sync with OpenBSD -current

distrib/arm64/iso/Makefile

@@ -1,7 +1,7 @@
-#	$OpenBSD: Makefile,v 1.10 2024/06/09 17:24:19 deraadt Exp $
+#	$OpenBSD: Makefile,v 1.11 2024/06/18 01:31:48 deraadt Exp $
 
 FS=		install${OSrev}.img
-FSSIZE=		1136400
+FSSIZE=		1236400
 CDROM=		install${OSrev}.iso
 
 MOUNT_POINT=	/mnt

lib/libcrypto/x509/x509_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lib.c,v 1.21 2024/05/28 15:40:38 tb Exp $ */
+/* $OpenBSD: x509_lib.c,v 1.23 2024/06/17 05:38:08 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -178,77 +178,69 @@ X509V3_EXT_d2i(X509_EXTENSION *ext)
 }
 LCRYPTO_ALIAS(X509V3_EXT_d2i);
 
-/* Get critical flag and decoded version of extension from a NID.
+/*
- * The "idx" variable returns the last found extension and can
+ * This API is only safe to call with known nid, crit != NULL and idx == NULL.
- * be used to retrieve multiple extensions of the same NID.
+ * On NULL return, crit acts as a failure indicator: crit == -1 means an
- * However multiple extensions with the same NID is usually
+ * extension of type nid was not present, crit != -1 is fatal: crit == -2
- * due to a badly encoded certificate so if idx is NULL we
+ * means multiple extensions of type nid are present; if crit is 0 or 1, this
- * choke if multiple extensions exist.
+ * implies the extension was found but could not be decoded.
- * The "crit" variable is set to the critical value.
- * The return value is the decoded extension or NULL on
- * error. The actual error can have several different causes,
- * the value of *crit reflects the cause:
- * >= 0, extension found but not decoded (reflects critical value).
- * -1 extension not found.
- * -2 extension occurs more than once.
  */
 
 void *
-X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
+X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x509_exts, int nid, int *crit,
+    int *idx)
 {
-	int lastpos, i;
+	X509_EXTENSION *ext;
-	X509_EXTENSION *ex, *found_ex = NULL;
+	int lastpos = idx == NULL ? -1 : *idx;
 
-	if (!x) {
+	if (crit != NULL)
-		if (idx)
-			*idx = -1;
-		if (crit)
 		*crit = -1;
+	if (idx != NULL)
+		*idx = -1;
+
+	/*
+	 * Nothing to do if no extensions, unknown nid, or missing extension.
+	 */
+
+	if (x509_exts == NULL)
 		return NULL;
-	}
+	if ((lastpos = X509v3_get_ext_by_NID(x509_exts, nid, lastpos)) < 0)
-	if (idx)
+		return NULL;
-		lastpos = *idx + 1;
+	if ((ext = X509v3_get_ext(x509_exts, lastpos)) == NULL)
-	else
+		return NULL;
-		lastpos = 0;
+
-	if (lastpos < 0)
+	/*
-		lastpos = 0;
+	 * API madness. Only check for a second extension of type nid if
-	for (i = lastpos; i < sk_X509_EXTENSION_num(x); i++) {
+	 * idx == NULL. Indicate this by setting *crit to -2. If idx != NULL,
-		ex = sk_X509_EXTENSION_value(x, i);
+	 * don't care and set *idx to the index of the first extension found.
-		if (OBJ_obj2nid(ex->object) == nid) {
+	 */
-			if (idx) {
+
-				*idx = i;
+	if (idx == NULL && X509v3_get_ext_by_NID(x509_exts, nid, lastpos) > 0) {
-				found_ex = ex;
+		if (crit != NULL)
-				break;
-			} else if (found_ex) {
-				/* Found more than one */
-				if (crit)
 			*crit = -2;
 		return NULL;
 	}
-			found_ex = ex;
-		}
-	}
-	if (found_ex) {
-		/* Found it */
-		if (crit)
-			*crit = X509_EXTENSION_get_critical(found_ex);
-		return X509V3_EXT_d2i(found_ex);
-	}
 
-	/* Extension not found */
+	/*
-	if (idx)
+	 * Another beautiful API detail: *crit will be set to 0 or 1, so if the
-		*idx = -1;
+	 * extension fails to decode, we can deduce this from return value NULL
-	if (crit)
+	 * and crit != -1.
-		*crit = -1;
+	 */
-	return NULL;
+
+	if (crit != NULL)
+		*crit = X509_EXTENSION_get_critical(ext);
+	if (idx != NULL)
+		*idx = lastpos;
+
+	return X509V3_EXT_d2i(ext);
 }
 LCRYPTO_ALIAS(X509V3_get_d2i);
 
 int
-X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
+X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x509_exts, int nid, void *value,
     int crit, unsigned long flags)
 {
-	STACK_OF(X509_EXTENSION) *exts = *x;
+	STACK_OF(X509_EXTENSION) *exts = *x509_exts;
 	X509_EXTENSION *ext = NULL;
 	X509_EXTENSION *existing;
 	int extidx;
@@ -256,7 +248,7 @@ X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
 	int ret = 0;
 
 	/* See if the extension already exists. */
-	extidx = X509v3_get_ext_by_NID(*x, nid, -1);
+	extidx = X509v3_get_ext_by_NID(*x509_exts, nid, -1);
 
 	switch (flags & X509V3_ADD_OP_MASK) {
 	case X509V3_ADD_DEFAULT:
@@ -296,7 +288,8 @@ X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
 			errcode = X509V3_R_EXTENSION_NOT_FOUND;
 			goto err;
 		}
-		if ((existing = sk_X509_EXTENSION_delete(*x, extidx)) == NULL) {
+		if ((existing = sk_X509_EXTENSION_delete(*x509_exts,
+		    extidx)) == NULL) {
 			ret = -1;
 			goto err;
 		}
@@ -319,10 +312,10 @@ X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
 
 	/* If extension exists, replace it. */
 	if (extidx >= 0) {
-		existing = sk_X509_EXTENSION_value(*x, extidx);
+		existing = sk_X509_EXTENSION_value(*x509_exts, extidx);
 		X509_EXTENSION_free(existing);
 		existing = NULL;
-		if (sk_X509_EXTENSION_set(*x, extidx, ext) == NULL) {
+		if (sk_X509_EXTENSION_set(*x509_exts, extidx, ext) == NULL) {
 			/*
 			 * XXX - Can't happen. If it did happen, |existing| is
 			 * now a freed pointer. Nothing we can do here.
@@ -341,7 +334,7 @@ X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
 		goto err;
 	ext = NULL;
 
-	*x = exts;
+	*x509_exts = exts;
 
  done:
 	return 1;
@@ -350,7 +343,7 @@ X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
 	if ((flags & X509V3_ADD_SILENT) == 0 && errcode != 0)
 		X509V3error(errcode);
 
-	if (exts != *x)
+	if (exts != *x509_exts)
 		sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
 	X509_EXTENSION_free(ext);
 

lib/libm/man/feclearexcept.3

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: feclearexcept.3,v 1.6 2020/11/14 10:35:58 jmc Exp $
+.\"	$OpenBSD: feclearexcept.3,v 1.7 2024/06/17 12:59:28 tim Exp $
 .\"
 .\" Copyright (c) 2011 Martynas Venckus <martynas@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: November 14 2020 $
+.Dd $Mdocdate: June 17 2024 $
 .Dt FECLEAREXCEPT 3
 .Os
 .Sh NAME
@@ -111,7 +111,7 @@ This function does not raise floating-point exceptions, but only
 sets the state of the flags.
 .Pp
 The
-.Fn fetesteexcept
+.Fn fetestexcept
 function determines which of a specified subset of the floating-point
 exception flags are currently set.
 The

regress/lib/libcrypto/x509/Makefile

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.22 2024/05/28 15:33:35 tb Exp $
+#	$OpenBSD: Makefile,v 1.23 2024/06/16 17:57:08 tb Exp $
 
 PROGS =	constraints verify x509attribute x509name x509req_ext callback
 PROGS += expirecallback callbackfailures x509_asn1 x509_extensions_test

regress/lib/libcrypto/x509/x509_extensions_test.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_extensions_test.c,v 1.2 2024/05/28 15:42:09 tb Exp $ */
+/*	$OpenBSD: x509_extensions_test.c,v 1.3 2024/06/17 05:04:54 tb Exp $ */
 
 /*
  * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
@@ -27,6 +27,9 @@
 #define ASN1_BOOLEAN_TRUE	0xff
 #define ASN1_BOOLEAN_FALSE	0x00
 
+#define X509V3_EXT_CRITICAL	1
+#define X509V3_EXT_NONCRITICAL	0
+
 static BASIC_CONSTRAINTS *
 create_basic_constraints(int ca)
 {
@@ -40,6 +43,20 @@ create_basic_constraints(int ca)
 	return bc;
 }
 
+static X509_EXTENSION *
+ext_create_basic_constraints(int ca, int critical)
+{
+	X509_EXTENSION *ext;
+	BASIC_CONSTRAINTS *bc;
+
+	bc = create_basic_constraints(ca);
+	if ((ext = X509V3_EXT_i2d(NID_basic_constraints, critical, bc)) == NULL)
+		errx(1, "X509V3_EXT_i2d");
+	BASIC_CONSTRAINTS_free(bc);
+
+	return ext;
+}
+
 static int
 test_x509v3_add1_i2d_empty_stack(STACK_OF(X509_EXTENSION) **extensions)
 {
@@ -644,12 +661,259 @@ test_x509v3_add1_i2d(void)
 	return failed;
 }
 
