In OpenSSL builds, declare STACK for datatypes ...

... and only *define* them in the source files that need them.
Use DEFINE_OR_DECLARE which is set appropriately for internal builds
and not non-deprecated builds.

Deprecate stack-of-block

Better documentation

Move some ASN1 struct typedefs to types.h

Update ParseC to handle this.  Most of all, ParseC needed to be more
consistent.  The handlers are "recursive", in so far that they are called
again and again until they terminate, which depends entirely on what the
"massager" returns.  There's a comment at the beginning of ParseC that
explains how that works. {Richard Levtte}

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/10669)

22 files changed, 125 insertions, 121 deletions

diff --git a/include/openssl/asn1.h b/include/openssl/asn1.h
index f58781272d..a5b14152a9 100644
--- a/include/openssl/asn1.h
+++ b/include/openssl/asn1.h
@@ -119,8 +119,14 @@ extern "C" {
 # define SMIME_OLDMIME           0x400
 # define SMIME_CRLFEOL           0x800
 # define SMIME_STREAM            0x1000
-    struct X509_algor_st;
-DEFINE_STACK_OF(X509_ALGOR)
+
+DEFINE_OR_DECLARE_STACK_OF(ASN1_GENERALSTRING)
+DEFINE_OR_DECLARE_STACK_OF(ASN1_INTEGER)
+DEFINE_OR_DECLARE_STACK_OF(ASN1_OBJECT)
+DEFINE_OR_DECLARE_STACK_OF(ASN1_STRING_TABLE)
+DEFINE_OR_DECLARE_STACK_OF(ASN1_UTF8STRING)
+DEFINE_OR_DECLARE_STACK_OF(X509_ALGOR)
+DEFINE_OR_DECLARE_STACK_OF(ASN1_TYPE)
 
 # define ASN1_STRING_FLAG_BITS_LEFT 0x08/* Set if 0x07 has bits left value */
 /*
@@ -187,15 +193,14 @@ typedef struct ASN1_ENCODING_st {
  (B_ASN1_PRINTABLESTRING|B_ASN1_T61STRING|B_ASN1_BMPSTRING|B_ASN1_UTF8STRING)
 # define PKCS9STRING_TYPE (DIRSTRING_TYPE|B_ASN1_IA5STRING)
 
-typedef struct asn1_string_table_st {
+struct asn1_string_table_st {
     int nid;
     long minsize;
     long maxsize;
     unsigned long mask;
     unsigned long flags;
-} ASN1_STRING_TABLE;
+};
 
-DEFINE_STACK_OF(ASN1_STRING_TABLE)
 
 /* size limits: this stuff is taken straight from RFC2459 */
 
@@ -419,13 +424,8 @@ typedef const ASN1_ITEM *ASN1_ITEM_EXP (void);
                                 ASN1_STRFLGS_DUMP_UNKNOWN | \
                                 ASN1_STRFLGS_DUMP_DER)
 
-DEFINE_STACK_OF(ASN1_INTEGER)
-
-DEFINE_STACK_OF(ASN1_GENERALSTRING)
 
-DEFINE_STACK_OF(ASN1_UTF8STRING)
-
-typedef struct asn1_type_st {
+struct asn1_type_st {
     int type;
     union {
         char *ptr;
@@ -454,9 +454,8 @@ typedef struct asn1_type_st {
         ASN1_STRING *sequence;
         ASN1_VALUE *asn1_value;
     } value;
-} ASN1_TYPE;
+};
 
-DEFINE_STACK_OF(ASN1_TYPE)
 
 typedef STACK_OF(ASN1_TYPE) ASN1_SEQUENCE_ANY;
 
@@ -511,7 +510,6 @@ ASN1_TYPE *ASN1_TYPE_pack_sequence(const ASN1_ITEM *it, void *s, ASN1_TYPE **t);
 void *ASN1_TYPE_unpack_sequence(const ASN1_ITEM *it, const ASN1_TYPE *t);
 
 DECLARE_ASN1_FUNCTIONS(ASN1_OBJECT)
-DEFINE_STACK_OF(ASN1_OBJECT)
 
 ASN1_STRING *ASN1_STRING_new(void);
 void ASN1_STRING_free(ASN1_STRING *a);
diff --git a/include/openssl/asn1t.h b/include/openssl/asn1t.h
index 837fd427b0..286db9e2eb 100644
--- a/include/openssl/asn1t.h
+++ b/include/openssl/asn1t.h
@@ -880,7 +880,7 @@ DECLARE_ASN1_ITEM(LONG)
 DECLARE_ASN1_ITEM(ZLONG)
 # endif
 
-DEFINE_STACK_OF(ASN1_VALUE)
+DEFINE_OR_DECLARE_STACK_OF(ASN1_VALUE)
 
 /* Functions used internally by the ASN1 code */
 
diff --git a/include/openssl/bio.h b/include/openssl/bio.h
index edc9fbd6b4..b4047d55b9 100644
--- a/include/openssl/bio.h
+++ b/include/openssl/bio.h
@@ -286,7 +286,7 @@ int BIO_method_type(const BIO *b);
 typedef int BIO_info_cb(BIO *, int, int);
 typedef BIO_info_cb bio_info_cb;  /* backward compatibility */
 
