sync with OpenBSD -current

distrib/sets/lists/base/mi

@@ -2510,6 +2510,7 @@
 ./usr/libexec/ntalkd
 ./usr/libexec/radiusd
 ./usr/libexec/radiusd/radiusd_bsdauth
+./usr/libexec/radiusd/radiusd_ipcp
 ./usr/libexec/radiusd/radiusd_radius
 ./usr/libexec/radiusd/radiusd_standard
 ./usr/libexec/reorder_kernel

distrib/sets/lists/comp/mi

@@ -1927,6 +1927,7 @@
 ./usr/share/man/man3/EVP_PKEY_CTX_get_operation.3
 ./usr/share/man/man3/EVP_PKEY_CTX_new.3
 ./usr/share/man/man3/EVP_PKEY_CTX_set_hkdf_md.3
+./usr/share/man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3
 ./usr/share/man/man3/EVP_PKEY_add1_attr.3
 ./usr/share/man/man3/EVP_PKEY_asn1_get_count.3
 ./usr/share/man/man3/EVP_PKEY_asn1_new.3

distrib/sets/lists/man/mi

@@ -2615,6 +2615,7 @@
 ./usr/share/man/man8/radiusctl.8
 ./usr/share/man/man8/radiusd.8
 ./usr/share/man/man8/radiusd_bsdauth.8
+./usr/share/man/man8/radiusd_ipcp.8
 ./usr/share/man/man8/radiusd_radius.8
 ./usr/share/man/man8/radiusd_standard.8
 ./usr/share/man/man8/rarpd.8

lib/libc/stdlib/getenv.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: getenv.c,v 1.12 2016/03/13 18:34:21 guenther Exp $ */
+/*	$OpenBSD: getenv.c,v 1.13 2024/07/10 14:17:58 jca Exp $ */
 /*
  * Copyright (c) 1987, 1993
  *	The Regents of the University of California.  All rights reserved.
@@ -39,8 +39,6 @@
  *	Sets offset to be the offset of the name/value combination in the
  *	environmental array, for use by putenv(3), setenv(3) and unsetenv(3).
  *	Explicitly removes '=' in argument name.
- *
- *	This routine *should* be a static; don't use it.
  */
 char *
 __findenv(const char *name, int len, int *offset)

lib/libcrypto/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.199 2024/07/09 16:41:44 tb Exp $
+# $OpenBSD: Makefile,v 1.200 2024/07/10 13:30:14 beck Exp $
 
 LIB=	crypto
 LIBREBUILD=y
@@ -53,7 +53,6 @@ CFLAGS+= -I${LCRYPTO_SRC}/x509
 
 VERSION_SCRIPT=	Symbols.map
 SYMBOL_LIST=	${.CURDIR}/Symbols.list
-SYMBOL_NAMESPACE=	${.CURDIR}/Symbols.namespace
 
 .if (${MACHINE_CPU} == "amd64") || (${MACHINE_CPU} == "i386")
 SYMBOL_LIST+=	${.CURDIR}/arch/${MACHINE_CPU}/Symbols.list
@@ -746,9 +745,9 @@ includes: prereq
 	    echo $$j; \
 	    eval "$$j"; \
 	done;
-${VERSION_SCRIPT}: ${SYMBOL_LIST} ${SYMBOL_NAMESPACE}
+${VERSION_SCRIPT}: ${SYMBOL_LIST}
 	{ printf '{\n\tglobal:\n'; \
-	  sed '/^[._a-zA-Z]/s/$$/;/; s/^/		/' ${SYMBOL_NAMESPACE}; \
+	  sed '/^[._a-zA-Z]/s/$$/;/; s/^/		_libre_/' ${SYMBOL_LIST}; \
 	  sed '/^[._a-zA-Z]/s/$$/;/; s/^/		/' ${SYMBOL_LIST}; \
 	  printf '\n\tlocal:\n\t\t*;\n};\n'; } >$@.tmp && mv $@.tmp $@
 

lib/libcrypto/kdf/tls1_prf.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: tls1_prf.c,v 1.39 2024/07/09 17:58:36 tb Exp $ */
+/*	$OpenBSD: tls1_prf.c,v 1.40 2024/07/10 06:53:27 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
  * 2016.
@@ -146,8 +146,7 @@ pkey_tls1_prf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 }
 
 static int
-pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX *ctx,
+pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value)
-    const char *type, const char *value)
 {
 	if (value == NULL) {
 		KDFerror(KDF_R_VALUE_MISSING);
@@ -178,10 +177,8 @@ pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX *ctx,
 }
 
 static int
-tls1_prf_P_hash(const EVP_MD *md,
+tls1_prf_P_hash(const EVP_MD *md, const unsigned char *secret, size_t secret_len,
-    const unsigned char *secret, size_t secret_len,
+    const unsigned char *seed, size_t seed_len, unsigned char *out, size_t out_len)
-    const unsigned char *seed, size_t seed_len,
-    unsigned char *out, size_t out_len)
 {
 	int chunk;
 	EVP_MD_CTX *ctx = NULL, *ctx_tmp = NULL, *ctx_init = NULL;

lib/libcrypto/man/EVP_PKEY_CTX_set_hkdf_md.3

@@ -1,4 +1,4 @@
-.\" $OpenBSD: EVP_PKEY_CTX_set_hkdf_md.3,v 1.3 2023/09/13 13:46:52 schwarze Exp $
+.\" $OpenBSD: EVP_PKEY_CTX_set_hkdf_md.3,v 1.4 2024/07/10 07:57:37 tb Exp $
 .\" full merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
 .\"
 .\" This file was written by Alessandro Ghedini <alessandro@ghedini.me>,
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 13 2023 $
+.Dd $Mdocdate: July 10 2024 $
 .Dt EVP_PKEY_CTX_SET_HKDF_MD 3
 .Os
 .Sh NAME
@@ -60,6 +60,7 @@
 .Nm EVP_PKEY_CTX_hkdf_mode
 .Nd HMAC-based Extract-and-Expand key derivation algorithm
 .Sh SYNOPSIS
+.In openssl/evp.h
 .In openssl/kdf.h
 .Ft int
 .Fo EVP_PKEY_CTX_hkdf_mode

lib/libcrypto/man/EVP_PKEY_CTX_set_tls1_prf_md.3

@@ -0,0 +1,171 @@
+.\" $OpenBSD: EVP_PKEY_CTX_set_tls1_prf_md.3,v 1.2 2024/07/10 10:22:03 tb Exp $
+.\" full merge up to: OpenSSL 1cb7eff4 Sep 10 13:56:40 2019 +0100
+.\"
+.\" This file was written by Dr Stephen Henson <steve@openssl.org>,
+.\" Copyright (c) 2016 The OpenSSL Project.  All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in
+.\"    the documentation and/or other materials provided with the
+.\"    distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\"    software must display the following acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\"    endorse or promote products derived from this software without
+.\"    prior written permission. For written permission, please contact
+.\"    openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\"    nor may "OpenSSL" appear in their names without prior written
+.\"    permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\"    acknowledgment:
+.\"    "This product includes software developed by the OpenSSL Project
+.\"    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: July 10 2024 $
+.Dt EVP_PKEY_CTX_SET_TLS1_PRF_MD 3
+.Os
+.Sh NAME
+.Nm EVP_PKEY_CTX_set_tls1_prf_md ,
+.Nm EVP_PKEY_CTX_set1_tls1_prf_secret ,
+.Nm EVP_PKEY_CTX_add1_tls1_prf_seed
+.Nd TLS PRF key derivation algorithm
+.Sh SYNOPSIS
+.In openssl/evp.h
+.In openssl/kdf.h
+.Ft int
+.Fo EVP_PKEY_CTX_set_tls1_prf_md
+.Fa "EVP_PKEY_CTX *pctx"
+.Fa "const EVP_MD *md"
+.Fc
+.Ft int
+.Fo EVP_PKEY_CTX_set1_tls1_prf_secret
+.Fa "EVP_PKEY_CTX *pctx"
+.Fa "unsigned char *sec"
+.Fa "int seclen"
+.Fc
+.Ft int
+.Fo EVP_PKEY_CTX_add1_tls1_prf_seed
+.Fa "EVP_PKEY_CTX *pctx"
+.Fa "unsigned char *seed"
+.Fa "int seedlen"
+.Fc
+.Sh DESCRIPTION
+The
+.Dv EVP_PKEY_TLS1_PRF
+algorithm implements the PRF key derivation function for TLS.
+It has no associated private key and only implements key derivation using
+.Xr EVP_PKEY_derive 3 .
+.Pp
+.Fn EVP_PKEY_set_tls1_prf_md
+sets the message digest associated with the TLS PRF.
+.Xr EVP_md5_sha1 3
+is treated as a special case which uses the PRF algorithm using both
+MD5 and SHA1 as used in TLS 1.0 and 1.1.
+.Pp
+.Fn EVP_PKEY_CTX_set_tls1_prf_secret
+sets the secret value of the TLS PRF to
+.Fa seclen
+bytes of the buffer
+.Fa sec .
+Any existing secret value is replaced and any seed is reset.
+.Pp
+.Fn EVP_PKEY_CTX_add1_tls1_prf_seed
+sets the seed to
+.Fa seedlen
+bytes of
+.Fa seed .
+If a seed is already set it is appended to the existing value.
+.Sh STRING CTRLS
+The TLS PRF also supports string based control operations using
+.Xr EVP_PKEY_CTX_ctrl_str 3 .
+The
+.Fa type
+parameter "md" uses the supplied
+.Fa value
+as the name of the digest algorithm to use.
+The
+.Fa type
+parameters "secret" and "seed" use the supplied
+.Fa value
+parameter as a secret or seed value.
+The names "hexsecret" and "hexseed" are similar except they take a hex
+string which is converted to binary.
+.Sh NOTES
+All these functions are implemented as macros.
+.Pp
+A context for the TLS PRF can be obtained by calling:
+.Bd -literal
+ EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
+.Ed
+.Pp
+The digest, secret value and seed must be set before a key is derived or
+an error occurs.
+.Pp
+The total length of all seeds cannot exceed 1024 bytes in length: this
+should be more than enough for any normal use of the TLS PRF.
+.Pp
+The output length of the PRF is specified by the length parameter in the
+.Xr EVP_PKEY_derive 3
+function.
+Since the output length is variable, setting the buffer to
+.Dv NULL
+is not meaningful for the TLS PRF.
+.Sh RETURN VALUES
+All these functions return 1 for success and 0 or a negative value for
+failure.
+In particular a return value of -2 indicates the operation is not
+supported by the public key algorithm.
+.Sh EXAMPLES
+This example derives 10 bytes using SHA-256 with the secret key "secret"
+and seed value "seed":
+.Bd -literal
+ EVP_PKEY_CTX *pctx;
+ unsigned char out[10];
+ size_t outlen = sizeof(out);
+
+ pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
+ if (EVP_PKEY_derive_init(pctx) <= 0)
+     /* Error */
+ if (EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_sha256()) <= 0)
+     /* Error */
+ if (EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, "secret", 6) <= 0)
+     /* Error */
+ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, "seed", 4) <= 0)
+     /* Error */
+ if (EVP_PKEY_derive(pctx, out, &outlen) <= 0)
+     /* Error */
+.Ed
+.Sh SEE ALSO
+.Xr EVP_PKEY_CTX_ctrl_str 3 ,
+.Xr EVP_PKEY_CTX_new 3 ,
+.Xr EVP_PKEY_derive 3
+.Sh HISTORY
+These functions first appeared in OpenSSL 1.1.0 and have been available since
+.Ox 7.6 .

lib/libcrypto/man/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.287 2024/05/12 11:50:36 tb Exp $
+# $OpenBSD: Makefile,v 1.288 2024/07/10 08:51:28 tb Exp $
 
 .include <bsd.own.mk>
 
@@ -176,6 +176,7 @@ MAN=	\
 	EVP_PKEY_CTX_get_operation.3 \
 	EVP_PKEY_CTX_new.3 \
 	EVP_PKEY_CTX_set_hkdf_md.3 \
+	EVP_PKEY_CTX_set_tls1_prf_md.3 \
 	EVP_PKEY_add1_attr.3 \
 	EVP_PKEY_asn1_get_count.3 \
 	EVP_PKEY_asn1_new.3 \

lib/libssl/man/SSL_CTX_set_alpn_select_cb.3

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.9 2024/06/28 14:48:43 tb Exp $
+.\"	$OpenBSD: SSL_CTX_set_alpn_select_cb.3,v 1.10 2024/07/11 13:50:44 tb Exp $
 .\"	OpenSSL 87b81496 Apr 19 12:38:27 2017 -0400
 .\"	OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: June 28 2024 $
+.Dd $Mdocdate: July 11 2024 $
 .Dt SSL_CTX_SET_ALPN_SELECT_CB 3
 .Os
 .Sh NAME
@@ -85,10 +85,10 @@
 .Fo SSL_select_next_proto
 .Fa "unsigned char **out"
 .Fa "unsigned char *outlen"
-.Fa "const unsigned char *server"
+.Fa "const unsigned char *peer_list"
-.Fa "unsigned int server_len"
+.Fa "unsigned int peer_list_len"
-.Fa "const unsigned char *client"
+.Fa "const unsigned char *supported_list"
-.Fa "unsigned int client_len"
+.Fa "unsigned int supported_list_len"
 .Fc
 .Ft void
 .Fo SSL_get0_alpn_selected
@@ -149,7 +149,6 @@ parameter is the pointer set via
 .Pp
 .Fn SSL_select_next_proto
 is a helper function used to select protocols.
-It implements the standard protocol selection.
 It is expected that this function is called from the application
 callback
 .Fa cb .
@@ -163,32 +162,30 @@ should ignore
 and fail by returning
 .Dv SSL_TLSEXT_ERR_ALERT_FATAL .
 The protocol data in
-.Fa server ,
+.Fa peer_list ,
-.Fa server_len
+.Fa peer_list_len
 and
-.Fa client ,
+.Fa supported_list ,
-.Fa client_len
+.Fa supported_list_len
-must be in the protocol-list format described below.
+must be two non-empty lists, validly encoded
+in the protocol-list format described below.
 The first item in the
-.Fa server ,
+.Fa peer_list
-.Fa server_len
+that matches an item in the
-list that matches an item in the
+.Fa supported_list
-.Fa client ,
+is selected, and returned in
-.Fa client_len
-list is selected, and returned in
 .Fa out ,
 .Fa outlen .
 The
 .Fa out
 value will point into either
-.Fa server
+.Fa peer_list
 or
-.Fa client ,
+.Fa supported_list ,
 so it must not be modified and
 should be copied immediately.
 If no match is found, the first item in
-.Fa client ,
+.Fa supported_list
-.Fa client_len
 is returned in
 .Fa out ,
 .Fa outlen .
@@ -213,17 +210,13 @@ of non-empty, 8-bit length-prefixed byte strings.
 The length-prefix byte is not included in the length.
 Each string is limited to 255 bytes.
 A byte-string length of 0 is invalid.
-A truncated byte-string is invalid.
 The length of the vector is not in the vector itself, but in a separate
 variable.
 .Pp
 For example:
 .Bd -literal
-unsigned char vector[] = {
+const unsigned char *vector = "\e6" "spdy/1" "\e8" "http/1.1";
-	6, 's', 'p', 'd', 'y', '/', '1',
+unsigned int length = strlen(vector);
-	8, 'h', 't', 't', 'p', '/', '1', '.', '1'
-};
-unsigned int length = sizeof(vector);
 .Ed
 .Pp
 The ALPN callback is executed after the servername callback; as that
@@ -249,8 +242,8 @@ A match was found and is returned in
 .It OPENSSL_NPN_NO_OVERLAP
 No match was found.
 The first item in
-.Fa client ,
+.Fa supported_list ,
-.Fa client_len
+.Fa supported_list_len
 is returned in
 .Fa out ,
 .Fa outlen .
@@ -273,6 +266,16 @@ configured for this connection.
 .Xr ssl 3 ,
 .Xr SSL_CTX_set_tlsext_servername_arg 3 ,
 .Xr SSL_CTX_set_tlsext_servername_callback 3
+.Sh STANDARDS
+.Rs
+.%T TLS Application-Layer Protocol Negotiation Extension
+.%R RFC 7301
+.Re
+.Pp
+.Rs
+.%T TLS Next Protocol Negotiation Extension
+.%U https://datatracker.ietf.org/doc/html/draft-agl-tls-nextprotoneg
+.Re
 .Sh HISTORY
 .Fn SSL_select_next_proto
 first appeared in OpenSSL 1.0.1 and has been available since
@@ -285,3 +288,18 @@ and
 .Fn SSL_get0_alpn_selected
 first appeared in OpenSSL 1.0.2 and have been available since
 .Ox 5.7 .
+.Sh CAVEATS
+The fallback to the first supported protocol in
+.Fn SSL_select_next_proto
+comes from the opportunistic fallback mechanism in the NPN extension.
+This behavior does not make sense for ALPN,
+where missing protocol overlap should result in a handshake failure.
+To avoid accidental selection of a protocol that the server does not
+support, it is recommended to pass the locally configured protocols
+as second pair of protocols in the ALPN callback.
+.Sh BUGS
+The
+.Fa out
+argument of
+.Fn SSL_select_next_proto
+should have been const.

lib/libssl/ssl_lib.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.325 2024/06/29 07:34:12 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.326 2024/07/11 13:48:52 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1791,56 +1791,58 @@ LSSL_ALIAS(SSL_get_servername_type);
  */
 int
 SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
-    const unsigned char *server_list, unsigned int server_list_len,
+    const unsigned char *peer_list, unsigned int peer_list_len,
-    const unsigned char *client_list, unsigned int client_list_len)
+    const unsigned char *supported_list, unsigned int supported_list_len)
 {
-	CBS client, client_proto, server, server_proto;
+	CBS peer, peer_proto, supported, supported_proto;
 
 	*out = NULL;
 	*outlen = 0;
 
-	/* First check that the client list is well-formed. */
+	/* First check that the supported list is well-formed. */
-	CBS_init(&client, client_list, client_list_len);
+	CBS_init(&supported, supported_list, supported_list_len);
-	if (!tlsext_alpn_check_format(&client))
+	if (!tlsext_alpn_check_format(&supported))
 		goto err;
 
 	/*
-	 * Use first client protocol as fallback. This is one way of doing NPN's
+	 * Use first supported protocol as fallback. This is one way of doing
-	 * "opportunistic" protocol selection (see security considerations in
+	 * NPN's "opportunistic" protocol selection (see security considerations
-	 * draft-agl-tls-nextprotoneg-04), and it is the documented behavior of
+	 * in draft-agl-tls-nextprotoneg-04), and it is the documented behavior
-	 * this API. For ALPN it's the callback's responsibility to fail on
+	 * of this API. For ALPN it's the callback's responsibility to fail on
 	 * OPENSSL_NPN_NO_OVERLAP.
 	 */
 
-	if (!CBS_get_u8_length_prefixed(&client, &client_proto))
+	if (!CBS_get_u8_length_prefixed(&supported, &supported_proto))
 		goto err;
 
-	*out = (unsigned char *)CBS_data(&client_proto);
+	*out = (unsigned char *)CBS_data(&supported_proto);
-	*outlen = CBS_len(&client_proto);
+	*outlen = CBS_len(&supported_proto);
 
-	/* Now check that the server list is well-formed. */
+	/* Now check that the peer list is well-formed. */
-	CBS_init(&server, server_list, server_list_len);
+	CBS_init(&peer, peer_list, peer_list_len);
-	if (!tlsext_alpn_check_format(&server))
+	if (!tlsext_alpn_check_format(&peer))
 		goto err;
 
 	/*
-	 * Walk the server list and select the first protocol that appears in
+	 * Walk the peer list and select the first protocol that appears in
-	 * the client list.
+	 * the supported list. Thus we honor peer preference rather than local
+	 * preference contrary to a SHOULD in RFC 7301, section 3.2.
 	 */
-	while (CBS_len(&server) > 0) {
+	while (CBS_len(&peer) > 0) {
-		if (!CBS_get_u8_length_prefixed(&server, &server_proto))
+		if (!CBS_get_u8_length_prefixed(&peer, &peer_proto))
 			goto err;
 
-		CBS_init(&client, client_list, client_list_len);
+		CBS_init(&supported, supported_list, supported_list_len);
 
-		while (CBS_len(&client) > 0) {
+		while (CBS_len(&supported) > 0) {
-			if (!CBS_get_u8_length_prefixed(&client, &client_proto))
+			if (!CBS_get_u8_length_prefixed(&supported,
+			    &supported_proto))
 				goto err;
 
-			if (CBS_mem_equal(&client_proto,
+			if (CBS_mem_equal(&supported_proto,
-			    CBS_data(&server_proto), CBS_len(&server_proto))) {
+			    CBS_data(&peer_proto), CBS_len(&peer_proto))) {
-				*out = (unsigned char *)CBS_data(&server_proto);
+				*out = (unsigned char *)CBS_data(&peer_proto);
-				*outlen = CBS_len(&server_proto);
+				*outlen = CBS_len(&peer_proto);
 
 				return OPENSSL_NPN_NEGOTIATED;
 			}

libexec/snmpd/snmpd_metrics/pf.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf.c,v 1.1.1.1 2022/09/01 14:20:33 martijn Exp $	*/
+/*	$OpenBSD: pf.c,v 1.2 2024/07/10 20:33:31 martijn Exp $	*/
 
 /*
  * Copyright (c) 2012 Joel Knight <joel@openbsd.org>
@@ -210,11 +210,11 @@ pfi_get(struct pfr_buffer *b, const char *filter)
 	bzero(b, sizeof(struct pfr_buffer));
 	b->pfrb_type = PFRB_IFACES;
 	for (;;) {
-		pfr_buf_grow(b, b->pfrb_size);
+		pfr_buf_grow(b, 0);
 		b->pfrb_size = b->pfrb_msize;
 		if (pfi_get_ifaces(filter, b->pfrb_caddr, &(b->pfrb_size)))
 			return (1);
-		if (b->pfrb_size <= b->pfrb_msize)
+		if (b->pfrb_size < b->pfrb_msize)
 			break;
 	}
 

regress/lib/libcrypto/symbols/Makefile

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.4 2023/06/22 19:23:27 tb Exp $
+#	$OpenBSD: Makefile,v 1.5 2024/07/10 13:11:22 tb Exp $
 
 TESTS = \
 	symbols
@@ -22,7 +22,7 @@ LDADD=		-lcrypto
 DPADD=		${LIBCRYPTO}
 LDFLAGS+=	-lcrypto
 LDFLAGS+=	-Wl,--no-allow-shlib-undefined
-CFLAGS+=	-Wno-deprecated-declarations
+CFLAGS+=	-Wno-deprecated-declarations -DUSE_LIBRESSL_NAMESPACE
 
 CLEANFILES+= include_headers.c symbols.c symbols.c.tmp
 

regress/lib/libcrypto/symbols/symbols.awk

@@ -1,4 +1,4 @@
-# $OpenBSD: symbols.awk,v 1.11 2024/04/15 16:49:13 tb Exp $
+# $OpenBSD: symbols.awk,v 1.12 2024/07/10 13:11:22 tb Exp $
 
 # Copyright (c) 2018,2020 Theo Buehler <tb@openbsd.org>
 #
@@ -32,6 +32,8 @@ BEGIN {
 
 	# Undefine aliases, so we don't accidentally leave them in Symbols.list.
 	printf("#ifdef %s\n#undef %s\n#endif\n", $0, $0)
+
+	printf("static typeof(%s) *_libre_%s;\n", $0, $0);
 }
 