+static int
+test_x509v3_get_d2i_null(void)
+{
+	X509_EXTENSION *ext;
+	int crit, idx;
+	int failed = 1;
+
+	if ((ext = X509V3_get_d2i(NULL, NID_undef, NULL, NULL)) != NULL) {
+		fprintf(stderr, "FAIL: %s: expected X509V3_get_d2i with three "
+		    "NULL arguments to return NULL\n", __func__);
+		goto err;
+	}
+
+	idx = -5;
+	if (X509V3_get_d2i(NULL, NID_undef, &crit, &idx) != NULL) {
+		/* Leaks whatever garbage libcrypto decoded. What to do... */
+		fprintf(stderr, "FAIL: %s: expected X509V3_get_d2i NULL stack"
+		    "to return NULL\n", __func__);
+		goto err;
+	}
+
+	if (crit != -1 || idx != -1) {
+		fprintf(stderr, "FAIL: %s: crit: want: %d, got: %d; "
+		    "idx: want: %d, got: %d\n", __func__, -1, crit, -1, idx);
+		goto err;
+	}
+
+	failed = 0;
+
+ err:
+	X509_EXTENSION_free(ext);
+
+	return failed;
+}
+
+static int
+test_x509v3_get_d2i_multiple_basic_constraints(void)
+{
+	STACK_OF(X509_EXTENSION) *exts = NULL;
+	ASN1_BIT_STRING *abs = NULL;
+	BASIC_CONSTRAINTS *bc = NULL;
+	X509_EXTENSION *ext;
+	int crit, idx;
+	int ca, nid;
+	int failed = 1;
+
+	/*
+	 * Create extension stack containing three basic constraints extensions:
+	 * 1. critical CA basic constraints,
+	 * 2. non-critical CA basic constraints,
+	 * 3. critical non-CA basic constraints.
+	 */
+
+	if ((exts = sk_X509_EXTENSION_new_null()) == NULL)
+		errx(1, "sk_X509_EXTENSION_new_null");
+
+	ca = 1;
+	ext = ext_create_basic_constraints(ca, X509V3_EXT_CRITICAL);
+
+	if (sk_X509_EXTENSION_push(exts, ext) <= 0)
+		errx(1, "sk_X509_EXTENSION_push");
+	ext = NULL;
+
+	ca = 1;
+	ext = ext_create_basic_constraints(ca, X509V3_EXT_NONCRITICAL);
+
+	if (sk_X509_EXTENSION_push(exts, ext) <= 0)
+		errx(1, "sk_X509_EXTENSION_push");
+	ext = NULL;
+
+	ca = 0;
+	ext = ext_create_basic_constraints(ca, X509V3_EXT_CRITICAL);
+
+	if (sk_X509_EXTENSION_push(exts, ext) <= 0)
+		errx(1, "sk_X509_EXTENSION_push");
+	ext = NULL;
+
+	/*
+	 * There is no key usage in this stack, so we shouldn't find any.
+	 */
+
+	nid = NID_key_usage;
+	if ((abs = X509V3_get_d2i(exts, nid, &crit, NULL)) != NULL) {
+		fprintf(stderr, "FAIL: %s: found key usage extension\n",
+		    __func__);
+		goto err;
+	}
+	if (crit != -1) {
+		fprintf(stderr, "FAIL: %s: key usage: crit: want %d, got %d\n",
+		    __func__, -1, crit);
+		goto err;
+	}
+
+	/*
+	 * If we pass no idx and look for basic constraints,
+	 * we should fail with crit == -2.
+	 */
+
+	nid = NID_basic_constraints;
+	if ((bc = X509V3_get_d2i(exts, nid, &crit, NULL)) != NULL) {
+		fprintf(stderr, "FAIL: %s (NULL idx): did not expect to find "
+		    "basic constraints\n", __func__);
+		goto err;
+	}
+	if (crit != -2) {
+		fprintf(stderr, "FAIL: %s: basic constraints, no idx: \n"
+		    "crit: want %d, got %d\n", __func__, -2, crit);
+		goto err;
+	}
+
+	/*
+	 * If we pass idx = -1 and look for basic constraints, we should find
+	 * the first one: it is critical at idx = 0, with ca bit set to true.
+	 */
+
+	nid = NID_basic_constraints;
+	idx = -1;
+	if ((bc = X509V3_get_d2i(exts, nid, &crit, &idx)) == NULL) {
+		fprintf(stderr, "FAIL: %s (idx %d): expected to find"
+		    "basic constraints\n", __func__, -1);
+		goto err;
+	}
+	if (crit != 1) {
+		fprintf(stderr, "FAIL: %s: basic constraints (idx %d): "
+		    "crit: want %d, got %d\n", __func__, -1, 1, crit);
+		goto err;
+	}
+	if (idx != 0) {
+		fprintf(stderr, "FAIL: %s: basic constraints (idx %d): "
+		    "idx: want %d, got %d\n", __func__, -1, 0, idx);
+		goto err;
+	}
+	if (bc->ca != ASN1_BOOLEAN_TRUE) {
+		fprintf(stderr, "FAIL: %s: basic constraints (idx %d): "
+		    "cA bit: want %x, got %x\n", __func__, -1,
+		    ASN1_BOOLEAN_TRUE, bc->ca);
+		goto err;
+	}
+	BASIC_CONSTRAINTS_free(bc);
+	bc = NULL;
+
+	/*
+	 * Now pass idx = 0 and look for basic constraints, we should find
+	 * the second one: non-critical at idx = 1, with ca bit set to true.
+	 */
+
+	nid = NID_basic_constraints;
+	idx = 0;
+	if ((bc = X509V3_get_d2i(exts, nid, &crit, &idx)) == NULL) {
+		fprintf(stderr, "FAIL: %s (idx %d): expected to find"
+		    "basic constraints\n", __func__, 0);
+		goto err;
+	}
+	if (crit != 0) {
+		fprintf(stderr, "FAIL: %s: basic constraints (idx %d): "
+		    "crit: want %d, got %d\n", __func__, 0, 0, crit);
+		goto err;
+	}
+	if (idx != 1) {
+		fprintf(stderr, "FAIL: %s: basic constraints (idx %d): "
+		    "idx: want %d, got %d\n", __func__, 0, 1, idx);
+		goto err;
+	}
+	if (bc->ca != ASN1_BOOLEAN_TRUE) {
+		fprintf(stderr, "FAIL: %s: basic constraints (idx %d): "
+		    "cA bit: want %x, got %x\n", __func__, 0,
+		    ASN1_BOOLEAN_TRUE, bc->ca);
+		goto err;
+	}
+	BASIC_CONSTRAINTS_free(bc);
+	bc = NULL;
+
+	/*
+	 * Now pass idx = 1 and look for basic constraints, we should find the
+	 * third one: critical at idx = 2, with ca bit set to false.
+	 */
+
+	nid = NID_basic_constraints;
+	idx = 1;
+	if ((bc = X509V3_get_d2i(exts, nid, &crit, &idx)) == NULL) {
+		fprintf(stderr, "FAIL: %s (idx %d): expected to find"
+		    "basic constraints\n", __func__, 1);
+		goto err;
+	}
+	if (crit != 1) {
+		fprintf(stderr, "FAIL: %s: basic constraints (idx %d): "
+		    "crit: want %d, got %d\n", __func__, 1, 0, crit);
+		goto err;
+	}
+	if (idx != 2) {
+		fprintf(stderr, "FAIL: %s: basic constraints (idx %d): "
+		    "idx: want %d, got %d\n", __func__, 1, 2, idx);
+		goto err;
+	}
+	if (bc->ca != ASN1_BOOLEAN_FALSE) {
+		fprintf(stderr, "FAIL: %s: basic constraints (idx %d): "
+		    "cA bit: want %x, got %x\n", __func__, 1,
+		    ASN1_BOOLEAN_FALSE, bc->ca);
+		goto err;
+	}
+	BASIC_CONSTRAINTS_free(bc);
+	bc = NULL;
+
+	/*
+	 * Finally, pass idx = 2 and we should find no basic constraints.
+	 */
+
+	nid = NID_basic_constraints;
+	idx = 2;
+	if ((bc = X509V3_get_d2i(exts, nid, &crit, &idx)) != NULL) {
+		fprintf(stderr, "FAIL: %s (idx %d): expected to find"
+		    "no basic constraints\n", __func__, 2);
+		goto err;
+	}
+	if (crit != -1) {
+		fprintf(stderr, "FAIL: %s: basic constraints (idx %d): "
+		    "crit: want %d, got %d\n", __func__, 2, -1, crit);
+		goto err;
+	}
+	if (idx != -1) {
+		fprintf(stderr, "FAIL: %s: basic constraints (idx %d): "
+		    "idx: want %d, got %d\n", __func__, 2, -1, idx);
+		goto err;
+	}
+
+	failed = 0;
+
+ err:
+	sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+	ASN1_BIT_STRING_free(abs);
+	BASIC_CONSTRAINTS_free(bc);
+
+	return failed;
+}
+
+static int
+test_x509v3_get_d2i(void)
+{
+	int failed = 0;
+
+	failed |= test_x509v3_get_d2i_null();
+	failed |= test_x509v3_get_d2i_multiple_basic_constraints();
+
+	return failed;
+}
+
 int
 main(void)
 {
 	int failed = 0;
 
 	failed |= test_x509v3_add1_i2d();
+	failed |= test_x509v3_get_d2i();
 
 	return failed;
 }

regress/usr.bin/ssh/penalty-expire.sh

@@ -24,6 +24,7 @@ verbose "penalty expiry"
 # Incur a penalty
 cat /dev/null > $OBJ/authorized_keys_${USER}
 ${SSH} -F $OBJ/ssh_config somehost true && fatal "authfail connect succeeded"
+sleep 2
 
 # Check denied
 cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}

regress/usr.bin/ssh/penalty.sh

@@ -25,14 +25,17 @@ verbose "penalty for authentication failure"
 cat /dev/null > $OBJ/authorized_keys_${USER}
 ${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded"
 cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+sleep 2
 
 # Should be below penalty threshold
 ${SSH} -F $OBJ/ssh_config somehost true || fatal "authfail not expired"
+sleep 2
 
 # Fail authentication again; penalty should activate
 cat /dev/null > $OBJ/authorized_keys_${USER}
 ${SSH} -F $OBJ/ssh_config somehost true && fatal "noauth connect succeeded"
 cp $OBJ/authorized_keys_${USER}.bak $OBJ/authorized_keys_${USER}
+sleep 2
 
 # These should be refused by the active penalty
 ${SSH} -F $OBJ/ssh_config somehost true && fail "authfail not rejected"
@@ -42,6 +45,7 @@ conf "noauth:100s"
 ${SSH} -F $OBJ/ssh_config somehost true || fatal "basic connect failed"
 verbose "penalty for no authentication"
 ${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null || fatal "keyscan failed"
+sleep 2
 
 # Repeat attempt should be penalised
 ${SSHKEYSCAN} -t ssh-ed25519 -p $PORT 127.0.0.1 >/dev/null 2>&1 && fail "keyscan not rejected"

share/man/man7/mdoc.7

@@ -1,4 +1,4 @@
-.\" $OpenBSD: mdoc.7,v 1.183 2024/05/20 18:40:53 schwarze Exp $
+.\" $OpenBSD: mdoc.7,v 1.184 2024/06/17 15:35:33 schwarze Exp $
 .\"
 .\" Copyright (c) 2009, 2010, 2011 Kristaps Dzonsons <kristaps@bsd.lv>
 .\" Copyright (c) 2010, 2011, 2013-2020 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: May 20 2024 $
+.Dd $Mdocdate: June 17 2024 $
 .Dt MDOC 7
 .Os
 .Sh NAME
@@ -2552,7 +2552,7 @@ It is used as the basis for UNIX 03 certification.
 .br
 The second and last Technical Corrigendum.
 .El
-.It Single UNIX Specification version 4
+.It POSIX issues 7 and 8
 .Pp
 .Bl -tag -width "-p1003.1g-2000" -compact
 .It \-p1003.1-2008
@@ -2560,8 +2560,18 @@ The second and last Technical Corrigendum.
 .It \-susv4
 .St -susv4
 .br
-This standard is also called
+This standard is based on C99.
-X/Open Portability Guide version 7.
+It is also called the
+Open Group Standard Base Specifications, Issue 7.
+.El
+.Pp
+.Bl -tag -width "-p1003.1g-2000" -compact
+.It \-p1003.1-2024
+.St -p1003.1-2024
+.br
+This standard is based on C17.
+It is also called the
+Open Group Standard Base Specifications, Issue 8.
 .El
 .It Other standards
 .Pp

sys/arch/amd64/amd64/identcpu.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: identcpu.c,v 1.143 2024/05/14 01:42:07 guenther Exp $	*/
+/*	$OpenBSD: identcpu.c,v 1.144 2024/06/16 14:01:26 kn Exp $	*/
 /*	$NetBSD: identcpu.c,v 1.1 2003/04/26 18:39:28 fvdl Exp $	*/
 
 /*
@@ -727,7 +727,8 @@ identifycpu(struct cpu_info *ci)
 	}
 
 #ifndef SMALL_KERNEL
-	if (CPU_IS_PRIMARY(ci) && (ci->ci_feature_tpmflags & TPM_SENSOR)) {
+	if (CPU_IS_PRIMARY(ci) && (ci->ci_feature_tpmflags & TPM_SENSOR) &&
+	    ci->ci_vendor == CPUV_INTEL) {
 		ci->ci_sensor.type = SENSOR_TEMP;
 		sensor_task_register(ci, intelcore_update_sensor, 5);
 		sensor_attach(&ci->ci_sensordev, &ci->ci_sensor);

sys/arch/arm64/stand/efiboot/efiboot.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: efiboot.c,v 1.51 2024/06/14 19:49:17 kettenis Exp $	*/
+/*	$OpenBSD: efiboot.c,v 1.52 2024/06/17 09:36:04 kettenis Exp $	*/
 