-DEFINE_STACK_OF(BIO)
+DEFINE_OR_DECLARE_STACK_OF(BIO)
 
 /* Prefix and suffix callback in ASN1 BIO */
 typedef int asn1_ps_func (BIO *b, unsigned char **pbuf, int *plen,
diff --git a/include/openssl/cmp.h b/include/openssl/cmp.h
index 6a5da278d1..76ba0e3bf1 100644
--- a/include/openssl/cmp.h
+++ b/include/openssl/cmp.h
@@ -202,6 +202,12 @@ DECLARE_ASN1_ITEM(OSSL_CMP_PKISTATUS)
 #  define OSSL_CMP_CERTORENCCERT_CERTIFICATE 0
 #  define OSSL_CMP_CERTORENCCERT_ENCRYPTEDCERT 1
 
+DEFINE_OR_DECLARE_STACK_OF(OSSL_CMP_CERTSTATUS)
+DEFINE_OR_DECLARE_STACK_OF(OSSL_CMP_ITAV)
+DEFINE_OR_DECLARE_STACK_OF(OSSL_CMP_PKISI)
+DEFINE_OR_DECLARE_STACK_OF(OSSL_CMP_CERTREPMESSAGE)
+DEFINE_OR_DECLARE_STACK_OF(OSSL_CMP_CERTRESPONSE)
+
 /* data type declarations */
 typedef struct ossl_cmp_ctx_st OSSL_CMP_CTX;
 typedef struct ossl_cmp_pkiheader_st OSSL_CMP_PKIHEADER;
@@ -210,21 +216,16 @@ typedef struct ossl_cmp_msg_st OSSL_CMP_MSG;
 DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_MSG)
 DECLARE_ASN1_ENCODE_FUNCTIONS(OSSL_CMP_MSG, OSSL_CMP_MSG, OSSL_CMP_MSG)
 typedef struct ossl_cmp_certstatus_st OSSL_CMP_CERTSTATUS;
-DEFINE_STACK_OF(OSSL_CMP_CERTSTATUS)
 typedef struct ossl_cmp_itav_st OSSL_CMP_ITAV;
 DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_ITAV)
-DEFINE_STACK_OF(OSSL_CMP_ITAV)
 typedef struct ossl_cmp_revrepcontent_st OSSL_CMP_REVREPCONTENT;
 typedef struct ossl_cmp_pkisi_st OSSL_CMP_PKISI;
 DECLARE_ASN1_FUNCTIONS(OSSL_CMP_PKISI)
 DECLARE_ASN1_DUP_FUNCTION(OSSL_CMP_PKISI)
-DEFINE_STACK_OF(OSSL_CMP_PKISI)
 typedef struct ossl_cmp_certrepmessage_st OSSL_CMP_CERTREPMESSAGE;
-DEFINE_STACK_OF(OSSL_CMP_CERTREPMESSAGE)
 typedef struct ossl_cmp_pollrep_st OSSL_CMP_POLLREP;
 typedef STACK_OF(OSSL_CMP_POLLREP) OSSL_CMP_POLLREPCONTENT;
 typedef struct ossl_cmp_certresponse_st OSSL_CMP_CERTRESPONSE;
-DEFINE_STACK_OF(OSSL_CMP_CERTRESPONSE)
 typedef STACK_OF(ASN1_UTF8STRING) OSSL_CMP_PKIFREETEXT;
 
 /*
diff --git a/include/openssl/cms.h b/include/openssl/cms.h
index c7e5abcf51..a0f4b6a0ec 100644
--- a/include/openssl/cms.h
+++ b/include/openssl/cms.h
@@ -36,10 +36,11 @@ typedef struct CMS_Receipt_st CMS_Receipt;
 typedef struct CMS_RecipientEncryptedKey_st CMS_RecipientEncryptedKey;
 typedef struct CMS_OtherKeyAttribute_st CMS_OtherKeyAttribute;
 
-DEFINE_STACK_OF(CMS_SignerInfo)
-DEFINE_STACK_OF(CMS_RecipientEncryptedKey)
-DEFINE_STACK_OF(CMS_RecipientInfo)
-DEFINE_STACK_OF(CMS_RevocationInfoChoice)
+DEFINE_OR_DECLARE_STACK_OF(CMS_SignerInfo)
+DEFINE_OR_DECLARE_STACK_OF(CMS_RecipientEncryptedKey)
+DEFINE_OR_DECLARE_STACK_OF(CMS_RecipientInfo)
+DEFINE_OR_DECLARE_STACK_OF(CMS_RevocationInfoChoice)
+
 DECLARE_ASN1_FUNCTIONS(CMS_ContentInfo)
 DECLARE_ASN1_FUNCTIONS(CMS_ReceiptRequest)
 DECLARE_ASN1_PRINT_FUNCTION(CMS_ContentInfo)
diff --git a/include/openssl/conf.h b/include/openssl/conf.h
index d15d47873f..6a36a85b0f 100644
--- a/include/openssl/conf.h
+++ b/include/openssl/conf.h
@@ -33,7 +33,9 @@ typedef struct {
     char *value;
 } CONF_VALUE;
 