 END {
@@ -41,12 +43,16 @@ END {
 	printf("\tstruct {\n")
 	printf("\t\tconst char *const name;\n")
 	printf("\t\tconst void *addr;\n")
+	printf("\t\tconst void *libre_addr;\n")
 	printf("\t} symbols[] = {\n")
 
 	for (symbol in symbols) {
 		printf("\t\t{\n")
 		printf("\t\t\t.name = \"%s\",\n", symbol)
 		printf("\t\t\t.addr = &%s,\n", symbol)
+		printf("#if defined(USE_LIBRESSL_NAMESPACE)\n")
+		printf("\t\t\t.libre_addr = &_libre_%s,\n", symbol)
+		printf("#endif\n")
 		printf("\t\t},\n")
 	}
 

regress/lib/libssl/unit/ssl_set_alpn_protos.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl_set_alpn_protos.c,v 1.3 2024/06/28 14:50:37 tb Exp $ */
+/*	$OpenBSD: ssl_set_alpn_protos.c,v 1.4 2024/07/11 13:51:47 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  *
@@ -202,162 +202,138 @@ test_ssl_set_alpn_protos_edge_cases(void)
 }
 
 static const struct select_next_proto_test {
-	const unsigned char *server_list;
+	const unsigned char *peer_list;
-	size_t server_list_len;
+	size_t peer_list_len;
-	const unsigned char *client_list;
+	const unsigned char *supported_list;
-	size_t client_list_len;
+	size_t supported_list_len;
 	int want_ret;
 	const unsigned char *want_out;
 	unsigned char want_out_len; /* yes, unsigned char */
 } select_next_proto_tests[] = {
 	{
-		.server_list = "\x01" "a" "\x01" "b" "\x01" "c",
+		.peer_list = "\x01" "a" "\x01" "b" "\x01" "c",
-		.server_list_len = 6,
+		.peer_list_len = 6,
-		.client_list = "\x01" "a",
+		.supported_list = "\x01" "a",
-		.client_list_len = 2,
+		.supported_list_len = 2,
 		.want_ret = OPENSSL_NPN_NEGOTIATED,
 		.want_out = "a",
 		.want_out_len = 1,
 	},
 	{
-		.server_list = "\x01" "a" "\x01" "b" "\x01" "c",
+		.peer_list = "\x01" "a" "\x01" "b" "\x01" "c",
-		.server_list_len = 6,
+		.peer_list_len = 6,
-		.client_list = "\x02" "aa" "\x01" "b" "\x01" "c",
+		.supported_list = "\x02" "aa" "\x01" "b" "\x01" "c",
-		.client_list_len = 7,
+		.supported_list_len = 7,
 		.want_ret = OPENSSL_NPN_NEGOTIATED,
 		.want_out = "b",
 		.want_out_len = 1,
 	},
 	{
-		/* Use server preference. */
+		/* Use peer preference. */
-		.server_list = "\x01" "a" "\x01" "b" "\x01" "c",
+		.peer_list = "\x01" "a" "\x01" "b" "\x01" "c",
-		.server_list_len = 6,
+		.peer_list_len = 6,
-		.client_list = "\x01" "c" "\x01" "b" "\x01" "a",
+		.supported_list = "\x01" "c" "\x01" "b" "\x01" "a",
-		.client_list_len = 6,
+		.supported_list_len = 6,
 		.want_ret = OPENSSL_NPN_NEGOTIATED,
 		.want_out = "a",
 		.want_out_len = 1,
 	},
 	{
-		/* Again server preference wins. */
+		/* Again peer preference wins. */
-		.server_list = "\x01" "a" "\x03" "bbb" "\x02" "cc",
+		.peer_list = "\x01" "a" "\x03" "bbb" "\x02" "cc",
-		.server_list_len = 9,
+		.peer_list_len = 9,
-		.client_list = "\x01" "z" "\x02" "cc" "\x03" "bbb",
+		.supported_list = "\x01" "z" "\x02" "cc" "\x03" "bbb",
-		.client_list_len = 9,
+		.supported_list_len = 9,
 		.want_ret = OPENSSL_NPN_NEGOTIATED,
 		.want_out = "bbb",
 		.want_out_len = 3,
 	},
 	{
-		/* No overlap fails with first client protocol. */
+		/* No overlap fails with first supported protocol. */
-		.server_list = "\x01" "a" "\x01" "b" "\x01" "c",
+		.peer_list = "\x01" "a" "\x01" "b" "\x01" "c",
-		.server_list_len = 6,
+		.peer_list_len = 6,
-		.client_list = "\x01" "z" "\x01" "y",
+		.supported_list = "\x01" "z" "\x01" "y",
-		.client_list_len = 4,
+		.supported_list_len = 4,
 		.want_ret = OPENSSL_NPN_NO_OVERLAP,
 		.want_out = "z",
 		.want_out_len = 1,
 	},
 	{
-		/*
+		/* No peer protocols fails cleanly. */
-		 * No server protocols is a misconfiguration, but should fail
+		.peer_list = "",
-		 * cleanly.
+		.peer_list_len = 0,
-		 */
+		.supported_list = "\x01" "a" "\x01" "b" "\x01" "c",
-		.server_list = "",
+		.supported_list_len = 6,
-		.server_list_len = 0,
-		.client_list = "\x01" "a" "\x01" "b" "\x01" "c",
-		.client_list_len = 6,
 		.want_out = "a",
 		.want_out_len = 1,
 		.want_ret = OPENSSL_NPN_NO_OVERLAP,
 	},
 	{
-		/*
+		/* NULL peer protocols fails cleanly. */
-		 * NULL server protocols is a programming error that fails
+		.peer_list = NULL,
-		 * cleanly.
+		.peer_list_len = 0,
-		 */
+		.supported_list = "\x01" "a" "\x01" "b" "\x01" "c",
-		.server_list = NULL,
+		.supported_list_len = 6,
-		.server_list_len = 0,
-		.client_list = "\x01" "a" "\x01" "b" "\x01" "c",
-		.client_list_len = 6,
 		.want_out = "a",
 		.want_out_len = 1,
 		.want_ret = OPENSSL_NPN_NO_OVERLAP,
 	},
 	{
-		/*
+		/* Malformed peer protocols fails cleanly. */
-		 * Malformed server protocols is a misconfiguration, but it
+		.peer_list = "\x00",
-		 * should fail cleanly.
+		.peer_list_len = 1,
-		 */
+		.supported_list = "\x01" "a" "\x01" "b" "\x01" "c",
-		.server_list = "\x00",
+		.supported_list_len = 6,
-		.server_list_len = 1,
-		.client_list = "\x01" "a" "\x01" "b" "\x01" "c",
-		.client_list_len = 6,
 		.want_out = "a",
 		.want_out_len = 1,
 		.want_ret = OPENSSL_NPN_NO_OVERLAP,
 	},
 	{
-		/*
+		/* Malformed peer protocols fails cleanly. */
-		 * Malformed server protocols is a misconfiguration, but it
+		.peer_list = "\x01" "a" "\x03" "bb",
-		 * should fail cleanly.
+		.peer_list_len = 5,
-		 */
+		.supported_list = "\x01" "a" "\x01" "b" "\x01" "c",
-		.server_list = "\x01" "a" "\x03" "bb",
+		.supported_list_len = 6,
-		.server_list_len = 5,
-		.client_list = "\x01" "a" "\x01" "b" "\x01" "c",
-		.client_list_len = 6,
 		.want_out = "a",
 		.want_out_len = 1,
 		.want_ret = OPENSSL_NPN_NO_OVERLAP,
 	},
 	{
-		/*
+		/* Empty supported list fails cleanly. */
-		 * Empty client protocols is not reachable from the ALPN
+		.peer_list = "\x01" "a",
-		 * callback. It fails cleanly with NULL protocol and 0 length.
+		.peer_list_len = 2,
-		 */
+		.supported_list = "",
-		.server_list = "\x01" "a",
+		.supported_list_len = 0,
-		.server_list_len = 2,
-		.client_list = "",
-		.client_list_len = 0,
 		.want_out = NULL,
 		.want_out_len = 0,
 		.want_ret = OPENSSL_NPN_NO_OVERLAP,
 	},
 	{
-		/*
+		/* NULL supported list fails cleanly. */
-		 * NULL client protocols is not reachable from the ALPN
+		.peer_list = "\x01" "a",
-		 * callback. It fails cleanly with NULL protocol and 0 length.
+		.peer_list_len = 2,
-		 */
+		.supported_list = NULL,
-		.server_list = "\x01" "a",
+		.supported_list_len = 0,
-		.server_list_len = 2,
-		.client_list = NULL,
-		.client_list_len = 0,
 		.want_out = NULL,
 		.want_out_len = 0,
 		.want_ret = OPENSSL_NPN_NO_OVERLAP,
 	},
 	{
-		/*
+		/* Malformed supported list fails cleanly. */
-		 * Malformed client list fails cleanly with NULL protocol and
+		.peer_list = "\x01" "a",
-		 * 0 length.
+		.peer_list_len = 2,
-		 */
+		.supported_list = "\x01" "a" "\x02" "bb" "\x03" "cc" "\x04" "ddd",
-		.server_list = "\x01" "a",
+		.supported_list_len = 12,
-		.server_list_len = 2,
-		.client_list = "\x01" "a" "\x02" "bb" "\x03" "cc" "\x04" "ddd",
-		.client_list_len = 12,
 		.want_out = NULL,
 		.want_out_len = 0,
 		.want_ret = OPENSSL_NPN_NO_OVERLAP,
 	},
 	{
-		/*
+		/* Malformed client list fails cleanly. */
-		 * Malformed client list fails cleanly with NULL protocol and
+		.peer_list = "\x01" "a",
-		 * 0 length.
+		.peer_list_len = 2,
-		 */
+		.supported_list = "\x01" "a" "\x02" "bb" "\x00" "\x03" "ddd",
-		.server_list = "\x01" "a",
+		.supported_list_len = 10,
-		.server_list_len = 2,
-		.client_list = "\x01" "a" "\x02" "bb" "\x00" "\x03" "ddd",
-		.client_list_len = 10,
 		.want_out = NULL,
 		.want_out_len = 0,
 		.want_ret = OPENSSL_NPN_NO_OVERLAP,
@@ -368,58 +344,58 @@ static const struct select_next_proto_test {
 	 */
 
 	{
-		.server_list = "\x08" "http/1.1" "\x06" "spdy/1",
+		.peer_list = "\x08" "http/1.1" "\x06" "spdy/1",
-		.server_list_len = 16,
+		.peer_list_len = 16,
-		.client_list = "\x08" "http/2.0" "\x08" "http/1.1",
+		.supported_list = "\x08" "http/2.0" "\x08" "http/1.1",
-		.client_list_len = 18,
+		.supported_list_len = 18,
 		.want_out = "http/1.1",
 		.want_out_len = 8,
 		.want_ret = OPENSSL_NPN_NEGOTIATED,
 	},
 	{
-		.server_list = "\x08" "http/2.0" "\x06" "spdy/1",
+		.peer_list = "\x08" "http/2.0" "\x06" "spdy/1",
-		.server_list_len = 16,
+		.peer_list_len = 16,
-		.client_list = "\x08" "http/1.0" "\x08" "http/1.1",
+		.supported_list = "\x08" "http/1.0" "\x08" "http/1.1",
-		.client_list_len = 18,
+		.supported_list_len = 18,
 		.want_out = "http/1.0",
 		.want_out_len = 8,
 		.want_ret = OPENSSL_NPN_NO_OVERLAP,
 	},
 	{
-		.server_list = "\x08" "http/1.1" "\x08" "http/1.0",
+		.peer_list = "\x08" "http/1.1" "\x08" "http/1.0",
-		.server_list_len = 18,
+		.peer_list_len = 18,
-		.client_list = "\x08" "http/1.0" "\x08" "http/1.1",
+		.supported_list = "\x08" "http/1.0" "\x08" "http/1.1",
-		.client_list_len = 18,
+		.supported_list_len = 18,
 		.want_out = "http/1.1",
 		.want_out_len = 8,
 		.want_ret = OPENSSL_NPN_NEGOTIATED,
 	},
 	{
-		/* Server malformed. */
+		/* Peer list malformed. */
-		.server_list = "\x08" "http/1.1" "\x07" "http/1.0",
+		.peer_list = "\x08" "http/1.1" "\x07" "http/1.0",
-		.server_list_len = 18,
+		.peer_list_len = 18,
-		.client_list = "\x08" "http/1.0" "\x08" "http/1.1",
+		.supported_list = "\x08" "http/1.0" "\x08" "http/1.1",
-		.client_list_len = 18,
+		.supported_list_len = 18,
 		.want_out = "http/1.0",
 		.want_out_len = 8,
 		.want_ret = OPENSSL_NPN_NO_OVERLAP,
 	},
 	{
-		/* Server malformed. */
+		/* Peer list malformed. */
-		.server_list = "\x07" "http/1.1" "\x08" "http/1.0",
+		.peer_list = "\x07" "http/1.1" "\x08" "http/1.0",
-		.server_list_len = 18,
+		.peer_list_len = 18,
-		.client_list = "\x08" "http/1.0" "\x08" "http/1.1",
+		.supported_list = "\x08" "http/1.0" "\x08" "http/1.1",
-		.client_list_len = 18,
+		.supported_list_len = 18,
 		.want_out = "http/1.0",
 		.want_out_len = 8,
 		.want_ret = OPENSSL_NPN_NO_OVERLAP,
 	},
 	{
-		/* Client has trailing bytes. */
+		/* Supported list has trailing bytes. */
-		.server_list = "\x08" "http/1.1" "\x08" "http/1.0",
+		.peer_list = "\x08" "http/1.1" "\x08" "http/1.0",
-		.server_list_len = 18,
+		.peer_list_len = 18,
-		.client_list = "\x08" "http/1.0" "\x07" "http/1.1",
+		.supported_list = "\x08" "http/1.0" "\x07" "http/1.1",
-		.client_list_len = 18,
+		.supported_list_len = 18,
 		.want_out = NULL,
 		.want_out_len = 0,
 		.want_ret = OPENSSL_NPN_NO_OVERLAP,
@@ -437,8 +413,8 @@ select_next_proto_testcase(const struct select_next_proto_test *test)
 	int ret;
 	int failed = 0;
 
-	ret = SSL_select_next_proto(&out, &out_len, test->server_list,
+	ret = SSL_select_next_proto(&out, &out_len, test->peer_list,
-	    test->server_list_len, test->client_list, test->client_list_len);
+	    test->peer_list_len, test->supported_list, test->supported_list_len);
 
 	if (ret != test->want_ret || out_len != test->want_out_len ||
 	    (out == NULL && test->want_out != NULL) ||
@@ -452,9 +428,9 @@ select_next_proto_testcase(const struct select_next_proto_test *test)
 		fprintf(stderr, "\nwant:\n");
 		hexdump(test->want_out, test->want_out_len);
 		fprintf(stderr, "\nserver:\n");
-		hexdump(test->server_list, test->server_list_len);
+		hexdump(test->peer_list, test->peer_list_len);
 		fprintf(stderr, "\nclient:\n");
-		hexdump(test->client_list, test->client_list_len);
+		hexdump(test->supported_list, test->supported_list_len);
 		fprintf(stderr, "\n");
 		failed = 1;
 	}

regress/usr.bin/diff/t8.2

@@ -1,4 +1,4 @@
-/*	$OpenBSD: t8.2,v 1.1 2003/07/17 21:04:04 otto Exp $	*/
+/*	$OpenBSD: t8.2,v 1.2 2024/07/10 09:20:33 krw Exp $	*/
 /*	$NetBSD: kern_malloc.c,v 1.15.4.2 1996/06/13 17:10:56 cgd Exp $	*/
 
 /*
@@ -76,7 +76,7 @@ struct kmemusage *kmemusage;
 char *kmembase, *kmemlimit;
 char buckstring[16 * sizeof("123456,")];
 int buckstring_init = 0;
-#if defined(KMEMSTATS) || defined(DIAGNOSTIC) || defined(FFS_SOFTUPDATES)
+#if defined(KMEMSTATS) || defined(DIAGNOSTIC)
 char *memname[] = INITKMEMNAMES;
 char *memall = NULL;
 extern struct lock sysctl_kmemlock;
@@ -561,7 +561,7 @@ sysctl_malloc(name, namelen, oldp, oldlenp, newp, newlen, p)
 		return (EOPNOTSUPP);
 #endif
 	case KERN_MALLOC_KMEMNAMES:
-#if defined(KMEMSTATS) || defined(DIAGNOSTIC) || defined(FFS_SOFTUPDATES)
+#if defined(KMEMSTATS) || defined(DIAGNOSTIC)
 		if (memall == NULL) {
 			int totlen;
 

regress/usr.bin/diff/t9.2

@@ -1,4 +1,4 @@
-/*	$OpenBSD: t9.2,v 1.2 2013/12/01 16:40:56 krw Exp $	*/
+/*	$OpenBSD: t9.2,v 1.4 2024/07/10 09:24:03 krw Exp $	*/
 /*	$NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $	*/
 
 /*
@@ -591,10 +591,6 @@ sys_statfs(p, v, retval)
 	if ((error = VFS_STATFS(mp, sp, p)) != 0)
 		return (error);
 	sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
-#if notyet
-	if (mp->mnt_flag & MNT_SOFTDEP)
-		sp->f_eflags = STATFS_SOFTUPD;
-#endif
 	/* Don't let non-root see filesystem id (for NFS security) */
 	if (suser(p->p_ucred, &p->p_acflag)) {
 		bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb));
@@ -633,10 +629,6 @@ sys_fstatfs(p, v, retval)
 	if (error)
 		return (error);
 	sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
-#if notyet
-	if (mp->mnt_flag & MNT_SOFTDEP)
-		sp->f_eflags = STATFS_SOFTUPD;
-#endif
 	/* Don't let non-root see filesystem id (for NFS security) */
 	if (suser(p->p_ucred, &p->p_acflag)) {
 		bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb));
@@ -689,10 +681,6 @@ sys_getfsstat(p, v, retval)
 			}
 
 			sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
-#if notyet
-			if (mp->mnt_flag & MNT_SOFTDEP)
-				sp->f_eflags = STATFS_SOFTUPD;
-#endif
 			if (suser(p->p_ucred, &p->p_acflag)) {
 				bcopy((caddr_t)sp, (caddr_t)&sb, sizeof(sb));
 				sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
@@ -2292,10 +2280,6 @@ sys_fsync(p, v, retval)
 	vp = (struct vnode *)fp->f_data;
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY, p);
 	error = VOP_FSYNC(vp, fp->f_cred, MNT_WAIT, p);
-#ifdef FFS_SOFTUPDATES
-	if (error == 0 && vp->v_mount && (vp->v_mount->mnt_flag & MNT_SOFTDEP))
-		error = softdep_fsync(vp);
-#endif
 
 	VOP_UNLOCK(vp, 0, p);
 	FRELE(fp);

sbin/dhcp6leased/dhcp6leased.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: dhcp6leased.c,v 1.11 2024/06/05 16:15:47 florian Exp $	*/
+/*	$OpenBSD: dhcp6leased.c,v 1.12 2024/07/11 10:38:57 florian Exp $	*/
 
 /*
  * Copyright (c) 2017, 2021, 2024 Florian Obser <florian@openbsd.org>
@@ -913,6 +913,9 @@ write_lease_file(struct imsg_lease_info *imsg_lease_info)
 	rem = sizeof(lease_buf);
 
 	for (i = 0; i < iface_conf->ia_count; i++) {
+		if (imsg_lease_info->pds[i].prefix_len == 0)
+			continue;
+
 		len = snprintf(p, rem, "%s%d %s %d\n", LEASE_IA_PD_PREFIX,
 		    i, inet_ntop(AF_INET6, &imsg_lease_info->pds[i].prefix,
 		    ntopbuf, INET6_ADDRSTRLEN),

sbin/dhcp6leased/dhcp6leased.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: dhcp6leased.h,v 1.8 2024/06/06 15:15:44 florian Exp $	*/
+/*	$OpenBSD: dhcp6leased.h,v 1.9 2024/07/10 12:44:46 florian Exp $	*/
 
 /*
  * Copyright (c) 2017, 2021 Florian Obser <florian@openbsd.org>
@@ -260,7 +260,7 @@ void			 merge_config(struct dhcp6leased_conf *, struct
 const char		*sin6_to_str(struct sockaddr_in6 *);
 
 /* engine.c */
-const char		*dhcp_message_type2str(uint8_t);
+const char		*dhcp_message_type2str(int);
 
 /* frontend.c */
 struct iface_conf	*find_iface_conf(struct iface_conf_head *, char *);

sbin/dhcp6leased/engine.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: engine.c,v 1.17 2024/07/09 16:24:57 florian Exp $	*/
+/*	$OpenBSD: engine.c,v 1.24 2024/07/11 10:48:51 florian Exp $	*/
 
 /*
  * Copyright (c) 2017, 2021, 2024 Florian Obser <florian@openbsd.org>
@@ -127,7 +127,7 @@ struct dhcp6leased_iface	*get_dhcp6leased_iface_by_id(uint32_t);
 void			 remove_dhcp6leased_iface(uint32_t);
 void			 parse_dhcp(struct dhcp6leased_iface *,
 			     struct imsg_dhcp *);
-void			 parse_ia_pd_options(uint8_t *, size_t, struct prefix *);
+int			 parse_ia_pd_options(uint8_t *, size_t, struct prefix *);
 void			 state_transition(struct dhcp6leased_iface *, enum
 			     if_state);
 void			 iface_timeout(int, short, void *);
@@ -139,10 +139,9 @@ int			 prefixcmp(struct prefix *, struct prefix *, int);
 void			 send_reconfigure_interface(struct iface_pd_conf *,
 			     struct prefix *, enum reconfigure_action);
 int			 engine_imsg_compose_main(int, pid_t, void *, uint16_t);
-const char		*dhcp_message_type2str(uint8_t);
+const char		*dhcp_option_type2str(int);
-const char		*dhcp_option_type2str(uint16_t);
 const char		*dhcp_duid2str(int, uint8_t *);
-const char		*dhcp_status2str(uint8_t);
+const char		*dhcp_status2str(int);
 void			 in6_prefixlen2mask(struct in6_addr *, int len);
 
 struct dhcp6leased_conf	*engine_conf;
@@ -813,11 +812,19 @@ parse_dhcp(struct dhcp6leased_iface *iface, struct imsg_dhcp *dhcp)
 			log_debug("%s: IA_PD, IAID: %08x, T1: %u, T2: %u",
 			    __func__, ntohl(iapd.iaid), ntohl(iapd.t1),
 			    ntohl(iapd.t2));
-			if (ntohl(iapd.iaid) < iface_conf->ia_count)
+			if (ntohl(iapd.iaid) < iface_conf->ia_count) {
-				parse_ia_pd_options(p +
+				int status_code;
+				status_code = parse_ia_pd_options(p +
 				    sizeof(struct dhcp_iapd), opt_hdr.len -
 				    sizeof(struct dhcp_iapd),
 				    &iface->new_pds[ntohl(iapd.iaid)]);
+
+				if (status_code != DHCP_STATUS_SUCCESS &&
+				    iface->state == IF_RENEWING) {
+					state_transition(iface, IF_REBINDING);
+					goto out;
+				}
+			}
 			break;
 		case DHO_RAPID_COMMIT:
 			if (opt_hdr.len != 0) {
@@ -933,14 +940,14 @@ parse_dhcp(struct dhcp6leased_iface *iface, struct imsg_dhcp *dhcp)
 	return;
 }
 
-void
+int
 parse_ia_pd_options(uint8_t *p, size_t len, struct prefix *prefix)
 {
 	struct dhcp_option_hdr	 opt_hdr;
 	struct dhcp_iaprefix	 iaprefix;
 	struct in6_addr		 mask;
 	int			 i;
-	uint16_t		 status_code;
+	uint16_t		 status_code = DHCP_STATUS_SUCCESS;
 	char			 ntopbuf[INET6_ADDRSTRLEN], *visbuf;
 
 	while (len >= sizeof(struct dhcp_option_hdr)) {
@@ -954,7 +961,7 @@ parse_ia_pd_options(uint8_t *p, size_t len, struct prefix *prefix)
 			    dhcp_option_type2str(opt_hdr.code), opt_hdr.len);
 		if (len < opt_hdr.len) {
 			log_warnx("%s: malformed packet, ignoring", __func__);
-			return;
+			return DHCP_STATUS_UNSPECFAIL;
 		}
 
 		switch (opt_hdr.code) {
@@ -962,7 +969,7 @@ parse_ia_pd_options(uint8_t *p, size_t len, struct prefix *prefix)
 			if (len < sizeof(struct dhcp_iaprefix)) {
 				log_warnx("%s: malformed packet, ignoring",
 				    __func__);
-				return;
+				return DHCP_STATUS_UNSPECFAIL;
 			}
 
 			memcpy(&iaprefix, p, sizeof(struct dhcp_iaprefix));
@@ -997,20 +1004,21 @@ parse_ia_pd_options(uint8_t *p, size_t len, struct prefix *prefix)
 
 			break;
 		case DHO_STATUS_CODE:
-			/*
+			/* XXX STATUS_CODE can also appear outside of options */
-			 * XXX handle STATUS_CODE if not success
-			 * STATUS_CODE can also appear in other parts of
-			 * the packet.
-			 */
 			if (len < 2) {
 				log_warnx("%s: malformed packet, ignoring",
 				    __func__);
-				return;
+				return DHCP_STATUS_UNSPECFAIL;
 			}
 			memcpy(&status_code, p, sizeof(uint16_t));
 			status_code = ntohs(status_code);
-			visbuf = calloc(4, len - 2);
+			/* must be at least 4 * srclen + 1 long */
-			strvisx(visbuf, p + 2, len - 2, VIS_SAFE);
+			visbuf = calloc(4, opt_hdr.len - 2 + 1);
+			if (visbuf == NULL) {
+				log_warn("%s", __func__);
+				break;
+			}
+			strvisx(visbuf, p + 2, opt_hdr.len - 2, VIS_SAFE);
 			log_debug("%s: %s - %s", __func__,
 			    dhcp_status2str(status_code), visbuf);
 			break;
@@ -1020,6 +1028,7 @@ parse_ia_pd_options(uint8_t *p, size_t len, struct prefix *prefix)
 		p += opt_hdr.len;
 		len -= opt_hdr.len;
 	}
+	return status_code;
 }
 