 /*
  * Copyright (c) 2015 YASUOKA Masahiko <yasuoka@yasuoka.net>
@@ -101,8 +101,7 @@ efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *systab)
 	/* disable reset by watchdog after 5 minutes */
 	BS->SetWatchdogTimer(0, 0, 0, NULL);
 
-	status = BS->HandleProtocol(image, &imgp_guid,
+	status = BS->HandleProtocol(image, &imgp_guid, (void **)&imgp);
-	    (void **)&imgp);
 	if (status == EFI_SUCCESS)
 		status = BS->HandleProtocol(imgp->DeviceHandle, &devp_guid,
 		    (void **)&dp);

sys/arch/armv7/stand/efiboot/conf.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: conf.c,v 1.35 2024/03/10 15:37:54 kettenis Exp $	*/
+/*	$OpenBSD: conf.c,v 1.36 2024/06/17 09:12:45 kettenis Exp $	*/
 
 /*
  * Copyright (c) 1996 Michael Shalayeff
@@ -42,7 +42,7 @@
 #include "efidev.h"
 #include "efipxe.h"
 
-const char version[] = "1.22";
+const char version[] = "1.23";
 int	debug = 0;
 
 struct fs_ops file_system[] = {

sys/arch/armv7/stand/efiboot/efiboot.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: efiboot.c,v 1.40 2022/12/22 15:44:02 kettenis Exp $	*/
+/*	$OpenBSD: efiboot.c,v 1.41 2024/06/17 09:12:45 kettenis Exp $	*/
 
 /*
  * Copyright (c) 2015 YASUOKA Masahiko <yasuoka@yasuoka.net>
@@ -36,6 +36,7 @@
 
 #include "efidev.h"
 #include "efiboot.h"
+#include "efidt.h"
 #include "fdt.h"
 
 EFI_SYSTEM_TABLE	*ST;
@@ -59,6 +60,7 @@ static EFI_GUID		 blkio_guid = BLOCK_IO_PROTOCOL;
 static EFI_GUID		 devp_guid = DEVICE_PATH_PROTOCOL;
 static EFI_GUID		 gop_guid = EFI_GRAPHICS_OUTPUT_PROTOCOL_GUID;
 static EFI_GUID		 fdt_guid = FDT_TABLE_GUID;
+static EFI_GUID		 dt_fixup_guid = EFI_DT_FIXUP_PROTOCOL_GUID;
 
 #define efi_guidcmp(_a, _b)	memcmp((_a), (_b), sizeof(EFI_GUID))
 
@@ -1004,12 +1006,18 @@ efi_fdt(void)
 	return fdt_sys;
 }
 
+#define EXTRA_DT_SPACE	(32 * 1024)
+
 int
 fdt_load_override(char *file)
 {
+	EFI_DT_FIXUP_PROTOCOL *dt_fixup;
 	EFI_PHYSICAL_ADDRESS addr;
 	char path[MAXPATHLEN];
+	EFI_STATUS status;
 	struct stat sb;
+	size_t dt_size;
+	UINTN sz;
 	int fd;
 
 	if (file == NULL && fdt_override) {
@@ -1027,7 +1035,8 @@ fdt_load_override(char *file)
 		printf("cannot open %s\n", path);
 		return 0;
 	}
-	if (efi_memprobe_find(EFI_SIZE_TO_PAGES(sb.st_size),
+	dt_size = sb.st_size + EXTRA_DT_SPACE;
+	if (efi_memprobe_find(EFI_SIZE_TO_PAGES(dt_size),
 	    PAGE_SIZE, EfiLoaderData, &addr) != EFI_SUCCESS) {
 		printf("cannot allocate memory for %s\n", path);
 		return 0;
@@ -1037,9 +1046,18 @@ fdt_load_override(char *file)
 		return 0;
 	}
 
+	status = BS->LocateProtocol(&dt_fixup_guid, NULL, (void **)&dt_fixup);
+	if (status == EFI_SUCCESS) {
+		sz = dt_size;
+		status = dt_fixup->Fixup(dt_fixup, (void *)addr, &sz,
+		    EFI_DT_APPLY_FIXUPS | EFI_DT_RESERVE_MEMORY);
+		if (status != EFI_SUCCESS)
+			panic("DT fixup failed: 0x%lx", status);
+	}
+
 	if (!fdt_init((void *)addr)) {
 		printf("invalid device tree\n");
-		BS->FreePages(addr, EFI_SIZE_TO_PAGES(sb.st_size));
+		BS->FreePages(addr, EFI_SIZE_TO_PAGES(dt_size));
 		return 0;
 	}
 
@@ -1050,7 +1068,7 @@ fdt_load_override(char *file)
 	}
 
 	fdt_override = (void *)addr;
-	fdt_override_size = sb.st_size;
+	fdt_override_size = dt_size;
 	return 0;
 }
 

sys/arch/armv7/stand/efiboot/efidt.h

@@ -0,0 +1,44 @@
+/*	$OpenBSD: efidt.h,v 1.1 2024/06/17 09:12:45 kettenis Exp $	*/
+
+/*
+ * Copyright (c) 2024 Mark Kettenis <kettenis@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/param.h>
+
+#include <efi.h>
+#include <efiapi.h>
+
+#define EFI_DT_FIXUP_PROTOCOL_GUID		\
+  { 0xe617d64c, 0xfe08, 0x46da, \
+    { 0xf4, 0xdc, 0xbb, 0xd5, 0x87, 0x0c, 0x73, 0x00 } }
+
+INTERFACE_DECL(_EFI_DT_FIXUP_PROTOCOL);
+
+typedef EFI_STATUS
+(EFIAPI *EFI_DT_FIXUP) (
+    IN struct _EFI_DT_FIXUP_PROTOCOL	*This,
+    IN VOID				*Fdt,
+    IN OUT UINTN			*BufferSize,
+    IN UINT32				Flags
+    );
+
+#define EFI_DT_APPLY_FIXUPS	0x00000001
+#define EFI_DT_RESERVE_MEMORY	0x00000002
+
+typedef struct _EFI_DT_FIXUP_PROTOCOL {
+	UINT64			Revision;
+	EFI_DT_FIXUP		Fixup;
+} EFI_DT_FIXUP_PROTOCOL;

sys/dev/pci/ahci_pci.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ahci_pci.c,v 1.17 2024/05/24 06:02:53 jsg Exp $ */
+/*	$OpenBSD: ahci_pci.c,v 1.18 2024/06/16 18:00:08 kn Exp $ */
 
 /*
  * Copyright (c) 2006 David Gwynne <dlg@openbsd.org>
@@ -71,6 +71,8 @@ int			ahci_intel_attach(struct ahci_softc *,
 			    struct pci_attach_args *);
 int			ahci_samsung_attach(struct ahci_softc *,
 			    struct pci_attach_args *);
+int			ahci_storx_attach(struct ahci_softc *,
+			    struct pci_attach_args *);
 
 static const struct ahci_device ahci_devices[] = {
 	{ PCI_VENDOR_AMD,	PCI_PRODUCT_AMD_HUDSON2_SATA_1,
@@ -148,7 +150,10 @@ static const struct ahci_device ahci_devices[] = {
 	    NULL,		ahci_samsung_attach },
 
 	{ PCI_VENDOR_VIATECH,	PCI_PRODUCT_VIATECH_VT8251_SATA,
-	  ahci_no_match,	ahci_vt8251_attach }
+	  ahci_no_match,	ahci_vt8251_attach },
+
+	{ PCI_VENDOR_ZHAOXIN,	PCI_PRODUCT_ZHAOXIN_STORX_AHCI,
+	  NULL,			ahci_storx_attach },
 };
 
 int			ahci_pci_match(struct device *, void *, void *);
@@ -285,6 +290,19 @@ ahci_samsung_attach(struct ahci_softc *sc, struct pci_attach_args *pa)
 	return (0);
 }
 
+int
+ahci_storx_attach(struct ahci_softc *sc, struct pci_attach_args *pa)
+{
+	/*
+	 * Disable MSI with the ZX-100/ZX-200/ZX-E StorX AHCI Controller
+	 * in the Unchartevice 6640MA notebook, otherwise ahci(4) hangs
+	 * with SATA speed set to "Gen3" in BIOS.
+	 */
+	sc->sc_flags |= AHCI_F_NO_MSI;
+
+	return (0);
+}
+
 int
 ahci_pci_match(struct device *parent, void *match, void *aux)
 {

sys/dev/pci/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c

@@ -1135,7 +1135,8 @@ static int reserve_bo_and_cond_vms(struct kgd_mem *mem,
 	int ret;
 
 	ctx->sync = &mem->sync;
-	drm_exec_init(&ctx->exec, DRM_EXEC_INTERRUPTIBLE_WAIT);
+	drm_exec_init(&ctx->exec, DRM_EXEC_INTERRUPTIBLE_WAIT |
+		      DRM_EXEC_IGNORE_DUPLICATES);
 	drm_exec_until_all_locked(&ctx->exec) {
 		ctx->n_vms = 0;
 		list_for_each_entry(entry, &mem->attachments, list) {

sys/dev/pci/drm/amd/amdgpu/amdgpu_atomfirmware.c

@@ -211,6 +211,7 @@ union igp_info {
 	struct atom_integrated_system_info_v1_11 v11;
 	struct atom_integrated_system_info_v1_12 v12;
 	struct atom_integrated_system_info_v2_1 v21;
+	struct atom_integrated_system_info_v2_3 v23;
 };
 
 union umc_info {
@@ -359,6 +360,20 @@ amdgpu_atomfirmware_get_vram_info(struct amdgpu_device *adev,
 					if (vram_type)
 						*vram_type = convert_atom_mem_type_to_vram_type(adev, mem_type);
 					break;
+				case 3:
+					mem_channel_number = igp_info->v23.umachannelnumber;
+					if (!mem_channel_number)
+						mem_channel_number = 1;
+					mem_type = igp_info->v23.memorytype;
+					if (mem_type == LpDdr5MemType)
+						mem_channel_width = 32;
+					else
+						mem_channel_width = 64;
+					if (vram_width)
+						*vram_width = mem_channel_number * mem_channel_width;
+					if (vram_type)
+						*vram_type = convert_atom_mem_type_to_vram_type(adev, mem_type);
+					break;
 				default:
 					return -EINVAL;
 				}

sys/dev/pci/drm/amd/amdgpu/sdma_v4_0.c

@@ -2031,6 +2031,9 @@ static int sdma_v4_0_process_trap_irq(struct amdgpu_device *adev,
 
 	DRM_DEBUG("IH: SDMA trap\n");
 	instance = sdma_v4_0_irq_id_to_seq(entry->client_id);
+	if (instance < 0)
+		return instance;
+
 	switch (entry->ring_id) {
 	case 0:
 		amdgpu_fence_process(&adev->sdma.instance[instance].ring);

sys/dev/pci/drm/amd/amdkfd/kfd_device.c

@@ -402,13 +402,6 @@ struct kfd_dev *kgd2kfd_probe(struct amdgpu_device *adev, bool vf)
 			f2g = &gfx_v11_kfd2kgd;
 			break;
 		case IP_VERSION(11, 0, 3):
-			if ((adev->pdev->device == 0x7460 &&
-			     adev->pdev->revision == 0x00) ||
-			    (adev->pdev->device == 0x7461 &&
-			     adev->pdev->revision == 0x00))
-				/* Note: Compiler version is 11.0.5 while HW version is 11.0.3 */
-				gfx_target_version = 110005;
-			else
 			/* Note: Compiler version is 11.0.1 while HW version is 11.0.3 */
 			gfx_target_version = 110001;
 			f2g = &gfx_v11_kfd2kgd;

sys/dev/pci/drm/amd/include/atomfirmware.h

@@ -1625,6 +1625,49 @@ struct atom_integrated_system_info_v2_2
 	uint32_t  reserved4[189];
 };
 
