STACK_OF(X509_NAME_ENTRY) *entries;
- int modified; /* true if 'bytes' needs to be built */
-#ifndef OPENSSL_NO_BUFFER
- BUF_MEM *bytes;
-#else
- char *bytes;
-#endif
-/* unsigned long hash; Keep the hash around for lookups */
- unsigned char *canon_enc;
- int canon_enclen;
-} /* X509_NAME */;
-#endif
-
DECLARE_STACK_OF(X509_NAME)
#define X509_EX_V_NETSCAPE_HACK 0x8000
#define X509_EX_V_INIT 0x0001
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-typedef struct X509_extension_st {
- ASN1_OBJECT *object;
- ASN1_BOOLEAN critical;
- ASN1_OCTET_STRING *value;
-} X509_EXTENSION;
-#else
typedef struct X509_extension_st X509_EXTENSION;
-#endif
typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
DECLARE_STACK_OF(X509_EXTENSION)
-/* a sequence of these are used */
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-typedef struct x509_attributes_st {
- ASN1_OBJECT *object;
- int single; /* 0 for a set, 1 for a single item (which is wrong) */
- union {
- char *ptr;
-/* 0 */ STACK_OF(ASN1_TYPE) *set;
-/* 1 */ ASN1_TYPE *single;
- } value;
-} X509_ATTRIBUTE;
-#else
typedef struct x509_attributes_st X509_ATTRIBUTE;
-#endif
DECLARE_STACK_OF(X509_ATTRIBUTE)
-
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-typedef struct X509_req_info_st {
- ASN1_ENCODING enc;
- ASN1_INTEGER *version;
- X509_NAME *subject;
- X509_PUBKEY *pubkey;
- /* d=2 hl=2 l= 0 cons: cont: 00 */
- STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
-} X509_REQ_INFO;
-
-typedef struct X509_req_st {
- X509_REQ_INFO *req_info;
- X509_ALGOR *sig_alg;
- ASN1_BIT_STRING *signature;
- int references;
-} X509_REQ;
-
-typedef struct x509_cinf_st {
- ASN1_INTEGER *version; /* [ 0 ] default of v1 */
- ASN1_INTEGER *serialNumber;
- X509_ALGOR *signature;
- X509_NAME *issuer;
- X509_VAL *validity;
- X509_NAME *subject;
- X509_PUBKEY *key;
- ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */
- ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */
- STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */
- ASN1_ENCODING enc;
-} X509_CINF;
-#else
typedef struct X509_req_info_st X509_REQ_INFO;
-typedef struct X509_req_st X509_REQ;
-typedef struct x509_cinf_st X509_CINF;
-#endif
-/* This stuff is certificate "auxiliary info"
- * it contains details which are useful in certificate
- * stores and databases. When used this is tagged onto
- * the end of the certificate itself
- */
+typedef struct X509_req_st X509_REQ;
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-typedef struct x509_cert_aux_st {
- STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */
- STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */
- ASN1_UTF8STRING *alias; /* "friendly name" */
- ASN1_OCTET_STRING *keyid; /* key id of private key */
- STACK_OF(X509_ALGOR) *other; /* other unspecified info */
-} X509_CERT_AUX;
-#else
typedef struct x509_cert_aux_st X509_CERT_AUX;
-#endif
-struct x509_st;
-
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-struct x509_st {
- X509_CINF *cert_info;
- X509_ALGOR *sig_alg;
- ASN1_BIT_STRING *signature;
- int valid;
- int references;
- char *name;
- CRYPTO_EX_DATA ex_data;
- /* These contain copies of various extension values */
- long ex_pathlen;
- long ex_pcpathlen;
- unsigned long ex_flags;
- unsigned long ex_kusage;
- unsigned long ex_xkusage;
- unsigned long ex_nscert;
- ASN1_OCTET_STRING *skid;
- AUTHORITY_KEYID *akid;
- X509_POLICY_CACHE *policy_cache;
- STACK_OF(DIST_POINT) *crldp;
- STACK_OF(GENERAL_NAME) *altname;
- NAME_CONSTRAINTS *nc;
-#ifndef OPENSSL_NO_RFC3779
- STACK_OF(IPAddressFamily) *rfc3779_addr;
- struct ASIdentifiers_st *rfc3779_asid;
-#endif
-#ifndef OPENSSL_NO_SHA
- unsigned char sha1_hash[SHA_DIGEST_LENGTH];
-#endif
- X509_CERT_AUX *aux;
-} /* X509 */;
-#endif
+typedef struct x509_cinf_st X509_CINF;
DECLARE_STACK_OF(X509)
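Review bot: The forward typedefs that remain in x509.h after this hunk (`X509_SIG`, `X509_NAME_ENTRY`, `X509_EXTENSION`, `X509_ATTRIBUTE`, `X509_REQ_INFO`, `X509_REQ`, `X509_CERT_AUX`, `X509_CINF`) carry no comment, so a reader of the public header cannot tell that they are intentionally incomplete types. A one-line comment above the first of them, such as `/* Opaque: layout is private to libcrypto, use the accessor functions. */`, would document that; the same applies to `X509_CRL_INFO` in the `@@ -422,66 +285,13 @@` hunk. Since this removes the last way for consumers to reach fields like `cert_info` or `ex_flags` directly, any macro elsewhere in x509.h that still expands to a field access would stop compiling for callers. That part of the header is outside the hunk, so it is worth a grep before release.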
@@ -322,6 +184,7 @@ DECLARE_STACK_OF(X509_TRUST)
/* standard trust ids */
+/* OpenSSL changed this to 0 */
#define X509_TRUST_DEFAULT -1 /* Only valid in purpose settings */
#define X509_TRUST_COMPAT 1
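Review bot: The added comment `/* OpenSSL changed this to 0 */` does not say whether the difference is intentional or still to be reconciled, and placed directly under `/* standard trust ids */` it reads as if it described the whole list rather than `X509_TRUST_DEFAULT`. The value ends up in the `trust` setting used during verification, so a fuller wording on the macro would help, for example `/* OpenSSL changed X509_TRUST_DEFAULT to 0; kept at -1 here, so do not hardcode the value. */`. The rest of the trust id list lies outside this hunk.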
@@ -422,66 +285,13 @@ DECLARE_STACK_OF(X509_TRUST)
XN_FLAG_FN_LN | \
XN_FLAG_FN_ALIGN)
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-struct x509_revoked_st {
- ASN1_INTEGER *serialNumber;
- ASN1_TIME *revocationDate;
- STACK_OF(X509_EXTENSION) /* optional */ *extensions;
- /* Set up if indirect CRL */
- STACK_OF(GENERAL_NAME) *issuer;
- /* Revocation reason */
- int reason;
- int sequence; /* load sequence */
-};
-#endif
-
DECLARE_STACK_OF(X509_REVOKED)
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-typedef struct X509_crl_info_st {
- ASN1_INTEGER *version;
- X509_ALGOR *sig_alg;
- X509_NAME *issuer;
- ASN1_TIME *lastUpdate;
- ASN1_TIME *nextUpdate;
- STACK_OF(X509_REVOKED) *revoked;
- STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
- ASN1_ENCODING enc;
-} X509_CRL_INFO;
-#else
typedef struct X509_crl_info_st X509_CRL_INFO;
-#endif
-
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-struct X509_crl_st {
- /* actual signature */
- X509_CRL_INFO *crl;
- X509_ALGOR *sig_alg;
- ASN1_BIT_STRING *signature;
- int references;
- int flags;
- /* Copies of various extensions */
- AUTHORITY_KEYID *akid;
- ISSUING_DIST_POINT *idp;
- /* Convenient breakdown of IDP */
- int idp_flags;
- int idp_reasons;
- /* CRL and base CRL numbers for delta processing */
- ASN1_INTEGER *crl_number;
- ASN1_INTEGER *base_crl_number;
-#ifndef OPENSSL_NO_SHA
- unsigned char sha1_hash[SHA_DIGEST_LENGTH];
-#endif
- STACK_OF(GENERAL_NAMES) *issuers;
- const X509_CRL_METHOD *meth;
- void *meth_data;
-} /* X509_CRL */;
-#endif
DECLARE_STACK_OF(X509_CRL)
-typedef struct private_key_st
- {
+typedef struct private_key_st {
int version;
/* The PKCS#8 data types */
X509_ALGOR *enc_algor;
@@ -499,7 +309,7 @@ typedef struct private_key_st
EVP_CIPHER_INFO cipher;
int references;
- } X509_PKEY;
+} X509_PKEY;
#ifndef OPENSSL_NO_EVP
typedef struct X509_info_st {
@@ -561,18 +371,6 @@ typedef struct PBKDF2PARAM_st {
X509_ALGOR *prf;
} PBKDF2PARAM;
-
-/* PKCS#8 private key info structure */
-
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-struct pkcs8_priv_key_info_st {
- ASN1_INTEGER *version;
- X509_ALGOR *pkeyalg;
- ASN1_OCTET_STRING *pkey;
- STACK_OF(X509_ATTRIBUTE) *attributes;
-};
-#endif
-
#ifdef __cplusplus
}
#endif
diff --git a/lib/libcrypto/x509/x509_addr.c b/lib/libcrypto/x509/x509_addr.c
index 313896167b7..ddb0e4af124 100644
--- a/lib/libcrypto/x509/x509_addr.c
+++ b/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_addr.c,v 1.18 2021/10/25 11:55:27 tb Exp $ */
+/* $OpenBSD: x509_addr.c,v 1.19 2021/11/01 20:53:08 tb Exp $ */
/*
* Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
*
@@ -24,6 +24,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
#ifndef OPENSSL_NO_RFC3779
/*
diff --git a/lib/libcrypto/x509/x509_asid.c b/lib/libcrypto/x509/x509_asid.c
index d990bc01587..d2247e09c1f 100644
--- a/lib/libcrypto/x509/x509_asid.c
+++ b/lib/libcrypto/x509/x509_asid.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_asid.c,v 1.18 2021/10/25 11:55:27 tb Exp $ */
+/* $OpenBSD: x509_asid.c,v 1.19 2021/11/01 20:53:08 tb Exp $ */
/*
* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
*
@@ -26,6 +26,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
#ifndef OPENSSL_NO_RFC3779
static const ASN1_TEMPLATE ASRange_seq_tt[] = {
diff --git a/lib/libcrypto/x509/x509_att.c b/lib/libcrypto/x509/x509_att.c
index 1479b918c76..38aa0631432 100644
--- a/lib/libcrypto/x509/x509_att.c
+++ b/lib/libcrypto/x509/x509_att.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_att.c,v 1.17 2018/05/18 19:21:33 tb Exp $ */
+/* $OpenBSD: x509_att.c,v 1.18 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -66,6 +66,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
int
X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x)
{
diff --git a/lib/libcrypto/x509/x509_cmp.c b/lib/libcrypto/x509/x509_cmp.c
index 6d6e8408994..134a0827302 100644
--- a/lib/libcrypto/x509/x509_cmp.c
+++ b/lib/libcrypto/x509/x509_cmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cmp.c,v 1.35 2019/03/13 20:34:00 tb Exp $ */
+/* $OpenBSD: x509_cmp.c,v 1.36 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -68,6 +68,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
int
X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
{
diff --git a/lib/libcrypto/x509/x509_conf.c b/lib/libcrypto/x509/x509_conf.c
index 8bf2d10b9f5..cd703fc1563 100644
--- a/lib/libcrypto/x509/x509_conf.c
+++ b/lib/libcrypto/x509/x509_conf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_conf.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_conf.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -66,6 +66,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
static int v3_check_critical(const char **value);
static int v3_check_generic(const char **value);
static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid,
diff --git a/lib/libcrypto/x509/x509_crld.c b/lib/libcrypto/x509/x509_crld.c
index ff60a880fad..6b6f7953787 100644
--- a/lib/libcrypto/x509/x509_crld.c
+++ b/lib/libcrypto/x509/x509_crld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_crld.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
+/* $OpenBSD: x509_crld.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -65,6 +65,8 @@
#include <openssl/err.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
static void *v2i_crld(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
static int i2r_crldp(const X509V3_EXT_METHOD *method, void *pcrldp, BIO *out,
diff --git a/lib/libcrypto/x509/x509_ext.c b/lib/libcrypto/x509/x509_ext.c
index 21374a26e20..14459511993 100644
--- a/lib/libcrypto/x509/x509_ext.c
+++ b/lib/libcrypto/x509/x509_ext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ext.c,v 1.12 2018/05/18 19:28:27 tb Exp $ */
+/* $OpenBSD: x509_ext.c,v 1.13 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -65,6 +65,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
int
X509_CRL_get_ext_count(const X509_CRL *x)
{
diff --git a/lib/libcrypto/x509/x509_internal.h b/lib/libcrypto/x509/x509_internal.h
index 90fafccae0f..7ca67a853b6 100644
--- a/lib/libcrypto/x509/x509_internal.h
+++ b/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_internal.h,v 1.13 2021/10/26 09:09:53 beck Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.14 2021/11/01 20:53:08 tb Exp $ */
/*
* Copyright (c) 2020 Bob Beck <beck@openbsd.org>
*
@@ -22,6 +22,8 @@
#include <openssl/x509_verify.h>
+#include "x509_lcl.h"
+
/* Hard limits on structure size and number of signature checks. */
#define X509_VERIFY_MAX_CHAINS 8 /* Max validated chains */
#define X509_VERIFY_MAX_CHAIN_CERTS 32 /* Max depth of a chain */
diff --git a/lib/libcrypto/x509/x509_lcl.h b/lib/libcrypto/x509/x509_lcl.h
index 3e83b66dd61..1b352aee787 100644
--- a/lib/libcrypto/x509/x509_lcl.h
+++ b/lib/libcrypto/x509/x509_lcl.h
@@ -56,8 +56,325 @@
*
*/
+#ifndef HEADER_X509_LCL_H
+#define HEADER_X509_LCL_H
+
__BEGIN_HIDDEN_DECLS
+struct X509_pubkey_st {
+ X509_ALGOR *algor;
+ ASN1_BIT_STRING *public_key;
+ EVP_PKEY *pkey;
+};
+
+struct X509_sig_st {
+ X509_ALGOR *algor;
+ ASN1_OCTET_STRING *digest;
+} /* X509_SIG */;
+
+struct X509_name_entry_st {
+ ASN1_OBJECT *object;
+ ASN1_STRING *value;
+ int set;
+ int size; /* temp variable */
+} /* X509_NAME_ENTRY */;
+
+/* we always keep X509_NAMEs in 2 forms. */
+struct X509_name_st {
+ STACK_OF(X509_NAME_ENTRY) *entries;
+ int modified; /* true if 'bytes' needs to be built */
+#ifndef OPENSSL_NO_BUFFER
+ BUF_MEM *bytes;
+#else
+ char *bytes;
+#endif
+/* unsigned long hash; Keep the hash around for lookups */
+ unsigned char *canon_enc;
+ int canon_enclen;
+} /* X509_NAME */;
+
+struct X509_extension_st {
+ ASN1_OBJECT *object;
+ ASN1_BOOLEAN critical;
+ ASN1_OCTET_STRING *value;
+} /* X509_EXTENSION */;
+
+struct x509_attributes_st {
+ ASN1_OBJECT *object;
+ int single; /* 0 for a set, 1 for a single item (which is wrong) */
+ union {
+ char *ptr;
+/* 0 */ STACK_OF(ASN1_TYPE) *set;
+/* 1 */ ASN1_TYPE *single;
+ } value;
+} /* X509_ATTRIBUTE */;
+
+struct X509_req_info_st {
+ ASN1_ENCODING enc;
+ ASN1_INTEGER *version;
+ X509_NAME *subject;
+ X509_PUBKEY *pubkey;
+ /* d=2 hl=2 l= 0 cons: cont: 00 */
+ STACK_OF(X509_ATTRIBUTE) *attributes; /* [ 0 ] */
+} /* X509_REQ_INFO */;
+
+struct X509_req_st {
+ X509_REQ_INFO *req_info;
+ X509_ALGOR *sig_alg;
+ ASN1_BIT_STRING *signature;
+ int references;
+} /* X509_REQ */;
+
+/*
+ * This stuff is certificate "auxiliary info" it contains details which are
+ * useful in certificate stores and databases. When used this is tagged onto
+ * the end of the certificate itself.
+ */
+struct x509_cert_aux_st {
+ STACK_OF(ASN1_OBJECT) *trust; /* trusted uses */
+ STACK_OF(ASN1_OBJECT) *reject; /* rejected uses */
+ ASN1_UTF8STRING *alias; /* "friendly name" */
+ ASN1_OCTET_STRING *keyid; /* key id of private key */
+ STACK_OF(X509_ALGOR) *other; /* other unspecified info */
+} /* X509_CERT_AUX */;
+
+struct x509_cinf_st {
+ ASN1_INTEGER *version; /* [ 0 ] default of v1 */
+ ASN1_INTEGER *serialNumber;
+ X509_ALGOR *signature;
+ X509_NAME *issuer;
+ X509_VAL *validity;
+ X509_NAME *subject;
+ X509_PUBKEY *key;
+ ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */
+ ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */
+ STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */
+ ASN1_ENCODING enc;
+} /* X509_CINF */;
+
+struct x509_st {
+ X509_CINF *cert_info;
+ X509_ALGOR *sig_alg;
+ ASN1_BIT_STRING *signature;
+ int valid;
+ int references;
+ char *name;
+ CRYPTO_EX_DATA ex_data;
+ /* These contain copies of various extension values */
+ long ex_pathlen;
+ long ex_pcpathlen;
+ unsigned long ex_flags;
+ unsigned long ex_kusage;
+ unsigned long ex_xkusage;
+ unsigned long ex_nscert;
+ ASN1_OCTET_STRING *skid;
+ AUTHORITY_KEYID *akid;
+ X509_POLICY_CACHE *policy_cache;
+ STACK_OF(DIST_POINT) *crldp;
+ STACK_OF(GENERAL_NAME) *altname;
+ NAME_CONSTRAINTS *nc;
+#ifndef OPENSSL_NO_RFC3779
+ STACK_OF(IPAddressFamily) *rfc3779_addr;
+ struct ASIdentifiers_st *rfc3779_asid;
+#endif
+#ifndef OPENSSL_NO_SHA
+ unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+#endif
+ X509_CERT_AUX *aux;
+} /* X509 */;
+
+struct x509_revoked_st {
+ ASN1_INTEGER *serialNumber;
+ ASN1_TIME *revocationDate;
+ STACK_OF(X509_EXTENSION) /* optional */ *extensions;
+ /* Set up if indirect CRL */
+ STACK_OF(GENERAL_NAME) *issuer;
+ /* Revocation reason */
+ int reason;
+ int sequence; /* load sequence */
+};
+
+struct X509_crl_info_st {
+ ASN1_INTEGER *version;
+ X509_ALGOR *sig_alg;
+ X509_NAME *issuer;
+ ASN1_TIME *lastUpdate;
+ ASN1_TIME *nextUpdate;
+ STACK_OF(X509_REVOKED) *revoked;
+ STACK_OF(X509_EXTENSION) /* [0] */ *extensions;
+ ASN1_ENCODING enc;
+} /* X509_CRL_INFO */;
+
+struct X509_crl_st {
+ /* actual signature */
+ X509_CRL_INFO *crl;
+ X509_ALGOR *sig_alg;
+ ASN1_BIT_STRING *signature;
+ int references;
+ int flags;
+ /* Copies of various extensions */
+ AUTHORITY_KEYID *akid;
+ ISSUING_DIST_POINT *idp;
+ /* Convenient breakdown of IDP */
+ int idp_flags;
+ int idp_reasons;
+ /* CRL and base CRL numbers for delta processing */
+ ASN1_INTEGER *crl_number;
+ ASN1_INTEGER *base_crl_number;
+#ifndef OPENSSL_NO_SHA
+ unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+#endif
+ STACK_OF(GENERAL_NAMES) *issuers;
+ const X509_CRL_METHOD *meth;
+ void *meth_data;
+} /* X509_CRL */;
+
+struct pkcs8_priv_key_info_st {
+ ASN1_INTEGER *version;
+ X509_ALGOR *pkeyalg;
+ ASN1_OCTET_STRING *pkey;
+ STACK_OF(X509_ATTRIBUTE) *attributes;
+};
+
+struct x509_object_st {
+ /* one of the above types */
+ int type;
+ union {
+ char *ptr;
+ X509 *x509;
+ X509_CRL *crl;
+ EVP_PKEY *pkey;
+ } data;
+} /* X509_OBJECT */;
+
+struct x509_lookup_method_st {
+ const char *name;
+ int (*new_item)(X509_LOOKUP *ctx);
+ void (*free)(X509_LOOKUP *ctx);
+ int (*init)(X509_LOOKUP *ctx);
+ int (*shutdown)(X509_LOOKUP *ctx);
+ int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
+ char **ret);
+ int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name,
+ X509_OBJECT *ret);
+ int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name,
+ ASN1_INTEGER *serial,X509_OBJECT *ret);
+ int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type,
+ const unsigned char *bytes, int len, X509_OBJECT *ret);
+ int (*get_by_alias)(X509_LOOKUP *ctx, int type, const char *str,
+ int len, X509_OBJECT *ret);
+} /* X509_LOOKUP_METHOD */;
+
+struct X509_VERIFY_PARAM_st {
+ char *name;
+ time_t check_time; /* Time to use */
+ unsigned long inh_flags; /* Inheritance flags */
+ unsigned long flags; /* Various verify flags */
+ int purpose; /* purpose to check untrusted certificates */
+ int trust; /* trust setting to check */
+ int depth; /* Verify depth */
+ STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */
+ X509_VERIFY_PARAM_ID *id; /* opaque ID data */
+} /* X509_VERIFY_PARAM */;
+
+/*
+ * This is used to hold everything. It is used for all certificate
+ * validation. Once we have a certificate chain, the 'verify'
+ * function is then called to actually check the cert chain.
+ */
+struct x509_store_st {
+ /* The following is a cache of trusted certs */
+ int cache; /* if true, stash any hits */
+ STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */
+
+ /* These are external lookup methods */
+ STACK_OF(X509_LOOKUP) *get_cert_methods;
+
+ X509_VERIFY_PARAM *param;
+
+ /* Callbacks for various operations */
+ int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
+ int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
+ int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
+ int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
+ int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
+ int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
+ int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
+ int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
+ STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
+ STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
+ int (*cleanup)(X509_STORE_CTX *ctx);
+
+ CRYPTO_EX_DATA ex_data;
+ int references;
+} /* X509_STORE */;
+
+/* This is the functions plus an instance of the local variables. */
+struct x509_lookup_st {
+ int init; /* have we been started */
+ int skip; /* don't use us. */
+ X509_LOOKUP_METHOD *method; /* the functions */
+ char *method_data; /* method data */
+
+ X509_STORE *store_ctx; /* who owns us */
+} /* X509_LOOKUP */;
+
+/*
+ * This is used when verifying cert chains. Since the gathering of the cert
+ * chain can take some time (and has to be 'retried'), this needs to be kept
+ * and passed around.
+ */
+struct x509_store_ctx_st {
+ X509_STORE *ctx;
+ int current_method; /* used when looking up certs */
+
+ /* The following are set by the caller */
+ X509 *cert; /* The cert to check */
+ STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */
+ STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */
+
+ X509_VERIFY_PARAM *param;
+ void *other_ctx; /* Other info for use with get_issuer() */
+
+ /* Callbacks for various operations */
+ int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
+ int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
+ int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
+ int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
+ int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
+ int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
+ int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
+ int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
+ int (*check_policy)(X509_STORE_CTX *ctx);
+ STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
+ STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
+ int (*cleanup)(X509_STORE_CTX *ctx);
+
+ /* The following is built up */
+ int valid; /* if 0, rebuild chain */
+ int last_untrusted; /* XXX: number of untrusted certs in chain!!! */
+ STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */
+ X509_POLICY_TREE *tree; /* Valid policy tree */
+
+ int explicit_policy; /* Require explicit policy value */
+
+ /* When something goes wrong, this is why */
+ int error_depth;
+ int error;
+ X509 *current_cert;
+ X509 *current_issuer; /* cert currently being tested as valid issuer */
+ X509_CRL *current_crl; /* current CRL */
+
+ int current_crl_score; /* score of current CRL */
+ unsigned int current_reasons; /* Reason mask */
+
+ X509_STORE_CTX *parent; /* For CRL path validation: parent context */
+
+ CRYPTO_EX_DATA ex_data;
+} /* X509_STORE_CTX */;
+
int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet);
__END_HIDDEN_DECLS
+
+#endif /* !HEADER_X509_LCL_H */
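Review bot: x509_lcl.h now defines its structs in terms of types such as `X509_ALGOR`, `AUTHORITY_KEYID`, `CRYPTO_EX_DATA`, `SHA_DIGEST_LENGTH` and `time_t`, yet the visible part of the header goes from the new include guard straight to `__BEGIN_HIDDEN_DECLS` with no `#include`, so it only compiles when every includer has already pulled in the public X.509 headers. The .c files touched by this commit get that right by ordering, but the header would be more robust if it included what it uses, e.g. `#include <openssl/x509v3.h>` right after `#define HEADER_X509_LCL_H` (assuming that header brings in x509.h and x509_vfy.h, which is not visible here). Separately, the moved comment `/* one of the above types */` in `struct x509_object_st` no longer has anything above it to refer to, because the `X509_LOOKUP_TYPE` enum stays in x509_vfy.h; `/* one of the X509_LU_* values */` would read correctly in the new location.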
diff --git a/lib/libcrypto/x509/x509_lib.c b/lib/libcrypto/x509/x509_lib.c
index 211d0adfeec..a518d5b950d 100644
--- a/lib/libcrypto/x509/x509_lib.c
+++ b/lib/libcrypto/x509/x509_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lib.c,v 1.2 2020/09/14 11:35:32 beck Exp $ */
+/* $OpenBSD: x509_lib.c,v 1.3 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -64,6 +64,7 @@
#include <openssl/x509v3.h>
#include "ext_dat.h"
+#include "x509_lcl.h"
static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL;
diff --git a/lib/libcrypto/x509/x509_ncons.c b/lib/libcrypto/x509/x509_ncons.c
index 1621f986171..613527005a5 100644
--- a/lib/libcrypto/x509/x509_ncons.c
+++ b/lib/libcrypto/x509/x509_ncons.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ncons.c,v 1.4 2020/09/16 18:12:06 beck Exp $ */
+/* $OpenBSD: x509_ncons.c,v 1.5 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project.
*/
@@ -64,6 +64,8 @@
#include <openssl/err.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval);
static int i2r_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method,
diff --git a/lib/libcrypto/x509/x509_obj.c b/lib/libcrypto/x509/x509_obj.c
index 5c537990206..58ffa3a2f25 100644
--- a/lib/libcrypto/x509/x509_obj.c
+++ b/lib/libcrypto/x509/x509_obj.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_obj.c,v 1.18 2018/05/18 18:19:31 tb Exp $ */
+/* $OpenBSD: x509_obj.c,v 1.19 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -65,6 +65,8 @@
#include <openssl/objects.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
char *
X509_NAME_oneline(const X509_NAME *a, char *buf, int len)
{
diff --git a/lib/libcrypto/x509/x509_prn.c b/lib/libcrypto/x509/x509_prn.c
index 5c15cc390fc..4977051d4a9 100644
--- a/lib/libcrypto/x509/x509_prn.c
+++ b/lib/libcrypto/x509/x509_prn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_prn.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
+/* $OpenBSD: x509_prn.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -62,6 +62,8 @@
#include <openssl/conf.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
/* Extension printing routines */
static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
diff --git a/lib/libcrypto/x509/x509_purp.c b/lib/libcrypto/x509/x509_purp.c
index 8a5f6704a24..67a7b51fb15 100644
--- a/lib/libcrypto/x509/x509_purp.c
+++ b/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.11 2021/10/29 12:11:13 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.12 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2001.
*/
@@ -65,6 +65,8 @@
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
+#include "x509_lcl.h"
+
#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
#define ku_reject(x, usage) \
(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
diff --git a/lib/libcrypto/x509/x509_r2x.c b/lib/libcrypto/x509/x509_r2x.c
index 525163bc3e5..143d0f1aa09 100644
--- a/lib/libcrypto/x509/x509_r2x.c
+++ b/lib/libcrypto/x509/x509_r2x.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_r2x.c,v 1.11 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: x509_r2x.c,v 1.12 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -66,6 +66,8 @@
#include <openssl/objects.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
X509 *
X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey)
{
diff --git a/lib/libcrypto/x509/x509_req.c b/lib/libcrypto/x509/x509_req.c
index c81fe4a3a9c..556e32b317b 100644
--- a/lib/libcrypto/x509/x509_req.c
+++ b/lib/libcrypto/x509/x509_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_req.c,v 1.23 2021/10/23 11:56:10 tb Exp $ */
+/* $OpenBSD: x509_req.c,v 1.24 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -70,6 +70,8 @@
#include <openssl/pem.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
X509_REQ *
X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
{
diff --git a/lib/libcrypto/x509/x509_set.c b/lib/libcrypto/x509/x509_set.c
index c4ce8e5674d..5784f2203e0 100644
--- a/lib/libcrypto/x509/x509_set.c
+++ b/lib/libcrypto/x509/x509_set.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_set.c,v 1.19 2021/11/01 08:14:36 tb Exp $ */
+/* $OpenBSD: x509_set.c,v 1.20 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -63,6 +63,8 @@
#include <openssl/objects.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
const STACK_OF(X509_EXTENSION) *
X509_get0_extensions(const X509 *x)
{
diff --git a/lib/libcrypto/x509/x509_skey.c b/lib/libcrypto/x509/x509_skey.c
index a9064273788..58bb66bc059 100644
--- a/lib/libcrypto/x509/x509_skey.c
+++ b/lib/libcrypto/x509/x509_skey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_skey.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */
+/* $OpenBSD: x509_skey.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -62,6 +62,8 @@
#include <openssl/err.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, char *str);
diff --git a/lib/libcrypto/x509/x509_trs.c b/lib/libcrypto/x509/x509_trs.c
index 1a60e5a3cf4..72d616a1066 100644
--- a/lib/libcrypto/x509/x509_trs.c
+++ b/lib/libcrypto/x509/x509_trs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_trs.c,v 1.24 2021/07/23 20:50:28 schwarze Exp $ */
+/* $OpenBSD: x509_trs.c,v 1.25 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 1999.
*/
@@ -62,6 +62,8 @@
#include <openssl/err.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
static int tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b);
static void trtable_free(X509_TRUST *p);
diff --git a/lib/libcrypto/x509/x509_v3.c b/lib/libcrypto/x509/x509_v3.c
index 524d5511ed2..9aefb8d99df 100644
--- a/lib/libcrypto/x509/x509_v3.c
+++ b/lib/libcrypto/x509/x509_v3.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_v3.c,v 1.17 2018/05/19 10:54:40 tb Exp $ */
+/* $OpenBSD: x509_v3.c,v 1.18 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -66,6 +66,8 @@
#include <openssl/x509.h>
#include <openssl/x509v3.h>
+#include "x509_lcl.h"
+
int
X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x)
{
diff --git a/lib/libcrypto/x509/x509_vfy.c b/lib/libcrypto/x509/x509_vfy.c
index 4c3fe7f3e3e..664474139cd 100644
--- a/lib/libcrypto/x509/x509_vfy.c
+++ b/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.92 2021/10/26 15:14:18 job Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.93 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -76,8 +76,6 @@
#include "asn1_locl.h"
#include "vpm_int.h"
#include "x509_internal.h"
-#include "x509_lcl.h"
-#include "x509_internal.h"
/* CRL score values */
diff --git a/lib/libcrypto/x509/x509_vfy.h b/lib/libcrypto/x509/x509_vfy.h
index 61ea11b71ac..133ffda337e 100644
--- a/lib/libcrypto/x509/x509_vfy.h
+++ b/lib/libcrypto/x509/x509_vfy.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.h,v 1.45 2021/11/01 08:14:36 tb Exp $ */
+/* $OpenBSD: x509_vfy.h,v 1.46 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -100,173 +100,17 @@ typedef enum {
X509_LU_CRL,
} X509_LOOKUP_TYPE;
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-typedef struct x509_object_st {
- /* one of the above types */
- int type;
- union {
- char *ptr;
- X509 *x509;
- X509_CRL *crl;
- EVP_PKEY *pkey;
- } data;
-} X509_OBJECT;
-#else
-typedef struct x509_object_st X509_OBJECT;
-#endif
-
-typedef struct x509_lookup_st X509_LOOKUP;
DECLARE_STACK_OF(X509_LOOKUP)
DECLARE_STACK_OF(X509_OBJECT)
+DECLARE_STACK_OF(X509_VERIFY_PARAM)
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-/* This is a static that defines the function interface */
-typedef struct x509_lookup_method_st {
- const char *name;
- int (*new_item)(X509_LOOKUP *ctx);
- void (*free)(X509_LOOKUP *ctx);
- int (*init)(X509_LOOKUP *ctx);
- int (*shutdown)(X509_LOOKUP *ctx);
- int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl,
- char **ret);
- int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name,
- X509_OBJECT *ret);
- int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name,
- ASN1_INTEGER *serial,X509_OBJECT *ret);
- int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type,
- const unsigned char *bytes, int len, X509_OBJECT *ret);
- int (*get_by_alias)(X509_LOOKUP *ctx, int type, const char *str,
- int len, X509_OBJECT *ret);
-} X509_LOOKUP_METHOD;
-
+/* unused in OpenSSL */
typedef struct X509_VERIFY_PARAM_ID_st X509_VERIFY_PARAM_ID;
-/* This structure hold all parameters associated with a verify operation
- * by including an X509_VERIFY_PARAM structure in related structures the
- * parameters used can be customized
- */
-
-typedef struct X509_VERIFY_PARAM_st {
- char *name;
- time_t check_time; /* Time to use */
- unsigned long inh_flags; /* Inheritance flags */
- unsigned long flags; /* Various verify flags */
- int purpose; /* purpose to check untrusted certificates */
- int trust; /* trust setting to check */
- int depth; /* Verify depth */
- STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */
- X509_VERIFY_PARAM_ID *id; /* opaque ID data */
-} X509_VERIFY_PARAM;
-#else
-typedef struct x509_lookup_method_st X509_LOOKUP_METHOD;
-typedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM;
-#endif
-
-DECLARE_STACK_OF(X509_VERIFY_PARAM)
-
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-/*
- * This is used to hold everything. It is used for all certificate
- * validation. Once we have a certificate chain, the 'verify'
- * function is then called to actually check the cert chain.
- */
-struct x509_store_st {
- /* The following is a cache of trusted certs */
- int cache; /* if true, stash any hits */
- STACK_OF(X509_OBJECT) *objs; /* Cache of all objects */
-
- /* These are external lookup methods */
- STACK_OF(X509_LOOKUP) *get_cert_methods;
-
- X509_VERIFY_PARAM *param;
-
- /* Callbacks for various operations */
- int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
- int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
- int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
- int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
- int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
- int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
- int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
- int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
- STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
- STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
- int (*cleanup)(X509_STORE_CTX *ctx);
-
- CRYPTO_EX_DATA ex_data;
- int references;
-} /* X509_STORE */;
-#endif
int X509_STORE_set_depth(X509_STORE *store, int depth);
-#if defined(LIBRESSL_CRYPTO_INTERNAL) || !defined(LIBRESSL_OPAQUE_X509)
-/* This is the functions plus an instance of the local variables. */
-struct x509_lookup_st {
- int init; /* have we been started */
- int skip; /* don't use us. */
- X509_LOOKUP_METHOD *method; /* the functions */
- char *method_data; /* method data */
-
- X509_STORE *store_ctx; /* who owns us */
-} /* X509_LOOKUP */;
-
-/*
- * This is used when verifying cert chains. Since the gathering of the cert
- * chain can take some time (and has to be 'retried'), this needs to be kept
- * and passed around.
- */
-struct x509_store_ctx_st {
- X509_STORE *ctx;
- int current_method; /* used when looking up certs */
-
- /* The following are set by the caller */
- X509 *cert; /* The cert to check */
- STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */
- STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */
-
- X509_VERIFY_PARAM *param;
- void *other_ctx; /* Other info for use with get_issuer() */
-
- /* Callbacks for various operations */
- int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */
- int (*verify_cb)(int ok,X509_STORE_CTX *ctx); /* error callback */
- int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); /* get issuers cert from ctx */
- int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); /* check issued */
- int (*check_revocation)(X509_STORE_CTX *ctx); /* Check revocation status of chain */
- int (*get_crl)(X509_STORE_CTX *ctx, X509_CRL **crl, X509 *x); /* retrieve CRL */
- int (*check_crl)(X509_STORE_CTX *ctx, X509_CRL *crl); /* Check CRL validity */
- int (*cert_crl)(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x); /* Check certificate against CRL */
- int (*check_policy)(X509_STORE_CTX *ctx);
- STACK_OF(X509) * (*lookup_certs)(X509_STORE_CTX *ctx, X509_NAME *nm);
- STACK_OF(X509_CRL) * (*lookup_crls)(X509_STORE_CTX *ctx, X509_NAME *nm);
- int (*cleanup)(X509_STORE_CTX *ctx);
-
- /* The following is built up */
- int valid; /* if 0, rebuild chain */
- int last_untrusted; /* XXX: number of untrusted certs in chain!!! */
- STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */
- X509_POLICY_TREE *tree; /* Valid policy tree */
-
- int explicit_policy; /* Require explicit policy value */
-
- /* When something goes wrong, this is why */
- int error_depth;
- int error;
- X509 *current_cert;
- X509 *current_issuer; /* cert currently being tested as valid issuer */
- X509_CRL *current_crl; /* current CRL */
-
- int current_crl_score; /* score of current CRL */
- unsigned int current_reasons; /* Reason mask */
-
- X509_STORE_CTX *parent; /* For CRL path validation: parent context */
-
- CRYPTO_EX_DATA ex_data;
-} /* X509_STORE_CTX */;
-#endif
-
void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define X509_STORE_CTX_set_app_data(ctx,data) \
diff --git a/lib/libcrypto/x509/x509_vpm.c b/lib/libcrypto/x509/x509_vpm.c
index 42ea6e72c95..13171e40f5c 100644
--- a/lib/libcrypto/x509/x509_vpm.c
+++ b/lib/libcrypto/x509/x509_vpm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vpm.c,v 1.27 2021/09/30 18:23:46 jsing Exp $ */
+/* $OpenBSD: x509_vpm.c,v 1.28 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004.
*/
@@ -67,6 +67,7 @@
#include <openssl/x509v3.h>
#include "vpm_int.h"
+#include "x509_lcl.h"
/* X509_VERIFY_PARAM functions */
diff --git a/lib/libcrypto/x509/x509cset.c b/lib/libcrypto/x509/x509cset.c
index 98fbdc2025c..b3af77d90e5 100644
--- a/lib/libcrypto/x509/x509cset.c
+++ b/lib/libcrypto/x509/x509cset.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509cset.c,v 1.15 2021/10/23 11:56:10 tb Exp $ */
+/* $OpenBSD: x509cset.c,v 1.16 2021/11/01 20:53:08 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2001.
*/
@@ -63,8 +63,10 @@
#include <openssl/objects.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
int
-X509_CRL_up_ref(X509_CRL *x)
+X509_CRL_up_ref(X509_CRL *x)
{
int refs = CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
return (refs > 1) ? 1 : 0;
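Review bot: The `-`/`+` pair on `X509_CRL_up_ref(X509_CRL *x)` reads identically on this page, so it is presumably a trailing-whitespace cleanup riding along with the header move. In a commit that touches this many files, cosmetic changes like this are easier to audit when they land separately. The added `#include "x509_lcl.h"` is needed here because this function reads `x->references`, and per the commit message the struct definitions now live only in the internal header. A short comment next to the include, such as `/* for x->references in X509_CRL_up_ref() */`, would record why this file reaches into the struct and help later cleanups of unneeded includes. The function's closing brace lies outside the hunk.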
diff --git a/lib/libcrypto/x509/x509name.c b/lib/libcrypto/x509/x509name.c
index 3649d6ab7cd..878d7878461 100644
--- a/lib/libcrypto/x509/x509name.c
+++ b/lib/libcrypto/x509/x509name.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509name.c,v 1.26 2018/05/30 15:35:45 tb Exp $ */
+/* $OpenBSD: x509name.c,v 1.27 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -66,6 +66,8 @@
#include <openssl/stack.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
int
X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len)
{
diff --git a/lib/libcrypto/x509/x509rset.c b/lib/libcrypto/x509/x509rset.c
index dabeda2a64e..a2dd9e4cd2b 100644
--- a/lib/libcrypto/x509/x509rset.c
+++ b/lib/libcrypto/x509/x509rset.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509rset.c,v 1.8 2021/10/21 16:47:01 tb Exp $ */
+/* $OpenBSD: x509rset.c,v 1.9 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -63,6 +63,8 @@
#include <openssl/objects.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
int
X509_REQ_set_version(X509_REQ *x, long version)
{
diff --git a/lib/libcrypto/x509/x509type.c b/lib/libcrypto/x509/x509type.c
index 315a5c2326f..1748ee5110b 100644
--- a/lib/libcrypto/x509/x509type.c
+++ b/lib/libcrypto/x509/x509type.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509type.c,v 1.13 2018/05/30 15:59:33 tb Exp $ */
+/* $OpenBSD: x509type.c,v 1.14 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -62,6 +62,8 @@
#include <openssl/objects.h>
#include <openssl/x509.h>
+#include "x509_lcl.h"
+
int
X509_certificate_type(const X509 *x, const EVP_PKEY *pkey)
{
diff --git a/lib/libcrypto/x509/x_all.c b/lib/libcrypto/x509/x_all.c
index 36c12b80e5e..c06e74c9157 100644
--- a/lib/libcrypto/x509/x_all.c
+++ b/lib/libcrypto/x509/x_all.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x_all.c,v 1.23 2016/12/30 15:24:51 jsing Exp $ */
+/* $OpenBSD: x_all.c,v 1.24 2021/11/01 20:53:08 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -73,6 +73,8 @@
#include <openssl/rsa.h>
#endif
+#include "x509_lcl.h"
+
X509 *
d2i_X509_bio(BIO *bp, X509 **x509)
{