 /* XXX check valid transitions */
@@ -1270,9 +1279,10 @@ configure_interfaces(struct dhcp6leased_iface *iface)
 	struct iface_ia_conf	*ia_conf;
 	struct iface_pd_conf	*pd_conf;
 	struct imsg_lease_info	 imsg_lease_info;
+	uint32_t	 	 i;
+	char		 	 ntopbuf[INET6_ADDRSTRLEN];
 	char			 ifnamebuf[IF_NAMESIZE], *if_name;
 
-
 	if ((if_name = if_indextoname(iface->if_index, ifnamebuf)) == NULL) {
 		log_debug("%s: unknown interface %d", __func__,
 		    iface->if_index);
@@ -1285,11 +1295,14 @@ configure_interfaces(struct dhcp6leased_iface *iface)
 		return;
 	}
 
-	memset(&imsg_lease_info, 0, sizeof(imsg_lease_info));
+	for (i = 0; i < iface_conf->ia_count; i++) {
-	imsg_lease_info.if_index = iface->if_index;
+		struct prefix	*pd = &iface->new_pds[i];
-	memcpy(imsg_lease_info.pds, iface->new_pds, sizeof(iface->new_pds));
+
-	engine_imsg_compose_main(IMSG_WRITE_LEASE, 0, &imsg_lease_info,
+		log_info("prefix delegation #%d %s/%d received on %s from "
-	    sizeof(imsg_lease_info));
+		    "server %s", i, inet_ntop(AF_INET6, &pd->prefix, ntopbuf,
+		    INET6_ADDRSTRLEN), pd->prefix_len, if_name,
+		    dhcp_duid2str(iface->serverid_len, iface->serverid));
+	}
 
 	SIMPLEQ_FOREACH(ia_conf, &iface_conf->iface_ia_list, entry) {
 		struct prefix	*pd = &iface->new_pds[ia_conf->id];
@@ -1300,10 +1313,9 @@ configure_interfaces(struct dhcp6leased_iface *iface)
 	}
 
 	if (prefixcmp(iface->pds, iface->new_pds, iface_conf->ia_count) != 0) {
-		uint32_t	 i;
+		log_info("Prefix delegations on %s from server %s changed",
-		char		 ntopbuf[INET6_ADDRSTRLEN];
+		    if_name, dhcp_duid2str(iface->serverid_len,
-
+		    iface->serverid));
-		log_warnx("IA_PDs changed");
 		for (i = 0; i < iface_conf->ia_count; i++) {
 			log_debug("%s: iface->pds [%d]: %s/%d", __func__, i,
 			    inet_ntop(AF_INET6, &iface->pds[i].prefix, ntopbuf,
@@ -1318,6 +1330,12 @@ configure_interfaces(struct dhcp6leased_iface *iface)
 
 	memcpy(iface->pds, iface->new_pds, sizeof(iface->pds));
 	memset(iface->new_pds, 0, sizeof(iface->new_pds));
+
+	memset(&imsg_lease_info, 0, sizeof(imsg_lease_info));
+	imsg_lease_info.if_index = iface->if_index;
+	memcpy(imsg_lease_info.pds, iface->pds, sizeof(iface->pds));
+	engine_imsg_compose_main(IMSG_WRITE_LEASE, 0, &imsg_lease_info,
+	    sizeof(imsg_lease_info));
 }
 
 void
@@ -1326,6 +1344,8 @@ deconfigure_interfaces(struct dhcp6leased_iface *iface)
 	struct iface_conf	*iface_conf;
 	struct iface_ia_conf	*ia_conf;
 	struct iface_pd_conf	*pd_conf;
+	uint32_t	 	 i;
+	char		 	 ntopbuf[INET6_ADDRSTRLEN];
 	char			 ifnamebuf[IF_NAMESIZE], *if_name;
 
 
@@ -1341,6 +1361,15 @@ deconfigure_interfaces(struct dhcp6leased_iface *iface)
 		return;
 	}
 
+	for (i = 0; i < iface_conf->ia_count; i++) {
+		struct prefix *pd = &iface->pds[i];
+
+		log_info("Prefix delegation #%d %s/%d expired on %s from "
+		    "server %s", i, inet_ntop(AF_INET6, &pd->prefix, ntopbuf,
+		    INET6_ADDRSTRLEN), pd->prefix_len, if_name,
+		    dhcp_duid2str(iface->serverid_len, iface->serverid));
+	}
+
 	SIMPLEQ_FOREACH(ia_conf, &iface_conf->iface_ia_list, entry) {
 		struct prefix	*pd = &iface->pds[ia_conf->id];
 
@@ -1348,6 +1377,7 @@ deconfigure_interfaces(struct dhcp6leased_iface *iface)
 			send_reconfigure_interface(pd_conf, pd, DECONFIGURE);
 		}
 	}
+	memset(iface->pds, 0, sizeof(iface->pds));
 }
 
 int
@@ -1416,7 +1446,7 @@ send_reconfigure_interface(struct iface_pd_conf *pd_conf, struct prefix *pd,
 }
 
 const char *
-dhcp_message_type2str(uint8_t type)
+dhcp_message_type2str(int type)
 {
 	static char buf[sizeof("Unknown [255]")];
 
@@ -1448,13 +1478,13 @@ dhcp_message_type2str(uint8_t type)
 	case DHCPRELAYREPL:
 		return "DHCPRELAYREPL";
 	default:
-		snprintf(buf, sizeof(buf), "Unknown [%u]", type);
+		snprintf(buf, sizeof(buf), "Unknown [%u]", type & 0xff);
 		return buf;
 	}
 }
 
 const char *
-dhcp_option_type2str(uint16_t code)
+dhcp_option_type2str(int code)
 {
 	static char buf[sizeof("Unknown [65535]")];
 	switch (code) {
@@ -1481,7 +1511,7 @@ dhcp_option_type2str(uint16_t code)
 	case DHO_INF_MAX_RT:
 		return "DHO_INF_MAX_RT";
 	default:
-		snprintf(buf, sizeof(buf), "Unknown [%u]", code);
+		snprintf(buf, sizeof(buf), "Unknown [%u]", code &0xffff);
 		return buf;
 	}
 }
@@ -1505,7 +1535,7 @@ dhcp_duid2str(int len, uint8_t *p)
 }
 
 const char*
-dhcp_status2str(uint8_t status)
+dhcp_status2str(int status)
 {
 	static char buf[sizeof("Unknown [255]")];
 
@@ -1525,7 +1555,7 @@ dhcp_status2str(uint8_t status)
 	case DHCP_STATUS_NOPREFIXAVAIL:
 		return "NoPrefixAvail";
 	default:
-		snprintf(buf, sizeof(buf), "Unknown [%u]", status);
+		snprintf(buf, sizeof(buf), "Unknown [%u]", status & 0xff);
 		return buf;
     }
 }

sbin/dhcp6leased/frontend.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: frontend.c,v 1.12 2024/06/19 07:42:44 florian Exp $	*/
+/*	$OpenBSD: frontend.c,v 1.14 2024/07/11 13:38:03 florian Exp $	*/
 
 /*
  * Copyright (c) 2017, 2021, 2024 Florian Obser <florian@openbsd.org>
@@ -551,6 +551,9 @@ update_iface(uint32_t if_index)
 	if ((flags = get_flags(if_name)) == -1)
 		return;
 
+	if (find_iface_conf(&frontend_conf->iface_list, if_name) == NULL)
+		return;
+
 	memset(&ifinfo, 0, sizeof(ifinfo));
 	ifinfo.if_index = if_index;
 	ifinfo.link_state = -1;
@@ -873,8 +876,8 @@ build_packet(uint8_t message_type, struct iface *iface, char *if_name)
 void
 send_packet(uint8_t message_type, struct iface *iface)
 {
-	ssize_t			 pkt_len;
+	ssize_t	 pkt_len;
-	char			 ifnamebuf[IF_NAMESIZE], *if_name;
+	char	 ifnamebuf[IF_NAMESIZE], *if_name, *message_name;
 
 	if (!event_initialized(&iface->udpev)) {
 		iface->send_solicit = 1;
@@ -887,7 +890,26 @@ send_packet(uint8_t message_type, struct iface *iface)
 	    == NULL)
 		return; /* iface went away, nothing to do */
 
-	log_debug("%s on %s", dhcp_message_type2str(message_type), if_name);
+	switch (message_type) {
+	case DHCPSOLICIT:
+		message_name = "Soliciting";
+		break;
+	case DHCPREQUEST:
+		message_name = "Requesting";
+		break;
+	case DHCPRENEW:
+		message_name = "Renewing";
+		break;
+	case DHCPREBIND:
+		message_name = "Rebinding";
+		break;
+	default:
+		message_name = NULL;
+		break;
+	}
+
+	if (message_name)
+		log_info("%s lease on %s", message_name, if_name);
 
 	pkt_len = build_packet(message_type, iface, if_name);
 

share/man/man4/bnxt.4

@@ -1,4 +1,4 @@
-.\" $OpenBSD: bnxt.4,v 1.3 2021/09/08 20:29:21 jmc Exp $
+.\" $OpenBSD: bnxt.4,v 1.4 2024/07/10 07:56:21 jmatthew Exp $
 .\"
 .\" Copyright (c) 2018 Jonathan Matthew <jmatthew@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: September 8 2021 $
+.Dd $Mdocdate: July 10 2024 $
 .Dt BNXT 4
 .Os
 .Sh NAME
@@ -41,9 +41,9 @@ Broadcom P210p Adapter (10Gb SFP+)
 .It
 Broadcom P210tp Adapter (10GBASE-T)
 .It
-Broadcom P255c Adapter (10/25Gb QSFP28)
+Broadcom P225c Adapter (10/25Gb QSFP28)
 .It
-Broadcom P255p Adapter (10/25Gb SFP28)
+Broadcom P225p Adapter (10/25Gb SFP28)
 .El
 .Pp
 Adapters based on these chipsets are also available as LOM/Mezzanine

share/man/man5/port-modules.5

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: port-modules.5,v 1.269 2024/07/09 13:05:15 bentley Exp $
+.\"	$OpenBSD: port-modules.5,v 1.270 2024/07/11 12:55:33 bentley Exp $
 .\"
 .\" Copyright (c) 2008 Marc Espie
 .\"
@@ -24,7 +24,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 9 2024 $
+.Dd $Mdocdate: July 11 2024 $
 .Dt PORT-MODULES 5
 .Os
 .Sh NAME
@@ -697,7 +697,7 @@ it sets
 .Ev MODFONT_FAMILY
 should be set to the name of the font family.
 This sets
-.Ev MODFONT_DIR
+.Ev MODFONT_FONTDIR
 and
 .Ev MODFONT_DOCDIR
 using said family name.
@@ -707,10 +707,15 @@ target is provided if the port itself does not provide it.
 This installs fonts from
 .Ev WRKSRC
 in the distribution.
-If one or more file extensions are listed in
+If one or more filenames (relative to
-.Ev MODFONT_TYPES ,
+.Ev WRKSRC )
-files of those types will be used.
+are listed in
-Otherwise, otf files are preferred, with a fallback to ttf.
+.Ev MODFONT_FONTFILES ,
+they will be installed to
+.Ev MODFONT_FONTDIR .
+Otherwise, otf files in
+.Ev WRKSRC
+will be installed, with a fallback to ttf.
 If filenames (relative to
 .Ev WRKSRC )
 are listed in

sys/arch/amd64/amd64/locore0.S

@@ -1,4 +1,4 @@
-/*	$OpenBSD: locore0.S,v 1.23 2024/05/12 16:49:38 guenther Exp $	*/
+/*	$OpenBSD: locore0.S,v 1.24 2024/07/10 12:36:13 bluhm Exp $	*/
 /*	$NetBSD: locore.S,v 1.13 2004/03/25 18:33:17 drochner Exp $	*/
 
 /*
@@ -314,17 +314,21 @@ cont:
 	NDML3_ENTRIES + NDML2_ENTRIES + 3) * NBPG)
 
 #define fillkpt \
-1:	movl	%eax,(%ebx)	;	/* store phys addr */ \
+	pushl	%ebp				;	/* save */ \
-	movl	$0,4(%ebx)	;	/* upper 32 bits 0 */ \
+	movl	RELOC((pg_crypt + 4)), %ebp	;	/* C bit? */ \
-	addl	$8,%ebx		;	/* next pte/pde */ \
+1:	movl	%eax,(%ebx)			;	/* store phys addr */ \
-	addl	$NBPG,%eax	;	/* next phys page */ \
+	movl	%ebp,4(%ebx)			;	/* upper 32 bits */ \
-	loop	1b		;	/* till finished */
+	addl	$8,%ebx				;	/* next pte/pde */ \
+	addl	$NBPG,%eax			;	/* next phys page */ \
+	loop	1b				;	/* till finished */ \
+	popl	%ebp				;	/* restore */
 
 
 #define fillkpt_nx \
 	pushl	%ebp				;	/* save */ \
-1:	movl	%eax,(%ebx)			;	/* store phys addr */ \
 	movl	RELOC((pg_nx + 4)), %ebp	;	/* NX bit? */ \
+	orl	RELOC((pg_crypt + 4)), %ebp	;	/* C bit? */ \
+1:	movl	%eax,(%ebx)			;	/* store phys addr */ \
 	movl	%ebp,4(%ebx)			;	/* upper 32 bits */ \
 	addl	$8,%ebx				;	/* next pte/pde */ \
 	addl	$NBPG,%eax			;	/* next phys page */ \
@@ -510,6 +514,7 @@ store_pte:
 	movl	%eax, (%ebx)
 	pushl	%ebp
 	movl	RELOC((pg_nx + 4)), %ebp
+	orl	RELOC((pg_crypt + 4)), %ebp
 	movl	%ebp, 4(%ebx)
 	popl	%ebp
 	addl	$8, %ebx
@@ -535,6 +540,7 @@ store_pte:
 	movl	%eax,(%ebx)
 	pushl	%ebp
 	movl	RELOC((pg_nx + 4)), %ebp
+	orl	RELOC((pg_crypt + 4)), %ebp
 	movl	%ebp, 4(%ebx)
 	popl	%ebp
 

sys/arch/amd64/include/vmmvar.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: vmmvar.h,v 1.102 2024/07/09 09:31:37 dv Exp $	*/
+/*	$OpenBSD: vmmvar.h,v 1.103 2024/07/10 09:27:32 dv Exp $	*/
 /*
  * Copyright (c) 2014 Mike Larkin <mlarkin@openbsd.org>
  *
@@ -88,15 +88,15 @@
 #define VMX_EXIT_XSAVES				63
 #define VMX_EXIT_XRSTORS			64
 
+#define VM_EXIT_TERMINATED			0xFFFE
+#define VM_EXIT_NONE				0xFFFF
+
 /*
  * VMX: Misc defines
  */
 #define VMX_MAX_CR3_TARGETS			256
 #define VMX_VMCS_PA_CLEAR			0xFFFFFFFFFFFFFFFFUL
 
-#define VM_EXIT_TERMINATED			0xFFFE
-#define VM_EXIT_NONE				0xFFFF
-
 /*
  * SVM: Intercept codes (exit reasons)
  */
@@ -473,20 +473,6 @@ struct vm_intr_params {
 	uint16_t		vip_intr;
 };
 
-#define VM_RWVMPARAMS_PVCLOCK_SYSTEM_GPA 0x1	/* read/write pvclock gpa */
-#define VM_RWVMPARAMS_PVCLOCK_VERSION	 0x2	/* read/write pvclock version */
-#define VM_RWVMPARAMS_ALL	(VM_RWVMPARAMS_PVCLOCK_SYSTEM_GPA | \
-    VM_RWVMPARAMS_PVCLOCK_VERSION)
-
-struct vm_rwvmparams_params {
-	/* Input parameters to VMM_IOC_READVMPARAMS/VMM_IOC_WRITEVMPARAMS */
-	uint32_t		vpp_vm_id;
-	uint32_t		vpp_vcpu_id;
-	uint32_t		vpp_mask;
-	paddr_t			vpp_pvclock_system_gpa;
-	uint32_t		vpp_pvclock_version;
-};
-
 #define VM_RWREGS_GPRS	0x1	/* read/write GPRs */
 #define VM_RWREGS_SREGS	0x2	/* read/write segment registers */
 #define VM_RWREGS_CRS	0x4	/* read/write CRs */
@@ -936,7 +922,6 @@ int	vm_impl_init(struct vm *, struct proc *);
 void	vm_impl_deinit(struct vm *);
 int	vcpu_init(struct vcpu *);
 void	vcpu_deinit(struct vcpu *);
-int	vm_rwvmparams(struct vm_rwvmparams_params *, int);
 int	vm_rwregs(struct vm_rwregs_params *, int);
 int	vcpu_reset_regs(struct vcpu *, struct vcpu_reg_state *);
 

sys/arch/arm64/arm64/cpu.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: cpu.c,v 1.123 2024/07/02 19:59:54 kettenis Exp $	*/
+/*	$OpenBSD: cpu.c,v 1.125 2024/07/11 12:07:39 kettenis Exp $	*/
 
 /*
  * Copyright (c) 2016 Dale Rahn <drahn@dalerahn.com>
@@ -245,6 +245,7 @@ uint64_t cpu_id_aa64pfr0;
 uint64_t cpu_id_aa64pfr1;
 
 int arm64_has_lse;
+int arm64_has_rng;
 #ifdef CRYPTO
 int arm64_has_aes;
 #endif
@@ -273,8 +274,12 @@ struct cfdriver cpu_cd = {
 	NULL, "cpu", DV_DULL
 };
 
+struct timeout cpu_rng_to;
+void	cpu_rng(void *);
+
 void	cpu_opp_init(struct cpu_info *, uint32_t);
 void	cpu_psci_init(struct cpu_info *);
+void	cpu_psci_idle_cycle(void);
 
 void	cpu_flush_bp_noop(void);
 void	cpu_flush_bp_psci(void);
@@ -285,6 +290,25 @@ void	cpu_kstat_attach(struct cpu_info *ci);
 void	cpu_opp_kstat_attach(struct cpu_info *ci);
 #endif
 
+void
+cpu_rng(void *arg)
+{
+	struct timeout *to = arg;
+	uint64_t rndr;
+	int ret;
+
+	ret = __builtin_arm_rndrrs(&rndr);
+	if (ret)
+		ret = __builtin_arm_rndr(&rndr);
+	if (ret == 0) {
+		enqueue_randomness(rndr & 0xffffffff);
+		enqueue_randomness(rndr >> 32);
+	}
+
+	if (to)
+		timeout_add_msec(to, 1000);
+}
+
 /*
  * Enable mitigation for Spectre-V2 branch target injection
  * vulnerabilities (CVE-2017-5715).
@@ -666,6 +690,7 @@ cpu_identify(struct cpu_info *ci)
 	if (ID_AA64ISAR0_RNDR(id) >= ID_AA64ISAR0_RNDR_IMPL) {
 		printf("%sRNDR", sep);
 		sep = ",";
+		arm64_has_rng = 1;
 	}
 
 	if (ID_AA64ISAR0_TLB(id) >= ID_AA64ISAR0_TLB_IOS) {
@@ -1138,6 +1163,11 @@ cpu_attach(struct device *parent, struct device *dev, void *aux)
 		}
 
 		cpu_init();
+
+		if (arm64_has_rng) {
+			timeout_set(&cpu_rng_to, cpu_rng, &cpu_rng_to);
+			cpu_rng(&cpu_rng_to);
+		}
 #ifdef MULTIPROCESSOR
 	}
 #endif
@@ -1955,6 +1985,51 @@ cpu_psci_init(struct cpu_info *ci)
 	uint32_t cluster;
 	int idx, len, node;
 
+	/*
+	 * Find the shallowest (for now) idle state for this CPU.
+	 * This should be the first one that is listed.  We'll use it
+	 * in the idle loop.
+	 */
+
+	len = OF_getproplen(ci->ci_node, "cpu-idle-states");
+	if (len < (int)sizeof(uint32_t))
+		return;
+
+	states = malloc(len, M_TEMP, M_WAITOK);
+	OF_getpropintarray(ci->ci_node, "cpu-idle-states", states, len);
+	node = OF_getnodebyphandle(states[0]);
+	free(states, M_TEMP, len);
+	if (node) {
+		uint32_t entry, exit, residency, param;
+		int32_t features;
+
+		param = OF_getpropint(node, "arm,psci-suspend-param", 0);
+		entry = OF_getpropint(node, "entry-latency-us", 0);
+		exit = OF_getpropint(node, "exit-latency-us", 0);
+		residency = OF_getpropint(node, "min-residency-us", 0);
+		ci->ci_psci_idle_latency += entry + exit + 2 * residency;
+
+		/* Skip states that stop the local timer. */
+		if (OF_getpropbool(node, "local-timer-stop"))
+			ci->ci_psci_idle_param = 0;
+
+		/* Skip powerdown states. */
+		features = psci_features(CPU_SUSPEND);
+		if (features == PSCI_NOT_SUPPORTED ||
+		    (features & PSCI_FEATURE_POWER_STATE_EXT) == 0) {
+			if (param & PSCI_POWER_STATE_POWERDOWN)
+				param = 0;
+		} else {
+			if (param & PSCI_POWER_STATE_EXT_POWERDOWN)
+				param = 0;
+		}
+
+		if (param) {
+			ci->ci_psci_idle_param = param;
+			cpu_idle_cycle_fcn = cpu_psci_idle_cycle;
+		}
+	}
+
 	/*
 	 * Hunt for the deepest idle state for this CPU.  This is
 	 * fairly complicated as it requires traversing quite a few
@@ -2052,6 +2127,30 @@ cpu_psci_init(struct cpu_info *ci)
 		OF_getpropint(node, "arm,psci-suspend-param", 0);
 }
 
+void
+cpu_psci_idle_cycle(void)
+{
+	struct cpu_info *ci = curcpu();
+	struct timeval start, stop;
+	u_long itime;
+
+	microuptime(&start);
+
+	if (ci->ci_prev_sleep > ci->ci_psci_idle_latency)
+		psci_cpu_suspend(ci->ci_psci_idle_param, 0, 0);
+	else
+		cpu_wfi();
+
+	microuptime(&stop);
+	timersub(&stop, &start, &stop);
+	itime = stop.tv_sec * 1000000 + stop.tv_usec;
+
+	ci->ci_last_itime = itime;
+	itime >>= 1;
+	ci->ci_prev_sleep = (ci->ci_prev_sleep + (ci->ci_prev_sleep >> 1)
+	    + itime) >> 1;
+}
+
 #if NKSTAT > 0
 
 struct cpu_kstats {

sys/arch/arm64/conf/Makefile.arm64

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile.arm64,v 1.48 2024/07/02 10:25:16 kettenis Exp $
+#	$OpenBSD: Makefile.arm64,v 1.49 2024/07/11 12:07:40 kettenis Exp $
 
 # For instructions on building kernels consult the config(8) and options(4)
 # manual pages.
@@ -56,7 +56,7 @@ CWARNFLAGS=	-Werror -Wall -Wimplicit-function-declaration \
 		-Wno-unused-but-set-variable -Wno-gnu-folding-constant \
 		-Wframe-larger-than=2047
 
-CMACHFLAGS=	-march=armv8-a+nofp+nosimd \
+CMACHFLAGS=	-march=armv8-a+nofp+nosimd+rng \
 		-fno-omit-frame-pointer -mno-omit-leaf-frame-pointer \
 		-ffixed-x18
 CMACHFLAGS+=	-ffreestanding ${NOPIE_FLAGS}

sys/arch/arm64/include/cpu.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: cpu.h,v 1.47 2024/05/01 12:54:27 mpi Exp $ */
+/* $OpenBSD: cpu.h,v 1.48 2024/07/10 11:01:24 kettenis Exp $ */
 /*
  * Copyright (c) 2016 Dale Rahn <drahn@dalerahn.com>
  *
@@ -146,6 +146,8 @@ struct cpu_info {
 	uint64_t		ci_ttbr1;
 	vaddr_t			ci_el1_stkend;
 
+	uint32_t		ci_psci_idle_latency;
+	uint32_t		ci_psci_idle_param;
 	uint32_t		ci_psci_suspend_param;
 
 	struct opp_table	*ci_opp_table;

sys/arch/arm64/include/efivar.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: efivar.h,v 1.1 2023/01/14 12:11:11 kettenis Exp $	*/
+/*	$OpenBSD: efivar.h,v 1.2 2024/07/10 10:53:55 kettenis Exp $	*/
 /*
  * Copyright (c) 2022 Mark Kettenis <kettenis@openbsd.org>
  *
@@ -30,6 +30,11 @@ struct efi_softc {
 	struct todr_chip_handle sc_todr;
 };
 