+struct uma_carveout_option {
+  char       optionName[29];        //max length of string is 28chars + '\0'. Current design is for "minimum", "Medium", "High". This makes entire struct size 64bits
+  uint8_t    memoryCarvedGb;        //memory carved out with setting
+  uint8_t    memoryRemainingGb;     //memory remaining on system
+  union {
+    struct _flags {
+      uint8_t Auto     : 1;
+      uint8_t Custom   : 1;
+      uint8_t Reserved : 6;
+    } flags;
+    uint8_t all8;
+  } uma_carveout_option_flags;
+};
+
+struct atom_integrated_system_info_v2_3 {
+  struct  atom_common_table_header table_header;
+  uint32_t  vbios_misc; // enum of atom_system_vbiosmisc_def
+  uint32_t  gpucapinfo; // enum of atom_system_gpucapinf_def
+  uint32_t  system_config;
+  uint32_t  cpucapinfo;
+  uint16_t  gpuclk_ss_percentage; // unit of 0.001%,   1000 mean 1%
+  uint16_t  gpuclk_ss_type;
+  uint16_t  dpphy_override;  // bit vector, enum of atom_sysinfo_dpphy_override_def
+  uint8_t memorytype;       // enum of atom_dmi_t17_mem_type_def, APU memory type indication.
+  uint8_t umachannelnumber; // number of memory channels
+  uint8_t htc_hyst_limit;
+  uint8_t htc_tmp_limit;
+  uint8_t reserved1; // dp_ss_control
+  uint8_t gpu_package_id;
+  struct  edp_info_table  edp1_info;
+  struct  edp_info_table  edp2_info;
+  uint32_t  reserved2[8];
+  struct  atom_external_display_connection_info extdispconninfo;
+  uint8_t UMACarveoutVersion;
+  uint8_t UMACarveoutIndexMax;
+  uint8_t UMACarveoutTypeDefault;
+  uint8_t UMACarveoutIndexDefault;
+  uint8_t UMACarveoutType;           //Auto or Custom
+  uint8_t UMACarveoutIndex;
+  struct  uma_carveout_option UMASizeControlOption[20];
+  uint8_t reserved3[110];
+};
+
 // system_config
 enum atom_system_vbiosmisc_def{
   INTEGRATED_SYSTEM_INFO__GET_EDID_CALLBACK_FUNC_SUPPORT = 0x01,

sys/dev/pci/drm/amd/pm/swsmu/smu13/smu_v13_0_4_ppt.c

@@ -226,7 +226,8 @@ static int smu_v13_0_4_system_features_control(struct smu_context *smu, bool en)
 	struct amdgpu_device *adev = smu->adev;
 	int ret = 0;
 
-	if (!en && adev->in_s4) {
+	if (!en && !adev->in_s0ix) {
+		if (adev->in_s4) {
 			/* Adds a GFX reset as workaround just before sending the
 			 * MP1_UNLOAD message to prevent GC/RLC/PMFW from entering
 			 * an invalid state.
@@ -235,6 +236,7 @@ static int smu_v13_0_4_system_features_control(struct smu_context *smu, bool en)
 							      SMU_RESET_MODE_2, NULL);
 			if (ret)
 				return ret;
+		}
 
 		ret = smu_cmn_send_smc_msg(smu, SMU_MSG_PrepareMp1ForUnload, NULL);
 	}

sys/dev/pci/drm/drm_fbdev_generic.c

@@ -122,7 +122,6 @@ static int drm_fbdev_generic_helper_fb_probe(struct drm_fb_helper *fb_helper,
 	/* screen */
 	info->flags |= FBINFO_VIRTFB | FBINFO_READS_FAST;
 	info->screen_buffer = screen_buffer;
-	info->fix.smem_start = page_to_phys(vmalloc_to_page(info->screen_buffer));
 	info->fix.smem_len = screen_size;
 
 #ifdef notyet

sys/dev/pci/drm/i915/i915_hwmon.c

@@ -793,7 +793,7 @@ void i915_hwmon_register(struct drm_i915_private *i915)
 	if (!IS_DGFX(i915))
 		return;
 
-	hwmon = devm_kzalloc(dev, sizeof(*hwmon), GFP_KERNEL);
+	hwmon = kzalloc(sizeof(*hwmon), GFP_KERNEL);
 	if (!hwmon)
 		return;
 
@@ -819,14 +819,12 @@ void i915_hwmon_register(struct drm_i915_private *i915)
 	hwm_get_preregistration_info(i915);
 
 	/*  hwmon_dev points to device hwmon<i> */
-	hwmon_dev = devm_hwmon_device_register_with_info(dev, ddat->name,
+	hwmon_dev = hwmon_device_register_with_info(dev, ddat->name,
 						    ddat,
 						    &hwm_chip_info,
 						    hwm_groups);
-	if (IS_ERR(hwmon_dev)) {
+	if (IS_ERR(hwmon_dev))
-		i915->hwmon = NULL;
+		goto err;
-		return;
-	}
 
 	ddat->hwmon_dev = hwmon_dev;
 
@@ -839,16 +837,36 @@ void i915_hwmon_register(struct drm_i915_private *i915)
 		if (!hwm_gt_is_visible(ddat_gt, hwmon_energy, hwmon_energy_input, 0))
 			continue;
 
-		hwmon_dev = devm_hwmon_device_register_with_info(dev, ddat_gt->name,
+		hwmon_dev = hwmon_device_register_with_info(dev, ddat_gt->name,
 							    ddat_gt,
 							    &hwm_gt_chip_info,
 							    NULL);
 		if (!IS_ERR(hwmon_dev))
 			ddat_gt->hwmon_dev = hwmon_dev;
 	}
+	return;
+err:
+	i915_hwmon_unregister(i915);
 }
 
 void i915_hwmon_unregister(struct drm_i915_private *i915)
 {
-	fetch_and_zero(&i915->hwmon);
+	struct i915_hwmon *hwmon = i915->hwmon;
+	struct intel_gt *gt;
+	int i;
+
+	if (!hwmon)
+		return;
+
+	for_each_gt(gt, i915, i)
+		if (hwmon->ddat_gt[i].hwmon_dev)
+			hwmon_device_unregister(hwmon->ddat_gt[i].hwmon_dev);
+
+	if (hwmon->ddat.hwmon_dev)
+		hwmon_device_unregister(hwmon->ddat.hwmon_dev);
+
+	mutex_destroy(&hwmon->hwmon_lock);
+
+	kfree(i915->hwmon);
+	i915->hwmon = NULL;
 }

sys/dev/pci/drm/include/generated/autoconf.h

@@ -93,5 +93,5 @@
 #endif
 
 #if defined(SUSPEND) || defined(HIBERNATE)
-#define CONFIG_PM_SLEEP
+#define CONFIG_PM_SLEEP				1
 #endif

sys/dev/pci/if_vmx.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_vmx.c,v 1.87 2024/06/07 08:44:25 jan Exp $	*/
+/*	$OpenBSD: if_vmx.c,v 1.88 2024/06/17 11:13:43 bluhm Exp $	*/
 
 /*
  * Copyright (c) 2013 Tsubai Masanari
@@ -1619,6 +1619,8 @@ vmxnet3_start(struct ifqueue *ifq)
 	rgen = ring->gen;
 
 	for (;;) {
+		int hdrlen;
+
 		if (free <= NTXSEGS) {
 			ifq_set_oactive(ifq);
 			break;
@@ -1628,6 +1630,30 @@ vmxnet3_start(struct ifqueue *ifq)
 		if (m == NULL)
 			break;
 
+		/*
+		 * Headers for Ether, IP, TCP including options must lay in
+		 * first mbuf to support TSO.  Usually our stack gets that
+		 * right. To avoid packet parsing here, make a rough estimate
+		 * for simple IPv4.  Cases seen in the wild contain only ether 
+		 * header in separate mbuf.  To support IPv6 with TCP options,
+		 * move as much as possible into first mbuf.  Realloc mbuf
+		 * before bus dma load.
+		 */
+		hdrlen = sizeof(struct ether_header) + sizeof(struct ip) +
+		    sizeof(struct tcphdr);
+		if (ISSET(m->m_pkthdr.csum_flags, M_TCP_TSO) &&
+		    m->m_len < hdrlen && hdrlen <= m->m_pkthdr.len) {
+			hdrlen = MHLEN;
+			/* m_pullup preserves alignment, reserve space */
+			hdrlen -= mtod(m, unsigned long) & (sizeof(long) - 1);
+			if (hdrlen > m->m_pkthdr.len)
+				hdrlen = m->m_pkthdr.len;
+			if ((m = m_pullup(m, hdrlen)) == NULL) {
+				ifq->ifq_errors++;
+				continue;
+			}
+		}
+
 		map = ring->dmap[prod];
 
 		if (vmx_load_mbuf(sc->sc_dmat, map, m) != 0) {

sys/dev/pci/pcidevs

@@ -1,4 +1,4 @@
-$OpenBSD: pcidevs,v 1.2076 2024/05/22 16:24:59 martijn Exp $
+$OpenBSD: pcidevs,v 1.2077 2024/06/16 16:20:51 kn Exp $
 /*	$NetBSD: pcidevs,v 1.30 1997/06/24 06:20:24 thorpej Exp $	*/
 
 /*
@@ -346,6 +346,7 @@ vendor	SYMPHONY2	0x1c1c	Symphony Labs
 vendor	SKHYNIX		0x1c5c	SK hynix
 vendor	ADATA		0x1cc1	ADATA Technology
 vendor	UMIS		0x1cc4	Union Memory
+vendor	ZHAOXIN		0x1d17	Zhaoxin
 vendor	BAIKAL		0x1d39	Baikal Electronics
 vendor	AQUANTIA	0x1d6a	Aquantia
 vendor	ROCKCHIP	0x1d87	Rockchip
@@ -10039,6 +10040,9 @@ product YMTC PC005		0x1001	PC005
 /* Zeinet products */
 product ZEINET 1221		0x0001	1221
 
+/* Zhaoxin products */
+product ZHAOXIN STORX_AHCI	0x9083	StorX AHCI
+
 /* Ziatech products */
 product ZIATECH ZT8905		0x8905	PCI-ST32
 

sys/dev/pci/pcidevs.h

@@ -2,7 +2,7 @@
  * THIS FILE AUTOMATICALLY GENERATED.  DO NOT EDIT.
  *
  * generated from:
- *	OpenBSD: pcidevs,v 1.2075 2024/05/21 07:03:55 jsg Exp 
+ *	OpenBSD: pcidevs,v 1.2077 2024/06/16 16:20:51 kn Exp 
  */
 /*	$NetBSD: pcidevs,v 1.30 1997/06/24 06:20:24 thorpej Exp $	*/
 
@@ -351,6 +351,7 @@
 #define	PCI_VENDOR_SKHYNIX	0x1c5c		/* SK hynix */
 #define	PCI_VENDOR_ADATA	0x1cc1		/* ADATA Technology */
 #define	PCI_VENDOR_UMIS	0x1cc4		/* Union Memory */
+#define	PCI_VENDOR_ZHAOXIN	0x1d17		/* Zhaoxin */
 #define	PCI_VENDOR_BAIKAL	0x1d39		/* Baikal Electronics */
 #define	PCI_VENDOR_AQUANTIA	0x1d6a		/* Aquantia */
 #define	PCI_VENDOR_ROCKCHIP	0x1d87		/* Rockchip */
@@ -10044,6 +10045,9 @@
 /* Zeinet products */
 #define	PCI_PRODUCT_ZEINET_1221	0x0001		/* 1221 */
 