-DEFINE_STACK_OF(CONF_VALUE)
+DEFINE_OR_DECLARE_STACK_OF(CONF_VALUE)
+DEFINE_OR_DECLARE_STACK_OF(CONF_MODULE)
+
 DEFINE_LHASH_OF(CONF_VALUE);
 
 struct conf_st;
@@ -58,8 +60,7 @@ struct conf_method_st {
 typedef struct conf_imodule_st CONF_IMODULE;
 typedef struct conf_module_st CONF_MODULE;
 
-DEFINE_STACK_OF(CONF_MODULE)
-DEFINE_STACK_OF(CONF_IMODULE)
+STACK_OF(CONF_IMODULE);
 
 /* DSO module function typedefs */
 typedef int conf_init_func (CONF_IMODULE *md, const CONF *cnf);
diff --git a/include/openssl/crmf.h b/include/openssl/crmf.h
index 02ed3af761..4908ebd563 100644
--- a/include/openssl/crmf.h
+++ b/include/openssl/crmf.h
@@ -30,6 +30,9 @@
 extern "C" {
 #  endif
 
+DEFINE_OR_DECLARE_STACK_OF(OSSL_CRMF_MSG)
+DEFINE_OR_DECLARE_STACK_OF(OSSL_CRMF_CERTID)
+
 #  define OSSL_CRMF_POPOPRIVKEY_THISMESSAGE          0
 #  define OSSL_CRMF_POPOPRIVKEY_SUBSEQUENTMESSAGE    1
 #  define OSSL_CRMF_POPOPRIVKEY_DHMAC                2
@@ -43,7 +46,6 @@ typedef struct ossl_crmf_encryptedvalue_st OSSL_CRMF_ENCRYPTEDVALUE;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_ENCRYPTEDVALUE)
 typedef struct ossl_crmf_msg_st OSSL_CRMF_MSG;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_MSG)
-DEFINE_STACK_OF(OSSL_CRMF_MSG)
 typedef struct ossl_crmf_attributetypeandvalue_st OSSL_CRMF_ATTRIBUTETYPEANDVALUE;
 typedef struct ossl_crmf_pbmparameter_st OSSL_CRMF_PBMPARAMETER;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PBMPARAMETER)
@@ -51,7 +53,6 @@ typedef struct ossl_crmf_poposigningkey_st OSSL_CRMF_POPOSIGNINGKEY;
 typedef struct ossl_crmf_certrequest_st OSSL_CRMF_CERTREQUEST;
 typedef struct ossl_crmf_certid_st OSSL_CRMF_CERTID;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_CERTID)
-DEFINE_STACK_OF(OSSL_CRMF_CERTID)
 
 typedef struct ossl_crmf_pkipublicationinfo_st OSSL_CRMF_PKIPUBLICATIONINFO;
 DECLARE_ASN1_FUNCTIONS(OSSL_CRMF_PKIPUBLICATIONINFO)
diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index e20d17b5d9..0b3a20dfd2 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@@ -169,7 +169,8 @@ struct crypto_ex_data_st {
     OPENSSL_CTX *ctx;
     STACK_OF(void) *sk;
 };
-DEFINE_STACK_OF(void)
+
+DEFINE_OR_DECLARE_STACK_OF(void)
 
 /*
  * Per class, we have a STACK of function pointers.
diff --git a/include/openssl/ct.h b/include/openssl/ct.h
index c3447004e6..280f7ceecf 100644
--- a/include/openssl/ct.h
+++ b/include/openssl/ct.h
@@ -34,6 +34,9 @@ extern "C" {
 /* All hashes are SHA256 in v1 of Certificate Transparency */
 # define CT_V1_HASHLEN SHA256_DIGEST_LENGTH
 
+DEFINE_OR_DECLARE_STACK_OF(SCT)
+DEFINE_OR_DECLARE_STACK_OF(CTLOG)
+
 typedef enum {
     CT_LOG_ENTRY_TYPE_NOT_SET = -1,
     CT_LOG_ENTRY_TYPE_X509 = 0,
@@ -61,9 +64,6 @@ typedef enum {
     SCT_VALIDATION_STATUS_UNKNOWN_VERSION
 } sct_validation_status_t;
 
-DEFINE_STACK_OF(SCT)
-DEFINE_STACK_OF(CTLOG)
-
 /******************************************
  * CT policy evaluation context functions *
  ******************************************/
diff --git a/include/openssl/ess.h b/include/openssl/ess.h
index c20bf8201d..5a31f678c1 100644
--- a/include/openssl/ess.h
+++ b/include/openssl/ess.h
@@ -19,16 +19,16 @@ extern "C" {
 # include <openssl/x509.h>
 # include <openssl/esserr.h>
 
+DEFINE_OR_DECLARE_STACK_OF(ESS_CERT_ID)
+DEFINE_OR_DECLARE_STACK_OF(ESS_CERT_ID_V2)
+
 typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL;
 typedef struct ESS_cert_id ESS_CERT_ID;
 typedef struct ESS_signing_cert ESS_SIGNING_CERT;
 