+
+extern EFI_GET_VARIABLE efi_get_variable;
+extern EFI_SET_VARIABLE efi_set_variable;
+extern EFI_GET_NEXT_VARIABLE_NAME efi_get_next_variable_name;
+
 void	efi_enter(struct efi_softc *);
 void	efi_leave(struct efi_softc *);
 

sys/arch/arm64/include/vmmvar.h

@@ -0,0 +1,91 @@
+/*	$OpenBSD: vmmvar.h,v 1.1 2024/07/10 10:41:19 dv Exp $	*/
+/*
+ * Copyright (c) 2014 Mike Larkin <mlarkin@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * CPU capabilities for VMM operation
+ */
+#ifndef _MACHINE_VMMVAR_H_
+#define _MACHINE_VMMVAR_H_
+
+#define VMM_HV_SIGNATURE 	"OpenBSDVMM58"
+
+#define VMM_PCI_MMIO_BAR_BASE	0xF0000000ULL
+#define VMM_PCI_MMIO_BAR_END	0xFFDFFFFFULL		/* 2 MiB below 4 GiB */
+
+/* Exit Reasons */
+#define VM_EXIT_TERMINATED			0xFFFE
+#define VM_EXIT_NONE				0xFFFF
+
+struct vmm_softc_md {
+	/* Capabilities */
+	uint32_t		nr_cpus;	/* [I] */
+};
+
+/*
+ * struct vcpu_inject_event	: describes an exception or interrupt to inject.
+ */
+struct vcpu_inject_event {
+	uint8_t		vie_vector;	/* Exception or interrupt vector. */
+	uint32_t	vie_errorcode;	/* Optional error code. */
+	uint8_t		vie_type;
+#define VCPU_INJECT_NONE	0
+#define VCPU_INJECT_INTR	1	/* External hardware interrupt. */
+#define VCPU_INJECT_EX		2	/* HW or SW Exception */
+#define VCPU_INJECT_NMI		3	/* Non-maskable Interrupt */
+};
+
+#define VCPU_REGS_NGPRS		31
+
+struct vcpu_reg_state {
+	uint64_t			vrs_gprs[VCPU_REGS_NGPRS];
+};
+
+/*
+ * struct vm_exit
+ *
+ * Contains VM exit information communicated to vmd(8). This information is
+ * gathered by vmm(4) from the CPU on each exit that requires help from vmd.
+ */
+struct vm_exit {
+	struct vcpu_reg_state		vrs;
+};
+
+struct vm_intr_params {
+	/* Input parameters to VMM_IOC_INTR */
+	uint32_t		vip_vm_id;
+	uint32_t		vip_vcpu_id;
+	uint16_t		vip_intr;
+};
+
+#define VM_RWREGS_GPRS	0x1	/* read/write GPRs */
+#define VM_RWREGS_ALL	(VM_RWREGS_GPRS)
+
+struct vm_rwregs_params {
+	/*
+	 * Input/output parameters to VMM_IOC_READREGS /
+	 * VMM_IOC_WRITEREGS
+	 */
+	uint32_t		vrwp_vm_id;
+	uint32_t		vrwp_vcpu_id;
+	uint64_t		vrwp_mask;
+	struct vcpu_reg_state	vrwp_regs;
+};
+
+/* IOCTL definitions */
+#define VMM_IOC_INTR _IOW('V', 6, struct vm_intr_params) /* Intr pending */
+
+#endif /* ! _MACHINE_VMMVAR_H_ */

sys/arch/arm64/stand/efiboot/efiboot.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: efiboot.c,v 1.56 2024/07/07 09:38:44 patrick Exp $	*/
+/*	$OpenBSD: efiboot.c,v 1.57 2024/07/10 18:46:42 patrick Exp $	*/
 
 /*
  * Copyright (c) 2015 YASUOKA Masahiko <yasuoka@yasuoka.net>
@@ -588,7 +588,8 @@ efi_dma_constraint(void)
 	    fdt_node_is_compatible(node, "rockchip,rk3588") ||
 	    fdt_node_is_compatible(node, "rockchip,rk3588s"))
 		dma_constraint[1] = htobe64(0xffffffff);
-	if (fdt_node_is_compatible(node, "lenovo,thinkpad-x13s"))
+	if (fdt_node_is_compatible(node, "qcom,sc8280xp") ||
+	    fdt_node_is_compatible(node, "qcom,x1e80100"))
 		dma_constraint[1] = htobe64(0xffffffff);
 
 	/* Pass DMA constraint. */

sys/dev/efi/efi.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: efi.c,v 1.1 2023/01/14 12:11:11 kettenis Exp $	*/
+/*	$OpenBSD: efi.c,v 1.2 2024/07/10 10:53:55 kettenis Exp $	*/
 /*
  * Copyright (c) 2022 3mdeb <contact@3mdeb.com>
  *
@@ -33,6 +33,10 @@ int	efiioc_var_next(struct efi_softc *sc, void *);
 int	efiioc_var_set(struct efi_softc *sc, void *);
 int	efi_adapt_error(EFI_STATUS);
 
+EFI_GET_VARIABLE efi_get_variable;
+EFI_SET_VARIABLE efi_set_variable;
+EFI_GET_NEXT_VARIABLE_NAME efi_get_next_variable_name;
+
 int
 efiopen(dev_t dev, int flag, int mode, struct proc *p)
 {
@@ -142,13 +146,18 @@ efiioc_var_get(struct efi_softc *sc, void *data)
 		goto leave;
 	}
 
-	if (efi_enter_check(sc)) {
+	if (efi_get_variable) {
-		error = ENOSYS;
+		status = efi_get_variable(name, (EFI_GUID *)&ioc->vendor,
-		goto leave;
+					&ioc->attrib, &ioc->datasize, value);
+	} else {
+		if (efi_enter_check(sc)) {
+			error = ENOSYS;
+			goto leave;
+		}
+		status = sc->sc_rs->GetVariable(name, (EFI_GUID *)&ioc->vendor,
+		    &ioc->attrib, &ioc->datasize, value);
+		efi_leave(sc);
 	}
-	status = sc->sc_rs->GetVariable(name, (EFI_GUID *)&ioc->vendor,
-	    &ioc->attrib, &ioc->datasize, value);
-	efi_leave(sc);
 
 	if (status == EFI_BUFFER_TOO_SMALL) {
 		/*
@@ -183,13 +192,18 @@ efiioc_var_next(struct efi_softc *sc, void *data)
 	if (error)
 		goto leave;
 
-	if (efi_enter_check(sc)) {
+	if (efi_get_next_variable_name) {
-		error = ENOSYS;
+		status = efi_get_next_variable_name(&ioc->namesize,
-		goto leave;
+		    name, (EFI_GUID *)&ioc->vendor);
+	} else {
+		if (efi_enter_check(sc)) {
+			error = ENOSYS;
+			goto leave;
+		}
+		status = sc->sc_rs->GetNextVariableName(&ioc->namesize,
+		    name, (EFI_GUID *)&ioc->vendor);
+		efi_leave(sc);
 	}
-	status = sc->sc_rs->GetNextVariableName(&ioc->namesize,
-	    name, (EFI_GUID *)&ioc->vendor);
-	efi_leave(sc);
 
 	if (status == EFI_BUFFER_TOO_SMALL) {
 		/*
@@ -242,13 +256,18 @@ efiioc_var_set(struct efi_softc *sc, void *data)
 		goto leave;
 	}
 
-	if (efi_enter_check(sc)) {
+	if (efi_set_variable) {
-		error = ENOSYS;
+		status = efi_set_variable(name, (EFI_GUID *)&ioc->vendor,
-		goto leave;
+		    ioc->attrib, ioc->datasize, value);
+	} else {
+		if (efi_enter_check(sc)) {
+			error = ENOSYS;
+			goto leave;
+		}
+		status = sc->sc_rs->SetVariable(name, (EFI_GUID *)&ioc->vendor,
+		    ioc->attrib, ioc->datasize, value);
+		efi_leave(sc);
 	}
-	status = sc->sc_rs->SetVariable(name, (EFI_GUID *)&ioc->vendor,
-	    ioc->attrib, ioc->datasize, value);
-	efi_leave(sc);
 
 	error = efi_adapt_error(status);
 

sys/dev/fdt/psci.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: psci.c,v 1.16 2024/04/13 14:20:48 kettenis Exp $	*/
+/*	$OpenBSD: psci.c,v 1.17 2024/07/10 11:01:24 kettenis Exp $	*/
 
 /*
  * Copyright (c) 2016 Jonathan Gray <jsg@openbsd.org>
@@ -37,27 +37,6 @@ extern void (*powerdownfn)(void);
 #define SMCCC_ARCH_WORKAROUND_2	0x80007fff
 #define SMCCC_ARCH_WORKAROUND_3	0x80003fff
 
-#define PSCI_VERSION		0x84000000
-#ifdef __LP64__
-#define CPU_SUSPEND		0xc4000001
-#else
-#define CPU_SUSPEND		0x84000001
-#endif
-#define CPU_OFF			0x84000002
-#ifdef __LP64__
-#define CPU_ON			0xc4000003
-#else
-#define CPU_ON			0x84000003
-#endif
-#define SYSTEM_OFF		0x84000008
-#define SYSTEM_RESET		0x84000009
-#define PSCI_FEATURES		0x8400000a
-#ifdef __LP64__
-#define SYSTEM_SUSPEND		0xc400000e
-#else
-#define SYSTEM_SUSPEND		0x8400000e
-#endif
-
 struct psci_softc {
 	struct device	 sc_dev;
 	register_t	 (*sc_callfn)(register_t, register_t, register_t,

sys/dev/fdt/pscivar.h

@@ -10,12 +10,38 @@
 #define PSCI_METHOD_HVC		1
 #define PSCI_METHOD_SMC		2
 
+#define PSCI_VERSION		0x84000000
+#ifdef __LP64__
+#define CPU_SUSPEND		0xc4000001
+#else
+#define CPU_SUSPEND		0x84000001
+#endif
+#define CPU_OFF			0x84000002
+#ifdef __LP64__
+#define CPU_ON			0xc4000003
+#else
+#define CPU_ON			0x84000003
+#endif
+#define SYSTEM_OFF		0x84000008
+#define SYSTEM_RESET		0x84000009
+#define PSCI_FEATURES		0x8400000a
+#ifdef __LP64__
+#define SYSTEM_SUSPEND		0xc400000e
+#else
+#define SYSTEM_SUSPEND		0x8400000e
+#endif
+
+#define PSCI_FEATURE_POWER_STATE_EXT		(1 << 1)
+#define  PSCI_POWER_STATE_POWERDOWN		(1 << 16)
+#define  PSCI_POWER_STATE_EXT_POWERDOWN		(1 << 30)
+
 int	psci_can_suspend(void);
 
 int32_t	psci_system_suspend(register_t, register_t);
 int32_t	psci_cpu_on(register_t, register_t, register_t);
 int32_t	psci_cpu_off(void);
 int32_t	psci_cpu_suspend(register_t, register_t, register_t);
+int32_t	psci_features(uint32_t);
 void	psci_flush_bp(void);
 int	psci_method(void);
 

sys/dev/fdt/qcscm.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: qcscm.c,v 1.7 2024/07/04 20:11:46 kettenis Exp $ */
+/* $OpenBSD: qcscm.c,v 1.8 2024/07/10 10:53:55 kettenis Exp $ */
 /*
  * Copyright (c) 2022 Patrick Wildt <patrick@blueri.se>
  *
@@ -33,11 +33,14 @@
 #include <machine/fdt.h>
 
 #include <dev/efi/efi.h>
+#include <machine/efivar.h>
 
 #include <dev/ofw/openfirm.h>
 #include <dev/ofw/ofw_misc.h>
 #include <dev/ofw/fdt.h>
 
+#include "efi.h"
+
 /* #define QCSCM_DEBUG */
 
 #define ARM_SMCCC_STD_CALL			(0U << 31)
@@ -142,6 +145,12 @@ EFI_STATUS qcscm_uefi_set_variable(struct qcscm_softc *, CHAR16 *,
 EFI_STATUS qcscm_uefi_get_next_variable(struct qcscm_softc *,
 	    CHAR16 *, int *, EFI_GUID *);
 
+EFI_STATUS qcscm_efi_get_variable(CHAR16 *, EFI_GUID *, UINT32 *,
+	    UINTN *, VOID *);
+EFI_STATUS qcscm_efi_set_variable(CHAR16 *, EFI_GUID *, UINT32,
+	    UINTN, VOID *);
+EFI_STATUS qcscm_efi_get_next_variable_name(UINTN *, CHAR16 *, EFI_GUID *);
+
 #ifdef QCSCM_DEBUG
 void	qcscm_uefi_dump_variables(struct qcscm_softc *);
 void	qcscm_uefi_dump_variable(struct qcscm_softc *, CHAR16 *, int,
@@ -188,6 +197,12 @@ qcscm_attach(struct device *parent, struct device *self, void *aux)
 	printf("\n");
 	qcscm_sc = sc;
 
+#if NEFI > 0
+	efi_get_variable = qcscm_efi_get_variable;
+	efi_set_variable = qcscm_efi_set_variable;
+	efi_get_next_variable_name = qcscm_efi_get_next_variable_name;
+#endif
+
 #ifdef QCSCM_DEBUG
 	qcscm_uefi_dump_variables(sc);
 	qcscm_uefi_dump_variable(sc, u"RTCInfo", sizeof(u"RTCInfo"),
@@ -418,7 +433,7 @@ qcscm_uefi_get_variable(struct qcscm_softc *sc,
 
 	resp = QCSCM_DMA_KVA(qdm) + respoff;
 	if (resp->command_id != QCTEE_UEFI_GET_VARIABLE ||
-	    resp->length < sizeof(*resp) || resp->length > respsize) {
+	    resp->length < sizeof(*resp)) {
 		qcscm_dmamem_free(sc, qdm);
 		return QCTEE_UEFI_DEVICE_ERROR;
 	}
@@ -433,7 +448,8 @@ qcscm_uefi_get_variable(struct qcscm_softc *sc,
 		return ret;
 	}
 
-	if (resp->data_offset + resp->data_size > resp->length) {
+	if (resp->length > respsize ||
+	    resp->data_offset + resp->data_size > resp->length) {
 		qcscm_dmamem_free(sc, qdm);
 		return QCTEE_UEFI_DEVICE_ERROR;
 	}
@@ -641,7 +657,71 @@ qcscm_uefi_get_next_variable(struct qcscm_softc *sc,
 	return QCTEE_UEFI_SUCCESS;
 }
 
+#if NEFI > 0
+
+EFI_STATUS
+qcscm_efi_get_variable(CHAR16 *name, EFI_GUID *guid, UINT32 *attributes,
+   UINTN *data_size, VOID *data)
+{
+	struct qcscm_softc *sc = qcscm_sc;
+	EFI_STATUS status;
+	int name_size;
+	int size;
+
+	name_size = 0;
+	while (name[name_size])
+		name_size++;
+	name_size++;
+
+	size = *data_size;
+	status = qcscm_uefi_get_variable(sc, name, name_size * 2, guid,
+	    attributes, data, &size);
+	*data_size = size;
+
+	/* Convert 32-bit status code to 64-bit. */
+	return ((status & 0xf0000000) << 32 | (status & 0x0fffffff));
+}
+
+EFI_STATUS
+qcscm_efi_set_variable(CHAR16 *name, EFI_GUID *guid, UINT32 attributes,
+    UINTN data_size, VOID *data)
+{
+	struct qcscm_softc *sc = qcscm_sc;
+	EFI_STATUS status;
+	int name_size;
+
+	name_size = 0;
+	while (name[name_size])
+		name_size++;
+	name_size++;
+
+	status = qcscm_uefi_set_variable(sc, name, name_size * 2, guid,
+	    attributes, data, data_size);
+
+	/* Convert 32-bit status code to 64-bit. */
+	return ((status & 0xf0000000) << 32 | (status & 0x0fffffff));
+}
+
+EFI_STATUS
+qcscm_efi_get_next_variable_name(UINTN *name_size, CHAR16 *name,
+    EFI_GUID *guid)
+{
+	struct qcscm_softc *sc = qcscm_sc;
+	EFI_STATUS status;
+	int size;
+
+	size = *name_size;
+	status = qcscm_uefi_get_next_variable(sc, name, &size, guid);
+	*name_size = size;
+
+	/* Convert 32-bit status code to 64-bit. */
+	return ((status & 0xf0000000) << 32 | (status & 0x0fffffff));
+}
+
+#endif
+
 #ifdef QCSCM_DEBUG
+
 void
 qcscm_uefi_dump_variables(struct qcscm_softc *sc)
 {
@@ -699,6 +779,7 @@ qcscm_uefi_dump_variable(struct qcscm_softc *sc, CHAR16 *name, int namesize,
 		printf("%02x", data[i]);
 	printf("\n");
 }
+
 #endif
 
 int

sys/dev/pci/drm/include/linux/fb.h

@@ -60,11 +60,9 @@ struct fb_info {
 #define FBINFO_STATE_RUNNING	0
 #define FBINFO_STATE_SUSPENDED	1
 
-#define FBINFO_DEFAULT		0
+#define FBINFO_VIRTFB		0x0001
-#define FBINFO_VIRTFB		1
+#define FBINFO_READS_FAST	0x0002
-#define FBINFO_READS_FAST	2
+#define FBINFO_HIDE_SMEM_START	0x0004
-
-#define FBINFO_HIDE_SMEM_START	0
 
 #define FB_ROTATE_UR		0
 #define FB_ROTATE_CW		1

sys/dev/pci/if_iavf.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: if_iavf.c,v 1.14 2024/07/09 16:04:15 jmatthew Exp $	*/
+/*	$OpenBSD: if_iavf.c,v 1.17 2024/07/10 09:50:28 jmatthew Exp $	*/
 
 /*
  * Copyright (c) 2013-2015, Intel Corporation
@@ -1115,7 +1115,7 @@ iavf_config_hena(struct iavf_softc *sc)
 	iaq.iaq_flags = htole16(IAVF_AQ_BUF | IAVF_AQ_RD);
 	iaq.iaq_opcode = htole16(IAVF_AQ_OP_SEND_TO_PF);
 	iaq.iaq_vc_opcode = htole32(IAVF_VC_OP_SET_RSS_HENA);
-	iaq.iaq_datalen = htole32(sizeof(*caps));
+	iaq.iaq_datalen = htole16(sizeof(*caps));
 	iavf_aq_dva(&iaq, IAVF_DMA_DVA(&sc->sc_scratch));
 
 	caps = IAVF_DMA_KVA(&sc->sc_scratch);
@@ -2393,11 +2393,15 @@ iavf_atq_done(struct iavf_softc *sc)
 	unsigned int cons;
 	unsigned int prod;
 
+	mtx_enter(&sc->sc_atq_mtx);
+
 	prod = sc->sc_atq_prod;
 	cons = sc->sc_atq_cons;
 
-	if (prod == cons)
+	if (prod == cons) {
+		mtx_leave(&sc->sc_atq_mtx);
 		return;
+	}
 
 	atq = IAVF_DMA_KVA(&sc->sc_atq);
 
@@ -2421,6 +2425,8 @@ iavf_atq_done(struct iavf_softc *sc)
 	    BUS_DMASYNC_PREREAD|BUS_DMASYNC_PREWRITE);
 
 	sc->sc_atq_cons = cons;
+
+	mtx_leave(&sc->sc_atq_mtx);
 }
 
 static int
@@ -2429,6 +2435,8 @@ iavf_atq_post(struct iavf_softc *sc, struct iavf_aq_desc *iaq)
 	struct iavf_aq_desc *atq, *slot;
 	unsigned int prod;
 
+	mtx_enter(&sc->sc_atq_mtx);
+
 	atq = IAVF_DMA_KVA(&sc->sc_atq);
 	prod = sc->sc_atq_prod;
 	slot = atq + prod;
@@ -2446,6 +2454,9 @@ iavf_atq_post(struct iavf_softc *sc, struct iavf_aq_desc *iaq)
 	prod &= IAVF_AQ_MASK;
 	sc->sc_atq_prod = prod;
 	iavf_wr(sc, sc->sc_aq_regs->atq_tail, prod);
+
+	mtx_leave(&sc->sc_atq_mtx);
+
 	return (prod);
 }
 
@@ -2554,15 +2565,15 @@ iavf_config_irq_map(struct iavf_softc *sc)
 	iavf_aq_dva(&iaq, IAVF_DMA_DVA(&sc->sc_scratch));
 
 	map = IAVF_DMA_KVA(&sc->sc_scratch);
-	map->num_vectors = letoh16(1);
+	map->num_vectors = htole16(1);
 
 	vec = map->vecmap;
-	vec[0].vsi_id = letoh16(sc->sc_vsi_id);
+	vec[0].vsi_id = htole16(sc->sc_vsi_id);
 	vec[0].vector_id = 0;
-	vec[0].rxq_map = letoh16(iavf_allqueues(sc));
+	vec[0].rxq_map = htole16(iavf_allqueues(sc));
-	vec[0].txq_map = letoh16(iavf_allqueues(sc));
+	vec[0].txq_map = htole16(iavf_allqueues(sc));
-	vec[0].rxitr_idx = IAVF_NOITR;
+	vec[0].rxitr_idx = htole16(IAVF_NOITR);
-	vec[0].txitr_idx = IAVF_NOITR;
+	vec[0].txitr_idx = htole16(IAVF_NOITR);
 
 	bus_dmamap_sync(sc->sc_dmat, IAVF_DMA_MAP(&sc->sc_scratch), 0, IAVF_DMA_LEN(&sc->sc_scratch),
 	    BUS_DMASYNC_PREREAD);

sys/dev/vmm/vmm.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: vmm.h,v 1.5 2024/07/09 09:31:37 dv Exp $ */
+/* $OpenBSD: vmm.h,v 1.6 2024/07/10 10:41:19 dv Exp $ */
 /*
  * Copyright (c) 2014-2023 Mike Larkin <mlarkin@openbsd.org>
  *
@@ -108,6 +108,20 @@ struct vm_run_params {
 	uint8_t		vrp_irqready;		/* ready for IRQ on entry */
 };
 
+#define VM_RWVMPARAMS_PVCLOCK_SYSTEM_GPA 0x1	/* read/write pvclock gpa */
+#define VM_RWVMPARAMS_PVCLOCK_VERSION	 0x2	/* read/write pvclock version */
+#define VM_RWVMPARAMS_ALL	(VM_RWVMPARAMS_PVCLOCK_SYSTEM_GPA | \
+    VM_RWVMPARAMS_PVCLOCK_VERSION)
+
+struct vm_rwvmparams_params {
+	/* Input parameters to VMM_IOC_READVMPARAMS/VMM_IOC_WRITEVMPARAMS */
+	uint32_t		vpp_vm_id;
+	uint32_t		vpp_vcpu_id;
+	uint32_t		vpp_mask;
+	paddr_t			vpp_pvclock_system_gpa;
+	uint32_t		vpp_pvclock_version;
+};
+
 /* IOCTL definitions */
 #define VMM_IOC_CREATE _IOWR('V', 1, struct vm_create_params) /* Create VM */
 #define VMM_IOC_RUN _IOWR('V', 2, struct vm_run_params) /* Run VCPU */
@@ -225,6 +239,7 @@ void vm_teardown(struct vm **);
 int vm_get_info(struct vm_info_params *);
 int vm_terminate(struct vm_terminate_params *);
 int vm_resetcpu(struct vm_resetcpu_params *);
+int vm_rwvmparams(struct vm_rwvmparams_params *, int);
 int vcpu_must_stop(struct vcpu *);
 int vm_share_mem(struct vm_sharemem_params *, struct proc *);
 int vm_run(struct vm_run_params *);

sys/kern/kern_sig.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_sig.c,v 1.331 2024/07/09 09:22:50 claudio Exp $	*/
+/*	$OpenBSD: kern_sig.c,v 1.332 2024/07/10 12:28:46 claudio Exp $	*/
 /*	$NetBSD: kern_sig.c,v 1.54 1996/04/22 01:38:32 christos Exp $	*/
 