+/* Zhaoxin products */
+#define	PCI_PRODUCT_ZHAOXIN_STORX_AHCI	0x9083		/* StorX AHCI */
+
 /* Ziatech products */
 #define	PCI_PRODUCT_ZIATECH_ZT8905	0x8905		/* PCI-ST32 */
 

sys/dev/pci/pcidevs_data.h

@@ -2,7 +2,7 @@
  * THIS FILE AUTOMATICALLY GENERATED.  DO NOT EDIT.
  *
  * generated from:
- *	OpenBSD: pcidevs,v 1.2075 2024/05/21 07:03:55 jsg Exp 
+ *	OpenBSD: pcidevs,v 1.2077 2024/06/16 16:20:51 kn Exp 
  */
 
 /*	$NetBSD: pcidevs,v 1.30 1997/06/24 06:20:24 thorpej Exp $	*/
@@ -36047,6 +36047,10 @@ static const struct pci_known_product pci_known_products[] = {
 	    PCI_VENDOR_ZEINET, PCI_PRODUCT_ZEINET_1221,
 	    "1221",
 	},
+	{
+	    PCI_VENDOR_ZHAOXIN, PCI_PRODUCT_ZHAOXIN_STORX_AHCI,
+	    "StorX AHCI",
+	},
 	{
 	    PCI_VENDOR_ZIATECH, PCI_PRODUCT_ZIATECH_ZT8905,
 	    "PCI-ST32",
@@ -37279,6 +37283,10 @@ static const struct pci_known_vendor pci_known_vendors[] = {
 	    PCI_VENDOR_UMIS,
 	    "Union Memory",
 	},
+	{
+	    PCI_VENDOR_ZHAOXIN,
+	    "Zhaoxin",
+	},
 	{
 	    PCI_VENDOR_BAIKAL,
 	    "Baikal Electronics",

usr.bin/make/buf.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: buf.c,v 1.30 2023/09/04 11:35:11 espie Exp $	*/
+/*	$OpenBSD: buf.c,v 1.31 2024/06/18 02:11:03 millert Exp $	*/
 /*	$NetBSD: buf.c,v 1.9 1996/12/31 17:53:21 christos Exp $ */
 
 /*
@@ -90,7 +90,7 @@
 #endif
 
 static void
-fatal_overflow()
+fatal_overflow(void)
 {
 	fprintf(stderr, "buffer size overflow\n");
 	exit(2);

usr.bin/make/compat.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: compat.c,v 1.94 2023/09/04 11:35:11 espie Exp $	*/
+/*	$OpenBSD: compat.c,v 1.95 2024/06/18 02:11:03 millert Exp $	*/
 /*	$NetBSD: compat.c,v 1.14 1996/11/06 17:59:01 christos Exp $	*/
 
 /*
@@ -247,12 +247,12 @@ CompatMake(void *gnp,	/* The node to make */
 }
 
 void
-Compat_Init()
+Compat_Init(void)
 {
 }
 
 void
-Compat_Update(GNode *gn)
+Compat_Update(GNode *gn UNUSED)
 {
 }
 

usr.bin/make/error.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: error.c,v 1.26 2023/09/04 11:35:11 espie Exp $ */
+/*	$OpenBSD: error.c,v 1.27 2024/06/18 02:11:03 millert Exp $ */
 
 /*
  * Copyright (c) 2001 Marc Espie.
@@ -122,7 +122,7 @@ Punt(const char *fmt, ...)
  *	The program exits
  */
 void
-Finish()
+Finish(void)
 {
 	Job_Wait();
 	print_errors();

usr.bin/make/job.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: job.c,v 1.165 2023/09/04 11:35:11 espie Exp $	*/
+/*	$OpenBSD: job.c,v 1.166 2024/06/18 02:11:03 millert Exp $	*/
 /*	$NetBSD: job.c,v 1.16 1996/11/06 17:59:08 christos Exp $	*/
 
 /*
@@ -297,7 +297,7 @@ quick_summary(int signo)
 }
 
 static void
-internal_print_errors()
+internal_print_errors(void)
 {
 	Job *j, *k, *jnext;
 	int dying;
@@ -375,7 +375,7 @@ notice_signal(int sig)
 }
 
 void
-Sigset_Init()
+Sigset_Init(void)
 {
 	sigemptyset(&emptyset);
 	sigprocmask(SIG_BLOCK, &emptyset, &origset);
@@ -664,7 +664,7 @@ may_continue_job(Job *job)
 }
 
 static void
-may_continue_heldback_jobs()
+may_continue_heldback_jobs(void)
 {
 	while (!no_new_jobs) {
 		if (heldJobs != NULL) {
@@ -775,7 +775,7 @@ reap_jobs(void)
 }
 
 void
-reset_signal_mask()
+reset_signal_mask(void)
 {
 	sigprocmask(SIG_SETMASK, &origset, NULL);
 }
@@ -811,7 +811,7 @@ handle_running_jobs(void)
 }
 
 void
-loop_handle_running_jobs()
+loop_handle_running_jobs(void)
 {
 	while (runningJobs != NULL)
 		handle_running_jobs();

usr.bin/make/main.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: main.c,v 1.132 2023/09/04 11:35:11 espie Exp $ */
+/*	$OpenBSD: main.c,v 1.133 2024/06/18 02:11:03 millert Exp $ */
 /*	$NetBSD: main.c,v 1.34 1997/03/24 20:56:36 gwr Exp $	*/
 
 /*
@@ -127,7 +127,7 @@ record_option(int c, const char *arg)
 }
 
 void
-set_notparallel()
+set_notparallel(void)
 {
 	compatMake = true;
 }
@@ -465,7 +465,7 @@ add_dirpath(Lst l, const char *n)
  * run-time.
  */
 static char *
-figure_out_MACHINE()
+figure_out_MACHINE(void)
 {
 	char *r = getenv("MACHINE");
 	if (r == NULL) {
@@ -479,7 +479,7 @@ figure_out_MACHINE()
 }
 
 static char *
-figure_out_MACHINE_ARCH()
+figure_out_MACHINE_ARCH(void)
 {
 	char *r = getenv("MACHINE_ARCH");
 	if (r == NULL) {
@@ -492,7 +492,7 @@ figure_out_MACHINE_ARCH()
 	return r;
 }
 static char *
-figure_out_MACHINE_CPU()
+figure_out_MACHINE_CPU(void)
 {
 	char *r = getenv("MACHINE_CPU");
 	if (r == NULL) {
@@ -510,7 +510,7 @@ figure_out_MACHINE_CPU()
 }
 
 static char *
-figure_out_CURDIR()
+figure_out_CURDIR(void)
 {
 	char *dir, *cwd;
 	struct stat sa, sb;
@@ -577,7 +577,7 @@ setup_CURDIR_OBJDIR(struct dirs *d)
  * <directory>:<directory>:<directory>...
  */
 static void
-setup_VPATH()
+setup_VPATH(void)
 {
 	if (Var_Value("VPATH") != NULL) {
 		char *vpath;
@@ -936,7 +936,7 @@ found:		Var_Set("MAKEFILE", fname);
  *	exit with usage message
  */
 static void
-usage()
+usage(void)
 {
 	(void)fprintf(stderr,
 "usage: make [-BeiknpqrSst] [-C directory] [-D variable] [-d flags] [-f mk]\n\

usr.bin/make/make.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: make.c,v 1.84 2023/09/04 11:35:11 espie Exp $	*/
+/*	$OpenBSD: make.c,v 1.85 2024/06/18 02:11:03 millert Exp $	*/
 /*	$NetBSD: make.c,v 1.10 1996/11/06 17:59:15 christos Exp $	*/
 
 /*
@@ -118,13 +118,13 @@ static bool randomize_queue;
 long random_delay = 0;
 
 bool
-nothing_left_to_build()
+nothing_left_to_build(void)
 {
 	return Array_IsEmpty(&to_build);
 }
 
 static void
-random_setup()
+random_setup(void)
 {
 	randomize_queue = Var_Definedi("RANDOM_ORDER", NULL);
 
@@ -503,7 +503,7 @@ add_targets_to_make(Lst todo)
 }
 
 void
-Make_Init()
+Make_Init(void)
 {
 	/* wild guess at initial sizes */
 	Array_Init(&to_build, 500);

usr.bin/make/parse.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.c,v 1.136 2023/09/04 11:35:11 espie Exp $	*/
+/*	$OpenBSD: parse.c,v 1.137 2024/06/18 02:11:03 millert Exp $	*/
 /*	$NetBSD: parse.c,v 1.29 1997/03/10 21:20:04 christos Exp $	*/
 
 /*
@@ -219,7 +219,7 @@ static struct {
 #undef P
 
 static void
-create_special_nodes()
+create_special_nodes(void)
 {
 	unsigned int i;
 
@@ -690,7 +690,7 @@ parse_do_targets(Lst paths, unsigned int *op, const char *line)
 }
 
 static void
-dump_targets()
+dump_targets(void)
 {
 	size_t i;
 	for (i = 0; i < gtargets.n; i++)
@@ -1436,6 +1436,7 @@ build_target_group(struct growableArray *targets, struct ohash *t)
 	LstNode ln;
 	bool seen_target = false;
 	unsigned int i;
+	GNode *gn, *gn2;
 
 	/* may be 0 if wildcard expansion resulted in zero match */
 	if (targets->n <= 1)
@@ -1465,7 +1466,6 @@ build_target_group(struct growableArray *targets, struct ohash *t)
 	if (seen_target)
 		return;
 
-	GNode *gn, *gn2;
 	/* targets may already participate in groupling lists,
 	 * so rebuild the circular list "from scratch"
 	 */
@@ -1488,7 +1488,7 @@ build_target_group(struct growableArray *targets, struct ohash *t)
 }
 
 static void
-reset_target_hash()
+reset_target_hash(void)
 {
 	if (htargets_setup)
 		ohash_delete(&htargets);
@@ -1497,7 +1497,7 @@ reset_target_hash()
 }
 
 void
-Parse_End()
+Parse_End(void)
 {
 	if (htargets_setup)
 		ohash_delete(&htargets);

usr.bin/make/parsevar.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parsevar.c,v 1.17 2023/09/04 11:35:11 espie Exp $	*/
+/*	$OpenBSD: parsevar.c,v 1.18 2024/06/18 02:11:03 millert Exp $	*/
 /*	$NetBSD: parse.c,v 1.29 1997/03/10 21:20:04 christos Exp $	*/
 
 /*
@@ -38,7 +38,6 @@
 #include "parsevar.h"
 
 static const char *find_op1(const char *);
-static const char *find_op2(const char *);
 static bool parse_variable_assignment(const char *, int);
 
 static const char *
@@ -55,18 +54,6 @@ find_op1(const char *p)
 	return p;
 }
 
-static const char *
-find_op2(const char *p)
-{
-	for(;; p++) {
-		if (ISSPACE(*p) || *p == '$' || *p == '\0')
-			break;
-		if (p[strspn(p, "?:!+")] == '=')
-			break;
-	}
-	return p;
-}
-
 static bool
 parse_variable_assignment(const char *line, int ctxt)
 {

usr.bin/make/targ.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: targ.c,v 1.87 2024/05/21 05:00:48 jsg Exp $ */
+/*	$OpenBSD: targ.c,v 1.88 2024/06/18 02:11:03 millert Exp $ */
 /*	$NetBSD: targ.c,v 1.11 1997/02/20 16:51:50 christos Exp $	*/
 