-DEFINE_STACK_OF(ESS_CERT_ID)
-
 typedef struct ESS_signing_cert_v2_st ESS_SIGNING_CERT_V2;
 typedef struct ESS_cert_id_v2_st ESS_CERT_ID_V2;
 
-DEFINE_STACK_OF(ESS_CERT_ID_V2)
 
 DECLARE_ASN1_ALLOC_FUNCTIONS(ESS_ISSUER_SERIAL)
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(ESS_ISSUER_SERIAL, ESS_ISSUER_SERIAL)
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index b9f55c0123..d40e843e8f 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -102,14 +102,13 @@ extern "C" {
 #  define OCSP_RESPID_KEY                 0x400
 #  define OCSP_NOTIME                     0x800
 
-typedef struct ocsp_cert_id_st OCSP_CERTID;
-
-DEFINE_STACK_OF(OCSP_CERTID)
+DEFINE_OR_DECLARE_STACK_OF(OCSP_CERTID)
+DEFINE_OR_DECLARE_STACK_OF(OCSP_ONEREQ)
+DEFINE_OR_DECLARE_STACK_OF(OCSP_RESPID)
+DEFINE_OR_DECLARE_STACK_OF(OCSP_SINGLERESP)
 
+typedef struct ocsp_cert_id_st OCSP_CERTID;
 typedef struct ocsp_one_request_st OCSP_ONEREQ;
-
-DEFINE_STACK_OF(OCSP_ONEREQ)
-
 typedef struct ocsp_req_info_st OCSP_REQINFO;
 typedef struct ocsp_signature_st OCSP_SIGNATURE;
 typedef struct ocsp_request_st OCSP_REQUEST;
@@ -126,7 +125,6 @@ typedef struct ocsp_resp_bytes_st OCSP_RESPBYTES;
 #  define V_OCSP_RESPID_NAME 0
 #  define V_OCSP_RESPID_KEY  1
 
-DEFINE_STACK_OF(OCSP_RESPID)
 
 typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO;
 
@@ -137,7 +135,6 @@ typedef struct ocsp_revoked_info_st OCSP_REVOKEDINFO;
 typedef struct ocsp_cert_status_st OCSP_CERTSTATUS;
 typedef struct ocsp_single_response_st OCSP_SINGLERESP;
 
-DEFINE_STACK_OF(OCSP_SINGLERESP)
 
 typedef struct ocsp_response_data_st OCSP_RESPDATA;
 
diff --git a/include/openssl/pkcs12.h b/include/openssl/pkcs12.h
index 51d6e8a485..474992e479 100644
--- a/include/openssl/pkcs12.h
+++ b/include/openssl/pkcs12.h
@@ -46,14 +46,14 @@ extern "C" {
 # define KEY_EX  0x10
 # define KEY_SIG 0x80
 
+DEFINE_OR_DECLARE_STACK_OF(PKCS12_SAFEBAG)
+
 typedef struct PKCS12_MAC_DATA_st PKCS12_MAC_DATA;
 
 typedef struct PKCS12_st PKCS12;
 
 typedef struct PKCS12_SAFEBAG_st PKCS12_SAFEBAG;
 
-DEFINE_STACK_OF(PKCS12_SAFEBAG)
-
 typedef struct pkcs12_bag_st PKCS12_BAGS;
 
 # define PKCS12_ERROR    0
diff --git a/include/openssl/pkcs7.h b/include/openssl/pkcs7.h
index 7c079a2ec5..4d114d75e7 100644
--- a/include/openssl/pkcs7.h
+++ b/include/openssl/pkcs7.h
@@ -28,6 +28,7 @@
 extern "C" {
 #endif
 
+
 /*-
 Encryption_ID           DES-CBC
 Digest_ID               MD5
@@ -51,8 +52,7 @@ typedef struct pkcs7_signer_info_st {
     /* The private key to sign with */
     EVP_PKEY *pkey;
 } PKCS7_SIGNER_INFO;
-
-DEFINE_STACK_OF(PKCS7_SIGNER_INFO)
+DEFINE_OR_DECLARE_STACK_OF(PKCS7_SIGNER_INFO)
 
 typedef struct pkcs7_recip_info_st {
     ASN1_INTEGER *version;      /* version 0 */
@@ -61,8 +61,8 @@ typedef struct pkcs7_recip_info_st {
     ASN1_OCTET_STRING *enc_key;
     X509 *cert;                 /* get the pub-key from this */
 } PKCS7_RECIP_INFO;
+DEFINE_OR_DECLARE_STACK_OF(PKCS7_RECIP_INFO)
 
-DEFINE_STACK_OF(PKCS7_RECIP_INFO)
 
 typedef struct pkcs7_signed_st {
     ASN1_INTEGER *version;      /* version 1 */
@@ -148,8 +148,8 @@ typedef struct pkcs7_st {
         ASN1_TYPE *other;
     } d;
 } PKCS7;
+DEFINE_OR_DECLARE_STACK_OF(PKCS7)
 