 /*
@@ -1078,7 +1078,12 @@ ptsignal(struct proc *p, int signum, enum signal_type type)
 		 */
 		if (signum == SIGKILL) {
 			atomic_clearbits_int(&p->p_flag, P_SUSPSIG);
-			goto runfast;
+			/* Raise priority to at least PUSER. */
+			if (p->p_usrpri > PUSER)
+				p->p_usrpri = PUSER;
+			unsleep(p);
+			setrunnable(p);
+			goto out;
 		}
 
 		if (prop & SA_CONT) {
@@ -1097,10 +1102,19 @@ ptsignal(struct proc *p, int signum, enum signal_type type)
 			wakeparent = 1;
 			if (action == SIG_DFL)
 				mask = 0;
-			if (action == SIG_CATCH)
+			if (action == SIG_CATCH) {
-				goto runfast;
+				/* Raise priority to at least PUSER. */
-			if (p->p_wchan == NULL)
+				if (p->p_usrpri > PUSER)
-				goto run;
+					p->p_usrpri = PUSER;
+				unsleep(p);
+				setrunnable(p);
+				goto out;
+			}
+			if (p->p_wchan == NULL) {
+				unsleep(p);
+				setrunnable(p);
+				goto out;
+			}
 			atomic_clearbits_int(&p->p_flag, P_WSLEEP);
 			p->p_stat = SSLEEP;
 			goto out;
@@ -1146,8 +1160,11 @@ ptsignal(struct proc *p, int signum, enum signal_type type)
 		 * so it can discover the signal in cursig() and stop
 		 * for the parent.
 		 */
-		if (pr->ps_flags & PS_TRACED)
+		if (pr->ps_flags & PS_TRACED) {
-			goto run;
+			unsleep(p);
+			setrunnable(p);
+			goto out;
+		}
 
 		/*
 		 * Recheck sigmask before waking up the process,
@@ -1206,8 +1223,13 @@ ptsignal(struct proc *p, int signum, enum signal_type type)
 		/*
 		 * All other (caught or default) signals
 		 * cause the process to run.
+		 * Raise priority to at least PUSER.
 		 */
-		goto runfast;
+		if (p->p_usrpri > PUSER)
+			p->p_usrpri = PUSER;
+		unsleep(p);
+		setrunnable(p);
+		goto out;
 		/* NOTREACHED */
 
 	case SONPROC:
@@ -1229,15 +1251,6 @@ ptsignal(struct proc *p, int signum, enum signal_type type)
 	}
 	/* NOTREACHED */
 
-runfast:
-	/*
-	 * Raise priority to at least PUSER.
-	 */
-	if (p->p_usrpri > PUSER)
-		p->p_usrpri = PUSER;
-run:
-	unsleep(p);
-	setrunnable(p);
 out:
 	/* finally adjust siglist */
 	if (mask)

sys/kern/kern_sysctl.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: kern_sysctl.c,v 1.428 2024/07/08 13:17:12 claudio Exp $	*/
+/*	$OpenBSD: kern_sysctl.c,v 1.429 2024/07/11 14:11:55 bluhm Exp $	*/
 /*	$NetBSD: kern_sysctl.c,v 1.17 1996/05/20 17:49:05 mrg Exp $	*/
 
 /*-
@@ -41,6 +41,7 @@
 
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/atomic.h>
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/pool.h>
@@ -1005,19 +1006,39 @@ int
 sysctl_int_bounded(void *oldp, size_t *oldlenp, void *newp, size_t newlen,
     int *valp, int minimum, int maximum)
 {
-	int val = *valp;
+	int oldval, newval;
 	int error;
 
 	/* read only */
-	if (newp == NULL || minimum > maximum)
+	if (newp != NULL && minimum > maximum)
-		return (sysctl_rdint(oldp, oldlenp, newp, val));
+		return (EPERM);
 
-	if ((error = sysctl_int(oldp, oldlenp, newp, newlen, &val)))
+	if (oldp != NULL && *oldlenp < sizeof(int))
-		return (error);
+		return (ENOMEM);
-	/* outside limits */
+	if (newp != NULL && newlen != sizeof(int))
-	if (val < minimum || maximum < val)
 		return (EINVAL);
-	*valp = val;
+	*oldlenp = sizeof(int);
+
+	/* copyin() may sleep, call it first */
+	if (newp != NULL) {
+		if ((error = copyin(newp, &newval, sizeof(int))))
+			return (error);
+		/* outside limits */
+		if (newval < minimum || maximum < newval)
+			return (EINVAL);
+	}
+	if (oldp != NULL) {
+		if (newp != NULL)
+			oldval = atomic_swap_uint(valp, newval);
+		else
+			oldval = atomic_load_int(valp);
+		if ((error = copyout(&oldval, oldp, sizeof(int)))) {
+			/* new value has been set although user gets error */
+			return (error);
+		}
+	} else if (newp != NULL)
+		atomic_store_int(valp, newval);
+
 	return (0);
 }
 

sys/kern/vfs_syscalls.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: vfs_syscalls.c,v 1.365 2024/05/18 05:20:22 guenther Exp $	*/
+/*	$OpenBSD: vfs_syscalls.c,v 1.366 2024/07/10 09:12:11 krw Exp $	*/
 /*	$NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $	*/
 
 /*
@@ -697,10 +697,6 @@ sys_getfsstat(struct proc *p, void *v, register_t *retval)
 			}
 
 			sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
-#if notyet
-			if (mp->mnt_flag & MNT_SOFTDEP)
-				sp->f_eflags = STATFS_SOFTUPD;
-#endif
 			error = (copyout_statfs(sp, sfsp, p));
 			if (error) {
 				vfs_unbusy(mp);

usr.bin/mg/mg.1

@@ -1,7 +1,7 @@
-.\"	$OpenBSD: mg.1,v 1.138 2024/07/09 14:51:37 op Exp $
+.\"	$OpenBSD: mg.1,v 1.139 2024/07/10 05:19:02 jmc Exp $
 .\" This file is in the public domain.
 .\"
-.Dd $Mdocdate: July 9 2024 $
+.Dd $Mdocdate: July 10 2024 $
 .Dt MG 1
 .Os
 .Sh NAME
@@ -938,11 +938,11 @@ Set the tab width for the current buffer, or the default for new buffers
 if called with a prefix argument or from the startup file.
 .It Ic shell-command
 Execute external command from mini-buffer.
-With an universal argument it inserts the command output into the current
+With a universal argument it inserts the command output into the current
 buffer.
 .It Ic shell-command-on-region
 Provide the text in region to the shell command as input.
-With an universal argument it replaces the region with the command
+With a universal argument it replaces the region with the command
 output.
 .It Ic shrink-window
 Shrink current window by one line.

usr.bin/ssh/sshd_config.5

@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.366 2024/07/04 22:53:59 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.367 2024/07/10 21:58:34 djm Exp $
-.Dd $Mdocdate: July 4 2024 $
+.Dd $Mdocdate: July 10 2024 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1579,7 +1579,7 @@ accumulated.
 .Pp
 Penalties are enabled by default with the default settings listed below
 but may disabled using the
-.Cm off
+.Cm no
 keyword.
 The defaults may be overridden by specifying one or more of the keywords below,
 separated by whitespace.

usr.sbin/npppd/npppd/npppd.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: npppd.c,v 1.53 2022/07/01 09:57:24 mvs Exp $ */
+/*	$OpenBSD: npppd.c,v 1.54 2024/07/11 14:05:59 yasuoka Exp $ */
 
 /*-
  * Copyright (c) 2005-2008,2009 Internet Initiative Japan Inc.
@@ -29,7 +29,7 @@
  * Next pppd(nppd). This file provides a npppd daemon process and operations
  * for npppd instance.
  * @author	Yasuoka Masahiko
- * $Id: npppd.c,v 1.53 2022/07/01 09:57:24 mvs Exp $
+ * $Id: npppd.c,v 1.54 2024/07/11 14:05:59 yasuoka Exp $
  */
 #include "version.h"
 #include <sys/param.h>	/* ALIGNED_POINTER */
@@ -101,7 +101,6 @@ static void         npppd_timer(int, short, void *);
 static void         npppd_auth_finalizer_periodic(npppd *);
 static int          rd2slist_walk (struct radish *, void *);
 static int          rd2slist (struct radish_head *, slist *);
-static slist       *npppd_get_ppp_by_user (npppd *, const char *);
 static int          npppd_get_all_users (npppd *, slist *);
 static struct ipcpstat
                    *npppd_get_ipcp_stat(struct ipcpstat_head *, const char *);
@@ -255,6 +254,7 @@ npppd_init(npppd *_this, const char *config_file)
 	_this->pid = getpid();
 	slist_init(&_this->realms);
 	npppd_conf_init(&_this->conf);
+	TAILQ_INIT(&_this->raddae_listens);
 
 	log_printf(LOG_NOTICE, "Starting npppd pid=%u version=%s",
 	    _this->pid, VERSION);
@@ -444,6 +444,10 @@ npppd_stop(npppd *_this)
 
 	_this->finalizing = 1;
 	npppd_reset_timer(_this);
+
+#ifdef USE_NPPPD_RADIUS
+	npppd_radius_dae_fini(_this);
+#endif
 }
 
 static void
@@ -763,7 +767,7 @@ npppd_get_ppp_by_ip(npppd *_this, struct in_addr ipaddr)
  * @return	{@link slist} that contains the {@link npppd_ppp} instances.
  * NULL may be returned if no instance has been found.
  */
-static slist *
+slist *
 npppd_get_ppp_by_user(npppd *_this, const char *username)
 {
 	hash_link *hl;

usr.sbin/npppd/npppd/npppd.conf.5

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: npppd.conf.5,v 1.34 2024/07/01 14:56:19 jmc Exp $
+.\"	$OpenBSD: npppd.conf.5,v 1.35 2024/07/11 14:05:59 yasuoka Exp $
 .\"
 .\" Copyright (c) 2012 YASUOKA Masahiko <yasuoka@openbsd.org>
 .\"
@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 1 2024 $
+.Dd $Mdocdate: July 11 2024 $
 .Dt NPPPD.CONF 5
 .Os
 .Sh NAME
@@ -41,6 +41,8 @@ Interface settings.
 Authentication settings.
 .It Sy Bind
 Bind settings.
+.It Sy RADIUS
+RADIUS settings.
 .El
 .Sh GLOBAL
 The global options are as follows:
@@ -664,6 +666,32 @@ settings so that they are used together.
 .Pp
 .Ic bind tunnel from Ar tunnel Ic authenticated by Ar authentication
 .Ic to Ar ifname
+.Sh RADIUS
+.Ic radius
+configures the RADIUS features.
+The supported options are as follows:
+.Bl -tag -width Ds
+.It Ic radius nas-id Ar identifier
+Specify the
+.Ar identifier
+that is noticed to the RADIUS peers in the NAS-Identifier attribute.
+.It Ic radius dae listen on Ar address Oo port Ar number Oc
+Enable the Dynamic Authorization Extensions for RADIUS
+.Po DAE, RFC 5176 Pc
+server.
+Specify the local
+.Ar address
+.Xr npppd 8
+should listen on for the DAE requests.
+Optionally specify a port
+.Ar number ,
+the default port number is 3799.
+.It Ic radius dae client Ar address Ic secret Ar secret
+Specify
+.Ar address
+for a DAE client and
+.Ar secret .
+.El
 .Sh EXAMPLES
 A very simple configuration example is below:
 .Bd -literal -offset indent

usr.sbin/npppd/npppd/npppd.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: npppd.h,v 1.20 2024/07/01 07:09:07 yasuoka Exp $ */
+/*	$OpenBSD: npppd.h,v 1.21 2024/07/11 14:05:59 yasuoka Exp $ */
 
 /*-
  * Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -43,6 +43,7 @@
 #include "l2tp_conf.h"
 #include "pptp_conf.h"
 #include "pppoe_conf.h"
+#include "slist.h"
 
 #define MINIMUM(a, b)	(((a) < (b)) ? (a) : (b))
 #define MAXIMUM(a, b)	(((a) > (b)) ? (a) : (b))
@@ -170,6 +171,25 @@ struct authconf {
 	} data;
 };
 
+struct radclientconf {
+	union {
+		struct sockaddr_in         sin4;
+		struct sockaddr_in6        sin6;
+	}                                  addr;
+	TAILQ_ENTRY(radclientconf)         entry;
+	char                               secret[];
+};
+TAILQ_HEAD(radclientconfs,radclientconf);
+
+struct radlistenconf {
+	union {
+		struct sockaddr_in         sin4;
+		struct sockaddr_in6        sin6;
+	}                                  addr;
+	TAILQ_ENTRY(radlistenconf)         entry;
+};
+TAILQ_HEAD(radlistenconfs,radlistenconf);
+
 struct ipcpconf {
 	TAILQ_ENTRY(ipcpconf)              entry;
 	char                               name[NPPPD_GENERIC_NAME_LEN];
@@ -207,6 +227,9 @@ struct npppd_conf {
 	TAILQ_HEAD(ipcpconfs, ipcpconf)    ipcpconfs;
 	TAILQ_HEAD(ifaces, iface)          ifaces;
 	TAILQ_HEAD(confbinds, confbind)    confbinds;
+	struct radclientconfs              raddaeclientconfs;
+	struct radlistenconfs              raddaelistenconfs;
+	char				   nas_id[NPPPD_GENERIC_NAME_LEN];
 	struct l2tp_confs                  l2tp_confs;
 	struct pptp_confs                  pptp_confs;
 	struct pppoe_confs                 pppoe_confs;
@@ -266,65 +289,70 @@ TAILQ_HEAD(ctl_conn_list, ctl_conn);
 extern struct ctl_conn_list ctl_conns;
 
 __BEGIN_DECLS
-npppd           *npppd_get_npppd (void);
+npppd		*npppd_get_npppd(void);
-int              npppd_init (npppd *, const char *);
+int		 npppd_init(npppd *, const char *);
-void             npppd_start (npppd *);
+void		 npppd_start(npppd *);
-void             npppd_stop (npppd *);
+void		 npppd_stop(npppd *);
-void             npppd_fini (npppd *);
+void		 npppd_fini(npppd *);
-int              npppd_reset_routing_table (npppd *, int);
+int		 npppd_reset_routing_table(npppd *, int);
-int              npppd_get_user_password (npppd *, npppd_ppp *, const char *, char *, int *);
+int		 npppd_get_user_password(npppd *, npppd_ppp *, const char *,
-struct in_addr  *npppd_get_user_framed_ip_address (npppd *, npppd_ppp *, const char *);
+		    char *, int *);
-int              npppd_check_calling_number (npppd *, npppd_ppp *);
+struct in_addr	*npppd_get_user_framed_ip_address(npppd *, npppd_ppp *,
-npppd_ppp       *npppd_get_ppp_by_ip (npppd *, struct in_addr);
+		    const char *);
-npppd_ppp       *npppd_get_ppp_by_id (npppd *, u_int);
+int		 npppd_check_calling_number(npppd *, npppd_ppp *);
-int              npppd_check_user_max_session (npppd *, npppd_ppp *);
+npppd_ppp	*npppd_get_ppp_by_ip(npppd *, struct in_addr);
-void             npppd_network_output (npppd *, npppd_ppp *, int, u_char *, int);
+npppd_ppp	*npppd_get_ppp_by_id(npppd *, u_int);
-int              npppd_ppp_pipex_enable (npppd *, npppd_ppp *);
+slist		*npppd_get_ppp_by_user(npppd *, const char *);
-int              npppd_ppp_pipex_disable (npppd *, npppd_ppp *);
+int		 npppd_check_user_max_session(npppd *, npppd_ppp *);
-int              npppd_prepare_ip (npppd *, npppd_ppp *);
+void		 npppd_network_output(npppd *, npppd_ppp *, int, u_char *, int);
-void             npppd_release_ip (npppd *, npppd_ppp *);
+int		 npppd_ppp_pipex_enable(npppd *, npppd_ppp *);
-void             npppd_set_ip_enabled (npppd *, npppd_ppp *, int);
+int		 npppd_ppp_pipex_disable(npppd *, npppd_ppp *);
-int              npppd_assign_ip_addr (npppd *, npppd_ppp *, uint32_t);
+int		 npppd_prepare_ip(npppd *, npppd_ppp *);
-int              npppd_set_radish (npppd *, void *);
+void		 npppd_release_ip(npppd *, npppd_ppp *);
-int              npppd_ppp_bind_realm (npppd *, npppd_ppp *, const char *, int);
+void		 npppd_set_ip_enabled(npppd *, npppd_ppp *, int);
-int              npppd_ppp_is_realm_local (npppd *, npppd_ppp *);
+int		 npppd_assign_ip_addr(npppd *, npppd_ppp *, uint32_t);
-int              npppd_ppp_is_realm_radius (npppd *, npppd_ppp *);
+int		 npppd_set_radish(npppd *, void *);
-int              npppd_ppp_is_realm_ready (npppd *, npppd_ppp *);
+int		 npppd_ppp_bind_realm(npppd *, npppd_ppp *, const char *, int);
-const char      *npppd_ppp_get_realm_name (npppd *, npppd_ppp *);
+int		 npppd_ppp_is_realm_local(npppd *, npppd_ppp *);
-const char      *npppd_ppp_get_iface_name (npppd *, npppd_ppp *);
+int		 npppd_ppp_is_realm_radius(npppd *, npppd_ppp *);
-int              npppd_ppp_iface_is_ready (npppd *, npppd_ppp *);
+int		 npppd_ppp_is_realm_ready(npppd *, npppd_ppp *);
-int              npppd_ppp_bind_iface (npppd *, npppd_ppp *);
+const char	*npppd_ppp_get_realm_name(npppd *, npppd_ppp *);
-void             npppd_ppp_unbind_iface (npppd *, npppd_ppp *);
+const char	*npppd_ppp_get_iface_name(npppd *, npppd_ppp *);
-void            *npppd_get_radius_auth_setting (npppd *, npppd_ppp *);
+int		 npppd_ppp_iface_is_ready(npppd *, npppd_ppp *);
-int              sockaddr_npppd_match (void *, void *);
+int		 npppd_ppp_bind_iface(npppd *, npppd_ppp *);
-const char      *npppd_ppp_get_username_for_auth (npppd *, npppd_ppp *, const char *, char *);
+void		 npppd_ppp_unbind_iface(npppd *, npppd_ppp *);
-const char      *npppd_ppp_tunnel_protocol_name (npppd *, npppd_ppp *);
+void		*npppd_get_radius_auth_setting(npppd *, npppd_ppp *);
-const char      *npppd_tunnel_protocol_name (int);
+int		 sockaddr_npppd_match(void *, void *);
-struct tunnconf *npppd_get_tunnconf (npppd *, const char *);
+const char	*npppd_ppp_get_username_for_auth(npppd *, npppd_ppp *,
-int              npppd_reload_config (npppd *);
+		    const char *, char *);
-int              npppd_modules_reload (npppd *);
+const char	*npppd_ppp_tunnel_protocol_name(npppd *, npppd_ppp *);
-int              npppd_ifaces_load_config (npppd *);
+const char	*npppd_tunnel_protocol_name(int);
+struct tunnconf *npppd_get_tunnconf(npppd *, const char *);
+int		 npppd_reload_config(npppd *);
+int		 npppd_modules_reload(npppd *);
+int		 npppd_ifaces_load_config(npppd *);
 
-int              npppd_conf_parse (struct npppd_conf *, const char *);
+int		 npppd_conf_parse(struct npppd_conf *, const char *);
-void             npppd_conf_init (struct npppd_conf *);
+void		 npppd_conf_init(struct npppd_conf *);
-void             npppd_conf_fini (struct npppd_conf *);
+void		 npppd_conf_fini(struct npppd_conf *);
-int              npppd_config_check (const char *);
+int		 npppd_config_check(const char *);
-void             npppd_on_ppp_start (npppd *, npppd_ppp *);
+void		 npppd_on_ppp_start(npppd *, npppd_ppp *);
-void             npppd_on_ppp_stop (npppd *, npppd_ppp *);
+void		 npppd_on_ppp_stop(npppd *, npppd_ppp *);
-void             imsg_event_add(struct imsgev *);
+void		 imsg_event_add(struct imsgev *);
 
-int              control_init (struct control_sock *);
+int		 control_init(struct control_sock *);
-int              control_listen (struct control_sock *);
+int		 control_listen(struct control_sock *);
-void             control_cleanup (struct control_sock *);
+void		 control_cleanup(struct control_sock *);
-struct npppd_ctl *npppd_ctl_create (npppd *);
+struct npppd_ctl
-void		 npppd_ctl_destroy (struct npppd_ctl *);
+		*npppd_ctl_create(npppd *);
-int              npppd_ctl_who (struct npppd_ctl *);
+void		 npppd_ctl_destroy(struct npppd_ctl *);
-int              npppd_ctl_monitor (struct npppd_ctl *);
+int		 npppd_ctl_who(struct npppd_ctl *);
-int              npppd_ctl_who_and_monitor (struct npppd_ctl *);
+int		 npppd_ctl_monitor(struct npppd_ctl *);
-int              npppd_ctl_add_started_ppp_id (struct npppd_ctl *, uint32_t);
+int		 npppd_ctl_who_and_monitor(struct npppd_ctl *);
-int              npppd_ctl_add_stopped_ppp (struct npppd_ctl *, npppd_ppp *);
+int		 npppd_ctl_add_started_ppp_id(struct npppd_ctl *, uint32_t);
-int              npppd_ctl_imsg_compose (struct npppd_ctl *, struct imsgbuf *);
+int		 npppd_ctl_add_stopped_ppp(struct npppd_ctl *, npppd_ppp *);
-int              npppd_ctl_disconnect (struct npppd_ctl *, u_int *, int);
+int		 npppd_ctl_imsg_compose(struct npppd_ctl *, struct imsgbuf *);
+int		 npppd_ctl_disconnect(struct npppd_ctl *, u_int *, int);
 
 __END_DECLS
 

usr.sbin/npppd/npppd/npppd_config.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: npppd_config.c,v 1.14 2015/01/19 01:48:59 deraadt Exp $ */
+/*	$OpenBSD: npppd_config.c,v 1.15 2024/07/11 14:05:59 yasuoka Exp $ */
 
 /*-
  * Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -25,7 +25,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
-/* $Id: npppd_config.c,v 1.14 2015/01/19 01:48:59 deraadt Exp $ */
+/* $Id: npppd_config.c,v 1.15 2024/07/11 14:05:59 yasuoka Exp $ */
 /*@file
  * This file provides functions which operates configuration and so on.
  */
@@ -131,6 +131,9 @@ npppd_modules_reload(npppd *_this)
 #ifdef USE_NPPPD_PPPOE
 	rval |= pppoed_reload(&_this->pppoed, &_this->conf.pppoe_confs);
 #endif
+#ifdef USE_NPPPD_RADIUS
+	npppd_radius_dae_init(_this);
+#endif
 
 	return rval;
 }

usr.sbin/npppd/npppd/npppd_local.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: npppd_local.h,v 1.18 2024/02/26 08:29:37 yasuoka Exp $ */
+/*	$OpenBSD: npppd_local.h,v 1.19 2024/07/11 14:05:59 yasuoka Exp $ */
 
 /*-
  * Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -73,6 +73,10 @@
 #include "npppd_pool.h"
 #include "npppd_ctl.h"
 
+#ifdef	USE_NPPPD_RADIUS
+#include "npppd_radius.h"
+#endif
+
 /** structure of pool */
 struct _npppd_pool {
 	/** base of npppd structure */
@@ -169,6 +173,10 @@ struct _npppd {
 
 	struct control_sock  ctl_sock;
 
+#ifdef	USE_NPPPD_RADIUS
+	struct npppd_radius_dae_listens	raddae_listens;
+#endif
+
 	u_int /** whether finalizing or not */
 	    finalizing:1,
 	    /** whether finalize completed or not */

usr.sbin/npppd/npppd/npppd_radius.c

@@ -1,4 +1,4 @@
-/* $Id: npppd_radius.c,v 1.11 2024/07/01 07:09:07 yasuoka Exp $ */
+/* $Id: npppd_radius.c,v 1.12 2024/07/11 14:05:59 yasuoka Exp $ */
 /*-
  * Copyright (c) 2009 Internet Initiative Japan Inc.
  * All rights reserved.
@@ -45,12 +45,16 @@
 #include <string.h>
 #include <stdbool.h>
 #include <radius.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <errno.h>
 
 #include <event.h>
 
 #include "radius_req.h"
 #include "npppd_local.h"
 #include "npppd_radius.h"
+#include "net_utils.h"
 
 #ifdef NPPPD_RADIUS_DEBUG
 #define NPPPD_RADIUS_DBG(x) 	ppp_log x
@@ -268,7 +272,7 @@ radius_acct_request(npppd *pppd, npppd_ppp *ppp, int stop)
 	    /* npppd has no physical / virtual ports in design. */
 
 	/* RFC 2865  5.32. NAS-Identifier */
-	ATTR_STR(RADIUS_TYPE_NAS_IDENTIFIER, "npppd");
+	ATTR_STR(RADIUS_TYPE_NAS_IDENTIFIER, pppd->conf.nas_id);
 
 	/* RFC 2865 5.31. Calling-Station-Id */
 	if (ppp->calling_number[0] != '\0')
@@ -397,7 +401,7 @@ radius_acct_on(npppd *pppd, radius_req_setting *rad_setting)
 	/* RFC 2866  5.1. Acct-Status-Type */
 	ATTR_INT32(RADIUS_TYPE_ACCT_STATUS_TYPE, RADIUS_ACCT_STATUS_TYPE_ACCT_ON);
 	/* RFC 2865  5.32. NAS-Identifier */
-	ATTR_STR(RADIUS_TYPE_NAS_IDENTIFIER, "npppd");
+	ATTR_STR(RADIUS_TYPE_NAS_IDENTIFIER, pppd->conf.nas_id);
 