 /*
@@ -337,7 +337,7 @@ status_to_string(GNode *gn)
 }
 
 struct ohash *
-targets_hash()
+targets_hash(void)
 {
 	return &targets;
 }

usr.bin/make/targequiv.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: targequiv.c,v 1.10 2023/09/04 11:35:11 espie Exp $ */
+/*	$OpenBSD: targequiv.c,v 1.11 2024/06/18 02:11:04 millert Exp $ */
 /*
  * Copyright (c) 2007-2008 Marc Espie.
  *
@@ -109,7 +109,7 @@ add_to_equiv_list(struct ohash *equiv, GNode *gn)
 }
 
 static void
-build_equivalence()
+build_equivalence(void)
 {
 	unsigned int i;
 	GNode *gn;

usr.bin/make/var.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: var.c,v 1.106 2023/09/04 11:35:11 espie Exp $	*/
+/*	$OpenBSD: var.c,v 1.107 2024/06/18 02:11:04 millert Exp $	*/
 /*	$NetBSD: var.c,v 1.18 1997/03/18 19:24:46 christos Exp $	*/
 
 /*
@@ -1365,7 +1365,7 @@ Var_SubstVar(Buffer buf,	/* To store result */
  ***/
 
 static void
-set_magic_shell_variable()
+set_magic_shell_variable(void)
 {
 	const char *name = "SHELL";
 	const char *ename = NULL;
@@ -1380,7 +1380,7 @@ set_magic_shell_variable()
 }
 
 static void
-set_magic_name_list_variable()
+set_magic_name_list_variable(void)
 {
 	const char *name = VARNAME_LIST;
 	const char *ename = NULL;

usr.bin/make/varmodifiers.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: varmodifiers.c,v 1.49 2023/09/04 11:35:11 espie Exp $	*/
+/*	$OpenBSD: varmodifiers.c,v 1.50 2024/06/18 02:11:04 millert Exp $	*/
 /*	$NetBSD: var.c,v 1.18 1997/03/18 19:24:46 christos Exp $	*/
 
 /*
@@ -174,7 +174,7 @@ static struct modifier {
 ;
 
 void
-VarModifiers_Init()
+VarModifiers_Init(void)
 {
 	choose_mod['M'] = &match_mod;
 	choose_mod['N'] = &nomatch_mod;

usr.bin/mandoc/st.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: st.c,v 1.14 2022/01/13 08:39:24 schwarze Exp $ */
+/* $OpenBSD: st.c,v 1.15 2024/06/16 18:33:05 job Exp $ */
 /*
  * Copyright (c) 2009, 2010 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -35,6 +35,7 @@ LINE("-p1003.1-96",	"ISO/IEC 9945-1:1996 (\\(lqPOSIX.1\\(rq)")
 LINE("-p1003.1-2001",	"IEEE Std 1003.1-2001 (\\(lqPOSIX.1\\(rq)")
 LINE("-p1003.1-2004",	"IEEE Std 1003.1-2004 (\\(lqPOSIX.1\\(rq)")
 LINE("-p1003.1-2008",	"IEEE Std 1003.1-2008 (\\(lqPOSIX.1\\(rq)")
+LINE("-p1003.1-2024",	"IEEE Std 1003.1-2024 (\\(lqPOSIX.1\\(rq)")
 LINE("-p1003.1",	"IEEE Std 1003.1 (\\(lqPOSIX.1\\(rq)")
 LINE("-p1003.1b",	"IEEE Std 1003.1b (\\(lqPOSIX.1b\\(rq)")
 LINE("-p1003.1b-93",	"IEEE Std 1003.1b-1993 (\\(lqPOSIX.1b\\(rq)")

usr.bin/sed/compile.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: compile.c,v 1.51 2022/12/26 19:16:02 jmc Exp $	*/
+/*	$OpenBSD: compile.c,v 1.52 2024/06/18 00:32:22 millert Exp $	*/
 
 /*-
  * Copyright (c) 1992 Diomidis Spinellis.
@@ -151,7 +151,7 @@ compile_stream(struct s_command **link)
 
 	stack = 0;
 	for (;;) {
-		if ((p = cu_fgets(&lbuf, &bufsize)) == NULL) {
+		if ((p = cu_getline(&lbuf, &bufsize)) == NULL) {
 			if (stack != 0)
 				error(COMPILE, "unexpected EOF (pending }'s)");
 			return (link);
@@ -538,7 +538,7 @@ compile_subst(char *p, struct s_subst *s)
 			*sp++ = *p;
 		}
 		size += sp - op;
-	} while ((p = cu_fgets(&lbuf, &bufsize)));
+	} while ((p = cu_getline(&lbuf, &bufsize)));
 	error(COMPILE, "unterminated substitute in regular expression");
 }
 
@@ -682,7 +682,7 @@ compile_text(void)
 
 	lbuf = text = NULL;
 	asize = size = 0;
-	while ((p = cu_fgets(&lbuf, &bufsize))) {
+	while ((p = cu_getline(&lbuf, &bufsize))) {
 		size_t len = ROUNDLEN(strlen(p) + 1);
 		if (asize - size < len) {
 			do {

usr.bin/sed/extern.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: extern.h,v 1.14 2018/11/14 10:59:33 martijn Exp $ */
+/*	$OpenBSD: extern.h,v 1.15 2024/06/18 00:32:22 millert Exp $ */
 /*-
  * Copyright (c) 1992 Diomidis Spinellis.
  * Copyright (c) 1992, 1993
@@ -48,10 +48,10 @@ extern FILE *infile, *outfile;
 void	 cfclose(struct s_command *, struct s_command *);
 void	 compile(void);
 void	 cspace(SPACE *, const char *, size_t, enum e_spflag);
-char	*cu_fgets(char **, size_t *);
+char	*cu_getline(char **, size_t *);
 __dead void error(int, const char *, ...);
 void	warning(const char *, ...);
-int	 mf_fgets(SPACE *, enum e_spflag);
+int	 mf_getline(SPACE *, enum e_spflag);
 int	 lastline(void);
 void	 finish_file(void);
 void	 process(void);

usr.bin/sed/main.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: main.c,v 1.44 2023/02/08 08:18:11 tb Exp $	*/
+/*	$OpenBSD: main.c,v 1.45 2024/06/18 00:32:22 millert Exp $	*/
 
 /*-
  * Copyright (c) 1992 Diomidis Spinellis.
@@ -209,11 +209,11 @@ main(int argc, char *argv[])
 }
 
 /*
- * Like fgets, but go through the chain of compilation units chaining them
+ * Like getline, but go through the chain of compilation units chaining them
  * together.  Empty strings and files are ignored.
  */
 char *
-cu_fgets(char **outbuf, size_t *outsize)
+cu_getline(char **outbuf, size_t *outsize)
 {
 	static enum {ST_EOF, ST_FILE, ST_STRING} state = ST_EOF;
 	static FILE *f;		/* Current open file */
@@ -328,11 +328,11 @@ finish_file(void)
 }
 
 /*
- * Like fgets, but go through the list of files chaining them together.
+ * Like getline, but go through the list of files chaining them together.
  * Set len to the length of the line.
  */
 int
-mf_fgets(SPACE *sp, enum e_spflag spflag)
+mf_getline(SPACE *sp, enum e_spflag spflag)
 {
 	struct stat sb;
 	size_t len;

usr.bin/sed/process.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: process.c,v 1.35 2022/01/12 15:13:36 martijn Exp $	*/
+/*	$OpenBSD: process.c,v 1.36 2024/06/18 00:32:22 millert Exp $	*/
 
 /*-
  * Copyright (c) 1992 Diomidis Spinellis.
@@ -90,7 +90,7 @@ process(void)
 	size_t len, oldpsl;
 	char *p;
 
-	for (linenum = 0; mf_fgets(&PS, REPLACE);) {
+	for (linenum = 0; mf_getline(&PS, REPLACE);) {
 		pd = 0;
 top:
 		cp = prog;
@@ -164,14 +164,14 @@ redirect:
 				if (!nflag && !pd)
 					OUT();
 				flush_appends();
-				if (!mf_fgets(&PS, REPLACE))
+				if (!mf_getline(&PS, REPLACE))
 					exit(0);
 				pd = 0;
 				break;
 			case 'N':
 				flush_appends();
 				cspace(&PS, "\n", 1, 0);
-				if (!mf_fgets(&PS, 0))
+				if (!mf_getline(&PS, 0))
 					exit(0);
 				break;
 			case 'p':

usr.bin/ssh/Makefile.inc

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile.inc,v 1.93 2024/06/04 15:14:45 deraadt Exp $
+#	$OpenBSD: Makefile.inc,v 1.94 2024/06/17 08:30:29 djm Exp $
 
 .include <bsd.own.mk>
 
@@ -37,7 +37,7 @@ WARNINGS=yes
 
 OPENSSL?=	yes
 ZLIB?=		yes
-DSAKEY?=	yes
+DSAKEY?=	no
 
 .if (${OPENSSL:L} == "yes")
 CFLAGS+=	-DWITH_OPENSSL

usr.bin/ssh/serverloop.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.239 2024/05/17 00:30:24 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.240 2024/06/17 08:28:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -260,11 +260,11 @@ process_input(struct ssh *ssh, int connection_in)
 		if (errno == EAGAIN || errno == EINTR)
 			return 0;
 		if (errno == EPIPE) {
-			verbose("Connection closed by %.100s port %d",
+			logit("Connection closed by %.100s port %d",
 			    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
 			return -1;
 		}
-		verbose("Read error from remote host %s port %d: %s",
+		logit("Read error from remote host %s port %d: %s",
 		    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
 		    strerror(errno));
 		cleanup_exit(255);

usr.bin/ssh/ssh-add.1

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-add.1,v 1.86 2023/12/19 06:57:34 jmc Exp $
+.\"	$OpenBSD: ssh-add.1,v 1.87 2024/06/17 08:30:29 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 19 2023 $
+.Dd $Mdocdate: June 17 2024 $
 .Dt SSH-ADD 1
 .Os
 .Sh NAME
@@ -67,10 +67,9 @@ When run without arguments, it adds the files
 .Pa ~/.ssh/id_rsa ,
 .Pa ~/.ssh/id_ecdsa ,
 .Pa ~/.ssh/id_ecdsa_sk ,
-.Pa ~/.ssh/id_ed25519 ,
+.Pa ~/.ssh/id_ed25519
-.Pa ~/.ssh/id_ed25519_sk ,
 and
-.Pa ~/.ssh/id_dsa .
+.Pa ~/.ssh/id_ed25519_sk .
 After loading a private key,
 .Nm
 will try to load corresponding certificate information from the
@@ -314,13 +313,12 @@ the built-in USB HID support.
 .El
 .Sh FILES
 .Bl -tag -width Ds -compact
-.It Pa ~/.ssh/id_dsa
 .It Pa ~/.ssh/id_ecdsa
 .It Pa ~/.ssh/id_ecdsa_sk
 .It Pa ~/.ssh/id_ed25519
 .It Pa ~/.ssh/id_ed25519_sk
 .It Pa ~/.ssh/id_rsa
-Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
+Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
 authenticator-hosted Ed25519 or RSA authentication identity of the user.
 .El
 .Pp