-DEFINE_STACK_OF(PKCS7)
 
 # define PKCS7_OP_SET_DETACHED_SIGNATURE 1
 # define PKCS7_OP_GET_DETACHED_SIGNATURE 2
diff --git a/include/openssl/safestack.h b/include/openssl/safestack.h
index b8de23cf3a..5d099e6246 100644
--- a/include/openssl/safestack.h
+++ b/include/openssl/safestack.h
@@ -132,11 +132,11 @@ extern "C" {
         return (sk_##t1##_compfunc)OPENSSL_sk_set_cmp_func((OPENSSL_STACK *)sk, (OPENSSL_sk_compfunc)compare); \
     }
 
-# define DEFINE_SPECIAL_STACK_OF(t1, t2) SKM_DEFINE_STACK_OF(t1, t2, t2)
 # define DEFINE_STACK_OF(t) SKM_DEFINE_STACK_OF(t, t, t)
+# define DEFINE_STACK_OF_CONST(t) SKM_DEFINE_STACK_OF(t, const t, t)
+# define DEFINE_SPECIAL_STACK_OF(t1, t2) SKM_DEFINE_STACK_OF(t1, t2, t2)
 # define DEFINE_SPECIAL_STACK_OF_CONST(t1, t2) \
             SKM_DEFINE_STACK_OF(t1, const t2, t2)
-# define DEFINE_STACK_OF_CONST(t) SKM_DEFINE_STACK_OF(t, const t, t)
 
 /*-
  * Strings are special: normally an lhash entry will point to a single
@@ -155,6 +155,28 @@ extern "C" {
 typedef char *OPENSSL_STRING;
 typedef const char *OPENSSL_CSTRING;
 
+# define DEFINE_STACK_OF_STRING() \
+        DEFINE_SPECIAL_STACK_OF(OPENSSL_STRING, char)
+# define DEFINE_STACK_OF_CSTRING() \
+        DEFINE_SPECIAL_STACK_OF_CONST(OPENSSL_CSTRING, char)
+
+/*
+ * If we're building OpenSSL, or we have no-deprecated configured,
+ * then we don't define the inline functions (see |SKM_DEFINE_STACK_OF|,
+ * above), we just declare the stack datatypes. Otherwise, for compatibility
+ * and to not remove the API's, we define the functions.  We have the
+ * trailing semicolon so that uses of this never need it.
+ */
+#if defined(OPENSSL_BUILDING_OPENSSL) || defined(OPENSSL_NO_DEPRECATED_3_0)
+# define DEFINE_OR_DECLARE_STACK_OF(s) STACK_OF(s);
+# define DEFINE_OR_DECLARE_STACK_OF_STRING() STACK_OF(OPENSSL_STRING);
+# define DEFINE_OR_DECLARE_STACK_OF_CSTRING() STACK_OF(OPENSSL_CSTRING);
+#else
+# define DEFINE_OR_DECLARE_STACK_OF(s) DEFINE_STACK_OF(s)
+# define DEFINE_OR_DECLARE_STACK_OF_STRING() DEFINE_STACK_OF_STRING()
+# define DEFINE_OR_DECLARE_STACK_OF_CSTRING() DEFINE_STACK_OF_CSTRING()
+#endif
+
 /*-
  * Confusingly, LHASH_OF(STRING) deals with char ** throughout, but
  * STACK_OF(STRING) is really more like STACK_OF(char), only, as mentioned
@@ -162,15 +184,17 @@ typedef const char *OPENSSL_CSTRING;
  * chars. So, we have to implement STRING specially for STACK_OF. This is
  * dealt with in the autogenerated macros below.
  */
-DEFINE_SPECIAL_STACK_OF(OPENSSL_STRING, char)
-DEFINE_SPECIAL_STACK_OF_CONST(OPENSSL_CSTRING, char)
+DEFINE_OR_DECLARE_STACK_OF_STRING()
+DEFINE_OR_DECLARE_STACK_OF_CSTRING()
 
+#if !defined(OPENSSL_NO_DEPRECATED_3_0)
 /*
- * Similarly, we sometimes use a block of characters, NOT nul-terminated.
+ * This is not used by OpenSSL.  A block of bytes,  NOT nul-terminated.
  * These should also be distinguished from "normal" stacks.
  */
 typedef void *OPENSSL_BLOCK;
 DEFINE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
+#endif
 
 /*
  * If called without higher optimization (min. -xO3) the Oracle Developer
diff --git a/include/openssl/srp.h b/include/openssl/srp.h
index 56d294b77a..dc7bce935e 100644
--- a/include/openssl/srp.h
+++ b/include/openssl/srp.h
@@ -33,14 +33,15 @@
 extern "C" {
 # endif
 
+DEFINE_OR_DECLARE_STACK_OF(SRP_gN_cache)
+DEFINE_OR_DECLARE_STACK_OF(SRP_user_pwd)
+DEFINE_OR_DECLARE_STACK_OF(SRP_gN)
+
 typedef struct SRP_gN_cache_st {
     char *b64_bn;
     BIGNUM *bn;
 } SRP_gN_cache;
 