 	/* Send the request */
 	radius_request(radctx, radpkt);
@@ -561,3 +565,305 @@ ppp_set_radius_attrs_for_authreq(npppd_ppp *_this,
 fail:
 	return 1;
 }
+
+/***********************************************************************
+ * Dynamic Authorization Extensions for RADIUS
+ ***********************************************************************/
+static int	npppd_radius_dae_listen_start(struct npppd_radius_dae_listen *);
+static void	npppd_radius_dae_on_event(int, short, void *);
+static void	npppd_radius_dae_listen_stop(struct npppd_radius_dae_listen *);
+
+void
+npppd_radius_dae_init(npppd *_this)
+{
+	struct npppd_radius_dae_listens	 listens;
+	struct npppd_radius_dae_listen	*listen, *listent;
+	struct radlistenconf		*listenconf;
+
+	TAILQ_INIT(&listens);
+
+	TAILQ_FOREACH(listenconf, &_this->conf.raddaelistenconfs, entry) {
+		TAILQ_FOREACH_SAFE(listen, &_this->raddae_listens, entry,
+		    listent) {
+			if ((listen->addr.sin4.sin_family == AF_INET &&
+			    listenconf->addr.sin4.sin_family == AF_INET &&
+			    memcmp(&listen->addr.sin4, &listenconf->addr.sin4,
+			    sizeof(struct sockaddr_in)) == 0) ||
+			    (listen->addr.sin6.sin6_family == AF_INET6 &&
+			    listenconf->addr.sin6.sin6_family == AF_INET6 &&
+			    memcmp(&listen->addr.sin6, &listenconf->addr.sin6,
+			    sizeof(struct sockaddr_in6)) == 0))
+				break;
+		}
+		if (listen != NULL)
+			/* keep using this */
+			TAILQ_REMOVE(&_this->raddae_listens, listen, entry);
+		else {
+			if ((listen = calloc(1, sizeof(*listen))) == NULL) {
+				log_printf(LOG_ERR, "%s: calloc failed: %m",
+				    __func__);
+				goto fail;
+			}
+			listen->pppd = _this;
+			listen->sock = -1;
+			if (listenconf->addr.sin4.sin_family == AF_INET)
+				listen->addr.sin4 = listenconf->addr.sin4;
+			else
+				listen->addr.sin6 = listenconf->addr.sin6;
+		}
+		TAILQ_INSERT_TAIL(&listens, listen, entry);
+	}
+
+	/* listen on the new addresses */
+	TAILQ_FOREACH(listen, &listens, entry) {
+		if (listen->sock == -1)
+			npppd_radius_dae_listen_start(listen);
+	}
+
+	/* stop listening on the old addresses */
+	TAILQ_FOREACH_SAFE(listen, &_this->raddae_listens, entry, listent) {
+		TAILQ_REMOVE(&_this->raddae_listens, listen, entry);
+		npppd_radius_dae_listen_stop(listen);
+		free(listen);
+	}
+ fail:
+	TAILQ_CONCAT(&_this->raddae_listens, &listens, entry);
+
+	return;
+}
+
+void
+npppd_radius_dae_fini(npppd *_this)
+{
+	struct npppd_radius_dae_listen *listen, *listent;
+
+	TAILQ_FOREACH_SAFE(listen, &_this->raddae_listens, entry, listent) {
+		TAILQ_REMOVE(&_this->raddae_listens, listen, entry);
+		npppd_radius_dae_listen_stop(listen);
+		free(listen);
+	}
+}
+
+int
+npppd_radius_dae_listen_start(struct npppd_radius_dae_listen *listen)
+{
+	char	 buf[80];
+	int	 sock = -1, on = 1;
+
+	if ((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
+		log_printf(LOG_ERR, "%s: socket(): %m", __func__);
+		goto on_error;
+	}
+	on = 1;
+	if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) {
+		log_printf(LOG_WARNING, "%s: setsockopt(,,SO_REUSEADDR): %m",
+		    __func__);
+		goto on_error;
+	}
+	if (bind(sock, (struct sockaddr *)&listen->addr,
+	    listen->addr.sin4.sin_len) == -1) {
+		log_printf(LOG_ERR, "%s: bind(): %m", __func__);
+		goto on_error;
+	}
+
+	listen->sock = sock;
+	event_set(&listen->evsock, listen->sock, EV_READ | EV_PERSIST,
+	    npppd_radius_dae_on_event, listen);
+	event_add(&listen->evsock, NULL);
+	log_printf(LOG_INFO, "radius Listening %s/udp (DAE)",
+	    addrport_tostring((struct sockaddr *)&listen->addr,
+	    listen->addr.sin4.sin_len, buf, sizeof(buf)));
+
+	return (0);
+ on_error:
+	if (sock >= 0)
+		close(sock);
+
+	return (-1);
+}
+
+void
+npppd_radius_dae_on_event(int fd, short ev, void *ctx)
+{
+	char				 buf[80], attr[256], username[256];
+	char				*endp;
+	const char			*reason, *nakcause = NULL;
+	struct npppd_radius_dae_listen	*listen = ctx;
+	struct radclientconf		*client;
+	npppd				*_this = listen->pppd;
+	RADIUS_PACKET			*req = NULL, *res = NULL;
+	struct sockaddr_storage		 ss;
+	socklen_t			 sslen;
+	unsigned long long		 ppp_id;
+	int				 code, n = 0;
+	uint32_t			 cause = 0;
+	struct in_addr			 ina;
+	slist				*users;
+	npppd_ppp			*ppp;
+
+	reason = "disconnect requested";
+	sslen = sizeof(ss);
+	req = radius_recvfrom(listen->sock, 0, (struct sockaddr *)&ss, &sslen);
+	if (req == NULL) {
+		log_printf(LOG_WARNING, "%s: receiving a RADIUS message "
+		    "failed: %m", __func__);
+		return;
+	}
+	TAILQ_FOREACH(client, &_this->conf.raddaeclientconfs, entry) {
+		if (ss.ss_family == AF_INET &&
+		    ((struct sockaddr_in *)&ss)->sin_addr.s_addr ==
+		    client->addr.sin4.sin_addr.s_addr)
+			break;
+		else if (ss.ss_family == AF_INET6 &&
+		    IN6_ARE_ADDR_EQUAL(&((struct sockaddr_in6 *)&ss)->sin6_addr,
+		    &client->addr.sin6.sin6_addr))
+			break;
+	}
+
+	if (client == NULL) {
+		log_printf(LOG_WARNING, "radius received a RADIUS message from "
+		    "%s: unknown client", addrport_tostring(
+		    (struct sockaddr *)&ss, ss.ss_len, buf, sizeof(buf)));
+		goto out;
+	}
+
+	if (radius_check_accounting_request_authenticator(req,
+	    client->secret) != 0) {
+		log_printf(LOG_WARNING, "radius received an invalid RADIUS "
+		    "message from %s: bad response authenticator",
+		    addrport_tostring(
+		    (struct sockaddr *)&ss, ss.ss_len, buf, sizeof(buf)));
+		goto out;
+	}
+	if ((code = radius_get_code(req)) != RADIUS_CODE_DISCONNECT_REQUEST) {
+		/* Code other than Disconnect-Request is not supported */
+		if (code == RADIUS_CODE_COA_REQUEST) {
+			log_printf(LOG_INFO, "received CoA-Request from %s",
+			    addrport_tostring(
+			    (struct sockaddr *)&ss, ss.ss_len, buf,
+			    sizeof(buf)));
+			code = RADIUS_CODE_COA_NAK;
+			cause = RADIUS_ERROR_CAUSE_ADMINISTRATIVELY_PROHIBITED;
+			goto send;
+		}
+		log_printf(LOG_WARNING, "radius received an invalid RADIUS "
+		    "message from %s: unknown code %d",
+		    addrport_tostring((struct sockaddr *)&ss, ss.ss_len, buf,
+		    sizeof(buf)), code);
+		goto out;
+	}
+
+	log_printf(LOG_INFO, "radius received Disconnect-Request from %s",
+	    addrport_tostring((struct sockaddr *)&ss, ss.ss_len, buf,
+	    sizeof(buf)));
+
+	if (radius_get_string_attr(req, RADIUS_TYPE_NAS_IDENTIFIER, attr,
+	    sizeof(attr)) == 0 && strcmp(attr, _this->conf.nas_id) != 0) {
+		cause = RADIUS_ERROR_CAUSE_NAS_IDENTIFICATION_MISMATCH;
+		nakcause = "NAS Identification is mimatch";
+		goto search_done;
+	}
+
+	/* prepare User-Name attribute */
+	memset(&username, 0, sizeof(username));
+	radius_get_string_attr(req, RADIUS_TYPE_USER_NAME, username,
+	    sizeof(username));
+
+	cause = RADIUS_ERROR_CAUSE_SESSION_NOT_FOUND;
+	/* Our Session-Id is represented in "%08X%08x" (boot_id, ppp_id) */
+	snprintf(buf, sizeof(buf), "%08X", _this->boot_id);
+	if (radius_get_string_attr(req, RADIUS_TYPE_ACCT_SESSION_ID, attr,
+	    sizeof(attr)) == 0) {
+		ppp = NULL;
+		/* the client is to disconnect a session */
+		if (strlen(attr) != 16 || strncmp(buf, attr, 8) != 0) {
+			cause = RADIUS_ERROR_CAUSE_INVALID_ATTRIBUTE_VALUE;
+			nakcause = "Session-Id is wrong";
+			goto search_done;
+		}
+		ppp_id = strtoull(attr + 8, &endp, 16);
+		if (*endp != '\0' || errno == ERANGE || ppp_id == ULLONG_MAX) {
+			cause = RADIUS_ERROR_CAUSE_INVALID_ATTRIBUTE_VALUE;
+			nakcause = "Session-Id is invalid";
+			goto search_done;
+		}
+		if ((ppp = npppd_get_ppp_by_id(_this, ppp_id)) == NULL)
+			goto search_done;
+		if (username[0] != '\0' &&
+		    strcmp(username, ppp->username) != 0) {
+			/* specified User-Name attribute is mismatched */
+			cause = RADIUS_ERROR_CAUSE_INVALID_ATTRIBUTE_VALUE;
+			nakcause = "User-Name is mismatched";
+			goto search_done;
+		}
+		ppp_stop(ppp, reason);
+		n++;
+	} else if (username[0] != '\0') {
+		users = npppd_get_ppp_by_user(_this, username);
+		if (users == NULL)
+			goto search_done;
+		memset(&ina, 0, sizeof(ina));
+		radius_get_uint32_attr(req, RADIUS_TYPE_FRAMED_IP_ADDRESS,
+		    &ina.s_addr);
+		slist_itr_first(users);
+		while ((ppp = slist_itr_next(users)) != NULL) {
+			if (ntohl(ina.s_addr) != 0 &&
+			    ina.s_addr != ppp->ppp_framed_ip_address.s_addr)
+				continue;
+			ppp_stop(ppp, reason);
+			n++;
+		}
+	} else if (radius_get_uint32_attr(req, RADIUS_TYPE_FRAMED_IP_ADDRESS,
+	    &ina.s_addr) == 0) {
+		ppp = npppd_get_ppp_by_ip(_this, ina);
+		if (ppp != NULL) {
+			ppp_stop(ppp, reason);
+			n++;
+		}
+	}
+ search_done:
+	if (n > 0)
+		code = RADIUS_CODE_DISCONNECT_ACK;
+	else {
+		if (nakcause == NULL)
+			nakcause = "session not found";
+		code = RADIUS_CODE_DISCONNECT_NAK;
+	}
+ send:
+	res = radius_new_response_packet(code, req);
+	if (res == NULL) {
+		log_printf(LOG_WARNING, "%s: radius_new_response_packet: %m",
+		    __func__);
+		goto out;
+	}
+	if (cause != 0)
+		radius_put_uint32_attr(res, RADIUS_TYPE_ERROR_CAUSE, cause);
+	radius_set_response_authenticator(res, client->secret);
+	if (radius_sendto(listen->sock, res, 0, (struct sockaddr *)&ss, sslen)
+	    == -1)
+		log_printf(LOG_WARNING, "%s: sendto(): %m", __func__);
+	log_printf(LOG_INFO, "radius send %s to %s%s%s",
+	    (code == RADIUS_CODE_DISCONNECT_ACK)? "Disconnect-ACK" :
+	    (code == RADIUS_CODE_DISCONNECT_NAK)? "Disconnect-NAK" : "CoA-NAK",
+	    addrport_tostring((struct sockaddr *)&ss, ss.ss_len, buf,
+	    sizeof(buf)), (nakcause)? ": " : "", (nakcause)? nakcause : "");
+ out:
+	radius_delete_packet(req);
+	if (res != NULL)
+		radius_delete_packet(res);
+}
+
+void
+npppd_radius_dae_listen_stop(struct npppd_radius_dae_listen *listen)
+{
+	char	 buf[80];
+
+	if (listen->sock >= 0) {
+		log_printf(LOG_INFO, "radius Shutdown %s/udp (DAE)",
+		    addrport_tostring((struct sockaddr *)&listen->addr,
+		    listen->addr.sin4.sin_len, buf, sizeof(buf)));
+		event_del(&listen->evsock);
+		close(listen->sock);
+		listen->sock = -1;
+	}
+}

usr.sbin/npppd/npppd/npppd_radius.h

@@ -1,15 +1,35 @@
 #ifndef NPPPD_RADIUS_H
 #define NPPPD_RADIUS_H 1
 
+#include <sys/tree.h>
+#include <netinet/in.h>
+#include <event.h>
+
+struct npppd_radius_dae_listen {
+	int					 sock;
+	struct event				 evsock;
+	union {
+		struct sockaddr_in		 sin4;
+		struct sockaddr_in6		 sin6;
+	}					 addr;
+	npppd					*pppd;
+	TAILQ_ENTRY(npppd_radius_dae_listen)	 entry;
+};
+
+TAILQ_HEAD(npppd_radius_dae_listens, npppd_radius_dae_listen);
+
 #ifdef __cplusplus
 extern "C" {
 #endif
 
-void  ppp_proccess_radius_framed_ip (npppd_ppp *, RADIUS_PACKET *);
+void	 ppp_proccess_radius_framed_ip(npppd_ppp *, RADIUS_PACKET *);
-int   ppp_set_radius_attrs_for_authreq (npppd_ppp *, radius_req_setting *, RADIUS_PACKET *);
+int	 ppp_set_radius_attrs_for_authreq(npppd_ppp *, radius_req_setting *,
-void  npppd_ppp_radius_acct_start (npppd *, npppd_ppp *);
+	    RADIUS_PACKET *);
-void  npppd_ppp_radius_acct_stop (npppd *, npppd_ppp *);
+void	 npppd_ppp_radius_acct_start(npppd *, npppd_ppp *);
-void  radius_acct_on(npppd *, radius_req_setting *);
+void	 npppd_ppp_radius_acct_stop(npppd *, npppd_ppp *);
+void	 radius_acct_on(npppd *, radius_req_setting *);
+void	 npppd_radius_dae_init(npppd *);
+void	 npppd_radius_dae_fini(npppd *);
 
 #ifdef __cplusplus
 }

usr.sbin/npppd/npppd/parse.y

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.28 2024/07/01 07:09:07 yasuoka Exp $ */
+/*	$OpenBSD: parse.y,v 1.29 2024/07/11 14:05:59 yasuoka Exp $ */
 
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -32,6 +32,7 @@
 #include <inttypes.h>
 #include <limits.h>
 #include <stdarg.h>
+#include <stddef.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -134,6 +135,7 @@ typedef struct {
 %token  INTERFACE ADDRESS IPCP
 %token	BIND FROM AUTHENTICATED BY TO
 %token	ERROR
+%token	DAE CLIENT NAS_ID
 %token	<v.string>		STRING
 %token	<v.number>		NUMBER
 %type	<v.yesno>		yesno
@@ -164,6 +166,7 @@ grammar		: /* empty */
 		| grammar ipcp '\n'
 		| grammar interface '\n'
 		| grammar bind '\n'
+		| grammar radius '\n'
 		| grammar error '\n'		{ file->errors++; }
 		;
 
@@ -513,6 +516,80 @@ tunnopt		: LISTEN ON addressport {
 			curr_tunnconf->debug_dump_pktout = $2;
 		}
 		;
+radius		: RADIUS NAS_ID STRING {
+			if (strlcpy(conf->nas_id, $3, sizeof(conf->nas_id))
+			    >= sizeof(conf->nas_id)) {
+				yyerror("`radius nas-id' is too long.  use "
+				    "less than %u chars.",
+				    (unsigned)sizeof(conf->nas_id) - 1);
+				free($3);
+				YYERROR;
+			}
+			free($3);
+		}
+		| RADIUS DAE CLIENT address SECRET STRING {
+			struct radclientconf *client;
+			int secretsiz;
+
+			secretsiz = strlen($6) + 1;
+			if ((client = calloc(1, offsetof(struct radclientconf,
+			    secret[secretsiz]))) == NULL) {
+				yyerror("%s", strerror(errno));
+				free($6);
+				YYERROR;
+			}
+			strlcpy(client->secret, $6, secretsiz);
+
+			switch ($4.ss_family) {
+			case AF_INET:
+				memcpy(&client->addr, &$4,
+				    sizeof(struct sockaddr_in));
+				break;
+			case AF_INET6:
+				memcpy(&client->addr, &$4,
+				    sizeof(struct sockaddr_in6));
+				break;
+			default:
+				yyerror("address family %d not supported",
+				    $4.ss_family);
+				free($6);
+				YYERROR;
+				break;
+			}
+			TAILQ_INSERT_TAIL(&conf->raddaeclientconfs, client,
+			    entry);
+			free($6);
+		}
+		| RADIUS DAE LISTEN ON addressport {
+			struct radlistenconf *listen;
+
+			if (ntohs(((struct sockaddr_in *)&$5)->sin_port) == 0)
+				((struct sockaddr_in *)&$5)->sin_port = htons(
+				    RADIUS_DAE_DEFAULT_PORT);
+
+			if ((listen = calloc(1, sizeof(*listen))) == NULL) {
+				yyerror("%s", strerror(errno));
+				YYERROR;
+			}
+			switch ($5.ss_family) {
+			case AF_INET:
+				memcpy(&listen->addr, &$5,
+				    sizeof(struct sockaddr_in));
+				break;
+			case AF_INET6:
+				memcpy(&listen->addr, &$5,
+				    sizeof(struct sockaddr_in6));
+				break;
+			default:
+				yyerror("address family %d not supported",
+				    $5.ss_family);
+				YYERROR;
+				break;
+			}
+			TAILQ_INSERT_TAIL(&conf->raddaelistenconfs, listen,
+			    entry);
+		}
+		;
 
 tunnelproto	: L2TP                        { $$ = NPPPD_TUNNEL_L2TP; }
 		| PPTP                        { $$ = NPPPD_TUNNEL_PPTP; }
@@ -1011,6 +1088,8 @@ lookup(char *s)
 		{ "ccp-timeout",                  CCP_TIMEOUT},
 		{ "chap",                         CHAP},
 		{ "chap-name",                    CHAP_NAME},
+		{ "client",                       CLIENT},
+		{ "dae",                          DAE},
 		{ "debug-dump-pktin",             DEBUG_DUMP_PKTIN},
 		{ "debug-dump-pktout",            DEBUG_DUMP_PKTOUT},
 		{ "dns-servers",                  DNS_SERVERS},
@@ -1061,6 +1140,7 @@ lookup(char *s)
 		{ "mppe-key-state",               MPPE_KEY_STATE},
 		{ "mru",                          MRU},
 		{ "mschapv2",                     MSCHAPV2},
+		{ "nas-id",			  NAS_ID},
 		{ "nbns-servers",                 NBNS_SERVERS},
 		{ "no",                           NO},
 		{ "on",                           ON},
@@ -1429,6 +1509,9 @@ npppd_conf_init(struct npppd_conf *xconf)
 	TAILQ_INIT(&xconf->l2tp_confs);
 	TAILQ_INIT(&xconf->pptp_confs);
 	TAILQ_INIT(&xconf->pppoe_confs);
+	TAILQ_INIT(&xconf->raddaeclientconfs);
+	TAILQ_INIT(&xconf->raddaelistenconfs);
+	strlcpy(xconf->nas_id, "npppd", sizeof(xconf->nas_id));
 }
 
 void
@@ -1439,6 +1522,8 @@ npppd_conf_fini(struct npppd_conf *xconf)
 	struct ipcpconf *ipcp, *ipcp0;
 	struct iface    *iface, *iface0;
 	struct confbind *confbind, *confbind0;
+	struct radclientconf *radc, *radct;
+	struct radlistenconf *radl, *radlt;
 
 	TAILQ_FOREACH_SAFE(tunn, &xconf->tunnconfs, entry, tunn0) {
 		tunnconf_fini(tunn);
@@ -1455,6 +1540,10 @@ npppd_conf_fini(struct npppd_conf *xconf)
 	TAILQ_FOREACH_SAFE(confbind, &xconf->confbinds, entry, confbind0) {
 		free(confbind);
 	}
+	TAILQ_FOREACH_SAFE(radc, &xconf->raddaeclientconfs, entry, radct)
+		free(radc);
+	TAILQ_FOREACH_SAFE(radl, &xconf->raddaelistenconfs, entry, radlt)
+	free(radl);
 	TAILQ_INIT(&xconf->l2tp_confs);
 	TAILQ_INIT(&xconf->pptp_confs);
 	TAILQ_INIT(&xconf->pppoe_confs);

usr.sbin/pstat/pstat.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pstat.c,v 1.129 2022/02/22 17:35:01 deraadt Exp $	*/
+/*	$OpenBSD: pstat.c,v 1.130 2024/07/10 13:29:23 krw Exp $	*/
 /*	$NetBSD: pstat.c,v 1.27 1996/10/23 22:50:06 cgd Exp $	*/
 
 /*-
@@ -739,6 +739,11 @@ mount_print(struct mount *mp)
 			flags &= ~MNT_NODEV;
 			comma = ",";
 		}
+		if (flags & MNT_NOPERM) {
+			(void)printf("%snoperm", comma);
+			flags &= ~MNT_NOPERM;
+			comma = ",";
+		}
 		if (flags & MNT_ASYNC) {
 			(void)printf("%sasync", comma);
 			flags &= ~MNT_ASYNC;
@@ -810,6 +815,16 @@ mount_print(struct mount *mp)
 			flags &= ~MNT_FORCE;
 			comma = ",";
 		}
+		if (flags & MNT_STALLED) {
+			(void)printf("%sstalled", comma);
+			flags &= ~MNT_STALLED;
+			comma = ",";
+		}
+		if (flags & MNT_SWAPPABLE) {
+			(void)printf("%sswappable", comma);
+			flags &= ~MNT_SWAPPABLE;
+			comma = ",";
+		}
 		if (flags & MNT_WANTRDWR) {
 			(void)printf("%swantrdwr", comma);
 			flags &= ~MNT_WANTRDWR;
@@ -820,6 +835,11 @@ mount_print(struct mount *mp)
 			flags &= ~MNT_SOFTDEP;
 			comma = ",";
 		}
+		if (flags & MNT_DOOMED) {
+			(void)printf("%sdoomed", comma);
+			flags &= ~MNT_DOOMED;
+			comma = ",";
+		}
 		if (flags)
 			(void)printf("%sunknown_flags:%x", comma, flags);
 		(void)printf(")");

usr.sbin/radiusctl/radiusctl.8

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: radiusctl.8,v 1.6 2024/07/09 17:26:14 yasuoka Exp $
+.\"	$OpenBSD: radiusctl.8,v 1.7 2024/07/10 05:41:34 jmc Exp $
 .\"
 .\" Copyright (c) YASUOKA Masahiko <yasuoka@yasuoka.net>
 .\"
@@ -15,7 +15,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .\"
-.Dd $Mdocdate: July 9 2024 $
+.Dd $Mdocdate: July 10 2024 $
 .Dt RADIUSCTL 8
 .Os
 .Sh NAME
@@ -111,7 +111,6 @@ shows the sessions in JSON format.
 .It Cm ipcp disconnect Ar sequence
 Request to disconnect the session specfied by the
 .Ar sequence .
-.Xc
 .El
 .Sh EXAMPLES
 .Bd -literal -offset indent

usr.sbin/radiusd/parse.y

@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.21 2024/07/09 17:26:14 yasuoka Exp $	*/
+/*	$OpenBSD: parse.y,v 1.22 2024/07/10 16:30:43 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -394,7 +394,6 @@ authenticate	: AUTHENTICATE str_l BY STRING optdeco {
 				yyerror("Out of memory: %s", strerror(errno));
 				goto authenticate_error;
 			}
-			modref = create_module_ref($4);
 			if ((auth->auth = create_module_ref($4)) == NULL)
 				goto authenticate_error;
 			auth->username = $2.v;
@@ -495,7 +494,7 @@ account		: ACCOUNT optquick str_l TO STRING optdeco {
 			struct radiusd_module_ref	*modref, *modreft;
 
 			if ((acct = calloc(1,
-			    sizeof(struct radiusd_authentication))) == NULL) {
+			    sizeof(struct radiusd_accounting))) == NULL) {
 				yyerror("Out of memory: %s", strerror(errno));
 				goto account_error;
 			}

usr.sbin/radiusd/radiusd.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: radiusd.c,v 1.45 2024/07/09 17:26:14 yasuoka Exp $	*/
+/*	$OpenBSD: radiusd.c,v 1.46 2024/07/10 16:30:43 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2013, 2023 Internet Initiative Japan Inc.
@@ -118,7 +118,7 @@ main(int argc, char *argv[])
 {
 	extern char		*__progname;
 	const char		*conffile = CONFFILE;
-	int			 ch;
+	int			 ch, error;
 	struct radiusd		*radiusd;
 	bool			 noaction = false;
 	struct passwd		*pw;
@@ -213,10 +213,11 @@ main(int argc, char *argv[])
 
 	event_loop(0);
 