usr.bin/ssh/ssh-keygen.1

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.230 2023/09/04 10:29:58 job Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.232 2024/06/17 13:50:18 naddy Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 4 2023 $
+.Dd $Mdocdate: June 17 2024 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -51,7 +51,7 @@
 .Op Fl m Ar format
 .Op Fl N Ar new_passphrase
 .Op Fl O Ar option
-.Op Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
+.Op Fl t Cm ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
 .Op Fl w Ar provider
 .Op Fl Z Ar cipher
 .Nm ssh-keygen
@@ -205,7 +205,6 @@ section for details.
 Normally each user wishing to use SSH
 with public key authentication runs this once to create the authentication
 key in
-.Pa ~/.ssh/id_dsa ,
 .Pa ~/.ssh/id_ecdsa ,
 .Pa ~/.ssh/id_ecdsa_sk ,
 .Pa ~/.ssh/id_ed25519 ,
@@ -296,7 +295,6 @@ Show the bubblebabble digest of specified private or public key file.
 Specifies the number of bits in the key to create.
 For RSA keys, the minimum size is 1024 bits and the default is 3072 bits.
 Generally, 3072 bits is considered sufficient.
-DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
 For ECDSA keys, the
 .Fl b
 flag determines the key length by selecting from one of three elliptic
@@ -414,9 +412,8 @@ section.
 Prints the contents of one or more certificates.
 .It Fl l
 Show fingerprint of specified public key file.
-For RSA and DSA keys
 .Nm
-tries to find the matching public key file and prints its fingerprint.
+will try to find the matching public key file and prints its fingerprint.
 If combined with
 .Fl v ,
 a visual ASCII art representation of the key is supplied with the
@@ -579,10 +576,9 @@ by key ID or serial number.
 See the
 .Sx KEY REVOCATION LISTS
 section for details.
-.It Fl t Cm dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
+.It Fl t Cm ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa
 Specifies the type of key to create.
 The possible values are
-.Dq dsa ,
 .Dq ecdsa ,
 .Dq ecdsa-sk ,
 .Dq ed25519 ,
@@ -1290,13 +1286,12 @@ the built-in USB HID support.
 .El
 .Sh FILES
 .Bl -tag -width Ds -compact
-.It Pa ~/.ssh/id_dsa
 .It Pa ~/.ssh/id_ecdsa
 .It Pa ~/.ssh/id_ecdsa_sk
 .It Pa ~/.ssh/id_ed25519
 .It Pa ~/.ssh/id_ed25519_sk
 .It Pa ~/.ssh/id_rsa
-Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
+Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
 authenticator-hosted Ed25519 or RSA authentication identity of the user.
 This file should not be readable by anyone but the user.
 It is possible to
@@ -1308,13 +1303,12 @@ but it is offered as the default file for the private key.
 .Xr ssh 1
 will read this file when a login attempt is made.
 .Pp
-.It Pa ~/.ssh/id_dsa.pub
 .It Pa ~/.ssh/id_ecdsa.pub
 .It Pa ~/.ssh/id_ecdsa_sk.pub
 .It Pa ~/.ssh/id_ed25519.pub
 .It Pa ~/.ssh/id_ed25519_sk.pub
 .It Pa ~/.ssh/id_rsa.pub
-Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519,
+Contains the ECDSA, authenticator-hosted ECDSA, Ed25519,
 authenticator-hosted Ed25519 or RSA public key for authentication.
 The contents of this file should be added to
 .Pa ~/.ssh/authorized_keys

usr.bin/ssh/ssh-keyscan.1

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keyscan.1,v 1.51 2024/06/14 05:20:34 jmc Exp $
+.\"	$OpenBSD: ssh-keyscan.1,v 1.52 2024/06/17 08:30:29 djm Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: June 14 2024 $
+.Dd $Mdocdate: June 17 2024 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@@ -130,7 +130,6 @@ The default is 5 seconds.
 .It Fl t Ar type
 Specify the type of the key to fetch from the scanned hosts.
 The possible values are
-.Dq dsa ,
 .Dq ecdsa ,
 .Dq ed25519 ,
 .Dq ecdsa-sk ,
@@ -138,14 +137,7 @@ The possible values are
 or
 .Dq rsa .
 Multiple values may be specified by separating them with commas.
-The default is to fetch
+The default is to fetch all the above key types.
-.Dq rsa ,
-.Dq ecdsa ,
-.Dq ed25519 ,
-.Dq ecdsa-sk ,
-and
-.Dq ed25519-sk
-keys.
 .It Fl v
 Verbose mode:
 print debugging messages about progress.
@@ -177,7 +169,7 @@ Find all hosts from the file
 which have new or different keys from those in the sorted file
 .Pa ssh_known_hosts :
 .Bd -literal -offset indent
-$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
+$ ssh-keyscan -t rsa,ecdsa,ed25519 -f ssh_hosts | \e
 	sort -u - ssh_known_hosts | diff ssh_known_hosts -
 .Ed
 .Sh SEE ALSO

usr.bin/ssh/ssh-keysign.8

@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-keysign.8,v 1.17 2022/03/31 17:27:27 naddy Exp $
+.\" $OpenBSD: ssh-keysign.8,v 1.18 2024/06/17 08:30:29 djm Exp $
 .\"
 .\" Copyright (c) 2002 Markus Friedl.  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: March 31 2022 $
+.Dd $Mdocdate: June 17 2024 $
 .Dt SSH-KEYSIGN 8
 .Os
 .Sh NAME
@@ -61,7 +61,6 @@ Controls whether
 .Nm
 is enabled.
 .Pp
-.It Pa /etc/ssh/ssh_host_dsa_key
 .It Pa /etc/ssh/ssh_host_ecdsa_key
 .It Pa /etc/ssh/ssh_host_ed25519_key
 .It Pa /etc/ssh/ssh_host_rsa_key
@@ -73,7 +72,6 @@ Since they are readable only by root,
 .Nm
 must be set-uid root if host-based authentication is used.
 .Pp
-.It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
 .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
 .It Pa /etc/ssh/ssh_host_ed25519_key-cert.pub
 .It Pa /etc/ssh/ssh_host_rsa_key-cert.pub

usr.bin/ssh/ssh.1

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.440 2024/05/26 20:35:12 naddy Exp $
+.\" $OpenBSD: ssh.1,v 1.441 2024/06/17 08:30:29 djm Exp $
-.Dd $Mdocdate: May 26 2024 $
+.Dd $Mdocdate: June 17 2024 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -304,10 +304,9 @@ The default is
 .Pa ~/.ssh/id_rsa ,
 .Pa ~/.ssh/id_ecdsa ,
 .Pa ~/.ssh/id_ecdsa_sk ,
-.Pa ~/.ssh/id_ed25519 ,
+.Pa ~/.ssh/id_ed25519
-.Pa ~/.ssh/id_ed25519_sk
 and
-.Pa ~/.ssh/id_dsa .
+.Pa ~/.ssh/id_ed25519_sk .
 Identity files may also be specified on
 a per-host basis in the configuration file.
 It is possible to have multiple
@@ -929,10 +928,10 @@ key pair for authentication purposes.
 The server knows the public key, and only the user knows the private key.
 .Nm
 implements public key authentication protocol automatically,
-using one of the DSA, ECDSA, Ed25519 or RSA algorithms.
+using one of the ECDSA, Ed25519 or RSA algorithms.
 The HISTORY section of
 .Xr ssl 8
-contains a brief discussion of the DSA and RSA algorithms.
+contains a brief discussion of the RSA and ECDSA algorithms.
 .Pp
 The file
 .Pa ~/.ssh/authorized_keys
@@ -959,8 +958,6 @@ flag).
 The user creates their key pair by running
 .Xr ssh-keygen 1 .
 This stores the private key in
-.Pa ~/.ssh/id_dsa
-(DSA),
 .Pa ~/.ssh/id_ecdsa
 (ECDSA),
 .Pa ~/.ssh/id_ecdsa_sk
@@ -973,8 +970,6 @@ or
 .Pa ~/.ssh/id_rsa
 (RSA)
 and stores the public key in
-.Pa ~/.ssh/id_dsa.pub
-(DSA),
 .Pa ~/.ssh/id_ecdsa.pub
 (ECDSA),
 .Pa ~/.ssh/id_ecdsa_sk.pub
@@ -1556,7 +1551,7 @@ secret, but the recommended permissions are read/write/execute for the user,
 and not accessible by others.
 .Pp
 .It Pa ~/.ssh/authorized_keys
-Lists the public keys (DSA, ECDSA, Ed25519, RSA)
+Lists the public keys (ECDSA, Ed25519, RSA)
 that can be used for logging in as this user.
 The format of this file is described in the
 .Xr sshd 8
@@ -1576,7 +1571,6 @@ Contains additional definitions for environment variables; see
 .Sx ENVIRONMENT ,
 above.
 .Pp
-.It Pa ~/.ssh/id_dsa
 .It Pa ~/.ssh/id_ecdsa
 .It Pa ~/.ssh/id_ecdsa_sk
 .It Pa ~/.ssh/id_ed25519
@@ -1592,7 +1586,6 @@ It is possible to specify a passphrase when
 generating the key which will be used to encrypt the
 sensitive part of this file using AES-128.
 .Pp
-.It Pa ~/.ssh/id_dsa.pub
 .It Pa ~/.ssh/id_ecdsa.pub
 .It Pa ~/.ssh/id_ecdsa_sk.pub
 .It Pa ~/.ssh/id_ed25519.pub

usr.bin/ssh/ssh_config.5

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.395 2024/06/14 05:01:22 djm Exp $
+.\" $OpenBSD: ssh_config.5,v 1.396 2024/06/17 08:30:29 djm Exp $
-.Dd $Mdocdate: June 14 2024 $
+.Dd $Mdocdate: June 17 2024 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -1114,7 +1114,7 @@ section and environment variables as described in the
 .Sx ENVIRONMENT VARIABLES
 section.
 .It Cm IdentityFile
-Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,
+Specifies a file from which the user's ECDSA, authenticator-hosted ECDSA,
 Ed25519, authenticator-hosted Ed25519 or RSA authentication identity is read.
 You can also specify a public key file to use the corresponding
 private key that is loaded in
@@ -1124,10 +1124,9 @@ The default is
 .Pa ~/.ssh/id_rsa ,
 .Pa ~/.ssh/id_ecdsa ,
 .Pa ~/.ssh/id_ecdsa_sk ,
-.Pa ~/.ssh/id_ed25519 ,
+.Pa ~/.ssh/id_ed25519
-.Pa ~/.ssh/id_ed25519_sk
 and
-.Pa ~/.ssh/id_dsa .
+.Pa ~/.ssh/id_ed25519_sk .
 Additionally, any identities represented by the authentication agent
 will be used for authentication unless
 .Cm IdentitiesOnly

usr.bin/ssh/sshd.8

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.325 2023/09/19 20:37:07 deraadt Exp $
+.\" $OpenBSD: sshd.8,v 1.326 2024/06/17 08:30:29 djm Exp $
-.Dd $Mdocdate: September 19 2023 $
+.Dd $Mdocdate: June 17 2024 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -438,8 +438,6 @@ sk-ssh-ed25519@openssh.com
 .It
 ssh-ed25519
 .It
-ssh-dss
-.It
 ssh-rsa
 .El
 .Pp
@@ -450,7 +448,6 @@ Note that lines in this file can be several hundred bytes long
 (because of the size of the public key encoding) up to a limit of
 8 kilobytes, which permits RSA keys up to 16 kilobits.
 You don't want to type them in; instead, copy the
-.Pa id_dsa.pub ,
 .Pa id_ecdsa.pub ,
 .Pa id_ecdsa_sk.pub ,
 .Pa id_ed25519.pub ,
@@ -854,7 +851,7 @@ secret, but the recommended permissions are read/write/execute for the user,
 and not accessible by others.
 .Pp
 .It Pa ~/.ssh/authorized_keys
-Lists the public keys (DSA, ECDSA, Ed25519, RSA)
+Lists the public keys (ECDSA, Ed25519, RSA)
 that can be used for logging in as this user.
 The format of this file is described above.
 The content of the file is not highly sensitive, but the recommended

usr.bin/timeout/timeout.1

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: timeout.1,v 1.8 2023/11/03 19:16:31 cheloha Exp $
+.\"	$OpenBSD: timeout.1,v 1.9 2024/06/16 18:33:56 job Exp $
 .\"	$NetBSD: timeout.1,v 1.4 2016/10/13 06:22:26 dholland Exp $
 .\"
 .\" Copyright (c) 2014 Baptiste Daroussin <bapt@FreeBSD.org>
@@ -27,7 +27,7 @@
 .\"
 .\" $FreeBSD: head/usr.bin/timeout/timeout.1 268861 2014-07-18 22:56:59Z bapt $
 .\"
-.Dd $Mdocdate: November 3 2023 $
+.Dd $Mdocdate: June 16 2024 $
 .Dt TIMEOUT 1
 .Os
 .Sh NAME
@@ -118,6 +118,12 @@ returns the exit status of the
 .Sh SEE ALSO
 .Xr kill 1 ,
 .Xr signal 3
+.Sh STANDARDS
+The
+.Nm
+utility is compliant with the
+.St -p1003.1-2024
+specification.
 .Sh HISTORY
 The
 .Nm

usr.sbin/relayd/parse.y

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.255 2023/10/29 11:27:11 kn Exp $	*/
+/*	$OpenBSD: parse.y,v 1.256 2024/06/17 08:02:57 sashan Exp $	*/
 