-
-DEFINE_STACK_OF(SRP_gN_cache)
-
 typedef struct SRP_user_pwd_st {
     /* Owned by us. */
     char *id;
@@ -60,7 +61,6 @@ void SRP_user_pwd_set_gN(SRP_user_pwd *user_pwd, const BIGNUM *g, const BIGNUM *
 int SRP_user_pwd_set1_ids(SRP_user_pwd *user_pwd, const char *id, const char *info);
 int SRP_user_pwd_set0_sv(SRP_user_pwd *user_pwd, BIGNUM *s, BIGNUM *v);
 
-DEFINE_STACK_OF(SRP_user_pwd)
 
 typedef struct SRP_VBASE_st {
     STACK_OF(SRP_user_pwd) *users_pwd;
@@ -80,7 +80,6 @@ typedef struct SRP_gN_st {
     const BIGNUM *N;
 } SRP_gN;
 
-DEFINE_STACK_OF(SRP_gN)
 
 SRP_VBASE *SRP_VBASE_new(char *seed_key);
 void SRP_VBASE_free(SRP_VBASE *vb);
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index e75394676f..7a2b418bf7 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -230,8 +230,10 @@ typedef struct tls_sigalgs_st TLS_SIGALGS;
 typedef struct ssl_conf_ctx_st SSL_CONF_CTX;
 typedef struct ssl_comp_st SSL_COMP;
 
-STACK_OF(SSL_CIPHER);
-STACK_OF(SSL_COMP);
+DEFINE_OR_DECLARE_STACK_OF(SSL_CIPHER)
+DEFINE_OR_DECLARE_STACK_OF(SSL_COMP)
+DEFINE_OR_DECLARE_STACK_OF(SRTP_PROTECTION_PROFILE)
+DEFINE_OR_DECLARE_STACK_OF(SSL_COMP)
 
 /* SRTP protection profiles for use with the use_srtp extension (RFC 5764)*/
 typedef struct srtp_protection_profile_st {
@@ -239,7 +241,6 @@ typedef struct srtp_protection_profile_st {
     unsigned long id;
 } SRTP_PROTECTION_PROFILE;
 
-DEFINE_STACK_OF(SRTP_PROTECTION_PROFILE)
 
 typedef int (*tls_session_ticket_ext_cb_fn)(SSL *s, const unsigned char *data,
                                             int len, void *arg);
@@ -979,8 +980,6 @@ extern "C" {
  * These need to be after the above set of includes due to a compiler bug
  * in VisualStudio 2015
  */
-DEFINE_STACK_OF_CONST(SSL_CIPHER)
-DEFINE_STACK_OF(SSL_COMP)
 
 /* compatibility */
 # define SSL_set_app_data(s,arg)         (SSL_set_ex_data(s,0,(char *)(arg)))
diff --git a/include/openssl/ts.h b/include/openssl/ts.h
index 1229838da6..bf8f236cf3 100644
--- a/include/openssl/ts.h
+++ b/include/openssl/ts.h
@@ -37,6 +37,8 @@ extern "C" {
 # include <openssl/x509.h>
 # include <openssl/x509v3.h>
 
+DEFINE_OR_DECLARE_STACK_OF(EVP_MD)
+
 typedef struct TS_msg_imprint_st TS_MSG_IMPRINT;
 typedef struct TS_req_st TS_REQ;
 typedef struct TS_accuracy_st TS_ACCURACY;
@@ -264,8 +266,6 @@ typedef int (*TS_extension_cb) (struct TS_resp_ctx *, X509_EXTENSION *,
 
 typedef struct TS_resp_ctx TS_RESP_CTX;
 
-DEFINE_STACK_OF_CONST(EVP_MD)
-
 /* Creates a response context that can be used for generating responses. */
 TS_RESP_CTX *TS_RESP_CTX_new(void);
 void TS_RESP_CTX_free(TS_RESP_CTX *ctx);
diff --git a/include/openssl/types.h b/include/openssl/types.h
index 2b1d0820cf..27f90a7bdf 100644
--- a/include/openssl/types.h
+++ b/include/openssl/types.h
@@ -60,7 +60,9 @@ typedef int ASN1_BOOLEAN;
 typedef int ASN1_NULL;
 # endif
 
+typedef struct asn1_type_st ASN1_TYPE;
 typedef struct asn1_object_st ASN1_OBJECT;
+typedef struct asn1_string_table_st ASN1_STRING_TABLE;
 
 typedef struct ASN1_ITEM_st ASN1_ITEM;
 typedef struct asn1_pctx_st ASN1_PCTX;
diff --git a/include/openssl/ui.h b/include/openssl/ui.h
index 254ec6c29d..fa55d92ac8 100644
--- a/include/openssl/ui.h
+++ b/include/openssl/ui.h
@@ -283,7 +283,8 @@ const UI_METHOD *UI_null(void);
  * about a string or a prompt, including test data for a verification prompt.
  */
 typedef struct ui_string_st UI_STRING;
-DEFINE_STACK_OF(UI_STRING)
+
+DEFINE_OR_DECLARE_STACK_OF(UI_STRING)
 