+	error = radiusd->error;
 	radiusd_free(radiusd);
 	event_base_free(NULL);
 
-	if (radiusd->error != 0)
+	if (error != 0)
 		exit(EXIT_FAILURE);
 	else
 		exit(EXIT_SUCCESS);
@@ -339,6 +340,7 @@ radiusd_free(struct radiusd *radiusd)
 	struct radiusd_module		*module, *modulet;
 	struct radiusd_module_ref	*modref, *modreft;
 	struct radiusd_authentication	*authen, *authent;
+	struct radiusd_accounting	*acct, *acctt;
 
 	TAILQ_FOREACH_SAFE(authen, &radiusd->authen, next, authent) {
 		TAILQ_REMOVE(&radiusd->authen, authen, next);
@@ -352,6 +354,19 @@ radiusd_free(struct radiusd *radiusd)
 		free(authen->username);
 		free(authen);
 	}
+	TAILQ_FOREACH_SAFE(acct, &radiusd->account, next, acctt) {
+		TAILQ_REMOVE(&radiusd->account, acct, next);
+		free(acct->secret);
+		free(acct->acct);
+		TAILQ_FOREACH_SAFE(modref, &acct->deco, next, modreft) {
+			TAILQ_REMOVE(&acct->deco, modref, next);
+			free(modref);
+		}
+		for (i = 0; acct->username[i] != NULL; i++)
+			free(acct->username[i]);
+		free(acct->username);
+		free(acct);
+	}
 	TAILQ_FOREACH_SAFE(module, &radiusd->module, next, modulet) {
 		TAILQ_REMOVE(&radiusd->module, module, next);
 		radiusd_module_unload(module);

usr.sbin/radiusd/radiusd.conf.5

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: radiusd.conf.5,v 1.28 2024/07/09 17:26:14 yasuoka Exp $
+.\"	$OpenBSD: radiusd.conf.5,v 1.29 2024/07/10 05:40:08 jmc Exp $
 .\"
 .\" Copyright (c) 2014 Esdenera Networks GmbH
 .\" Copyright (c) 2014, 2023 Internet Initiative Japan Inc.
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: July 9 2024 $
+.Dd $Mdocdate: July 10 2024 $
 .Dt RADIUSD.CONF 5
 .Os
 .Sh NAME
@@ -86,8 +86,8 @@ See
 .It Do ipcp Dc module
 The
 .Dq ipcp
-module provides IP configuration and manages IP address pool.
+module provides IP configuration and manages the IP address pool.
-Also provides session-timeout and disconnection feature.
+It also provides session-timeout and disconnection feature.
 See
 .Xr radiusd_ipcp 8 .
 .It Do radius Dc module

usr.sbin/radiusd/radiusd_ipcp.8

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: radiusd_ipcp.8,v 1.2 2024/07/09 17:34:10 yasuoka Exp $
+.\"	$OpenBSD: radiusd_ipcp.8,v 1.4 2024/07/11 14:14:56 yasuoka Exp $
 .\"
 .\" Copyright (c) 2024 Internet Initiative Japan Inc.
 .\"
@@ -16,7 +16,7 @@
 .\"
 .\" The following requests are required for all man pages.
 .\"
-.Dd $Mdocdate: July 9 2024 $
+.Dd $Mdocdate: July 11 2024 $
 .Dt RADIUSD_IPCP 8
 .Os
 .Sh NAME
@@ -30,21 +30,20 @@ The
 module is executed by
 .Xr radiusd 8
 as a module to provide IP configuration through RADIUS Access-Accept messages
-and manages IP address pool through RADIUS accounting messages.
+and manages the IP address pool through RADIUS accounting messages.
 The internal sessions can be shown or monitored by
 .Xr radiusctl 8 .
-Also
 .Nm
-provides session timeouts and disconnects requested by
+also provides session timeouts and disconnects requested by
 .Xr radiusctl 8
 through the Dynamic Authorization Extension
-.Po DAE, RFC 5176 Pc .
+.Pq DAE, RFC 5176 .
 .Sh CONFIGURATIONS
 To use the
 .Nm
 module,
-it should be configure as a decoration module of the authentication
+it should be configured as a decoration module of the authentication
-and as an accouting module.
+and as an accounting module.
 .Bd -literal -offset indent
 authenticate * by (any auth module) decorate-by ipcp
 account      * to ipcp
@@ -52,27 +51,24 @@ account      * to ipcp
 .Pp
 The
 .Nm
-module supports the following configuration key and value:
+module supports the following configuration keys and values:
-.Pp
 .Bl -tag -width Ds
 .It Ic address pool Ar address-space ...
 Specify the IP address spaces that is pooled.
 The
 .Ar address-space
-can be specified by a address range
+can be specified by an address range
 .Pq e.g. 192.168.1.1-192.168.1.199
-or a address mask
+or an address mask
 .Pq e.g. 192.168.1.0/24 .
 The pooled addresses are used for dynamic assignment.
 .It Ic address static Ar address-space ...
 Specify the IP address spaces that is pooled for static assignment.
 The
 .Ar address-space
-is the same syntax of
+is the same syntax as
 .Ic address pool ,
-see the description for
+above.
-.Ic address pool
-for detail.
 .It Ic name-server Ar primary-address Op Ar secondary-address
 Specify the DNS servers' IP addresses.
 .It Ic netbios-server Ar primary-address Op Ar secondary-address
@@ -109,12 +105,12 @@ the server is selected only for the session which NAS-Identifier is
 matched the specified value.
 The default port number is 3799.
 .It Ic max-sessions Ar number
-Specify the maxinum number of sessions.
+Specify the maximum number of sessions.
 .Sq 0
 means no limit.
 The default value is 0.
 .It Ic user-max-sessions Ar number
-Specify the maxinum number of sessions per a user.
+Specify the maximum number of sessions per a user.
 .Sq 0
 means no limit.
 The default value is 0.
@@ -125,13 +121,19 @@ session after Access-Accept.
 preserves the assigned IP address for that period.
 The default value is 60 seconds.
 .El
+.Sh FILES
+.Bl -tag -width "/usr/libexec/radiusd/radiusd_ipcp" -compact
+.It Pa /usr/libexec/radiusd/radiusd_ipcp
+.Dq ipcp
+module executable.
+.El
 .Sh EXAMPLES
-An example which
+An example with
 .Nm
-works with
+working with
-.Xr npppd 8 .
+.Xr npppd 8 :
 .Pp
-.Pa /etc/radiusd.conf:
+.Pa /etc/radiusd.conf :
 .Bd -literal -offset indent
 listen on 127.0.0.1
 listen on 127.0.0.1 accounting
@@ -150,14 +152,15 @@ module ipcp {
     set name-server       192.168.0.4
     set max-sessions      128
     set user-max-sessions 2
-    #set dae server        127.0.0.1 "SECRET3"
+    set dae server        127.0.0.1 "SECRET3"
+    set session-timeout   radius
 }
 
 authenticate * by radius decorate-by ipcp
 account      * to ipcp
 .Ed
 .Pp
-.Pa /etc/npppd/npppd.conf:
+.Pa /etc/npppd/npppd.conf :
 .Bd -literal -offset indent
 tunnel L2TP protocol l2tp {
     listen on 192.0.2.51
@@ -175,19 +178,16 @@ authentication RADIUS type radius {
     }
 }
 bind tunnel from L2TP authenticated by RADIUS to pppac0
+
+radius dae listen on 127.0.0.1
+radius dae client 127.0.0.1 secret "SECRET3"
 .Ed
-.Sh FILES
-.Bl -tag -width "/usr/libexec/radiusd/radiusd_ipcp" -compact
-.It Pa /usr/libexec/radiusd/radiusd_ipcp
-.Dq ipcp
-module executable.
-.El
 .Sh SEE ALSO
-.Xr radiusctl 8 ,
 .Xr authenticate 3 ,
-.Xr radiusd 8 ,
 .Xr radiusd.conf 5 ,
-.Xr npppd 8
+.Xr npppd 8 ,
+.Xr radiusctl 8 ,
+.Xr radiusd 8
 .Sh HISTORY
 The
 .Nm

usr.sbin/radiusd/radiusd_ipcp.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: radiusd_ipcp.c,v 1.1 2024/07/09 17:26:14 yasuoka Exp $	*/
+/*	$OpenBSD: radiusd_ipcp.c,v 1.3 2024/07/11 13:29:08 yasuoka Exp $	*/
 
 /*
  * Copyright (c) 2024 Internet Initiative Japan Inc.
@@ -190,6 +190,7 @@ static void	 ipcp_schedule_timer(struct module_ipcp *);
 static void	 ipcp_dae_send_disconnect_request(struct assigned_ipv4 *);
 static void	 ipcp_dae_request_on_timeout(int, short, void *);
 static void	 ipcp_dae_on_event(int, short, void *);
+static void	 ipcp_dae_reset_request(struct assigned_ipv4 *);
 static struct ipcp_address
 		*parse_address_range(const char *);
 static const char
@@ -625,7 +626,9 @@ ipcp_dispatch_control(void *ctx, struct imsg *imsg)
 			else {
 				log_info("Disconnect id=%u requested",
 				    assign->seq);
-				ipcp_dae_send_disconnect_request(assign);
+				if (assign->dae_ntry == 0)
+					ipcp_dae_send_disconnect_request(
+					    assign);
 			}
 		}
 		break;
@@ -1057,7 +1060,7 @@ ipcp_accounting_request(void *ctx, u_int q_id, const u_char *pkt,
 				    assign->session_timeout;
 		}
 		assign->nas_ipv4 = nas_ipv4;
-		assign->nas_ipv4 = nas_ipv4;
+		assign->nas_ipv6 = nas_ipv6;
 		strlcpy(assign->nas_id, nas_id, sizeof(assign->nas_id));
 
 		if (radius_get_string_attr(radpkt, RADIUS_TYPE_ACCT_SESSION_ID,
@@ -1222,18 +1225,7 @@ ipcp_ipv4_release(struct module_ipcp *self, struct assigned_ipv4 *assign)
 		TAILQ_REMOVE(&assign->user->ipv4s, assign, next);
 		RB_REMOVE(assigned_ipv4_tree, &self->ipv4s, assign);
 		self->nsessions--;
-		if (assign->dae != NULL) {
+		ipcp_dae_reset_request(assign);
-			if (assign->dae_ntry > 0) {
-				TAILQ_REMOVE(&assign->dae->reqs, assign,
-				    dae_next);
-				if (evtimer_pending(&assign->dae_evtimer, NULL))
-					evtimer_del(&assign->dae_evtimer);
-			}
-		}
-		if (assign->dae_reqpkt != NULL)
-			radius_delete_packet(assign->dae_reqpkt);
-		if (evtimer_pending(&assign->dae_evtimer, NULL))
-			evtimer_del(&assign->dae_evtimer);
 		free(assign);
 	}
 }
@@ -1505,37 +1497,50 @@ ipcp_dae_send_disconnect_request(struct assigned_ipv4 *assign)
 	if (assign->dae == NULL)
 		return;		/* DAE is not configured */
 
-	if (assign->dae_ntry == 0)
+	if (assign->dae_reqpkt == NULL) {
-
+		if ((reqpkt = radius_new_request_packet(
-	if (assign->dae_reqpkt != NULL) {
+		    RADIUS_CODE_DISCONNECT_REQUEST)) == NULL) {
-		radius_delete_packet(assign->dae_reqpkt);
+			log_warn("%s: radius_new_request_packet(): %m",
-		assign->dae_reqpkt = NULL;
+			    __func__);
+			return;
+		}
+		radius_put_string_attr(reqpkt, RADIUS_TYPE_ACCT_SESSION_ID,
+		    assign->session_id);
+		/*
+		 * RFC 5176 Section 3, "either the User-Name or
+		 * Chargeable-User-Identity attribute SHOULD be present in
+		 * Disconnect-Request and CoA-Request packets."
+		 */
+		radius_put_string_attr(reqpkt, RADIUS_TYPE_USER_NAME,
+		    assign->user->name);
+		if (assign->nas_id[0] != '\0')
+			radius_put_string_attr(reqpkt,
+			    RADIUS_TYPE_NAS_IDENTIFIER, assign->nas_id);
+		if (ntohl(assign->nas_ipv4.s_addr) != 0)
+			radius_put_ipv4_attr(reqpkt,
+			    RADIUS_TYPE_NAS_IP_ADDRESS, assign->nas_ipv4);
+		if (!IN6_IS_ADDR_UNSPECIFIED(&assign->nas_ipv6))
+			radius_put_ipv6_attr(reqpkt,
+			    RADIUS_TYPE_NAS_IPV6_ADDRESS, &assign->nas_ipv6);
+		radius_set_accounting_request_authenticator(reqpkt,
+		    assign->dae->secret);
+		assign->dae_reqpkt = reqpkt;
 	}
 
-	reqpkt = radius_new_request_packet(RADIUS_CODE_DISCONNECT_REQUEST);
+	if (assign->dae_ntry == 0) {
-
-	radius_put_string_attr(reqpkt, RADIUS_TYPE_ACCT_SESSION_ID,
-	    assign->session_id);
-
-	radius_set_accounting_request_authenticator(reqpkt,
-	    assign->dae->secret);
-
-	if (radius_send(assign->dae->sock, reqpkt, 0) < 0)
-		log_warn("%s: sendto: %m", __func__);
-
-	if (assign->dae_ntry == 0)
 		log_info("Sending Disconnect-Request seq=%u to %s",
 		    assign->seq, print_addr((struct sockaddr *)
 		    &assign->dae->nas_addr, buf, sizeof(buf)));
+		TAILQ_INSERT_TAIL(&assign->dae->reqs, assign, dae_next);
+	}
 
-	assign->dae_reqpkt = reqpkt;
+	if (radius_send(assign->dae->sock, assign->dae_reqpkt, 0) < 0)
-	tv.tv_sec = dae_request_timeouts[assign->dae_ntry];
+		log_warn("%s: sendto: %m", __func__);
+
+	tv.tv_sec = dae_request_timeouts[assign->dae_ntry++];
 	tv.tv_usec = 0;
 	evtimer_set(&assign->dae_evtimer, ipcp_dae_request_on_timeout, assign);
 	evtimer_add(&assign->dae_evtimer, &tv);
-
-	if (assign->dae_ntry++ == 0)
-		TAILQ_INSERT_TAIL(&assign->dae->reqs, assign, dae_next);
 }
 
 void
@@ -1544,11 +1549,12 @@ ipcp_dae_request_on_timeout(int fd, short ev, void *ctx)
 	struct assigned_ipv4	*assign = ctx;
 	char			 buf[80];
 
-	if (assign->dae_ntry >= (int)nitems(dae_request_timeouts))
+	if (assign->dae_ntry >= (int)nitems(dae_request_timeouts)) {
 		log_warnx("No answer for Disconnect-Request seq=%u from %s",
 		    assign->seq, print_addr((struct sockaddr *)
 		    &assign->dae->nas_addr, buf, sizeof(buf)));
-	else
+		ipcp_dae_reset_request(assign);
+	} else
 		ipcp_dae_send_disconnect_request(assign);
 }
 
@@ -1561,7 +1567,7 @@ ipcp_dae_on_event(int fd, short ev, void *ctx)
 	uint32_t		 u32;
 	struct assigned_ipv4	*assign;
 	char			 buf[80], causestr[80];
-	const char		*cause;
+	const char		*cause = "";
 
 	if ((ev & EV_READ) == 0)
 		return;
@@ -1581,7 +1587,7 @@ ipcp_dae_on_event(int fd, short ev, void *ctx)
 		log_warnx("Received RADIUS packet from %s has unknown id=%d",
 		    print_addr((struct sockaddr *)&dae->nas_addr, buf,
 		    sizeof(buf)), radius_get_id(radres));
-		return;
+		goto out;
 	}
 
 	radius_set_request_packet(radres, assign->dae_reqpkt);
@@ -1590,7 +1596,7 @@ ipcp_dae_on_event(int fd, short ev, void *ctx)
 		    "authenticator", assign->seq, print_addr(
 			(struct sockaddr *)&dae->nas_addr, buf,
 		    sizeof(buf)));
-		return;
+		goto out;
 	}
 	causestr[0] = '\0';
 	if (radius_get_uint32_attr(radres, RADIUS_TYPE_ERROR_CAUSE, &u32) == 0){
@@ -1600,6 +1606,7 @@ ipcp_dae_on_event(int fd, short ev, void *ctx)
 			    u32, cause);
 		else
 			snprintf(causestr, sizeof(causestr), " cause=%u", u32);
+		cause = causestr;
 	}
 
 	code = radius_get_code(radres);
@@ -1608,13 +1615,11 @@ ipcp_dae_on_event(int fd, short ev, void *ctx)
 		log_info("Received Disconnect-ACK for seq=%u from %s%s",
 		    assign->seq, print_addr((struct sockaddr *)
 		    &dae->nas_addr, buf, sizeof(buf)), cause);
-		evtimer_del(&assign->dae_evtimer);
 		break;
 	case RADIUS_CODE_DISCONNECT_NAK:
 		log_warnx("Received Disconnect-NAK for seq=%u from %s%s",
 		    assign->seq, print_addr((struct sockaddr *)
 		    &dae->nas_addr, buf, sizeof(buf)), cause);
-		evtimer_del(&assign->dae_evtimer);
 		break;
 	default:
 		log_warn("Received unknown code=%d for id=%u from %s",
@@ -1622,6 +1627,25 @@ ipcp_dae_on_event(int fd, short ev, void *ctx)
 		    &dae->nas_addr, buf, sizeof(buf)));
 		break;
 	}
+	ipcp_dae_reset_request(assign);
+ out:
+	if (radres != NULL)
+		radius_delete_packet(radres);
+}
+
+void
+ipcp_dae_reset_request(struct assigned_ipv4 *assign)
+{
+	if (assign->dae != NULL) {
+		if (assign->dae_ntry > 0)
+			TAILQ_REMOVE(&assign->dae->reqs, assign, dae_next);
+	}
+	if (assign->dae_reqpkt != NULL)
+		radius_delete_packet(assign->dae_reqpkt);
+	assign->dae_reqpkt = NULL;
+	if (evtimer_pending(&assign->dae_evtimer, NULL))
+		evtimer_del(&assign->dae_evtimer);
+	assign->dae_ntry = 0;
 }
 
 /***********************************************************************

usr.sbin/vmctl/Makefile

@@ -1,6 +1,6 @@
-#	$OpenBSD: Makefile,v 1.6 2019/01/18 01:24:07 pd Exp $
+#	$OpenBSD: Makefile,v 1.7 2024/07/10 09:27:33 dv Exp $
 
-.if ${MACHINE} == "amd64"
+.if ${MACHINE} == "amd64" || ${MACHINE} == "arm64"
 
 .PATH:	${.CURDIR}/../vmd
 

usr.sbin/vmd/Makefile

@@ -1,13 +1,20 @@
-#	$OpenBSD: Makefile,v 1.29 2023/04/27 22:47:27 dv Exp $
+#	$OpenBSD: Makefile,v 1.30 2024/07/10 09:27:33 dv Exp $
 
-.if ${MACHINE} == "amd64"
+.if ${MACHINE} == "amd64" || ${MACHINE} == "arm64"
 
 PROG=		vmd
-SRCS=		vmd.c control.c log.c priv.c proc.c config.c vmm.c
+SRCS=		vmd.c control.c log.c priv.c proc.c config.c vmm.c vm.c
-SRCS+=		vm.c loadfile_elf.c pci.c virtio.c i8259.c mc146818.c
+SRCS+=		pci.c virtio.c dhcp.c packet.c parse.y atomicio.c
-SRCS+=		ns8250.c i8253.c dhcp.c packet.c mmio.c
+SRCS+=		vioscsi.c vioraw.c vioqcow2.c vm_agentx.c vioblk.c
-SRCS+=		parse.y atomicio.c vioscsi.c vioraw.c vioqcow2.c fw_cfg.c
+SRCS+=		vionet.c
-SRCS+=		vm_agentx.c vioblk.c vionet.c
+
+.if ${MACHINE} == "amd64"
+SRCS+=		i8253.c i8259.c fw_cfg.c loadfile_elf.c mc146818.c ns8250.c
+SRCS+=		x86_vm.c x86_mmio.c
+.endif # amd64
+.if ${MACHINE} == "arm64"
+SRCS+=		arm64_vm.c
+.endif # arm64
 
 CFLAGS+=	-Wall -I${.CURDIR}
 CFLAGS+=	-Wstrict-prototypes -Wmissing-prototypes
@@ -24,7 +31,7 @@ YFLAGS=
 
 NOPROG= yes
 
-.endif
+.endif # amd64 or arm64
 
 MAN=		vmd.8 vm.conf.5
 

usr.sbin/vmd/arm64_vm.c

@@ -0,0 +1,162 @@
+/*	$OpenBSD: arm64_vm.c,v 1.1 2024/07/10 10:41:19 dv Exp $	*/
+/*
+ * Copyright (c) 2024 Dave Voutila <dv@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+#include <sys/types.h>
+
+#include "vmd.h"
+
+void
+create_memory_map(struct vm_create_params *vcp)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+}
+
+int
+load_firmware(struct vmd_vm *vm, struct vcpu_reg_state *vrs)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+	return (-1);
+}
+
+void
+init_emulated_hw(struct vmop_create_params *vcp, int child_cdrom,
+    int child_disks[][VM_MAX_BASE_PER_DISK], int *child_taps)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+}
+
+void
+restore_emulated_hw(struct vm_create_params *vcp, int fd, int *child_taps,
+    int child_disks[][VM_MAX_BASE_PER_DISK], int child_cdrom)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+}
+
+void
+pause_vm_md(struct vmd_vm *vm)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+}
+
+void
+unpause_vm_md(struct vmd_vm *vm)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+}
+
+int
+dump_devs(int fd)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+	return (-1);
+}
+
+int
+dump_send_header(int fd)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+	return (-1);
+}
+
+void *
+hvaddr_mem(paddr_t gpa, size_t len)
+{	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+	return (NULL);
+}
+
+int
+write_mem(paddr_t dst, const void *buf, size_t len)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+	return (-1);
+}
+
+int
+read_mem(paddr_t src, void *buf, size_t len)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+	return (-1);
+}
+
+int
+intr_pending(struct vmd_vm *vm)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+	return (-1);
+}
+
+void
+intr_toggle_el(struct vmd_vm *vm, int irq, int val)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+}
+
+int
+intr_ack(struct vmd_vm *vm)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+	return (-1);
+}
+
+void
+vcpu_assert_irq(uint32_t vm_id, uint32_t vcpu_id, int irq)
+{
+	fatalx("%s: unimplemented", __func__);
+}
+
+void
+vcpu_deassert_irq(uint32_t vm_id, uint32_t vcpu_id, int irq)
+{
+	fatalx("%s: unimplemented", __func__);
+}
+
+int
+vmd_check_vmh(struct vm_dump_header *vmh)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+	return (-1);
+}
+
+int
+vcpu_exit(struct vm_run_params *vrp)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+	return (-1);
+}
+
+uint8_t
+vcpu_exit_pci(struct vm_run_params *vrp)
+{
+	fatalx("%s: unimplemented", __func__);
+	/* NOTREACHED */
+	return (0xff);
+}

usr.sbin/vmd/i8253.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: i8253.c,v 1.40 2024/07/09 09:31:37 dv Exp $ */
+/* $OpenBSD: i8253.c,v 1.41 2024/07/10 09:27:33 dv Exp $ */
 /*
  * Copyright (c) 2016 Mike Larkin <mlarkin@openbsd.org>
  *
@@ -29,7 +29,6 @@
 