 /*
  * Copyright (c) 2007 - 2014 Reyk Floeter <reyk@openbsd.org>
@@ -179,14 +179,14 @@ typedef struct {
 %token	TIMEOUT TLS TO ROUTER RTLABEL TRANSPARENT URL WITH TTL RTABLE
 %token	MATCH PARAMS RANDOM LEASTSTATES SRCHASH KEY CERTIFICATE PASSWORD ECDHE
 %token	EDH TICKETS CONNECTION CONNECTIONS CONTEXT ERRORS STATE CHANGES CHECKS
-%token	WEBSOCKETS
+%token	WEBSOCKETS PFLOG
 %token	<v.string>	STRING
 %token  <v.number>	NUMBER
 %type	<v.string>	context hostname interface table value path
 %type	<v.number>	http_type loglevel quick
 %type	<v.number>	dstmode flag forwardmode retry
 %type	<v.number>	opttls opttlsclient
-%type	<v.number>	redirect_proto relay_proto match
+%type	<v.number>	redirect_proto relay_proto match pflog
 %type	<v.number>	action ruleaf key_option
 %type	<v.port>	port
 %type	<v.host>	host
@@ -605,7 +605,7 @@ rdroptsl	: forwardmode TO tablespec interface	{
 			$3->conf.rdrid = rdr->conf.id;
 			$3->conf.flags |= F_USED;
 		}
-		| LISTEN ON STRING redirect_proto port interface {
+		| LISTEN ON STRING redirect_proto port interface pflog {
 			if (host($3, &rdr->virts,
 			    SRV_MAX_VIRTS, &$5, $6, $4) <= 0) {
 				yyerror("invalid virtual ip: %s", $3);
@@ -618,6 +618,8 @@ rdroptsl	: forwardmode TO tablespec interface	{
 			if (rdr->conf.port == 0)
 				rdr->conf.port = $5.val[0];
 			tableport = rdr->conf.port;
+			if ($7)
+				rdr->conf.flags |= F_PFLOG;
 		}
 		| DISABLE		{ rdr->conf.flags |= F_DISABLE; }
 		| STICKYADDR		{ rdr->conf.flags |= F_STICKY; }
@@ -651,6 +653,10 @@ match		: /* empty */		{ $$ = 0; }
 		| MATCH			{ $$ = 1; }
 		;
 
+pflog		: /* empty */		{ $$ = 0; }
+		| PFLOG			{ $$ = 1; }
+		;
+
 forwardmode	: FORWARD		{ $$ = FWD_NORMAL; }
 		| ROUTE			{ $$ = FWD_ROUTE; }
 		| TRANSPARENT FORWARD	{ $$ = FWD_TRANS; }
@@ -2454,6 +2460,7 @@ lookup(char *s)
 		{ "pass",		PASS },
 		{ "password",		PASSWORD },
 		{ "path",		PATH },
+		{ "pflog",		PFLOG },
 		{ "pftag",		PFTAG },
 		{ "port",		PORT },
 		{ "prefork",		PREFORK },

usr.sbin/relayd/pfe.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfe.c,v 1.90 2020/09/14 11:30:25 martijn Exp $	*/
+/*	$OpenBSD: pfe.c,v 1.91 2024/06/17 08:36:56 sashan Exp $	*/
 
 /*
  * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -584,11 +584,14 @@ int
 disable_host(struct ctl_conn *c, struct ctl_id *id, struct host *host)
 {
 	struct host	*h;
-	struct table	*table;
+	struct table	*table, *t;
+	int	 host_byname = 0;
 
 	if (host == NULL) {
-		if (id->id == EMPTY_ID)
+		if (id->id == EMPTY_ID) {
 			host = host_findbyname(env, id->name);
+			host_byname = 1;
+		}
 		else
 			host = host_find(env, id->id);
 		if (host == NULL || host->conf.parentid)
@@ -625,6 +628,16 @@ disable_host(struct ctl_conn *c, struct ctl_id *id, struct host *host)
 		/* Disable all children */
 		SLIST_FOREACH(h, &host->children, child)
 			disable_host(c, id, h);
+
+		/* Disable hosts with same name on all tables */
+		if (host_byname)
+			TAILQ_FOREACH(t, env->sc_tables, entry)
+				TAILQ_FOREACH(h, &t->hosts, entry)
+					if (strcmp(h->conf.name,
+					    host->conf.name) == 0 &&
+					    h->conf.id != host->conf.id &&
+					    !h->conf.parentid)
+						disable_host(c, id, h);
 		pfe_sync();
 	}
 	return (0);
@@ -634,10 +647,15 @@ int
 enable_host(struct ctl_conn *c, struct ctl_id *id, struct host *host)
 {
 	struct host	*h;
+	struct table	*t;
+	int	 host_byname = 0;
+
 
 	if (host == NULL) {
-		if (id->id == EMPTY_ID)
+		if (id->id == EMPTY_ID) {
 			host = host_findbyname(env, id->name);
+			host_byname = 1;
+		}
 		else
 			host = host_find(env, id->id);
 		if (host == NULL || host->conf.parentid)
@@ -666,6 +684,16 @@ enable_host(struct ctl_conn *c, struct ctl_id *id, struct host *host)
 		/* Enable all children */
 		SLIST_FOREACH(h, &host->children, child)
 			enable_host(c, id, h);
+
+		/* Enable hosts with same name on all tables */
+		if (host_byname)
+			TAILQ_FOREACH(t, env->sc_tables, entry)
+				TAILQ_FOREACH(h, &t->hosts, entry)
+					if (strcmp(h->conf.name,
+					    host->conf.name) == 0 &&
+					    h->conf.id != host->conf.id &&
+					    !h->conf.parentid)
+						enable_host(c, id, h);
 		pfe_sync();
 	}
 	return (0);

usr.sbin/relayd/pfe_filter.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfe_filter.c,v 1.65 2023/09/14 09:54:31 yasuoka Exp $	*/
+/*	$OpenBSD: pfe_filter.c,v 1.66 2024/06/17 08:02:57 sashan Exp $	*/
 
 /*
  * Copyright (c) 2006 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -377,6 +377,11 @@ sync_ruleset(struct relayd *env, struct rdr *rdr, int enable)
 		rio.rule.direction = PF_IN;
 		rio.rule.keep_state = PF_STATE_NORMAL;
 
+		if (rdr->conf.flags & F_PFLOG)
+			rio.rule.log = 1;
+		else
+			rio.rule.log = 0; /* allow change via reload */
+
 		switch (t->conf.fwdmode) {
 		case FWD_NORMAL:
 			/* traditional redirection */

usr.sbin/relayd/relayd.conf.5

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: relayd.conf.5,v 1.207 2023/10/29 11:27:11 kn Exp $
+.\"	$OpenBSD: relayd.conf.5,v 1.208 2024/06/17 08:02:57 sashan Exp $
 .\"
 .\" Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
 .\" Copyright (c) 2006, 2007 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: October 29 2023 $
+.Dd $Mdocdate: June 17 2024 $
 .Dt RELAYD.CONF 5
 .Os
 .Sh NAME
@@ -517,6 +517,7 @@ At least one entry for the main table is mandatory.
 .Op ip-proto
 .Ic port Ar port
 .Op Ic interface Ar name
+.Op Ic pflog
 .Xc
 Specify an
 .Ar address
@@ -540,6 +541,12 @@ or
 it defaults to
 .Cm tcp .
 The rule can be optionally restricted to a given interface name.
+The optional
+.Ic pflog
+keyword will add
+.Cm log
+to the rule. The logged packets are sent to
+.Xr pflog 4 .
 .It Xo
 .Op Ic match
 .Ic pftag Ar name

usr.sbin/relayd/relayd.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: relayd.h,v 1.272 2024/05/18 06:34:46 jsg Exp $	*/
+/*	$OpenBSD: relayd.h,v 1.273 2024/06/17 08:02:57 sashan Exp $	*/
 
 /*
  * Copyright (c) 2006 - 2016 Reyk Floeter <reyk@openbsd.org>
@@ -402,6 +402,7 @@ union hashkey {
 #define F_TLSINSPECT		0x04000000
 #define F_HASHKEY		0x08000000
 #define F_AGENTX_TRAPONLY	0x10000000
+#define F_PFLOG			0x20000000
 
 #define F_BITS								\
 	"\10\01DISABLE\02BACKUP\03USED\04DOWN\05ADD\06DEL\07CHANGED"	\

usr.sbin/rpki-client/crl.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: crl.c,v 1.41 2024/06/12 10:03:09 tb Exp $ */
+/*	$OpenBSD: crl.c,v 1.42 2024/06/17 18:52:50 tb Exp $ */
 /*
  * Copyright (c) 2024 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -296,6 +296,10 @@ crl_get(struct crl_tree *crlt, const struct auth *a)
 {
 	struct crl	find;
 
+	/* XXX - this should be removed, but filemode relies on it. */
+	if (a == NULL)
+		return NULL;
+
 	find.aki = a->cert->ski;
 	find.mftpath = a->cert->mft;
 

usr.sbin/rpki-client/filemode.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: filemode.c,v 1.46 2024/06/12 10:03:09 tb Exp $ */
+/*	$OpenBSD: filemode.c,v 1.47 2024/06/17 18:54:36 tb Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -227,7 +227,7 @@ parse_load_certchain(char *uri)
 		cert->talid = a->cert->talid;
 		a = auth_insert(uri, &auths, cert, a);
 		uripath_add(uri, cert);
-		stack[i] = NULL;
+		stack[i - 1] = NULL;
 	}
 
 	return a;

usr.sbin/rpki-client/validate.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: validate.c,v 1.75 2024/06/12 10:03:09 tb Exp $ */
+/*	$OpenBSD: validate.c,v 1.76 2024/06/17 18:52:50 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -304,6 +304,10 @@ build_chain(const struct auth *a, STACK_OF(X509) **intermediates,
 	*intermediates = NULL;
 	*root = NULL;
 
+	/* XXX - this should be removed, but filemode relies on it. */
+	if (a == NULL)
+		return;
+
 	if ((*intermediates = sk_X509_new_null()) == NULL)
 		err(1, "sk_X509_new_null");
 	if ((*root = sk_X509_new_null()) == NULL)