 /*
  * The different types of strings that are currently supported. This is only
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index c54a91b671..310980299e 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -78,32 +78,24 @@ typedef struct X509_sig_st X509_SIG;
 
 typedef struct X509_name_entry_st X509_NAME_ENTRY;
 
-DEFINE_STACK_OF(X509_NAME_ENTRY)
-
-DEFINE_STACK_OF(X509_NAME)
+DEFINE_OR_DECLARE_STACK_OF(X509_NAME_ENTRY)
+DEFINE_OR_DECLARE_STACK_OF(X509_NAME)
+DEFINE_OR_DECLARE_STACK_OF(X509)
+DEFINE_OR_DECLARE_STACK_OF(X509_REVOKED)
+DEFINE_OR_DECLARE_STACK_OF(X509_CRL)
 
 # define X509_EX_V_NETSCAPE_HACK         0x8000
 # define X509_EX_V_INIT                  0x0001
 typedef struct X509_extension_st X509_EXTENSION;
-
+DEFINE_OR_DECLARE_STACK_OF(X509_EXTENSION)
 typedef STACK_OF(X509_EXTENSION) X509_EXTENSIONS;
-
-DEFINE_STACK_OF(X509_EXTENSION)
-
 typedef struct x509_attributes_st X509_ATTRIBUTE;
-
-DEFINE_STACK_OF(X509_ATTRIBUTE)
-
+DEFINE_OR_DECLARE_STACK_OF(X509_ATTRIBUTE)
 typedef struct X509_req_info_st X509_REQ_INFO;
-
 typedef struct X509_req_st X509_REQ;
-
 typedef struct x509_cert_aux_st X509_CERT_AUX;
-
 typedef struct x509_cinf_st X509_CINF;
 
-DEFINE_STACK_OF(X509)
-
 /* This is used for a table of trust checking functions */
 
 typedef struct x509_trust_st {
@@ -114,8 +106,8 @@ typedef struct x509_trust_st {
     int arg1;
     void *arg2;
 } X509_TRUST;
+DEFINE_OR_DECLARE_STACK_OF(X509_TRUST)
 
-DEFINE_STACK_OF(X509_TRUST)
 
 /* standard trust ids */
 
@@ -227,12 +219,8 @@ DEFINE_STACK_OF(X509_TRUST)
                         XN_FLAG_FN_LN | \
                         XN_FLAG_FN_ALIGN)
 
-DEFINE_STACK_OF(X509_REVOKED)
-
 typedef struct X509_crl_info_st X509_CRL_INFO;
 
-DEFINE_STACK_OF(X509_CRL)
-
 typedef struct private_key_st {
     int version;
     /* The PKCS#8 data types */
@@ -256,8 +244,7 @@ typedef struct X509_info_st {
     int enc_len;
     char *enc_data;
 } X509_INFO;
-
-DEFINE_STACK_OF(X509_INFO)
+DEFINE_OR_DECLARE_STACK_OF(X509_INFO)
 
 /*
  * The next 2 structures and their 8 routines are used to manipulate Netscape's
diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h
index 5822eab52d..84b076a1cb 100644
--- a/include/openssl/x509_vfy.h
+++ b/include/openssl/x509_vfy.h
@@ -60,9 +60,9 @@ typedef enum {
 #define X509_LU_FAIL    0
 #endif
 
-DEFINE_STACK_OF(X509_LOOKUP)
-DEFINE_STACK_OF(X509_OBJECT)
-DEFINE_STACK_OF(X509_VERIFY_PARAM)
+DEFINE_OR_DECLARE_STACK_OF(X509_LOOKUP)
+DEFINE_OR_DECLARE_STACK_OF(X509_OBJECT)
+DEFINE_OR_DECLARE_STACK_OF(X509_VERIFY_PARAM)
 
 int X509_STORE_set_depth(X509_STORE *store, int depth);
 
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index 6f4743d150..e4f09adfce 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -25,6 +25,25 @@
 extern "C" {
 #endif
 
+DEFINE_OR_DECLARE_STACK_OF(GENERAL_NAME)
+DEFINE_OR_DECLARE_STACK_OF(X509V3_EXT_METHOD)
+DEFINE_OR_DECLARE_STACK_OF(GENERAL_NAMES)
+DEFINE_OR_DECLARE_STACK_OF(ACCESS_DESCRIPTION)
+DEFINE_OR_DECLARE_STACK_OF(DIST_POINT)
+DEFINE_OR_DECLARE_STACK_OF(SXNETID)
+DEFINE_OR_DECLARE_STACK_OF(POLICYQUALINFO)
+DEFINE_OR_DECLARE_STACK_OF(POLICYINFO)
+DEFINE_OR_DECLARE_STACK_OF(POLICY_MAPPING)
+DEFINE_OR_DECLARE_STACK_OF(GENERAL_SUBTREE)
+DEFINE_OR_DECLARE_STACK_OF(X509_PURPOSE)
+DEFINE_OR_DECLARE_STACK_OF(X509_POLICY_NODE)
+DEFINE_OR_DECLARE_STACK_OF(ASIdOrRange)
+DEFINE_OR_DECLARE_STACK_OF(IPAddressOrRange)
+DEFINE_OR_DECLARE_STACK_OF(IPAddressFamily)
+DEFINE_OR_DECLARE_STACK_OF(ASN1_STRING)
+DEFINE_OR_DECLARE_STACK_OF(ADMISSIONS)
+DEFINE_OR_DECLARE_STACK_OF(PROFESSION_INFO)
+
 /* Forward reference */
 struct v3_ext_method;
 struct v3_ext_ctx;
@@ -97,8 +116,6 @@ struct v3_ext_ctx {
 
 typedef struct v3_ext_method X509V3_EXT_METHOD;
 