 #include "i8253.h"
 #include "vmd.h"
-#include "vmm.h"
 #include "atomicio.h"
 
 extern char *__progname;
@@ -369,7 +368,7 @@ i8253_fire(int fd, short type, void *arg)
 	struct timeval tv;
 	struct i8253_channel *ctr = (struct i8253_channel *)arg;
 
-	vcpu_assert_pic_irq(ctr->vm_id, 0, 0);
+	vcpu_assert_irq(ctr->vm_id, 0, 0);
 
 	if (ctr->mode != TIMER_INTTC) {
 		timerclear(&tv);

usr.sbin/vmd/mc146818.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: mc146818.c,v 1.28 2024/07/09 09:31:37 dv Exp $ */
+/* $OpenBSD: mc146818.c,v 1.29 2024/07/10 09:27:33 dv Exp $ */
 /*
  * Copyright (c) 2016 Mike Larkin <mlarkin@openbsd.org>
  *
@@ -31,7 +31,6 @@
 #include "mc146818.h"
 #include "virtio.h"
 #include "vmd.h"
-#include "vmm.h"
 
 #define MC_RATE_MASK 0xf
 
@@ -148,7 +147,7 @@ rtc_fireper(int fd, short type, void *arg)
 {
 	rtc.regs[MC_REGC] |= MC_REGC_PF;
 
-	vcpu_assert_pic_irq((ptrdiff_t)arg, 0, 8);
+	vcpu_assert_irq((ptrdiff_t)arg, 0, 8);
 
 	evtimer_add(&rtc.per, &rtc.per_tv);
 }

usr.sbin/vmd/ns8250.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ns8250.c,v 1.39 2024/07/09 09:31:37 dv Exp $ */
+/* $OpenBSD: ns8250.c,v 1.40 2024/07/10 09:27:33 dv Exp $ */
 /*
  * Copyright (c) 2016 Mike Larkin <mlarkin@openbsd.org>
  *
@@ -30,7 +30,6 @@
 #include "atomicio.h"
 #include "ns8250.h"
 #include "vmd.h"
-#include "vmm.h"
 
 extern char *__progname;
 struct ns8250_dev com1_dev;
@@ -80,7 +79,7 @@ ratelimit(int fd, short type, void *arg)
 	com1_dev.regs.iir |= IIR_TXRDY;
 	com1_dev.regs.iir &= ~IIR_NOPEND;
 
-	vcpu_assert_pic_irq(com1_dev.vmid, 0, com1_dev.irq);
+	vcpu_assert_irq(com1_dev.vmid, 0, com1_dev.irq);
 	mutex_unlock(&com1_dev.mutex);
 }
 
@@ -157,7 +156,7 @@ com_rcv_event(int fd, short kind, void *arg)
 	/* If pending interrupt, inject */
 	if ((com1_dev.regs.iir & IIR_NOPEND) == 0) {
 		/* XXX: vcpu_id */
-		vcpu_assert_pic_irq((uintptr_t)arg, 0, com1_dev.irq);
+		vcpu_assert_irq((uintptr_t)arg, 0, com1_dev.irq);
 	}
 
 	mutex_unlock(&com1_dev.mutex);

usr.sbin/vmd/pci.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pci.c,v 1.32 2024/07/09 09:31:37 dv Exp $	*/
+/*	$OpenBSD: pci.c,v 1.33 2024/07/10 09:27:33 dv Exp $	*/
 
 /*
  * Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org>
@@ -28,12 +28,12 @@
 
 #include "vmd.h"
 #include "pci.h"
-#include "vmm.h"
 #include "i8259.h"
 #include "atomicio.h"
 
 struct pci pci;
 
+extern struct vmd_vm current_vm;
 extern char *__progname;
 
 /* PIC IRQs, assigned to devices in order */
@@ -86,7 +86,9 @@ pci_add_bar(uint8_t id, uint32_t type, void *barfn, void *cookie)
 		pci.pci_devices[id].pd_bartype[bar_ct] = PCI_BAR_TYPE_MMIO;
 		pci.pci_devices[id].pd_barsize[bar_ct] = VM_PCI_MMIO_BAR_SIZE;
 		pci.pci_devices[id].pd_bar_ct++;
-	} else if (type == PCI_MAPREG_TYPE_IO) {
+	}
+#ifdef __amd64__
+	else if (type == PCI_MAPREG_TYPE_IO) {
 		if (pci.pci_next_io_bar >= VM_PCI_IO_BAR_END)
 			return (1);
 
@@ -102,6 +104,7 @@ pci_add_bar(uint8_t id, uint32_t type, void *barfn, void *cookie)
 		pci.pci_devices[id].pd_barsize[bar_ct] = VM_PCI_IO_BAR_SIZE;
 		pci.pci_devices[id].pd_bar_ct++;
 	}
+#endif /* __amd64__ */
 
 	return (0);
 }
@@ -195,7 +198,7 @@ pci_add_device(uint8_t *id, uint16_t vid, uint16_t pid, uint8_t class,
 		pci.pci_next_pic_irq++;
 		DPRINTF("assigned irq %d to pci dev %d",
 		    pci.pci_devices[*id].pd_irq, *id);
-		pic_set_elcr(pci.pci_devices[*id].pd_irq, 1);
+		intr_toggle_el(&current_vm, pci.pci_devices[*id].pd_irq, 1);
 	}
 
 	pci.pci_dev_ct ++;
@@ -216,7 +219,10 @@ pci_init(void)
 
 	memset(&pci, 0, sizeof(pci));
 	pci.pci_next_mmio_bar = VMM_PCI_MMIO_BAR_BASE;
+
+#ifdef __amd64__
 	pci.pci_next_io_bar = VM_PCI_IO_BAR_BASE;
+#endif /* __amd64__ */
 
 	if (pci_add_device(&id, PCI_VENDOR_OPENBSD, PCI_PRODUCT_OPENBSD_PCHB,
 	    PCI_CLASS_BRIDGE, PCI_SUBCLASS_BRIDGE_HOST,
@@ -226,6 +232,7 @@ pci_init(void)
 	}
 }
 
+#ifdef __amd64__
 void
 pci_handle_address_reg(struct vm_run_params *vrp)
 {
@@ -415,6 +422,7 @@ pci_handle_data_reg(struct vm_run_params *vrp)
 		}
 	}
 }
+#endif /* __amd64__ */
 
 int
 pci_dump(int fd)

usr.sbin/vmd/pci.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: pci.h,v 1.10 2023/02/06 20:33:34 dv Exp $	*/
+/*	$OpenBSD: pci.h,v 1.11 2024/07/10 09:27:33 dv Exp $	*/
 
 /*
  * Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org>
@@ -93,9 +93,6 @@ struct pci {
 };
 
 int pci_find_first_device(uint16_t);
-void pci_handle_address_reg(struct vm_run_params *);
-void pci_handle_data_reg(struct vm_run_params *);
-uint8_t pci_handle_io(struct vm_run_params *);
 void pci_init(void);
 int pci_add_device(uint8_t *, uint16_t, uint16_t, uint8_t, uint8_t, uint16_t,
     uint16_t, uint8_t, pci_cs_fn_t);
@@ -105,4 +102,10 @@ uint8_t pci_get_dev_irq(uint8_t);
 int pci_dump(int);
 int pci_restore(int);
 
+#ifdef __amd64__
+void pci_handle_address_reg(struct vm_run_params *);
+void pci_handle_data_reg(struct vm_run_params *);
+uint8_t pci_handle_io(struct vm_run_params *);
+#endif /* __amd64__ */
+
 #endif /* _PCI_H_ */

usr.sbin/vmd/vioblk.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: vioblk.c,v 1.13 2024/02/20 21:40:37 dv Exp $	*/
+/*	$OpenBSD: vioblk.c,v 1.14 2024/07/10 09:27:33 dv Exp $	*/
 
 /*
  * Copyright (c) 2023 Dave Voutila <dv@openbsd.org>
@@ -555,7 +555,7 @@ handle_sync_io(int fd, short event, void *arg)
 		case VIODEV_MSG_IO_WRITE:
 			/* Write IO: no reply needed */
 			if (handle_io_write(&msg, dev) == 1)
-				virtio_assert_pic_irq(dev, 0);
+				virtio_assert_irq(dev, 0);
 			break;
 		case VIODEV_MSG_SHUTDOWN:
 			event_del(&dev->sync_iev.ev);
@@ -614,7 +614,7 @@ handle_io_write(struct viodev_msg *msg, struct virtio_dev *dev)
 			vioblk->cfg.isr_status = 0;
 			vioblk->vq[0].last_avail = 0;
 			vioblk->vq[0].notified_avail = 0;
-			virtio_deassert_pic_irq(dev, msg->vcpu);
+			virtio_deassert_irq(dev, msg->vcpu);
 		}
 		break;
 	default:

usr.sbin/vmd/virtio.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: virtio.c,v 1.114 2024/07/09 09:31:37 dv Exp $	*/
+/*	$OpenBSD: virtio.c,v 1.115 2024/07/10 09:27:33 dv Exp $	*/
 
 /*
  * Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org>
@@ -47,7 +47,6 @@
 #include "vioscsi.h"
 #include "virtio.h"
 #include "vmd.h"
-#include "vmm.h"
 
 extern struct vmd *env;
 extern char *__progname;
@@ -274,7 +273,7 @@ virtio_rnd_io(int dir, uint16_t reg, uint32_t *data, uint8_t *intr,
 		case VIRTIO_CONFIG_ISR_STATUS:
 			*data = viornd.cfg.isr_status;
 			viornd.cfg.isr_status = 0;
-			vcpu_deassert_pic_irq(viornd.vm_id, 0, viornd.irq);
+			vcpu_deassert_irq(viornd.vm_id, 0, viornd.irq);
 			break;
 		}
 	}
@@ -310,7 +309,7 @@ vmmci_ctl(unsigned int cmd)
 
 		/* Trigger interrupt */
 		vmmci.cfg.isr_status = VIRTIO_CONFIG_ISR_CONFIG_CHANGE;
-		vcpu_assert_pic_irq(vmmci.vm_id, 0, vmmci.irq);
+		vcpu_assert_irq(vmmci.vm_id, 0, vmmci.irq);
 
 		/* Add ACK timeout */
 		tv.tv_sec = VMMCI_TIMEOUT;
@@ -322,7 +321,7 @@ vmmci_ctl(unsigned int cmd)
 			vmmci.cmd = cmd;
 
 			vmmci.cfg.isr_status = VIRTIO_CONFIG_ISR_CONFIG_CHANGE;
-			vcpu_assert_pic_irq(vmmci.vm_id, 0, vmmci.irq);
+			vcpu_assert_irq(vmmci.vm_id, 0, vmmci.irq);
 		} else {
 			log_debug("%s: RTC sync skipped (guest does not "
 			    "support RTC sync)\n", __func__);
@@ -468,7 +467,7 @@ vmmci_io(int dir, uint16_t reg, uint32_t *data, uint8_t *intr,
 		case VIRTIO_CONFIG_ISR_STATUS:
 			*data = vmmci.cfg.isr_status;
 			vmmci.cfg.isr_status = 0;
-			vcpu_deassert_pic_irq(vmmci.vm_id, 0, vmmci.irq);
+			vcpu_deassert_irq(vmmci.vm_id, 0, vmmci.irq);
 			break;
 		}
 	}
@@ -1586,9 +1585,9 @@ handle_dev_msg(struct viodev_msg *msg, struct virtio_dev *gdev)
 	switch (msg->type) {
 	case VIODEV_MSG_KICK:
 		if (msg->state == INTR_STATE_ASSERT)
-			vcpu_assert_pic_irq(vm_id, msg->vcpu, irq);
+			vcpu_assert_irq(vm_id, msg->vcpu, irq);
 		else if (msg->state == INTR_STATE_DEASSERT)
-			vcpu_deassert_pic_irq(vm_id, msg->vcpu, irq);
+			vcpu_deassert_irq(vm_id, msg->vcpu, irq);
 		break;
 	case VIODEV_MSG_READY:
 		log_debug("%s: device reports ready", __func__);
@@ -1702,9 +1701,9 @@ virtio_pci_io(int dir, uint16_t reg, uint32_t *data, uint8_t *intr,
 			 * device performs a register read.
 			 */
 			if (msg.state == INTR_STATE_ASSERT)
-				vcpu_assert_pic_irq(dev->vm_id, msg.vcpu, msg.irq);
+				vcpu_assert_irq(dev->vm_id, msg.vcpu, msg.irq);
 			else if (msg.state == INTR_STATE_DEASSERT)
-				vcpu_deassert_pic_irq(dev->vm_id, msg.vcpu, msg.irq);
+				vcpu_deassert_irq(dev->vm_id, msg.vcpu, msg.irq);
 		} else {
 			log_warnx("%s: expected IO_READ, got %d", __func__,
 			    msg.type);
@@ -1716,7 +1715,7 @@ virtio_pci_io(int dir, uint16_t reg, uint32_t *data, uint8_t *intr,
 }
 
 void
-virtio_assert_pic_irq(struct virtio_dev *dev, int vcpu)
+virtio_assert_irq(struct virtio_dev *dev, int vcpu)
 {
 	struct viodev_msg msg;
 	int ret;
@@ -1734,7 +1733,7 @@ virtio_assert_pic_irq(struct virtio_dev *dev, int vcpu)
 }
 
 void
-virtio_deassert_pic_irq(struct virtio_dev *dev, int vcpu)
+virtio_deassert_irq(struct virtio_dev *dev, int vcpu)
 {
 	struct viodev_msg msg;
 	int ret;

usr.sbin/vmd/virtio.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: virtio.h,v 1.51 2024/02/20 21:40:37 dv Exp $	*/
+/*	$OpenBSD: virtio.h,v 1.52 2024/07/10 09:27:33 dv Exp $	*/
 
 /*
  * Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org>
@@ -346,8 +346,8 @@ uint32_t vring_size(uint32_t);
 int vm_device_pipe(struct virtio_dev *, void (*)(int, short, void *),
     struct event_base *);
 int virtio_pci_io(int, uint16_t, uint32_t *, uint8_t *, void *, uint8_t);
-void virtio_assert_pic_irq(struct virtio_dev *, int);
+void virtio_assert_irq(struct virtio_dev *, int);
-void virtio_deassert_pic_irq(struct virtio_dev *, int);
+void virtio_deassert_irq(struct virtio_dev *, int);
 
 int virtio_rnd_io(int, uint16_t, uint32_t *, uint8_t *, void *, uint8_t);
 int viornd_dump(int);

usr.sbin/vmd/vmd.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: vmd.c,v 1.158 2024/07/09 09:31:37 dv Exp $	*/
+/*	$OpenBSD: vmd.c,v 1.159 2024/07/10 09:27:33 dv Exp $	*/
 
 /*
  * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -41,7 +41,6 @@
 #include <grp.h>
 
 #include <dev/vmm/vmm.h>
-#include <machine/specialreg.h>
 
 #include "proc.h"
 #include "atomicio.h"
@@ -613,134 +612,6 @@ vmd_dispatch_priv(int fd, struct privsep_proc *p, struct imsg *imsg)
 	return (0);
 }
 
-int
-vmd_check_vmh(struct vm_dump_header *vmh)
-{
-	int i;
-	unsigned int code, leaf;
-	unsigned int a, b, c, d;
-
-	if (strncmp(vmh->vmh_signature, VM_DUMP_SIGNATURE, strlen(VM_DUMP_SIGNATURE)) != 0) {
-		log_warnx("%s: incompatible dump signature", __func__);
-		return (-1);
-	}
-
-	if (vmh->vmh_version != VM_DUMP_VERSION) {
-		log_warnx("%s: incompatible dump version", __func__);
-		return (-1);
-	}
-
-	for (i = 0; i < VM_DUMP_HEADER_CPUID_COUNT; i++) {
-		code = vmh->vmh_cpuids[i].code;
-		leaf = vmh->vmh_cpuids[i].leaf;
-		if (leaf != 0x00) {
-			log_debug("%s: invalid leaf 0x%x for code 0x%x",
-			    __func__, leaf, code);
-			return (-1);
-		}
-
-		switch (code) {
-		case 0x00:
-			CPUID_LEAF(code, leaf, a, b, c, d);
-			if (vmh->vmh_cpuids[i].a > a) {
-				log_debug("%s: incompatible cpuid level",
-				    __func__);
-				return (-1);
-			}
-			if (!(vmh->vmh_cpuids[i].b == b &&
-			    vmh->vmh_cpuids[i].c == c &&
-			    vmh->vmh_cpuids[i].d == d)) {
-				log_debug("%s: incompatible cpu brand",
-				    __func__);
-				return (-1);
-			}
-			break;
-
-		case 0x01:
-			CPUID_LEAF(code, leaf, a, b, c, d);
-			if ((vmh->vmh_cpuids[i].c & c & VMM_CPUIDECX_MASK) !=
-			    (vmh->vmh_cpuids[i].c & VMM_CPUIDECX_MASK)) {
-				log_debug("%s: incompatible cpu features "
-				    "code: 0x%x leaf: 0x%x  reg: c", __func__,
-				    code, leaf);
-				return (-1);
-			}
-			if ((vmh->vmh_cpuids[i].d & d & VMM_CPUIDEDX_MASK) !=
-			    (vmh->vmh_cpuids[i].d & VMM_CPUIDEDX_MASK)) {
-				log_debug("%s: incompatible cpu features "
-				    "code: 0x%x leaf: 0x%x  reg: d", __func__,
-				    code, leaf);
-				return (-1);
-			}
-			break;
-
-		case 0x07:
-			CPUID_LEAF(code, leaf, a, b, c, d);
-			if ((vmh->vmh_cpuids[i].b & b & VMM_SEFF0EBX_MASK) !=
-			    (vmh->vmh_cpuids[i].b & VMM_SEFF0EBX_MASK)) {
-				log_debug("%s: incompatible cpu features "
-				    "code: 0x%x leaf: 0x%x  reg: c", __func__,
-				    code, leaf);
-				return (-1);
-			}
-			if ((vmh->vmh_cpuids[i].c & c & VMM_SEFF0ECX_MASK) !=
-			    (vmh->vmh_cpuids[i].c & VMM_SEFF0ECX_MASK)) {
-				log_debug("%s: incompatible cpu features "
-				    "code: 0x%x leaf: 0x%x  reg: d", __func__,
-				    code, leaf);
-				return (-1);
-			}
-			break;
-
-		case 0x0d:
-			CPUID_LEAF(code, leaf, a, b, c, d);
-			if (vmh->vmh_cpuids[i].b > b) {
-				log_debug("%s: incompatible cpu: insufficient "
-				    "max save area for enabled XCR0 features",
-				    __func__);
-				return (-1);
-			}
-			if (vmh->vmh_cpuids[i].c > c) {
-				log_debug("%s: incompatible cpu: insufficient "
-				    "max save area for supported XCR0 features",
-				    __func__);
-				return (-1);
-			}
-			break;
-
-		case 0x80000001:
-			CPUID_LEAF(code, leaf, a, b, c, d);
-			if ((vmh->vmh_cpuids[i].a & a) !=
-			    vmh->vmh_cpuids[i].a) {
-				log_debug("%s: incompatible cpu features "
-				    "code: 0x%x leaf: 0x%x  reg: a", __func__,
-				    code, leaf);
-				return (-1);
-			}
-			if ((vmh->vmh_cpuids[i].c & c) !=
-			    vmh->vmh_cpuids[i].c) {
-				log_debug("%s: incompatible cpu features "
-				    "code: 0x%x leaf: 0x%x  reg: c", __func__,
-				    code, leaf);
-				return (-1);
-			}
-			if ((vmh->vmh_cpuids[i].d & d) !=
-			    vmh->vmh_cpuids[i].d) {
-				log_debug("%s: incompatible cpu features "
-				    "code: 0x%x leaf: 0x%x  reg: d", __func__,
-				    code, leaf);
-				return (-1);
-			}
-			break;
-
-		default:
-			log_debug("%s: unknown code 0x%x", __func__, code);
-			return (-1);
-		}
-	}
-
-	return (0);
-}
 
 void
 vmd_sighdlr(int sig, short event, void *arg)

usr.sbin/vmd/vmd.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: vmd.h,v 1.126 2024/07/09 09:31:37 dv Exp $	*/
+/*	$OpenBSD: vmd.h,v 1.127 2024/07/10 09:27:33 dv Exp $	*/
 
 /*
  * Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org>
@@ -43,6 +43,9 @@
 
 #define nitems(_a)      (sizeof((_a)) / sizeof((_a)[0]))
 
+#define MB(x)	(x * 1024UL * 1024UL)
+#define GB(x)	(x * 1024UL * 1024UL * 1024UL)
+
 #define VMD_USER		"_vmd"
 #define VMD_CONF		"/etc/vm.conf"
 #define SOCKET_NAME		"/var/run/vmd.sock"
@@ -492,21 +495,51 @@ int	 opentap(char *);
 int	 fd_hasdata(int);
 int	 vmm_pipe(struct vmd_vm *, int, void (*)(int, short, void *));
 
-/* vm.c */
+/* {mach}_vm.c (md interface) */
+void	 create_memory_map(struct vm_create_params *);
+int	 load_firmware(struct vmd_vm *, struct vcpu_reg_state *);
+void	 init_emulated_hw(struct vmop_create_params *, int,
+    int[][VM_MAX_BASE_PER_DISK], int *);
+void	 restore_emulated_hw(struct vm_create_params *vcp, int, int *,
+    int[][VM_MAX_BASE_PER_DISK], int);
+int	 vcpu_reset(uint32_t, uint32_t, struct vcpu_reg_state *);
+void	 pause_vm_md(struct vmd_vm *);
+void	 unpause_vm_md(struct vmd_vm *);
+int	 dump_devs(int);
+int	 dump_send_header(int);
+void	*hvaddr_mem(paddr_t, size_t);
+int	 write_mem(paddr_t, const void *, size_t);
+int	 read_mem(paddr_t, void *, size_t);
+int	 intr_ack(struct vmd_vm *);
+int	 intr_pending(struct vmd_vm *);
+void	 intr_toggle_el(struct vmd_vm *, int, int);
+void	 vcpu_assert_irq(uint32_t, uint32_t, int);
+void	 vcpu_deassert_irq(uint32_t, uint32_t, int);
+int	 vcpu_exit(struct vm_run_params *);
+uint8_t	 vcpu_exit_pci(struct vm_run_params *);
+
+#ifdef __amd64__
+/* x86 io functions in x86_vm.c */
+void	 set_return_data(struct vm_exit *, uint32_t);
+void	 get_input_data(struct vm_exit *, uint32_t *);
+#endif /* __amd64 __ */
+
+/* vm.c (mi functions) */
+void	 vcpu_halt(uint32_t);
+void	 vcpu_unhalt(uint32_t);
+void	 vcpu_signal_run(uint32_t);
+int 	 vcpu_intr(uint32_t, uint32_t, uint8_t);
 void	 vm_main(int, int);
 void	 mutex_lock(pthread_mutex_t *);
 void	 mutex_unlock(pthread_mutex_t *);
-int	 read_mem(paddr_t, void *buf, size_t);
+int	 vmd_check_vmh(struct vm_dump_header *);
-int	 start_vm(struct vmd_vm *, int);
-__dead void vm_shutdown(unsigned int);
 void	 vm_pipe_init(struct vm_dev_pipe *, void (*)(int, short, void *));
 void	 vm_pipe_init2(struct vm_dev_pipe *, void (*)(int, short, void *),
 	    void *);
 void	 vm_pipe_send(struct vm_dev_pipe *, enum pipe_msg_type);
 enum pipe_msg_type vm_pipe_recv(struct vm_dev_pipe *);
-int	 write_mem(paddr_t, const void *buf, size_t);
-void*	 hvaddr_mem(paddr_t, size_t);
 int	 remap_guest_mem(struct vmd_vm *, int);
+__dead void vm_shutdown(unsigned int);
 
 /* config.c */
 int	 config_init(struct vmd *);

usr.sbin/vmd/vmm.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: vmm.c,v 1.120 2024/07/09 09:31:37 dv Exp $	*/
+/*	$OpenBSD: vmm.c,v 1.121 2024/07/10 09:27:33 dv Exp $	*/
 
 /*
  * Copyright (c) 2015 Mike Larkin <mlarkin@openbsd.org>
@@ -30,9 +30,6 @@
 #include <dev/pci/pcireg.h>
 #include <dev/vmm/vmm.h>
 
-#include <machine/psl.h>
-#include <machine/specialreg.h>
-
 #include <net/if.h>
 
 #include <errno.h>
@@ -50,7 +47,6 @@
 #include <util.h>
 
 #include "vmd.h"
-#include "vmm.h"
 #include "atomicio.h"
 #include "proc.h"