-DEFINE_STACK_OF(X509V3_EXT_METHOD)
-
 /* ext_flags values */
 # define X509V3_EXT_DYNAMIC      0x1
 # define X509V3_EXT_CTX_DEP      0x2
@@ -169,11 +186,7 @@ typedef STACK_OF(ASN1_OBJECT) EXTENDED_KEY_USAGE;
 
 typedef STACK_OF(ASN1_INTEGER) TLS_FEATURE;
 
-DEFINE_STACK_OF(GENERAL_NAME)
 typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
-DEFINE_STACK_OF(GENERAL_NAMES)
-
-DEFINE_STACK_OF(ACCESS_DESCRIPTION)
 
 typedef struct DIST_POINT_NAME_st {
     int type;
@@ -208,8 +221,6 @@ struct DIST_POINT_st {
 
 typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS;
 
-DEFINE_STACK_OF(DIST_POINT)
-
 struct AUTHORITY_KEYID_st {
     ASN1_OCTET_STRING *keyid;
     GENERAL_NAMES *issuer;
@@ -223,8 +234,6 @@ typedef struct SXNET_ID_st {
     ASN1_OCTET_STRING *user;
 } SXNETID;
 
-DEFINE_STACK_OF(SXNETID)
-
 typedef struct SXNET_st {
     ASN1_INTEGER *version;
     STACK_OF(SXNETID) *ids;
@@ -256,8 +265,6 @@ typedef struct POLICYQUALINFO_st {
     } d;
 } POLICYQUALINFO;
 
-DEFINE_STACK_OF(POLICYQUALINFO)
-
 typedef struct POLICYINFO_st {
     ASN1_OBJECT *policyid;
     STACK_OF(POLICYQUALINFO) *qualifiers;
@@ -265,15 +272,11 @@ typedef struct POLICYINFO_st {
 
 typedef STACK_OF(POLICYINFO) CERTIFICATEPOLICIES;
 
-DEFINE_STACK_OF(POLICYINFO)
-
 typedef struct POLICY_MAPPING_st {
     ASN1_OBJECT *issuerDomainPolicy;
     ASN1_OBJECT *subjectDomainPolicy;
 } POLICY_MAPPING;
 
-DEFINE_STACK_OF(POLICY_MAPPING)
-
 typedef STACK_OF(POLICY_MAPPING) POLICY_MAPPINGS;
 
 typedef struct GENERAL_SUBTREE_st {
@@ -282,8 +285,6 @@ typedef struct GENERAL_SUBTREE_st {
     ASN1_INTEGER *maximum;
 } GENERAL_SUBTREE;
 
-DEFINE_STACK_OF(GENERAL_SUBTREE)
-
 struct NAME_CONSTRAINTS_st {
     STACK_OF(GENERAL_SUBTREE) *permittedSubtrees;
     STACK_OF(GENERAL_SUBTREE) *excludedSubtrees;
@@ -458,8 +459,6 @@ typedef struct x509_purpose_st {
 # define X509V3_ADD_DELETE               5L
 # define X509V3_ADD_SILENT               0x10
 
-DEFINE_STACK_OF(X509_PURPOSE)
-
 DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
 
 DECLARE_ASN1_FUNCTIONS(SXNET)
@@ -736,7 +735,6 @@ int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE) *dn_sk,
                              unsigned long chtype);
 
 void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent);
-DEFINE_STACK_OF(X509_POLICY_NODE)
 
 #ifndef OPENSSL_NO_RFC3779
 typedef struct ASRange_st {
@@ -755,7 +753,6 @@ typedef struct ASIdOrRange_st {
 } ASIdOrRange;
 
 typedef STACK_OF(ASIdOrRange) ASIdOrRanges;
-DEFINE_STACK_OF(ASIdOrRange)
 
 # define ASIdentifierChoice_inherit              0
 # define ASIdentifierChoice_asIdsOrRanges        1
@@ -793,7 +790,6 @@ typedef struct IPAddressOrRange_st {
 } IPAddressOrRange;
 
 typedef STACK_OF(IPAddressOrRange) IPAddressOrRanges;
-DEFINE_STACK_OF(IPAddressOrRange)
 
 # define IPAddressChoice_inherit                 0
 # define IPAddressChoice_addressesOrRanges       1
@@ -812,7 +808,6 @@ typedef struct IPAddressFamily_st {
 } IPAddressFamily;